Passwords That Are Simple — and Safe

TravisTR submitted a story that talks about simpler passwords. I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain, but I'm not sure that allowing unique but simpler passwords is a better idea.

changing passwords frequently makes no sense

[js_sebastian]

Recent paper by some microsoft folks at usenix security: "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users" (http://research.microsoft.com/en-us/um/people/cormac/papers/2009/solongandnothanks.pdf)

Compuserv had it right

[pcjunky]

Compuserv used to use two words with a punctuation mark between them . My old password was impair?boxer. Tens maybe hundreds of millions of possibilities, simple to remember. I still use that scheme.

Reality Check

[BitZtream]

No one cares enough about your data to steal your password, so long as its not so easy to guess that a random dictionary account gets it real quick than your 3 letter password of 'AAA' is more secure than most 6 letter passwords.

Why? Again, because no one cares about your data. When you have important enough data that the employees really do need to know security, they'll also have enough intelligence to realize they need to be intelligent with their passwords.

The problem with complex passwords is that idiots keep trying to force them on people who don't need complex passwords.

Your password policies should be geared towards the individual security requirements of ... the individuals.

Donna the secretary gets to use 'mydog' as her password, so does Chris the CEO, because he doesn't do anything anyway, he tells someone else to do everything.

Igor the IT guy has strict password requirements, as do most of the accountants which have access to bank accounts directly.

If you have one password policy for your organization, you are indeed retarded unless your organization consists only of yourself.

Re:Write it down

[hairyfeet]

That reminds me of a story one of my teachers used to tell: He was taking a class to go check out some new enterprise clusters and the PHB they had conduct the tour kept blathering on about how secure their place was thanks to their insane password policies. Finally Mike got tired of it and said "I'll bet you $100 and a steak dinner you let me loose in here for 15 minutes and I'll have access to your system". This of course annoyed the PHB who took the bet. Sure enough in 15 minutes he came back with 4 valid logins. When the PHB demanded to know how he did it he just started flipping keyboards over until he found post its with logins. He said the PHB stormed off in a huff and he never did get his steak or $100.

That is why I believe ultimately passwords will have to be done away with for smart cards or CC style password generators for large systems. It is just too hard for little Sally in the pool to remember the huge password, so you end up with a security theater system where the janitor has better access than many of the admins.