Slashdot Mirror


Passwords That Are Simple — and Safe (?)

TravisTR submitted a story that talks about simpler passwords. I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain, but I'm not sure that allowing unique but simpler passwords is a better idea.

16 of 563 comments

  1. changing passwords frequently makes no sense by js_sebastian · Score: 3, Interesting

    Recent paper by some microsoft folks at usenix security: "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users" (http://research.microsoft.com/en-us/um/people/cormac/papers/2009/solongandnothanks.pdf)

    1. Re:changing passwords frequently makes no sense by Scrameustache · Score: 1, Interesting

      People who argue that changing passwords frequently* is a waste of time have not had to deal with the security issue of people sharing their passwords on a regular basis.

      No, but I had to deal with very strict password rules at university, and you know what I liked to collect? Strips of paper with usernames and very complicated passwords you can't possibly remember. I found those handwritten notes quite frequently at the computer labs, because the password system was insanely user-hostile and stressed-out students forget things when running off to class in a hurry.

      allowing anyone to log onto any computer in the network so long as they have an account, and mapping network drives automatically based on your permissions, but suffice to say some people just don't understand that. Someone will still only save to "My Documents" or C: drive, because that's what they do at home. Anyways, if someone gets terminated, and they remember the passwords, they pose a security risk.

      Why is their account not terminated at the same moment as their employment?

      --

      You can't take the sky from me...

    2. Re:changing passwords frequently makes no sense by hairyfeet · Score: 2, Interesting

      Question: I'm just a little PC builder and repairman, so maybe I'm missing something, but why not use USB sticks for login? It isn't like the sticks are expensive nowadays, and there are plenty of programs like Predator designed to allow secure login via USB. Now I'm sure somebody has a similar program (hell you might even be able to with the Predator Pro version) where you can activate/deactivate login sticks via Group Policy, so it seems to me the safest way would be simply having the insane length password on the stick, then you get the whole "huge letter/number/character that changes" while not having to deal with users not remembering. Just have them put the stick on their keyring and voila!

      So maybe I'm missing something, but in this case it seems to me technology would be able to fix this problem.

      --
      ACs don't waste your time replying, your posts are never seen by me.

    3. Re:changing passwords frequently makes no sense by hairyfeet · Score: 2, Interesting

      Thanks, I knew there was a word for it, but after pulling an all-nighter (man I'd love to kick the bastard that wrote those rogue AV programs in the nuts) my brain is a little fuzzy. But I figure if even my mom can remember a PIN, and USB sticks and smart card readers are so cheap, why bother making the users jump through hoops?

      As I tell my customers "It is MY job to do the hard stuff, so you don't have to" but in this case a good program with Group Policy De-authorization ability would make it easy and would give better security for BOTH the users and the admins. Like I said I'm just a little shop owner but it seems like tech would fix this problem easily.

      --
      ACs don't waste your time replying, your posts are never seen by me.

  2. Compuserv had it right by pcjunky · Score: 3, Interesting

    Compuserv used to use two words with a punctuation mark between them. My old password was impair?boxer. Tens, maybe hundreds of millions of possibilities, simple to remember. I still use that scheme.

  3. Re:Simple non-dictionary passwords by Shakrai · Score: 2, Interesting

    Just use diceware. It's got more than enough entropy and uses real words that are easy to remember.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.

  4. Amateur idea by Anonymous Coward · Score: 2, Interesting

    Not allowing duplicate passwords is often one of the first things that people that don't understand security think of. It's also one of the first things that people realize is a very stupid idea once they come to understand security. The problem is simple. If you tell somebody that the password entered is in use, you've just told them the password of another user. User names are not secret, so it's much simpler to fly through a list of users trying a single password than it is to fly through a list of passwords for a single user. Allowing multiple users to use the same password before it is locked out just makes it worse. If there are multiple potential hits, it's easier to find one account once you have a locked-out password.

  5. Anyone else see the problem with this? by Anonymous Coward · Score: 2, Interesting

    If you automatically ban overly popular passwords, you have provided attackers with positive information about passwords in existence among the pool of users under the regime.

    1) change password, repeat until
    2) you hit upon a banned password
    3) add password to the top of your dictionary
    4) ???
    5) profit

  6. Re:My favorite by ninjacheeseburger · Score: 2, Interesting

    I once got locked from my bank account as I registered with a 14 character password which I spent some time memorizing.

    Unfortunately after calling them up and resetting my account twice, I was informed that the system only allowed 10 character long passwords and they had not implemented any method of checking the length when you registered.
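    The lockout described above, as an added example that is not part of the original post: a signup path that accepts a 14-character password while the login path silently cuts it to the 10-character backend limit, beside a version that enforces the limit once, at registration. The bank's real code is not on the page; PBKDF2 storage and the class names are assumptions.

```python
import hashlib
import hmac
import os

MAX_LEN = 10  # the backend limit from the comment; the bank's real code is not on the page


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the bank actually stored (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class BuggyBank:
    """Registration hashes the full password; login hashes only its first
    MAX_LEN characters. A user who registered anything longer can never
    log in, and the signup form never told them about the limit."""

    def __init__(self) -> None:
        self.users = {}  # user -> (salt, stored hash)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))

    def login(self, user: str, password: str) -> bool:
        salt, stored = self.users[user]
        candidate = _hash(password[:MAX_LEN], salt)  # the silent truncation
        return hmac.compare_digest(candidate, stored)


class FixedBank(BuggyBank):
    """Same limit, enforced at registration and never applied silently:
    exactly the string that was accepted is the string that is checked."""

    def register(self, user: str, password: str) -> None:
        if len(password) > MAX_LEN:
            raise ValueError(f"password must be at most {MAX_LEN} characters")
        super().register(user, password)

    def login(self, user: str, password: str) -> bool:
        salt, stored = self.users[user]
        return hmac.compare_digest(_hash(password, salt), stored)


def registration_accepts(bank: BuggyBank, user: str, password: str) -> bool:
    """True if the signup form takes `password` without complaint."""
    try:
        bank.register(user, password)
        return True
    except ValueError:
        return False


def locked_out(bank: BuggyBank, user: str, password: str) -> bool:
    """True when a user who just registered `password` cannot log in with it."""
    return registration_accepts(bank, user, password) and not bank.login(user, password)
```

The buggy variant passes every test written with passwords of ten characters or fewer, which is why the inconsistency survives until a real customer picks a longer one.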

  7. Re:Actually I don't. by kent_eh · Score: 2, Interesting

    "I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain"

    Actually I don't have a problem with it. Once you get used to it and it's normal, then it's really not a problem. The thing with these people is that no matter how easy a password system is, they are going to complain about it.

    The big problem with my employer is that most of us have multiple platforms to log into, each maintained by a different group, each with unique password policies, which means different expiry periods, different non-alpha character requirements, and different min/max character requirements.

    Yes it's stupid.
    Yes, it does drive many users to the post-it note solution.
    Yes, we are a huge bureaucratic organization.
    And, no, there is no political will to merge or harmonize the systems or policies. "You want us to do things like *them*? Are you mad!"

    Sigh. Only 5 years 'till early retirement...

    --
    "I can't complain, but sometimes still do..." Joe Walsh

  8. Reality Check by BitZtream · Score: 4, Interesting

    No one cares enough about your data to steal your password. So long as it's not so easy to guess that a random dictionary account gets it real quick, then your 3 letter password of 'AAA' is more secure than most 6 letter passwords.

    Why? Again, because no one cares about your data. When you have important enough data that the employees really do need to know security, they'll also have enough intelligence to realize they need to be intelligent with their passwords.

    The problem with complex passwords is that idiots keep trying to force them on people who don't need complex passwords.

    Your password policies should be geared towards the individual security requirements of ... the individuals.

    Donna the secretary gets to use 'mydog' as her password, so does Chris the CEO, because he doesn't do anything anyway, he tells someone else to do everything.

    Igor the IT guy has strict password requirements, as do most of the accountants which have access to bank accounts directly.

    If you have one password policy for your organization, you are indeed retarded unless your organization consists only of yourself.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager

  9. Re:deh. by Crudely_Indecent · Score: 2, Interesting

    I occasionally use simple, but misspelled words or names, or a combination of simple words that do not belong together, or simple phrases omitting spaces. One has to be careful not to choose common misspellings, or words that somehow go together, but a successful selection should be both easy to remember and immune to dictionary attack.

    My brother and nephews and I play a game called "two great tastes" that involves choosing two foods that taste great, but not together. The purpose is to come up with the grossest combination. These words combined would make a combination of words that don't go together ("sauerkraut" and "candycorn" for example, or "Tabasco" and "milk"). There are a virtually unlimited number of foods that can be combined in this game.

    Unfortunately, I cannot use these types for all passwords as some systems have strict rules in place which require numbers and/or characters or length restrictions.

    Examples (none that I use, of course):

    Misspelled:
    elixabeth
    zpecialist

    Combinations:
    applespongewrap ("apple" + "sponge" + "wrap")
    mustardeyedrops ("mustard" + "eyedrops")

    Phrases:
    islitasheet (part of "I slit a sheet, a sheet I slit, upon the slitted sheet I sit" tongue-twister)
    ilikemynewjob ("I like my new job")

    --
    "Lame" - Galaxar

  10. Re:Write it down by hairyfeet · Score: 3, Interesting

    That reminds me of a story one of my teachers used to tell: He was taking a class to go check out some new enterprise clusters and the PHB they had conduct the tour kept blathering on about how secure their place was thanks to their insane password policies. Finally Mike got tired of it and said "I'll bet you $100 and a steak dinner you let me loose in here for 15 minutes and I'll have access to your system". This of course annoyed the PHB, who took the bet. Sure enough, in 15 minutes he came back with 4 valid logins. When the PHB demanded to know how he did it, he just started flipping keyboards over until he found post-its with logins. He said the PHB stormed off in a huff and he never did get his steak or $100.

    That is why I believe ultimately passwords will have to be done away with for smart cards or CC style password generators for large systems. It is just too hard for little Sally in the pool to remember the huge password, so you end up with a security theater system where the janitor has better access than many of the admins.

    --
    ACs don't waste your time replying, your posts are never seen by me.

  11. Man, am I a loser... by Anonymous Coward · Score: 1, Interesting

    I've used the same two passwords for over 25 years. Actually it was just one random alpha password that a mainframe spit out when I created one of my first password protected accounts, and I added the second because the original didn't have any numbers in it. I came up with that one the first time a system demanded that I put numbers in a password.

    I did recently introduce a 3rd password for my email accounts since I've seen some malware or hackers get your email addy and password from some site you use, then try the same password on that email account, then look for emails from financial institutions and businesses that can be exploited with the same password. But the 3rd password is still the same original password with one number stuck in the middle.

    I've never had anything whatsoever hacked into or had any problems of any kind related to the password, even though I've probably used it on more than a thousand systems from mainframes to minicomputers to networks to pc's to web sites.

    When I worked for one company that enforced the fancy password rules of length and numeric/symbols and changing it frequently, I just wrote it on a piece of paper and stuck it under the keyboard, just like you're supposed to. I'm not a security guy, I have a different job, and forgetting the stupid password sort of made doing that job difficult. While I'm sure that it's some degree better to go through all these shenanigans, most users not only don't care or won't do it if they can avoid it, they don't want to do it and it probably doesn't make any difference in the grand scheme of things.

    Shoot, I used a bank for over 20 years and was pretty happy with them until they introduced the complex password and rotating them every two weeks. I'm not going to remember that crap and I don't want to have to write down my banking password. Kissed them goodbye immediately and put my money in a bank that lets ME decide how much security I need around my password.

  12. Re:Simple by walshy007 · Score: 2, Interesting

    My solution to draconian password schemes is simple, use a hash of one of my more normal passwords AS the password for said system.

    Good luck to the person who tries to brute force the 40+ character hex string :)
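    The derived-password approach in the comment above, as an added example that is not part of the original post: a hex digest of a memorable base password (the comment does not name its hash; its 40 hex characters match SHA-1, SHA-256 is used here), plus the two checks a practitioner would put next to it. The optional site tag, the policy checker and the audit helper are additions here, not the commenter's method.

```python
import hashlib
import string
from typing import List, Optional


def derived_password(base: str, site: str = "", length: int = 40) -> str:
    """Derive a hex password from a memorable base password.

    The comment hashes the base alone; the site tag is an addition here so
    that one site's derived string cannot be replayed at another site.
    SHA-256 yields 64 hex characters; the first `length` are returned.
    """
    digest = hashlib.sha256(f"{site}\n{base}".encode()).hexdigest()
    return digest[:length]


def policy_violations(pw: str, max_len: Optional[int] = None,
                      classes: tuple = ()) -> List[str]:
    """Return the rules of a site's password policy that `pw` breaks.

    `classes` may contain "upper", "digit" and "symbol". A lowercase hex
    digest can never satisfy "upper" or "symbol", and a 40-character one
    exceeds the 10-character limit mentioned elsewhere in the thread.
    """
    problems = []
    if max_len is not None and len(pw) > max_len:
        problems.append(f"longer than {max_len}")
    checks = {
        "upper": lambda s: any(c.isupper() for c in s),
        "digit": lambda s: any(c.isdigit() for c in s),
        "symbol": lambda s: any(c in string.punctuation for c in s),
    }
    for name in classes:
        if not checks[name](pw):
            problems.append(f"no {name}")
    return problems


def base_found_in(derived: str, site: str, candidates: List[str]) -> Optional[str]:
    """Audit helper: a derived string is no harder to guess than the base it
    came from once the scheme is known, so a reviewer can check whether a
    stored value was built from a common base word. Returns that base or None."""
    for base in candidates:
        if derived_password(base, site, len(derived)) == derived:
            return base
    return None
```

The 40 hex characters look like 160 bits of strength, but `base_found_in` shows that against anyone who knows the scheme they are worth exactly as much as the base word.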

  13. Problem + problem = solution by Akral · Score: 2, Interesting

    Problem #1: Users use simple, easy-to-guess passwords.
    Problem #2: Users write hard and long passwords down.
    Solution: Let users' passwords be "AB", where A is long and hard string, written down and posted to their computer, and B is a small and short string.

    Rationale:
    1. The result is easy to remember;
    2. The resulting password "jH329J#nBmbottle" is very secure from bruteforce attacks;
    3. The resulting password is secure from local co-workers attacks, because the evil-doer won't know part B;
    4. In case someone was hired and could have left with all parts A written down, you can simply change parts A for all users, and they will hardly even notice.

    Did I miss anything?

    --
    Don't worry, be happy!