Slashdot Mirror

← Back to Stories (view on slashdot.org)

Deloitte: Use a Longer Password In 2013. Seriously.

Posted by timothy on from the you're-gonna-need-a-bigger-post-it dept.

clustro writes "Deloitte predicts that 8-character passwords will become insecure in 2013. Humans have trouble remembering passwords with more than seven characters, and it is difficult to enter long, complex passwords into mobile devices. Users have not adapted to increased computing power available to crackers, and continue to use bad practices such as using common and short passwords, and re-using passwords across multiple websites. A recent study showed that using the 10000 most common passwords would have cracked >98% of 6 million user accounts. All of these problems have the potential for a huge security hazard. Password vaults are likely to become more widely used out of necessity. Multifactor authentication strategies, such as phone texts, iris scans, and dongles are also likely to become more widespread, especially by banks."

18 of 538 comments (clear)

  1. I Got It! by pmcizhere · · Score: 5, Funny

    correcthorsebatterystaple. It's a perfectly long, easy to remember password. Just, nobody use it other than me, ok?

    1. Re:I Got It! by LoRdTAW · · Score: 5, Insightful

      A better question would be, what system would allow 1000 password guesses per second to be authenticated? Most systems lock you out after 3 to 5 unsuccessful attempts. And I would hope that smart developers would put a time delay between how fast a user can reattempt to authenticate. So a computer sending authentication attempts in less than one second would be immediately blacklisted as a automated attack. Inserting a second or two delay between attempts would guarantee that. Assuming a computer could brute force a password by trying all possible strings, what system could that possibly be effective against? I can see that it could be useful against an encrypted file but an online banking site or other eCommerce site sounds impractical. anyone care to elaborate?

    2. Re:I Got It! by OzPeter · · Score: 5, Informative

      A better question would be, what system would allow 1000 password guesses per second to be authenticated?

      Irrelevant, as the cracking will happen offline after the bad guys have stolen your PW DB by exploiting other weaknesses in your system

      --
      I am Slashdot. Are you Slashdot as well?
    3. Re:I Got It! by alvinrod · · Score: 5, Interesting

      It's bad because much like you can have a computer program randomly combine letters, numbers, and symbols to generate a password, you can simply have the same program combine dictionary words together. There are hundreds of thousands of words in the English language, which would make the number of combinations quite large, but most of those words aren't commonly used so you could ignore them. If you had people generate a four word pass phrase, it's quite likely that most of them would contain only words from a relatively small subset of the English language.

      When I use pass-phrases, I make sure to include some capital letters, numbers, and symbols. This makes it almost impossible to brute force. So for example, 2Correcthorse4batteryStapple! would be a much more secure password, that really isn't any more difficult to remember. It's only using 7 symbols, which makes it fairly easy to remember. Once you type it enough, muscle memory will allow you to enter it without too much issue.

      You could make it even more complex by using slang words, words from other languages, proper nouns, or other such words.

    4. Re:I Got It! by AndrewStephens · · Score: 5, Informative

      True, but nobody tries breaking into a system by logging in ten thousand times a second to a single account. The recent well-publicised break-ins resulted from the hashed password file being publicly available, either stolen through a vulnerability or maliciously leaked. If the attackers have the hashed passwords they can try them at a rate of millions or billions of attempts per second for as long as they want.

      --
      sheep.horse - does not contain information on sheep or horses.
    5. Re:I Got It! by vux984 · · Score: 5, Interesting

      4 symbols chosen randomly from a dictionary of ~200,000 by a computer not by you because you won't choose words randomly.

      that makes it a 1 in 200000^4 to guess... or 1.6 x 10^21

      compare that to an 8 character password also randomly generated. Passwords which are drawn from a set of around 90 symbols. (50 letters including upper and lower case, 10 digits, and ~30 symbols)

      that's 90^8 or a measly 4.3 x10^15

      a 4 word randomly chosen password from a dictionary is by far the better password, and much easier to remember too.

