Passwords That Are Simple — and Safe

TravisTR submitted a story that talks about simpler passwords. I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain, but I'm not sure that allowing unique but simpler passwords is a better idea.

deh.

Why don't use simple words that can't easily be found using dictionnary bruteforce ?

And most hacked account come from shitty secret question/answer that can let you change password.

Re:deh.

[Opportunist]

Pretty much this. Someone hand Mr. Anonymous a few mod-ups.

There are exactly 2 things in my experience (from various forensic examinations) that are responsible for almost all hacked passwords: Keyloggers and easily guessable recovery questions.

Last 4 digits of your credit card? If the system allows you to retry infinitely, it's a matter of try and error. 10000 attempts, tops. Trivial to do for an automated system.
Last name of your teacher/Mother's maiden name? Trivial for anyone who knows you, and if you don't care for the account you want, send the most common names against as many accounts as you can get your hands on.
Place of birth? Elementary school? Pet's name? Check the person' Facebook account.

It has never, in my experience, been a blunt dictionary attack within the last 5 years. Why? Because even a password susceptible to a dictionary attack requires a fairly weak login procedure to work. And every single password entry system I know of (at least when it's about more than something trivial like logging in to your pr0n account) either has a delay feature that keeps you from trying more than maybe 10 passwords a minute, or it even implements something like a "3 strikes" system before you have to contact a human being, or at the very least solve a captcha. Dictionary attacks are not really something anymore that you can easily use to crack passwords.

Oddly, such a safeguard is almost certainly missing when it comes to password recovery questions.

And I guess I needn't waste a character to write about keyloggers.

don't ever use the word "password"

Call it a "passphrase." Ban that other word.

Re:don't ever use the word "password"

[swilly]

I agree. There is only so much entropy the human brain can remember, but I can remember phrases quite well. Throw in a few digits and special characters instead of letters and you have the perfect balance between security and ease of use. Unfortunately I keep seeing maximum passwords lengths, which is just stupid. I suspect maximum password lengths are caused by lazy developers and web sites that store passwords instead of hashes of passwords.

Don't know if typing phrases would be better for everyone though. Interested to know how non-touch typists would deal with something like "It w@s the b3st of times, It was the worst of times".

SImple non-dictionary passwords

[ceswiedler]

The best passwords I've used are non-dictionary but pronounceable words. The simplest way to generate one is to alternate consonants and vowels, for example 'lasopedi'. It's easy to remember because your brain can store it as a word, not as a random series of letters. You can add uppercase letters, symbols, or numbers if you want it more complex, like 'lasoPedi2!', which is still pretty easy to remember.

Depends on the importance and access

[FictionPimp]

To me it depends on two things:

1) How important is the data.
2) What level of access do un-authorized people have to the system.

For example, we have a private development server on a isolated vlan. The only way to gain any network activity to this server is to be plugged into one of the ports that have access to that vlan (so just the developer offices).

Do I really need a password like 2wsx)OKMnhy6BGT%?

or does something simple like: 53xym@n cover it?

Now, let's say it's a public server available on the internet with ssh running? Does a really strong password protect me any more then just using a simple public key with a simple password on said key?

Passwords aren't the weak point

[Darkness404]

In most systems, the password isn't the weak point, it is generally the security question or an off-site link. For example, you might require that users of an online banking system use a password 15 characters long, however, you e-mail them a link to change a password if needed through an e-mail account, well if that person's password is "e-mail" or something like that, all the security on your site vanishes.

Really, you have to figure out who would be trying to get into your account, family members? A random black-hat? Your friends? Your enemies? And base passwords on there, for example, if your main problem is with black hats, a password such as your dog's name with your birth year might be good enough to prevent brute force attacks like "fido1961" on the other hand, that password is laughably weak if your family or friends wants to get in and have some good skills. However, in most cases people write down passwords which lead to more weaknesses there because for some reason IT departments want people to have passwords of "Zn98iTgg4324YEneEjjRtZ34" which might be great at preventing a black hat from accessing it, but such an arcane password generally requires people to write it down.

Eventually they will be in dictionaries.

[khasim]

If the password can be easily remembered, it will end up in a dictionary.

But that doesn't matter. At least it doesn't in the way that TFA discusses passwords.

You have two different uses for passwords:

#1. Lets you login to your computer or account or whatever.

#2. Encrypts files that you don't want other people to read.

If we're dealing with #1 then simple passwords are perfect AS LONG AS SOMEONE IS MONITORING THE ACCOUNT FOR FAILED LOGIN ATTEMPTS and dealing with them (and having a delay between individual attempts).

In case #2 then you want a HUGE key because the file can be attacked off-line.

Re:changing passwords frequently makes no sense

[DragonWriter]

People who argue that changing passwords frequently* is a waste of time has not had to deal with the security issue of people sharing their passwords on a regular basis.

People who argue that rotating passwords frequently is a good solution to password sharing are missing the point: password sharing means either:
1) People who should not have access to facilities are routinely being given it by others, or
2) People who should have access to facilities are not given reliable enough access to it in their own name.

Rotating passwords frequently does not address either of these problems. OTOH, it makes it more likely that people will be unable to remember their passwords and will, therefore, write them down somewhere near their computer for ready reference, which creates its own problems.

As an IT team we've done our best to abstract that concept by allowing anyone to log onto any computer in the network so long as they have an account, and mapping network drives automatically based on your permissions, but suffice to say some people just don't understand that. Someone will still only save to "My Documents" or C: drive, because thats what they do at home.

