Slashdot Mirror


The Case For Lousy Passwords

itwbennett writes "Since the Gawker and McDonald's hack attacks, the web has been overrun with admonishments against using weak passwords. But weak passwords have their place too, says blogger Peter Smith. Like, for example, on Gawker, where he really doesn't care if it gets cracked. 'Life is too short to be worrying about 24 character passwords for trivial sites,' says Smith. And, to put things in perspective, your good passwords are pretty weak too. In a 2007 Coding Horror article, Jeff Atwood points out that the password "Fgpyyih804423" was cracked in 160 seconds by the Ophcrack cracker."

24 of 343 comments

  1. Bad usernames too by alphatel · · Score: 4, Interesting

    Anytime I visit a site that wants a signup, I use a garbage email account, with the same username and weak password. If someone hacks my identity, it's not even "me".
    It's not as if the right to post or read is such a valuable commodity that can't be replicated next time you visit the site.

    --
    When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    1. Re:Bad usernames too by Anonymous Coward · · Score: 4, Funny

      Anytime I visit a site that wants a signup, I don't bother signing up.

    2. Re:Bad usernames too by zwei2stein · · Score: 3, Informative

      Ever heard of http://www.bugmenot.com/ ?

      It's nifty, use that instead ...

      --
      Technology for the sake of technology is as pathetic as eschewing technology because it's technology.
    3. Re:Bad usernames too by Anonymous Coward · · Score: 5, Funny

      Look it didn't even take me three minutes to crack his account.

    4. Re:Bad usernames too by eln · · Score: 4, Funny

      If none of these work, register an account with a throwaway email address (mailinator etc.) and share it on bugmenot and its clones.

      This seems like a good idea in theory, but it can backfire. For example, I used to use a particular email address for certain...less reputable sites. Since those sites occasionally do various email verification things, I had to check that email address every so often so I couldn't just throw it away. Over time, I started to use that address for more and more sites until I eventually remembered that address better than my actual email address. After that, it wasn't long before I instinctively started using it for *everything*.

      Anyway, long story short my primary email address is now midgetgrannyhorseporn@donttellmywife.org.

    5. Re:Bad usernames too by sideslash · · Score: 5, Funny

      Yeah, bugmenot is cool. I use it for my online banking.

    6. Re:Bad usernames too by stonewallred · · Score: 4, Funny

      So you are the prick that made me have to use midgetgrannyhorseporn22@donttellmywife.org.

  2. hard passwords just lead to post it's even more so by Joe+The+Dragon · · Score: 3, Insightful

    hard passwords just lead to post it's even more so if you need to change it all the time and can't reuse old ones or even parts of old ones.

  3. people write down hard passwords by alen · · Score: 4, Insightful

    One time I worked at a place where every 6 months they would randomly change your password to a random 8 letter string of letters, numbers and a special character. And your username was some cryptic combination of initials, numbers and department. Needless to say most people would keep a copy under the keyboard. Meanwhile the admins thought they were James Bond with their cool security.

    1. Re:people write down hard passwords by hey! · · Score: 5, Insightful

      Actually having a hard password and writing it down is not such a bad idea. It's leaving the password under the keyboard that's a bad idea.

      Look at it this way. That guy driving a Ferrari around town unlocks it with a key that *anyone* can use. It's reasonably safe, however, because he keeps the key in his pocket.

      Of course, wallets get stolen. So what you do is this: you generate a strong eight character password, print it on a laminated card and keep it in your pocket. You choose a memorable six character password and keep it in your head. Then concatenate the two to form your working password. That's poor man's two factor security.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  4. 160 seconds? Windows? Bad example by fahlenkp · · Score: 5, Interesting

    Why on earth are they mentioning how fast rainbow tables can break an old windows hash? That has nothing to do with most pages running apache on linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP. Get it worth their salt? Lololol. Anyhow why is the windows example being used in this article at all?

    1. Re:160 seconds? Windows? Bad example by Culture20 · · Score: 3, Insightful

      The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP.

      I'm sure you've noticed from your logs that brute force attempts are made from botnets now too? A lot harder to block.

  5. Unrealistic time to crack a password? by GreatBunzinni · · Score: 4, Insightful

    The Coding Horror article claims that the given password was "cracked" in 160 seconds with a cracker kit but it fails to claim that it is a brute force attack where the attacker has physical access to the system (the cracker software is a bootable DVD, for fuck's sake). Meanwhile, in the real world, this sort of attack is practically impossible to pull off from any site which has any semblance of security. I mean, you only need to place a delay of a fraction of a second between login attempts to drive the time needed to "crack" the login/password combo to months, if not years. Adding to that the fact that it has become pretty much standard for sites to simply block any login attempt after N failed attempts, this reference to this so called cracking software goes from irrelevant to pathetic.

    --
    Slashdot, fix your code or at least hire someone who is competent at it to do it for you.
  6. Passwords are stupid by betterunixthanunix · · Score: 5, Insightful

    Passwords are a very poorly designed security mechanism, yet no matter how many times this is pointed out, people still seem to think that the solution is to educate users about password security. Human brains just do not generate or remember random strings very well, and it is ludicrous to expect users to do so. Of course, passwords will always be around because password based systems are convenient.

    --
    Palm trees and 8
  7. Re:Password keychains? by mcvos · · Score: 4, Insightful

    And then you only need to figure out how to sync those various keyrings across multiple PCs, browsers, OSs and smartphones. Easy as pie, right?

    As you can probably guess, I use the same, simple password for every single web forum. I use complex passwords only for stuff that matters: my computers, my banking site, my PayPal account (until I canceled it), etc.

    What really pisses me off, by the way, is when sites want to restrict my choice of password. The most stupid example is my bank, which doesn't allow (most?) non-alphanumeric characters in a password. Then there are completely unimportant webfora that insist my password has to be at least 8 characters long and contain letters, numbers and non-alphanumeric characters.

  8. This is why... by RivenAleem · · Score: 5, Funny

    12345 has always worked for me, on every site I've used. Some sites require a 6, and some even 7 and 8. I've never been hacked once!

    I'd also like to add that I'm a giant douche and a poopy-head!

  9. Lots of bad password advice out there by ron_ivi · · Score: 3, Interesting

    This was one of the best password articles I've seen.

    I think the worst advice I've seen is when people recommend using some algorithm to make long painful "good" passwords that are variations of each other.

    Someone who uses:
          mysecr1tword4gawker.com
    for fun and
          mysecr1tword4mybank.com
    for their bank isn't that much safer than if they had just used the same password for both.

    Much better to use throwaway ones for sites like gawker; and truly random ones for banking.

    IMHO OpenID is the best idea. You only need to put your trust in 1 identity provider - where it's worth the effort to set up a good password and 2-factor auth (easy to do for $0 at myopenid.com, and for a few bucks at Verisign's openid provider); rather than needing to trust every site you come across.
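
The "same password with the site name spliced in" problem from comment #9, as an added example (not the commenter's code): given one leaked password and the site it came from, the attacker recovers the template and instantiates it for the next site; for contrast, an HMAC-derived per-site password (the approach used by tools like PwdHash) leaks no such pattern. The site-name forms, the sample passwords and the domain names are constructed for this example.

```python
import base64
import hashlib
import hmac

# --- Attacker side: recovering the pattern from one leaked password ---------

def site_variants(site):
    """Forms of a site name people splice into passwords. Constructed list for
    this example; extend it with other forms seen in leaks."""
    label = site.split(".")[0]
    return {
        "domain": site,               # mybank.com
        "label": label,               # mybank
        "Label": label.capitalize(),  # Mybank
        "LABEL": label.upper(),       # MYBANK
    }


def infer_template(leaked_password, leaked_site):
    """If the leaked password embeds the site name in some form, return
    (template, form) with the site name replaced by a placeholder; else None."""
    for form, token in site_variants(leaked_site).items():
        if token in leaked_password:
            return leaked_password.replace(token, "{site}"), form
    return None


def predict(template_form, target_site):
    """Instantiate a recovered template for another site: this is the guess an
    attacker holding the gawker.com leak would try against mybank.com."""
    template, form = template_form
    return template.replace("{site}", site_variants(target_site)[form])


# --- Defender side: per-site passwords that do not leak a pattern -----------

def derived_password(master_secret, site, length=16):
    """Per-site password = HMAC-SHA256(master_secret, site), base64, truncated.
    One leaked output reveals nothing about the output for any other site,
    unlike the substitution scheme above. Assumption for this example: a
    16-character base64 string is acceptable to the target site."""
    digest = hmac.new(master_secret.encode(), site.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


if __name__ == "__main__":
    leaked = infer_template("mysecr1tword4gawker.com", "gawker.com")
    print("template:", leaked)
    print("guess for mybank.com:", predict(leaked, "mybank.com"))
    print("derived gawker:", derived_password("correct horse", "gawker.com"))
    print("derived mybank:", derived_password("correct horse", "mybank.com"))
```

The derivation has its own caveats: if the master secret leaks, every derived password falls with it, and a single site's password cannot be rotated without adding a per-site counter to the HMAC input. A password manager holding truly random per-site passwords avoids both, which is what the comment recommends for banking.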

  10. Re:hard passwords just lead to post it's even more by Vanderhoth · · Score: 3, Informative
    I would assume he meant "post it's" as in people just write all their passwords down and stick them all over their PCs

    Punctuation would have been useful

    hard passwords just lead to post it's. Even more so if you need to change it all the time and can't reuse old ones or even parts of old ones.

  11. Ophcrack by Kiaser+Zohsay · · Score: 3, Insightful

    If "Fgpyyih804423" had at least one non-alpha-numeric character in it, it would have survived at least the free download ophcrack.

    --
    I am not your blowing wind, I am the lightning.
  12. Re:Password keychains? by clone52431 · · Score: 3, Insightful

    Yeah, I just registered an online banking account and their password requirements were 8-12 characters, no special characters.

    WTF people?

    But then they use security questions as a second line of defense, which is just another password, and a much longer and therefore stronger one at that (if it’s done properly – which most people don’t do, of course). Now, hopefully they’d require someone logging in from an unrecognized IP address to pass a security question...

    --
    Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
  13. Lastpass by defaria · · Score: 5, Informative

    In a word - Lastpass. 'Nuff said.

  14. Re:Password keychains? by horatio · · Score: 3, Interesting

    Then there are completely unimportant webfora that insist my password has to be at least 8 characters long and contain letters, numbers and non-alphanumeric characters.

    When I worked for a major university a few short years ago, they contracted our paperless pay statements and W2s to Talx -- who only allowed numbers in the "password". Super frustrating, and of course no one in HR understood why I had a problem with this. They may have gotten smarter since then, but doubtful.

    --
    There is very little future in being right when your boss is wrong.
  15. TFS Fail... by fuzzyfuzzyfungus · · Score: 4, Interesting

    The summary makes the incredibly naive and misleading mistake of conflating online trial-and-error attacks with offline hash attacks.

    Against a system you do not control, the system has total power over how frequently you may try a username/password combination, how informative it is about your success/failure (i.e. does it just say "no", does it say "wrong password", does it say "username not recognized"?), as well as being able to, if it wishes, just start ignoring all attempts from your IP/terminal or all attempts against a specific account (subject to the risk of denial of service techniques exploiting this). In this scenario, the difference between a terrible password and an OK password is enormous. 12345 or 'password' are quite likely to be simple enough to crack by trial and error, even against a remote system. Modestly more complex ones will either be impossible or require days/weeks of low-speed guessing, or careful guessing from multiple hosts.

    With an offline hash attack, you have total control over the hashes, and the only limiting factor in how fast you can attack them is your computer (and hash attacks generally parallelize really well). Here, the difference between a terrible password and a merely mediocre one will likely be less than the refresh rate of the attacker's monitor, and the difference between an OK password and a superb one will still be fairly small. Only a password so good that it is basically a nonstandardized type of private key will be of any use. However, offline hash attacks only happen against compromised systems; you can't get the hash table otherwise. They are an excellent argument for not re-using passwords, since systems get cracked all the time; but they are of only limited relevance in discussing the importance of password complexity, or lack thereof, for online attack scenarios...

  16. Re:Password keychains? by Red+Flayer · · Score: 4, Funny

    Tell them your mother's maiden name is ct!h0Zf&.

    I usually just tell them my mother's maiden name is cthulhu, and then the bank gives me all their money.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai