Slashdot Mirror


Passwords That Are Simple — and Safe (?)

TravisTR submitted a story that talks about simpler passwords. I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain, but I'm not sure that allowing unique but simpler passwords is a better idea.

16 of 563 comments

  1. deh. by Anonymous Coward · · Score: 5, Insightful

    Why not use simple words that can't easily be found using a dictionary brute force?

    And most hacked accounts come from shitty secret questions/answers that let you change the password.

    1. Re:deh. by Opportunist · · Score: 4, Insightful

      Pretty much this. Someone hand Mr. Anonymous a few mod-ups.

      There are exactly 2 things in my experience (from various forensic examinations) that are responsible for almost all hacked passwords: Keyloggers and easily guessable recovery questions.

      Last 4 digits of your credit card? If the system allows you to retry infinitely, it's a matter of trial and error. 10000 attempts, tops. Trivial to do for an automated system.
      Last name of your teacher/Mother's maiden name? Trivial for anyone who knows you, and if you don't care for the account you want, send the most common names against as many accounts as you can get your hands on.
      Place of birth? Elementary school? Pet's name? Check the person's Facebook account.

      It has never, in my experience, been a blunt dictionary attack within the last 5 years. Why? Because even a password susceptible to a dictionary attack requires a fairly weak login procedure to work. And every single password entry system I know of (at least when it's about more than something trivial like logging in to your pr0n account) either has a delay feature that keeps you from trying more than maybe 10 passwords a minute, or it even implements something like a "3 strikes" system before you have to contact a human being, or at the very least solve a captcha. Dictionary attacks are not really something you can easily use to crack passwords anymore.

      Oddly, such a safeguard is almost certainly missing when it comes to password recovery questions.

      And I guess I needn't waste a character to write about keyloggers.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. don't ever use the word "password" by Anonymous Coward · · Score: 5, Insightful

    Call it a "passphrase." Ban that other word.

    1. Re:don't ever use the word "password" by swilly · · Score: 5, Insightful

      I agree. There is only so much entropy the human brain can remember, but I can remember phrases quite well. Throw in a few digits and special characters instead of letters and you have the perfect balance between security and ease of use. Unfortunately I keep seeing maximum password lengths, which is just stupid. I suspect maximum password lengths are caused by lazy developers and web sites that store passwords instead of hashes of passwords.

      Don't know if typing phrases would be better for everyone though. Interested to know how non-touch typists would deal with something like "It w@s the b3st of times, It was the worst of times".

  3. Write it down by glittermage · · Score: 5, Funny

    Just write down your password in a convenient & easily accessible location near entry point. Problem solved.

  4. Passwords aren't the weak point by Darkness404 · · Score: 4, Insightful

    In most systems, the password isn't the weak point, it is generally the security question or an off-site link. For example, you might require that users of an online banking system use a password 15 characters long, however, you e-mail them a link to change a password if needed through an e-mail account, well if that person's password is "e-mail" or something like that, all the security on your site vanishes.

    Really, you have to figure out who would be trying to get into your account: family members? A random black-hat? Your friends? Your enemies? And base passwords on that. For example, if your main problem is with black hats, a password such as your dog's name with your birth year, like "fido1961", might be good enough to prevent brute force attacks; on the other hand, that password is laughably weak if your family or friends want to get in and have some good skills. However, in most cases people write down passwords, which leads to more weaknesses, because for some reason IT departments want people to have passwords like "Zn98iTgg4324YEneEjjRtZ34", which might be great at preventing a black hat from accessing it, but such an arcane password generally requires people to write it down.

    --
    Taxation is legalized theft, no more, no less.
  5. Re:changing passwords frequently makes no sense by Monkeedude1212 · · Score: 4, Informative

    People who argue that changing passwords frequently* is a waste of time have not had to deal with the security issue of people sharing their passwords on a regular basis. On the odd occasion, the Receptionists will share passwords so they can log in on each other's computers and access each other's files. As an IT team we've done our best to abstract that concept by allowing anyone to log onto any computer in the network so long as they have an account, and mapping network drives automatically based on your permissions, but suffice to say some people just don't understand that. Someone will still only save to "My Documents" or the C: drive, because that's what they do at home. Anyways, if someone gets terminated, and they remember the passwords, they pose a security risk. We had this issue come up last summer where a manager knew a few people's passwords, and after being fired, was using the webmail client to snoop on emails.

    I haven't been working in this side of IT for more than 2 years and I can already see the benefit of ever-changing passwords.

    *I suppose that depends how frequently you are talking

  6. Pass Phrases by Lifyre · · Score: 5, Informative

    Stop using pass words and move on to pass phrases. They can be fairly long and still easy to remember. Increasing the number of characters does more to make something hard to crack than adding more symbols does.

    Hell, a phrase like "Purple Elephants make for a rough Work Day" is much harder to crack than "1qaz@WSX3edc$RFV"

    It may make dictionary attacks more effective but it will completely destroy brute force methods. Of course the biggest issue is still social engineering so it is still a mostly moot point once you get past trivial passwords.

    --
    I'll meet you at the intersection of "Should be" and "Reality"
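As an added illustration of Lifyre's claim (and of the dictionary-attack caveat), not code from the thread: this Python estimates the brute-force search space of the two example strings under a per-character model and a whole-word model, and the worst-case time to exhaust it at a throttled online rate of ten guesses a minute (the figure Opportunist mentions above) versus an offline attack on a leaked hash database. The guess rates and the 20,000-word vocabulary are assumptions; "fido1961" from Darkness404's post is included to show how the same password fares online versus offline.

```python
import math
import string

# Assumed guess rates, not from the thread: a throttled online login form
# (ten guesses per minute) versus an offline attack on a leaked hash database.
ONLINE_GUESSES_PER_SEC = 10 / 60
OFFLINE_GUESSES_PER_SEC = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_bits(password: str) -> float:
    """Search space in bits if the attacker tries every string of this length
    over the character classes the password actually uses."""
    if not password:
        return 0.0
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation + " " for c in password):
        size += len(string.punctuation) + 1
    return len(password) * math.log2(size)


def wordlist_bits(phrase: str, vocabulary: int = 20000) -> float:
    """Search space in bits if the attacker instead guesses whole words from a
    vocabulary of the given (assumed) size: the dictionary-attack caveat."""
    return len(phrase.split()) * math.log2(vocabulary)


def years_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    """Worst-case time to try the whole space at the given guess rate."""
    return 2 ** bits / guesses_per_sec / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ["Purple Elephants make for a rough Work Day",
               "1qaz@WSX3edc$RFV", "fido1961"]:
        bits = charset_bits(pw)
        print(f"{pw!r}: {bits:.0f} bits by character class, "
              f"{wordlist_bits(pw):.0f} bits by word list; "
              f"online {years_to_exhaust(bits, ONLINE_GUESSES_PER_SEC):.1e} y, "
              f"offline {years_to_exhaust(bits, OFFLINE_GUESSES_PER_SEC):.1e} y")
```

Even under the word-list model the phrase (about 114 bits) still beats the 16-character random string (about 105 bits), while "fido1961" lasts for ages behind a throttled login form and minutes against an offline attack.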
  7. Re:Simple non-dictionary passwords by ArcherB · · Score: 5, Informative

    The best passwords I've used are non-dictionary but pronounceable words. The simplest way to generate one is to alternate consonants and vowels, for example 'lasopedi'. It's easy to remember because your brain can store it as a word, not as a random series of letters. You can add uppercase letters, symbols, or numbers if you want it more complex, like 'lasoPedi2!', which is still pretty easy to remember.

    The best passwords I've found are sentences translated into passwords. For example:

    My phone number is 555-234-2344 : Mp#i555-234-2344
    I live at 2202 Park Street : Il@2202PSt
    Four score and seven years ago : 4Sa7ya...
    My wife won't go down on me since we got married! : Mww'tgdomswgm!

    Whatever. You get the idea. All you have to remember is the sentence.

    --
    There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
  8. Eventually they will be in dictionaries. by khasim · · Score: 4, Insightful

    If the password can be easily remembered, it will end up in a dictionary.

    But that doesn't matter. At least it doesn't in the way that TFA discusses passwords.

    You have two different uses for passwords:

    #1. Lets you login to your computer or account or whatever.

    #2. Encrypts files that you don't want other people to read.

    If we're dealing with #1 then simple passwords are perfect AS LONG AS SOMEONE IS MONITORING THE ACCOUNT FOR FAILED LOGIN ATTEMPTS and dealing with them (and having a delay between individual attempts).

    In case #2 then you want a HUGE key because the file can be attacked off-line.
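One way to do the monitoring khasim's case #1 depends on, written as an added example rather than anything from the thread: a small Python detector that reads constructed auth-log lines, keeps a sliding one-minute window of failures per endpoint and source, and alerts when ten accumulate, covering the password-recovery form as well, which Opportunist notes usually lacks such a safeguard. The log format, thresholds and sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the thread): two failures then a
# success on the login form, and a 12-guess burst against the recovery form.
SAMPLE_LOG = [
    "2010-08-11T09:00:00 endpoint=login user=alice src=198.51.100.7 result=FAIL",
    "2010-08-11T09:00:04 endpoint=login user=alice src=198.51.100.7 result=FAIL",
    "2010-08-11T09:00:09 endpoint=login user=alice src=198.51.100.7 result=OK",
] + [
    f"2010-08-11T09:05:{i:02d} endpoint=recovery user=bob src=203.0.113.9 result=FAIL"
    for i in range(12)
]

LINE_RE = re.compile(r"(\S+) endpoint=(\S+) user=(\S+) src=(\S+) result=(\S+)")


def parse_line(line):
    """Return (timestamp, endpoint, user, src, result) or None for junk lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, endpoint, user, src, result = m.groups()
    return datetime.fromisoformat(ts), endpoint, user, src, result


def find_bursts(lines, limit=10, window=timedelta(minutes=1)):
    """Alert once per (endpoint, source) whenever FAIL results inside the
    sliding window reach `limit`. Successes are ignored rather than resetting
    the count, so a guess that happens to succeed still leaves a trail."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, endpoint, user, src, result = parsed
        if result != "FAIL":
            continue
        q = recent[(endpoint, src)]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) == limit:                # crossed the threshold just now
            alerts.append({"endpoint": endpoint, "src": src, "user": user,
                           "failures": len(q), "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG):
        print(alert)
```

On the sample data the login attempts stay under the threshold and only the recovery-form burst is reported, which is the blind spot the thread keeps pointing at.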

  9. Re:Simple non-dictionary passwords by alexo · · Score: 4, Funny

    My wife won't go down on me since we got married! : Mww'tgdomswgm!

    Bad password. Too common.

  10. Re:changing passwords frequently makes no sense by DragonWriter · · Score: 4, Insightful

    People who argue that changing passwords frequently* is a waste of time have not had to deal with the security issue of people sharing their passwords on a regular basis.

    People who argue that rotating passwords frequently is a good solution to password sharing are missing the point: password sharing means either:
    1) People who should not have access to facilities are routinely being given it by others, or
    2) People who should have access to facilities are not given reliable enough access to it in their own name.

    Rotating passwords frequently does not address either of these problems. OTOH, it makes it more likely that people will be unable to remember their passwords and will, therefore, write them down somewhere near their computer for ready reference, which creates its own problems.

    As an IT team we've done our best to abstract that concept by allowing anyone to log onto any computer in the network so long as they have an account, and mapping network drives automatically based on your permissions, but suffice to say some people just don't understand that. Someone will still only save to "My Documents" or the C: drive, because that's what they do at home.

    You can certainly redirect "My Documents" (and most other profile folders) to network locations, and you can make the rest of the C:\ drive writable only to administrators and not make normal users administrators. Problem solved.

    We had this issue come up last summer where a manager knew a few people's passwords, and after being fired, was using the webmail client to snoop on emails.

    And rotating passwords may limit the time of exposure to such attacks, but doesn't prevent them, so if there is anything truly sensitive exposed, it doesn't protect it. What an IT organization ought to do is deal with the reasons people are routinely sharing passwords.

  11. Re:Simple by iluvcapra · · Score: 5, Insightful

    When your password rules have a net effect of disallowing people from using their familiar mnemonic systems for remembering passwords, you force them to write the passwords down.

    I assume this is when someone uses a captive bolt gun to threaten you to reveal your password...

    And having written-down passwords negates the benefit of all those special characters

    This is a misconception. Forcing the user to write down a password allows the password to be much longer, and probably much more impervious to attack over the network. The fact that it's written down makes the password as insecure as the place where it's written down. If that place is behind a locked door, perhaps in the room containing the protected machine itself, then the password is about as secure as you could expect, since if someone can get into that room they're going to have access to everything that password protects, password or no. A sheet of paper in a wallet is also valid, since people keep extremely valuable bits of information that can be easily changed and cancelled in their wallet as well.

    Encryption keys require a different sort of discipline, but again just because something is memorizable doesn't mean it's absolutely better than something written down, or contained in a separate, secure place.

    You have to ask, "what is this password protecting?" If it's protecting a box from network attack, PLEASE FOR THE LOVE OF GOD USE BIG PASSWORDS AND WRITE THEM DOWN! If you're protecting data from more, ah, physical or intimate incursion, a memorized password is a start, but it had better not be the only part of the puzzle. Since network attacks are a much bigger problem these days than someone breaking into your house, the first solution is probably going to be much more practical and effective.

    --
    Don't blame me, I voted for Baltar.
  12. Reality Check by BitZtream · · Score: 4, Interesting

    No one cares enough about your data to steal your password; so long as it's not so easy to guess that a random dictionary attack gets it real quick, then your 3 letter password of 'AAA' is more secure than most 6 letter passwords.

    Why? Again, because no one cares about your data. When you have important enough data that the employees really do need to know security, they'll also have enough intelligence to realize they need to be intelligent with their passwords.

    The problem with complex passwords is that idiots keep trying to force them on people who don't need complex passwords.

    Your password policies should be geared towards the individual security requirements of ... the individuals.

    Donna the secretary gets to use 'mydog' as her password, so does Chris the CEO, because he doesn't do anything anyway, he tells someone else to do everything.

    Igor the IT guy has strict password requirements, as do most of the accountants which have access to bank accounts directly.

    If you have one password policy for your organization, you are indeed retarded unless your organization consists only of yourself.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  13. Re:changing passwords frequently makes no sense by SCHecklerX · · Score: 4, Insightful

    Changing passwords frequently, as somebody writes below, leads to patterns, sticky notes on monitors, passwords kept in notepad files, etc. IOW, it MAKES THINGS LESS SECURE.

    It is the most ridiculous policy I've seen in this field.

    A better policy is:

    1) force strong passwords
    2) audit against weak passwords using cracking tools
    3) force a change of passwords when an incident occurs, or a person with a shared (ie: admin, root, database, etc) access leaves the company.

    Forcing constant changes does not make you more secure if the password is strong to begin with and good policies around sharing and disclosing that password are followed (and they are more likely to be followed if you aren't forcing users to change the damned thing every month). Users will also be able to REMEMBER their STRONG password. Imagine that!

  14. Best password ever. by trevdak · · Score: 4, Funny

    I set my password to "********". Eight asterisks. That way, if anyone ever cracks it or uses a keylogger or something, they'll say "What the hell? I still can't see it." If I need my password to be extra secure, I throw a few more asterisks in there.