Passwords That Are Simple — and Safe (?)
TravisTR submitted a story that talks about simpler passwords. I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain, but I'm not sure that allowing unique but simpler passwords is a better idea.
Why not use simple words that can't easily be found using a dictionary brute force?
And most hacked accounts come from shitty secret questions/answers that let you change the password.
Call it a "passphrase." Ban that other word.
Recent paper by some Microsoft folks at USENIX Security: "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users" (http://research.microsoft.com/en-us/um/people/cormac/papers/2009/solongandnothanks.pdf)
The best passwords I've used are non-dictionary but pronounceable words. The simplest way to generate one is to alternate consonants and vowels, for example 'lasopedi'. It's easy to remember because your brain can store it as a word, not as a random series of letters. You can add uppercase letters, symbols, or numbers if you want it more complex, like 'lasoPedi2!', which is still pretty easy to remember.
To me it depends on two things:
1) How important is the data.
2) What level of access do un-authorized people have to the system.
For example, we have a private development server on an isolated VLAN. The only way to gain any network activity to this server is to be plugged into one of the ports that have access to that VLAN (so just the developer offices).
Do I really need a password like 2wsx)OKMnhy6BGT%?
or does something simple like: 53xym@n cover it?
Now, let's say it's a public server available on the internet with ssh running? Does a really strong password protect me any more than just using a simple public key with a simple password on said key?
I'm not sure that allowing unique but simpler passwords is a better idea.
There is a misunderstanding here. The paper itself is proposing an additional mechanism for protecting against popular passwords. Let's say I give you the password "password" and you find it in the dictionary and send it back to me. Now I give you the password "p@ssword" and you again explain it must have an uppercase/lowercase mix as well as a special character and a number. So I give you "P@ssw0rd" and we go about on our merry business.
... and can be applied equally to the loosest and most stringent password requirements.
Unfortunately for the security of my account, I responded to your system's demands in a very algorithmic way. And, after millions of users try this, it might be safe for me to add in my dictionary attacks substitutions for characters in password.
I believe what the proposed paper is suggesting is that there is an oracle that alerts the user when their password is acceptable but is simply too common and therefore unsafe. The final piece of the puzzle is building in protection so that attackers cannot "query" the oracle to find out what are popular passwords in your system that have reached their max. It's about managing entropy in the set of passwords that your users have with a new mechanism.
After reading the paper (assuming you don't have this already), it is genuinely a way to increase your user's protection.
My work here is dung.
Just write down your password in a convenient & easily accessible location near entry point. Problem solved.
This only works for big services: if you have only a couple of users, you will miss many of the easy-to-guess passwords. Instead of preventing users from picking the same password as other users, you should check the passwords against a pre-made dictionary. This is basically the same approach, only without relying on the users for building your dictionary.
In most systems, the password isn't the weak point; it is generally the security question or an off-site link. For example, you might require that users of an online banking system use a password 15 characters long. However, you e-mail them a link to change a password if needed through an e-mail account, and if that person's password is "e-mail" or something like that, all the security on your site vanishes.
Really, you have to figure out who would be trying to get into your account: family members? A random black hat? Your friends? Your enemies? And base passwords on that. For example, if your main problem is with black hats, a password such as your dog's name with your birth year, like "fido1961", might be good enough to prevent brute force attacks; on the other hand, that password is laughably weak if your family or friends want to get in and have some good skills. However, in most cases people write down passwords, which leads to more weaknesses there, because for some reason IT departments want people to have passwords like "Zn98iTgg4324YEneEjjRtZ34", which might be great at preventing a black hat from accessing it, but such an arcane password generally requires people to write it down.
Taxation is legalized theft, no more, no less.
CompuServe used to use two words with a punctuation mark between them. My old password was impair?boxer. Tens, maybe hundreds, of millions of possibilities, simple to remember. I still use that scheme.
I just love being required to use a SECURE PASSWORD for something totally meaningless like a forum or shopping cart. It usually goes like this: 1) Password rejected! All passwords must contain numbers. 2) Password rejected! All passwords must contain mixed case. 3) Password rejected! All passwords must contain at least one symbol. 4) Password rejected! Use only ASCII, ¥ and © are not allowed. 5) Password rejected! Your account has been disabled and a 24 hour block has been placed on your IP address. Please call customer service, the number is on another page of our website.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Not allowing duplicate passwords is often one of the first things that people that don't understand security think of. It's also one of the first things that people realize is a very stupid idea once they come to understand security. The problem is simple. If you tell somebody that the password entered is in use, you've just told them the password of another user. User names are not secret, so it's much simpler to fly through a list of users trying a single password than it is to fly through a list of passwords for a single user. Allowing multiple users to use the same password before it is locked out just makes it worse. If there are multiple potential hits, it's easier to find one account once you have a locked-out password.
Think about a sentence, take the first letter of each word, include a digit: you've got your password.
If you automatically ban overly popular passwords, you have provided attackers with positive information about passwords in existence among the pool of users under the regime.
1) change password, repeat until
2) you hit upon a banned password
3) add password to the top of your dictionary
4) ???
5) profit
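The "too common" oracle from the paper discussion above, the pre-made dictionary suggestion, and the leakage worry in this post, as one added example (my own sketch, not the paper's or any product's code): the filter stores only counters in a count-min sketch, so a rejection is a bounded false-positive signal rather than confirmation that another account uses that password, and the sketch can be pre-seeded from a wordlist. The salt, sizes and threshold are assumptions.

```python
import hashlib

# Added example, not the paper's or any product's code: a "too common" password
# oracle built on a count-min sketch. Design points from a defender's view:
#  * Only hashed-slot counters are stored, never which passwords are popular.
#  * The sketch over-counts but never under-counts, so a rejection may be a
#    false positive; a probe of the oracle cannot be sure a rejected guess
#    is really in use by other accounts.
#  * It can be pre-seeded from a wordlist, so a site with few users still
#    rejects the well-known weak passwords from day one.
# Oracle queries should also be rate-limited per account; that is left out here.

class PopularityFilter:
    def __init__(self, width=2**16, depth=4, threshold=3, salt=b"site-specific-salt"):
        self.width = width            # counters per row
        self.depth = depth            # independent hash rows
        self.threshold = threshold    # max accounts allowed to share one password
        self.salt = salt              # assumed secret, keeps the sketch site-specific
        self.table = [[0] * width for _ in range(depth)]

    def _slots(self, password):
        # One keyed hash per row; the row byte gives each row an independent position.
        for row in range(self.depth):
            digest = hashlib.sha256(self.salt + bytes([row]) + password.encode()).digest()
            yield row, int.from_bytes(digest[:8], "big") % self.width

    def count(self, password):
        # Count-min estimate: the minimum over rows is an upper bound on the true count.
        return min(self.table[row][slot] for row, slot in self._slots(password))

    def seed(self, wordlist):
        # Pre-load known weak passwords so they are already "too popular".
        for word in wordlist:
            for row, slot in self._slots(word):
                self.table[row][slot] = max(self.table[row][slot], self.threshold)

    def try_register(self, password):
        # Accept and record the password unless it has already reached the threshold.
        if self.count(password) >= self.threshold:
            return False
        for row, slot in self._slots(password):
            self.table[row][slot] += 1
        return True
```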
I've posted this as a potential answer on /. before though the original page on my site is no longer available. It's also been discussed here: http://www.schneier.com/blog/archives/2009/05/secret_question.html (find cipher.php)
I found my old page on the wayback machine...perhaps I'll move it back where it goes
http://web.archive.org/web/20060715223129/http://levii.com/cipher.php
I'd appreciate input on the method. You have your random card, your own ez phrase and you end up with properly complex passwords. I've implemented this in numerous business environments, and people seem very happy with the result. Every 60 days they choose a new ez passphrase and/or get a new dynamically generated card.
This is definitely a pet peeve of mine. We recently introduced new password rules at work, despite me trying to convince them otherwise. Has to be 8 or more characters, must contain upper and lower case letters, numbers, and symbols. And it has to be changed every 3 months.
Wonderful. Now everyone has these horribly complex passwords, which around half the users are now posting next to their monitor on a sticky note. If they'd made simpler passwords available, not nearly as many people would have resorted to that.
It seems common sense, but too many IT managers just don't get it - complex passwords are only useful until they hit the threshold at which the user sidesteps around the whole secrecy part of it.
"People who think they know everything are very annoying to those of us who do."-Mark Twain
Stop using passwords and move on to passphrases. They can be fairly long and still easy to remember. Increasing the number of characters does more to make something hard to crack than adding more symbols does.
Hell a phrase like "Purple Elephants make for a rough Work Day" is much harder to crack than "1qaz@WSX3edc$RFV"
It may make dictionary attacks more effective but it will completely destroy brute force methods. Of course the biggest issue is still social engineering so it is still a mostly moot point once you get past trivial passwords.
I'll meet you at the intersection of "Should be" and "Reality"
When your password rules have a net effect of disallowing people from using their familiar mnemonic systems for remembering passwords, you force them to write the passwords down.
And having written-down passwords negates the benefit of all those special characters.
Also, simply making it policy that users can't write the passwords down doesn't help...users either break the policy or often forget their passwords, forcing frequent use of the password recovery process, which can be costly and further weakens the security of your system.
If the password can be easily remembered, it will end up in a dictionary.
But that doesn't matter. At least it doesn't in the way that TFA discusses passwords.
You have two different uses for passwords:
#1. Lets you login to your computer or account or whatever.
#2. Encrypts files that you don't want other people to read.
If we're dealing with #1 then simple passwords are perfect AS LONG AS SOMEONE IS MONITORING THE ACCOUNT FOR FAILED LOGIN ATTEMPTS and dealing with them (and having a delay between individual attempts).
In case #2 then you want a HUGE key because the file can be attacked off-line.
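The passphrase-versus-complexity argument from the "Purple Elephants" post, the consonant/vowel scheme from earlier in the thread, and this post's online-versus-offline distinction, as one added cost model (not code from the thread): it puts each password style under the attack model an attacker would actually pick and converts the result into years of guessing at a throttled online rate and at an offline cracking rate. The guess rates, the 94-symbol charset, the 20,000-word dictionary and the 21/5 consonant/vowel split are assumptions.

```python
import math

# Added example, not from the thread: a cost model for the password styles discussed,
# under its two threat models (throttled online login vs. offline cracking). All rates
# and dictionary sizes below are assumptions, not measurements.
ONLINE_GUESSES_PER_SEC = 1.0      # assumed: login imposes a delay, ~1 guess/s per account
OFFLINE_GUESSES_PER_SEC = 1e10    # assumed: a cracking rig working on a stolen hash
SECONDS_PER_YEAR = 365 * 24 * 3600

def bits_charset(length, charset_size):
    """Search space in bits for a random string of `length` symbols from a charset."""
    return length * math.log2(charset_size)

def bits_wordlist(words, dictionary_size):
    """Search space in bits for a phrase of `words` words, each from a known dictionary."""
    return words * math.log2(dictionary_size)

def bits_pronounceable(length, consonants=21, vowels=5):
    """Alternating consonant/vowel strings like 'lasopedi': only 105 choices per CV pair."""
    pairs, odd = divmod(length, 2)
    return pairs * math.log2(consonants * vowels) + (math.log2(consonants) if odd else 0.0)

def years_to_exhaust(bits, guesses_per_sec):
    """Years to try every candidate at the given rate (expected effort is about half)."""
    return 2.0 ** bits / guesses_per_sec / SECONDS_PER_YEAR

def compare(schemes):
    """Map scheme name -> (bits, years online, years offline)."""
    return {name: (b, years_to_exhaust(b, ONLINE_GUESSES_PER_SEC),
                   years_to_exhaust(b, OFFLINE_GUESSES_PER_SEC))
            for name, b in schemes.items()}

# Styles named in the thread, each with the attack model an attacker would pick for it.
SCHEMES = {
    # 16 printable-ASCII chars treated as random; this is an optimistic bound, since the
    # string is a keyboard walk and pattern-based cracking rules rate it far lower
    "1qaz@WSX3edc$RFV, random 16-char model": bits_charset(16, 94),
    # 8 words from an assumed 20,000-word dictionary, if the attacker knows it is a phrase
    "'Purple Elephants make for a rough Work Day', 8-word model": bits_wordlist(8, 20000),
    # the same 42-character phrase brute-forced symbol by symbol: what 'destroys brute force'
    "same phrase, random 42-char model": bits_charset(42, 94),
    "lasopedi, consonant/vowel model": bits_pronounceable(8),
}

if __name__ == "__main__":
    for name, (bits, online, offline) in compare(SCHEMES).items():
        print(f"{name}: {bits:.1f} bits, {online:.2e} years online, {offline:.2e} years offline")
```

The pronounceable 8-character style comes out near 27 bits: years of work against a throttled login, a fraction of a second offline, which is exactly the case #1 versus case #2 split above.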
Use your phrase. Just turn it into a password.
I Need My Morning Coffee!!
Then jam a number (your morning train, maybe) that makes sense onto it. Result:
inmmc!!650
I do this with song lyrics and quotes, going as far as to leave plaintext reminders on post-its - it's still impossible to guess.
"I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain"
Actually I don't have a problem with it. Once you get used to it and it's normal, then it's really not a problem. The thing with these people is that no matter how easy a password system is, they are going to complain about it.
The big problem with my employer is that most of us have multiple platforms to log into, each maintained by a different group, each with unique password policies, which means different expiry periods, different non-alpha character requirements, and different min/max character requirements.
Yes it's stupid.
Yes, it does drive many users to the post-it note solution.
Yes, we are a huge bureaucratic organization.
And, no, there is no political will to merge or harmonize the systems or policies. "You want us to do things like *them*? Are you mad!"
Sigh. Only 5 years 'till early retirement...
---
"I can't complain, but sometimes still do..." Joe Walsh
No one cares enough about your data to steal your password. So long as it's not so easy to guess that a random dictionary account gets it real quick, then your 3 letter password of 'AAA' is more secure than most 6 letter passwords.
Why? Again, because no one cares about your data. When you have important enough data that the employees really do need to know security, they'll also have enough intelligence to realize they need to be intelligent with their passwords.
The problem with complex passwords is that idiots keep trying to force them on people who don't need complex passwords.
Your password policies should be geared towards the individual security requirements of ... the individuals.
Donna the secretary gets to use 'mydog' as her password, so does Chris the CEO, because he doesn't do anything anyway, he tells someone else to do everything.
Igor the IT guy has strict password requirements, as do most of the accountants which have access to bank accounts directly.
If you have one password policy for your organization, you are indeed retarded unless your organization consists only of yourself.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
I set my password to "********". Eight asterisks. That way, if anyone ever cracks it or uses a keylogger or something, they'll say "What the hell? I still can't see it." If I need my password to be extra secure, I throw a few more asterisks in there.
If the password can be easily remembered, it will end up in a dictionary.
Frobgard.
The clock is ticking on your assertion...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Why not use a system of simple phrases, including spaces and punctuation? Most systems allow that sort of thing. So the password "I love stinky cheese!" (including spaces and exclamation) is good for two reasons:
That said, I agree with the parent post: many times writing a password down is actually a good idea.
I find it amusing that people answer these questions honestly. My mother's maiden name was Johnson. A lot of people who know me know this. I think that it's silly that me telling anyone this could be considered a security risk. It's probably easily found out in public records that anyone can access.
That's why when anyone ever asks me, "For security purposes in case you lose your account information, what is your mother's maiden name?" I answer, "Brigadoon." That way if someone who knows me decides to have a good laugh on ol' Skippus and they call up some owner of an account I have and they ask, "Okay, for security purposes, what is your mother's maiden name?" and they answer, "Johnson," they will not be allowed access to whatever it was they were trying to get access to.
I have a list of stock answers to questions such as my mother's maiden name, my high school, my favorite pet's name, my favorite sports team, etc. Most of them are related. My mother's maiden name is Brigadoon. My high school was good ol' BHS. My favorite pet was Brigadot. My favorite team is the Brigands. You get the idea.
Of course, I've also lied about almost everything in this post. My mother's maiden name really isn't Johnson, and the name I give everyone isn't really Brigadoon, but the part about lying on those forms and using meta-passwords is true, and I highly encourage everyone else to do the same. Using actual facts or experiences that aren't so intimately personal that I wouldn't be telling anyone anyway as a security checkpoint is pretty damn stupid.
If they're not highly-trained enough to know to lock up a password, then they have no business being in charge of information that needs a password to access, and all of the worry about how they store their password is moot.
Problem #1: Users use simple, easy-to-guess passwords.
Problem #2: Users write hard and long passwords down.
Solution: Let users' passwords be "AB", where A is long and hard string, written down and posted to their computer, and B is a small and short string.
Rationale:
1. The result is easy to remember;
2. The resulting password "jH329J#nBmbottle" is very secure from bruteforce attacks;
3. The resulting password is secure from local co-workers attacks, because the evil-doer won't know part B;
4. In case someone was hired and could have left with all parts A written down, you can simply change parts A for all users, and they will hardly even notice.
Did I miss anything?
Don't worry, be happy!