Passwords Are the Weakest Link In Online Security
Orome1 writes "It's not surprising to find that 79% of consumers use risky password construction practices, such as including personal information and words. The recent Gawker breach and a detailed analysis of breached passwords show undeniably that passwords continue to be the Achilles' heel of the average Internet user. This insecure trend sadly doesn't shift as 26% of users reuse the same password for important accounts such as email, banking or shopping and social networking sites while 29% had their own email or social network account hacked, and over half (52%) know someone who has had a similar problem."
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
cation rather than passwords. Clearly human beings are not going to make sure they are secure.
Use made-up words that come from your own brain. Let's see a brute-force script figure out a combination of seven to twelve letters and numbers that, other than as my passwords, don't exist anywhere besides in my head.
Of course, that's irrelevant in something like the Gawker breach, but still...
Living With a Nerd
Users are the weakest link.
Mod me down, my New Earth Global Warmingist friends!
Why not upon registration upload one's public GPG key to somesite and then, when logging in, have the server send a challenge (i.e. encrypted with the public key) to the browser/user, where you use your normal secret key and its passphrase to respond. Voila! One keyring to rule them all...
What will be truly newsworthy is the day when passwords / users aren't the weakest link in security. Until that happens, I'll stay in my underground bunker sipping on Ramen and playing tower defense.
"I'd just like to emphasise that taking a million years isn't a metaphor here..." -Rich Bradshaw
There's lots of buzz going around about the Gawker breach and discussions on how good/bad the passwords were. I looked at the websites that Gawker owned and most of them are tech websites, frequented by people that have some knowledge of security and computer systems.
I would assume that much of the readership is like myself. They know that access to their Gawker account is the most sacred and guarded of personal intrusions, and would thus treat security as the utmost important thing. My Gawker password was the ultimate in high security. It was a 280 character alpha-numeric password containing my social security number, all of my credit card numbers, my date of birth, my address, every password to every other website I use, plus all of my wife's data. That way I know that anyone who tried to crack my Gawker password could never do it, and all my information would be safe.
Wait, no, I got that backwards. Sorry, I used "cock" as the password for Gawker... probably. You see, if I were to log into Gawker, I would assume that the password was about as secure as writing it on the bathroom wall. In addition, I know my browser would remember whatever stupid password I typed and I wouldn't have to remember it for more than 30 seconds. Furthermore, if someone hacked it, and posted a stupid comment as "bullcrapgawkeruser222" I would likely neither notice nor care. If I did care, I would create "bullcrapgawkeruser223" with a password like "cockk".
Even more likely, if I ever commented more than once on any Gawker owned site, I probably just created a new account because I forgot I had an old one.
So, can we stop doing ultra-security analysis on what is probably a bogus set? Next I'm going to see an analysis on how insecure Masterlock combination locks are because the users don't use uppercase letters and punctuation.
Hang on, I have to look at my post-it note on the side of my monitor so I can remember all the 20 character complicated passwords for each web site I visit and secure application I use. Especially since I can't remember them as well since I started changing them every six weeks.
Passwords become pointless when you can't remember them and can no longer access the site/service/program that they were put there to protect. Passwords are pointless when you have to keep cheatsheets in order to 'remember' them (cheatsheets that can be stolen, copied, or lost; making it impossible for you to access what you need and possible for others to...).
Either some other method than passwords like those time based random PIN generator fob watchama-call-its we get to log into VPNs at some companies, or we just learn to deal with it.
-- I ignore anonymous replies to my comments and postings.
And I would say that it's even worse when you can't type your question. Too many people know my mother's maiden name, my first car, my high school -- and I assume much of this information can be had publicly as well. If I were to imagine trying to get this information on someone, I'd just call them or their family, pretend to be some High School Reunion Committee, and say "We are celebrating the class of 1987 at Shrub High" and they'd probably go "Oh no, I graduated in 1992 at Rose Garden High". Then reply "Oh really? I guess you're the wrong Joe Blow, I'm sorry for your trouble, thanks bye."
Multiple attack vectors over one secure password, ridiculous. I think GMail at least does the semi-sane thing and instead of security questions, uses a phone number to verify you if you would ever lose your password.
And that's what is needed, identity verification if the password fails. Not a cheap way to do that in an automated and very dumb way.
There was, also for years, really dumb advice such as to never write a password down. That is unrealistic given the number of passwords someone needs to know today and leads to using the same password again and again. Now, you don't have to write it unencrypted, you could use Rot13 or, even better, some other code of your devising -- but it's better than keeping all this in your head in this day and age.
It doesn't help that some sites restrict the character set and length of passwords.
Input 25 character password: "Error: password must be between 6-14 characters"
Input 8 character password with % and ] in: "Error: password can only contain alphanumeric characters"
__wHY&the&f**k]]can"t this l_i_n_e b3 m~y p45sw%rd?!__!?
Every time I need a password, I either beat out a spastic smattering of letters and numbers, or dream up a weird phrase, and use the first letters, with a few of them converted to numbers.
I'm fine, as long as no one gets to my written log of all those passwords. If that happens, I'm screwed.
I refuse to create any password that has the vaguest connection to anything. Which seems apt for today's disjointed world.
To gain entry into the last datacenter I worked at I needed a cardkey to get through the first door (something I have). I then had to have my hand scanned at the entrance to a man-trap (something I am). Once inside the man-trap with the door closed I again had to scan my hand and then enter a PIN onto a keypad (something I know). Only then did I have access to the datacenter floor.
Doing two of these on the web should be fairly easy. Companies like eBay & Paypal have tested RSA SecurID fobs as a security token, but in this day and age where so many people have smartphones then using it to generate security keys should be very easy. I already have a Verisign app on my iPhone that generates a random key every 60 seconds like SecurID does. Unfortunately not very many websites support it. I wish more would. And I have no idea how something like biometrics could be applied to the web...
Often times the ridiculous password requirements that are imposed on some networks only force users to have to write the password down and keep it someplace close by. If all I have to do is lift up the keyboard to find a sticky note, your 12+ character alphanumeric with special characters password that changes every month becomes no more secure than "12345".
I don't have the best memory in the world, but I'm no moron either. I've resorted to using a password safe program because between work and personal life I'm expected to remember literally hundreds of passwords (now they're in a password manager I can count them). Guess what? Even with the safe I continue to use a couple of "low security" passwords for certain activities. That means most things at home I can work out remembering only about a dozen passwords. Work's a different story...
These posts express my own personal views, not those of my employer
Okay, a vulnerable email account can lead to compromising other accounts, banking and shopping sites can cost you money... since when is Twitter or Facebook an "important" account in the same category as your bank account!?
Bogtha Bogtha Bogtha
Humans are the weakest link. Humans want to exploit dominate and win against other humans. That goes double for the ones that already have obtained power and control.
That "detailed analysis" of the Gawker breach needs to be stricken from the web. The passwords that were decrypted were the easiest passwords in the set for the most part. That's why they were able to decrypt them. They were in dictionaries or their hashes were already on lookup tables. Then some joker takes those decrypted passwords and acts as if they are in any way representative of the rest of the passwords that could not be decrypted.
Idiotic.
1 (short ton / firkin) = 89.1432354 slugs / keg
I wrote SHA1 Pass and use it everywhere. Feel free to modify or implement it yourself: http://16s.us/sha1_pass/
Password expiration is the biggest problem, people have to remember several passwords at work that change constantly because of some misguided policy.
I wish I could work in a land where I could keep my password as long as the admins hadn't cracked it. As soon as they crack it my password expires. They would get to try each person's account 1 time per minute, so they could get through a basic dictionary attack in a matter of days. The stronger the password, the longer it lasts.
YOU are the weakest link. Good bye.
I give my clients a swap list (1=i, 3=E, 4=A, 5=S, etc...) and ask them to swap at least 2 alphas for numerals of their fav passwords, add a random cap and make it 9+ characters. We do a couple examples with words/phrases of their choosing. Most actually catch on quickly when they feel involved in the process...and a little L337. Changing passwords doesn't have to be like pulling teeth.
Goodbye '57 chevy', hello 'Ch3vy83l41R'.
Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
I recommend using KeePass on Windows and KeePassX on Linux. I carry my passwords around on a USB stick. I use a password I can remember to access the password database. That wouldn't be too hard to crack, but first the cracker would need to steal the physical stick. KeePass generates nice long unmemorable strings of random characters, so attack without stealing the stick is tough.
One word of warning: one oafishly implemented site I registered with silently truncated the 20 character password I pasted from KeePass to 12 characters.
Who cares about their password security on Gawker's sites and others like them. I personally use the crappiest password I can remember for stuff like that. Just keep that password away from your email and bank account. If you feel the need to have an ultra secure random 25 character password to protect your Paris Hilton article clippings security is the least of your problems. On the other hand if you use your gawker password for your bank account also security is the least of your problems.
So, since they are an annoyance and don't give users any tangible benefits, you shouldn't be surprised when users choose their passwords so they require the least amount of effort: either to remember or to enter. As for enforcing rules to require users to change them regularly - you might as well forget it. All they'll do is take their core password and add a number onto it - I know: that's all I do.
Passwords have been in effect since the beginning of multi-user systems: what? 50 years or so. Surely in all that time the world could have come up with something better, easier, more reliable and keyed to the user rather than the piece of paper all the passwords are undoubtedly written on.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
We have discussed this ad nauseam - still nothing gets done. We have way too many passwords to remember. We have way too many different password policies to follow. What is a valid password on one site is not at another. It takes too much time to look up a password you have "written" down and you need a separate password to get into the list! That supposes you have the list with you when you need it. Today the internet is mobile and not just used at home or at the office. Additionally, there are sites whose compromise could ruin you financially or ruin your reputation and sites where compromise doesn't matter. So most resort to a few easy to remember passwords, phrases or algorithms and these are probably easy to crack.
It's not clear what could be done. An RSA key fob and biometrics need a reader. You have to remember to have the fob with you. The blind can't read it. All this costs extra.
Passwords may be the weakest link, but they are not the most common attack vector because what they are protecting is of minimal worth. The most common attack vector is exactly what we have seen here: someone uses CSS/default password/other vulnerability and grabs the whole database. It's certainly sensible to keep good passwords on e-mail and financial accounts, but even there I'm much more worried about the backend being hacked than someone trying to brute force my password.
If anything, situations like the Gawker security breakdown make me less likely to put effort into creating/maintaining passwords. It seems to me like accounts are more likely to be hacked by means where the hacker has your password, no matter what it is. For example I had my Warcraft account hacked, and the password I used was 10 characters and a mix of random symbols numbers and letters. The reason it was hacked was because a trojan found its way on to my system through a new, infected USB stick. I don't really see why any hacker would sit there and try and brute force their way into a single account without already knowing the login/password by some other means.
This isn't news. It's common sense. Of course people and their passwords are the weakest link. Same thing in physical space. You can have the best lock in the world, but if you make copies of the key and are careless with them you'll get robbed.
Nothing is more annoying than someone who starts a sentence in the subject and finishes it in the body except maybe someone who starts a WORD in the subject and finishes it in the body.
It doesn't matter what your privacy settings are. I would bet money that you could get access to 99% of Facebook targets' info by following that pattern. Social networks are practically designed for social engineering hacks.
as long as they're used correctly, both by the user and the system, and that they correspond to the amount of security a particular system requires. That includes the usual refinements such as salting, proper storage, moderate to high strength, etc. Saying that passwords are weak is like saying that hammers are dangerous. Tools, when used properly, will do the job.
I've used an online banking system that required entering a password, selecting an image and answering a question before being able to log in. These three systems in themselves are not particularly foolproof, but used together (and correctly) make for good security. Other systems also include a hardware token.
Exploits exist for routers and firewalls. Put more than one layer and getting in gets more difficult. Passwords are only one of many security schemes that exist and not all systems require the same amount of security. I'm quite happy slashdot doesn't need as many security elements as my bank does to log in.
When articles about passwords come up, the usual rant is mostly against users choosing weak passwords or writing them down. In cases where the security of an account is compromised, the user, that is, the customer, should never be blamed. It is the responsibility of the system to pick a suitable security scheme, enforce it and take all possible measures to avoid leaking the data. Blaming a customer for choosing hunter2 as a password and getting hacked is ridiculous. It's like blaming the customer for "excessive bandwidth" while using their 100Mbit/s line. Users will take what you give them.
You want strong security? Implement it. You don't need it? Stick with passwords.
Stop blaming the users.
"Genetic bum print accepted activating Poop-chute."
http://en.wikipedia.org/wiki/Zeroman
combination codes are the weakest link in bank vaults.
Yesterday our admins changed our wireless access from WEP to WPA in order to make our connections more secure - sadly the password we have been using for over a year stayed the same.
I went to battle M.C. Escher, but drew a blank.
Again, in a world - Lastpass!
How many places do need a login? Websites, computers, programs, ...
If all websites would use openID, that would solve already a lot. However many places give me my login and then ask me to change that every month. At work every first day of the month I change all my passwords. That takes me about 20 minutes.
So I have several passwords depending on level:
1) Generic websites. Lowest security level (e.g. Pa55word)
2) Work related. These will change every month and will include some sort of year/month where only that part changes (e.g. 10Work12 for this month)
3) Provider related password for email and connection (Reused semi-random 8 character password)
4) Personal password for local system and openID and banking (Reused semi-random 8 character password. Different from 3)
5) Secure password for encryption, ssh and the like (Loooong semi-password of at least 16 characters.)
So the moment I am forced to change passwords where I first used 3 or even 5, I will go back to the less secure 2.
The main problem is that each security person treats their security as if they are the only one and treats security with the standard error: solving a social problem with a technical solution. It is very hard to explain to people that changing passwords every month will LOWER the security.
It is the nature of people to find the way of least resistance and as long as security people do not understand that, nothing will change.
I sometimes feel that it is not about security, but about reliability. Reliability is moved from the IT department to people who do not understand security, because they 'did something' and now it is not their issue anymore. That is why they also look only to the security of 'their' system and not at security as a whole.
Don't fight for your country, if your country does not fight for you.
If you're using real, common words and phrases and just transcribing them to 1337, I'm pretty sure there are password cracking tools out there to account for that.
I use pwgen. It is much better at generating truly random strings than I am.
Keep it with your credit cards and cash.
me too, but I refuse to write them down, exactly for the reason you mention.
posting as AC, having a little logon problem at the moment.
paranoid253 (aka paranoid1 - 252)
People nowadays have on average 15 passwords they need to memorize. E-mail accounts (work and personal), ATM pin, bank web accts, shopping accts, etc. Chances are you can't memorize 15 different ones, so they are the same password or very close variations. More likely you use 10 of those accounts on a daily basis and the other 5 on an occasional basis, so those 10 you may get away with memorizing because you use them often. But those other 5, you probably forget what they are if they were totally unrelated passwords. This doesn't even give credit to all the people (which is the majority) that set their PCs/laptops/smart phones to memorize the password, so they shave the extra 10-15 secs of typing username and password. Which when they need to change the password and need the current password, they won't remember.
Now, you're telling us we are not secure because most of our passwords are similar or same, but the same lecture about how dangerous if we write the information down anywhere (on a piece of paper/notepad file) because the majority of us do not have the memory of an elephant.
Here is a quick and easy method for generating passwords on a Linux system. Just open a terminal and enter the following command:
openssl rand -base64 20 | tr -d '/' | cut -c1-X
Substitute the final "X" with the number of characters desired (e.g. 12, 16, etc.).
This will produce very strong passwords that can be pasted into any application. The only remaining problem is remembering the password, but most browsers provide a method for storing and retrieving the passwords that are used for on-line accounts. Otherwise, a simple text file can be used for storage and retrieval.
There is no excuse for using weak passwords.
I'm facing more restrictive password policies at work every day. Some expire every 14 days. Some require that they start AND end with an alphanumeric character, include a symbol from a short list of acceptable symbols, upper and lower case characters, and be 8-11 characters long. These restrictions broke my normal conventions. I'm pretty much forced to keep a cheat sheet of hints to my passwords. Today I have 11 unique passwords shared among 22 different systems comprising 32 different hosts and services. That's just work. I'm required to change at least one password 4 out of 5 days a week. Some of these require me to use unique passwords, not using any of the 5 to 8 previous passwords. Some deny using duplicate sequential characters, some any duplicate characters, some deny using specific words, one denies using any character that is in my master employee ID (8 chars, 1 alpha & 7 numeric), and some restrict using the same password as other systems that use the same authentication server - yes, our SSO server is no longer SSO, depending on the service it is supporting. They still call it SSO. Perhaps 5 of these systems permit me to recover my password by resetting it via a process or phone call. Two of them require management approval for a password reset. One, the magic one, requires me to get upper management approval for resetting a password, and this system will expire my password if I don't log in before the periodic change period expires. This password expires every 30 days, and I need to use it every 30 days. Yup, I make a note to log in mid-month to keep it alive. Most users only use it monthly, and it is designed that way. Several services delete my user account if I let a password expire, requiring a new user ID setup. I also have to watch for my access being denied due to any of various initiatives, Sarbanes-Oxley regulations, arbitrary system resets, etc., but that's just corporate policy. The weasels think they are winning.
No fix is in sight. This company is proud of their record of zero breaches ever. But I spend a noticeable amount of time managing passwords, and am delayed in work by failed authentication. Security for my position is becoming an impediment to work. I am in a relatively unique position, requiring a lot of access to several different systems, and combinations that bring me to the attention of our Corporate Lawyers occasionally, and I'm not even doing anything wrong, just my job. I'm not proud to say I've never looked up sensitive data out of curiosity. If I got caught, it would be my dismissal. And they watch specifically for that stuff.
For my personal business, I have only 7 specific payroll, banking, or healthcare sites I need to maintain passwords for. Some expire, some don't. Some require specific rules, some don't. Two of them show me their score for relative strength of the password I'm trying to use.
Then I have all the other stuff. I easily have 30+ logins to various technical and social sites, probably 50+. Some I don't use for years. I use a lot of conventions to manage them by role and relative importance to me. Don't get me started on usernames.
My only, ONE AND ONLY password breach was thanks to my lovely wife, who was too lazy to change the Facebook page to HER signon, and clicked away on a bunch of quizzes, tests, free stuff, and finally an auction link. eBay had me down to buy a bunch of stuff and I got the emails confirming it. I cancelled them all with eBay's help, they tracked down the offending user which was pointless as they don't exist, and I avoided bad feedback and PayPal problems. Looks like the seller was creating fake buys to get feedback and enhance their rep enough to attract more willing victims. My wife was shocked. Then she was angry with me. Then she started playing Farmville. I got her a computer of her own. Grrr...
Passwords are not enough. My home notebook has a fingerprint scanner I use, wish I could teach it some tricks. I use a couple of password keyrings online, but not for everything. I'm using OpenID more, but I can't yet see the value.
We need something better. Fingerprint scanners or camera-based something that isn't fooled by a photo.
deleting the extra space after periods so i can stay relevant, yeah.
My passwords are easy to remember when you know the trick, but look like a big, incomprehensible string of letters numbers and special characters. Good luck trying to bruteforce that!
Clearly the weakest link is website administrators without the common sense to use encryption, and those who do encryption wrong. Is it really so hard just to generate a random salt for every password and store it along with a salted hash? And I'm not even talking about the fact that you can't even know what the website's intentions are. For all you know, they could be storing it in plain text and harvesting it for id theft.
So the best plan is to have unique passwords for every little site/service/forum which requires registration you ever use. Another method is to have separate tiers of passwords for important and less important things. Both are a hassle.
Passwords: Convenience, Security. Pick one or suffer in both.
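The per-password random salt the post above asks for, and the reason it defeats the lookup tables mentioned in the earlier Gawker comment (two users with the same password get different stored values), as an added example written for this page rather than any site's real code. It goes one step beyond a plain salted hash by using PBKDF2-HMAC-SHA256 as the hash; the iteration count, the record format and the sample password are this example's own choices, not anything from the page.

```python
import base64
import hashlib
import hmac
import os

# Assumption: a slow, iterated hash; the count is a constructed example value.
ITERATIONS = 200_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt is drawn for every call unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, _b64(salt), _b64(digest))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def unsalted_sha1(password: str) -> str:
    """What a lookup-table attack relies on: identical input, identical output, for everyone."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample password (the one the thread jokes about).
    alice = hash_password("hunter2")
    bob = hash_password("hunter2")
    print(alice != bob)                        # same password, different records
    print(verify_password("hunter2", alice))   # True
    print(verify_password("hunter3", alice))   # False
    print(unsalted_sha1("hunter2") == unsalted_sha1("hunter2"))  # the lookup-table problem
```

Storing the iteration count inside the record is what lets a site raise the work factor later and re-hash users on their next successful login without a flag day.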
Maybe a better way is to have every user generate their own certificate (simplified compared to those currently in use in other areas) based on a passphrase. The user could easily generate it again if lost, or maybe even on the fly during authenticating, or generate a new one if he needs another identity. Others will not be able to authenticate as the intended victim without a matching certificate. But for this to work it would have to be able to be integrated into the OS and/or websites in a way that is easy to use.
Does anyone else find it ironic that they're using information obtained from a cracked server to determine that the weakest security is the password? Anyway, I think the passwords are only weak because the users get to choose them, and *users* are the weakest link in the security chain.
Check out my sysadmin blog!
Here's an excerpt from an article I wrote for my law school's paper about online security w/ some suggestions about passwords. (I doubt there's any interest in the whole article but here's the link if you are for some reason: http://law.gsu.edu/thedocket/node/519 )
-----
1) Stop using the same password for everything. At a minimum come up with a base password and then append (or prepend) it with something unique for each application. If your base password is "fido" then for Twitter you could use "fidotwit" or "twitfido."
2) Don't use "Fido" as your password. One of the most common passwords is the name of the user's pet (Paris Hilton's Sidekick was hacked because the cracker knew her dog's name was Tinkerbell). Teenage guys often use the type of car they drive. Parents often use the names of their children. Law geeks often use the name of their favorite Justice.
3) Change your passwords occasionally. Just because you haven't noticed anything amiss doesn't mean that your emails aren't being accessed. If you have a base password of "fido" (which you won't because you're faithfully adhering to #2), you might change it to "fidomarch2010."
4) Avoid dictionary words (even non-English words). One fairly simple technique is to come up with a phrase that has some meaning to you and then use the first letter of each word. "I love taking Fido to the park when it's sunny" becomes "iltfttpwis" which could be used as your base password. Applications that allow you to use upper-case and lower-case characters as well as numbers and symbols exponentially increase the complexity of your password. "I love taking Fido 2 the park when it's sunny!" then becomes "IltF2tpwis!" and you have a fairly robust base password; when combined with a variation for each site and occasional changes you should have a decent password system.
JAGga.me ----> Producing video games addressing emotional health and wellness issues affecting teens.
It was recently reported that the sky is BLUE and the Earth is NOT FLAT!!! File this under "DUH!"
Encryption: I may not agree with what you say, but I will defend your right to encrypt it...
Why not a universal authenticator? At the very least, I could see a common system setup by the banks here in North America allow the use of any debit card to work on almost every debit machine.
I'm not sure why my video game character is the most secure bit of digital data I have.
My students using 300 nodes of a computing cluster were able to crack 57K DOD spec passwords (7 characters, upper, lower, symbol, number) in a few hours (Windows 2003 enterprise server). The goal was to crack 450K passwords in 24 hours but we had to call off the last run due to finals. Nothing about this project was hard. Using F/OSS and a lot of computing cycles cracking them was a piece of cake. Simple two-factor authentication is horrible. Especially when you give up the userid as an email address, or use a standardized naming scheme. Yes this would have required basically physical access to the server. Still as a test with enough horsepower and some tuning you can break even tough passwords quickly. We were basically trying to up the ante on a previous example where a person did 400K passwords in a few months using commodity hardware.
--- Location Unknown
The right responsible thing for website and application developers/owners to do is NOT allow users to create their own passwords. Generate one for them.
But that doesn't mean the passwords have to be hard to remember. Four randomly chosen 3-5 character words from the standard 25k word dictionary on Solaris is identical in strength to an 8 character purely random password that uses all possible keyboard characters (26 lower case, 26 upper case, 10 numbers, 12 special characters). Three of those is identical in strength to a 6 character password, which is certainly far more secure than 95% of the stuff I see people using, even "professionals".
ex: fuse larva elite scare
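Two generator approaches appear in this thread: the openssl one-liner a few comments up (random bytes, base64, drop '/', cut to length) and the random-words scheme in the post above. The following added example, written for this page and not taken from any post, does both with Python's `secrets` module and computes the strength of each as `k * log2(N)` bits, on the assumption that every character or word is chosen uniformly at random. The 12-symbol set and the small word list are constructed here because the page does not list which 12 symbols or which 25k words were meant; `load_wordlist` reads a system dictionary if you have one.

```python
import math
import secrets
import string

# Constructed 12-symbol set so the alphabet has the 74 characters the post counts.
SYMBOLS = "!@#$%^&*()-_"
CHARSET = string.ascii_lowercase + string.ascii_uppercase + string.digits + SYMBOLS
# base64 alphabet with '/' removed, as the openssl | tr -d '/' pipeline leaves it
BASE64_NO_SLASH = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+"

# Constructed stand-in for the 25k-word dictionary; see load_wordlist for a real one.
SAMPLE_WORDS = ["fuse", "larva", "elite", "scare", "apple", "brick", "cloud", "dust",
                "ember", "flint", "grove", "hatch", "ivory", "jolt", "kiln", "lunar"]


def entropy_bits(alphabet_size: int, count: int) -> float:
    """Bits of entropy for `count` independent uniform picks from `alphabet_size` options."""
    return count * math.log2(alphabet_size)


def random_password(length: int, alphabet: str = CHARSET) -> str:
    """Purely random characters, drawn with the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def base64_style_password(length: int) -> str:
    """Python equivalent of: openssl rand -base64 N | tr -d '/' | cut -c1-length.
    Padding '=' is dropped too, so every kept character is one of 63 values."""
    import base64
    out = ""
    while len(out) < length:
        raw = base64.b64encode(secrets.token_bytes(20)).decode("ascii")
        out += raw.replace("/", "").replace("=", "")
    return out[:length]


def random_passphrase(words, count: int, sep: str = " ") -> str:
    """The post's scheme: `count` words picked uniformly from `words`."""
    return sep.join(secrets.choice(words) for _ in range(count))


def load_wordlist(path="/usr/share/dict/words", min_len=3, max_len=5):
    """Read a system dictionary, keeping the 3-5 letter lowercase words the post describes."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        words = {w.strip() for w in fh}
    return sorted(w for w in words if w.isalpha() and w.islower() and min_len <= len(w) <= max_len)


def compare_strengths(dict_size: int = 25000, charset_size: int = len(CHARSET)) -> dict:
    """Bit counts for the four combinations the post compares."""
    return {
        "4 words":  round(entropy_bits(dict_size, 4), 1),
        "8 chars":  round(entropy_bits(charset_size, 8), 1),
        "3 words":  round(entropy_bits(dict_size, 3), 1),
        "6 chars":  round(entropy_bits(charset_size, 6), 1),
    }


if __name__ == "__main__":
    print(random_password(12))
    print(base64_style_password(16), round(entropy_bits(63, 16), 1), "bits")
    print(random_passphrase(SAMPLE_WORDS, 4))
    print(compare_strengths())
```

The bit counts only hold when the picks really are uniform and independent; a word list the user trims to favourites, or a "random" string typed by hand, has far less entropy than the formula reports.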
Question -- why doesn't Firefox or Windows or Linux come with a little application that GENERATES a secure password for the user? Why do people who make operating systems and Browsers expect USERS to generate passwords themselves, and then you wonder why they are so insecure?
In my professional opinion -- the professionals are to blame.
*** WHERE is an average user supposed to get a properly generated secure password? ***
Linux has a perfectly good random number generator based on proper entropy collection, does Windows? Unfortunately, neither is usable as is by an end user. Don't point me to some idiot website run by who knows who. Unless someone big like google or yahoo has an SSL page that I know I can trust to have done it right and/or not be tracking IPs and passwords for later exposure.
(Disclaimer - I am a professional, and in the small company that I work at, I've been slowly eliminating all of the "luser generated" passwords for quite some time now, and forcing them to use ones that have been properly generated.)
The second thing to do would be to get things like OpenID working and make users aware of them, do things to encourage them to use it. Unfortunately I tried to use OpenID myself (as a user) a year ago -- and I was *really* unhappy with how hard it was. There's no way in hell I can recommend friends and family to use it. There are huge usability problems with it IMO. It requires way way too much expertise and willingness to screw around.
We need something conceptually simple to USE, but that still doesn't present a single target that would result in all of the end user's accounts being violated if a single site is penetrated. This is an exercise left to the reader. :)
This is why we should be having real discussions about standardizing on better authentication methods (OAuth, etc.) and multi-step auth instead of passwords. I personally think password + hardware (phone / SD / etc.) + retina scan would be a good base to run an auth server off of. I also think identity should be in the browser (see sig).
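An added example (not the commenter's code) of the generator the comment asks for: it draws words with the OS CSPRNG and computes the entropy of the word scheme and of the random-character scheme, so the comparison can be checked for any dictionary and character-set size. The word list is a constructed stand-in for the Solaris dictionary; the 25k and 74 figures come from the comment.

```python
import math
import secrets

# Constructed sample word list; it stands in for the ~25k-word Solaris
# dictionary the comment mentions. Any list of distinct short words works.
SAMPLE_WORDS = [
    "fuse", "larva", "elite", "scare", "apple", "brick", "candle", "delta",
    "ember", "flint", "grove", "hatch", "ivory", "jolly", "karma", "lemon",
    "mango", "noble", "oasis", "pearl", "quilt", "raven", "slate", "tulip",
]

# Character set from the comment: 26 lower + 26 upper + 10 digits + 12 symbols.
CHARSET_SIZE = 26 + 26 + 10 + 12


def entropy_bits(alphabet_size, length):
    """Bits of entropy in `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def equivalent_random_length(word_count, dictionary_size, charset_size=CHARSET_SIZE):
    """Smallest random-character length whose entropy is at least the passphrase's."""
    bits = entropy_bits(dictionary_size, word_count)
    return math.ceil(bits / math.log2(charset_size))


def generate_passphrase(words, count=4):
    """Pick `count` words with the OS CSPRNG (secrets). Repeats are allowed,
    so the entropy is exactly count * log2(len(words))."""
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    return " ".join(secrets.choice(words) for _ in range(count))


def compare_schemes(word_count=4, dictionary_size=25000, char_length=8):
    """Entropy of a word passphrase vs. a random character password."""
    return {
        "passphrase_bits": round(entropy_bits(dictionary_size, word_count), 1),
        "random_chars_bits": round(entropy_bits(CHARSET_SIZE, char_length), 1),
        "chars_needed_to_match": equivalent_random_length(word_count, dictionary_size),
    }


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print(compare_schemes())                               # four words vs 8 chars
    print(compare_schemes(word_count=3, char_length=6))    # three words vs 6 chars
```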
Put identity in the browser.
This is why you don't use simple passwords.
You use an epic passpoem, detailing the life and works of seven mythical Norse heroes.
o/~ Join us now and share the software
It would help if Slashdot didn't limit the subject line to something ludicrously short. I've often had to resort to continuing the subject line in the body, because I couldn't come up with something sufficiently pithy for Slashdot's subject line policies. I have to admit, though, that breaking a word between the subject line and body is a crime against nature.
I've got maybe 12 or 15 keys on my ring, all bound together to form one not too large of an object. It's easy to keep track of where it is and keep watch over it. But if my key ring had several dozen keys on it, and if I had to take keys off the ring and hand them to someone else to get various doors open, and oh by the way, I had to make the keys myself (with more secure keys being larger, heavier, and more difficult to make than less secure keys), then you'd see the same problems with physical keys as you do with passwords.
The problem is less that people don't understand the concept of secure passwords, and more that developing and remembering secure passwords for the myriad of sites people use is very difficult. I personally understand the concept quite well, and yet I reuse a handful of passwords over and over... because I simply can't remember a secure password for a site that I might visit once or twice a month. I've recently thrown up my hands and bought a copy of 1Password, because I just can't keep track of all the passwords I'm expected to.
Security 'experts' who have come up with the idea of 'security questions' that can often be answered just by Googling a person. ...Unless, of course, one is smart enough to use false information. My mother was indeed the Queen of England, and my first car was the HMS Victory. *nods*
OK, so that's password no. 1.
Most people need 20, maybe more by the time they have all their online utility bills, social media, work accounts, banking accounts, etc. Some of these have specific formats you have to follow (6-8 characters, 6-12 characters, at least one upper and one lower case letter and a number and a non-alphanumeric, etc).
So now try and hold all 20 of these in your head with these different formats. And probably some of these have to be changed every three months or so (e.g. decent work passwords).
This is the big problem: the number of different passwords in varying formats that people have to remember, and change on occasion to fit in with the security systems.
If everybody only had to remember one password, this would not be the security issue that it is.
... in these people's lives? While I'm not the world's biggest geek, I'm far from a non-tech user, and I can't keep my logon details straight either. I use dozens of secured websites, each of which has slightly different rules for constructing the username: is it my e-mail address? Which e-mail account did I use? Or is this the one that allows underscores but not periods? Was this the site where I could only have a 9 character username... etc. Passwords are just as bad: is this the site that limited me to 8 characters, or the one that required 15 characters including 1 lowercase letter, 1 uppercase letter, 1 number, and 1 special character?
Sure, there are a lot of dumb people out there. But remembering all these usernames and passwords is legitimately hard.
My favorite: web sites that force on you a password that's so ludicrously complex that there's no possible way to remember it, and then allow you to recover/reset by providing your mother's maiden name. There's one site I have to use a few times a year that I literally have to reset the password every time I use it, because the passwords are so ludicrous that even if I could remember them, I'd practically never actually be able to type them without making an error. But that's ok, because I (or anyone else) can just get access by knowing my mother's maiden name.
I used to have one bank account and every time I logged in it had a login, pass phrase, password, and icon with no alt text that required a one word description to validate me. That was very strong and very annoying, it took about 5 minutes to login and frankly I just don't have that much money. "We" really need a new way to validate our usage. I don't remember George Jetson, Nero or Han Solo having these kinds of problems. When will then be now?
I do not play in the middle of the road
I provide basically zero contact data on mine. Because after all, do you really trust Zuckerberg with your personal info? If people find me on FB and want to contact me, they can send me a Facebook message.
While scanning 300 responses do I really want to have to work through 300 wordy "sentences"? Pithy is good..
Have you fscked your local propeller head today?
My generic password is my sigma 9 mainframe account number from 1980.. but then on each site I use it, I add a suffix that's easy to remember. Having spent so many years typing the first part, the 2nd part is usually easy to guess even if I forgot it.. But the end result is that if someone gets a password to one of my accounts, it won't work on another account. Although having the first part the same for many passwords is weak, I find it acceptable security..
Cause of Gawker and Rockyou leaks: compromised servers. Total accts compromised because of security pros: >= 32 + 1.2 million. Total accts compromised because of users: X. Before we launch yet another round of blame the user don't we need to show that X is greater than 33.2 million?
OpenID?
A definitely non-trivial problem is that different sites have different acceptable passwords. Some don't like special characters. Some don't like 12 characters.
+1 PKI
So now all I have to do is remember four randomly chosen words... for each of the dozens of websites I use that require a password. That'll be no problem.
Look, the users may be dumb, but that's only part of the problem. Even if all users were as smart as you, no one can remember the 20 or 30 passwords required just to go about your normal life on the web, especially when you consider that you don't use all of them on a daily basis. And there are no really good tools to help you keep your passwords straight. As you say, OpenID has issues. I recently purchased 1Password for the same purpose, and it's been excruciating - trying to change a password to something secure, and then have 1Password remember and be able to accurately fill the password into the website has been incredibly painful, particularly when there's anything not absolutely standard about the way the website handles password entry (I just spent no less than 15 minutes trying to change my online bank password, requiring multiple rounds of "I've lost my password" with the site, because to change your password you have to go to a different page than the login screen and 1Password was unable to figure out how to match the order of entries on the "change password" screen to that on the logon screen).
The situation as a whole is just a mess, and it's not fair to blame all of it on dumb users.
Sure, but typically you don't have the option of scanning 300 pithy subject lines. In reality, what you're going to get is a whole lot of subject lines continued in the body. Wouldn't it be better to just give people another couple of words?
For me, that location is in a password protected Word file buried deep in a directory structure on a USB flash drive that is always in my pocket. That way, I only have to remember one password. The others I may or may not remember (generally do after a few uses), but if I don't I can always recover them.
“Any society that would give up a little liberty to gain a little security will deserve neither and lose both.”
"26% of users reuse the same password for important accounts such as email, banking or shopping and social networking sites." Since when have social networking sites been important? Ditto shopping accounts. Those are only important if they store your credit card details, and most of them will let you opt out of that. Even email, I'd only consider one of my personal accounts important. The rest are glorified spam-traps. It's not terribly easy to memorize unique, complex passwords for every single web site you visit that demands enrollment. Most people toss off the same cruddy credentials for everything not deemed important. Short of a password database, it's the only practical solution. Protect those accounts that grant access to your money. The rest, don't bother securing them unless it's a problem.
Support more choices in government-Vote 3rd party.
...then all interactions with the site might be like an SSH session, but what a pain to set up!
Uh, Linux geek since 1999.
Then the keystore would be organized as a hashmap of [loginURL,key]
That way each site was secure with a separate authentication key for each site to securely visit.
As always, the worry then would be to keep the browser from getting compromised by malware that would try to steal the keystore of a user.
It would be a pain to maintain, as a user would have to export the keystore and distribute it to each computer they used to access such stuff....
Absolutely correct. And then try being a webmaster. I have over 75 accounts with passwords for control panel, ftp, site admin, database, etc, etc, etc. My Firefox password store has over 500 passwords saved in it.
“In theory, theory and practice are the same. In practice, they are not.” -- Albert Einstein
Here is a video I did for people who can't remember passwords or use extremely weak ones. This is meant for the Average Home User. http://www.youtube.com/watch?v=_6ACcIGuFhw Passwords seem to be a problem for everyone, either remembering them or using something extremely simple. And of course not remembering them either.
> ...passwords continue to be the Achilles' heel of the average Internet user.
This just in from the No Shit News Network: Water is wet, it gets dark at night.
The worst part is the response to this kind of thing... Propeller-heads around the world will set their Password Service to require more complex content, such as 14 punctuation marks, etc.
Personally, as a published expert on this subject, I think that is the worst thing to do. The problem is, that as more sites "tighten" to stronger content, people start to write them down and that's far worse... Lose the little black book or the iPhone and everything is gone. Make your rules that much more complex and suddenly the patterns people have been using for years (patterns, not always values) no longer work, forcing the "backup" system to memorizing it.
The other thing is that some sites simply need to get over themselves... A donut shop need not require 16 character passwords, email confirmation and CAPTCHA just to get info about the latest sales...
To paraphrase somebody else: Passwords are a horrible form of authentication, just better than everything else [for typical uses].
A good application wouldn't allow a user to create a "weak" password. It would check that it had X characters, a few upper cases, some symbols, some numbers and wasn't a dictionary word spelled out in l33t. Oh yes, it would also disable the account after the user failed to enter the password a few times, completely eliminating the ability to brute force the passwords.
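An added example (not the commenter's code) implementing the composition checks the comment describes, including the l33t-undoing dictionary lookup. The mini-dictionary, the `LEET_MAP` substitutions and the thresholds in `check_password` are constructed assumptions; a real deployment would load a full wordlist and a breached-password list.

```python
import re

# Constructed mini-dictionary standing in for a real wordlist
# (e.g. /usr/share/dict/words plus known-breached passwords).
DICTIONARY = {"password", "letmein", "welcome", "dragon", "monkey", "qwerty", "sunshine"}

# Common l33t substitutions, undone before the dictionary lookup (assumed set).
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "0": "o", "1": "i", "3": "e",
    "5": "s", "$": "s", "7": "t", "|": "l",
})


def normalize_leet(password):
    """Lower-case, undo l33t substitutions, then drop anything that is not a letter."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))


def is_leet_dictionary_word(password, dictionary=DICTIONARY):
    """True if the password is just a dictionary word dressed up with l33t and decoration."""
    return normalize_leet(password) in dictionary


def check_password(password, min_length=8, min_upper=2, min_digits=1, min_symbols=1):
    """Apply the policy from the comment. Returns a list of failures; empty means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if sum(c.isupper() for c in password) < min_upper:
        problems.append(f"fewer than {min_upper} upper-case letters")
    if sum(c.isdigit() for c in password) < min_digits:
        problems.append(f"fewer than {min_digits} digits")
    if sum(not c.isalnum() for c in password) < min_symbols:
        problems.append(f"fewer than {min_symbols} symbols")
    if is_leet_dictionary_word(password):
        problems.append("dictionary word with l33t substitutions")
    return problems


if __name__ == "__main__":
    # "P@ssW0rd!" satisfies every composition rule yet is still "password".
    for candidate in ("P@ssW0rd!", "Correct-Horse-Battery-7", "Abc123."):
        print(candidate, "->", check_password(candidate) or "accepted")
```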
Yeah, and then someone tattoos their cat with your barcode.
Nerd rage is the funniest rage.
FTFY. Whether they’re using passwords like 12345 or writing their password on a Post-It or telling it to whoever calls them and claims to be tech support, dumb users are almost always the weakest link.
Quite possibly the only time there’s a link that’s weaker than the users themselves is if you have really, truly incompetent admins (when they store passwords in clear-text databases or something royally stupid like that)... but in general, users are the weakest link.
Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
Honestly now, how many people really, ultimately give a rat's ass about having their gawker (or any other commenting account) compromised? These are such low-importance accounts that it's really worth wondering why they need secured user accounts at all. Spam is probably the only real concern, but is easily defeated by other means (including moderation) -- what this actually does is put the responsibility for filtering spam on the users rather than on the site's engineers. However, using automated spam filters would preclude harvesting people's email addresses.
Some users might want secure accounts in order to build up their "rep", and yet, does anyone really care who is on the other side of a comment post? No. For all intents, we might as well all be posting as anons. The artificial "need" to create dozens of secure accounts with passwords desensitizes people to the importance of passwords, and becomes just another hoop for them to jump through to get to the things they need to do. And realistically, very few people are going to go through the trouble of inventing and memorizing a new password for every application that requires one.
Posting as AC because commenting accounts are stupid.
Every website has different rules for their passwords. Some sites require at least 6 characters. Some require at MOST 10 characters. Some require special characters; some forbid special characters. Because each site has completely different rules, this leads people to develop lowest-common-denominator passwords that work across sites. If there were standard rules for passwords - at least 8 characters, must contain 1 letter, 1 number, one "special" character, max length 100 characters - then people would be able to create very strong passwords that are easy to remember, and use them across sites if they wanted. Imagine attempting to bruteforce this password:
I wuz bron on the 21st Day of January, 1966
A simple phrase with personal meaning and some misspellings. Create 3 tiers of passwords - one for throwaway sites, one for semi-important stuff (maybe Facebook/Twitter), one for critical stuff (email account, banking). Since no two sites seem to have compatible password rules this can't currently be done. I remember GoDaddy as being unbelievably strict to the point that I need to reset my password every single time I want to log in because I have to create such an impossible password for them that I can never remember it.
rooooar
I disagree. A good application would have password requirements in line with the security requirements of the application. Users don't want or need a long, convoluted password of caps and numbers and symbols with a dictionary check for their twitter account or for a Mazda RX-7 enthusiast forum. I could understand having more security on something like an online bank account service, but even that leash could be kept loose, depending on what features are available on the site. My bank only offers a debit transaction listing. Everything else has to be handled in person.
Forcing asinine levels of security on everything is just going to make users write their passwords down. This is especially true of sites that require frequent password changes.
I do something similar, however the first part is part of the site in question.
Forums use the name of the first forum I had an account with,
games usually have quake or doom as the first part of theirs,
generic websites with accounts use another format.
For numbers it is the house number I was living at the time it was created. It worked well as over a course of 6 years the USPS changed the house number 5 times. No new neighbors they just kept changing it.
I thought once I was found, but it was only a dream.
> the USPS changed the house number 5 times. No new neighbors they just kept changing it.
So that's their new business model!
If libertarians are so opposed to effective government, why don't they all move to Somalia?
> A good application wouldn't allow a user to create a "weak" password. It would check that it had X character, a few upper cases, some symbols, some numbers
Because Abc123. is a great password? And users will never write down complex hard to remember passwords that they have to change frequently?
Trying to make up for a poor authentication method by externalizing a burden upon users of the software is bad design. Kind of like the plumber who designed your house's piping saying... "Oh, by the way, make sure to always keep a pan under this sink and periodically dump it outside. Otherwise it will fill up with water seeping from the sink's drain pipe."
And then somehow claiming when the pan overflows that it's the user's fault, not bad plumbing.
I would suggest you go read So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users, and listen to Security Now, Episode #229
> it would also disable the account after the user failed to enter the password a few times, completely eliminating the ability to brute force the passwords.
Because legitimate users always remember their strong passwords perfectly and never typo their strong password a few times?
Because bad guys never take advantage of account lockout mechanisms to annoy the legitimate user?
I often use the same password on sites where I just don't care, and by that I mean I really just don't care.
That is, I don't care if my "account" is "breached". I don't care if someone gets my login from one stupid web site that I don't care about and uses it in another stupid web site I don't care about. Nothing about it will get you into any site where I *do* care.
-fb Everything not expressly forbidden is now mandatory.
I think some people have a distorted view of what is really important. Banking obviously. Email yes because it is used to verify password reset requests. Shopping maybe, if the shop keeps your credit card details on file. Social networking? Only if you suffer anxiety problems that would cause you to have a breakdown if someone posted false information to your profile/wall whatever.
Well look at the parent's subject line.. "Maybe we should have some other method of authentication". He could have easily typed.. "Some of method of Authentication?" or "Other methods?" The meat is in the reply really..
Most people never ask you any questions. Only the dumb ones ask dumb ones. You forget the sensible but boring ones. You are confounding the left tail of the distribution with the middle.
> that location is in a password protected Word file buried deep
> in a directory structure
Try using some encryption instead: GPG, PGP, etc.
Everything I write is lies, read between the lines.
Since we are all accustomed to using physical keys, how about using one for the Internet? The physical key would be a USB stick that is used by the browser to store a randomly generated password/username (or other credentials) which would then be used to logon to a site. All the users would have to do is to have this 'key' with them.
Passwords are just plain bad at what they are supposed to do: authenticate users. But authentication is only half the equation. Important sites like bank sites and such should require identification (proving that it is actually, physically you that is logging in... web cam facial recognition maybe?), as well as authentication (proving by some token that you are authenticated to use that site and have an account there).
Passwords fulfill the authentication part of the equation, but do it badly, because it's very easy to hack etc. I don't know anyone that does identification on the net. It would be better if I didn't have to remember 200 passwords at all. I like the model of "something you physically possess and something you know" as authentication and my "e-legitimation" or e-identification that is contained on a standard chip and pin credit card performs that function very well, because I have a card reader, and a card with a chip on it, which fulfills the physical thing, and I have a 6-digit pin code for the thing I know part. This works great with the 6 or 7 state sites that are tied into e-identification (which is inappropriately named) as it's only authentication.
It would be great if state owned sites or banks could tie in to a state issued ID card. If some sites did not want to rely on national ID they could issue third-party independently issued cards, so that there could be competition between state issued ID and competitors and run that system in parallel with a national-id system.
I'm not saying this to troll for national ID. I believe that ID cards have some great benefits, and the technology is sound, but people jump on the privacy bandwagon, and yes, it's a great concern, but with the right mechanisms in place within the implementation of national-ID, it could make snooping, harvesting, spying etc. very difficult. As to whether private persons could rely on the government to actually implement those mechanisms or not is another issue.
Hasn't this already been hacked on for years though? Didn't we already come to the conclusion that passwords are not the way to go? What happened to the solution?
"Everyone knows that vi vi vi is the number of the beast" -- Richard Stallman
Forget about phones, forget about passwords.
Since brute force attacks rely on many password crack attempts, a system that would
1. allow three tries for an account, then
2. not allow any tries to the account for 15 minutes before resetting to "step 1"
would also help people's accts stay secure.
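An added example (not the commenter's code) of the two-step scheme above as a per-account throttle: three failed tries, then a 15-minute window in which no attempt is evaluated, after which the counter resets to step 1. `LoginThrottle`, `ManualClock` and the injected `verify` callable are assumptions made for the example.

```python
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 3             # step 1: three tries ...
LOCKOUT_SECONDS = 15 * 60    # step 2: ... then 15 minutes with no tries


@dataclass
class _AccountState:
    failures: int = 0
    locked_until: float = 0.0   # clock timestamp; 0 means not locked


class ManualClock:
    """Settable clock for tests and demos: call it to read `now`, assign `now` to advance."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class LoginThrottle:
    """Per-account throttle implementing the two-step scheme from the comment."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so behaviour can be tested without sleeping
        self._state = {}

    def is_locked(self, account):
        state = self._state.get(account)
        return state is not None and self._clock() < state.locked_until

    def attempt(self, account, verify):
        """Process one login attempt and return True if it is accepted.

        `verify` is a zero-argument callable that checks the submitted credential.
        It is NOT called while the account is locked, so guesses made during the
        window are never evaluated, not merely reported as failures."""
        now = self._clock()
        state = self._state.setdefault(account, _AccountState())
        if now < state.locked_until:
            return False
        if state.locked_until and now >= state.locked_until:
            # Lockout expired: back to step 1 with a fresh counter.
            state.failures = 0
            state.locked_until = 0.0
        if verify():
            state.failures = 0
            return True
        state.failures += 1
        if state.failures >= MAX_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0
            # Worth logging: repeated lockouts of one account are a signal in
            # themselves, and, as noted elsewhere in the thread, a lockout can be
            # triggered deliberately to keep the legitimate user out.
        return False


if __name__ == "__main__":
    clock = ManualClock()
    throttle = LoginThrottle(clock)
    for _ in range(3):
        throttle.attempt("alice", lambda: False)
    print("locked after 3 failures:", throttle.is_locked("alice"))
    clock.now = LOCKOUT_SECONDS
    print("accepted after 15 min:", throttle.attempt("alice", lambda: True))
```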