Slashdot Mirror

← Back to Stories (view on slashdot.org)

Please Do Not Change Your Password

Posted by CmdrTaco on from the my-password-is-trustno1 dept.

cxbrx writes "Mark Pothier's Boston Globe article, 'Please do not change your password,' covers a paper by Microsoft Researcher Cormac Herley, 'So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users,' from the 2009 New Security Paradigms Workshop. Herley argues 'that user's rejection of the security advice they receive is entirely rational from an economic perspective.' Herley discusses 'password rules,' 'teaching users to recognize phishing sites by reading URLs,' and 'certificate errors.' Users obviously choose bad passwords, but does password aging actually help? There was some discussion on TechRepublic. I'm especially interested in hearing about studies about password aging."

33 of 497 comments (clear)

  1. The best password is: by Anonymous Coward · · Score: 5, Funny

    hunter2

    1. Re:The best password is: by bluefoxlucid · · Score: 4, Funny

      Yeah, when you type it you'll see 'hunter2', and when I copy/paste it you'll see 'hunter2', but all I see is *******

      --
      Support my political activism on Patreon.
    2. Re:The best password is: by danomac · · Score: 5, Informative

      For those that don't know where that comes from, it's a bash quote.

  2. Please let me use the same password by Hatta · · Score: 5, Insightful

    We have a password expiration policy at my work. Every time I change my password I have to memorize a new one. So I pick a password that's easy to remember, as such it's also easy to guess. If I could just memorize a password once, and keep it forever I'd be using a password that's essentially random. This policy is nonsense.

    --
    Give me Classic Slashdot or give me death!
    1. Re:Please let me use the same password by oldspewey · · Score: 5, Insightful

      And don't forget the arbitrary rules put in place to ensure "strong" passwords - with each ruleset being different depending on the environment or portal being secured. My personal favourite: "No repeating characters allowed." Super idea! Let's force users to weaken their passwords by eliminating the possibility of duplicate characters in strategic locations.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    2. Re:Please let me use the same password by oldspewey · · Score: 5, Funny

      What a waste of a perfectly good pretend. No thanks, I'm going to pretend I'm on a white sand beach in Thailand, gentle waves lapping at the nearby shoreline, while I sip gin tonics and a dainty masseuse massages my pale white calves.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    3. Re:Please let me use the same password by r_jensen11 · · Score: 4, Insightful

      We have a password expiration policy at my work. Every time I change my password I have to memorize a new one. So I pick a password that's easy to remember, as such it's also easy to guess. If I could just memorize a password once, and keep it forever I'd be using a password that's essentially random. This policy is nonsense.

      Password rotation doesn't help with hackers, but it helps when a coworker learns what your password is.

    4. Re:Please let me use the same password by whois · · Score: 4, Insightful

      There is a flip-side to this. No matter how careful you think you are, you will one day expose your password in the clear. Once that happens you have no way of knowing if anyone was watching.

      Typing a password in the wrong terminal, typing a password in the wrong web field and having it autosearch google for your password. Typing your password over a bluetooth wireless keyboard with unknown encryption. Using a telnet session, etc. Logging in using a friend or co-workers PC that may have been compromised, etc.

      Because of all this, it's still a good policy to change passwords on an annual basis, with an immediate password change if you know it's been leaked.

      I encourage companies to move to single sign-on, since I consider having to memorize 17 passwords for one company to be more hassle than having to change a password frequently.

      Or having to change a password on a system you only login to once every 6 months, every time you login. I hate that. :)

      Unfortunately, it doesn't always work out because one centralized password means you trust one department of a company with access to everything (there are workarounds for this, but still company politics gets in the way)

    5. Re:Please let me use the same password by Moryath · · Score: 4, Insightful

      I encourage companies to move to single sign-on, since I consider having to memorize 17 passwords for one company to be more hassle than having to change a password frequently.

      Single sign-on for a single company is a great idea.

      Having your work password, gmail, hotmail, bank password all be the same? BAD idea.

