Slashdot Mirror


Passwords That Are Simple — and Safe (?)

TravisTR submitted a story that talks about simpler passwords. I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain, but I'm not sure that allowing unique but simpler passwords is a better idea.

27 of 563 comments

  1. deh. by Anonymous Coward · · Score: 5, Insightful

    Why not use simple words that can't easily be found using dictionary bruteforce?

    And most hacked accounts come from shitty secret question/answer that can let you change the password.

    1. Re:deh. by Opportunist · · Score: 4, Insightful

      Pretty much this. Someone hand Mr. Anonymous a few mod-ups.

      There are exactly 2 things in my experience (from various forensic examinations) that are responsible for almost all hacked passwords: Keyloggers and easily guessable recovery questions.

      Last 4 digits of your credit card? If the system allows you to retry infinitely, it's a matter of trial and error. 10000 attempts, tops. Trivial to do for an automated system.
      Last name of your teacher/Mother's maiden name? Trivial for anyone who knows you, and if you don't care for the account you want, send the most common names against as many accounts as you can get your hands on.
      Place of birth? Elementary school? Pet's name? Check the person's Facebook account.

      It has never, in my experience, been a blunt dictionary attack within the last 5 years. Why? Because even a password susceptible to a dictionary attack requires a fairly weak login procedure to work. And every single password entry system I know of (at least when it's about more than something trivial like logging in to your pr0n account) either has a delay feature that keeps you from trying more than maybe 10 passwords a minute, or it even implements something like a "3 strikes" system before you have to contact a human being, or at the very least solve a captcha. Dictionary attacks are not really something you can easily use to crack passwords anymore.

      Oddly, such a safeguard is almost certainly missing when it comes to password recovery questions.

      And I guess I needn't waste a character to write about keyloggers.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. don't ever use the word "password" by Anonymous Coward · · Score: 5, Insightful

    Call it a "passphrase." Ban that other word.

    1. Re:don't ever use the word "password" by swilly · · Score: 5, Insightful

      I agree. There is only so much entropy the human brain can remember, but I can remember phrases quite well. Throw in a few digits and special characters instead of letters and you have the perfect balance between security and ease of use. Unfortunately I keep seeing maximum password lengths, which is just stupid. I suspect maximum password lengths are caused by lazy developers and web sites that store passwords instead of hashes of passwords.

      Don't know if typing phrases would be better for everyone though. Interested to know how non-touch typists would deal with something like "It w@s the b3st of times, It was the worst of times".

  3. changing passwords frequently makes no sense by js_sebastian · · Score: 3, Interesting

    Recent paper by some Microsoft folks at USENIX Security: "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users" (http://research.microsoft.com/en-us/um/people/cormac/papers/2009/solongandnothanks.pdf)

    1. Re:changing passwords frequently makes no sense by Monkeedude1212 · · Score: 4, Informative

      People who argue that changing passwords frequently* is a waste of time have not had to deal with the security issue of people sharing their passwords on a regular basis. On the odd occasion, the Receptionists will share passwords so they can log in on each other's computers and access each other's files. As an IT team we've done our best to abstract that concept by allowing anyone to log onto any computer in the network so long as they have an account, and mapping network drives automatically based on your permissions, but suffice to say some people just don't understand that. Someone will still only save to "My Documents" or C: drive, because that's what they do at home. Anyways, if someone gets terminated, and they remember the passwords, they pose a security risk. We had this issue come up last summer where a manager knew a few people's passwords, and after being fired, was using the webmail client to snoop on emails.

      I haven't been working in this side of IT for more than 2 years and I can already see the benefit of ever-changing passwords.

      *I suppose that depends how frequently you are talking

    2. Re:changing passwords frequently makes no sense by hal2814 · · Score: 3, Funny

      There's not always a sticky note on the monitor. Some people are security conscious. They hide the sticky under their mouse pad. Because really... who would ever think to look there?

    3. Re:changing passwords frequently makes no sense by DragonWriter · · Score: 4, Insightful

      People who argue that changing passwords frequently* is a waste of time have not had to deal with the security issue of people sharing their passwords on a regular basis.

      People who argue that rotating passwords frequently is a good solution to password sharing are missing the point: password sharing means either:
      1) People who should not have access to facilities are routinely being given it by others, or
      2) People who should have access to facilities are not given reliable enough access to it in their own name.

      Rotating passwords frequently does not address either of these problems. OTOH, it makes it more likely that people will be unable to remember their passwords and will, therefore, write them down somewhere near their computer for ready reference, which creates its own problems.

      As an IT team we've done our best to abstract that concept by allowing anyone to log onto any computer in the network so long as they have an account, and mapping network drives automatically based on your permissions, but suffice to say some people just don't understand that. Someone will still only save to "My Documents" or C: drive, because that's what they do at home.

      You can certainly redirect "My Documents" (and most other profile folders) to network locations, and you can make the rest of the C:\ drive writable only to administrators and not make normal users administrators. Problem solved.

      We had this issue come up last summer where a manager knew a few people's passwords, and after being fired, was using the webmail client to snoop on emails.

      And rotating passwords may limit the time of exposure to such attacks, but doesn't prevent them, so if there is anything truly sensitive exposed, it doesn't protect it. What an IT organization ought to do is deal with the reasons people are routinely sharing passwords.

    4. Re:changing passwords frequently makes no sense by SCHecklerX · · Score: 4, Insightful

      Changing passwords frequently, as somebody writes below, leads to patterns, sticky notes on monitors, passwords kept in notepad files, etc. IOW, it MAKES THINGS LESS SECURE.

      It is the most ridiculous policy I've seen in this field.

      A better policy is:

      1) force strong passwords
      2) audit against weak passwords using cracking tools
      3) force a change of passwords when an incident occurs, or a person with a shared (i.e. admin, root, database, etc.) access leaves the company.

      Forcing constant changes does not make you more secure if the password is strong to begin with and good policies around sharing and disclosing that password are followed (and they are more likely to be followed if you aren't forcing users to change the damned thing every month). Users will also be able to REMEMBER their STRONG password. Imagine that!

    5. Re:changing passwords frequently makes no sense by DragonWriter · · Score: 3, Informative

      We don't think of rotating passwords as a solution to the problem - we think of it as a countermeasure that will buy us time when issues arise.

      Regular rotation clearly doesn't buy you time (it limits the time of exposure when certain problems occur, but doesn't buy you time.)

      What are we going to do to reprimand password sharing?

      Reprimanding is not the solution.

      The solution is:
      1) Find out what the problem is in the existing system that people are working around by sharing problems, and
      2) Address that problem in a way that removes the incentive to share passwords.

      As IT we just police

      This view is probably the source of many of your problems. As IT your mission should be marshalling technology to enable the broader organization to achieve its goals efficiently and safely, not being "just police".

      Rotating the passwords gives us the time we need that when attacks come up - we can address them properly.

      How? Regular rotation of passwords does nothing to delay the impact of an attack. Selective forced expiration of passwords in response to an identified attack may buy some time, but that's very different than a regular and frequent rotation policy.

    6. Re:changing passwords frequently makes no sense by Bigjeff5 · · Score: 3, Insightful

      Real security requires you to balance out risks, figure out who is the main threat and make passwords to combat that.

      That is exactly right.

      The security in any system is only as strong as the weakest members, and the end user is almost always the weakest member of the security question. So before you can do anything, you need to strengthen the security that the users themselves practice. You need a comprehensive training program for all your employees - and it has to be a good one. You've got to make the security problem relevant to them before you'll be able to get any real behavior change.

      Once you've done that, you need to implement sane policies that a reasonable individual can handle. Just because you have developed a system to memorize a random 20 character password at the drop of a hat doesn't mean your end users have (in fact, they almost certainly have not). Requiring a 20 character password with four upper and four lower case characters, four numbers, and four symbols (yeah, you get a whole 4 characters that you can make whatever you want!) that changes every month is not going to work, ever.

      I worked at a National Guard armory on an army base for a while (I was a civilian contractor) and the problem with security that didn't take the users into account was glaringly obvious. The security there was intense - access cards that were biometrically linked to the individual (via fingerprint), an 8 digit PIN number for the card access, and a 10-15 character password that had to have 2 upper and lower characters, 2 numbers and 2 symbols in case you locked out your card with the wrong PIN.

      You couldn't just unlock your PIN. If you locked it out, you needed to set a new one. To do this you had to scan your fingerprint at the issuing office. Your PIN could not be the same as any of the last 10-15 PINs you used, I don't remember the exact number. Since this was a constant problem, if you locked your card out you could expect to spend a half hour to an hour unlocking it. The password was a backup - you could get on to your system with your password. The trouble was nobody used their password, so unless they had it on a sticky they couldn't use it to get in to their system.

      The PIN numbers were changed so frequently people started putting them on stickies on their monitor. Then they'd step out and forget their access card in the machine. Now you have zero security. None, nada, zilch. For all your system does to keep it secure, you can just walk in to almost any empty but open office and find a card in a machine with the correct PIN stickied to the monitor.

      You must design your security system to the limits of your users, not to the limits of the technology.

      I'm personally a big fan of pass-phrases. It doesn't matter if you use dictionary words in a pass phrase, you're looking at 50,000+ possibilities for each word in the phrase, so for a 5 word passphrase you're looking at about 3^20 permutations. Add in capital letters and punctuation and it is more like 1^25 permutations. Compared to 9^20 for the 20 character password I described above, and that's not too far off. Most places recognize that a 20 character password will never work, and they generally use at most a 15 character password. Without any of the lost-options caused by adding restrictions (so many of x, y, or z type digit) that's 3^15 permutations, a hell of a lot less than the much easier to remember 5 word pass-phrase.

      So you can have your insane levels of security if you're smart about it. If someone wants to use their daughter's birthday, "Shelly's birthday is on July the 20'th" is nearly uncrackable and extremely easy to remember.

      The only way to limit sharing of passwords is to: a.) give them a secure and convenient way to do the same thing, b.) educate them about why they should not be sharing their passwords amongst themselves and make it relevant to them personally, and c.) enforce the policy with serious conse

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
  4. Simple non-dictionary passwords by ceswiedler · · Score: 3, Insightful

    The best passwords I've used are non-dictionary but pronounceable words. The simplest way to generate one is to alternate consonants and vowels, for example 'lasopedi'. It's easy to remember because your brain can store it as a word, not as a random series of letters. You can add uppercase letters, symbols, or numbers if you want it more complex, like 'lasoPedi2!', which is still pretty easy to remember.

    1. Re:Simple non-dictionary passwords by ArcherB · · Score: 5, Informative

      The best passwords I've used are non-dictionary but pronounceable words. The simplest way to generate one is to alternate consonants and vowels, for example 'lasopedi'. It's easy to remember because your brain can store it as a word, not as a random series of letters. You can add uppercase letters, symbols, or numbers if you want it more complex, like 'lasoPedi2!', which is still pretty easy to remember.

      The best passwords I've found are sentences translated into passwords. For example:

      My phone number is 555-234-2344 : Mp#i555-234-2344
      I live at 2202 Park Street : Il@2202PSt
      Four score and seven years ago : 4Sa7ya...
      My wife won't go down on me since we got married! : Mww'tgdomswgm!

      Whatever. You get the idea. All you have to remember is the sentence.

      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    2. Re:SImple non-dictionary passwords by alexo · · Score: 4, Funny

      My wife won't go down on me since we got married! : Mww'tgdomswgm!

      Bad password. Too common.

  5. Depends on the importance and access by FictionPimp · · Score: 3, Insightful

    To me it depends on two things:

    1) How important is the data.
    2) What level of access do un-authorized people have to the system.

    For example, we have a private development server on an isolated VLAN. The only way to gain any network activity to this server is to be plugged into one of the ports that have access to that VLAN (so just the developer offices).

    Do I really need a password like 2wsx)OKMnhy6BGT%?

    or does something simple like: 53xym@n cover it?

    Now, let's say it's a public server available on the internet with ssh running? Does a really strong password protect me any more than just using a simple public key with a simple password on said key?

  6. Write it down by glittermage · · Score: 5, Funny

    Just write down your password in a convenient & easily accessible location near the entry point. Problem solved.

    1. Re:Write it down by hairyfeet · · Score: 3, Interesting

      That reminds me of a story one of my teachers used to tell: He was taking a class to go check out some new enterprise clusters and the PHB they had conduct the tour kept blathering on about how secure their place was thanks to their insane password policies. Finally Mike got tired of it and said "I'll bet you $100 and a steak dinner you let me loose in here for 15 minutes and I'll have access to your system". This of course annoyed the PHB who took the bet. Sure enough in 15 minutes he came back with 4 valid logins. When the PHB demanded to know how he did it he just started flipping keyboards over until he found Post-its with logins. He said the PHB stormed off in a huff and he never did get his steak or $100.

      That is why I believe ultimately passwords will have to be done away with for smart cards or CC style password generators for large systems. It is just too hard for little Sally in the pool to remember the huge password, so you end up with a security theater system where the janitor has better access than many of the admins.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  7. Passwords aren't the weak point by Darkness404 · · Score: 4, Insightful

    In most systems, the password isn't the weak point, it is generally the security question or an off-site link. For example, you might require that users of an online banking system use a password 15 characters long, but you e-mail them a link to change a password if needed through an e-mail account. Well, if that person's password is "e-mail" or something like that, all the security on your site vanishes.

    Really, you have to figure out who would be trying to get into your account, family members? A random black-hat? Your friends? Your enemies? And base passwords on that, for example, if your main problem is with black hats, a password such as your dog's name with your birth year like "fido1961" might be good enough to prevent brute force attacks, on the other hand, that password is laughably weak if your family or friends want to get in and have some good skills. However, in most cases people write down passwords which leads to more weaknesses there because for some reason IT departments want people to have passwords of "Zn98iTgg4324YEneEjjRtZ34" which might be great at preventing a black hat from accessing it, but such an arcane password generally requires people to write it down.

    --
    Taxation is legalized theft, no more, no less.
  8. Compuserv had it right by pcjunky · · Score: 3, Interesting

    Compuserv used to use two words with a punctuation mark between them. My old password was impair?boxer. Tens maybe hundreds of millions of possibilities, simple to remember. I still use that scheme.

    1. Re:Compuserv had it right by jandrese · · Score: 3, Funny

      Interesting. According to the internet, the average educated adult knows about 20,000 words. Assuming a loose definition of "punctuation" we have about 32 punctuation keys on the keyboard. This means there are around 12,800,000,000 possible passwords under that system. That compares alright (but not spectacularly) to 8 random lowercase letters (208,827,064,576 combinations). It falls completely on its face against requirements like "add random punctuation, numbers, and at least one capital letter" (6,095,689,385,410,816 combinations).

      12 billion sounds like something a computer could brute force these days, although it depends a lot on the algorithm.

      This is also why on Windows you want to have a 15+ character password. For 14 characters and below, Windows stores the passwords as two 7 byte fields for backwards compatibility purposes (darn Windows 95/98!). This is bad because a 7 byte field with just lowercase letters has only 8,031,810,176 combinations, 16 million if you use the full 14 characters, but most people have 8 character passwords for historical reasons (DES salt length of all things), and that last character is basically worthless. It's a bit of a pain, but 15 character passwords can be made reasonable (assuming your security policy doesn't require 25% punctuation or something) and will be stored a much more secure way on Windows hosts.

      --
      I read the internet for the articles.
  9. My favorite by DNS-and-BIND · · Score: 3, Funny

    I just love being required to use a SECURE PASSWORD for something totally meaningless like a forum or shopping cart. It usually goes like this: 1) Password rejected! All passwords must contain numbers. 2) Password rejected! All passwords must contain mixed case. 3) Password rejected! All passwords must contain at least one symbol. 4) Password rejected! Use only ASCII, ¥ and © are not allowed. 5) Password rejected! Your account has been disabled and a 24 hour block has been placed on your IP address. Please call customer service, the number is on another page of our website.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  10. Pass Phrases by Lifyre · · Score: 5, Informative

    Stop using pass words and move on to pass phrases. They can be fairly long and still easy to remember. Increasing the number of characters does more to make something hard to crack than adding more symbols does.

    Hell, a phrase like "Purple Elephants make for a rough Work Day" is much harder to crack than "1qaz@WSX3edc$RFV"

    It may make dictionary attacks more effective but it will completely destroy brute force methods. Of course the biggest issue is still social engineering so it is still a mostly moot point once you get past trivial passwords.

    --
    I'll meet you at the intersection of "Should be" and "Reality"
  11. Eventually they will be in dictionaries. by khasim · · Score: 4, Insightful

    If the password can be easily remembered, it will end up in a dictionary.

    But that doesn't matter. At least it doesn't in the way that TFA discusses passwords.

    You have two different uses for passwords:

    #1. Lets you log in to your computer or account or whatever.

    #2. Encrypts files that you don't want other people to read.

    If we're dealing with #1 then simple passwords are perfect AS LONG AS SOMEONE IS MONITORING THE ACCOUNT FOR FAILED LOGIN ATTEMPTS and dealing with them (and having a delay between individual attempts).

    In case #2 then you want a HUGE key because the file can be attacked off-line.
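
An added example, not code from any poster, of the safeguards khasim's case #1 depends on and Opportunist described earlier: a growing delay between failed attempts on one account, a strike limit that hands the account to a human, and a failure log that someone actually monitors. The limits, delays and the 'mydog' sample account are assumed values chosen for illustration.

```python
# Online-attempt throttling and failure monitoring for login passwords
# (khasim's case #1). Added example, not code from any poster; limits,
# delays and the sample accounts are assumptions chosen for illustration.
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0        # consecutive failures since the last success
    not_before: float = 0.0  # earliest time another attempt is evaluated
    locked: bool = False     # needs a human (admin_unlock) to clear


class LoginGuard:
    MAX_STRIKES = 3      # Opportunist's "3 strikes" before a human is involved
    BASE_DELAY = 6.0     # seconds; caps one account at about 10 attempts a minute

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.state = {}
        self.audit = []  # (timestamp, account, event) for the monitoring side

    def attempt(self, account, supplied, check):
        """check(supplied) -> bool is the real credential check; it runs only
        when the account is neither locked nor inside its delay window."""
        now = self.clock()
        st = self.state.setdefault(account, AccountState())
        if st.locked:
            self.audit.append((now, account, "rejected: locked"))
            return "locked"
        if now < st.not_before:
            # Refuse without evaluating the credential: a burst of guesses
            # gains nothing and the reply reveals nothing about correctness.
            self.audit.append((now, account, "rejected: too soon"))
            return "throttled"
        if check(supplied):
            st.failures, st.not_before = 0, 0.0
            return "ok"
        st.failures += 1
        self.audit.append((now, account, "failed"))
        if st.failures >= self.MAX_STRIKES:
            st.locked = True
            return "locked"
        # Delay doubles with each consecutive failure: 6 s, 12 s, ...
        st.not_before = now + self.BASE_DELAY * 2 ** (st.failures - 1)
        return "failed"

    def admin_unlock(self, account):
        """The human step: the help desk clears the lock after verifying identity."""
        self.state[account] = AccountState()
        self.audit.append((self.clock(), account, "unlocked by admin"))

    def accounts_under_attack(self, window, min_failures):
        """Monitoring view: accounts with at least min_failures failed attempts
        in the last `window` seconds (the watching khasim says case #1 needs)."""
        since = self.clock() - window
        counts = {}
        for ts, account, event in self.audit:
            if ts >= since and event == "failed":
                counts[account] = counts.get(account, 0) + 1
        return {a for a, n in counts.items() if n >= min_failures}


def demo():
    """Walk two accounts through throttle, lockout and unlock on a fake clock
    (a mutable list, so the delays are exercised without sleeping)."""
    now = [1000.0]
    guard = LoginGuard(clock=lambda: now[0])
    check = lambda pw: pw == "mydog"   # BitZtream's 'mydog'; constructed sample
    seen = [guard.attempt("donna", "wrong", check),   # failed -> 6 s delay
            guard.attempt("donna", "mydog", check)]   # right password, too soon
    now[0] += 6
    seen.append(guard.attempt("donna", "mydog", check))   # accepted
    for _ in range(3):                                     # three strikes on igor
        seen.append(guard.attempt("igor", "guess", check))
        now[0] += 30
    guard.admin_unlock("igor")
    seen.append(guard.attempt("igor", "mydog", check))    # accepted after reset
    return seen, guard.accounts_under_attack(window=3600, min_failures=3)
```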

  12. Re:Simple by iluvcapra · · Score: 5, Insightful

    When your password rules have a net effect of disallowing people from using their familiar mnemonic systems for remembering passwords, you force them to write the passwords down.

    I assume this is when someone uses a captive bolt gun to threaten you to reveal your password...

    And having written-down passwords negates the benefit of all those special characters.

    This is a misconception. Forcing the user to write down a password allows the password to be much longer, and probably much more impervious to attack over the network. The fact that it's written down makes the password as insecure as the place where it's written down. If that place is behind a locked door, perhaps in the room containing the protected machine itself, then the password is about as secure as you could expect, since if someone can get into that room they're going to have access to everything that password protects, password or no. A sheet of paper in a wallet is also valid, since people keep extremely valuable bits of information that can be easily changed and cancelled in their wallet as well.

    Encryption keys require a different sort of discipline, but again just because something is memorizable doesn't mean it is absolutely better than something written down, or contained in a separate, secure place.

    You have to ask, "what is this password protecting?" If it's protecting a box from network attack, PLEASE FOR THE LOVE OF GOD USE BIG PASSWORDS AND WRITE THEM DOWN! If you're protecting data from more, ah, physical or intimate incursion, a memorized password is a start, but it had better not be the only part of the puzzle. Since network attacks are a much bigger problem these days than someone breaking into your house, the first solution is probably going to be much more practical and effective.

    --
    Don't blame me, I voted for Baltar.
  13. Reality Check by BitZtream · · Score: 4, Interesting

    No one cares enough about your data to steal your password, so long as it's not so easy to guess that a random dictionary account gets it real quick, then your 3 letter password of 'AAA' is more secure than most 6 letter passwords.

    Why? Again, because no one cares about your data. When you have important enough data that the employees really do need to know security, they'll also have enough intelligence to realize they need to be intelligent with their passwords.

    The problem with complex passwords is that idiots keep trying to force them on people who don't need complex passwords.

    Your password policies should be geared towards the individual security requirements of ... the individuals.

    Donna the secretary gets to use 'mydog' as her password, so does Chris the CEO, because he doesn't do anything anyway, he tells someone else to do everything.

    Igor the IT guy has strict password requirements, as do most of the accountants which have access to bank accounts directly.

    If you have one password policy for your organization, you are indeed retarded unless your organization consists only of yourself.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  14. Best password ever. by trevdak · · Score: 4, Funny

    I set my password to "********". Eight asterisks. That way, if anyone ever cracks it or uses a keylogger or something, they'll say "What the hell? I still can't see it." If I need my password to be extra secure, I throw a few more asterisks in there.

  15. This is why I lie. by KingSkippus · · Score: 3, Informative

    Last 4 digits of your credit card? If the system allows you to retry infinitely, it's a matter of trial and error. 10000 attempts, tops. Trivial to do for an automated system. Last name of your teacher/Mother's maiden name? Trivial for anyone who knows you, and if you don't care for the account you want, send the most common names against as many accounts as you can get your hands on.

    I find it amusing that people answer these questions honestly. My mother's maiden name was Johnson. A lot of people who know me know this. I think that it's silly that me telling anyone this could be considered a security risk. It's probably easily found out in public records that anyone can access.

    That's why when anyone ever asks me, "For security purposes in case you lose your account information, what is your mother's maiden name?" I answer, "Brigadoon." That way if someone who knows me decides to have a good laugh on ol' Skippus and they call up some owner of an account I have and they ask, "Okay, for security purposes, what is your mother's maiden name?" and they answer, "Johnson," they will not be allowed access to whatever it was they were trying to get access to.

    I have a list of stock answers to questions such as my mother's maiden name, my high school, my favorite pet's name, my favorite sports team, etc. Most of them are related. My mother's maiden name is Brigadoon. My high school was good ol' BHS. My favorite pet was Brigadot. My favorite team is the Brigands. You get the idea.

    Of course, I've also lied about almost everything in this post. My mother's maiden name really isn't Johnson, and the name I give everyone isn't really Brigadoon, but the part about lying on those forms and using meta-passwords is true, and I highly encourage everyone else to do the same. Using actual facts or experiences that aren't so intimately personal that I wouldn't be telling anyone anyway as a security checkpoint is pretty damn stupid.