You can certainly redirect "My Documents" (and most other profile folders) to network locations, and you can make the rest of the C:\ drive writable only to administrators and not make normal users administrators. Problem solved.

We had this issue come up last summer where a manager knew a few people's passwords, and after being fired, was using the webmail client to snoop on emails.

And rotating passwords may limit the time of exposure to such attacks, but doesn't prevent them, so if there is anything truly sensitive exposed, it doesn't protect it. What an IT organization ought to do is deal with the reasons people are routinely sharing passwords.

Re:Simple

[iluvcapra]

When your password rules have a net effect of disallowing people from using their familiar pneumonic systems for remembering passwords, you force them to write the passwords down.

I assume this is when someone uses a captive bolt gun to threaten you to reveal your password...

And having written-down passwords negates the benefit of all those special characters

This is a misconception. Forcing the user to write down a password allows the password to be much longer, and probably much more impervious to attack over the network. The fact that it's written down makes the password as insecure as the place where it's written down. If that place is behind a locked door, perhaps in the room containing the protected machine itself, then the password is about as secure as you could expect, since if someone can get into that room they're going to have access to everything that password protects, password or no. A sheet of paper in a wallet is also valid, since people keep extremely valuable bits of information that can be easily changed and cancelled in their wallet as well.

Encryption keys require a different sort of discipline, but again just because something is memorizable doesn't mean it absolutely better than something written down, or contained in a separate, secure place.

You have to ask, "what is this password protecting?" If it's protecting a box from network attack, PLEASE FOR THE LOVE OF GOD USE BIG PASSWORDS AND WRITE THEM DOWN! If you're protecting data from more, ah, physical or intimate incursion, a memorized password is a start, but it had better not be the only part of the puzzle. Since network attacks are a much bigger problem these days than someone breaking into your house, the first solution is probably going to be much more practical and effective.

Re:changing passwords frequently makes no sense

[SCHecklerX]

Changing passwords frequently, as somebody writes below, leads to patterns, sticky notes on monitors, passwords kept in notepad files, etc. IOW, it MAKES THINGS LESS SECURE.

It is the most ridiculous policy I've seen in this field.

A better policy is:

1) force strong passwords
2) audit against week passwords using cracking tools
3) force a change of passwords when an incident occurs, or a person with a shared (ie: admin, root, database, etc) access leaves the company.

Forcing constant changes does not make you more secure if the password is strong to begin with and good policies around sharing and disclosing that password are followed (and they are more likely to be followed if you aren't forcing users to change the damned thing every month). Users will also be able to REMEMBER their STRONG password. Imagine that!

Re:changing passwords frequently makes no sense

[Bigjeff5]

Real security requires you to balance out risks, figure out who is the main threat and make passwords to combat that.

That is exactly right.

The security in any system is only as strong as the weakest members, and the end user is almost always the weakest member of the security question. So before you can do anything, you need to strengthen the security that the users themselves practice. You need a comprehensive training program for all your employees - and it has to be a good one. You've got to make the security problem relevant to them before you'll be able to get any real behavior change.

Once you've done that, you need to implement sane policies that a reasonable individual can handle. Just because you have developed a system to memorize a random 20 character password at the drop of the hat doesn't mean your end users have (in fact, they almost certainly have not). Requiring a 20 character password with four upper and four lower case characters, four numbers, and four symbols (yeah, you get a whole 4 characters that you can make whatever you want!) that changes every month is not going to work, ever.

I worked at a National Guard armory on an army base for a while (I was a civilian contractor) and the problem with security that didn't take the users into account was glaringly obvious. The security there was intense - access cards that were bio-metrically linked to the individual (via fingerprint), an 8 digit PIN number for the card access, and a 10-15 character passwords that had to have 2 upper and lower characters, 2 numbers and 2 symbols in case you locked out your card with the wrong PIN.

You couldn't just unlock your PIN. If you locked it out, you needed to set a new one. To do this you had to scan your fingerprint at the issuing office. Your PIN could not be the same as any of the last 10-15 PINs you used, I don't remember the exact number. Since this was a constant problem, if you locked your card out you could expect to spend a half hour to an hour unlocking it. The password was a backup - you could get on to your system with your password. The trouble was nobody used their password, so unless they had it on a sticky they couldn't use it to get in to their system.

The PIN numbers were changed so frequently people started putting them on stickies on their monitor. Then they'd step out and forget their access card in the machine. Now you have zero security. None, nadda, zilch. For all your system does to keep it secure, you can just walk in to almost any empty but open office and find a card in a machine with the correct PIN stickied to the monitor.

You must design your security system to the limits of your users, not to the limits of the technology.

I'm personally a big fan of pass-phrases. It doesn't matter if you use dictionary words in a pass phrase, you're looking at 50,000+ possibilities for each word in the phrase, so for a 5 word passphrase you're looking at about 3^20 permutations. Add in capital letters and punctuation and it is more like 1^25 permutations. Compared to 9^20 for the 20 character password I described above, and that's not too far off. Most places recognize that a 20 character password will never work, and they generally use at most a 15 character password. Without any of the lost-options caused by adding restrictions (so many of x, y, or z type digit) that's 3^15 permutations, a hell of a lot less than the much easier to remember 5 word pass-phrase.

So you can have your insane levels of security if you're smart about it. If someone wants to use their daughter's birthday, "Shelly's birthday is on July the 20'th" is nearly uncrackable and extremely easy to remember.

The only way to limit sharing of passwords is to: a.) give them a secure and convenient way to do the same thing, b.) educate them about why they should not be sharing their passwords amongst themselves and make it relevant to them personally, and c.) enforce the policy with serious conse