Passwords That Are Simple — and Safe (?)
TravisTR submitted a story that talks about simpler passwords. I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain, but I'm not sure that allowing unique but simpler passwords is a better idea.
Why not use simple words that can't easily be found using a dictionary bruteforce?
And most hacked accounts come from shitty secret question/answer that can let you change the password.
Call it a "passphrase." Ban that other word.
Recent paper by some microsoft folks at usenix security: "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users" (http://research.microsoft.com/en-us/um/people/cormac/papers/2009/solongandnothanks.pdf)
Damn, now I'll have to read the article.
If I suffer any injuries it'll be on you slashdot!
The best passwords I've used are non-dictionary but pronounceable words. The simplest way to generate one is to alternate consonants and vowels, for example 'lasopedi'. It's easy to remember because your brain can store it as a word, not as a random series of letters. You can add uppercase letters, symbols, or numbers if you want it more complex, like 'lasoPedi2!', which is still pretty easy to remember.
To me it depends on two things:
1) How important is the data.
2) What level of access do un-authorized people have to the system.
For example, we have a private development server on an isolated vlan. The only way to gain any network activity to this server is to be plugged into one of the ports that have access to that vlan (so just the developer offices).
Do I really need a password like 2wsx)OKMnhy6BGT%?
or does something simple like: 53xym@n cover it?
Now, let's say it's a public server available on the internet with ssh running? Does a really strong password protect me any more than just using a simple public key with a simple password on said key?
I'm not sure that allowing unique but simpler passwords is a better idea.
There is a misunderstanding here. The paper itself is proposing an additional mechanism for protecting against popular passwords. Let's say I give you the password "password" and you find it in the dictionary and send it back to me. Now I give you the password "p@ssword" and you again explain it must have an uppercase/lowercase mix as well as a special character and a number. So I give you "P@ssw0rd" and we go about on our merry business.
... and can be applied equally to the loosest and most stringent password requirements.
Unfortunately for the security of my account, I responded to your system's demands in a very algorithmic way. And, after millions of users try this, it might be safe for me to add in my dictionary attacks substitutions for characters in password.
I believe what the proposed paper is suggesting is that there is an oracle that alerts the user when their password is acceptable but is simply too common and therefore unsafe. The final piece of the puzzle is building in protection so that attackers cannot "query" the Oracle to find out what are popular passwords in your system that have reached their max. It's about managing entropy in the set of passwords that your user has with a new mechanism.
After reading the paper (assuming you don't have this already), it is genuinely a way to increase your user's protection.
My work here is dung.
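The popularity oracle that comment describes, as an added example that is not code from the paper or from any poster: a count-min sketch of password popularity with a per-password cap, plus a per-client rejection budget so the "too common" answer cannot be farmed as a list of popular passwords. The choice of a count-min sketch, the secret HMAC key, the thresholds and the sample sign-ups are all assumptions of this example.

```python
import hashlib
import hmac
from collections import defaultdict


class PopularityOracle:
    """Popularity cap for passwords, backed by a count-min sketch.

    The sketch holds only counters indexed by keyed hashes of the password, so
    it never stores a password and a leaked copy is not a list of them. A
    password is refused once every one of its counters has reached max_users;
    because cells are shared, the estimate can only over-count, which sometimes
    refuses a rare password (tolerable) but never admits a popular one.
    """

    def __init__(self, key, max_users=3, width=4096, depth=4, max_rejections=3):
        self.key = key                      # server secret, assumed: keeps outsiders from computing cells
        self.max_users = max_users          # how many accounts may share one password
        self.width = width
        self.depth = depth
        self.max_rejections = max_rejections  # oracle-probing budget per client
        self.table = [[0] * width for _ in range(depth)]
        self.rejections = defaultdict(int)  # client id -> refused attempts so far

    def _cells(self, password):
        # one keyed hash per row; the row index is mixed in so rows are independent
        for row in range(self.depth):
            msg = row.to_bytes(2, "big") + password.encode("utf-8")
            mac = hmac.new(self.key, msg, hashlib.sha256).digest()
            yield row, int.from_bytes(mac[:8], "big") % self.width

    def estimate(self, password):
        # count-min: the smallest cell is the tightest upper bound on the true count
        return min(self.table[r][c] for r, c in self._cells(password))

    def is_too_common(self, password):
        return self.estimate(password) >= self.max_users

    def register(self, client, password):
        """Outcome of a sign-up or password change: 'ok', 'too_common' or 'rate_limited'."""
        if self.rejections[client] >= self.max_rejections:
            return "rate_limited"           # stop answering a client that keeps hitting the cap
        if self.is_too_common(password):
            self.rejections[client] += 1
            return "too_common"
        for r, c in self._cells(password):
            self.table[r][c] += 1
        return "ok"

    def unregister(self, password):
        """Call when a user moves away from a password, freeing its slot."""
        for r, c in self._cells(password):
            if self.table[r][c] > 0:
                self.table[r][c] -= 1


def demo():
    """Constructed sign-ups: three accounts may share P@ssw0rd, the fourth is refused."""
    oracle = PopularityOracle(b"constructed-server-secret", max_users=3)
    results = [oracle.register(f"user{i}", "P@ssw0rd") for i in range(4)]
    results.append(oracle.register("user4", "lasopedi"))
    # a client that keeps submitting the same capped password is cut off after
    # max_rejections answers, even for a fresh password it has not tried before
    probe = [oracle.register("probe-client", pw)
             for pw in ("P@ssw0rd", "P@ssw0rd", "P@ssw0rd", "a fresh passphrase")]
    return results, probe


if __name__ == "__main__":
    print(demo())
```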
Use your favourite idiom/s with random symbols mixed in. For instance, turn "All that glitters is not gold" into "$all.that_glitters.is_not.gold#". Works like a charm.
t*m1Lv!^88o%wYc5#pq9-eb7+n? That's amazing. I've got the same combination on my luggage.
It's the same as the combination to my luggage.
"I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain"
Actually I don't have a problem with it. Once you get used to it and it's normal, then it's really not a problem. The thing with these people is that no matter how easy a password system is, they are going to complain about it.
Just write down your password in a convenient & easily accessible location near entry point. Problem solved.
This only works for big services: If you have only a couple of users, you will miss many of the easy-to-guess passwords. Instead of preventing users from picking the same password as other users, you should check the passwords against a pre-made dictionary. This is basically the same approach, only without relying on the users for building your dictionary.
In most systems, the password isn't the weak point, it is generally the security question or an off-site link. For example, you might require that users of an online banking system use a password 15 characters long, however, you e-mail them a link to change a password if needed through an e-mail account, well if that person's password is "e-mail" or something like that, all the security on your site vanishes.
Really, you have to figure out who would be trying to get into your account, family members? A random black-hat? Your friends? Your enemies? And base passwords on that, for example, if your main problem is with black hats, a password such as your dog's name with your birth year might be good enough to prevent brute force attacks like "fido1961" on the other hand, that password is laughably weak if your family or friends want to get in and have some good skills. However, in most cases people write down passwords which lead to more weaknesses there because for some reason IT departments want people to have passwords of "Zn98iTgg4324YEneEjjRtZ34" which might be great at preventing a black hat from accessing it, but such an arcane password generally requires people to write it down.
Taxation is legalized theft, no more, no less.
Compuserv used to use two words with a punctuation mark between them. My old password was impair?boxer. Tens maybe hundreds of millions of possibilities, simple to remember. I still use that scheme.
It's pretty easy to make secure, simple to remember passwords. Take some random sentence from your life, like "I grew up at 367 oak Street in Mytown when I was little." Grab the first letter and all the numbers, Igua367OiMwIwl and you've got a dictionary proof password that's secure and easy to remember.
I am, by no means, an expert in any of this. Are they suggesting that if (say) 5 people all pick "h3lloth3r3" as their password then this is automatically added to the banned list?
Or are they also suggesting that if a dictionary based attack occurs and 5 people all get "iamgod" as a password tried then it too will get added to the banned list?
The problem I can see with the former is that you could still end up with a deeply insecure password, it's just that no-one else has come up with it. The problem with the latter is that anyone who previously had that password now has to have their account locked until they change it to something more secure.
Thanks for any clarifications!
If the idea is to prevent compromise of multiple accounts, this has merit. But if the attackers only need to get one account (and don't care which one), this actually hurts things. By allowing simpler passwords but requiring that not too many users have the same simple password, they increase the number of simple passwords used by the system, thus increasing the chance the attacker has a password on the system in his dictionary.
Microsoft's advice for your security: Use simpler shorter passwords to protect your data like your birthday or your name etc etc..
I used to use the designations of military units as passwords. Something like HHC of the 72nd Armor Battalion would be hhc72armrbn. After the domain admins started to use 5 passwords remembered I switched to restaurant names and anything else I liked to do. For a little while I thought about using hashed versions of porn star names for system account passwords.
a hash of a nursery rhyme segment or something that you have on your computer would work well. A simple program that hashes a part of a nursery rhyme and pops it into the password field.
I just love being required to use a SECURE PASSWORD for something totally meaningless like a forum or shopping cart. It usually goes like this: 1) Password rejected! All passwords must contain numbers. 2) Password rejected! All passwords must contain mixed case. 3) Password rejected! All passwords must contain at least one symbol. 4) Password rejected! Use only ASCII, ¥ and © are not allowed. 5) Password rejected! Your account has been disabled and a 24 hour block has been placed on your IP address. Please call customer service, the number is on another page of our website.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Not allowing duplicate passwords is often one of the first things that people that don't understand security think of. It's also one of the first things that people realize is a very stupid idea once they come to understand security. The problem is simple. If you tell somebody that the password entered is in use, you've just told them the password of another user. User names are not secret, so it's much simpler to fly through a list of users trying a single password than it is to fly through a list of passwords for a single user. Allowing multiple users to use the same password before it is locked out just makes it worse. If there are multiple potential hits, it's easier to find one account once you have a locked-out password.
Think about a sentence, take the first letter of each word, include a digit : you got your password.
Why aren't we using public key encryption?
If you automatically ban overly popular passwords, you have provided attackers with positive information about passwords in existence among the pool of users under the regime.
1) change password, repeat until
2) you hit upon a banned password
3) add password to the top of your dictionary
4) ???
5) profit
Automated Password Generator (http://www.adel.nursat.kz/apg/) can generate very nice, pronounceable, but still pretty secure passwords. Add a few punctuation characters, and you have a strong password that is fairly easy to remember.
An example of the output:
I've posted this as a potential answer on /. before though the original page on my site is no longer available. It's also been discussed here: http://www.schneier.com/blog/archives/2009/05/secret_question.html (find cipher.php)
I found my old page on the wayback machine...perhaps I'll move it back where it goes
http://web.archive.org/web/20060715223129/http://levii.com/cipher.php
I'd appreciate input on the method. You have your random card, your own ez phrase and you end up with properly complex passwords. I've implemented this in numerous business environments, and people seem very happy with the result. Every 60 days they choose a new ez passphrase and/or get a new dynamically generated card.
Okay, how about an informal poll?
1. What is the oldest password that you are still using?
2. Is the username associated with said account one that can be hit by dictionary attacks? Yes, username.
Because a username and password are only as weak as the weakest link between them. Don't get me started on password recovery schemes. Secret question anyone? Gotta be kiddin' me. People post their secret questions' answers in their blogs sometimes!
Hopefully any site will temporarily lock the account if too many failed passwords are tried. There are other security measures that can be implemented too.
I'd be more scared of trojans than someone guessing a medium strength password myself.
If you can lock out a service, and have things flagged that way, simple isn't quite so bad. You need to have access to the password source to brute force things (in which case, you may just have lost already by giving up that extremely sensitive file).
Users like things nice and simple and memorable. If you force nasty constructs on them, they'll either:
1) Write things down on a piece of paper, or text doc on their desktop. Both are bad (though probably the desktop is worse).
2) Call the service desk every time they need to log in, after having forgotten their password. As long as you've got good checks in place, this isn't quite so bad, but can also open you up to social engineering attacks pretty easily. It is, however, incredibly resource hungry (and service desks rarely have infinite resources).
Having a simple, memorable password, and tracking the fails (locking out on multiple fails) is a reasonably decent way forward, unless you're in a super sensitive domain. In which case, your users should be of a higher calibre as far as familiarity with IT security and procedures are concerned.
In any security process, there will always be flaws. The trick is trying to balance each stage sufficiently that a service is usable by the required users, and also that it is appropriate to protect the services and information desired.
I never understood why phrases never caught on in place of single, overly-complex and hard to remember "words." Using a phrase like "I need my morning coffee!!" as a password is long enough that it won't be brute forced, complex enough that it won't be dictionary'd, and is still completely memorable. Nonsense phrases would make it even less likely to be "figured out."
I like generating passwords that substitute numbers for letters and are misspelled but phonetically recognizable, e.g. j3n3rou5ly
This is definitely a pet peeve of mine. We recently introduced new password rules at work, despite me trying to convince them otherwise. Has to be 8 or more characters, must contain upper and lower case letters, numbers, and symbols. And it has to be changed every 3 months.
Wonderful. Now everyone has these horribly complex passwords, which around half the users are now posting next to their monitor on a sticky note. If they'd made simpler passwords available, not nearly as many people would have resorted to that.
It seems common sense, but too many IT managers just don't get it - complex passwords are only useful until they hit the threshold at which the user sidesteps around the whole secrecy part of it.
"People who think they know everything are very annoying to those of us who do."-Mark Twain
Let's say that there's two threats to passwords:
- Short passwords
- Bruteforceable passwords
The best password is one that overcomes both of these with the minimum memory required.
This is NOT fZ&%!kf(mM*$12ppkf
It is rather M&yfAvouritefiLmI)sAFishCalledWand$a
How do you brute force that? If you were to, you would need a dictionary attack that took all words, or recognised phrases, and randomly inserted all symbols at all positions and tried with all kinds of capitalisations. This comes quite close in terms of bruteforcing to "random collection of symbols". VERY easy to remember, VERY difficult to crack. Please show me wrong.
If you are extremely lazy and sloppy and don't care about nothing (like me), you can also have 2-3 passwords that you mainly use, but each of them tailored to the website by 1 or 2 letters. Something like 'qlmntybio7' but where you replace the T with the last letter of the name in the website (t for slashdoT), or the number with the number of letters in the name, and you use a different password for the webmail it is all linked to. Superficially not easy to guess, blocks phishing bots, takes at least some intelligence and targeted effort to figure out.
Interactive Brokers has an eight character limit for passwords to ensure your money is nice and secure. TightVNC also limits your password to eight characters. Why is this limit imposed for some passwords?
Stop using pass words and move on to pass phrases. They can be fairly long and still easy to remember. Increasing the number of characters does more to make something hard to crack than adding more symbols does.
Hell a phrase like "Purple Elephants make for a rough Work Day" is much harder to crack than "1qaz@WSX3edc$RFV"
It may make dictionary attacks more effective but it will completely destroy brute force methods. Of course the biggest issue is still social engineering so it is still a mostly moot point once you get past trivial passwords.
I'll meet you at the intersection of "Should be" and "Reality"
I don't mind elaborate rules, I do mind that some say things like "You must have a non-letter/number character" while others say "you can't have". It makes my systematic "rules" based approach to creating a password that is easy to remember much harder. (I.e. I can have a rule that says "Password is 1st letter of website name + last letter before the .com/.net/.org plus the combination "!4a" if one idiot says you need something like an ! and another moron says you can't have something like an !
----------
Also, I absolutely HATE the moron that decided every website needs/wants a password. There are certain movie theaters that I refuse to go to because their web based ticket purchasing system requires an invasive profile with password. Look, you don't need that info and trying to get it is incredibly obnoxious when all I want is to buy a ticket online. You aren't even giving me a discount - instead you charge more. You want that precious information, give me a 10% discount.
or just have 2-3 simple passwords that must be done in a certain order, brute force with a dictionary would take much longer
Funny, I do the same thing.
DF331n'$Mu2@l
I simply refuse to earn enough money to make my bank account worth hacking
When your password rules have a net effect of disallowing people from using their familiar mnemonic systems for remembering passwords, you force them to write the passwords down.
And having written-down passwords negates the benefit of all those special characters.
Also, simply making it policy that users can't write the passwords down doesn't help...users either break the policy or often forget their passwords, forcing frequent use of the password recovery process, which can be costly and further weakens the security of your system.
I think the biggest issue (for me) is that for work I have seriously about 20 different passwords for different systems and logins and they all seem to have different requirements. It has taken me 5 minutes before just to create a password that the system will take.. I.E. 8 to 16 chars, must contain 1 special char, 1 cap, 1 lower case, and 1 number, the number and the cap can not be next to each other, the number can't be the first or last char, and you can't have more than 4 chars in a row of the same class. Another system says: Must be 6 to 20 chars and contain lower case, upper case, and must begin with a number. It is an absolute necessity to use my 256 bit AES Android password keeper on my phone or I can't even do my job nowadays.
"Computers are a lot like Air Conditioners" "They both work great until you start opening Windows"
FTA:
[...]
One way that system designers try to defeat dictionary attacks is by temporarily disabling an account when a wrong password is submitted more than a few times. This is called account lock-out, and not surprisingly, attackers have discovered a simple way to defeat the approach.
[...]
Nice, now I can lock-out other people from their own Accounts much easier!
my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and... god.
If the password can be easily remembered, it will end up in a dictionary.
But that doesn't matter. At least it doesn't in the way that TFA discusses passwords.
You have two different uses for passwords:
#1. Lets you login to your computer or account or whatever.
#2. Encrypts files that you don't want other people to read.
If we're dealing with #1 then simple passwords are perfect AS LONG AS SOMEONE IS MONITORING THE ACCOUNT FOR FAILED LOGIN ATTEMPTS and dealing with them (and having a delay between individual attempts).
In case #2 then you want a HUGE key because the file can be attacked off-line.
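The thread's case #1 advice (watch failed attempts and delay between them) and the account lock-out objection from the article can be reconciled with progressive delays instead of a hard lock. This is an added example, not code from the article or any poster: failures from one source against one account back off exponentially, while the account-wide delay is capped at a few seconds so the real owner is slowed, not locked out. All timings, names and the two RFC 5737 documentation addresses are constructed.

```python
ATTACKER_SRC = "203.0.113.5"   # constructed sample address
OWNER_SRC = "198.51.100.7"     # constructed sample address


class LoginThrottle:
    """Slow down failed logins without giving attackers a way to lock accounts.

    Two counters are kept per failure: one for the (account, source) pair, which
    may back off for up to an hour, and one for the account alone, capped at a
    few seconds. A burst of wrong guesses from one address stalls that address;
    the legitimate user coming from elsewhere waits a bounded few seconds.
    """

    def __init__(self, base_delay=1.0, source_cap=3600.0, account_cap=4.0):
        self.base_delay = base_delay
        self.source_cap = source_cap
        self.account_cap = account_cap
        self.failures = {}       # key -> consecutive failures
        self.next_allowed = {}   # key -> earliest time another attempt is evaluated

    @staticmethod
    def _keys(account, source):
        return (account, source), account

    def check(self, account, source, now):
        """Return (allowed, seconds_to_wait) for an attempt at time `now`."""
        wait = max(self.next_allowed.get(k, 0.0) - now
                   for k in self._keys(account, source))
        return wait <= 0, max(0.0, wait)

    def record(self, account, source, success, now):
        """Update counters after the password was actually evaluated."""
        pair, acct = self._keys(account, source)
        if success:
            for k in (pair, acct):
                self.failures.pop(k, None)
                self.next_allowed.pop(k, None)
            return
        for k, cap in ((pair, self.source_cap), (acct, self.account_cap)):
            self.failures[k] = self.failures.get(k, 0) + 1
            backoff = self.base_delay * 2 ** (self.failures[k] - 1)
            self.next_allowed[k] = now + min(cap, backoff)


def simulate():
    """Constructed timeline: one source hammers 'bob', then bob logs in himself."""
    throttle = LoginThrottle()
    log = []
    # attempts refused by check() are not evaluated and therefore not counted,
    # which is what a real server would do with an early-rejected request
    for now in (0, 1, 2, 3, 7, 15):
        allowed, wait = throttle.check("bob", ATTACKER_SRC, now)
        if allowed:
            throttle.record("bob", ATTACKER_SRC, success=False, now=now)
        log.append(("attacker", now, allowed, wait))
    # bob from his own machine: only the short account-wide delay applies
    allowed, wait = throttle.check("bob", OWNER_SRC, 16)
    log.append(("bob", 16, allowed, wait))
    allowed, wait = throttle.check("bob", OWNER_SRC, 20)
    if allowed:
        throttle.record("bob", OWNER_SRC, success=True, now=20)
    log.append(("bob", 20, allowed, wait))
    # the guessing source is still backed off after bob's successful login
    allowed, wait = throttle.check("bob", ATTACKER_SRC, 20)
    log.append(("attacker", 20, allowed, wait))
    return log


if __name__ == "__main__":
    for entry in simulate():
        print(entry)
```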
you can convert numbers into words:
2001: movie ..
2010: movie
1942: arcade saloon game
1984: movie
42: answer
You can also have tiny words that have meaning to you: ..
LOTR: lord of the rings
imho: in my humble opinion
me: me
orly: oh, really?
bf: battlefield
so you can mix both things
bf2010me44 ... ...
tk40000z21
rs47ak232
to me it is easier to remember {expression} {number} {expression} {number} than a true mix of numbers and letters.
Passwords, imho, should be easy to remember and hard to guess.
-Woof woof woof!
One method I heard was to have something simple that you remember but type one key to the right (or any other direction)
For example a password as simple as slashdot becomes d;sjfpy
Instead of memorizing a series of digits, numbers and symbols, I use "nonsense" passwords based on the position of my fingers (not just on the home row) that can be typed quickly. By shifting the block of keys left or right, I can create new passwords with a minimum of fuss. The result is non-dictionary passwords that are easy to remember and quick to enter.
My employer makes us use passwords that have special characters, at least one numeral and at least one upper case _and_ it expires every two weeks. It also can _not_ start _or_ end with a numeral and must be 10 characters in length or more.
I would seriously be amazed if anyone has their password memorized after the first change.
I had to devise a way of creating and remembering my password so I wouldn't have to write it down. I came up with a simple way to do this.
Pick a number key at the top of the keyboard and simply hold shift to get my special character and continue to hold shift to hit the letter below it for the capital.
IE: hold shift and hit 1 then q to get !Q
Then I simply do _not_ hold shift and hit the next 4 sets to numbers/letters.
IE: 2w3e4r5t
This allowed me to create a few unique and easy to type/remember passwords. !Q2w3e4r5t @W3e4r5t6y #E4r5t6y7u, etc. Now, unfortunately I'm at the end of the row of usable 10 character passwords ^Y7u8i9o0p. So now I'm going to have to devise a new method, probably holding shift for the first two sets of letters/numbers.
IE: !Q@W3e4r5t, or, I can go with !Q1q1q1q1q, etc.
My point here is not to give away my passwords but to show off an obvious flaw in my employers policy. I have a system now that I can't actually memorize the password (I can't easily recite it) but I can type it through a pattern. However, if anyone reads this post and knows which system to exploit, they can deduce what my current password is in a matter of minutes (barring lockout).
My employer has forced me to go with an easy to guess system (for subsequent passwords) and isn't secure at all. And how many others have figured out this easy to type in pattern where I work? They have made it so "secure" that I have to use an easy to identify pattern to keep myself sane. That or I write it down which defeats the purpose altogether.
How is that secure?
AC just in case...
Use your phrase. Just turn it into a password.
I Need My Morning Coffee!!
Then jam a number (your morning train, maybe) than makes sense onto it. Result:
inmmc!!650
I do this with song lyrics and quotes, going as far as to leave plaintext reminders on post-its - it's still impossible to guess.
11 random letters (all lowercase) and digits. No need to be more fancy than that. And if you roll the generator several times you'll find the combination which is pretty easy to remember after entering it 2-5 times.
But is that really enough? Let's calculate, assuming somebody can test a million tries per second (way optimistically/pessimistically, I'd say): (26+10)^11 / 10^6 = over 4000 years. Pretty secure. Actually, in real life you can even use 10 or 9 characters and sleep well.
Seriously, I've found that the simplest, non-dictionary passwords are the best. Call me crazy, but I work from the premise that a random user is just as likely to guess my password on the first try as they are to guess it if given 100000 tries.
The place where I work (and other places that fly the same banner) has employees that are exceedingly technology illiterate, so it's a pretty good bet that I can find their passwords written near the terminals on pieces of paper. Since we're required to use two different, complex passwords with special characters, numbers, and various case letters (one for the local system and one for the corporate), and change them both (every month and every three months, respectively) without repeating the same thing for six changes, it's a recipe for disaster. I even tried explaining this basic principle to one of the upper IT guys where I work, one of the key people in deciding various policies.
I guess it's the idea that these techno-phobes, or whatever term is used to label them, need to be told to use something unusual, lest they use something more obvious, like "love", "tammy", "robert".
The easy solution is to make the passwords longer. Everyone can remember a sentence.
"Replacing password creation rules with popularity limitations has the potential to increase both security and usability," the authors write. "Since no passwords are allowed to become too common, attackers are deprived of the popular passwords they require to compromise a significant fraction of accounts using online guessing."
The problem here is, if you attempt to sign up and get told that your password is too common, then you know you're in for a good chance to use that password to gain entry...
You're TELLING the hacker what passwords are common on said system.
People don't remember good passwords very well, so people tend to use the same ones everywhere (73% in a recent published survey used the same password for random hobby or porn or whatnot sites they use for their banking) or make them algorithmic. Need numbers and letters and change every 90 days? How about "Q32010pwd" ? Or "Q3.2010pwd" if a punctuation is needed?
Mere entropy in the word captures only a tiny piece of the security properties of a password. Thus it really IS better to have a shorter password that gets remembered and is kept a long time, rather than one that is written down and visible, or that is algorithmic and has 3 not-very-random characters instead of 9. For someone to learn and remember a password they need time, which is what rapidly changing them denies.
Denying popular words is however not bad, but will cause trouble with many. In some areas vocabularies run to ~5000 words.
If users don't/can't remember their complex passwords then change to some form of two-factor authentication.
And the people STILL share passwords because they cannot remember how to navigate through the various folders.
This is a case where I'd prefer the *nix method and just mount the directories under the user's home directory.
Technology will never be a match for someone's mindset. Bob's files are in Bob's directory on Bob's computer. If Alice wants to see Bob's files, Alice wants to go to Bob's computer. And then Alice wants to copy them to Alice's computer to work on them.
You end up locked out of sites like SLASHDOT that once your password gets so good YOU can't even remember it, you have to create a NEW SLASHDOT ACCOUNT because their stupid email password retrieval system isn't working!!!
And to think I had something knee slapping hilarious to say and now I'm so enraged I can't remember it! ... Oh yeah ...
My passwords are protected by extreme poverty. I've nothing worth hacking.
I keep a database for all the passwords I have and frequently a site claims the password or login is wrong when it is correct! I even copy/paste the login info and pw in case I fat finger it, and it still says it's wrong. Just like what happened to slashdot which I'm now locked out of!
I see two problems -- I don't know that either is a deal breaker, but I figure I'll put them out there.
First, users might not enjoy certain aspects of the experience.
Usually, there are rules, they tell you the rules, and if you follow them, your password is accepted. The system seems fair -- there are rules, you can follow them, if you follow them, it works. The proposed system will feel arbitrary -- you try a password, maybe it will work, maybe not. If it doesn't, you have to try again. Maybe it won't work again.
A certain kind of user is going to get rejected over and over again, because they're going to consistently pick common passwords. And they'll really,really hate this system.
Second, I'm not sure that dictionary attacks will be impossible. Attackers are smart, and they're good at adapting. Just because current dictionary attacks would fail doesn't mean that future dictionary attacks would fail.
People like to use words and swap characters around. So someone might start out with "football". That's not good enough, so they try "footb@ll". Or "footba1l". Whatever. I believe it might be possible to model the processes that people use to generate passwords in their heads, and to create a dictionary of words using the model.
Maybe that would be a lot harder than it seems -- but as we all know, some attackers are really smart and really competent. So that would worry me.
Seriously where does biometric sit these days? Is there a potentially cheap/reliable/ubiquitous form to replace password? Finger-print, retina scan, voice, spit sample... something?
Yet very easy to generate for a machine as well.
It seems like this scheme would require all the passwords to be either stored as plain text or with the same salt in the hash function.
Wouldn't it make all user passwords more vulnerable if the database was leaked?
I'm sorry, that password is already in use in the following accounts.
Myself, I use terms that are meaningful to me (but not derived from personal information or relationships) and not guessable or subject to dictionary attacks. I think that these sort of passwords are easy to remember, but reasonably secure. I use different base terms depending upon the security (perceived or otherwise) of the site I am accessing. Ones for financial sites are longer, more complex, and convoluted than the ones I use for more public sites, like this one. So far, after 15+ years on the internet, I've never had one of my accounts hacked (knock on wood).
Sometimes, real fast is almost as good as real-time.
I'm not going to try and say everyone should have a password that's 64 characters and a mix of 7 languages including native symbols which have never been translated but I do agree short passwords aren't the best idea.
The best idea is to make sure you have the strong passwords blocking access to anything important on the network like servers, firewalls and routers and just have the normal desktop computers protected with a normal 8 - 16 character password.
Even better instead of protecting with a known password have a program generate a password for you and then update all the ssh keys and only allow entry with dynamic ssh keys that also get generated.
It really doesn't matter on the desktop level how strong a password is because you should always store all important information on a server. If you're dumb enough to have important information on a desktop then it's about time you get hacked because you earned it.
In short have big passwords on important network equipment that is connected to the edge of the network such as a firewall and routers, then have everything inside protected with normal passwords.
Shift your hand(s) over or up one character:
over: password = [sddeptf
up: password = 0qww294e
No one cares enough about your data to steal your password, so long as it's not so easy to guess that a random dictionary account gets it real quick, then your 3 letter password of 'AAA' is more secure than most 6 letter passwords.
Why? Again, because no one cares about your data. When you have important enough data that the employees really do need to know security, they'll also have enough intelligence to realize they need to be intelligent with their passwords.
The problem with complex passwords is that idiots keep trying to force them on people who don't need complex passwords.
Your password policies should be geared towards the individual security requirements of ... the individuals.
Donna the secretary gets to use 'mydog' as her password, so does Chris the CEO, because he doesn't do anything anyway, he tells someone else to do everything.
Igor the IT guy has strict password requirements, as do most of the accountants which have access to bank accounts directly.
If you have one password policy for your organization, you are indeed retarded unless your organization consists only of yourself.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
The only reason that people hate complex passwords is that they are hard to remember. However, rather than dumbing down your password, just invent a simple strategy. For instance, let's say you like poetry. Choose a poem that you like, for instance Robert Frost's The Road Not Taken. Then choose your favorite line or stanza, for instance "Two roads diverged in a yellow wood". Now take the first character of each word and concatenate them: "Trdiayw". Now most password enforcers want some special characters including numbers, so you can add a few to get something like: "Trdiayw10-".
This is a reasonably complex password that is really easy to remember, but it's unlikely that this kind of password will show up in a dictionary. And because it's based on a key phrase, I find it really easy to type (I don't even have to think about it). Don't like poetry? Choose lines from your favorite books, or famous quotes, or lines from your favorite songs, etc..
Combining an easy-to-remember word/phrase/name with an easy-to-remember algorithm that you can "run" by hand gives you pretty safe and easy-to-rebuild passwords. A simple example is the classic "pick a phrase and take the initials". You can make it a bit more complex, or even expand it to add some input from where you are applying that password, to make them unique to web sites, servers, or mail accounts. It has other advantages: you don't have to remember the actual password, and could even have no clue what it looks like; just run the algorithm and write it down letter by letter. And while it is totally bad luck to write your real password down somewhere, having the phrase that generates it close by (but keeping the algorithm secret) is not that bad (and could be seen as casual: finding a paper saying "Inception was a great movie!" is not the same as finding "Iwagm!" somewhere).
From this I would suggest that the risk of losing my wallet, or my car keys (also left in my jacket) is still higher than the risk of someone in the building accessing my computer with malice in mind. I also know I am not alone in this practice: everyone here is trusting and honest enough that they have no fear of leaving personal items unattended in, on, or near their desks.
So, given that none of our organisation's machines are directly accessible from the outside and that the risk of an unauthorised intrusion from within is smaller than anyone's threshold for personal paranoia where exactly does the need for strong passwords come from?
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
The service simply counts how many times any user on the service chooses a given password. When more than a small number of users pick a password, the password is banned and no one else is allowed to choose it.
This system was thought of, and rejected many years ago. If you let user x know that a given password is in use, he now has a password that he can try against everyone else's account.
You could try to randomly reject "good" passwords as well, but that would piss off your users.
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
Like everyone else here, I have too many accounts with too many different sets of password rules. They all have memories and want to rotate often. My solution: I installed pgp and made an encrypted text file (1024 bit or something like that) with usernames and accounts in it. This means I have ONE password which I can change when I like.
Brute force attacks are powerless if it takes 5 seconds before a new try is allowed. 5 failed attempts, wait 15 mins.
That would amount to 20 attempts per hour, 480 per day. And there could be a bell to wake an IT admin to figure out what is going on.
Bert
because I CBA to read ALL the comments, but wouldn't it seem like the hacker's approach would just be as such, then: try to change your password to a couple of different ones, finding perhaps 3 (or more, depending on the allowed failed attempts) passwords that are locked out, thus guaranteed to have a hit SOMEWHERE. Then, try those three passwords on every email you have in your database. Wash, rinse, repeat.
Seriously, I don't need to have my password as Po0g33!ln1h3xB6a to be secure. On my home network I often use passwords that are simple words twisted a bit. My home wifi pass is simply "Bl3wB1rd". Easy to remember, somewhat secure... if anyone is desperate to get into my wifi and has the skills to crack that I'm sure they'll crack anything else I can conjure up.
My solution on systems I admin (that's my home stuff, basically) is to use a ridiculously high-quality password and never change it. I think people can memorize anything as long as they know they're not going to have to throw it away in 2 or 6 months and do it all again.
I've used the same password for my last 5 systems at home. With over 60 characters (including lowercase and caps; various punctuation; selections from the extended ASCII character set; and no words from the dictionary), it looks like total gobbledygook. Yet I'll know it forever.
There is a simple method for producing strong, easily remembered passwords.
Step 1) Think of a three to four word phrase that you can easily remember
Step 2) Capitalize one or more but not all the words
Step 3) Replace some characters and spaces with numbers and special characters
Step 4) Input your new awesome password
Protected by extreme poverty. There's nothing worth hacking! ;-p
www.Migrainesoft.com - Computer giving you a headache? We can fix that!
It leaks information.
You may not know WHO has a password of y0m@mm@soF@t!!!eleven but you will know that SOMEONE (at least one person) in the organization has that password.
And if you are on the inside of that organization you'll know the pattern for forming usernames. That means that you'll only need to make a single attempt per username to crack someone's password (although you will not know who's password it is initially).
A better approach would be to simply store the hashes of the passwords that have been used or attempted in the past X days in a dictionary and not allow anyone to use those.
That way, the most common passwords will keep updating as they are attempted and will keep being forbidden. Even if no one has them as an actual password at this time.
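An added worked example (not code from any poster in this thread) of the scheme in the comment above: a blocklist of keyed hashes of passwords that were chosen or attempted within the last X days, consulted whenever a user picks a new password. It differs from the "count how many users chose it" service two ways a practitioner would care about: nothing is ever reported as "in use by someone", and the table stores HMAC tags under a server-side key (the name SERVER_KEY is an assumption for the example) rather than bare hashes, so a dump of the table is not by itself a crackable list of popular passwords. The window length and the clock are parameters so expiry can be exercised offline.

```python
import hashlib
import hmac
import time

# Hypothetical server-side key for the example; load it from a secret store
# in real deployments. Without the key the stored tags cannot be cracked.
SERVER_KEY = b"example-only-server-key"


class RecentPasswordBlocklist:
    """Rejects any candidate password that was chosen or attempted (by
    anyone) within the last `window_days`.

    Only keyed tags are stored, never the passwords or plain hashes, and the
    table is pruned on every call so old entries drop out automatically.
    """

    def __init__(self, window_days=30, key=SERVER_KEY, clock=time.time):
        self.window = window_days * 86400
        self.key = key
        self.clock = clock          # injectable so tests can move time forward
        self._seen = {}             # tag -> time the password was last seen

    def _tag(self, password):
        # HMAC-SHA256 of the password under the server key.
        return hmac.new(self.key, password.encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def _expire(self):
        cutoff = self.clock() - self.window
        self._seen = {t: ts for t, ts in self._seen.items() if ts >= cutoff}

    def record(self, password):
        """Call on every login attempt (success or failure) and on every
        password change, so frequently guessed strings keep being refreshed
        even when nobody currently uses them as a real password."""
        self._expire()
        self._seen[self._tag(password)] = self.clock()

    def is_allowed(self, password):
        """True if the candidate has not been seen inside the window."""
        self._expire()
        return self._tag(password) not in self._seen


if __name__ == "__main__":
    bl = RecentPasswordBlocklist(window_days=7)
    bl.record("mydog")                   # someone tried (or uses) this
    print(bl.is_allowed("mydog"))        # False: recently seen
    print(bl.is_allowed("Brigadoon"))    # True: nobody has used it lately
```

Note that a rejection still tells the chooser that the string was seen recently by someone, but "seen" includes failed guesses, which is far weaker information than "some account currently has this password".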
The password is, one (echo one, re-echo one), two (echo two, re-echo two), three (echo three, re-echo three), four (echo four, re-echo four), five (echo five, re-echo five). So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!
Give up passwords, move to certificates, SSH keys, biometrics etc. It doesn't matter how good your password is, it's toast if someone grabs it off a hacked server/client/WiFi (BTW there's some Brazilian hackers busy installing trojan sshd everywhere they can get to).
Re. stupid website passwords, I've started generating random 20-char passwords and using FireFox to remember them (with a master password, of course). A bit of a pain moving between computers, I really need to get some secure sync scheme sorted out (they do exist)
A full security analysis and examination of its capabilities can be found here:
http://www.grc.com/securitynow.htm#256
"Trying is only the first step towards failure." - Homer
I set my password to "********". Eight asterisks. That way, if anyone ever cracks it or uses a keylogger or something, they'll say "What the hell? I still can't see it." If I need my password to be extra secure, I throw a few more asterisks in there.
I've found a pretty simple way of making very complex passwords.
There are many many combinations to this method:
d3d3E#E#
g5g5G%G%
a1S@d3F$
8 char, lowercase, uppercase, numbers, special char, no dupes.
Look where the keys are, and when the shift key is used.
You can get pretty creative with this method.
I know customers that went with long, very difficult passwords and many different password variations for different programs. They had a security breach because people started writing them down all over the place because of remembrance issues. But yet the short password that never changes is bad too, because it can be easily guessed. This is the headache of admins across the world.
http://www.thetechnologygeek.org
My password is "password". My userid and the site where I use "password"? Ahhh... now that's obscure, and very secure.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
If the password can be easily remembered, it will end up in a dictionary.
Frobgard.
The clock is ticking on your assertion...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I agree, with one caveat: mobile devices!!!! If you are not using that password ever on a mobile device (never say never, I just had to type a passphrase pwd via ssh on my iphone to one of my servers... was a complete frustration, since my error rate on the touchscreen keypad is much higher than on a keyboard). I don't think any mobile device has a good way of entering text-based passwords, and length is a big issue there.
Make sure everyone's vote counts: Verified Voting
Just send me the account login information and passwords for your bank accounts and I'll make sure that they are hard to crack. Oh, I'll also hook you up with this friend of mine from Nigeria, who is a banker and probably has some money for you.
"Be polite, be professional, but have a plan to kill everybody you meet." General James Mattis
THIS
I considered putting this very system into place on a site of mine a half-decade ago, until I realized that I would just be informing attackers which passwords are in use.
Anything that makes a user write down a password has weakened the security essentially to a failure mode.
All of the complex rules some place put in place are the quickest route to a breach in your security. You obviously cannot tell people not to write down passwords - well you can, but people will simply ignore you even under threat of firing, and you certainly have no leverage over executives.
Just make sure a dictionary attack doesn't work against passwords people choose, and let them do what they want beyond that. I would argue for many simple sites where having an account temporarily taken over is not a big deal I wouldn't even go that far.
I've used the same two passwords for over 25 years. Actually it was just one random alpha password that a mainframe spit out when I created one of my first password protected accounts, and I added the second because the original didn't have any numbers in it. I came up with that one the first time a system demanded that I put numbers in a password.
I did recently introduce a 3rd password for my email accounts since I've seen some malware or hackers get your email addy and password from some site you use, then try the same password on that email account, then look for emails from financial institutions and businesses that can be exploited with the same password. But the 3rd password is still the same original password with one number stuck in the middle.
I've never had anything whatsoever hacked into or had any problems of any kind related to the password, even though I've probably used it on more than a thousand systems from mainframes to minicomputers to networks to pc's to web sites.
When I worked for one company that enforced the fancy password rules of length and numeric/symbols and changing it frequently, I just wrote it on a piece of paper and stuck it under the keyboard, just like you're supposed to. I'm not a security guy, I have a different job, and forgetting the stupid password sort of made doing that job difficult. While I'm sure that it's some degree better to go through all these shenanigans, most users not only don't care or won't do it if they can avoid it, they don't want to do it and it probably doesn't make any difference in the grand scheme of things.
Shoot, I used a bank for over 20 years and was pretty happy with them until they introduced the complex password and rotating them every two weeks. I'm not going to remember that crap and I don't want to have to write down my banking password. Kissed them goodbye immediately and put my money in a bank that lets ME decide how much security I need around my password.
Use a really simple password, then run it through your favorite hashing algorithm (MD5, SHA1, etc). Take the first 16 or 32 hex characters. That's your password.
Bonus: Include the name of the website in the pre-hashed password so the passwords are unique.
Don't forget the salt.
echo "my simple password"|sha1sum|cut -b1-12
178e7867fb91
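An added example (mine, not the posters') that does in Python what the shell pipeline above does, plus the two follow-ups: mix in the site name so each site gets a different password, and a salt. The separator handling, the function names, and the stretched variant are my own choices, not anything from the thread. Two practitioner caveats are built into the lead-in rather than the code: hashing adds no entropy, so an attacker who guesses the scheme can run a wordlist through the same pipeline and a truncated 12-hex output holds at most 48 bits; and `echo` hashes a trailing newline, which the Python version does not, so the two do not produce the same digit strings for the same input.

```python
import hashlib


def _material(*parts):
    """Join the non-empty fields with a newline so that ("ab", "c") and
    ("a", "bc") do not collide. Empty fields are simply omitted."""
    return "\n".join(p for p in parts if p).encode("utf-8")


def derive_password(master, site="", salt="", algo="sha1", length=12):
    """Single-hash derivation, like `echo ... | sha1sum | cut -b1-12`
    (minus the newline that echo appends). `algo` is any hashlib name."""
    digest = hashlib.new(algo, _material(salt, site, master)).hexdigest()
    return digest[:length]


def derive_password_stretched(master, site="", salt="", iterations=100_000,
                              algo="sha256", length=16):
    """Same idea with PBKDF2 key stretching, so that every guess an attacker
    makes against the scheme costs `iterations` hash operations instead of
    one. The salt is passed to PBKDF2 separately rather than concatenated."""
    dk = hashlib.pbkdf2_hmac(algo, _material(site, master),
                             salt.encode("utf-8"), iterations)
    return dk.hex()[:length]


def entropy_ceiling_bits(length):
    """Each hex character carries 4 bits; the output can never contain more
    entropy than that, nor more than the master/site/salt inputs had."""
    return 4 * length


if __name__ == "__main__":
    print(derive_password("my simple password", site="slashdot"))
    print(derive_password("my simple password", site="bank"))
    print(derive_password_stretched("my simple password", site="bank",
                                    salt="pepper"))
    print(entropy_ceiling_bits(12))   # 48
```

Using a slow KDF rather than a bare hash is the one change that actually helps here: the per-site uniqueness comes from the site name, but resistance to someone who has guessed the scheme comes only from the master's entropy and the cost of each guess.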
I have my own rules for passwords. 1: never use a word that can be in a dictionary 2: use something I can remember through association (something that has meaning to me, but not something easy to figure out) 3: limit the number of passwords I use so I limit the number of passwords I need to remember. So I hate it when a site tells me I need an 8-digit password with upper and lowercase and numbers and special characters, or tells me I need to change my password every XX days. I think it just makes it harder for me, not for the hacker who "might" try to get my password.
An easy alternative is to run a dictionary word through a hash algorithm. For example my WPA key is a normal dictionary word, with a salt that I can easily remember, then checksummed with MD5. It produces something pretty much pseudo-random alphanumeric like this: b6ba4077d4421cb6ad49c1321453e37c. You could also truncate it, as >8 chars provides much the same security against brute force. Yet it is very easy for me to retrieve should I forget it; if you really wanted to you could also have a method after the checksumming for adding special chars to it, like using the shift key on every other char.
If i had one dollar for every brain you dont have, i would have $1.
Was that wybduvcep or webdovkap?
Great. I bet the haxxorz just can't wait to revamp their dictionaries using brute force scanning of the password choice form.
Early adopters! Come on!
I have to say "Your password must be at least seven characters, contain an uppercase letter, a lowercase letter and a number, and cannot contain your name or birth year" so much it loses all meaning to me. I know it doesn't mean shit and will only make things harder on people.
The problem isn't too simple of passwords. The problem is servers allowing brute force or dictionary attacks to occur. The only time password complexity matters is static data that can be brought "home" to the attacker, like encrypted archives or filesystems, where no such penalty for automated attacks can be imposed.
Don't throw rules at people, just tell them "don't be stupid", make their password be at least 8 characters, and when something tries to log into an account more than once every so many seconds ban that IP. If multiple IPs are trying to log into one account in a short period of time, lock that account, contact the user and ask them to change their username.
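An added example (not from any of the posters) that puts numbers on the two comments arguing that the server, not the password, should absorb brute force: Bert's "5 seconds between tries, 5 failures then 15 minutes" and the per-IP ban and many-IPs-on-one-account check from the comment just above. The class name, the parameter names and the threshold defaults beyond those two comments (IP ban after 100 failures, three distinct IPs in ten minutes) are my assumptions. A simulation function counts how many guesses a single-IP attacker actually gets the server to evaluate in an hour and a day.

```python
from collections import defaultdict


class LoginThrottle:
    """In-memory brute-force limiter for a login endpoint.

    Policy (Bert's numbers by default; every parameter is adjustable):
      * an account may be tried at most once per `min_interval` seconds
      * `max_failures` consecutive failures lock the account for `lockout` s
      * a source IP is banned for `ip_ban` seconds after `ip_fail_limit`
        failures across any accounts (None disables the IP rule)
      * an account collecting failures from `spray_ips` distinct IPs within
        `spray_window` seconds is flagged so the user can be contacted
    """

    def __init__(self, min_interval=5, max_failures=5, lockout=900,
                 ip_fail_limit=100, ip_ban=3600, spray_ips=3, spray_window=600):
        self.min_interval = min_interval
        self.max_failures = max_failures
        self.lockout = lockout
        self.ip_fail_limit = ip_fail_limit
        self.ip_ban = ip_ban
        self.spray_ips = spray_ips
        self.spray_window = spray_window
        self.last_attempt = {}                # account -> time of last evaluated try
        self.failures = defaultdict(int)      # account -> consecutive failures
        self.locked_until = {}                # account -> time
        self.ip_failures = defaultdict(int)   # ip -> failures since last ban
        self.ip_banned_until = {}             # ip -> time
        self.recent_ips = defaultdict(list)   # account -> [(time, ip), ...]
        self.flagged = set()                  # accounts to contact

    def attempt(self, account, ip, password_ok, now):
        """Process one login attempt at time `now` (seconds).

        Returns 'banned', 'locked' or 'too_fast' without evaluating the
        password at all; otherwise 'ok' or 'fail'."""
        if self.ip_banned_until.get(ip, 0) > now:
            return "banned"
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if now - self.last_attempt.get(account, float("-inf")) < self.min_interval:
            return "too_fast"
        self.last_attempt[account] = now
        if password_ok:
            self.failures[account] = 0
            return "ok"

        self.failures[account] += 1
        self.ip_failures[ip] += 1

        # Spray detection: many source IPs failing on one account.
        window = [(t, i) for t, i in self.recent_ips[account]
                  if now - t <= self.spray_window]
        window.append((now, ip))
        self.recent_ips[account] = window
        if len({i for _, i in window}) >= self.spray_ips:
            self.flagged.add(account)

        if self.failures[account] >= self.max_failures:
            self.failures[account] = 0
            self.locked_until[account] = now + self.lockout
        if (self.ip_fail_limit is not None
                and self.ip_failures[ip] >= self.ip_fail_limit):
            self.ip_failures[ip] = 0
            self.ip_banned_until[ip] = now + self.ip_ban
        return "fail"


def guesses_evaluated(throttle, account, ip, seconds):
    """Simulate one attacker at one IP guessing wrong once per second and
    return how many guesses the server actually evaluated."""
    return sum(1 for now in range(seconds)
               if throttle.attempt(account, ip, False, now) == "fail")


if __name__ == "__main__":
    print(guesses_evaluated(LoginThrottle(ip_fail_limit=None), "alice", "203.0.113.5", 3600))   # 20
    print(guesses_evaluated(LoginThrottle(ip_fail_limit=None), "alice", "203.0.113.5", 86400))  # 470
```

With the five-second spacing the lockout cycle is 920 seconds rather than 900, which is why the daily figure comes out at 470 instead of Bert's 480. The spray flag is what answers the reply about trying a handful of locked-out passwords across every account: that attack shows up as many accounts each receiving one failure, so a practitioner would also alert on a sudden rise in failures per source IP, which the per-IP counter here provides.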
"Most people, I think, don't even know what a rootkit is, so why should they care about it?"
STS services are the simplest thing for the past 2 years. If only people would use them more... hell, I'll just blame website developers for not implementing this feature into their sites (sloppily coded blog engines like WordPress and others should have this turned on by default).
use passwords like "Ihavefiftydollars$dollarsy0" -27 digit strong password. It's super strong and really easy to remember. It's not advisable to md5 hash your weak password then use the hash as your real password; but can be similarly strong.
I spent two years explaining to users how pass phrases would be easier to remember and much, much, much more secure. I don't think we had even one person take me up on the idea. Almost every single person told me it was "too much work" to type in a pass phrase. The place I worked in was a newspaper, and nearly all of these people were required to type 70 wpm or better! I tried to use password generators then, and no one would accept any password-generator-made passwords. They were "too hard to remember." I tried to get them to at least keep their passwords in their wallets instead of posted up on their cubicle. But it was "too much trouble to remember where the password is and too much work to get it out of the wallet to look at it." The only way computer systems will ever be secure is if they are designed to work well with completely stupid and lazy people using them. We kept looking into biometrics but last I knew they were just as insecure as bad passwords and too unreliable. The first time one wouldn't let somebody into his computer would be the last time the system was ever used. And don't bother saying the "management should do" this or that. Our management was far dumber and lazier than any normal user ever was, and the biggest roadblock to any sort of progress. One day I was expressing my frustration with trying to help save people from themselves with their stupid behavior. My own boss angrily told me there was NO WAY he would ever remember a password unless it was HIS OWN NAME.
Second part of the article is more interesting than scheme they talk about. ~~~~~~~~~ "Florencio and Herley found that the sites that had the most stringent password requirements were those where the users generally had no ability to shop around--sites like the U.S. Social Security Administration, the National Weather Service, and the webmail systems for several large universities. For these systems, the organizations have no monetary incentive to balance usability with security, or to find some other way of protecting user accounts."
I recommend everyone have three passwords, for situations that demand High, Medium and Low security. Your bank and credit card accounts, and places where you have to supply a bank or credit card number (e.g., a site where you purchase stuff) deserve High security. Places on the Internet where your identity is at stake (e.g., do you want a criminal sending eMails from your account?) deserve Medium security. And, finally, you need a "throwaway," Low security passwords for those situations where you are required to provide a password, but you don't sense a security need (e.g., a password required to read a newspaper online; do you really care if someone else uses your password to read that same news?). But, mind you, three is not a magic number. If you have need for four security levels, by all means, select four...or more. Or, if you have different passwords for your business and your family matters, set up two sets of passwords (say, three for the office, and four for home).
Now I'd like to show you a way to create a High security password that's easy to remember, in xx easy steps:
1) Pick a word that connects with you, one that isn't particularly obvious. It might be a term of art in a hobby (not "woodworking" but, perhaps, "dovetail," not "stamps" but "philatelist."). Make it a longer word if you have more concerns about security. You can use very long words, like "antidisestablishmentarianism," but make sure you can easily remember it (for purposes of illustration, I've picked "philatelist").
2) Pick a short string of digits, but don't use your age, your home address, or some part of your Social Security number, or other common information other people already know about you. And never use your bank account number as a password! I like to pick a word (say, that word you use to refer to some silly event in your past that still produces a smile), tap it out on the telephone touchpad, and write down those digits. Now there's a number that's hard to guess! Or, pick the month and day of an important date (but avoid those dates easy to learn or guess, like your birthday). Let's use "3981" for our example.
3) Now, take the word you picked, and break it into two parts (most people like to split on syllable boundaries, but you can pick, say, the first six letters, leaving all the rest. Write down the two parts on a piece of paper, separated by some space (you'd see "phila", some space, and then "telist").
4) Now, insert the digits you created in step #2 in the space between the two parts; you get "phila3981telist".
5) Finally, capitalize some of the letters. Capitalizing the first letter of each of the two parts is fairly obvious; maybe you'd like to make it a bit more complex and capitalize the second letter in each string, ending up with "pHila3981tElist."
That makes your password easier to remember (it's a word and string of digits you know, with your own personal preference on positioning of the parts and the capitalization).
From this you can easily use the first two-thirds or the last two-thirds for your Medium-security password (e.g., "pHila3981" or "3981tElist"; just pick one, and remember that).
Finally, for a throw-away password, just pick some easy part of your Medium-security password (e.g., "3981t"; notice I included one of the letters, too; some websites refuse all-digit passwords).
Within a couple of days, you'll have easily remembered three different passwords, none of which are easy to guess. And, you won't have to keep them written down, anywhere (however, I always recommend you write them down and store them in a safe, or a bank deposit drawer, in case you're incapacitated and somebody needs to legitimately act like you to pay the mortgage, etc.)
I hope this helps someone else, too.
--Carol Anne (Copyright 2009, Carol Anne Ogdin)
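The five steps above, written out as code so the three tiers can be regenerated from the word, the digits and two positions. This is an added example, not Carol Anne's own, and the helper names, the keypad table and the choice to take "first two-thirds" literally as word-part plus digits are mine. It reproduces her worked case ("philatelist", "3981", split after five letters, second letter capitalized) and her phone-keypad trick for producing the digit string.

```python
# Letters on a standard telephone keypad (no letters on 1 and 0).
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def keypad_digits(word):
    """Step 2 variant: tap a word out on the phone keypad ('smile' -> '76453').
    Characters that are not letters are skipped."""
    return "".join(LETTER_TO_DIGIT[c] for c in word.lower()
                   if c in LETTER_TO_DIGIT)


def capitalize_at(s, index=1):
    """Step 5: upper-case the letter at `index` (0-based); index 1 is the
    'second letter of each part' rule from the post."""
    if index >= len(s):
        return s
    return s[:index] + s[index].upper() + s[index + 1:]


def build_passwords(word, digits, split_at, cap_index=1):
    """Steps 3 to 5 plus the two derived tiers.

    high   = head + digits + tail, with one letter of each part capitalized
    medium = head + digits        (the 'first two-thirds' option)
    low    = digits + first letter of tail (one letter kept because some
             sites refuse all-digit passwords)
    """
    head, tail = word[:split_at], word[split_at:]
    head, tail = capitalize_at(head, cap_index), capitalize_at(tail, cap_index)
    return {
        "high": f"{head}{digits}{tail}",
        "medium": f"{head}{digits}",
        "low": f"{digits}{tail[:1]}",
    }


if __name__ == "__main__":
    print(build_passwords("philatelist", "3981", split_at=5))
    # {'high': 'pHila3981tElist', 'medium': 'pHila3981', 'low': '3981t'}
    print(build_passwords("dovetail", keypad_digits("smile"), split_at=4))
```

Note that the medium and low tiers are substrings of the high one, so anyone who learns the throwaway password has learned part of the banking one; that is the trade-off the post accepts for memorability.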
Process
Step 1: Make a sentence that's memorable, such as "I am making a password that I will never forget"
Step 2: Use title capitalization rules, such as Article Adjectives and Prepositions: the Capitals of Tomorrow.
Step 3: Convert to Acronym. Preserve capitalization.
Step 4: Convert at least a few letters to l33t.
Example
Step 1: i'm telling you, it's easy to create strong passwords
Step 2: I'm Telling you, it's Easy to Create Strong Passwords
Step 3: ITyiEtCSP
Step 4: I'I'yiEtC5P
Randomness avoids dictionaries. Using conversion rules like these, you end up with something that has a meaningful basis, but looks quite random.
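The initials-and-substitution recipe appears three times in this thread (the Robert Frost example, the four-step "Process" just above, and the suggestion of tacking on two letters of the service name), so here is one added example, not any poster's code, that runs all of it. Step 2 (the capitalization) is left to the human, as in the post; the code does step 3 (initials, case preserved), step 4 (character substitution with a supplied map) and the optional site tag. The default substitution table is an assumption of mine; step 4 in the post above also rewrote the "T" in a way that is not a simple character swap, which this does not reproduce.

```python
# Substitution table for the "l33t" step. The post's example swaps only S -> 5;
# the larger table here is an assumption for the example.
LEET_MAP = {"S": "$", "o": "0", "i": "1", "a": "4", "e": "3"}


def initials(phrase):
    """Step 3: first character of every whitespace-separated word, keeping
    whatever capitalization the user applied in step 2."""
    return "".join(word[0] for word in phrase.split())


def leet(text, mapping=LEET_MAP):
    """Step 4: replace characters according to `mapping`; others pass through."""
    return "".join(mapping.get(c, c) for c in text)


def site_tag(service, n=2):
    """Two letters of the service name so the same phrase gives a different
    password per site."""
    return service[:n].lower()


def phrase_password(phrase, service="", suffix="", mapping=LEET_MAP):
    """Whole recipe: initials, then substitution, then any suffix the site's
    rules demand, then the per-site tag."""
    core = leet(initials(phrase), mapping)
    tag = site_tag(service) if service else ""
    return f"{core}{suffix}{tag}"


if __name__ == "__main__":
    print(initials("I'm Telling you, it's Easy to Create Strong Passwords"))  # ITyiEtCSP
    print(leet("ITyiEtCSP", {"S": "5"}))                                      # ITyiEtC5P
    print(phrase_password("Two roads diverged in a yellow wood",
                          service="slashdot", suffix="10-", mapping={}))       # Trdiayw10-sl
```

The same `leet` step applied to a whole phrase with spaces removed, rather than to its initials, gives the longer "leeted phrase" style some admins prefer; the weakness shared by all of these is that once the substitution table is known the search space collapses back to that of the underlying phrase, so the phrase itself must not be a famous line used verbatim.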
"There are some people that if they don't know, you can't tell them." ~ Louis Armstrong
Advise users to write down part of their passwords:
They write down @j4t4n3n4
They can remember a simple password to combine.
That way you are protected from network attacks (strong password for people who can't read the sticky)
and from local attacks (you can't login just by reading the sticky, it's easier to guess the password but not easy)
Why not use a system of using simple phrases, including spaces and punctuation. Most systems allow that sort of thing. So the password "I love stinky cheese!" (including spaces and exclamation) is good for two reasons:
That said, I agree with the parent post: many times writing a password down is actually a good idea.
Hotmail has millions of users?
One can use stock symbols, stock option strike prices and number of granted options that makes you gloat every time you log in. 2500000GOOG@1.25
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
If you do a lot of sysadmin work, choose a topic that interests you, and find some kind of chart or table or data set that you would like to memorize. For example, you could choose capital cities and states, countries and their capitals, wire gauge to diameter, etc.
After a while of using that password each time, you will be able to remember all kinds of esoteric table data and amaze your friends at cocktail parties when you can recite the capital of every country on the globe, or what year many famous scientists were born.
Since you have to spend the effort remembering data, why not make the data something useful that you would like to remember for other applications?
I use 26 different passwords that satisfy all possible password rules. My passwords are basically just an algorithm applied to the first 26 periodic table entries; the password I use for a site is chosen based on the first letter of the site's URL. So, if my algorithm was first letter of the element identifier + element number + element name + ! (not what I use but good enough) then my password for slashdot (S=19) would be K19Potassium!. I have a periodic table taped to the wall next to each computer I use and one in my wallet but I never have to use them anymore. My passwords are in plain view for me all the time but no one here has any idea what the periodic table on my wall is for and even if they did they would have to guess my algorithm which is also quite improbable. My algorithm is quite a bit stranger than the one above so that the passwords are not recognizable as elements (wouldn't want someone to figure out my algorithm and know my password for everything). My slashdot password is 1K9P#o39. I think it is unlikely that even if you saw my password for a bunch of sites that anyone would identify them as elements of the periodic table. 0H1H!y01 for A, 0H2H@e04 for B, 0L3L#i06 for C... You got the algorithm yet? Would you have gotten it without the knowledge that it comes from the periodic table?
For password changes at work I just use elements 1-24 on a two year cycle and change once a month.
I find it amusing that people answer these questions honestly. My mother's maiden name was Johnson. A lot of people who know me know this. I think that it's silly that me telling anyone this could be considered a security risk. It's probably easily found out in public records that anyone can access.
That's why when anyone ever asks me, "For security purposes in case you lose your account information, what is your mother's maiden name?" I answer, "Brigadoon." That way if someone who knows me decides to have a good laugh on ol' Skippus and they call up some owner of an account I have and they ask, "Okay, for security purposes, what is your mother's maiden name?" and they answer, "Johnson," they will not be allowed access to whatever it was they were trying to get access to.
I have a list of stock answers to questions such as my mother's maiden name, my high school, my favorite pet's name, my favorite sports team, etc. Most of them are related. My mother's maiden name is Brigadoon. My high school was good ol' BHS. My favorite pet was Brigadot. My favorite team is the Brigands. You get the idea.
Of course, I've also lied about almost everything in this post. My mother's maiden name really isn't Johnson, and the name I give everyone isn't really Brigadoon, but the part about lying on those forms and using meta-passwords is true, and I highly encourage everyone else to do the same. Using actual facts or experiences that aren't so intimately personal that I wouldn't be telling anyone anyway as a security checkpoint is pretty damn stupid.
Most everything has already been said here, but it is crazy to enforce password changes... One of my clients is a financial advisor/brokerage. They clear through a larger firm that gives them access to account info, trading, wire transfers etc. through a web-based interface. Clearly it is critical that access to this is secured. However, since passwords are changed every 90 days, the employees have lists on their desks with previous passwords crossed off and current ones at the bottom. I or a cleaning person could easily gain access to their customers' information and even their assets. I have repeatedly pointed out this vulnerability to both the users (so they stop writing them down) and to the IT people at the clearing firm, but there seems to be a mental block at these large corporate IT departments and they insist on having the password changed and they can't even use some large number of previous passwords. I personally recommend people have several; I have 6 (not including slight modifications to meet password standards for a site) passwords of various security needs: a couple of highly secure passwords (easy for me to remember but very hard to guess) for things like online banking that you tell no one; somewhat secure ones for things that you would like to be private but are not super critical, that you may share with a wife or good friend, for things like a social site etc.; and something simple for the myriad of sites that ask you to create an account and you are not sure how safe a password is in their hands, and that I could care less if someone breaks into. Now if my simple password is "dogname" I may have to modify it to dogname1, Dogname, or Dogname1, but when I visit that site I haven't logged into in 6 months I generally know my password.
But if I am forced to change my password periodically I keep a document titled with the site on my computer (which I can access remotely), but it bothers me when I know that I keep my important passwords secure and feel I am forced to be slightly less secure by having the password recorded in a file on my computer. I never have to write down my passwords as I know my 6 passwords and what sites I would use them on.
Catbert,
Evil HR Director
Personally there are too many sites that require registration and login. If I wanted to post to a forum, give me a disposable password, after I verify a captcha for example, because I would not know when I will post there ever again. But I would like to see the responses or replies to the post though, to see if a site is active, say by being contacted by email (now THAT* password I remember)
Sometimes I will just pick a sentence and use it. It doesn't have to be an obvious one; sentences are just easier for humans to remember. I may try to obfuscate it like you do for a shorter password but for an encryption passphrase a sentence is fine.
Saying "I'll probably get modded down for this" in a post is the best way to get it modded up.
Make a rule to remember your password by. Take for instance a line of a song or a quote, take the first letter of each word, add some capitalization and special symbols where applicable and voilà, you have an easy-to-remember non-dictionary password. Spice it up with, for instance, the first two letters of the service you're signing up to for extra security.
-- fiskeben
I don't think it means what you think it does.
How many times do we have to flog this secure password animal? We (as IT professionals) know what strong and weak passwords are, if you're even a competent IT administrator. They need to be non-literal or non-dictionary words or phrases that contain things other than alpha characters. We know that if the scheme/method for generating these passwords is too complex then people are forced to write them down, which negates the usefulness of using a password at all.
As for best practices, it's really a subjective thing as we've seen through countless "studies", but there are some hard and fast "rules" (outlined above) that we know work. The trick is in how we apply those rules. In my experience, as an IT administrator for more than 15 years, using "leeted" phrases seems to work the best. I ask folks to use something like a line from their favorite song, or passage from a book, or catch phrase, etc. i.e., $0Y0uTh1nkY0uC4nD4nc3 = So You Think You Can Dance. This way the only thing to learn is mapping what characters to numbers or specials. Everything else is simple English (for us English speakers, no offense to others). Generating very secure, lengthy passwords then becomes easy, and easy to remember. I use several (seemingly ridiculously) long passwords like that regularly and have no problem meeting any password length or character requirement.
frobGARD
not frobGUARD
frobGUARD is obviously a word... :-)
If you don't want a word that's in a dictionary somewhere don't use words that are composites of any real words.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Here's a novel idea: don't mask password fields by default
If the user can see the password he typed in (and the coffee house guest peeking over the shoulder), the user will not pick "fluffy" as the password. Ok, so it's not a novel idea, but still something we perhaps should consider (http://www.useit.com/alertbox/passwords.html)?
Or better yet, go with one of the old and proven password management tools. Applications like KeePass or RoboForm, and services from http://www.myonelogin.com/, are pretty easy to use. Even the most non-security-conscious employee can remember a single complex password. Oh, and a hint: if you find yourself opening a ton of free one-time or rarely-used accounts, pick a password that you don't remember or save. If you need to get back in, use the password recovery mechanism or open a new account.
I think it should be obvious to anyone at this point that the only way to truly achieve account security is to tie a user's account directly to their DNA profile. Naturally this would mean that the larger websites (such as Facebook et al.) will be responsible for maintaining large unregulated databases of their users' DNA, which might raise some privacy concerns; but seeing as how Facebook has a long and proud history of responsible handling of their users' private data...
Admit nothing. Deny Everything. Make Counter-accusations.
People already know to keep track of their wallets. They already know that they need to report lost credit cards, etc., if they lose their wallets -- reporting a lost password would follow that familiar pattern.
Problem #1: Users use simple, easy-to-guess passwords.
Problem #2: Users write hard and long passwords down.
Solution: Let users' passwords be "AB", where A is a long and hard string, written down and posted on their computer, and B is a small and short string.
Rationale:
1. The result is easy to remember;
2. The resulting password "jH329J#nBmbottle" is very secure from bruteforce attacks;
3. The resulting password is secure from local co-worker attacks, because the evil-doer won't know part B;
4. In case someone was hired and could have left with all parts A written down, you can simply change parts A for all users, and they will hardly even notice.
Did I miss anything?
Don't worry, be happy!
Okay, this is a radical idea. But it seems to me all this complication of how to restrict passwords is working the wrong end of the spectrum. Why not instead simply trust the user to offer the level of security he cares about?
Just give him some information, so he can make an informed decision. Display the "weakness" of the password and probably even an ETA to being cracked. Sometimes I really don't care.
I mean really if I had to create an account for some random online calendar app or evite or whatever, what do I care if someone goes and RSVPs me to a bunch of parties.
Or similarly, if I have to log into an HR site for submitting vacation requests, which my manager must approve anyway, what do I care if someone steals the password. And certainly why do I have to change the password every month and be unique for the last 3 passwords used? Really? I'm talking iEmployee (a horrible service...don't use it if you can avoid it).
I prefer to remember one passphrase that unlocks them all.
I used to use Lastpass.
It's secure; your passwords are encrypted & decrypted client side, and you can use a unique, terrible-to-remember password for each site.
The downside is that your master password must be very secure because it becomes the single attack surface, and without web access or your password dictionary file you lose access to your passwords.
I now use HMAC w/ SHA1 using a master passphrase as the 'key' and the domain name as the 'message' for my passphrase (truncated for limited length password fields).
I only have to remember one password, and every site gets a different secure password.
Since I can do this calculation via my computer, JS bookmarklet, on my phone, or even my TI calculator I'm never without my passwords even when I'm offline.
If your password is found written anywhere you are fired.
Places doing this consistently and fairly see all the sticky notes gone.
And to all those "oh please, evaluate why people are doing it": get a grip, the buck must stop somewhere. At the end of the day people are there to perform a job, and sometimes this is not done in the best of conditions, so the policies in place are there to mitigate risks, not to make users' lives pleasant.
If you have money for an elegant solution go ahead, be my guest, get yourself one of those SecurID or Safeword servers and a load of expensive tokens, or contract with one of those providers that allow you to send password tokens via SMS. And tell me how big your bill was.
If people can't be arsed to cooperate to keep security adequate then they should not be working for you.
IANAL but write like a drunk one.
Password policies should be just part of your overall security policy.
I keep reading people complaining about colleagues or users writing down their passwords and leaving them in full view. My reply to this is: why does your security policy not include a visual inspection of the workplace?
Say what you may, but if passwords are not in full view or easy to reach then they are safe.
An employee writing passwords down and then locking them away is OK, the proverbial guy with sticky notes on his monitor is *your* fault for not having integrated security policies that are not constrained to computers only.
IANAL but write like a drunk one.
"Corporate security already implies a level of trust"
No wonder you post anonymously.
Rule #1: trust nobody, especially the people who already are in. Those are the most dangerous people. This is nothing personal and has nothing to do with respect or interpersonal trust; a security person should assume that anybody is a threat, and anything less than that is laziness and complacency.
People should only have access to what they need to perform their work. Not a single bit more.
In a serious company to think that the server room is a vector of attack is laughable. All server cabinets would be locked, access would be severely restricted and logged, anybody entering would need to be escorted by a third party to ensure he is doing only what he is supposed to be doing.
If you have only 20 machines then the data is not writeable locally, all goes to a server which is secured properly.
As for getting a root password from a sys admin, the only way for this to happen is if you put a gun to the head of somebody, and even then there are techniques to know that the person is giving a password under duress and take action without endangering people's safety (i.e. switching to dummy data if such situation arises).
Guys, this is not new, stop the excuses, secure your systems properly.
IANAL but write like a drunk one.
adjective+noun+specific year I bought noun
so like
greencomputer09
for variation, I'll put the numbers in front.
I use 2 compound word passwords switching the numbers back and forth.
simple, easy to remember and effective.
I've always thought that unless you literally have millions of users it is quite acceptable just to block password attempts that come too quickly from a given IP address. For most sites more than 60 failed password attempts in a minute would be good enough to ban an IP address for 5 minutes. Yes, there might be some people behind a proxy who end up with a message saying "wait 5 minutes", but that seems acceptable. This would mean the attacker needs to be in control of a considerable number of IP addresses to make an effective attack. If they have a botnet they might be able to do it, but let's face it, an attacker in control of a botnet of thousands of machines can already do some pretty unthinkable things.
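The throttling rule in the comment above (more than 60 failures from one address within a minute bans that address for five minutes), as an added illustration rather than code from any real site. The thresholds, the injectable clock, and the in-memory tables are assumptions of this example; a real deployment would keep the state somewhere shared across its web nodes.

```python
"""Per-source-IP throttling of failed logins: sliding window plus temporary ban."""
import time
from collections import defaultdict, deque

MAX_FAILURES = 60      # failures tolerated inside one window
WINDOW_SECONDS = 60    # sliding window length
BAN_SECONDS = 300      # refuse the address this long once it trips


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> clock value at which the ban lifts

    def is_banned(self, ip: str) -> bool:
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if self.clock() < until:
            return True
        # Ban expired: forget it, and the failures that caused it.
        del self.banned_until[ip]
        self.failures.pop(ip, None)
        return False

    def record_failure(self, ip: str) -> bool:
        """Log one failed attempt; return True if the address is (now) banned."""
        if self.is_banned(ip):
            return True
        now = self.clock()
        window = self.failures[ip]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()            # drop failures older than the window
        window.append(now)
        if len(window) > MAX_FAILURES:
            self.banned_until[ip] = now + BAN_SECONDS
            return True
        return False

    def record_success(self, ip: str) -> None:
        """A successful login clears the address's failure history."""
        self.failures.pop(ip, None)


class FakeClock:
    """Controllable clock so the behaviour can be exercised without waiting."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    src = "203.0.113.7"                       # constructed source address
    for _ in range(MAX_FAILURES):
        throttle.record_failure(src)
    print("banned after 60 failures?", throttle.is_banned(src))     # False
    print("banned after the 61st?", throttle.record_failure(src))   # True
    clock.advance(BAN_SECONDS)
    print("banned five minutes later?", throttle.is_banned(src))    # False
```

Two things the comment already hints at are worth keeping in mind when deploying something like this: a per-address counter does nothing against guesses spread across many addresses, so it belongs alongside a per-account counter, and a single address ban can lock out everyone behind a shared proxy or NAT, which is why the window and ban lengths are kept short.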
The problem with traditional complexity rules is that they forbid a lot of strong passwords while leaving open a lot more weak ones: they rule out more strong passwords than weak ones. Complexity rules encourage users who would otherwise pick stronger passwords to pick weaker ones instead, because the rules are draconian and destroy creativity in password selection; by stunting the user's chance to be creative in coming up with a strong password, they require a simpler password that can be remembered while meeting the rules.
Complexity rules can also reduce security, because hackers can predict how people will respond to complexity requirements, and what types of passwords are likely to be chosen, and what modifications to inherently weak passwords are likely to be done to meet the bare minimum requirements.
With concrete password selection rules, the 'hacker' also can know which passwords they should not waste time trying with brute force.
Password selection should involve the user asking the computer if a password is OK to use, first. The computer answers yes/no, and gives suggestions for [similar] passwords that would be stronger if the answer is NO.
It should be easy to select a password that will be accepted. Strong passwords must never be rejected.
None of this "You must have 10 characters, at least one upper, at least one lower, at least one number, at least one symbol"
Where did we go wrong?
The most important thing is that the password is not too similar to something someone else has tried or used, and that it is not short (less than 5 characters).
Passwords with high entropy are secure, regardless of whether or not they have a symbol, numeral, or uppercase letter.
Examples of very strong passwords that don't meet the traditional "complexity" rules (before they are posted here):
Examples of grossly insecure (guessable) passwords that DO meet all "traditional" complexity requirements:
(1) At least 10 characters, (2) at least one upper, (3) at least one lower, and (4) at least one symbol
Lots of others.
How about one password that can be used anywhere, securely? GPGAuth.
It was built into FireGPG for the last few years, but when the shitty FireGPG dev (Maximilien Cuony) closed up shop and refused to let other developers continue on using the FireGPG name, it was split out and is currently being rebuilt for Firefox, Chrome, Safari, Webkit, etc...
There's no place like
First I have a sequence (this isn't really it), such as sunDAY, monDAY, etc. Then I have an appended sequence, for example sunDAY!!1, monDAY!!2, etc. Then, if necessary, I can put a sticky on my computer (since IT makes me change my password every week) with the sequence number, say 1 for sunDAY!!1. If IT requires longer passwords, then I can use more exclamation characters. It's easy to remember, and complex to crack.
Patterns are better. What I tell my users is, pick a three, four or five letter word. Capitalise the first letter and put a number and special character between the two. For example, if the word is Bob and the number is 6, the easiest to remember password is:
Bob6^Bob.
All the user needs to remember is Bob6 and essentially to double it. Even if the number and special character are the same physical key it creates a strong password which is easy to remember and not in a dictionary. Otherwise most users go with Robert6, which is more vulnerable to brute force cracking, as after a dictionary attack the first thing a cracker would do is run through that dictionary with a number attached to the end of common words.
But as a few /.ers have pointed out, keyloggers and password sharing have created more security breaches, and brute force attacks are less common for breaking passwords.
I do the same thing with PINs: I use a square of four numbers and commit a pattern to muscle memory, that way I can use the same pattern to generate four separate PINs. I.e.:
5 6
2 3
Will generate 2563 and:
7 8
4 5
Will generate 4785 with the same pattern.
Calling someone a "hater" only means you can not rationally rebut their argument.
I usually have a set of few medium sized passwords and use a combination of them.
Consider how many logins/passwords for n number of websites/emails/work/home we have these days. It's out of control.
Byline: Simson Garfinkel. Bad jokes and crazy conspiracy theories commence in 3...2....1....
How about using a USB key in combination with the use of a passphrase to secure files? I've been doing that lately and have had no worries with anyone getting into my files. I'm sure that most corporate offices are starting to use it, but I'm sure that the use of USB authentication will start to spread to Windows 7 computer users if it hasn't been done already.
For web-based stuff, I use the PwdHash add-on for Firefox, which works great. Basically, you just choose a single password and it hashes it based on the domain it's meant for. So, e.g., I could have a single password such as "shitfaced55" which actually gets hashed BEFORE being sent to a particular web site. This results in having different passwords for each web site:
Slashdot.org: 2g1bYcfwf3n3D
Facebook: 6VO3LkHWNvbZW
Twitter: GAPMnL7GtD0wk
All I have to do is, in a given password field, type @@ followed by "shitfaced55" and when you tab out of the field, PwdHash hashes it for that particular site. Works great!
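The scheme two comments on this page describe, a master passphrase as the HMAC key and the site's domain as the message, truncated to fit the field (the HMAC-SHA1 post above and the PwdHash post here), as an added example. It is not the PwdHash add-on's algorithm and not either poster's own code; the domain normalisation, the base64 alphanumeric encoding and the 13-character default are this example's assumptions.

```python
"""Per-site password derivation from one master passphrase with HMAC-SHA1."""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(site: str) -> str:
    """Normalise what identifies the site, so that https://www.example.com/login,
    example.com and EXAMPLE.COM all derive the same password.
    Assumption: keep the last two host labels; a real tool would consult the
    public-suffix list so that names like example.co.uk are handled."""
    host = urlsplit(site if "://" in site else "//" + site).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def derive_password(master: str, site: str, length: int = 13) -> str:
    """Return `length` letters/digits derived from HMAC-SHA1(master, domain).

    base64 of the 20-byte tag gives 27 characters, a few of which may be
    '+' or '/'; those are dropped so the result is typeable in restrictive
    fields, and if that leaves too few characters a counter is appended to
    the message and another tag is computed (message 0 is the bare domain,
    matching the scheme in the comments)."""
    domain = site_key(site)
    key = master.encode("utf-8")
    out = []
    counter = 0
    while len(out) < length:
        msg = domain if counter == 0 else f"{domain}#{counter}"
        tag = hmac.new(key, msg.encode("utf-8"), hashlib.sha1).digest()
        out.extend(c for c in base64.b64encode(tag).decode("ascii") if c.isalnum())
        counter += 1
    return "".join(out[:length])


if __name__ == "__main__":
    # Constructed master passphrase, for the demonstration only.
    master = "correct horse battery staple"
    for s in ("https://slashdot.org/comments.pl", "www.slashdot.org", "facebook.com"):
        print(f"{site_key(s):>14}: {derive_password(master, s)}")
```

The caveat the Lastpass comment raises applies here in full: the master is the single attack surface. Anyone who obtains one derived password and knows the domain can test master-passphrase guesses offline at SHA-1 speed, so the master has to be a long phrase, not a word with digits, and rotating one site's password means changing the master or adding a per-site version number to the message.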
You need to choose your password from a large enough "pool" of possible passwords that brute-forcing them is not likely to be successful.
I chose my root password from "the set of 8 character lower case letters", or about 208 billion possibilities. Is this a bad password? No, not at all. A password from a pool of 208 billion is just fine. If you choose a line from a nursery rhyme and substitute 1 for i and 0 for o, you have a mixed-case with digits password, which on the surface looks as if it comes from a very large pool. But in fact there are not that many nursery rhymes, and just a few rules to modify them. In the end the pool isn't quite as large.
Some people I know choose a password as follows: take a vegetable, capitalize the first letter and substitute i by 1, and o by 0. Mixed case, and only maybe 100 options. Not good. Quite awfully bad actually.
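The pool-size argument in the comment above, carried through in code as an added example (not the poster's own): enumerate every password a "vegetable plus substitutions" scheme can produce and compare that real pool with the pool the result appears to come from. The word list, substitution rules and casing rules are constructed stand-ins for the scheme described.

```python
"""How big is the pool a password was really drawn from?"""
import math

# Constructed stand-ins for "a vegetable" and the modification rules.
WORDS = ["carrot", "onion", "potato", "tomato", "broccoli", "spinach", "leek", "pepper"]
SUBSTITUTIONS = [{}, {"i": "1"}, {"o": "0"}, {"i": "1", "o": "0"}]
CASERS = [str.lower, str.capitalize, str.upper]


def apply_scheme(word: str, subs: dict, caser) -> str:
    """One password the scheme can produce: substitute letters, then set the case."""
    return caser("".join(subs.get(ch, ch) for ch in word))


def scheme_pool(words=WORDS, subs=SUBSTITUTIONS, casers=CASERS) -> set:
    """Every distinct password the scheme can produce. Collisions (a word with
    no 'i' or 'o' looks the same under every rule) shrink the pool further."""
    return {apply_scheme(w, s, c) for w in words for s in subs for c in casers}


def apparent_pool(password: str) -> int:
    """The pool the password *looks* drawn from: the character classes present,
    raised to its length. This is what a naive strength meter reports."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation
    return alphabet ** len(password)


def bits(pool_size: int) -> float:
    """Entropy in bits of a uniform choice from a pool of this size."""
    return math.log2(pool_size)


def crack_time_seconds(pool_size: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole pool at a given guess rate."""
    return pool_size / guesses_per_second


if __name__ == "__main__":
    lower8 = 26 ** 8
    print(f"8 random lowercase letters: pool {lower8:,}, {bits(lower8):.1f} bits")
    real = scheme_pool()
    sample = apply_scheme("potato", {"o": "0"}, str.capitalize)      # "P0tat0"
    print(f"{sample!r} looks like {bits(apparent_pool(sample)):.1f} bits, "
          f"but the scheme only yields {len(real)} passwords ({bits(len(real)):.1f} bits)")
    # Assumed guess rate for a rough comparison; a hash-dependent number in practice.
    print(f"exhausting 26^8 at 1e9 guesses/s: {crack_time_seconds(lower8, 1e9):.0f} s")
```

The point the enumeration makes is that a strength meter scores the string it sees, while an attacker who knows the scheme scores the choices the user actually made; the second number is the one that matters.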
I always use concatenated passwords; for instance "Slashdot was recommended by Peter, is it #1?" becomes "SwrbPii#1?", easy to remember when each letter represents a word in a private sentence.
...I put two post-its with "NOT HERE!" written on them under my keyboard and mousepad ;-)
In the long run we are all dead. - John Maynard Keynes (1883 - 1946)
Simply use a Single Sign-On mechanism. Be it Kerberos, a solution that fills in your password (passlogix.com), .... You only need to remember one password (or better, a PIN to your smartcard) and have strong passwords for all your applications.
Hell a phrase like "Purple Elephants make for a rough Work Day" is much harder to crack than "1qaz@WSX3edc$RFV"
Let's see, I have a bunch of algorithms:
The first one proves that "Purple Elephants [...]" is much easier to crack than the keyboard hamfist one, yes? ;-)
Of course it doesn't. This goes to show that one ought to be aware of what the cracker is doing. That kinda' makes sense if you generalise it: if you want to protect something, it is probably useful to know which dangerous things happen to it (i.e. which pass phrases are attempted, how often, at what time and in which order).
Pick a random day in a random month, choose a password like, "Expense Report due today!". All you need to remember is the month and day.
body massage!
I use PasswordSafe - open source - and have a copy on my Win mobile smartphone. So no more password remembering issues. Just one passphrase to remember.
and then you switch the keyboard layout (via the Systray/etc icon)
Provided that such a layout switch is present in the taskbar of the computer that you're using at the moment, and that it works the same way as the one on the operating system on the computer that you use at home.
Call it a "passphrase." Ban that other word.
Can you type a password as long as the comment that you just posted, without typos, the first time, blind? All you'd see is
Quoting Jakob Nielsen:
It is unfortunate and possibly ironic that in a discussion about passwords, Slashdot labels an illustration of a common problem with long passwords as "Filter error: Please use fewer 'junk' characters." If asterisks are 'junk' characters restricted in comments, then why does Slashdot display such junk characters when the user is entering a password?
If your password is found written anywhere you are fired.
Places doing this consistently and fairly see all the sticky notes gone.
Places that make it impossible for employees to remember their password see all the employees gone.
If people can't be arsed to cooperate to keep security adequate then they should not be working for you.
But it turns out that most "people can't be arsed to cooperate to keep security adequate". Good luck running a business with no people working for you.
Passwords in my opinion should be pronounceable; the odd number is workable, but lose the symbols, and they should not be case sensitive. Not real words, just pronounceable.
When something is pronounceable it is easy to remember, easy to type, and you can have a longer password which you don't need to write down.
For example: fairoowoopha
Easy to remember, easy to say, easy to write, but that's 12 characters.
The command "pwgen" is good for creating passwords like this; it is found in all good Linux distribution repositories.
Windows supports it via Systray.
Not everybody knows how to get to Control Panel > Regional and Language Options > Languages > Details > Preferences > Language Bar > Show the language bar on the desktop (this is XP's procedure; it probably differs on Vista, 7, Mac OS X, and GNOME). And a lot of PCs in public places have the Control Panel blocked. So instead of memorizing that, a lot of users just stick with QWERTY.
If your main problem is with black hats, a password such as your dog's name with your birth year, like "fido1961", might be good enough to prevent brute force attacks. On the other hand, that password is laughably weak if your family or friends want to get in and have some good skills.
And with information that so many millions of Facebook users make public, a random black hat can elevate to family or friends privileges. That's why "secret questions" for resetting the password, like the ones that rcam.target.com uses, are so ill-advised: they encourage the user to enter the same information that's already on the user's public profile at a social networking site.
Gee - maybe the person(s) who wrote this should have gotten together with the folks who created this. If you try their suggested p@$$word - the result is weak! https://www.microsoft.com/protect/fraud/passwords/checker.aspx?WT.mc_id=Site_Link
Memorize with as much precision as you want your key's profile. Now, try to open the door without a key.
But note you still *need* the token, so it's not a "something you know" device.
And you still need the keypad connected to the door (and not an empty PS/2 socket to which nobody has yet connected a keypad) in order to input a PIN, so a PIN is not a pure "something you know" either. I'm not saying that either is less valid, only that the distinction between have and know is artificial because one can be transformed into the other.
Thus making a fingerprint not the perfect "something you are" test, not throwing any logical fault to the premise.
I think Bruce Schneier's thesis is that there exists no perfect "something you are" test.
Thus making the testing device buggy
Like all testing devices.
Would you consider a theoretical flaw in the login/password concept the fact that some login software has a bug such as password "42" always matching?
A biometric identification measure is only as good as its best implementation. To take your analogy, it would be as if nobody had yet produced correct login software.
You can take common words or phrases and remove certain letters. Like "better" without the t's. Oh wait... Or swap out certain letters for numbers and symbols, like "e" becomes "@", "i" becomes "!", or "s" becomes "5". In other words, type like they do on MySpace. (Seriously, those are good ideas, just don't be so lame and obvious about it. Or "1mnD0Bv5". "Lame and obvious", with vowels removed, l becomes one, o becomes zero, s becomes 5, and letters without openings become uppercase.)
yay!!! i'm an anonymous coward :)
you can make your password with 2 parts....1st part related to the site or software that you are going to use....and second part common for all your passwords.....and third just for extra security
each part can be approx 5 letters..... like for slashdot....you can have -- dot(name)(initial)(luckynumber) for a slash dot password