Slashdot Mirror


Deloitte: Use a Longer Password In 2013. Seriously.

clustro writes "Deloitte predicts that 8-character passwords will become insecure in 2013. Humans have trouble remembering passwords with more than seven characters, and it is difficult to enter long, complex passwords into mobile devices. Users have not adapted to increased computing power available to crackers, and continue to use bad practices such as using common and short passwords, and re-using passwords across multiple websites. A recent study showed that using the 10000 most common passwords would have cracked >98% of 6 million user accounts. All of these problems have the potential for a huge security hazard. Password vaults are likely to become more widely used out of necessity. Multifactor authentication strategies, such as phone texts, iris scans, and dongles are also likely to become more widespread, especially by banks."

83 of 538 comments

  1. I Got It! by pmcizhere · · Score: 5, Funny

    correcthorsebatterystaple. It's a perfectly long, easy to remember password. Just, nobody use it other than me, ok?

    1. Re:I Got It! by Anonymous Coward · · Score: 2, Insightful

      awful password, only 4 symbols long

    2. Re:I Got It! by AliasMarlowe · · Score: 4, Funny

      I currently use "11111111", and Deloitte says I should use at least 9 characters?
      Easy peasy, I'll buy some time by making it 12 characters long: "111111111111".

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    3. Re:I Got It! by LoRdTAW · · Score: 5, Insightful

      A better question would be, what system would allow 1000 password guesses per second to be authenticated? Most systems lock you out after 3 to 5 unsuccessful attempts. And I would hope that smart developers would put a time delay between how fast a user can reattempt to authenticate. So a computer sending authentication attempts in less than one second would be immediately blacklisted as an automated attack. Inserting a second or two delay between attempts would guarantee that. Assuming a computer could brute force a password by trying all possible strings, what system could that possibly be effective against? I can see that it could be useful against an encrypted file, but an online banking site or other eCommerce site sounds impractical. Anyone care to elaborate?

    4. Re:I Got It! by OzPeter · · Score: 5, Informative

      A better question would be, what system would allow 1000 password guesses per second to be authenticated?

      Irrelevant, as the cracking will happen offline after the bad guys have stolen your PW DB by exploiting other weaknesses in your system

      --
      I am Slashdot. Are you Slashdot as well?
    5. Re:I Got It! by Archangel+Michael · · Score: 2

      The fastest typist can type 100 - 150 WPM, so let's use that metric for designing systems requiring "human" input, like passwords. Artificially limiting brute force attacks.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    6. Re:I Got It! by alvinrod · · Score: 5, Interesting

      It's bad because much like you can have a computer program randomly combine letters, numbers, and symbols to generate a password, you can simply have the same program combine dictionary words together. There are hundreds of thousands of words in the English language, which would make the number of combinations quite large, but most of those words aren't commonly used so you could ignore them. If you had people generate a four word pass phrase, it's quite likely that most of them would contain only words from a relatively small subset of the English language.

      When I use pass-phrases, I make sure to include some capital letters, numbers, and symbols. This makes it almost impossible to brute force. So for example, 2Correcthorse4batteryStapple! would be a much more secure password, that really isn't any more difficult to remember. It's only using 7 symbols, which makes it fairly easy to remember. Once you type it enough, muscle memory will allow you to enter it without too much issue.

      You could make it even more complex by using slang words, words from other languages, proper nouns, or other such words.

    7. Re:I Got It! by AndrewStephens · · Score: 5, Informative

      True, but nobody tries breaking into a system by logging in ten thousand times a second to a single account. The recent well-publicised break-ins resulted from the hashed password file being publicly available, either stolen through a vulnerability or maliciously leaked. If the attackers have the hashed passwords they can try them at a rate of millions or billions of attempts per second for as long as they want.

      --
      sheep.horse - does not contain information on sheep or horses.
    8. Re:I Got It! by Beardo+the+Bearded · · Score: 3, Interesting

      I'd just double the time it takes for each try.

      First bad password: 1 second to retry.
      Second bad password: 2 seconds to retry.
      Third bad password: 4 seconds to retry.
      Fourth bad password: 8 seconds to retry.
      Fifth bad password: 16 seconds to retry.

      You get the idea. It'll end brute-force and only mildly inconvenience clueless users with fat fingers.

      --
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    9. Re:I Got It! by cheater512 · · Score: 2

      I'd bet that 99% of all login systems on the internet don't have any realistic brute force blocks.
      I believe that is a safe bet.

      Yes more security conscious places such as banks *should* have limits.
      That doesn't affect most of the internet however.

    10. Re:I Got It! by Rob+the+Bold · · Score: 3

      A better question would be, what system would allow 1000 password guesses per second to be authenticated?

      Irrelevant, as the cracking will happen offline after the bad guys have stolen your PW DB by exploiting other weaknesses in your system

      Which makes things even worse, since to protect your account, you're depending on online service "X" to protect and secure their tables of passwords and account names with the best practices available (if convenient). And to make things even worse than that, those guys are counting on the general public to create more entropic and cryptographically secure passwords to secure their authentication data!

      --
      I am not a crackpot.
    11. Re:I Got It! by vux984 · · Score: 5, Interesting

      4 symbols chosen randomly from a dictionary of ~200,000 by a computer not by you because you won't choose words randomly.

      that makes it a 1 in 200000^4 to guess... or 1.6 x 10^21

      compare that to an 8 character password also randomly generated. Passwords which are drawn from a set of around 90 symbols. (50 letters including upper and lower case, 10 digits, and ~30 symbols)

      that's 90^8 or a measly 4.3 x10^15

      a 4 word randomly chosen password from a dictionary is by far the better password, and much easier to remember too.

      An 11 character password of completely random gibberish is about equivalent to 4 random dictionary words. Good luck remembering something like `oN{/QM9PKb

      which is no better than:

      scald obsolescent period postpone

    12. Re:I Got It! by kiddygrinder · · Score: 3, Insightful

      4 symbols, about 180k common words in the English language = 1,049,760,000,000,000,000,000 unique passwords. This thing can do 350 billion password attempts a second, and unless my math is wrong (which it most likely is) it would take 95 years to try all of those combinations.

      --
      This is a joke. I am joking. Joke joke joke.
    13. Re:I Got It! by Anonymous Coward · · Score: 5, Interesting

      I used to do this to the college lab computers (running NT 4 at the time). I'd walk in with a floppy, reboot, copy the SAM file to disk, return to the dorms and crack away. Typically, I'd have the entire password file cracked in 10-12 hours. The machine doing the cracking was a P3 500Mhz. When I did the lab computers, I was shocked to find the administrator password on all the machines was the 5-character room number of the campus's IT department. And, it took about all of 10 seconds to crack. Getting the password file without a bootable floppy proved a little harder, but not much. All you had to do was replace the login screen's screen saver with a copy of cmd.exe, and be patient. Then, a little utility to dump the hashed password from memory. (For a long while, the login "screen saver" ran as SYSTEM). This also worked on Windows 2000 & XP which had an extra layer of encryption over the SAM.

    14. Re:I Got It! by interkin3tic · · Score: 5, Interesting

      Naive question, does anyone still brute force attack passwords? Are there websites out there that will allow you to try more than, say ten times before locking your account? If you're talking about the difference between 10 million different passwords and 4 billion, but facebook will lock down your account after 20 tries, there's not really a significant difference between the two. It seems like my accounts are always being locked down due to trying the wrong password from trying to "brute force" using every password I remember.

    15. Re:I Got It! by dgatwood · · Score: 5, Insightful

      Your definition of "common words" is off by about an order of magnitude from reality, though. A typical person only uses about 10,000–25,000 words on a regular basis, depending on their level of education.

      Even assuming the upper end of that, nearly all people would typically choose from about 3 * 10^17 possibilities, which at 350 billion attempts per second, would take only around ten days to crack. On the lower end, a sizable percentage of people would choose from about 1 * 10^16, which would take about eight hours to crack.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    16. Re:I Got It! by vux984 · · Score: 3, Informative

      If you had people generate a four word pass phrase, it's quite likely that most of them would contain only words from a relatively small subset of the English language.

      Which is why the computer would generate the phrase.

      2Correcthorse4batteryStapple!

      Varying capitalization, and optionally separating the 4 words with 3 character symbols adds: 2*2*2*2*90*90*90*5*4*3 possible permutations: 6.9e8

      Now that's not bad, and it definitely is more secure than the plain 4 words. BUT:

      Assuming 200,000 words in the dictionary. Simply adding 3 more words to the end gives you 8e15 additional permutations.

      8e15 is a LOT bigger than 6.9e8

      And now we are at 7 symbols either way.

      Remembering 3 more words is both easier and ridiculously more secure too.

      Peppering a passphrase with difficult to remember symbols is missing the point. If you want more security, just add another random word or two. Either method increases its brute force complexity, but perhaps counterintuitively, adding a few words is far more secure than mangling the pass phrase with a few symbols.
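
The entropy arithmetic running through the posts above (vux984's 200,000-word dictionary against a 90-symbol alphabet, kiddygrinder's and dgatwood's crack times at 350 billion guesses per second, and the "add words, not symbols" comparison) carried through in code. This is an added example, not code from any commenter; the dictionary size, alphabet size and guess rate are the figures quoted in the thread, and the word list used by the generator is a constructed stand-in for a real diceware list.

```python
import math
import secrets

# Figures as quoted in the thread (assumptions taken from the comments, not measured here).
DICTIONARY_WORDS = 200_000       # vux984's estimate of an English word list
COMMON_WORDS = 25_000            # dgatwood's upper estimate of words people actually use
SYMBOL_ALPHABET = 90             # upper + lower case letters, digits, ~30 punctuation marks
GUESSES_PER_SECOND = 350e9       # the 350 billion/s figure cited by kiddygrinder
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def entropy_bits(alphabet_size, length):
    """Entropy in bits of `length` elements drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)

def equivalent_length(target_bits, alphabet_size):
    """Smallest length over `alphabet_size` symbols that reaches at least `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def exhaustive_search_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Time to enumerate every combination at `rate` guesses per second (worst case for the attacker)."""
    return alphabet_size ** length / rate

def mangling_gain_bits():
    """Extra bits from vux984's mangling count for a 4-word phrase:
    capitalisation of each word (2^4), three separators from 90 symbols (90^3),
    and 5*4*3 digit/placement choices."""
    return math.log2(2 ** 4 * 90 ** 3 * 5 * 4 * 3)

def extra_words_gain_bits(n_words, dictionary=DICTIONARY_WORDS):
    """Extra bits from appending `n_words` more uniformly chosen dictionary words."""
    return n_words * math.log2(dictionary)

def generate_passphrase(words, n_words=4):
    """Pick words with a CSPRNG; the point of the thread is that the user must not choose them."""
    return " ".join(secrets.choice(words) for _ in range(n_words))

if __name__ == "__main__":
    four_words = entropy_bits(DICTIONARY_WORDS, 4)
    print(f"4 random words: {four_words:.1f} bits; 8 random symbols: {entropy_bits(SYMBOL_ALPHABET, 8):.1f} bits")
    print(f"random-symbol length with the same strength: {equivalent_length(four_words, SYMBOL_ALPHABET)}")
    print(f"4 words from 180k: {exhaustive_search_seconds(180_000, 4) / SECONDS_PER_YEAR:.1f} years")
    print(f"4 words from 10k:  {exhaustive_search_seconds(10_000, 4) / 3600:.1f} hours")
    print(f"mangling adds {mangling_gain_bits():.1f} bits; three more words add {extra_words_gain_bits(3):.1f} bits")
    # Constructed stand-in for a diceware word list.
    print(generate_passphrase(["scald", "obsolescent", "period", "postpone", "turgid", "anvil"]))
```

The numbers reproduce the thread: four uniformly chosen words from 200,000 are about 70 bits, the same as 11 random symbols from 90; four words from a 180k list take about 95 years to enumerate at 350 billion/s, while four words from the 10k people actually use fall in about eight hours; and three extra words add roughly 53 bits where symbol mangling adds under 30.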

    17. Re:I Got It! by tattood · · Score: 4, Interesting

      You could also use a password manager, which creates a random, unique password for every site for you. You have to remember one master password to use the program, and it automatically enters the username and password for you when you log into a website.

      Unless your computer is hacked and the master database stolen, it's a pretty decent way to use unique passwords.

      --
      WTB [sig], PST!!!
    18. Re:I Got It! by kelemvor4 · · Score: 2

      Naive question, does anyone still brute force attack passwords? Are there websites out there that will allow you to try more than, say ten times before locking your account? If you're talking about the difference between 10 million different passwords and 4 billion, but facebook will lock down your account after 20 tries, there's not really a significant difference between the two. It seems like my accounts are always being locked down due to trying the wrong password from trying to "brute force" using every password I remember.

      I've often wondered the same thing, and for the same reasons. I'm thinking brute force techniques would only be good against something like encrypted data that the attacker already has but needs the key in order to decrypt. Passwords are out of hand, and it seems to me like password managers are a bad idea from a security perspective. Things like iris recognition sound like a great idea, except the world can't even seem to get simple biometric readers like those on my kids' laptops to work reliably.

    19. Re:I Got It! by dcollins · · Score: 2

      "2Correcthorse4batteryStapple! would be a much more secure password, that really isn't any more difficult to remember."

      For most people, this is false. Among the things I teach are remedial community college arithmetic & algebra classes, as taken by about half the nation's college students, and frankly, they can't remember dick. For example: About 1/2 of our arithmetic students can never remember the one-digit multiplication table; about 1/2 of our algebra students can never remember operations on negatives.

      Yes, systems allowing for very long passphrases are necessary and desperately needed, and it's shameful to not have them yet. But you're entirely missing the point to argue that we need to go back and insert more symbolic gobbledygook into them. Whatever you think you're gaining from that: just make the passphrase longer by what it takes to get the same information content, and then it's still secure and memorable to non-technical people.

      --
      We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
    20. Re:I Got It! by Cramer · · Score: 2

      ALL passwords are security through obscurity. The whole point of the password is that no one else knows what it is, or what it looks like. To that end, his password is perfectly secure... until a hacker knows it's mostly periods. That's not something any random hacker is going to know, or even try.

    21. Re:I Got It! by buchner.johannes · · Score: 5, Funny

      Use a 2 for extra security. Computers can only find ones and zeros.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    22. Re:I Got It! by Anonymous Coward · · Score: 5, Insightful

      Password too long, please enter 8-12 characters.

    23. Re:I Got It! by AmiMoJo · · Score: 2

      We need to stop trying to remember multiple passwords entirely. Most browsers already remember passwords for you, with only a single master one needing to be committed to memory. The problem is they tend not to share the information between PCs and other devices.

      An NFC enabled phone would be ideal. Store passwords on the phone, and when they need to be typed in beam them to whatever PC or device you are using via NFC. That way there is no need to trust the device receiving the password to protect your password database (or the credentials needed to access/decrypt it) and everything is stored in one place that you always have access to.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    24. Re:I Got It! by SethJohnson · · Score: 4, Insightful

      Beardo, This is a great mechanism for me to abuse to lock all your users out of the system.

      Great thinking, there.

      Seth
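
Beardo's doubling delay (1, 2, 4, 8, 16 seconds) and Seth's objection to it, as an added example that is not code from either poster. Keying the penalty on the account alone is what lets a third party lock the real user out; the throttle below keys it on the (account, client) pair and caps the delay, so a burst of failures from one source slows that source without touching the legitimate user elsewhere. The `clock` parameter, the client identifier and the `verify_credentials` callback are assumptions of this example, not anything the thread specifies.

```python
import time
from dataclasses import dataclass

MAX_DELAY_SECONDS = 60.0  # cap: failures can never push an account into an unbounded lockout

@dataclass
class FailureState:
    failures: int = 0
    retry_at: float = 0.0

class LoginThrottle:
    """Exponential backoff on failed logins, scoped to (account, client).

    Scoping to the account alone would let anyone who knows a username keep it
    locked by sending wrong passwords; scoping to the source of the failures
    still slows online guessing but leaves the genuine user unaffected.
    `client` stands for whatever identifies the source (address, device token).
    """

    def __init__(self, base_delay=1.0, max_delay=MAX_DELAY_SECONDS, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock          # injectable for deterministic tests
        self._state = {}

    def seconds_until_allowed(self, account, client):
        st = self._state.get((account, client))
        if st is None:
            return 0.0
        return max(0.0, st.retry_at - self.clock())

    def record_failure(self, account, client):
        """Double the wait after each failure: 1, 2, 4, 8, 16 ... up to max_delay."""
        st = self._state.setdefault((account, client), FailureState())
        delay = min(self.base_delay * 2 ** st.failures, self.max_delay)
        st.failures += 1
        st.retry_at = self.clock() + delay
        return delay

    def record_success(self, account, client):
        self._state.pop((account, client), None)

def attempt_login(throttle, verify_credentials, account, password, client):
    """Returns 'throttled', 'bad_password' or 'ok'. verify_credentials(account, password)
    is the caller's real check (a salted slow hash in practice)."""
    if throttle.seconds_until_allowed(account, client) > 0:
        return "throttled"
    if verify_credentials(account, password):
        throttle.record_success(account, client)
        return "ok"
    throttle.record_failure(account, client)
    return "bad_password"

if __name__ == "__main__":
    # Constructed demo: a plaintext lookup stands in for the real credential check.
    users = {"alice": "constructed-demo-password"}
    verify = lambda acct, pw: users.get(acct) == pw
    th = LoginThrottle()
    for _ in range(5):
        print("delay after failure:", th.record_failure("alice", "guessing-host"))
    print("alice from her own laptop waits:", th.seconds_until_allowed("alice", "alice-laptop"))
    print(attempt_login(th, verify, "alice", "constructed-demo-password", "alice-laptop"))
```

Per-source scoping is not a complete answer on its own: an attacker spread across many sources still gets a fresh budget per source, so a global failure rate on the account (alerting, step-up authentication) belongs alongside it rather than a hard account lock.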

    25. Re:I Got It! by tibit · · Score: 2

      You mean "o31pe41na59lsoso26onagain54" is easy to find? You on crack or something? Protip: passphrases can be sprinkled with "line noise". Someone may use prime number sequence to space line noise, and digits of pi for line noise proper. Someone else may use, well, something else. You see where it's going. Good luck with figuring it out.

      --
      A successful API design takes a mixture of software design and pedagogy.
    26. Re:I Got It! by vux984 · · Score: 4, Insightful

      An NFC enabled phone would be ideal. Store passwords on the phone.

      Meanwhile police around the country are facing an epidemic of cell phone thefts.

      everything is stored in one place that you always have access to.

      Well, you have access to it unless it was stolen.

      Or you dropped it and now it's broken.
      Or the battery is dead.
      Or ...

    27. Re:I Got It! by anubi · · Score: 2

      What if you used an image as a password?

      Or hash a 1 Kilobit key from that image?

      If you took the image yourself with your own camera, you can be pretty sure you are the only one in the world who has an exact digital copy of it.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

    28. Re:I Got It! by DarkOx · · Score: 4, Informative

      The answer is yes, but it's not the guy you think doing it. We still live in a largely single factor authentication world. Since you used facebook as an example I will too, but hopefully you can see how and why similar issues could come up in other organizations.

      You are correct in that there are very few online brute force attacks, because as you say effective controls exist: timeout intervals, lock outs etc. on most systems. Somewhere there is a file or table with password hashes, ideally salted. This is vulnerable to brute force because you don't use the 'system' to try and log in; you build your own hash generator that works through a word list generating hashes and seeing if any match. The size of a good word list, say the Oxford dictionary, with each word also spelled with some typical numeric substitutions and followed by various arrangements of !, 4theWin! etc. is pretty large. When you then multiply that out by the number of possible salt values you end up with a word + set of hashes that is many TB in size. It's too large to search efficiently without special purpose built systems. This is known as a rainbow table; it used to be popular but CPUs and GPUs have gotten so much faster they make sense in fewer cases.

      Because searching the rainbow table takes so long and salts are now known to you, it's actually faster to generate the [list of salts] * [word list entries] on the fly and see if you match any of the password hashes. If you do match one you now know the password. This is the sort of attack people mean when they say brute force password attack now, most of the time.

      So how would an attacker get the password file? Well in many cases it would be an inside job. Let's assume facebook has a policy that employees are not allowed to bypass the privacy controls and access the pages of celebrities, politicians, etc. Admins can do it because it's sometimes a requirement of their job, but the back end systems always audit this sort of activity. So someone abusing the master key will be punished. Now let's also suppose access to the master password file is also protected fairly well. Attempts to read it by non-authorized processes etc. are logged. Ah, but what if someone replaces a RAID disk in an authentication server that was not really bad? Is it possible it could be read off a backup tape by an operator who knows the key etc.? There are probably holes insiders might use, even in mostly secure environments.

      So now mister admin that really wants to know who K.Stu is banging this week can take the password file home with him and brute force it. Once he has her password, he can log in as her. The password has not been reset, which might have been logged, or noticed by the user and reported etc., so chances are he can do whatever he wants with very little chance of detection and no audit trail that will point back to him; remember he has stolen the user's identity. So yes, he might have gotten the data anyway through other means, but this way he can do it with everyone being unaware.

      This is one of the holes that strong passwords and semi frequent rotation are seeking to close. The hope is if it takes enough weeks to brute force, you will have changed it by the time it's been cracked.


      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
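
The offline attack DarkOx, OzPeter and AndrewStephens describe, and the two defences that address it (a per-user salt, so one precomputed table cannot serve every user, and a deliberately slow hash, so each guess costs the attacker real work), as an added example that is not code from any commenter. The word list and user passwords are constructed for the demonstration; PBKDF2-HMAC-SHA256 from the standard library stands in for whatever slow KDF a real system uses, and the iteration count is an assumption.

```python
import hashlib
import hmac
import os

# Constructed sample word list (stand-in for the dictionary DarkOx describes).
WORDLIST = ["password", "letmein", "correcthorse", "qwerty123"]

def fast_unsalted_hash(password):
    """What a naive system stores: a single fast hash with no per-user salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_precomputed_table(words):
    """Built once, this reverses the unsalted hash of every word for every user at once.
    It is the reason a leaked unsalted table falls in seconds."""
    return {fast_unsalted_hash(w): w for w in words}

def lookup(table, digest):
    return table.get(digest)

PBKDF2_ITERATIONS = 200_000     # assumed work factor; tune to ~100 ms per check on the server

def make_record(password, salt=None):
    """Stored record: random 16-byte salt plus a slow salted hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}

def verify(record, password):
    """Constant-time comparison so the check itself leaks nothing about the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])

def demonstrate():
    table = build_precomputed_table(WORDLIST)
    # Two users with the same weak password. Unsalted: identical hashes, one lookup recovers both.
    unsalted = [fast_unsalted_hash("letmein"), fast_unsalted_hash("letmein")]
    recovered = [lookup(table, d) for d in unsalted]
    # Salted and slow: same password, different records; the table matches nothing,
    # and every guess against every user costs a full PBKDF2 run.
    r1, r2 = make_record("letmein"), make_record("letmein")
    return {
        "recovered_from_unsalted": recovered,
        "salted_hashes_equal": r1["hash"] == r2["hash"],
        "salted_table_hit": lookup(table, r1["hash"].hex()),
        "verify_correct": verify(r1, "letmein"),
        "verify_wrong": verify(r1, "password"),
    }

if __name__ == "__main__":
    for k, v in demonstrate().items():
        print(f"{k}: {v}")
```

Salting does not make a weak password strong; it only forces the attacker to pay the full per-guess cost for each user separately, which is exactly why the slow hash matters as much as the salt.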
    29. Re:I Got It! by Luckyo · · Score: 4, Insightful

      No. But it makes good headlines and sells whatever "security expert of the day" happens to be peddling.

      On most of the web, a good secure 8 random character password that you don't reuse on other sites is about a few orders of magnitude too secure for hackers to even bother thinking about cracking. The "account hacks" are usually about people managing to steal a list of user names and passwords from some shitty forum that has an old version of BBS software, and then trying those combinations of user names and passwords on other sites. Pretty much all brute force methods require direct access to a database that is badly encrypted (perhaps behind a weak password that they intend to crack?).

      Other than these scenarios, the vast majority of "your password is too short and as a result not secure" is scaremongering bullshit.

      Full disclosure: I have several battle.net accounts, a LoL account and countless other similar game accounts that are very much wanted in the hack and sell world, all under the same email. I get absolutely hammered by "your account is being closed for hacking, click here to fix" phishing emails and other similar bullshit on that email address. My WoW account was very valuable for a couple of years (very good server, easily within top 0.1% of people in terms of wealth and in top 1% in terms of rare items and progression, legendary and so on). Didn't get hacked a single time. Several guildies and countless people I know had their accounts hacked during this time, some more than once. I used, and still use a short UNIQUE password for each account. Not a single account breach.

      Why? Because no one sane brute forces remote passwords when doing actual hacking for profit. It's bloody stupid to even bother trying. There are far more profitable and easier methods, that actually work.

    30. Re:I Got It! by dgatwood · · Score: 4, Funny

      And then you have a password that you won't readily remember, because you haven't seen the word "turgid" since the SAT.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    31. Re:I Got It! by camperdave · · Score: 3, Funny

      What, like "12characters"?

      --
      When our name is on the back of your car, we're behind you all the way!
    32. Re:I Got It! by anagama · · Score: 2

      You may have a problem with true random number generation if you let a computer pick for you.

      You could try diceware instead -- it's pretty unlikely you'll end up with dice that have some kind of vulnerability built into them that will compromise your password picks. Plus it costs a tiny fraction of a true random number generation card.

      http://world.std.com/~reinhold/diceware.html

      --
      What changed under Obama? Nothing Good
    33. Re:I Got It! by tibit · · Score: 2

      I think it goes like this. The world moves ahead. We're arriving at a society where people who don't dig technology at the basic level become third class citizens. Demonstrably, some logical thinking and memorization skills that go beyond the rudimentary are becoming a thrive-or-perish kind of a thing. Technology has started applying selection pressure, and I'm only happy that it's becoming so. There is a point at which you just can't help people who don't grok some things. They have to die out, and only hope that the next generation of their kin is any better. People with silly passwords and risky online behaviors will negatively affect their workplaces, so they'll have problems with their jobs, they'll be fighting stolen identities, they'll be really in for a world of hurt. Again, I'm OK with that.

      We've arranged a global civilization in which most crucial elements profoundly depend on science and technology. We have also arranged things so that almost no one understands science and technology. This is a prescription for disaster. We might get away with it for a while, but sooner or later this combustible mixture of ignorance and power is going to blow up in our faces.

      Carl Sagan, The Demon-Haunted World: Science as a Candle in the Dark

      We're at a stage where it blows up in our individual faces. Eventually it'll affect the larger human collective as well.

      --
      A successful API design takes a mixture of software design and pedagogy.
    34. Re:I Got It! by fredprado · · Score: 2

      Just add a fifth word. Still easy to remember and brings the time to something near what he wants, even with 20K or so "common" words.

    35. Re:I Got It! by MadKeithV · · Score: 2

      And then you have a password that you won't readily remember, because you haven't seen the word "turgid" since the SAT.

      Inconceivable!

  2. Until artificial limits are removed... by eksith · · Score: 5, Insightful

    I used my online banking today and they limit to 8 characters EXACTLY... even though they demand a non alpha-numeric character and mixed case. I keep thinking, these idiots still don't get it. Also, obligatory.

    --
    If computers were people, I'd be a misanthrope.
    1. Re:Until artificial limits are removed... by DigiShaman · · Score: 2

      Some financial, investment and health insurance sites (I will not cite for my own protection) specifically will not allow upper case and special characters (! @ # $ % etc). Oh, and they must be a minimum of 8 but not more than 12 or some such. WTF? How is that secure?!

      --
      Life is not for the lazy.
    2. Re:Until artificial limits are removed... by eksith · · Score: 5, Interesting

      That's usually a guarantee they don't hash passwords :/

      Or they use some kind of encoding scheme instead that just lengthens with password size and letter case (DB field width will get maxed out) and don't use parameters for DB inserts/updates so special chars would wreak havoc with queries. Sometimes that's because they're running ancient software, but other times it's pure and simple laziness or disregard. It's hard to care about a project under near-slave-labor conditions in some of those sweatshops.

      --
      If computers were people, I'd be a misanthrope.
    3. Re:Until artificial limits are removed... by mentus · · Score: 5, Interesting

      Don't complain too much. The convenience vs security balance can all too quickly tip to the [lack of the] former. Doing online banking in Brazil in any of the major banks is becoming a major PITA. Santander for instance, requires you to install a browser plugin (available in native version for IE or Firefox, or via Java in the case of Chrome) just to be able to login to the IB. You also need a special IB-only password which must be numbers and letters (mixed-case), and if you type it incorrectly more than 2 times, they automatically suspend your IB password and you need to talk to your account manager to be able to unblock it.

      Do you think that's all? Nope. With that you can only use IB in 'read only mode', not being able to perform any transaction that might make a debit to your account. Then you have to request a 'codes card', which is basically a very cheap version of a token, albeit a little less secure. Upon completion of each transaction you'd be required to type one of the codes in your card. Thing is, fraudsters caught up to that pretty quickly, and started sending phishing mail where they'd lead the baits to a website passing as the bank asking them to type all their codes for 'security purposes'.

      So then they made it compulsory to register each computer you use IB with, therefore forcing you to use a whitelist to enable trusted computers. You actually have to go in person to an ATM machine and use your debit card + 3 letter PIN + 4 digit debit PIN to authorize each computer. Thing is, so many people have machines so full of malware that this wasn't enough to stop the fraudsters.

      Next in line was their latest addition: now in order to be able to make transactions online, not only must you have the IB password, install a proprietary browser 'security plugin', the token card, authorize your machine previously on an ATM with your debit card + 3 letter PIN + 4 digit debit PIN, you also must have a mobile phone on your file with the bank. Then, after you use all your passwords and code card in a trusted machine, they then generate a 7-digit code that is sent via SMS to your mobile phone (which can also be only updated in person or in an ATM with both pins).

      What if you don't have a mobile phone? What if you don't have signal at the moment you want to perform the transaction? What if your phone battery is out of charge? Well, tough luck, you'll have to go to a Santander ATM machine, because all these security paranoia features are mandatory...

      The thing is, this is a perfect example of adverse selection in effect, so now every bank is demanding you to install proprietary plugins (which are usually modified rootkits themselves..) to ensure the safety of your machine before being able to use any IB. Some are already demanding the use of SMS on a per-transaction basis and the process of using IB is getting more inconvenient by the day...

      When I compare that with the breeze that is using the IB for my HSBC account in the US... it makes me wonder how much inconvenience is enough to tolerate...

  3. Re:Passwords are shit. by maxwell+demon · · Score: 2

    But it takes much longer to type in

    --
    The Tao of math: The numbers you can count are not the real numbers.
  4. Two factor authentication by pwnies · · Score: 4, Insightful

    Don't use a longer password, just use two factor authentication.

    1. Re:Two factor authentication by swilde23 · · Score: 3, Insightful

      As long as it's actual two-factor authentication. None of the fake crap that people call two-factor.

      For the record, asking me to pick a picture isn't a second form. Something you know, something you have, etc...

      --
      There are 10 types of people in the world. Those that understand this sig, and those that beat up people who do.
    2. Re:Two factor authentication by swillden · · Score: 4, Insightful

      As long as it's actual two-factor authentication. None of the fake crap that people call two-factor.

      No kidding. My bank (I really need to change) uses two factor authentication. To log in you have to know both the username and the password! In order to make this more secure, they apply password quality requirements to both. Yes, that's right, your username must be mixed case and contain alphabetic and numeric characters, and must be at least 8 characters in length. Symbols are not allowed, however, since that would just be weird.

      For the record, asking me to pick a picture isn't a second form.

      Most places that use a picture aren't using it as a second authentication factor. It's an anti-phishing countermeasure. The idea is that you pick a picture when you set up your account and then every time you log in you should see your picture. If you don't see your picture, then you know you aren't really looking at your bank's (or whatever) web site, but an attack site. Of course it's not an effective countermeasure against attack sites that use your credentials to connect to the real bank site in the background, get the picture from the bank and then show you what you expected to see. But it does prevent some phishing.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Two factor authentication by xaxa · · Score: 2

      The Google Authenticator thing is open source etc -- you can add it to PAM (on Linux), so you can authenticate for SSH or sudo.

      I followed this a while ago, and didn't have any problems: http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/ (although I haven't kept using it, it was just an experiment).

      There were some notes on making the implementation more secure, but I can't find the bookmark.

    4. Re:Two factor authentication by swillden · · Score: 2

      That's actually a reasonable two-factor approach, IMO. The second factor is something you have: the phone. It's on you to give them a number for a phone you have fairly exclusive access to, but that's not too hard.

      As for the fact that they use it to mark your computer as "trusted", that's also quite reasonable. What they're actually doing is converting the phone call/SMS second factor into a cookie second factor. Essentially making your trusted computer's browser's cookie store the second factor. That's not tremendously secure, but it's also not bad unless your computer is compromised. The thing about many two-factor schemes is that they slow down authentication so much that people refuse to use them. So the bank allows you to degrade the security slightly via the authentication cookie (which likely expires after a while) in order to make login more convenient. If you don't want that greater convenience, don't ever check the "remember this computer" checkbox. Most people do.... and yet it really does significantly increase the obstacles for an attacker.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re:Two factor authentication by AmiMoJo · · Score: 3, Insightful

      Apologies for picking on you, but I'm getting fed up with deliberately unverifiable anecdotes on Slashdot. You could easily say which bank with no risk to yourself or the bank, simultaneously allowing us to confirm what you say and avoid said bank ourselves. But no, you deliberately keep it vague and avoid mentioning the name.

      I'm willing to give you the benefit of the doubt here. You probably aren't karma whoring with a made-up anecdote that is sure to please the Slashdot masses. A lot of posters clearly are being deliberately non-specific to make their made-up story impossible to disprove though.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:Two factor authentication by swillden · · Score: 2

      You could easily say which bank with no risk to yourself or the bank, simultaneously allowing us to confirm what you say and avoid said bank ourselves. But no, you deliberately keep it vague and avoid mentioning the name.

      I didn't do it deliberately, just didn't do it.

      First Bank of Colorado. http://www.efirstbank.com./ Though if you really want to check my anecdote you'll have to go to a branch and open an account.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  5. Duh...OK. by Ol Biscuitbarrel · · Score: 4, Funny

    hunter22

    1. Re:Duh...OK. by Capt.DrumkenBum · · Score: 2, Informative

      44 actually.
      You are only young once, but if you are lucky you can be immature forever. :)

      --
      If I were God, wouldn't I protect my churches from acts of me?
  6. Re:Why the heck are faster computers a problem at by wiredlogic · · Score: 3, Insightful

    We should have legislation prohibiting cleartext and unsalted password storage. At least for any site that handles money. That will help quite a bit to inhibit the sort of casual database cracking that goes on today.

    --
    I am becoming gerund, destroyer of verbs.
  7. Deloitte, get out from under the rock by jfurcean · · Score: 2

    It sounds like Deloitte has been partying like it's 1999.

  8. I love old news. by mcmonkey · · Score: 4, Insightful

    The relationship between password length and password strength is old news.

    But don't tell users, tell the programmers and system admins. I regularly encounter systems where max password length is 12 or fewer characters. For some reason there are also systems that don't allow characters other than letters and numbers in passwords.

    Let us make longer, more secure passwords. Let us use special characters, unicode, tabs and spaces!

    1. Re:I love old news. by SuricouRaven · · Score: 5, Informative

      xapsdogien32
      > Error: Must include at least one punctuation character.
      xapsdogien32!
      > Error: Must not contain a dictionary word.
      xapsd_ogien32!
      > Error: Maximum length twelve characters.
      psd_ogien32!
      > Error: Must include an uppercase character.
      A1!
      > OK

    2. Re:I love old news. by swillden · · Score: 5, Interesting

      12? I know a freaking BANK where the character limit for the password is 8. Yep, 8 character password to online banking.

      I was an IBM security consultant for about 10 years. I worked for all sorts of corporations big and small, talking to them about their security practices. Do you know which industry consistently had the worst security practices? Banking. It's amazing. I once talked to a bank that moves very large amounts of money (9+ figures) daily in wire transfers, communicated by kermit transfer of unencrypted files over a dialup modem. This was around 2005, and it actually wouldn't shock me to learn they're still doing it the same way.

      Now I work for Google, and part of my job entails setting up secure communications with banks. Almost without exception every bank tries to argue us into lowering our security requirements. It's not like we're asking for anything crazy, either: strong encryption and mutual authentication using standard algorithms and protocols and adequately-large keys (e.g. 2048-bit RSA, 128-bit AES, etc.), with proper key exchange protocols and periodic key rotations. It's not rocket science, but it's beyond the IT staff of most banks.

      I am frankly amazed that there aren't more major security breaches in our banking infrastructure.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  9. Git Rid of Asinine Password Requirements First by Secret Agent Man · · Score: 5, Insightful

    • Minimum lengths? Sounds good.
    • Require a non-alphanumeric symbol? Sounds good.
    • Must have at least one lowercase letter, capital letter, punctuation, number? Uh...
    • Max length of 12 characters. Wat?

    Some password requirements are perfectly acceptable, even encouraged. There exist plenty, however, that just make one scratch one's head. Why would a maximum length any lower than several hundred characters ever be necessary? More egregious limitations include requiring an insanely complex number of symbol/letter/number combinations (easy for AI, hard for humans, as XKCD eloquently points out) and, of course, passwords restricted to numbers only. Sadly financial institutions seem to be fond of this one, possibly under the mentality that a PIN is just as good as a password, and customers won't forget that!

    1. Re:Git Rid of Asinine Password Requirements First by PRMan · · Score: 2

      Why would a maximum length any lower than several hundred characters ever be necessary?

      Because it's on a mainframe. I worked for a place where there was a limit of 8 alphanumeric characters because they didn't want to change the width of the mainframe column. I finally convinced them to have a long, hashed web password separate from the mainframe that then looked up the (of course unencrypted) mainframe password and then fed the mainframe password into it for the call. While still insecure internally, at least we were secure EXTERNALLY.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
  10. Secret Plans by SJHillman · · Score: 5, Informative

    I think some places encourage short passwords. StudentLoans.com is Citibank's site for, you guessed it, student loans. The MAX password length is eight characters. That only encouraged me to pay off my loan to them faster just so I wouldn't have to deal with security like that.

    Of course, nowhere in the signup do they warn you that only the first eight characters of your password will be accepted, nor does the login box limit you to inputting eight characters. I signed up with abcdef12345678 and tried signing in with abcdef12345678 but it gave me password refused. By luck, I tried abcdef12 and it worked. Screw Citi and all of the others still using password schemes from the early 90s.

  11. Re:Passwords are shit. by LordLucless · · Score: 4, Insightful

    Probably not. I can type my mis-spelt Shakespeare quote of a passphrase faster than I can type an obtuse non-alphanumeric-laden password, because I'm far better at typing English sentences than I am weird symbol sequences.

    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  12. Re:Passwords are shit. by Wonko the Sane · · Score: 4, Insightful

    Because a lot of websites, especially financial sites, have stupid limitations on password length and/or complexity.

  13. Use TPM by Chemisor · · Score: 4, Interesting

    Instead, store your password on a TPM chip, from where the hash can not be stolen and where the attempt rate can be regulated. This way even 7 character passwords can be quite secure.

  14. Re:Sites that prevent the browser from remembering by pmontra · · Score: 2

    Use keepassx. Usernames and passwords won't be stored in your browser and that could be annoying, but you'll always be able to paste them into any login form. Or at least I never experienced any problem. There is also an Android version and you can copy the password db file among devices (dropbox or manual file copy).

  15. It would be nice... by Junta · · Score: 2

    If 99% of sites didn't put such a restrictive short length on their password length. I can remember and don't mind typing a pretty long sentence, but then the site generally complains because of the spaces or because I exceeded something silly like a 33 character limit. I will also say that some forbid special characters, some require. If you are going to stick me with no more than about 12 characters and refuse use of symbols like & and $, it's asinine. If you see that I have a 48 character password and complain that not one of them is 'special', you are impairing my ability to use a memorable password of appropriate length...

    --
    XML is like violence. If it doesn't solve the problem, use more.
  16. Re:Biological validation by Anonymous Coward · · Score: 3, Insightful

    From the point of view of a remotely-accessible device, biometrics and passwords are identical. Any device can send a bit string and claim to have obtained it from a biometric scan, even if the bio in question is not present. As a result, they do not solve the problem of verifying the identity of a user.

    Even worse, you end up using essentially the same password for everything, it can never be changed, and you carry it around everywhere you go on your face or hands.

  17. no solution by Tom · · Score: 4, Insightful

    Password length matters to brute force attacks - and if your application allows a brute force attack to happen, it is broken already, insecure by design.

    Enforcing longer passwords will not improve security for real-life cases. Enforcing more cryptic passwords will actually reduce security for real-life cases. Why? Because people will need to type slower, making shoulder-surfing easier. People will start to write passwords down, and they will re-use passwords more often.

    You can't solve this issue with simple solutions like "use longer passwords". The only thing that will do is make "password1234" the new standard instead of just "password".

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:no solution by GWRedDragon · · Score: 2

      Isn't it funny how "require more complex passwords!" has risen to the level of knee-jerk groupthink mantra, and typically anyone questioning it is shouted down as ignorant?

  18. Re:99% blame on system administrators. by SuricouRaven · · Score: 2

    Two reasons:
    Firstly, because the attacker may not need to authenticate against the server, if they have managed to hack in and get the encrypted password or found a way to determine it by MITMing a legitimate authentication.
    Secondly, because what you describe is itself abusable for DoS attacks. It allows an attacker to simply log in repeatedly with a bad password to disable an account. Even if the account can be reenabled after some effort, that's enough to cause serious disruption in some fields. Lock the competitor's salespeople out on the morning of a big conference, or use it to delay members of an opposing MMORPG team while your own people storm their territory.

  19. not my problem by Charliemopps · · Score: 3, Informative

    I've got logins for what... 200 sites? This is a problem for the sites, not me.
    Passwords don't work. Think of something new. I can not remember 200 passwords that are 9+ characters, can't contain real words, have special characters and God knows what else.

    The solution for the end user? Don't use these sites for anything important. Don't store any personal information. Don't do business with sites that retain your credit card number and give you no option to not store it.

  20. Just use voice recognition already! by sl4shd0rk · · Score: 2

    I speak all my passwords aloud into either my desktop microphone, laptop microphone or mobile microphone. This allows me to use the longest phrases without having any difficulty typing. People get a bit annoyed when I'm using the computers at the library but I explain it's all in the best interest of security.

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  21. I already use a 25 character password. by elucido · · Score: 4, Funny

    So this (just use an 8 character password) is for sissies. I also don't write my passwords down and they include special characters, large and small letters, numbers, and are completely random. It's not possible to crack a 25 random character password. I suggest everyone follow me and use 25 characters at least.

    1. Re:I already use a 25 character password. by drinkypoo · · Score: 2

      I can't tell if you are joking. Why would it be impossible to crack?

      Serious whoosh. Everyone knows that a 25 character password will only be impossible to crack until 2038.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  22. Er... "delay loop"? by Empiric · · Score: 2

    This strikes me as largely a non-issue caused by poor login security design.

    Why not simply code the authentication such that for every successive request that fails to a given account, an enforced delay of, say, the square of the number of sequential login failures to that account, in seconds, is applied before the next attempt?

    This would allow for actual humans to make several errors at a slowly-increasing wait each time, whereas for a scripted attack, after 200 tries we're up to 11 hours per try and growing fast. It seems that a brute-force attack becomes entirely unlikely to succeed under these conditions.

    Standard Linux distros interject a delay between login attempts, why isn't this considered basic and expected good design for all login authentication contexts?

    --
    ~ Whence do you come, slayer of men, or where are you going, conqueror of space?
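The "square of the number of sequential failures, in seconds" throttle described above, as an added example that is not code from any poster here. It implements the per-account delay, checks the 200-try figure (200² s is just over 11 hours, and the cumulative wait to get there is about a month), and also shows the side effect SuricouRaven raised further up: a stranger's failed attempts against an account throttle its legitimate owner too. `QuadraticThrottle`, `FakeClock` and the helper names are assumptions for illustration.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0        # consecutive failed attempts for this account
    last_failure: float = 0.0  # clock reading of the most recent failure


class FakeClock:
    """Controllable clock so the throttle can be exercised without sleeping."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class QuadraticThrottle:
    """Per-account login throttle: after n consecutive failures the next
    attempt is refused until n**2 seconds have passed since the last failure."""

    def __init__(self, clock=time.monotonic) -> None:
        self.clock = clock
        self.state: dict[str, AccountState] = {}

    @staticmethod
    def required_delay(failures: int) -> float:
        return float(failures * failures)

    def wait_remaining(self, account: str) -> float:
        st = self.state.get(account)
        if st is None or st.failures == 0:
            return 0.0
        elapsed = self.clock() - st.last_failure
        return max(0.0, self.required_delay(st.failures) - elapsed)

    def attempt(self, account: str, password_correct: bool) -> str:
        """Returns 'throttled', 'rejected' or 'ok'. While throttled the
        credential is not evaluated at all, so no information leaks about it."""
        if self.wait_remaining(account) > 0:
            return "throttled"
        st = self.state.setdefault(account, AccountState())
        if password_correct:
            self.state.pop(account, None)   # success resets the counter
            return "ok"
        st.failures += 1
        st.last_failure = self.clock()
        return "rejected"


def per_try_delay_hours(tries: int) -> float:
    """Delay imposed before attempt number tries+1, in hours (200 -> ~11.1)."""
    return QuadraticThrottle.required_delay(tries) / 3600.0


def total_delay_days(tries: int) -> float:
    """Minimum wall-clock time to get through `tries` attempts, in days:
    sum of k**2 seconds for k = 1 .. tries-1 (200 tries -> ~30.6 days)."""
    n = tries - 1
    return (n * (n + 1) * (2 * n + 1) / 6) / 86400.0


def lockout_side_effect() -> str:
    """A third party fails three times against 'bob'; bob then presents the
    correct password and is throttled for 9 s. This is the DoS concern."""
    clk = FakeClock()
    th = QuadraticThrottle(clock=clk)
    for wait in (0.0, 1.0, 4.0):          # attacker waits exactly the required delay
        clk.advance(wait)
        th.attempt("bob", False)
    return th.attempt("bob", True)       # legitimate owner is refused: "throttled"
```

Because the counter is keyed on the account and not on the source of the attempts, anyone who knows a username can keep its owner waiting; production systems usually combine such a throttle with per-source limits for that reason.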
  23. Re:There should be a limit to password retries. !0 by elucido · · Score: 4, Funny

    My data is backed up to the cloud. Try wiping that.

  24. When do "they" ever learn? by futhermocker · · Score: 2

    Forcing people to change their password to comply to "their" rules only makes passwords weaker.
    Users should be taught to create passwords with a formula or pattern for each separate site or service and to NEVER EVER use the same password twice.

    For example, name of the site, year of signup, a non character and a non guessable unique postfix: slashDot2012@noncoward
    And no, this is not my formula nor my password, heh...

    Also, strictly reinforcing policy forcing people to change it every X weeks, will eventually lead to people writing it down on a post it and stick it underneath their keyboard or even on a visible place. Just walk through an office and look around.

    Google gets it, I have had the same password since signup, years ago. They warn sometimes, but you can click that away without being forced to change it or else you cannot login. When a site or service forces me to change my password, they essentially tell me they are insecure about their security...

    --
    KERNEL PANIC -SIGFAULT AT ADDRESS #51A54D07
  25. Rodney McKay's password? by cashman73 · · Score: 2

    What about a variant of Rodney McKay's password from Stargate Atlantis? "16431879196842" -- use the year of Isaac Newton's birth, the year of Albert Einstein's birth, your birth year, and the number 42. You could swap out the birth years of other famous supergeniuses and even add a third person for added security. I bet CowboyNeal uses the birth years of CmdrTaco and his mom for his password... ;-)

  26. Re:Biological validation by elucido · · Score: 2

    There's going to be a shift from passwords in general. Not only are they often insecure, but there's no verification that the person typing in the password is the user who owns it.

    No, we're going to switch to biological means. This will be more secure, but as a side effect, there will be more assaults in which the eye/finger/penis is removed and used to gain access to these bio-protected systems.

    If someone has to remove your penis to get your password perhaps you should choose another profession.

  27. Password strength should match importance by erice · · Score: 2

    I at least try to use better passwords for more important logins. I don't waste brain power or, worse, reuse high quality passwords for sites where it really doesn't matter if my account gets hacked.

    The annoying trend I see is that the sites that most often enforce "better" passwords are the ones I don't care about. Must have at least one upper and one lower character, must have a non-alphanumeric character, no more than two consecutive characters: All this just so I can post to a web forum. Meanwhile the bank will accept almost anything.

  28. Re:Passwords are shit. by bjourne · · Score: 2

    My bank (not named to protect the guilty) has the following restrictions on password:

    Name and shame away! Stupid password restrictions like that are a telltale sign that they are storing your password in plain text. Probably on some really arcane or buggy system if it doesn't even handle case-sensitivity correctly. The only way that companies are going to get their act together is if customers change to a competitor because they are fed up with crappy account security.

  29. Re:Passwords are shit. by mrbester · · Score: 2

    Verified by Visa is like this with the added hassle of asking for three specific letters from the password. This is bloody annoying as it means having to tick off letters on your fingers / some mental map to pick the right ones. Even if you have an eight letter word as the complete password who keeps it stored as a byte array in their head? It only adds security by irritation to the one person who is actually authorised to use the damned thing.

    --
    "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
  30. Sneakers by naroom · · Score: 2

    My voice is my passport. Verify me.

  31. Future Article: by virgnarus · · Score: 4, Funny

    It's 2155, and Daniel Vectorstar, our resident security analyst, states that everyone this year should keep their passwords to a minimum of at least 3 pages, single-spaced...

  32. Re:Make a bigger effort by Daetrin · · Score: 2

    Examples:
    [...]

    Hell: 1_L1k3_B1g_Butt5

    How DARE you rip off Jonathan Coulton like that?!?!??!

    --
    This Space Intentionally Left Blank
  33. Deloitte, get with the times by Opportunist · · Score: 2

    Who in their sane mind (in ITSEC, that is) is still dabbling with brute force problems? Seriously, Deloitte, stick with economy audits, at least there you can't do much more harm than has already been done to this economy, but stay out of real work, will ya? At least we could do without your "recommendations" to your clients to require bizarre combinations of characters from their employees that only lead to them noting them down on a post-it and sticking it underneath their keyboards (which, oddly, you do NOT have a recommendation against ... but I ramble).

    Whether your password has 3 or 30 characters, and how many special characters in what odd combination and how many generations back you may not repeat even 2 of those characters again is moot. NOBODY on the "other side" bothers with brute forcing anymore. Passwords are being sniffed, hacked or simply lifted in other ways, from keyloggers to the good old "this is your IT-department on the phone, we need your password". And when I have your secretary TELL me her password, it's frickin' pointless to make it 100 chars long. Only means I have to talk to her longer. Which, I admit, may or may not be a nuisance to me when I get tasked with testing something you "secured". Depending on how nasty the voice of the person I audit is.

    The security hole is NOT the length of your password. Get with the times, brute forcing just simply and plainly takes too long. Even if it's only a 3 char password, there are simply ways that get the attacker access far easier, more reliably and with a lot less effort.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.