    6. Re:Please let me use the same password by COMON$ · · Score: 4, Insightful
      On our LAN I put rational policies in place. Essentially I look at the threat of an event and what it will take to mitigate it. If I am worried about a brute force attack I can solve that by password rotation or increasing complexity. I let the user choose which they are comfortable with. Some users dont want to use a passphrase so they have to change their password more often. Other people have realized that "I love my dog fluffy." is really easy to remember and since it meets my complexity and length requirements I make the password rotation much much longer.

      Yes, In 2008 AD you can do granular password policies, and yes this works VERY well. Not only do I have a pile of users with 15+ characters, I have users who WANT to use these passwords.

      I find that when you give the users a choice and work with them, security goes much smoother. users will always take the easiest way out, every time.

      --
      CS: It is all sink or swim...oh and did I mention there are sharks in that water?
    7. Re:Please let me use the same password by Shakrai · · Score: 4, Funny

      Am I mistaken?

      Please provide me with your social security number, birthday and mailing address so that I may answer your question.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    8. Re:Please let me use the same password by DarkOx · · Score: 4, Insightful

      What is might do is limit exposure. Suppose someone guesses a password. They are not a hacker and even having guess a password they perhaps lack priviliges to make any systemic changes given them a back door. Having a rotation policy ensures they are only reading your CEO's e-mail for 90 days rather than years undetected.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    9. Re:Please let me use the same password by Bearhouse · · Score: 5, Informative

      And don't forget the arbitrary rules put in place to ensure "strong" passwords - with each ruleset being different depending on the environment or portal being secured. My personal favourite: "No repeating characters allowed." Super idea! Let's force users to weaken their passwords by eliminating the possibility of duplicate characters in strategic locations.

      Indeed. Similar to the Enigma: http://en.wikipedia.org/wiki/Enigma_machine
      Where a misguided decision was taken to never let a character be encoded to itself. This actually weakened the cypher: http://en.wikipedia.org/wiki/Cryptanalysis_of_the_Enigma

    10. Re:Please let me use the same password by MobyDisk · · Score: 4, Insightful

      My favorite is "password may be no longer than X characters" - why arbitrarily limit the length of them? It's especially great when X is something small like 4 (pin #s) or 8.

    11. Re:Please let me use the same password by CastrTroy · · Score: 4, Informative

      Any halfway decent password system only stores a hash of the password, and therefore can't tell if you only changed 1 character on your password, because it has no idea what your previous password was, only what your previous password hashed to.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    12. Re:Please let me use the same password by PPH · · Score: 4, Funny

      Or ex-wife.

      --
      Have gnu, will travel.
    13. Re:Please let me use the same password by UnknowingFool · · Score: 4, Interesting

      Actually the Enigma is a good example of how a system is weakened by its users. Yes the cipher had weaknesses such as never encoding a character to itself and that the rotors were in alphabetic order rather than randomized. But the main weakness was the users and the Allies exploited that.

      The machine itself had a number of settings. With all these settings, the Enigma messages could have daily and message specific settings. For the Army and Luftwaffe, it was left up to the operator to set them. Unfortunately, some operators were lazy and re-used settings. Also the German military had a habit of re-sending the same messages again and again for propaganda, morale, etc.

      The German Navy was much more disciplined. They issued code books that specified many of the settings per day. These settings were much more randomized. These code books were printed on specialized paper that would disintegrate in contact with water. This system was much more secure until the Allies captured some code books when they captured a German vessel. The procedure was the captain was to destroy the code books by tossing them into sea. The captain of a disabled vessel abandoned it only to return to retrieve his personal effects rather than destroy the books.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    14. Re:Please let me use the same password by Tomy · · Score: 4, Insightful

      Pretend that if an attempt to log into his account fails three times, his account is locked and requires a new password.

      Or pretend that your security system notes what IP address such failures comes from, and disables all access from that IP. Or it scores various IP connections, giving more trust to IP addresses that are successful.