      An 11 character password of completely random gibberish is about equivalent, to 4 random dictionary words. Good luck remembering somthing like `oN{/QM9PKb

      which is no better than:

      scald obsolescent period postpone

    6. Re:I Got It! by Anonymous Coward · · Score: 5, Interesting

      I used to do this to the college lab computers (running NT 4 at the time). I'd walk in with a floppy, reboot, copy the SAM file to disk, return to the dorms and crack away. Typically, I'd have the entire password file cracked in 10-12 hours. The machine doing the cracking was a P3 500Mhz. When I did the lab computers, I was shocked to find the administrator password on all the machines was the 5-character room number of the campus's IT department. And, it took about all of 10 seconds to crack. Getting password file without a bootable floppy proved a little harder, but not much. All you had to was replace the login screen's screen saver with a copy of cmd.exe, and be patient. Then, a little utility to dump the hashed password from memory. (For a long while, the login "screen saver" ran as SYSTEM). This also worked on Windows 2000 & XP which had an extra layer of encryption over the SAM.

    7. Re:I Got It! by interkin3tic · · Score: 5, Interesting

      Naive question, does anyone still brute force attack passwords? Are there websites out there that will allow you to try more than, say ten times before locking your account? If you're talking about the difference between 10 million different passwords and 4 billion, but facebook will lock down your account after 20 tries, there's not really a significant difference between the two. It seems like my accounts are always being locked down due to trying the wrong password from trying to "brute force" using every password I remember.

    8. Re:I Got It! by dgatwood · · Score: 5, Insightful

      Your definition of "common words" is off by about an order of magnitude from reality, though. A typical person only uses about 10,000–25,000 words on a regular basis, depending on their level of education.

      Even assuming the upper end of that, nearly all people would typically choose from about 3 * 10^17 possibilities, which at 350 billion attempts per second, would take only around ten days to crack. On the lower end, a sizable percentage of people would choose from about 1 * 10^16, which would take about eight hours to crack.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    9. Re:I Got It! by buchner.johannes · · Score: 5, Funny

      Use a 2 for extra security. Computers can only find ones and zeros.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    10. Re:I Got It! by Anonymous Coward · · Score: 5, Insightful

      Password too long, please enter 8-12 characters.

  2. Until artificial limits are removed... by eksith · · Score: 5, Insightful

    I used my online banking today and they limit to 8 characters EXACTLY... even though they demand a non alpha-numeric character and mixed case. I keep thinking, these idiots still don't get it. Also, obligatory.

    --
    If computers were people, I'd be a misanthrope.
    1. Re:Until artificial limits are removed... by eksith · · Score: 5, Interesting

      That's usually a guarantee they don't hash passwords :/

      Or they use some kind of encoding scheme instead that just lengthens with password size and letter case (DB field width will get maxed out) and don't use parameters for DB inserts/updates so special chars would wreak havoc with queries. Sometimes that's because they're running ancient software, but other times it's pure and simple laziness or disregard. It's hard to care about a project under near-slave-labor conditions in some of those sweatshops.

      --
      If computers were people, I'd be a misanthrope.
    2. Re:Until artificial limits are removed... by mentus · · Score: 5, Interesting

      Don't complay too much. The convenience vs security balance can all too quickly pend to the [lack of the] former. Doing online banking in Brazil in any of the major banks is becoming a major PITA. Santander for instance, requires you to install a browser plugin (available in native version for IE or Firefox, or via Java in the case of Chrome) just to be able to login to the IB. You also need a special IB-only password which must be numbers and letters (mixed-cased), and if you type it incorrectly more than 2 times, they automatically suspend your IB password and you need to talk to your account manager to be able to unblock it.

      Do you think that's all? Nope. With that you can only use IB in 'read only mode', not being able to perform any transaction that might make a debit to your account. Then you have to request a 'codes card', with is basically a very cheap version of a token, albeit a little less secure. Upon completion of each transaction you'd be required to type one of the codes in your card. Thing is, fraudters caught up to that pretty quicly, and started sending phising mail where they'd lead the baits to a website passing as the bank asking them to type all their codes for 'security purposes'.

      So then they made it compulsory to register each computer you use IB with, therefore forcing you to use a whitelist to enable trusted computers. You actually have to go in person to an ATM machine and use your debit card + 3 letter PIN + 4 digit debit PIN to authorize each computer. Thing is, so many people have machines so full of malware that this wasn't enough to stop the fraudsters.

