Slashdot Mirror


Please Do Not Change Your Password

cxbrx writes "Mark Pothier's Boston Globe article, 'Please do not change your password,' covers a paper by Microsoft Researcher Cormac Herley, 'So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users,' from the 2009 New Security Paradigms Workshop. Herley argues 'that user's rejection of the security advice they receive is entirely rational from an economic perspective.' Herley discusses 'password rules,' 'teaching users to recognize phishing sites by reading URLs,' and 'certificate errors.' Users obviously choose bad passwords, but does password aging actually help? There was some discussion on TechRepublic. I'm especially interested in hearing about studies about password aging."

10 of 497 comments

  1. The best password is: by Anonymous Coward · · Score: 5, Funny

    hunter2

    1. Re:The best password is: by danomac · · Score: 5, Informative

      For those that don't know where that comes from, it's a bash quote.

  2. Please let me use the same password by Hatta · · Score: 5, Insightful

    We have a password expiration policy at my work. Every time I change my password I have to memorize a new one. So I pick a password that's easy to remember; as such, it's also easy to guess. If I could just memorize a password once and keep it forever, I'd be using a password that's essentially random. This policy is nonsense.

    --
    Give me Classic Slashdot or give me death!
    1. Re:Please let me use the same password by oldspewey · · Score: 5, Insightful

      And don't forget the arbitrary rules put in place to ensure "strong" passwords - with each ruleset being different depending on the environment or portal being secured. My personal favourite: "No repeating characters allowed." Super idea! Let's force users to weaken their passwords by eliminating the possibility of duplicate characters in strategic locations.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    2. Re:Please let me use the same password by oldspewey · · Score: 5, Funny

      What a waste of a perfectly good pretend. No thanks, I'm going to pretend I'm on a white sand beach in Thailand, gentle waves lapping at the nearby shoreline, while I sip gin tonics and a dainty masseuse massages my pale white calves.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    3. Re:Please let me use the same password by Bearhouse · · Score: 5, Informative

      > And don't forget the arbitrary rules put in place to ensure "strong" passwords - with each ruleset being different depending on the environment or portal being secured. My personal favourite: "No repeating characters allowed." Super idea! Let's force users to weaken their passwords by eliminating the possibility of duplicate characters in strategic locations.

      Indeed. Similar to the Enigma: http://en.wikipedia.org/wiki/Enigma_machine
      Where a misguided decision was taken to never let a character be encoded to itself. This actually weakened the cypher: http://en.wikipedia.org/wiki/Cryptanalysis_of_the_Enigma
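      An added example (not from the thread) to put a number on the "No repeating characters allowed" rule from the two comments above: it computes how many bits of search space the rule removes under either reading of it (no character equal to the one before it, or no character used twice), and checks the closed forms by exhaustive enumeration on a tiny alphabet. The alphabet of 95 printable ASCII characters, the fixed length, and the assumption that the password would otherwise be chosen uniformly at random are all mine.

```python
import math
from itertools import product


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2(k**n): search space for unconstrained fixed-length passwords."""
    return length * math.log2(alphabet_size)


def no_adjacent_repeat_bits(alphabet_size: int, length: int) -> float:
    """Reading 1 of the rule: no character may equal the one before it.
    There are k * (k-1)**(n-1) such strings."""
    if alphabet_size < 2:
        raise ValueError("need at least two symbols")
    if length < 1:
        return 0.0
    return math.log2(alphabet_size) + (length - 1) * math.log2(alphabet_size - 1)


def no_repeat_anywhere_bits(alphabet_size: int, length: int) -> float:
    """Reading 2 of the rule: no character may appear twice.
    There are k!/(k-n)! such strings (none at all once n > k)."""
    if length > alphabet_size:
        raise ValueError("no password of that length satisfies the rule")
    return math.log2(math.perm(alphabet_size, length))


def count_by_enumeration(alphabet: str, length: int, rule: str) -> int:
    """Brute-force count on a tiny alphabet, used to confirm the closed forms."""
    n = 0
    for pw in product(alphabet, repeat=length):
        if rule == "adjacent":
            ok = all(a != b for a, b in zip(pw, pw[1:]))
        elif rule == "anywhere":
            ok = len(set(pw)) == len(pw)
        else:
            raise ValueError(rule)
        n += ok
    return n


def bits_lost(alphabet_size: int, length: int) -> dict:
    """Bits an attacker no longer has to search once the rule is public."""
    base = keyspace_bits(alphabet_size, length)
    return {
        "adjacent": base - no_adjacent_repeat_bits(alphabet_size, length),
        "anywhere": base - no_repeat_anywhere_bits(alphabet_size, length),
    }


if __name__ == "__main__":
    # Sanity check: "abc", length 4 -> 3 * 2**3 = 24 strings with no adjacent repeat
    print(count_by_enumeration("abc", 4, "adjacent"), round(2 ** no_adjacent_repeat_bits(3, 4)))
    # 95 printable ASCII characters, 8 characters, uniformly random
    for k, v in bits_lost(95, 8).items():
        print(f"{k:8s} {v:.3f} bits lost of {keyspace_bits(95, 8):.2f}")
```

      For an 8-character uniformly random password the rule costs roughly 0.1 bits (adjacent reading) or 0.4 bits (anywhere reading), so the pruning an attacker gains is small. What the arithmetic does not model is the comment's actual complaint: the rule rejects passwords people would otherwise have chosen, and whatever they substitute is usually more predictable, not less.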

  3. Re:Password aging isn't in touch with the real wor by ConceptJunkie · · Score: 5, Insightful

    And this points to a huge problem in IT departments, companies in general and our whole society. So much effort needs to be put into CYA activities, not because you're not doing your job right, but because you are liable to be subject to the whimsical judgement of stupid or ignorant people. Appearing to do the right thing is perceived as much more important than actually doing the right thing because failures of appearance tend to have much worse consequences. Look at Congress: 90% of what they do is so they appear to be taking positive action on some issue, regardless of the effects it will have. And for them, it clearly works because they keep getting re-elected despite being the most consistently incompetent group of people drawing a salary in the U.S.

    --
    You are in a maze of twisty little passages, all alike.
  4. Re:Please fix your systems! by MobyDisk · · Score: 5, Insightful

    Amen! The concept of "password" is obsolete. Just never use it. Say "passphrase" and watch the light bulb go off as people realize it is easier to remember *and* more secure.

  5. Re:Please fix your systems! by Benzido · · Score: 5, Funny

    Better yet, change your password to "do you have a pen?" and then call your IT person to say that you've forgotten what your password is.

  6. Complex and expiring passwords are a GOOD thing by _bug_ · · Score: 5, Funny

    The biggest problem with password security is user education.

    USER. EDUCATION.

    Forget WHY password complexity and expiring passwords are important; end-users don't care about that.

    Educate end-users on how to make passwords that are complex and easy to remember. Such a thing IS possible. For example teach users to pick a phrase or sentence and type that in, replacing all the instances of the letter E with the number 3 and to capitalize all vowels. All the user needs to remember is the phrase and the rules to make it complex. And the phrase can be something VERY easy to remember like "my daughter was born in march" which turns into "mydAught3rwAsbOrnInmArch". Maybe you leave the spaces in. Maybe you change A to 4 or L to 1. Whatever the user wants.

    It produces a complex, easy to remember password.