Passwords That Are Simple — and Safe

TravisTR submitted a story that talks about simpler passwords. I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain, but I'm not sure that allowing unique but simpler passwords is a better idea.

deh.

Why don't use simple words that can't easily be found using dictionnary bruteforce ?

And most hacked account come from shitty secret question/answer that can let you change password.

Re:deh.

[Opportunist]

Pretty much this. Someone hand Mr. Anonymous a few mod-ups.

There are exactly 2 things in my experience (from various forensic examinations) that are responsible for almost all hacked passwords: Keyloggers and easily guessable recovery questions.

Last 4 digits of your credit card? If the system allows you to retry infinitely, it's a matter of try and error. 10000 attempts, tops. Trivial to do for an automated system.
Last name of your teacher/Mother's maiden name? Trivial for anyone who knows you, and if you don't care for the account you want, send the most common names against as many accounts as you can get your hands on.
Place of birth? Elementary school? Pet's name? Check the person' Facebook account.

It has never, in my experience, been a blunt dictionary attack within the last 5 years. Why? Because even a password susceptible to a dictionary attack requires a fairly weak login procedure to work. And every single password entry system I know of (at least when it's about more than something trivial like logging in to your pr0n account) either has a delay feature that keeps you from trying more than maybe 10 passwords a minute, or it even implements something like a "3 strikes" system before you have to contact a human being, or at the very least solve a captcha. Dictionary attacks are not really something anymore that you can easily use to crack passwords.

Oddly, such a safeguard is almost certainly missing when it comes to password recovery questions.

And I guess I needn't waste a character to write about keyloggers.

don't ever use the word "password"

Call it a "passphrase." Ban that other word.

Re:don't ever use the word "password"

[swilly]

I agree. There is only so much entropy the human brain can remember, but I can remember phrases quite well. Throw in a few digits and special characters instead of letters and you have the perfect balance between security and ease of use. Unfortunately I keep seeing maximum passwords lengths, which is just stupid. I suspect maximum password lengths are caused by lazy developers and web sites that store passwords instead of hashes of passwords.

Don't know if typing phrases would be better for everyone though. Interested to know how non-touch typists would deal with something like "It w@s the b3st of times, It was the worst of times".

Passwords aren't the weak point

[Darkness404]

In most systems, the password isn't the weak point, it is generally the security question or an off-site link. For example, you might require that users of an online banking system use a password 15 characters long, however, you e-mail them a link to change a password if needed through an e-mail account, well if that person's password is "e-mail" or something like that, all the security on your site vanishes.

Really, you have to figure out who would be trying to get into your account, family members? A random black-hat? Your friends? Your enemies? And base passwords on there, for example, if your main problem is with black hats, a password such as your dog's name with your birth year might be good enough to prevent brute force attacks like "fido1961" on the other hand, that password is laughably weak if your family or friends wants to get in and have some good skills. However, in most cases people write down passwords which lead to more weaknesses there because for some reason IT departments want people to have passwords of "Zn98iTgg4324YEneEjjRtZ34" which might be great at preventing a black hat from accessing it, but such an arcane password generally requires people to write it down.

Eventually they will be in dictionaries.

[khasim]

If the password can be easily remembered, it will end up in a dictionary.

But that doesn't matter. At least it doesn't in the way that TFA discusses passwords.

You have two different uses for passwords:

#1. Lets you login to your computer or account or whatever.

#2. Encrypts files that you don't want other people to read.

If we're dealing with #1 then simple passwords are perfect AS LONG AS SOMEONE IS MONITORING THE ACCOUNT FOR FAILED LOGIN ATTEMPTS and dealing with them (and having a delay between individual attempts).

In case #2 then you want a HUGE key because the file can be attacked off-line.

Re:changing passwords frequently makes no sense

[DragonWriter]

People who argue that changing passwords frequently* is a waste of time has not had to deal with the security issue of people sharing their passwords on a regular basis.

People who argue that rotating passwords frequently is a good solution to password sharing are missing the point: password sharing means either:
1) People who should not have access to facilities are routinely being given it by others, or
2) People who should have access to facilities are not given reliable enough access to it in their own name.

Rotating passwords frequently does not address either of these problems. OTOH, it makes it more likely that people will be unable to remember their passwords and will, therefore, write them down somewhere near their computer for ready reference, which creates its own problems.

As an IT team we've done our best to abstract that concept by allowing anyone to log onto any computer in the network so long as they have an account, and mapping network drives automatically based on your permissions, but suffice to say some people just don't understand that. Someone will still only save to "My Documents" or C: drive, because thats what they do at home.

You can certainly redirect "My Documents" (and most other profile folders) to network locations, and you can make the rest of the C:\ drive writable only to administrators and not make normal users administrators. Problem solved.

We had this issue come up last summer where a manager knew a few people's passwords, and after being fired, was using the webmail client to snoop on emails.

And rotating passwords may limit the time of exposure to such attacks, but doesn't prevent them, so if there is anything truly sensitive exposed, it doesn't protect it. What an IT organization ought to do is deal with the reasons people are routinely sharing passwords.

Re:Simple

[iluvcapra]

When your password rules have a net effect of disallowing people from using their familiar pneumonic systems for remembering passwords, you force them to write the passwords down.

I assume this is when someone uses a captive bolt gun to threaten you to reveal your password...

And having written-down passwords negates the benefit of all those special characters

This is a misconception. Forcing the user to write down a password allows the password to be much longer, and probably much more impervious to attack over the network. The fact that it's written down makes the password as insecure as the place where it's written down. If that place is behind a locked door, perhaps in the room containing the protected machine itself, then the password is about as secure as you could expect, since if someone can get into that room they're going to have access to everything that password protects, password or no. A sheet of paper in a wallet is also valid, since people keep extremely valuable bits of information that can be easily changed and cancelled in their wallet as well.

Encryption keys require a different sort of discipline, but again just because something is memorizable doesn't mean it absolutely better than something written down, or contained in a separate, secure place.

You have to ask, "what is this password protecting?" If it's protecting a box from network attack, PLEASE FOR THE LOVE OF GOD USE BIG PASSWORDS AND WRITE THEM DOWN! If you're protecting data from more, ah, physical or intimate incursion, a memorized password is a start, but it had better not be the only part of the puzzle. Since network attacks are a much bigger problem these days than someone breaking into your house, the first solution is probably going to be much more practical and effective.

Re:changing passwords frequently makes no sense

[SCHecklerX]

Changing passwords frequently, as somebody writes below, leads to patterns, sticky notes on monitors, passwords kept in notepad files, etc. IOW, it MAKES THINGS LESS SECURE.

It is the most ridiculous policy I've seen in this field.

A better policy is:

1) force strong passwords
2) audit against week passwords using cracking tools
3) force a change of passwords when an incident occurs, or a person with a shared (ie: admin, root, database, etc) access leaves the company.

Forcing constant changes does not make you more secure if the password is strong to begin with and good policies around sharing and disclosing that password are followed (and they are more likely to be followed if you aren't forcing users to change the damned thing every month). Users will also be able to REMEMBER their STRONG password. Imagine that!