      Next in line was their latest addition: now in order to be able to make transactions online, not only you must have the IB password, install a proprietary browser 'security plugin', the token card, authorize your machine previously on an ATM with your debit card + 3 letter PIN + 4 digit debit PIN, you also must have a mobile phone on your file with the bank. Then, after you use all your passwords and code card in a trusted machine, they then generate a 7-digit code that is send via SMS to your mobile phone (which can also be only updated in person or in an ATM with both pins).

      What if you don't have a mobile phone? What if you don't have signal at the moment you want to perform the transaction? What if your phone battery is out of charge? Well, tough luck, you'll have to go to a Santander ATM machine, because all these security paranoia features are mandatory...

      The thing is, this a perfect example of adverse selection in effect, so now every bank is demanding you to install proprietary plugins (which are usually modified rootkits themselves..) to ensure the safety of your machine before being able to use any IB. Some are already demaning the use of SMS on a per-transaction basis and the process of using IB is getting more inconvenient by the day...

      When I compare that with the breeze that is using the IB for my HSBC account in the US... it makes me wonder how much inconvenience is enough to tolerate...

  3. Git Rid of Asinine Password Requirements First by Secret+Agent+Man · · Score: 5, Insightful
    • Minimum lengths? Sounds good.
    • Require a non-alphanumeric symbol? Sounds good.
    • Must have at least one lowercase letter, capital letter, punctuation, number? Uh...
    • Max length of 12 characters. Wat?

    Some password requirements are perfectly acceptable, even encouraged. There exist plenty, however, that just make one scratch one's head. Why would a maximum length any lower than several hundred characters ever be necessary? More egregious limitations include requiring an insanely complex number of symbol/letter/number combinations (easy for AI, hard for humans, as XKCD eloquently points out) and, of course, passwords restricted to numbers only. Sadly financial institutions seem to be fond of this one, possibly under the mentality that a PIN is just as good as a password, and customers won't forget that!

  4. Secret Plans by SJHillman · · Score: 5, Informative

    I think some places encourage short passwords. StudentLoans.com is Citibank's site for, you guessed it, student loans. The MAX password length is eight characters. That only encouraged me to pay off my loan to them faster just so I wouldn't have to deal with security like that.

    Of course, nowhere in the signup do they warn you that only the first eight characters of your password will be accepted, nor does the login box limit you to inputting eight characters. I signed up with abcdef12345678 and tried signing in with abcdef12345678 but it gave me password refused. By luck, I tried abcdef12 and it worked. Screw Citi and all of the others still using password schemes from the early 90s

  5. Re:I love old news. by SuricouRaven · · Score: 5, Informative

    xapsdogien32
    > Error: Must include at least one punctuation character.
    xapsdogien32!
    > Error: Must not contain a dictionary word.
    xapsd_ogien32!
    >Error: Maximum length twelve characters.
    psd_ogien32!
    > Error: Must include an uppercase character.
    A1!
    > OK

  6. Re:I love old news. by swillden · · Score: 5, Interesting

    12? I know a freaking BANK where the character limit for the password is 8. Yep 8 character password to online banking.

    I was an IBM security consultant for about 10 years. I worked for all sorts of corporations big and small, talking to them about their security practices. Do you know which industry consistently had the worst security practices? Banking. It's amazing. I once talked to a bank that moves very large amounts of money (9+ figures) daily in wire transfers, communicated by kermit transfer of unencrypted files over a dialup modem. This was around 2005, and it actually wouldn't shock me to learn they're still doing it the same way.

    Now I work for Google, and part of my job entails setting up secure communications with banks. Almost without exception every bank tries to argue us into lowering our security requirements. It's not like we're asking for anything crazy, either: strong encryption and mutual authentication using standard algorithms and protocols and adequately-large keys (e.g. 2048-bit RSA, 128-bit AES, etc.), with proper key exchange protocols and periodic key rotations. It's not rocket science, but it's beyond the IT staff of most banks.

    I am frankly amazed that there aren't more major security breaches in our banking infrastructure.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.