Deloitte: Use a Longer Password In 2013. Seriously.
clustro writes "Deloitte predicts that 8-character passwords will become insecure in 2013. Humans have trouble remembering passwords with more than seven characters, and it is difficult to enter long, complex passwords into mobile devices. Users have not adapted to increased computing power available to crackers, and continue to use bad practices such as using common and short passwords, and re-using passwords across multiple websites. A recent study showed that using the 10000 most common passwords would have cracked >98% of 6 million user accounts. All of these problems have the potential for a huge security hazard. Password vaults are likely to become more widely used out of necessity. Multifactor authentication strategies, such as phone texts, iris scans, and dongles are also likely to become more widespread, especially by banks."
correcthorsebatterystaple. It's a perfectly long, easy to remember password. Just, nobody use it other than me, ok?
Shouldn't we just be using slower and slower hash algorithms to store passwords to compensate?
Why aren't passphrases more common?
Far easier to remember Hot grits down your pants with a petrified Natalie Portman than miJFsVXx3!, and potentially far more secure by virtue of character number.
I used my online banking today and they limit to 8 characters EXACTLY... even though they demand a non alpha-numeric character and mixed case. I keep thinking, these idiots still don't get it. Also, obligatory.
If computers were people, I'd be a misanthrope.
lastpass.
My computer has the same password as my luggage and to the oxygen on my planet. No one will ever be able to figure it out.
There's going to be a shift from passwords in general. Not only are they often insecure, but there's no verification that the person typing in the password is the user who owns it.
No, we're going to switch to biological means. This will be more secure, but as a side effect, there will be more assaults in which the eye/finger/penis is removed and used to gain access to these bio-protected systems.
Don't use a longer password, just use two factor authentication.
hunter22
We should have legislation prohibiting cleartext and unsalted password storage. At least for any site that handles money. That will help quite a bit to inhibit the sort of casual database cracking that goes on today.
I am becoming gerund, destroyer of verbs.
8 character passwords have been crap for a long time. Way to join the rest of us in the 21st century, Deloitte. Remind me, why is anyone paying you again?
Passwords must die!
It sounds like Deloitte has been partying like its 1999.
Childhood friend's first name.
Common household item.
What you ate for lunch.
Anitadildosandwich
DOH!
I'll change it to 123456
The relationship between password length and password strength is old news.
But don't tell users, tell the programmers and system admins. I regularly encounter systems where max password length is 12 or fewer characters. For some reason there are also systems that don't allow characters other than letters and numbers in passwords.
Let us make longer, more secure passwords. Let us use special characters, unicode, tabs and spaces!
An easy way to make a very complex password is this:
sentence
number (6 digits can work, there are a lot of 6 digit numbers)
Done.
If you want to re-use that password, add an extra factor to make each one unique:
encode the service name somehow, such as numbers and a-n gets replaced with 0 (note no caps, overcomplicates), and the rest of the alphabet and punctuation is A.
Or think of a very simple metaphor for the service, or relation to the service. (facebook - thewhorehole, youtube - wherethingsgotodie, etc.)
These will considerably improve the general security of your password.
Better than done.
And always use 2-factor auth if available.
None of this will protect you if databases are stolen, but they will stop brute-forcing and global hacks of your accounts. (unless your hacker also read my post and is smart)
dongle hangin!
We play the game with the bravery of being out of range
I try and use long (but easy to remember) passwords on all sites. Unfortunately, there are still a large number of sites that put a ridiculous cap on the maximum length of the password (12 characters max is more common than it should be). I'm all for giving up short passwords, but not all issues revolve around the user having poor password security.
I'd be more than happy to use long, more secure passwords if I'd be allowed to let my device memorize them. More and more sites are using the HTML option that denies autofill, keeping devices from memorizing passwords on them.
It should be possible to tell a device to ignore that HTML option if you have a passkey set on the device. Not letting devices remember passwords is less secure than just allowing it because people will use weaker, easier to type in passwords.
Not to mention Google's bad habit of making you reenter your password every so often. Just keep me logged in, damnit. My phone has a passkey.
Some password requirements are perfectly acceptable, even encouraged. There exist plenty, however, that just make one scratch one's head. Why would a maximum length any lower than several hundred characters ever be necessary? More egregious limitations include requiring an insanely complex number of symbol/letter/number combinations (easy for AI, hard for humans, as XKCD eloquently points out) and, of course, passwords restricted to numbers only. Sadly financial institutions seem to be fond of this one, possibly under the mentality that a PIN is just as good as a password, and customers won't forget that!
"Humans have trouble remembering passwords with more than seven characters, and it is difficult to enter long, complex passwords into mobile devices." Let's say you type your current 7-char password 2 times; is it harder to remember? I guess it will be even harder to remember to type it 3 times, if 14 chars are no longer safe enough in the future.
I think some places encourage short passwords. StudentLoans.com is Citibank's site for, you guessed it, student loans. The MAX password length is eight characters. That only encouraged me to pay off my loan to them faster just so I wouldn't have to deal with security like that.
Of course, nowhere in the signup do they warn you that only the first eight characters of your password will be accepted, nor does the login box limit you to inputting eight characters. I signed up with abcdef12345678 and tried signing in with abcdef12345678 but it gave me password refused. By luck, I tried abcdef12 and it worked. Screw Citi and all of the others still using password schemes from the early 90s
We should encourage the use of longer passphrases rather than passwords and eliminate or raise limits on their length. It's much easier to remember a sentence than a string of random characters.
Too many banks in the US also have limits on both user names and passwords. :(
Maybe we should deprecate the term password and ask people to pick a passphrase?
"isaw95giantbunnies@myparty!"
It's easy to remember and relatively easy to type even on a phone.
Though part of the problem comes from the developers of applications and manufacturers of devices. How many times has a web site prevented me from using a complex password? Heck, a few weeks ago, I worked with a Thecus NAS (built on Linux). It took me forever to realize that there was a 12 character limit with no special characters allowed!
The problem with this is that most people demand to use an easy to remember password and will stubbornly ignore their own password hints. This happened quite a lot at a fashion company I worked for (I wasn't responsible for the web end, thankfully), and customers kept complaining, no joke, "why should a password be case sensitive?"
It wasn't uncommon for customers to blurt out their passwords on the phone either. One lady started giving me her credit card number out of the blue, thinking that was the problem. When these are the types of people you're dealing with, the lockout is quite a bit more of a hassle. I think they switched to OAuth as a result.
People are getting used to the idea of online security, but growing pains are plenty.
We should have legislation prohibiting cleartext and unsalted password storage. At least for any site that handles money.
Personally, I'm surprised PCI doesn't require this already.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Instead, store your password on a TPM chip, from where the hash cannot be stolen and where the attempt rate can be regulated. This way even 7 character passwords can be quite secure.
passwordpasswordpassword
Have gnu, will travel.
Use keepassx. Usernames and passwords won't be stored in your browser, and that could be annoying, but you'll always be able to paste them into any login form. Or at least I never experienced any problem. There is also an Android version, and you can copy the password db file among devices (dropbox or manual file copy).
Same thing for my boss...I insist that he uses long advanced passwords, but he's old and hates complex things in life, likes to play music and sing...and yet he runs a 6 digit company, the worst part is that he uses his silly easy passwords on hundreds of sites.
What this world is coming to - is for you and me to decide.
If 99% of sites didn't put such a restrictive short length on their password length. I can remember and don't mind typing a pretty long sentence, but then the site generally complains because of the spaces or because I exceeded something silly like a 33 character limit. I will also say that some forbid special characters, some require. If you are going to stick me with no more than about 12 characters and refuse use of symbols like & and $, it's asinine. If you see that I have a 48 character password and complain that not one of them is 'special', you are impairing my ability to use a memorable password of appropriate length...
XML is like violence. If it doesn't solve the problem, use more.
A team of expert consultants from Deloitte discovered in *2013* that Moore's Law kicks the ---- out of Darwin when it comes to the password arms race. And said consultant team's recommendation was:
Well gosh, people, you'll just have to try that much harder to come up with/remember passwords that are hard to crack.
Thanks guys!
Password length matters to brute force attacks - and if your application allows a brute force attack to happen, it is broken already, insecure by design.
Enforcing longer passwords will not improve security for real-life cases. Enforcing more cryptic passwords will actually reduce security for real-life cases. Why? Because people will need to type slower, making shoulder-surfing easier. People will start to write passwords down, and they will re-use passwords more often.
You can't solve this issue with simple solutions like "use longer passwords". The only thing that will do is make "password1234" the new standard instead of just "password".
Assorted stuff I do sometimes: Lemuria.org
Two reasons:
Firstly, because the attacker may not need to authenticate against the server, if they have managed to hack in and get the encrypted password or found a way to determine it by MITMing a legitimate authentication.
Secondly, because what you describe is itself abusable for DoS attacks. It allows an attacker to simply log in repeatedly with a bad password to disable an account. Even if the account can be re-enabled after some effort, that's enough to cause serious disruption in some fields. Lock the competitor's salespeople out on the morning of a big conference, or use it to delay members of an opposing MMORPG team while your own people storm their territory.
http://xkcd.com/936/
I knew there'd be a back door
Nothing has changed.
When applying a hash+salt to a password to store in a database, you run it a bunch of times to take up an attacker's CPU time. By picking the number of repeated hashes, processing a password->hash attempt can be made to take any amount of CPU power. When designing a system, one attempts to choose a value such that, with current systems, it takes a reasonable amount of time to process a login but also too long for an attacker to brute force.
TFA talks a lot about the 'number of possible combinations', but in reality that is not strictly relevant.
What matters here is only how much more CPU power is available to attackers than to the site owner. This ratio is what determines the number of 'combinations' required to defend against attack by someone who steals the database. So, if attackers start using hardware to run hash algorithms, sites can as well, and the same balance would be maintained.
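An added example, not from the thread, of the iterated salted hashing this comment describes: PBKDF2-HMAC with a stored, tunable iteration count, a constant-time verify, a check for records that need re-stretching when the work factor is raised, and the attacker-versus-defender cost balance the comment reasons about. The `CURRENT_ITERATIONS` value and the record format are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

# Tunable work factor: raise it as hardware gets faster (see needs_rehash below).
# The value is an assumption of this example, not a recommendation from the thread.
CURRENT_ITERATIONS = 200_000
PRF = "sha256"


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS,
                  salt: bytes = b"") -> str:
    """Stretch the password with PBKDF2-HMAC and return a self-describing record.

    The record embeds the iteration count, so the cost can be raised later
    without invalidating existing entries. A caller-supplied salt is accepted
    only so the result can be checked deterministically; production code should
    pass nothing and let os.urandom choose it.
    """
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_{PRF}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the parameters stored in the record."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    prf = scheme.split("_", 1)[1]
    dk = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), bytes.fromhex(salt_hex),
                             int(iterations), dklen=32)
    # Constant-time comparison so a timing side channel does not leak how much matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(record: str, iterations: int = CURRENT_ITERATIONS) -> bool:
    """True when a stored record was produced with a weaker work factor than we use now.
    Call this after a successful login and re-store the password at the new cost."""
    return int(record.split("$")[1]) < iterations


def expected_crack_seconds(guesses: float, defender_seconds_per_hash: float,
                           attacker_speedup: float) -> float:
    """The balance the comment describes: the attacker's cost per guess is the
    defender's cost per hash divided by how much faster the attacker's hardware is.
    On average half the space must be searched before the password is hit."""
    return guesses * (defender_seconds_per_hash / attacker_speedup) / 2


def measure_seconds_per_hash(iterations: int, rounds: int = 3) -> float:
    """Rough timing of one derivation on this machine, used to pick the work factor."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.pbkdf2_hmac(PRF, b"benchmark", salt, iterations, dklen=32)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok :", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("Tr0ub4dor&3", record))
    per_hash = measure_seconds_per_hash(CURRENT_ITERATIONS)
    print(f"one hash on this box: {per_hash * 1000:.1f} ms")
    # 8 lowercase letters against an attacker 1000x faster than this box:
    hours = expected_crack_seconds(26 ** 8, per_hash, 1000) / 3600
    print(f"expected time to hit an 8-lowercase password: {hours:.1f} hours")
```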
I've got logins for what... 200 sites? This is a problem for the sites, not me.
Passwords don't work. Think of something new. I can not remember 200 passwords that are 9+ characters, can't contain real words, have special characters and God knows what else.
The solution for the end user? Don't use these sites for anything important. Don't store any personal information. Don't do business with sites that retain your credit card number and give you no option to not store it.
I speak all my passwords aloud into either my desktop microphone, laptop microphone or mobile microphone. This allows me to use the longest phrases without having any difficulty typing. People get a bit annoyed when I'm using the computers at the library but I explain it's all in the best interest of security.
Join the Slashcott! Feb 10 thru Feb 17!
A 12-character case-sensitive alphabetic password has 68.4 bits of entropy and a 15-character case-sensitive alphabetic password has 70.5 bits of entropy.
A 13-character case-sensitive alphabetic password has 74.1 bits of entropy and a 16-character case-sensitive alphabetic password has 75.2 bits of entropy.
A 14-character case-sensitive alphabetic password has 79.8 bits of entropy and a 17-character case-sensitive alphabetic password has 79.9 bits of entropy.
A 15-character case-sensitive alphabetic password has 85.5 bits of entropy and a 19-character case-sensitive alphabetic password has 89.3 bits of entropy.
Adding 3 or 4 extra characters is much easier than making the password case sensitive.
The real joke is forcing the password to be case sensitive.
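An added calculation, not part of the thread, that reproduces the figures above: they follow from entropy = length * log2(pool size), with a 52-symbol pool for the lengths labelled case-sensitive and a 26-symbol pool (lowercase only) for the longer lengths they are paired with. The pool table and the word-list sizes are assumptions of this example; it also covers passphrases, where the "symbol" is a whole word.

```python
import math

# Symbol pools assumed for illustration. Each character (or passphrase word) is
# taken uniformly at random from the pool; a human-chosen password has less
# entropy than this formula gives.
POOLS = {
    "digits": 10,
    "lowercase letters": 26,
    "mixed-case letters": 52,
    "mixed-case letters and digits": 62,
    "printable ASCII": 95,
    "diceware-style word list": 7776,
}


def entropy_bits(length: int, pool_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(pool_size)."""
    return length * math.log2(pool_size)


def length_for_bits(target_bits: float, pool_size: int) -> int:
    """Smallest length drawn from this pool that reaches target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))


def extra_chars_to_drop_case(length: int) -> int:
    """How many extra lowercase-only characters make up for dropping mixed case
    at the given length (the comment's 'three or four')."""
    return length_for_bits(entropy_bits(length, 52), 26) - length


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space at a given offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def table(lengths=(8, 12, 16, 20)):
    """Entropy per pool for a few lengths, rounded to one decimal like the comment."""
    return [(name, [round(entropy_bits(n, size), 1) for n in lengths])
            for name, size in POOLS.items()]


if __name__ == "__main__":
    print(f"{'pool':32s}" + "".join(f"{n:>7d}" for n in (8, 12, 16, 20)))
    for name, bits in table():
        print(f"{name:32s}" + "".join(f"{b:7.1f}" for b in bits))
    print("4 random words from a 2048-word list:", entropy_bits(4, 2048), "bits")
    for n in (12, 14, 15):
        print(f"{n} mixed-case chars ~ {n + extra_chars_to_drop_case(n)} lowercase chars")
    print("years to exhaust 68.4 bits at 1e10 guesses/s:",
          round(years_to_exhaust(68.4, 1e10), 1))
```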
So this (just use an 8 character password) is for sissies. I also don't write my passwords down and they include special characters, large and small letters, numbers, and are completely random. It's not possible to crack a 25 random character password. I suggest everyone follow me and use 25 characters at least.
Every damned time you turn around the iPhone is asking you to enter your password for iTunes. And with the on screen keyboard it's torture to actually enter a password with mixed case, numbers and (heaven forbid) symbols.
I, for one, do not look forward to our excessively long password overlords.
Is it just my observation, or are there way too many stupid people in the world?
Bank of Montreal's passwords for online banking must be exactly 6 characters long, and contain no special characters.
You should get 10 chances to enter your password and then your data should self destruct if encrypted.
6 unique characters based loosely on the system I'm accessing, and a 12 character global key. System fails on really stupid sites with "maximum length" systems like the uk government webpages.
After three tries, the account is locked and you then have to go through a bunch of Q & A to get it unlocked?
As for those short passwords with the stupid rules. UGH! I can't remember them. Let me use a whole sentence!
... before I'll submit to an iris scan at a bank. Several local banks have tried using thumbprints on checks, and it is NOT well-accepted by their customers and others.
FTFA "Password vaults are likely to become more popular for managing multiple accounts and minimizing password re-use, but they will require strong multi-factor authentication." Make sure that vault comes from a trusted source... Who's that?
I typically use a 25 character password as an absolute minimum. I memorize the whole thing and it's easy for me to remember this stuff for some reason (I must be gifted). I don't remember it at first but when you gotta type something in every few minutes to install anything or do anything you remember it.
I haven't had a reason to use a 48 character password but I would have no problem remembering it if I needed to. Linux for example does not seem to put restrictions on the length of your root password or your passwords for certain things. But certain websites are ridiculous. They want to practically tell you your password by restrictions. You can't use too many of this letter or that, you can't use a password longer than this but shorter than that, for fuck sake why don't they just give me my one time password to my email address which is secured by at least a 25 character password and be done with it?
That's a bummer. I always use 12345. Knowing this, I'm changing it to 1234567890.
to teach people easy to remember passwords.
Examples:
All you kids, case appropriate, change vowels to numbers.
First line of your favorite poem, backwards with vowel substitution.
Hell: 1_L1k3_B1g_Butt5
The Kruger Dunning explains most post on
This strikes me as largely a non-issue caused by poor login security design.
Why not simply code the authentication such that for every successive request that fails to a given account, an enforced delay of, say, the square of the number of sequential login failures to that account, in seconds, is applied before the next attempt?
This would allow for actual humans to make several errors at a slowly increasing wait each time, whereas for a scripted attack, after 200 tries we're up to 11 hours per try and growing fast. It seems that a brute-force attack becomes entirely unlikely to succeed under these conditions.
Standard Linux distros interject a delay between login attempts, why isn't this considered basic and expected good design for all login authentication contexts?
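An added implementation of the scheme proposed above (example code, not from the comment): a per-key back-off of n^2 seconds after the n-th consecutive failure, refused without running the password check while the wait is pending, and cleared on success. The delay cap and the choice of key are assumptions; keying on the account name alone reproduces the proposal exactly, and the demo shows the side effect another reply raises, that a stranger's failures then lock the real user out until the wait expires.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


def delay_after(failures: int, max_delay: float) -> float:
    """Wait imposed after the n-th consecutive failure: n^2 seconds, capped."""
    return min(float(failures * failures), max_delay)


@dataclass
class LoginThrottle:
    """Per-key back-off for a login endpoint.

    key is whatever the deployment throttles on. The account name alone is the
    scheme from the comment; a composite such as "alice|203.0.113.5" (account
    plus source address, an assumption here) limits how far one source can push
    a victim's wait. Timestamps are passed in so the logic is testable.
    """
    max_delay: float = 24 * 3600.0  # cap, so the wait cannot grow without bound
    failures: Dict[str, int] = field(default_factory=dict)
    last_failure_at: Dict[str, float] = field(default_factory=dict)

    def seconds_until_allowed(self, key: str, now: float) -> float:
        if key not in self.last_failure_at:
            return 0.0
        wait = delay_after(self.failures[key], self.max_delay)
        return max(0.0, self.last_failure_at[key] + wait - now)

    def attempt(self, key: str, verify: Callable[[], bool],
                now: float) -> Tuple[bool, float]:
        """Returns (accepted, seconds the caller must wait before the next try).

        verify is the expensive password check (e.g. a PBKDF2 comparison). An
        attempt inside the back-off window is refused before verify is called,
        so it neither succeeds nor burns CPU on hashing.
        """
        remaining = self.seconds_until_allowed(key, now)
        if remaining > 0:
            return False, remaining
        if verify():
            self.failures.pop(key, None)
            self.last_failure_at.pop(key, None)
            return True, 0.0
        self.failures[key] = self.failures.get(key, 0) + 1
        self.last_failure_at[key] = now
        return False, delay_after(self.failures[key], self.max_delay)


if __name__ == "__main__":
    throttle = LoginThrottle()
    # Constructed scenario: three wrong guesses against "alice" from someone
    # else, then alice herself with the right password one second later.
    for now, ok in ((0.0, False), (1.0, False), (5.0, False), (6.0, True)):
        accepted, wait = throttle.attempt("alice", lambda ok=ok: ok, now)
        print(f"t={now:4.1f}s correct={ok!s:5s} accepted={accepted!s:5s} wait={wait}s")
    print("after 200 failures, hours per try:", delay_after(200, 10 ** 9) / 3600)
```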
~ Whence do you come, slayer of men, or where are you going, conqueror of space?
There is really no reason not to use one time passwords for banking. The bank can email you a new password or text it to your phone every time you verify your identity with them.
Only one way to tell if your password is truly secure; some techniques may be less obvious than others, but I like this one because it shoves them in your face:
http://www.passwordmeter.com/
You can also theorize how long it would take to crack your password here:
http://daleswanson.org/things/password.htm
Of course, you can also always grab a copy of ophcrack (windows users... most of you) : ophcrack.sourceforge.net/ and test it out for yourself, just remember it's YOUR hardware that's testing the password, not a botnet.
So if I want to wipe out your data I just attempt to log in to your account 10 times using a bogus password. Even if your data's backed up, the next time you go to log in might not be a great time to have to do a restore.
That's one way to prevent people from using 'Password' as their password.
Don't use a longer password, just use two factor authentication.
Use more than two factors and generate a one time password.
http://www.baekdal.com/insights/password-security-usability back in 2007. I don't deny that Randall Munroe has summarized the method very, very well however. I also wouldn't be surprised if he was familiar with Baekdal's article. So of course it's not just length alone, it's 3 or 4 common or uncommon words, with spaces acting as special characters. Please, read it. I think Baekdal understands this very well, both user-side and server-side. It may not be watered down enough for the non-tech layman to understand, but I think it's very well-written for anyone tech-savvy. And yes, he basically agrees server admins have a responsibility, too: good password user policy, salt and hash on password databases, etc.
The only reason to restrict password length is to facilitate an inside job. Passwords should go up to 300 characters.
I created a 300 character password for the hell of it in Linux. It was fine but so inconvenient to type that I switched to 30 or so. Also there is no real security benefit beyond bragging rights of being able to memorize garbage like those people who memorize Pi.
batmansupermanspidermanwonderwomanrobingandalfgolemgreenlantern
Keepass doesn't work for certain sites. Certain sites still make you type everything in character by character.
There have been a few stories in the last year or two with analyses of stolen password databases. The overwhelming majority of the passwords were based around a few simple schemes like abc123, ABC123, 123456, etc. Wouldn't it be possible to simply not let users choose those passwords? If you know what the 10,000 most common passwords are, you can hook the list into your account creation routine and reject them. Seems like an big improvement for very little effort on the user or server end.
The only long term solution is to increase the processing power required to hash the password. Hoping that people will use ridiculously long and difficult passwords instead of adapting to the real world is just stupid.
It seems there are so many sites requiring registration with account name and password. Then business and work sites keep asking to update passwords. There's just so many of these that I have to write them all on a piece of paper. And I'll be damned if that paper is lost or stolen.
My data is backed up to the cloud. Try wiping that.
Deloitte predicts that 8-character passwords will become insecure in 2013
I'm gonna say he hit the nail on the head there since 22 letter passwords were insecure in 2012.
Password length doesn't mean squat. That entire thing reads like some amateur that fancies themselves a technological and computer know-it-all.
The two biggest problems are as follows and if corrected would solve the vast majority of security problems.
1) Don't use "password" as your password or any of the other extremely commonly known retard passwords.
2) Be smart. Use security measures that are quite simply common sense like securing your wireless access with a password, don't share your passwords, log off when done, and so on.
Iris scanners, fingerprint ID, dongles and so on are just fluff. If you have those measures they don't mean dick because if someone wants in they will get in despite any fancy measures you take. Besides, the point of the article was simply that the most common passwords will leave you accessible, meaning if you look at steps 1 and 2 above you will find they will solve the vast majority of security issues.
Everything broken into is broken into for 2 reasons. 1) Because the security was mishandled by laziness and lack of common sense. Whether it be not locking your front door or not having a password on your router, they will be broken into because you didn't use simple common sense to put up a simple barrier that will stop 95% of people who will break in simply because you're letting them. Most crooks, if a door is locked, will walk on by your car in the parking lot, but if you leave it open they will go through your stuff, and the same applies for the everyday person in electronic security as well. 2) Because you have something someone wants bad enough to get at that no security measures will stop them.
Everything is insecure; every month we need to change the password, use a better password, use a better username etc.... Here is a new concept: let's only use biometrics that are also paired with a one time pass. The encrypted entry is generated at access time and is valid for 20 seconds, and if you miss it you're locked out for 24 hours no matter what. That would be secure; anything less by next month will be insecure.
"You should get 10 chances to enter your password and then your data should self destruct if encrypted."
Idiot. Now people will go around nuking your data by simply maxing out the password attempts...
You can compare the hash of what the entered to a rainbow table of most common hashes and not allow those.
Also I would be tipped off that someone is trying to access my data if it's destroyed. Basically if you have precious data then back that up to the cloud and the rest of it you should care more about privacy of the data than the data itself.
Forcing people to change their password to comply with "their" rules only makes passwords weaker.
Users should be taught to create passwords with a formula or pattern for each separate site or service and to NEVER EVER use the same password twice.
For example, name of the site, year of signup, a non character and a non guessable unique postfix: slashDot2012@noncoward
And no, this is not my formula nor my password, heh...
Also, strictly enforcing a policy forcing people to change it every X weeks will eventually lead to people writing it down on a post-it and sticking it underneath their keyboard or even in a visible place. Just walk through an office and look around.
Google gets it; I have had the same password since signup, years ago. They warn sometimes, but you can click that away without being forced to change it or else you cannot log in. When a site or service forces me to change my password, they essentially tell me they are insecure about their security...
KERNEL PANIC -SIGFAULT AT ADDRESS #51A54D07
His password:
" I_Like_To_Play_Misic_4_u."
It does prohibit storing and transmitting passwords in cleartext:
8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography.
The problem is most companies still aren't PCI compliant, or they would rather pay the fines than fix their system issues.
It's actually a good question.
Make it 12 characters long. Now you don't need case sensitivity.
Password vaults are likely to become more widely used out of necessity.
BULLSHIT! If my password was omgponies1 then my new password is now omgponies1omgponies1. I can remember it and you can't crack it.
The thing you have is the phone, not the generator, so it is two factor.
That replaces the phone with the specific computer as "the thing you have". Still two-factor.
"Most organizations keep usernames and passwords in a master file. That file is hashed... master files are often stolen or leaked. A hashed file is not immediately useful to a hacker, but various kinds of software and hardware can decrypt the master file and at least some of the usernames and passwords. Decrypted files are then sold, shared or exploited by hackers."
Yes. See, PBKDF2.
Also, there are even algorithms like scrypt which deliberately use a large amount of RAM as well.
Many websites these days allow you to try 3 passwords, then require a captcha and/or waiting period, possibly combined with email, etc...
In these cases password size doesn't matter.
In fact it only matters if the hash of the password is publicly available or the password is used for encryption of sorts. This is not common for websites.
Why not fit PCs with an automotive style ignition lock? You could have just another car key on your keyring. Modern ones have embedded codes. You could even go farther and embed an RSA-style code generator in the key. You wouldn't need a display or a button to press, since you're downloading a code to the ignition lock anyway.
Do not mock my vision of impractical footwear
My solution would be to allow each user to select a self-destruct option: if the hashes do go missing and this does occur, their data will be destroyed so that hackers have no chance of accessing it. Some people would rather destroy the data than let it get into the wrong hands.
What about a variant of Rodney McKay's password from Stargate Atlantis? "16431879196842" -- use the year of Isaac Newton's birth, the year of Albert Einstein's birth, your birth year, and the number 42. You could swap out the birth years of other famous supergeniuses and even add a third person for added security. I bet CowboyNeal uses the birth years of CmdrTaco and his mom for his password... ;-)
There is a breaking point to this. If you force people to use increasingly long and complicated passwords and force them to change them periodically, eventually they will wind up putting their passwords on post-it notes just to get their work done. So all you have to do is go to their desk or break into their homes and look at the stuff stuck to their monitors. Which is a lot easier than cracking an eight-character password.
People just need to stop thinking about passwords and start thinking about pass phrases: "Iliketoeatgreencakeonsunday" is reasonably hard to guess. Hard to crack if hashed. But at the same time easy to remember.
I at least try to use better passwords for more important logins. I don't waste brain power or, worse, reuse high quality passwords for sites where it really doesn't matter if my account gets hacked.
The annoying trend I see is that the sites that most often enforce "better" passwords are the ones I don't care about. Must have at least one upper and one lower character, must have a non-alphanumeric character, no more than two consecutive characters: all this just so I can post to a web forum. Meanwhile the bank will accept almost anything.
I don't think people have quite got the implications of google's new headwear (Project Glass). Others have gone before - but Google have shown they can push into the mass market.
I think you should assume from this point forward that anyone wearing eyewear is recording everything they're looking at in sufficient resolution and frame rates to play back your typing later and thus discerning your password.
Previously you'd call this "shoulder surfing" - but the human eye doesn't really do "zoom". Digital zoom from digital eyewear, on the other hand, means your password could reasonably be read off your moving fingers from a bus-length away.
A second factor is now a requirement, IMO. Interesting times.
No matter how strong your password is... If you use the same password on all systems, and ANY of them at all stores it in plain text, consider yourself screwed. You've just given someone your password.
Also, if your username is your email address and you accidentally type your email password into a non-email system... you may just have given away your email password. Change it.
I use different passwords on different systems. I learned the hard way to keep private and professional passwords separate. Nowadays I also have different password policies for systems that I visit for leisure, systems that know something about me and systems that have power over my money (ebay, paypal, banking and such).
Think of some sort of algorithm to apply to your passwords based on these criteria. You'll have different passwords for anything you visit, yet your password will be easy to remember (to you) yet hard to guess. Mass password breach on one site? Not to worry. They only captured the one password that you'll be changing as soon as you hear about said breach.
thissentenceismypasswordandiconsiderittobereasonablysecure
...I can guarantee that it isn't completely cracked by a dictionary of common words, not to mention I add my own salt to the password that's unique to each site. For example, if my password was "69foobarredOnPinkFloyd_sWall", I might add the word "movies" or "Movies" somewhere in there for a site like Redbox.
I believe this is the real problem. People can use passwords, passphrases, etc., but without a reasonably secure method, there's little point in it other than to keep your friends and parents off your Facebook (why the f*** would you use that site?!), except in the case of you already having given a friend the password. My method also helps to keep angry spouses/exes away as well unless they have a good enough memory to learn it after using it once or twice because if you make it longer, it's already hard to remember. Add something specific to the site, especially in a random order, and it's sensible, yet difficult to figure out. After all, one might add "Redbox" or "redbox" or "dvds" or "dollarRentals" or whatever, using the Redbox example again. It's not like it's difficult. You just keep track of one password and remember where you placed the salt phrase and what the salt phrase is. You might even extend it to do something like "2foobarredOnRedboxPinkFloyd_sWall", where the 2 represents the position of the word in the original phrase that the salt phrase comes after, assuming a 1-based word indexing scheme.
My voice is my passport. Verify me.
I use KeyPass to manage my passwords. The only password I need to remember is the one for KeyPass. I don't even know some of the passwords it uses. This should be a feature built into browsers.
It's 2155, and Daniel Vectorstar, our resident security analyst, states that everyone this year should keep their passwords to a minimum of at least 3 pages, single-spaced...
I'd tried accessing a 401k account with JP Morgan a while back and had to call their 800 #.
Interestingly enough, their voice system asked for my password. Not only had they dropped case out the window, but for each character in the password they'd also managed to condense from 3 letters and 1 number down to just 1 number.
Who cares about data, what about bank PINs that are limited to four characters in length?
Hell, make it 13 characters long (just add '~' at the end to indicate snarky,) that way all the haxxors will be confused because they didn't guess you were being snarky.
"Password vaults are likely to become more widely used out of necessity."
A long time ago I memorized my passwords. They started with simple six character passwords to more complex 10 characters. Later as complexity requirements became more disparate between systems, including aging and having to retire otherwise good passwords, I gave up and started saving them, instead.
I use the built-in password saver in Firefox with a master password and FIPS enabled (http://luxsci.com/blog/master-password-encryption-in-firefox-and-thunderbird.html) and with my user profile encrypted by Windows EFS. I use apg (http://www.adel.nursat.kz/apg/) to generate random passwords as long as 48 characters and with character sets dependent upon site requirements.
To my aggravation many web sites do not allow me to save my password. To mitigate this I have a bookmark button with JavaScript code to strip all autocomplete=off from the forms. I get more aggravated with sites which have maximum lengths or do not allow certain special characters. So far as I know, if you hash what you get from the user it should not matter what is used for the password, assuming it meets complexity requirements.
Sure, I could get a third party password utility, but I feel that I should be allowed to use the built-in utilities available to me. While my way does have its weaknesses, and I know not everyone manages passwords much worse, the situation is no less aggravating.
Meanwhile, I just get your data off the cloud. You backup your data on a system you have little control over, but have a burn feature locally. Doesn't make much sense.
We did solve this one already and it's called the iButton. The only place I've actually seen them used correctly is The UPS Store. The local one uses them for everything, locks, copiers, you name it. They have them in the wall, in the floor, wherever it's most convenient for them to be to relate to a particular function.
You can get a Java Crypto iButton which is pretty much what it sounds like, so not only can you get one with a crypto accelerator but you can actually upgrade the software that runs on it.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Either you misspelled "Music" or you forgot your clever "~" at the end of the password.
Does your parole officer require you to post to slashdot multiple times a day as evidence that you are integrating with society, or do you just do it because Jodie Foster still doesn't return your calls?~
gabriel janice maximillian kevin patrice
That's 40 letters (including the spaces).
Or, the full name of my cat:
eric the ring tailed chickabeastie defender of the realm
I think it would help if we could use "forbidden" chars like { or or $ etc.
Shoes for Industry. Shoes for the Dead.
The ultimate solution would be highly accurate and tamper-proof consumer grade biometrics, like fingerprint scanners built in to everything. Until then, my password system is simple. I have a default password I use, which has meaning to me but is tough to guess. For example, 1H@t3C0lDWin7eR$ (I Hate Cold Winters, no, not my real password). Then I either append or prepend a quickly calculable slug to the front or the end depending on the website I am on. So for example, if it was Slashdot.org, I may append sHtG to the front of it, a pattern based on the domain name (first, fifth and last character of the domain, and the last character of the tld). So my password becomes 1H@t3C0lDWin7eR$-sHtG - which is now 21 characters of letters, numbers and symbols, which would be insanely difficult to crack, and impossible for one site to know the password for another :-)
Although, I much prefer key files or fobs for security when available - everyone and everything should use fobs.
Most awful password experience?
"Password must be at least 12 characters, with one number, one upper case letter, and one special character."
Thisis1passwordsystemthatsucks!
I had to call support when logging in for the first time, and then I learned that there is an unpublished maximum length. Wow.
I keep sending emails to company security admin people about their poor security practices, and I don't think they care.
Security questions?
Pictures?
Forcing some format?
Jeez... at least get with the freaking late twentieth century and let me use up to 256 characters...
Best passwords ever, and easiest to remember: Pick a song that's important to you, and use your favorite line. Ain't nobody going to guess which Celine Dion song I picked...
People still use 8 character passwords? Heh. I wish sites would allow us to log in using GnuPG encryption keys. Seems then you could have 1 password that's not really breakable. You'd only have to keep safe a couple of files (the public & private key), like physical keys to your house or car. I think most people could handle that.... and it would really simplify password management.
Yes, why should a fashion company have long customer passwords? Nothing much bad happens if it is compromised. Use the hard requirements where they are needed - the lightweights don't go there anyway.
---
The criteria that a lot of websites need:
- uppercase and lowercase
- must have digits
- must have some non-alphanumeric chars [many don't allow the full set but underscore is usually safe]
I created a very simple perl script to do this. Here are some generated passwords from common phrases that are 2-4 words in length:
12_kCq_wRb_xFn_205
16_pMj_rVd_yZl_sGd_221
37_lPp_dNs_gNr_S_99
193_mSh_rTs_cVs_194
104_mRt_pCn_T_105
109_lCn_lBd_D_180
55_mRt_tSn_kCr_pSf_nSr_S_186
The mangling isn't trying to be cryptographically hard by any means. I don't consider the mangling to be particularly clever. But these seem to me to be sufficiently strong passwords. I haven't run them through a PW strength assessment algorithm, but they're stronger than PWs I've used at various websites that rate my personal ones as strong.
The groupings used here are deliberate as one PW in a group might clue in the other(s). If you'd like to take up the challenge, a few hints: (1) phrases you've surely typed before, (2) a common comparison, (3) part of a well known company logo/trademark, (4) an author, a novel, and the author's real name.
[If anyone's interested] I'll post the original phrases, the algorithm description, and the perl script [if I can figure out the html tag slashdot needs for unformatted] tomorrow as a reply to this post.
Like a good neighbor, fsck is there
I can admit immediately that I know incredibly little about this subject. So, I'm wondering if the cure for this issue is not necessarily longer passwords, but a different style of passwords? Ignoring the sheer inconvenience of a model like any of the following, would they indeed solve the problem? 1) Require a captcha every time we enter a password? 2) Include a captcha-style word displayed on the page that is tacked on to the end of your personal password? (If my password is 'dogs1337,' and the captcha is 'gelmug,' the new password would simply be 'dogs1337gelmug') 3) Require two distinct 8+ character passwords? Any of the above would at least allow for a significant increase in possible password combinations if all we are worried about is the ability to brute force 8 character passwords. But I suspect that might not be the only worry?
One of the reasons I find myself needing a password vault is the bizarre array of password policies out there today. Take Chase Bank, for instance, who only allow alphanumeric characters.
But the worst part is often the why: In an effort to assist you in securing your password, some sites want to perform password validation server-side. Just stop and think about that for a moment. Why would a website exclude characters like apostrophe, percent, semicolon, etc, from a password field?
Well done: In order to assist your security today, I'll be storing your information alongside a plain-text history of your passwords - you can trust us! Now, obviously, if we allowed funny characters into those passwords, all hell could break loose. But by restricting you to easier to crack passwords, and then storing them in plain text too, the only risk is if we screw something up in the code that checks incoming passwords. We just proved we're smart enough to have already thought of that!
-- A change is as good as a reboot.
What the blaze is a six digit company? Ranked in Fortune 999999, or something?
When our name is on the back of your car, we're behind you all the way!
Who in their sane mind (in ITSEC, that is) is still dabbling with brute force problems? Seriously, Deloitte, stick with economy audits, at least there you can't do much more harm than has already been done to this economy, but stay out of real work, will ya? At least we could do without your "recommendations" to your clients to require bizarre combinations of characters from their employees that only lead to them noting them down on a post-it and sticking it underneath their keyboards (which, oddly, you do NOT have a recommendation against ... but I ramble).
Whether your password has 3 or 30 characters, and how many special characters in what odd combination and how many generations back you may not repeat even 2 of those characters again is moot. NOBODY on the "other side" bothers with brute forcing anymore. Passwords are being sniffed, hacked or simply lifted in other ways, from keyloggers to the good old "this is your IT-department on the phone, we need your password". And when I have your secretary TELL me her password, it's frickin' pointless to make it 100 chars long. Only means I have to talk to her longer. Which, I admit, may or may not be a nuisance to me when I get tasked with testing something you "secured". Depending on how nasty the voice of the person I audit is.
The security hole is NOT the length of your password. Get with the times, brute forcing just simply and plainly takes too long. Even if it's only a 3 char password, there are simply ways that get the attacker access far easier, more reliably and with a lot less effort.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
the bobs hive is not exactly the first place i tend to think of when i want to know about information security trends... maybe they should stick to their core competencies. like really busy powerpoint templates that the government likes and "anybody whoever built an empire..."
Wait, that's the combination on my luggage!
Am I the only person who generates easy to remember yet difficult to read / crack passwords based on things like movie / cartoon / book quotes or music lyrics? I don't think I have ever made a totally random password for myself and instead create easy to remember passwords from all sorts of phrases. The only problem with this is when sites disallow long passwords (so many limit passwords to under 10, 12 or 20 characters).
Take for example (random things off the top of my head) "the sun will come up to morrow, to morrow": Tswcu2m2m. Or "Dance your cares away, Worries for another day": DycaWfad. Throw in a few !! or $$ at the beginning or end and you're set.
TruePunk | Games
I only have to have a password stronger than yours.
What the blaze is a six digit company? Ranked in Fortune 999999, or something?
You seriously underestimate the size of the economy. A mom-and-pop store is a six-digit company...
"Little does he know, but there is no 'I' in 'Idiot'!"
Well, for hashes of passwords, if you made the requirement to do 10,000 iterations then 8 characters is still okay. What is really needed is more complex algorithms that require more time.
Now for data at rest that is a different matter. Just take AES-encrypted ZIPs, which have a checksum that makes verifying brute force attempts much quicker.
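As an added illustration of the "10,000 iterations" point (my example, not code from any poster): a PBKDF2-HMAC-SHA256 password store that records the iteration count with each hash, refuses to verify records below a floor, and flags old records for re-hashing. The record format, the 10,000 floor, the 16-byte salt and the `guessing_time_seconds` helper are my assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed policy for this example (not from the thread): the 10,000
# iterations quoted in the comment above serve as both the default and the
# minimum a stored record may use before it is refused outright.
DEFAULT_ITERATIONS = 10_000
MIN_ITERATIONS = 10_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt>$<hash>.

    Storing the iteration count beside the hash lets a site raise the cost
    later and re-hash old records at the user's next successful login.
    """
    if salt is None:
        salt = os.urandom(16)  # per-record salt defeats shared rainbow tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Check a candidate against a stored record; False on any malformed input."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations < MIN_ITERATIONS:
        return False  # a record cheaper than policy is treated as invalid
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=32)
    # compare_digest does not leak where the first mismatching byte is
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record uses fewer iterations than current policy."""
    try:
        return int(record.split("$")[1]) < target_iterations
    except (IndexError, ValueError):
        return True


def guessing_time_seconds(keyspace: int, iterations: int,
                          raw_hashes_per_second: float) -> float:
    """Seconds to try every candidate once.

    raw_hashes_per_second is the attacker's single-SHA-256 throughput, a
    figure the caller supplies (constructed, not measured); each iteration
    multiplies the work, which is the whole point of the iteration count.
    """
    return keyspace * iterations / raw_hashes_per_second
```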
I smash my forehead into the keyboard at the EXACT same position every time when I'm prompted for a password. I don't know the phrase, which adds extra security in case someone were to try to get me to tell them my credentials.
Works every time.
There are a variety of workarounds for that problem.
Some I've seen are:
1. Browser plugin.
2. Bookmarklet
3. Use of console to enter Javascript
http://superuser.com/questions/405877/is-there-a-browser-extension-that-bypasses-restrictions-of-pasting-passwords
I like that Google asks you for your password again for certain tasks. I don't tell my google password to anyone, but I do often leave my session open when I walk away (who doesn't?). I'm willing to take the risk that someone could get 5 minutes looking at my inbox, but I don't want to take the risk that the person could read my web history or change my password.
Prompting you again for these tasks makes perfect sense.
Last week I ran into the first site that actually REQUIRED a punctuation character in the password. My immediate thought was of the time a couple of years ago when I seemed to keep running into sites that refused to accept my firstname.lastname@gmail.com address when I tried to register, because no e-mail address would have a period in it.
Honestly it feels to me that the whole username/password regime is on its last legs, and is about to collapse under its own weight.
I really don't want biometrics, but I could certainly live with a minimal RFID/NFC key (just like my car, or maybe my phone) that would authenticate me on whatever machine I'm using. If we need something, I want it easy and portable. Maybe a pinky ring with embedded chip?
Meanwhile I'll stick with one long complex tricky password for sites that actually matter (like banks); and another short snappy one for stuff like slashdot and forums that don't (90% of places). About four times a year I change them both to keep stuff fresh.
For everything else my password is "Forgot password? Click here to reset."
Three Squirrels
http://xkcd.com/936/
My password is the toughest!
It is...
chucknorris
*kicks* facebook in the head!
At first, I used complex alphanumeric passwords.
Then some system asked me for some Case. So I added up some actual Easily Guessable Case.
Then some system asked me for some Sp#ci@l characters. So I added them (@g@!n e@sy to f!nd).
Then some system decided it didn't like Sp#ci@l characters. So I only added them when needed.
Then I tried migrating to Pass Phrases. However, the Sp#ci@l still needs to be there sometimes, and sometimes they don't like that, and sometimes, spaces aren't supported, and sometimes, there's a limit of 15 characters.
Then, I found one site that actually asked me for PRECISELY 8 characters, with mixed, number and special. The frag!
And I have two places where I need to switch passwords every now and then (3 months and 6 months).
So I freaking gave up. At home, my crap is seriously secure. It's long pass sentences with some mistakes in them, it's easy to remember them, and hard to figure them out. Whenever I can, I use these pass sentences, always different, because my brain actually remembers these passwords, and they are kind of related to the system in question, for example, on a Fruity system, I might write "I SIRIously love cider" ;)
Everywhere else, the "dick" sites and systems, I have 3-4 passwords, precisely 8 characters in length, with option@1 specials and one ever incrementing character somewhere... Because I need to remember these.
Oh and then, for crappy sites I couldn't care less about, I'm in the top 50 easiest passwords to find. Find them, I couldn't care less. :)
What the blaze is a six digit company? Ranked in Fortune 999999, or something?
You seriously underestimate the size of the economy. A mom-and-pop store is a six-digit company...
You haven't answered the question. what is a six digit company?
When our name is on the back of your car, we're behind you all the way!
Don't mistake inconvenience for security. A lot of security theater is very inconvenient, often on the premise that if it hurts more it must be working better. Real security improvements have little or no effect on usability, and can actually go either way easier or harder.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Except you would have to dedicate as much time to it as it would lock someone out. For instance, 5 bad attempts take you 0s + 1s + 2s + 4s + 8s = 15s and lock them out for the next 16s. So, if you wanted to lock someone out for a day, you have to spend a day (less one second) locking them out. Even if you automated this attack, surely IT could handle that.
One last thing: Sometimes I wonder; "Is that someone's signature? Or do they type that at the end of each post?"
It turns out that the numbnuts at PogoPlug have somehow arranged to forbid pasting userid or password into their login form. I emailed them about it and their response was that they would consider changing it as a feature enhancement. So keepass is useless there and I have to hand type my complex password. Idiots!
Always wait exactly three seconds between password entry and returning ANYTHING WHATSOEVER to the user/network.
Eliminate a whole category of timing attacks and make true brute forcing completely impractical with this one simple rule, that many people seem incapable of grasping (my theory is, poor math skills).
This security bulletin brought to you by the number 1979 and the letters D, E, and C.
The issue appears to be using a password that is one of a top N passwords.
The XKCD comic is laughably inaccurate, e.g., in that it says that the presence or absence of capitals is one bit of entropy. Of course it is -- if you regard the first character ONLY as the candidate for capitalization.
tone
...don't let people have access to the hashed passwords for your system.
From the user's perspective, it's don't use the same password in more than one place, so that if one place does let its hashed passwords loose, it can't be used against you.
paintball
It's made of simple, common words (to me), but they're in English, Dutch, Latin, Malagasy, and bash.
For a shorter one, I use my dad's boat license, which I saw constantly for 15 years. Or his old phone number (can't remember his new one).
Why should we? You going to hammer my server with an attack? All that overhead of php -> mySQL -> php and the HTTP protocol overhead + TCP connection overhead involved:
1) bandwidth limits - mine and yours; but internet gets faster. Latency hasn't improved much. That still costs you a lot in TIME.
2) server limits - LAMP stacks are not that fast (sadly, java even is worse.) You will DoS the server in no time (or bandwidth DoS) plus a loaded server will add to the latency of the process.
3) server clusters - possible added latency due to sync; less able to trigger a DoS - but still possible your attacks are stuck on 1 server so that gets slow.
4) network, ISP protections and measures taken to identify DoS attacks - a brute force will look like a DoS attack.
So then you have to use a distributed brute force attack and not hammer it too much or get too many nodes banned for DoS. This creates a really SLOW number of tests you can realistically do. This on a site without much protection! Easier to look for a CMS bug or other attack to get the hashes.
My 9 character password has been busted for two years now. I now have a system that gives me 13 character passwords that are now different for each site. Unfortunately, not every account, something I've been thinking about. That seems adequate for now, my wife was bitching about how she had to go with the new system when I was trying out Win 8 Consumer Preview since I was using my Hotmail account.
Maybe using 4 "symbols" as it were, but I wouldn't limit myself to seven characters, I'm thinking about adding in a number sequence that not many people would actually know (phone number from the '60/'70s, my first work data entry machine (029 and 129 would NOT be the numbers! :), possibly the now current address of a former home that was only a RR number back then, actually, quite a few of those...), and finally adding something to identify the site to identify the account.
Of course, I always had to deal with the sites that only allowed 8 characters way back then. Some would take more, but the actual password was limited to 8. Sad actually.
Passwords are on their way to being dead. It really is only a matter of time.
I was one of the lucky 250K+ of Twitter that had to reset their passwords.
Bryan
Unix has session tracking. HTTP and UDP stuff does not. So, to do a delay between attempts you have to track the user so you can limit them. However, any attacker with a brain will clear your cookie, etc. Ok, so now you track them by the account name they are trying to get in with... well, that could easily turn into a DoS against all your users because you foolishly use emails for account names like soooo many servers love to use. Best in that case is to track by account name and make a time limit rather than block accounts (still DoS potential for users being attacked, but the legit user might get in during the interval... which means that you should make such an interval random enough they can't predictably lock it out.)
Besides, serious attacks to login are foolish; the delay between attempts is significant enough to make it quite slow; plus attacks would look like DoS attacks so the ISP and server hosting IT would spot something.
Not to mention that email account names let you track users down, so once you get their PW you've got access to everything online they do. It's like putting your home address on your KEYS and not thinking you could ever get robbed if you lost your keys!
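Added example (mine, not code from any poster) tying together the doubling delay quoted earlier (0s, 1s, 2s, 4s, 8s, then 16s) and the suggestion just above to throttle per account name with a randomised interval: a login throttle keyed on the account, with an injected clock and RNG so the behaviour can be checked offline. The one-hour cap, the 25% jitter and all function names are my assumptions.

```python
import random
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

MAX_DELAY_SECONDS = 3600  # assumed cap so a hammered account recovers within an hour


def delay_after_failures(failures: int, cap: int = MAX_DELAY_SECONDS) -> int:
    """Seconds the next attempt on an account must wait after N failures.

    0 failures -> 0s, then 1, 2, 4, 8, 16 ... doubling per failure, so an
    attacker spends as much wall-clock time as they impose on the victim.
    """
    if failures <= 0:
        return 0
    return min(2 ** (failures - 1), cap)


@dataclass
class AccountThrottle:
    """Per-account exponential backoff keyed on the login name, not the client.

    Keying on the (case-folded) account defeats cookie clearing and IP hopping;
    the jitter keeps an attacker from predicting exactly when the legitimate
    user's window reopens. Clock and RNG are injected for deterministic tests.
    """
    clock: Callable[[], float] = time.monotonic
    rng: random.Random = field(default_factory=random.Random)
    jitter_fraction: float = 0.25
    _failures: Dict[str, int] = field(default_factory=dict)
    _blocked_until: Dict[str, float] = field(default_factory=dict)

    def wait_remaining(self, account: str) -> float:
        """Seconds until this account may try again (0.0 when allowed now)."""
        key = account.lower()
        return max(0.0, self._blocked_until.get(key, 0.0) - self.clock())

    def record_failure(self, account: str) -> float:
        """Register a bad attempt and return the new delay (jitter applied)."""
        key = account.lower()
        self._failures[key] = self._failures.get(key, 0) + 1
        base = delay_after_failures(self._failures[key])
        # jitter in [-fraction, +fraction] of the base delay
        jitter = base * self.jitter_fraction * (2 * self.rng.random() - 1)
        delay = max(0.0, base + jitter)
        self._blocked_until[key] = self.clock() + delay
        return delay

    def record_success(self, account: str) -> None:
        """A correct login clears the counter so the real user is not punished."""
        key = account.lower()
        self._failures.pop(key, None)
        self._blocked_until.pop(key, None)


def attempt_login(throttle: AccountThrottle, account: str, password: str,
                  check: Callable[[str, str], bool]) -> str:
    """One login attempt; returns 'throttled', 'ok' or 'bad'.

    The throttle is consulted before the credential check runs, so a blocked
    account costs the server nothing but a dictionary lookup.
    """
    if throttle.wait_remaining(account) > 0:
        return "throttled"
    if check(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad"
```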
PCI was written by banks and, worse, credit card processors.