      Whenever I see the onus forced on users, I see people who haven't learned the wisdom of the following quote:

      "I object to doing things that computers can do." - Olin Shivers

    15. Re:Please let me use the same password by jbengt · · Score: 4, Insightful

      Sounds like a bad application of math to me. (I admit, though that I only skimmed through the report, so I could be wrong)
      There are two sides to a risk analysis, the probabilities and the values being risked. People will play the lottery even when they don't have a reasonable chance, because the thing being risked is not that valuable. But they are not willing to risk their life savings when the odds are slightly in their favor, because they can't repeat the bet 100 times to try and come out ahead on average.
      If I'm the owner of a business, and I'm paying my employees X time the minimum wage, and a breach costs me Y dollars, I can live with the math. But if there's even a small chance that a breach will cause the death of my business, then I'm willing to have my employees spend "more than it's worth".

    16. Re:Please let me use the same password by cusco · · Score: 4, Informative

      Had an instructor once whose day job was penetration testing for financial institutions. He and his partner would show up at the site and he would start unpacking the equipment they would use to probe the external connections to the network. While he was doing this his partner would get on the phone and start calling branch offices, asking to speak to the manager claiming to be from the IT department. He said that in three years he had never finished setting up before his partner had managed to secure a login and password.

      Amusingly enough, they learned quickly not to bother with rank and file employees. Most of those folks were aware that they would be out the door if they were stupid enough to hand over a login and password to a voice on the phone, but managers always seemed to think they were too important to be fired, so too important to have to pay attention to minor issues like security policies.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  3. Totally in time. by Anonymous Coward · · Score: 4, Funny

    "Change your passwords and be rooted." -- JIRA attackers.

  4. Ironic Juxtaposition by Arancaytar · · Score: 4, Interesting

    1. Apache Foundation Attacked, Passwords Stolen

    2. Please Do Not Change Your Password

    Slashdot is awesome today!

  5. Password aging isn't in touch with the real world by Skyshadow · · Score: 4, Insightful

    Password aging is one of those policies that sounds like it makes some degree of sense only if you don't have any understanding of human nature.

    Here in reality, forcing people to change their password every 30 or 60 or 90 days only has a few possible results:

    (1) A lot more people writing down passwords and sticking them to their monitors. Who the hell can remember a new eight-digit string of nonsense every month?
    (2) A lot more easy-to-guess passwords
    (3) Incremented passwords (FuckTheSecurityGuys14)

    This is why I consider password policies a great indicator of where your IT department is on the "keepin' it real" scale: No restrictions, you IT people are idiots and don't care or understand security. Reasonable restrictions (min 8 characters, letters and numbers) and you're in the sweet spot. Passwords that expire every 15 minutes, your IT people are idiots and don't care or understand security.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  6. Password aging does *not* help by bradley13 · · Score: 4, Insightful

    Password aging is not only irritating for users, it causes them to choose even worse passwords, or to write their passwords down. If you are lucky, and they do neither of these, then it is very likely that they will use "strong-password-1", "strong-password-2".

    --
    Enjoy life! This is not a dress rehearsal.
  7. Post-it Note passwords by Midnight+Thunder · · Score: 4, Interesting

    There is one thing worse than a bad password, and that is one that needs to be written down on a post-it note.

    I see password security as an exponential curve, on a graph, reaching a certain peak and then dropping to zero. That dropping point is where the password rules become so complicated that most people would rather write the password down than try to remember it. That piece of paper suddenly became your weak point in the security model. For this reason you password policies need to focus on something that is sufficiently secure, but not so secure that it is in effect insecure.

    --
    Jumpstart the tartan drive.
  8. Re:Password aging isn't in touch with the real wor by ConceptJunkie · · Score: 5, Insightful

    And this points to a huge problem in IT departments, companies in general and our whole society. So much effort needs to be put into CYA activities, not because you're not doing your job right, but because you are liable to be subject to the whimsical judgement of stupid or ignorant people. Appearing to do the right thing is perceived as much more important that actually doing the right thing because failures of appearance tend to have much worse consequences. Look at Congress, 90% of what they do is so they appear to taking positive action on some issue, regardless of the effects it will have. And for them, it clearly works because they keep getting re-elected despite being the most consistently incompetent group of people drawing a salary in the U.S..

