Please Do Not Change Your Password
cxbrx writes "Mark Pothier's Boston Globe article, 'Please do not change your password,' covers a paper by Microsoft Researcher Cormac Herley, 'So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users,' from the 2009 New Security Paradigms Workshop. Herley argues 'that user's rejection of the security advice they receive is entirely rational from an economic perspective.' Herley discusses 'password rules,' 'teaching users to recognize phishing sites by reading URLs,' and 'certificate errors.' Users obviously choose bad passwords, but does password aging actually help? There was some discussion on TechRepublic. I'm especially interested in hearing about studies about password aging."
hunter2
We have a password expiration policy at my work. Every time I change my password I have to memorize a new one. So I pick a password that's easy to remember, as such it's also easy to guess. If I could just memorize a password once, and keep it forever I'd be using a password that's essentially random. This policy is nonsense.
Give me Classic Slashdot or give me death!
"Change your passwords and be rooted." -- JIRA attackers.
1. Apache Foundation Attacked, Passwords Stolen
2. Please Do Not Change Your Password
Slashdot is awesome today!
Password aging is one of those policies that sounds like it makes some degree of sense only if you don't have any understanding of human nature.
Here in reality, forcing people to change their password every 30 or 60 or 90 days only has a few possible results:
(1) A lot more people writing down passwords and sticking them to their monitors. Who the hell can remember a new eight-digit string of nonsense every month?
(2) A lot more easy-to-guess passwords
(3) Incremented passwords (FuckTheSecurityGuys14)
This is why I consider password policies a great indicator of where your IT department is on the "keepin' it real" scale: No restrictions, you IT people are idiots and don't care or understand security. Reasonable restrictions (min 8 characters, letters and numbers) and you're in the sweet spot. Passwords that expire every 15 minutes, your IT people are idiots and don't care or understand security.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
Password aging is not only irritating for users, it causes them to choose even worse passwords, or to write their passwords down. If you are lucky, and they do neither of these, then it is very likely that they will use "strong-password-1", "strong-password-2".
Enjoy life! This is not a dress rehearsal.
If anyone gathered metrics on such practices, I would bet that for most environments, they would find that it yields the opposite effect of what is intended.
It makes strong passwords and lots and lots of password lists under keyboards, in text files, and on post-it notes.
I gave a little talk at a Toorcon event a couple years ago where I included some pictures of password lists found in the wild.
I think everyone competent knows about these things, they just choose not to say anything about it because it is a "best practice."
Yes, yes. This is all very fine. Until there is a massive security breach (like this recent one) and the CEO is looking for a place to drop the blame-hammer. Password aging may have had nothing to do with the breach, but who cares? The IS dept didn't have one? It's their fault then....
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
Less than a month ago. http://news.slashdot.org/story/10/03/16/1931214/Users-Rejecting-Security-Advice-Considered-Rational
Kudos to the /. editors for cutting way down on the number of dupes and summary-contradicts-article stories over the past couple of years, but they're certainly not eradicated. Maybe dupe-checking should be part of slashcode--an automatic search for links and link titles that the editor (or submitter?) has to at least scroll past to post.
The original Howling Frog is a fictional character and has no UID.
Could someone post an actual strong password you have in use?
You neglected another possibility: your security restrictions were set by some dumbass in a state legislature who read some paper or book regarding "IT Security" and passed laws and regulations for government agencies...
Password aging is one of those policies that sounds like it makes some degree of sense only if you don't have any understanding of human nature.
The stereotype is that computer geeks can't get a date or fit into social situations. Why? Because they don't understand human nature. And who is in charge of setting the password policy? The geekiest guy in the organization. I see a major issue.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
There is one thing worse than a bad password, and that is one that needs to be written down on a post-it note.
I see password security as an exponential curve, on a graph, reaching a certain peak and then dropping to zero. That dropping point is where the password rules become so complicated that most people would rather write the password down than try to remember it. That piece of paper suddenly became your weak point in the security model. For this reason your password policies need to focus on something that is sufficiently secure, but not so secure that it is in effect insecure.
Jumpstart the tartan drive.
Password aging made sense, once upon a time. When the biggest issue was resource theft, changing passwords every few months cleaned out the unintended access some people had, either nefariously or through chance (old unclosed account and what have you).
Now with the speed of automated hacking tools password rotation is less than useless as a defense.
I've been doing columns of keys on the keyboard. It's going to be a long time before I run out, and it meets most requirements. (Sometimes I hit caps lock for the second set.) Plus logging in takes almost no time at all.
1qaz2wsx
1qaz3edc
2wsx3edc
1qaz4rfv
2wsx4rfv
3edc4rfv
1qaz5tgb
It's called singular they, and its usage is debated. Shakespeare and Jane Austen can't be that wrong.
Terrorist, bomb, al Qaeda, nuclear, yellowcake, kill, assassinate. Carnivore is dead... long live Echelon.
And this points to a huge problem in IT departments, companies in general and our whole society. So much effort needs to be put into CYA activities, not because you're not doing your job right, but because you are liable to be subject to the whimsical judgement of stupid or ignorant people. Appearing to do the right thing is perceived as much more important than actually doing the right thing because failures of appearance tend to have much worse consequences. Look at Congress, 90% of what they do is so they appear to be taking positive action on some issue, regardless of the effects it will have. And for them, it clearly works because they keep getting re-elected despite being the most consistently incompetent group of people drawing a salary in the U.S.
You are in a maze of twisty little passages, all alike.
How many times have you seen "the password must be between x and y characters in length and must contain blah blah"?
I want to enter a full sentence. Like "this is my password and you won't be able to guess it, you idiot". You aren't making this possible, because you're thinking like geek programmers who use randomly-generated strings of 8-12 characters by the dozens.
I write code and do inter-office support for my apps. Do you know how many times someone told me "I forgotz my password, halp!!11" after they were instructed to use a full sentence with a minimum of twenty-five characters? Zero. Nobody ever forgot it.
Don't feed the trolls.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
I often tell people at work I'll be adding a squirrel noise requirement to the password policy next month. I always expect them to laugh but they usually just have a horrified look on their face that reads something like 'you can do that?'. I then have to calm them down and tell them I'm only kidding.
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed H
Perhaps you should take your own advice, and find out what "subject-verb agreement" means? Neither "user" nor "they" is a verb or a subject, so I'm not sure how subject-verb agreement could be relevant here.
If you meant "pronoun agreement," you're still wrong. "They" agrees perfectly with a singular noun of indeterminate gender.
Password: Aaaaaayyy
Man, I just looked down at my kb thinking you had a good idea, then was REALLY confused for a minute.
Then I remembered I'd messed the keys around to fuck with people who looked over my shoulder.
If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
Increased security always decreases usability. Though now that I think about it, I'm wondering: why aren't smart cards used more in corporations? Wouldn't it be convenient for people to log in with the same ID they use to get into their workplace building or floor?
Just a thought...
The biggest problem with password security is user education.
USER. EDUCATION.
Forget WHY password complexity and expiring passwords are important; end-users don't care about that.
Educate end-users on how to make passwords that are complex and easy to remember. Such a thing IS possible. For example, teach users to pick a phrase or sentence and type that in, replacing all the instances of the letter E with the number 3 and capitalizing all vowels. All the user needs to remember is the phrase and the rules to make it complex. And the phrase can be something VERY easy to remember like "my daughter was born in march" which turns into "mydAught3rwAsbOrnInmArch". Maybe you leave the spaces in. Maybe you change A to 4 or L to 1. Whatever the user wants.
It produces a complex, easy to remember password.
but we just ran a cracker program on the passwd file (on Solaris at the time) and exposed about 50% of the passwords. Then we went to the affected users and said, "This is your password, right?" After the first shock passed we would say, "It's too easy. You need to change it. Next week we'll run the cracker program again." We also sent around a little tutorial on how to create good passwords by using initials of a memorized sentence (as some have suggested here). After about four runs we were down to less than 10%, and we called it good.
How about a moderation of -1 pedantic.
TechRepublic covered this almost a month ago, though it still gets sidetracked (like the Boston article) in a way that exemplifies the bigger issue.
Particularly, the point is not about password ageing, which is merely one example of how controls are often ineffective at achieving the security objectives. The bigger problem is that the usual IT security industry mantra has total disregard for all the other IT objectives. The goal (the ultimate, parent objective) of IT is to assist the organisation in achieving its objectives. IT security is just one objective for achieving that goal, but all of them are important.
When evaluating implementing security controls do not simply consider security. You also have to consider things like productivity, expense, risk, or how it might make it harder for the company to respond to customer requirements. Failing to do this is why users’ rejection of the security advice they receive is entirely rational from an economic perspective: they are pursuing objectives and IT security appears little more than an obstacle.
As somebody whose girlfriend recently changed her password, let me say it does have an effect.
The problem with password rules, unlike rules passed by city councils or congress, is that we can use computers to completely enforce them.
That immediately points out exactly how useful real-life rulez are, too but I won't get into that except to say that civilization creates laws, laws do not create civilization. As proof, look at any political revolution.
Getting back to passwords, the rules have very little to do with desired goals--no break-ins.
Seriously, how many accounts are hacked by guessing passwords? Brute force guessing is stopped by a 3 and out system rule for bad pwds. Continued access from a compromised pwd is a serious issue but 1) the account first has to be hacked and 2) continual access from different machines can be monitored by the sys admins without user involvement.
Just a modicum of analysis shows that if you implement no reuse and a 45-day timeout, then each user has to come up with 8-10 hard-to-remember passwords each year. FOR EACH ACCOUNT.
The rule is as silly as Citibank's warning on the envelope they send me that a paper trail is an identity thief's best friend. How many of those crimes occur via paper and how many occur electronically? They just want to make their jobs easier and more cost-effective.
Pretend it would take about two months of processing time for a computer or cluster of computers to crack your 16 character length password with symbols, uppercase, lowercase and numbers. Now imagine that if your password were to be changed every month that the two month duration attempt to crack the password is useless since the password has changed and another two month attempt would have to be initiated.
That is an incorrect argument made by somebody who knows nothing about statistics.
First, if the time taken to crack a password is two months, and you change your passwords every two months, then there's a 50% chance of cracking the password in the first attempt, and a 100% chance of cracking the password the second attempt. So your example doesn't work.
Now, suppose a cracker has a, say, 1% chance of guessing a password per month of attempts, and is attacking, say, 10,000 accounts. On the average, the cracker will have ten hits every month, but he will only break your account, on the average, once every 8 years. Still, that's a 12 percent chance of you getting compromised in a year, and a 6 percent chance you'll get hit in six months. So, can you reduce that 6 percent chance by changing your password every 2 months? NO. The chance that your changed password moves into the window of passwords that the cracker is going to try next month is exactly equal to the chance that the password change moves the password out of the window the cracker is trying. The odds of the cracking succeeding do not change at all by password changing.
The number of passwords that the cracker guesses per month does not change.
http://www.geoffreylandis.com
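The "guess window" argument in the post above, worked through as an added example (this is not code from the post, the Globe article, or Herley's paper). It models a rate-limited guesser working through a candidate list against a user who either keeps one password or is forced onto a fresh one every month, and compares the simulated compromise rate with the closed form 1 - (1 - p)^months that the post's 12%/6% figures come from. The candidate space of 1,000, 10 guesses per month and 12-month horizon are constructed toy values so the simulation runs in well under a second.

```python
import random


def analytic_compromise_prob(p_month: float, months: int) -> float:
    """Probability the account falls within `months` when each month's guessing
    succeeds independently with probability p_month (the post's model).
    Rotation does not appear in the formula: a fresh password is as likely to
    land inside next month's guess window as the old one was to stay in it."""
    return 1.0 - (1.0 - p_month) ** months


def simulate(space: int, rate: int, months: int, rotate: bool,
             trials: int = 20000, seed: int = 7) -> float:
    """Monte Carlo check of the same claim.

    The attacker walks a shuffled list of `rate` distinct candidates per month
    and never repeats a guess. The user's password is a uniform draw from the
    same `space`; if `rotate`, it is redrawn at the start of every month.
    Returns the fraction of trials in which some month's window hit the
    password then in use (toy parameters, constructed for this example)."""
    assert months * rate <= space, "attacker cannot exceed the space"
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        guesses = rng.sample(range(space), months * rate)  # attacker's list
        password = rng.randrange(space)
        for m in range(months):
            if rotate:
                password = rng.randrange(space)  # forced password change
            window = guesses[m * rate:(m + 1) * rate]
            if password in window:
                hits += 1
                break
    return hits / trials


if __name__ == "__main__":
    # 10 guesses a month out of 1,000 candidates is a 1%/month attacker.
    print("closed form, 12 months:", round(analytic_compromise_prob(0.01, 12), 4))
    print("closed form,  6 months:", round(analytic_compromise_prob(0.01, 6), 4))
    print("simulated, no rotation:", simulate(1000, 10, 12, rotate=False))
    print("simulated, monthly rotation:", simulate(1000, 10, 12, rotate=True))
```

With these parameters the two simulated rates land within sampling noise of each other and of the 11.4% closed form; what moves the number is the attacker's guess rate and the size of the candidate space, not how often the password is rotated.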
As a long time sysadmin, my experience has been, the more onerous the password aging algorithm, the more likely that passwords will be on yellow stickies under the keyboard.
For instance, if your password expires monthly and you're required to pick a password with upper case, lower case, numbers and symbols, I guarantee that the majority of your users will write it down and stick it to something easily accessible.
If you get really draconian about keeping passwords on stickies on the monitor or under the keyboard, they'll keep it in their pocketbook or stuck to the back of their cell phone, which is difficult to track and actually a worse security hole (because the building at least has physical security).
My opinion is that password aging and password complexity rules are a managerial line item, not really a security strategy. A true security strategy is a combination of good logging, regular analysis, and tools like password breakers.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
It seems you have forgotten the other common user behavior... sharing passwords.
One of my reporting users had direct SQL access to a replicated and sanitized (no sensitive data) copy of our Database. He is an advanced user with plenty of reporting knowledge and we required ad-hoc reporting that did not damage/slow production.
During a security audit, I was required to expire his password.
The next day we had 9 tickets from 9 different users: "My access was taken away"
It would be a matter of a simple lookup since all the "grunt" work has been done already.
Not quite. There are no tables that exist, nor can they exist, that have 16 character passwords with the given qualifications. Assuming you could generate the tables, which my comment above shows is not possible, let's find out just how much space that table would require to store.
MD5 hashes are 128 bits. The corresponding password, assuming 8 bits per character, is also 16*8=128 bits. Assuming no overhead, that means we have 256 bits, or 32 bytes per password. Using the calculation in my previous post, 16 character passwords with those qualifications have 1.24*10^30 combinations. That means 3.96*10^31 bytes would be required to store this. How much is that? Let's put it this way - SI prefixes don't go up that high. Why? Because it's such an astronomically large number that there is no reason (yet) to have naming conventions that high. The entire internet is estimated to have 5*10^20 bytes. The amount of hard drive storage in every computer ever made by man combined doesn't have the necessary storage to hold that rainbow table.
The very next story on Slashdot is "Apache Foundation Attacked, Passwords Stolen". I think the answer is "yes", password aging makes lots of sense.
In the mainframe days we put in place a delay before another attempt that exponentially grew each time the password was entered incorrectly. First fail - 2 seconds delay, second fail - 4 seconds delay, third fail - 8 seconds... etc.