Slashdot Mirror


Your Passwords Don't Suck — It's Your Policies

First time accepted submitter eGuy writes "ZDNet sparked a debate about password policies when John Fontana wrote about my open source (LGPL) password policy project that rewards XKCD-like passwords. Steve Watts of SecurEnvoy replies that it is too little, too late. What think ye? Is there hope for passwords?"

11 of 487 comments

  1. another password revealed by ozduo · · Score: 5, Funny

    A white jacketed southern gentlemen's password is "This secret spice makes shit taste like chicken"

    --
    I got to the chocolate box before you, that's why the hard ones have teeth marks.
  2. Terrible password policies by bu11d0zer · · Score: 5, Insightful

    Any password policy that basically forces you to write down your password somewhere is broken. Sure, you can use a password vault but that's cumbersome for the various dozens of passwords strewn about the web and on mobile devices. But my biggest gripe is sites that lock you out (requiring a phone call) after 3 incorrect guesses. I could understand 100 incorrect guesses, but 3 guesses is not enough to recall a password when you have not used it in several months. One hundred guesses by a computer/hacker is nothing compared to the full password space.

  3. The main problem is... by k3vlar · · Score: 5, Insightful

    The main problem is indeed the policies. While I (mostly) agree with the main statements TFA makes, I have my own note to add:

    My bank's website enforces a MAXIMUM length. I'd love to have a password like "c0rr3c7 h0r53 b4773ry st4p13", but I can't use more than 6 characters.
    Yes, you read that right. 6 characters. Maximum.

    I fear for my online bank info constantly.
    Why would there ever be a reason to enforce such a small maximum length? I don't get it.

    --
    Unlike porn, which yada yada rimshot hey-ooh!
    1. Re:The main problem is... by Anonymous Coward · · Score: 5, Insightful

      It means they don't care. I do online banking security consulting, including almost all of the largest banks in Canada. They know that what they have is far from ideal, but the losses are not enough for them to want to make a change. It comes down to a formula of the costs of fraud vs the costs of adding additional security + help desk calls as a result + end user usability. One of the largest banks I worked with told me that banking with them is a cultural thing and that most of the citizens in the province will bank with them by default. They can afford to have minimal security and just cover the fraud loss out of their profit.

      And just so you know, Authentication is dead. If I've got malware on your machine, then I don't care how strong your password, OTP and biometric security is. I'm going to wait for you to login and then take over your session in the background. Security at this point is well beyond what's happening at the login stage. And don't get me wrong, the vendors that are doing the current security implementation for these banks have a lot more to offer, but it's the banks that are deciding that it doesn't matter to them.

  4. Re:This is too simple to fix by Anonymous Coward · · Score: 5, Insightful

    because it would take longer to type

    I disagree, my ability to type words in sequence each day has made me quite efficient at doing so, a garbled string on the other hand I am not. The lowercase, uppercase, numbers and symbols make passwords longer to type.

    With different passwords for each site (or at least each serious one such as banks) the garbled text approach is very inappropriate.

    As passwords are stored as a hash created with a salt, the password is always stored as a fixed value (128-bit for MD5, etc.), so it requires no additional storage for the servers/databases.

  5. Re:Wrong by LordLucless · · Score: 5, Funny

    Of course, your fiendishly clever non-standard spelling of et cetera would fool any such dictionary attacks.

    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  6. Wow... by NoMaster · · Score: 5, Insightful

    Congratulations on winning the Slashdot trifecta - you managed to invoke the GPL, cite XKCD, and slashvertise your own project all in one!

    --
    What part of "a well regulated militia" do you not understand?
  7. Re:XKCD by spazdor · · Score: 5, Insightful

    My problem with the xkcd scheme is that users are lazy and rather than pick 4 random words, they'll pick 4 words that are easy to remember in sequence: "haveityourway" "darksideofthemoon" "thesearenotthedroidsyourelookingfor", so with a phrase dictionary and some grammar rules, you still have a good chance at brute-forcing some user's passwords.

    You could perform this attack using Google's autocompletion database as a dictionary.

    --
    DRM: Terminator crops for your mind!
  8. Re:This is too simple to fix by Sancho · · Score: 5, Insightful

    we widely distribute a standard library method for computing password entropy and let people pick what kind of strong password they want to remember

    There are a few complications with this.

    1) Humans are incapable of picking entropic passwords. They think they can, but they can't. So the measure we need isn't actually one of entropy, though it looks like that to computers.
    2) Mostly due to (1) above, computers are incapable of correctly calculating the entropy of a human generated password. They can calculate the entropy of a string of characters if they presuppose that the string of characters was not generated by a human.
    3) Even if we assume that humans can create entropic passwords, it's difficult for a human to estimate that entropy. What happens when the password entropy checker rejects "This shit tastes like chicken"? How does the human know how to make that password more acceptable? Is "shit this tastes like chicken" any better? How about "chicken like this tastes shit"? Or "Tastes chicken shit this like"? How does that even compare to a shorter string of letters, numbers, and symbols which don't form a word? To the person behind the keyboard, such a comparison is nonsensical. The computer can't reasonably say, "Please add 4 bits of entropy to your password," and saying that the password isn't strong enough without providing any guidance as to why will just be frustrating.
    4) The library would need constant updating to be valid. Because "correct horse stable battery" and all of the permutations of that set of words (probably including pluralization and tense changes) are terrible passphrases now, but they would have been pretty good prior to Randall Munroe's comic. Each new song, book, poem, and speech decreases the value of passphrase word-sets.
    5) Assuming you ignore (4) above, you still basically eventually run into what we have now--some people have good passwords, some people have bad passwords, and the biggest problem is still reusing passwords combined with site compromises.
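    As an added example (not code from the thread or from the submitter's project), the Python sketch below makes Sancho's points 2 and 4 concrete: the same string is scored by a naive character-class model, by a dictionary-word model, and against a list of phrases that are already famous, and the checker reports the weakest model so the user gets a reason rather than a bare rejection. The wordlist, phrase list and leet table are small constructed stand-ins for the large lists a real checker would load.

    ```python
    import math
    import re
    import string

    # Constructed sample wordlist; a real checker would load a large dictionary.
    WORDLIST = {
        "correct", "horse", "battery", "staple", "stable", "this", "shit",
        "tastes", "like", "chicken", "have", "it", "your", "way", "dark",
        "side", "of", "the", "moon", "password", "purple", "monkey",
        "dishwasher",
    }

    # Constructed list of phrases a cracker tries first: comics, songs, memes.
    KNOWN_PHRASES = {"correcthorsebatterystaple", "haveityourway", "darksideofthemoon"}

    # Common letter substitutions, undone before dictionary matching.
    LEET = str.maketrans("013457@$", "oleastas")


    def char_class_entropy(pw):
        """Bits if every character were drawn uniformly from the classes present.
        This is what a naive meter reports; it is only right for machine-made strings."""
        pool = 0
        if any(c.islower() for c in pw):
            pool += 26
        if any(c.isupper() for c in pw):
            pool += 26
        if any(c.isdigit() for c in pw):
            pool += 10
        if any(c == " " or c in string.punctuation for c in pw):
            pool += 33
        return len(pw) * math.log2(pool) if pool else 0.0


    def normalize(pw):
        """Lowercase, undo leet substitutions, drop separators and digits."""
        return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


    def segment_words(s):
        """Split s into the fewest dictionary words (dynamic programming).
        Returns None when no complete segmentation exists."""
        best = {0: []}
        for end in range(1, len(s) + 1):
            for start in range(end):
                if start in best and s[start:end] in WORDLIST:
                    cand = best[start] + [s[start:end]]
                    if end not in best or len(cand) < len(best[end]):
                        best[end] = cand
        return best.get(len(s))


    def estimate_entropy(pw):
        """Return (bits, model): the weakest of the attacker models that apply."""
        bits, model = char_class_entropy(pw), "random characters"
        norm = normalize(pw)
        words = segment_words(norm) if norm else None
        if words:
            # each word chosen from the wordlist: a dictionary cracker's view
            w_bits = len(words) * math.log2(len(WORDLIST))
            if w_bits < bits:
                bits, model = w_bits, f"{len(words)} dictionary words"
        if norm in KNOWN_PHRASES:
            # the whole phrase is on a list: one guess among the list's entries
            p_bits = math.log2(len(KNOWN_PHRASES))
            if p_bits < bits:
                bits, model = p_bits, "known phrase"
        return round(bits, 1), model


    def check_policy(pw, min_bits=40.0):
        """Accept or reject with the reason, so the user learns which model failed them."""
        bits, model = estimate_entropy(pw)
        if bits >= min_bits:
            return True, f"accepted: ~{bits} bits under the '{model}' model"
        return False, (f"rejected: ~{bits} bits under the '{model}' model; "
                       "use more words, or words not on common lists")


    if __name__ == "__main__":
        for pw in ("correct horse battery staple", "c0rr3c7 h0r53 b4773ry st4p13",
                   "This shit tastes like chicken", "purple monkey dishwasher", "x7#Qz9!kLm"):
            print(repr(pw), "->", check_policy(pw)[1])
    ```

    The character-class model rates "correct horse battery staple" at well over 100 bits, the word model at four wordlist picks, and the phrase list at a couple of bits; the leet-spelled bank variant from the comment above normalizes to the same phrase and gets the same verdict, which is exactly the "constant updating" problem in point 4.
    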

  9. Re:This is too simple to fix by pgpalmer · · Score: 5, Insightful

    "Your password must be six to eight characters and contain only letters and numbers."
    "Your password cannot be over twelve characters."
    "You have used this password before. Please enter a new one."

    I have my own password policies, and it's frustrating when I can't follow them.

  10. Re:This is too simple to fix by Drishmung · · Score: 5, Interesting

    We actually did something like this.

    Users were permitted to choose their own password. These passwords could be long. We had guidelines as to what were good schemes, but there was no enforcement of rules.

    However, we also

    1. ran a quick check on your password against a cracker and
    2. ran a password cracker as a constant background job.

    If your password was cracked by the quick checker, it was rejected and you had to choose another.

    If the background checker cracked your password, you were locked out. When you tried to log on and couldn't, and called to find out why, you were told your password had been cracked and you needed a new one. (Actually, I think we emailed you then locked you out, so if you were on-line, you could choose a new password then and there).

    It worked.

    --
    Protoplasm. Quiet Protoplasm. I like quiet protoplasm.
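    An added example, not Drishmung's actual system, showing the two-stage scheme above in Python: a quick dictionary check when a password is set, and a background job that runs the same guess list against the stored salted hashes and locks the accounts it cracks, returning the notices that would be emailed. The wordlist, mangling rules, PBKDF2 iteration count and in-memory account store are constructed assumptions.

    ```python
    import hashlib
    import hmac
    import os

    # Constructed wordlist; a real checker uses the same lists attackers use.
    WORDLIST = ["password", "welcome", "horse", "chicken", "protoplasm", "summer"]
    LEET = str.maketrans("aeios", "43105")
    ITERATIONS = 1000  # deliberately low for the demo; production uses far higher counts


    def guesses():
        """What a fast dictionary cracker tries first: each word with case,
        leet and single-digit-suffix mangling, deduplicated."""
        out = []
        for word in WORDLIST:
            for base in (word, word.capitalize(), word.upper()):
                for variant in (base, base.translate(LEET)):
                    out.append(variant)
                    out.extend(f"{variant}{d}" for d in range(10))
        return list(dict.fromkeys(out))


    def quick_check(candidate):
        """Set-time check: True if the candidate survives the quick cracker."""
        return candidate not in set(guesses())


    def hash_password(pw, salt):
        # salted, iterated hash; every stored value has the same fixed size
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


    def create_account(store, user, pw):
        salt = os.urandom(16)
        store[user] = {"salt": salt, "hash": hash_password(pw, salt), "locked": False}


    def background_audit(store):
        """Background job: run the guess list against every stored hash.
        Cracked accounts are locked; the returned notices are what gets emailed."""
        notices = []
        guess_list = guesses()
        for user, rec in store.items():
            if rec["locked"]:
                continue
            for g in guess_list:
                if hmac.compare_digest(hash_password(g, rec["salt"]), rec["hash"]):
                    rec["locked"] = True
                    notices.append(f"{user}: password cracked by background audit; choose a new one")
                    break
        return notices


    def login(store, user, pw):
        rec = store[user]
        if rec["locked"]:
            return "locked: check your email or call the help desk"
        ok = hmac.compare_digest(hash_password(pw, rec["salt"]), rec["hash"])
        return "ok" if ok else "bad password"


    def demo():
        """Constructed scenario: one account with a long passphrase, one whose
        password was set before the quick check existed."""
        store = {}
        create_account(store, "alice", "quiet protoplasm likes chocolate teeth")
        create_account(store, "bob", "Ch1ck3n3")
        notices = background_audit(store)
        return notices, store


    if __name__ == "__main__":
        print("quick_check('Horse7') ->", quick_check("Horse7"))
        notices, store = demo()
        print(notices)
        print("bob login ->", login(store, "bob", "Ch1ck3n3"))
    ```

    The quick check compares the plaintext candidate against the guess list, so it costs nothing at set time; the background job has to hash every guess under each account's salt, which is why its cost scales with the iteration count and why it is run as a continuous background job rather than inline.
    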