    --
    You are in a maze of twisty little passages, all alike.
  9. Please fix your systems! by A+Friendly+Troll · · Score: 4, Interesting

    How many times have you seen "the password must be between x and y characters in length and must contain blah blah"?

    I want to enter a full sentence. Like "this is my password and you won't be able to guess it, you idiot". You aren't making this possible, because you're thinking like geek programmers who use randomly-generated strings of 8-12 characters by the dozens.

    I write code and do inter-office support for my apps. Do you know how many times someone told me "I forgotz my password, halp!!11" after they were instructed to use a full sentence with a minimum of twenty-five characters? Zero. Nobody ever forgot it.

    1. Re:Please fix your systems! by MobyDisk · · Score: 5, Insightful

      Amen! The concept of "password" is obsolete. Just never use it. Say "passphrase" and watch the light bulb go off as people realize it is easier to remember *and* more secure.

    2. Re:Please fix your systems! by Benzido · · Score: 5, Funny

      Better yet, change your password to "do you have a pen?" and then call your IT person to say that you've forgotten what your password is.

  10. Username: TheFonz by poptones · · Score: 4, Funny

    Password: Aaaaaayyy

  11. Complex and expiring passwords are a GOOD thing by _bug_ · · Score: 5, Funny

    The biggest problem with password security is user education.

    USER. EDUCATION.

    Forget the WHY password complexity and expiring passwords is important; end-users don't care about that.

    Educate end-users on how to make passwords that are complex and easy to remember. Such a thing IS possible. For example teach users to pick a phrase or sentence and type that in, replacing all the instances of the letter E with the number 3 and to capitalize all vowels. All the user needs to remember is the phrase and the rules to make it complex. And the phrase can be something VERY easy to remember like "my daughter was born in march" which turns into "mydAught3rwAsbOrnInmArch". Maybe you leave the spaces in. Maybe you change A to 4 or L to 1. Whatever the user wants.

    It produces a complex, easy to remember password.

  12. Bad argument by Geoffrey.landis · · Score: 4, Insightful

    Pretend it would take about two months of processing time for a computer or cluster of computers to crack your 16 character length password with symbols, uppercase, lowercase and numbers. Now imagine that if your password were to be changed every month that the two month duration attempt to crack the password is useless since the password has changed and another two month attempt would have to be initiated.

    That is an incorrect argument made by somebody who knows nothing about statistics.

    First, if the time taken to crack a password is two months, and you change your passwords every two months, then there's a 50% chance of cracking the password in the first attempt, and a 100% chance of cracking the password the second attempt. So your example doesn't work.

    Now, suppose a cracker has a, say 1% chance of guessing a password per month of attempts, and is attacking, say, 10,000 accounts. On the average, the cracker will have a ten hits every month, but he will only break your account, on the average, once every 8 years. Still, that's a 12 percent chance of you getting compromised in a year, and a 6 percent chance you'll get hit in six months. So, can you reduce that 6 percent chance by changing your password every 2 months? NO. The chance that your change password moves into the window of passwords that the cracker is going to try next month is exactly equal to the chance that the password change moves the password out of the window the cracker is trying. The odds of the cracking succeeding does not change at all by password changing.

    The number of passwords that the cracker guesses per month does not change.

    --
    http://www.geoffreylandis.com
  13. password aging doesn't work by roc97007 · · Score: 4, Interesting

    As a long time sysadmin, my experience has been, the more onerous the password aging algorithm, the more likely that passwords will be on yellow stickies under the keyboard.

    For instance, if your password expires monthly and you're required to pick a password with upper case, lower case, numbers and symbols, I guarantee that the majority of your users will write it down and stick it to something easily accessible.

    If you get really draconian about keeping passwords on stickies on the monitor or under the keyboard, they'll keep it in their pocketbook or stuck to the back of their cell phone, which is difficult to track and actually a worse security hole (because the building at least has physical security).

    My opinion is that password aging and password complexity rules are a managerial line item, not really a security strategy. A true security strategy is a combination of good logging, regular analysis, and tools like password breakers.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.