Password Strength Testers Work For Important Accounts
msm1267 writes "Many popular online services have started to deploy password strength meters, visual gauges that are often color-coded and indicate whether the password you've chosen is weak or strong based on the website's policy. The effectiveness of these meters in influencing users to choose stronger passwords had not been measured until recently. A paper released this week by researchers at the University of California Berkeley, University of British Columbia, and Microsoft provides details on the results of a couple of experiments examining how these meters influence computer users when they're creating passwords for sensitive accounts and for unimportant accounts."
is not more reliance on passwords, but an infrastructure which replaces all of that.
I don't pretend to be a security expert, but why not ask for a public key instead, so I can authenticate with my private one, as with SSH? Or provide a pointer to some authentication server, so I can have a safely "shared" yet easily changed password for multiple sites? (and I am NOT talking about Facebook)
"National Security is the chief cause of national insecurity." - Celine's First Law
The long and the short of it: Not Much!
Users, despite a barrage of news about stolen credentials, identity theft and data breaches, will re-use passwords over and over, especially at account creation, regardless of the presence of a meter. If the context changes, however, and users are asked to change existing passwords on sensitive accounts, the presence of a meter does make some difference.
They claim it was for "important accounts" but how important would the account be that was being used in a study?
Lots of people re-use passwords on "nothing accounts" simply to prevent having to remember a gazillion passwords.
That doesn't mean they reuse all passwords.
It's probably more important to not log in using the same user name on many different sites than it is to have passwords consisting of crazy strings of random characters that you can't even type consistently let alone remember. If someone guesses your re-used password on one site they have a much better chance of guessing your other logins.
Sig Battery depleted. Reverting to safe mode.
How can they know that password is not reused from another service such as gmail, facebook, or whatever?
The rules that define them need improving. It's all "you must have at least 1 number, symbol and capital"; but when you have a 20-something-character password made of a couple of obscure words joined together (much easier for humans to remember bluesunsuperpartytime than 1s0stat1C) it isn't going to matter much if you put a % sign at the end.
Rocket Surgeon.
The growing number of places you need a password on just to access some content is a sure cause for increased password reuse.
Humans are simply not suited to remembering passwords random enough to cover all the sites on the internet.
The save password option on the browser might help...
but more and more sites use the "do not save passwords" option.. forcing people back to reusing passwords.
Well, personally I just use fairly random passwords and "rememberpass" extension on firefox to force saving password even when the site does not want you to do that.. as the lesser of the evils.
According to the article:
Soo... the summary sentence actually says nothing. What was the result? It also sounds like they're reporting on whether people noticed the meter, not whether the meter was successful in getting people to use better passwords.
I'm out of my mind right now, but feel free to leave a message.....
I pictured big banks and the like hiring people to try to break passwords of employees or customers.
I eat only the real part of complex carbohydrates.
I might be the exception because one of my passwords is 27 characters and I have never needed to write it down. But most people do need to write down long meaningless strings of gibberish, especially if they have many of them. Just like people know to find the car keys above the sun visor in a car, or under the rug at the house door, people know to look in or under the desk drawer for the computer password.
Few people get a chance to sit at your PC, though. Network access is the greater risk, and that often has no password need because people just click on the link to the dancing squirrels and let their computer be taken over. We also need LESS use of passwords when connecting to things on our networks. Everything should be strong crypto authenticated, even inside private LANs.
now we need to go OSS in diesel cars
Now tell us what percent of breakins are due to guessing passwords. Maybe 2%. The rest are social engineering, default accounts, keyloggers, vulnerabilities, malware, misconfigured networks and people leaving their phones in bars.
But the one thing that's been annoying me lately is websites that have a minimum password requirement (must be 8 letters, must have a number) but they don't tell you about it until after you've filled out the entire registration and pressed submit. By then I've already added the password to my keychain, and have to go back and fix it and try again.
Some places I use "qwerty" because I don't care if my account is hacked. Now I have to switch to the more convenient "qw3rtijim09!" to pointlessly satisfy a robot.
How good are the meters as an indication of password strength? If you've got a meter that calls "Password1" (nine characters, mixed upper and lower case with a number) strong, it doesn't matter if the meter has an effect or not.
Password strength is inherently impossible to measure (it's related to the password's Kolmogorov complexity, which is incomputable). A good heuristic meter would check the password against the output of a few password-cracking programs and assign a strength based on how long it takes the password to show up, but I doubt anyone's doing that.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
Why not in addition to requiring a password... give the user a 255x255 grid (Total 65,000 boxes). Require the user to place 3 symbols on the grid, by clicking, not within the vicinity of any two symbols lining up horizontally, diagonally, or vertically, and not within a certain Euclidean distance of any other symbol.
The symbol in a box can be placed in the center, left edge, right edge, bottom edge, top edge, upper-left corner, upper-right corner, lower-right corner, or lower-left corner.
In addition to the password, the placement of the symbols must be remembered (which box, and where in each box, each marker was placed).
The result is an extra ~19 bit field.
Then a heavy work-factor PBKDF2, BCrypt, or SCrypt hash of this 19-bit field could be appended to the password.
Thereby creating a password augmentation that will be very difficult to brute force
I've been using "Imightbetheexceptionbecause" for years. We should do lunch, Skapare!
You're absolutely right. For fifteen years, my job was preventing brute force attacks and the use of compromised credentials. (I wrote the Strongbox system.) The well known xkcd comic illustrates why the popular rules for "good passwords" are wrong, wrong, wrong. The LENGTH of the password is by far the most important thing. Password! is a really bad password, but would be considered "very strong" by most meters.
Probably the best thing we could do for password security would be to replace the word "password" with "pass phrase" or better yet "secret sentence". It's extremely unlikely anyone would ever crack the password "Ray eats cherry pie alamode", yet it's very easy for the user to remember.
http://xkcd.com/936/
I find it hard to believe that any important account, which would/should lock you out after a couple of tries, would be vulnerable to a brute force attack even with a 4 digit PIN of only numbers (2 months of 4 tries per day before it locks you out, on average; at some point your bank should really be contacting you). On the other hand, key loggers make even 128-character-long, truly random, 46-options-per-character passwords easily broken. Even more annoying are the fucking stupid "password helpers" that say: well, just follow this simple rule and you'll make your password virtually unbreakable. Word to the wise: if you're following a rule, you've added 1 bit of entropy, that's it. Nothing more.
Of late I've been using LastPass. I don't know any of my passwords by memory, simply because they're just random garbage.
Q908j0U9$!!uOVgJ2R!0XC*mN
4$J0X3B7d63r6Sr29&z9r0hdx
They all look like that. They are all unique per site too, so if Yahoo loses control of its passwords again, for example, the rest of my stuff isn't hosed.
Go ahead. Generate a rainbow table that takes into account 25 (or more) characters of pure junk.
--
BMO
You could do all of that, or you could gain more entropy by making the passphrase three characters longer. Really, the way to get more bits of entropy is to use more bits. Any of the three sentences in this post has a lot of bits.
Maybe a brainfart..but here goes..
Has anyone worked on a time-based password system..such as.. the timing between the entry of the characters? So 11 then isn't the same as 1 1
I find that I have a few passwords that I use that I end up with a typing rhythm for certain character sets. I could logically break and wait on some.. or speed some up and slow some down consciously.. the intent of course being to add another completely random variable into the password thing..
You could have different timing resolutions for different levels of security. Imagine the difficulty of a password with only 2 characters exactly 1.756 seconds apart
.. with a resolution of .002 seconds..and someone who can flip a coin, catch it, and click the second character consistently because of muscle memory and repetition. (random specs..but you get the picture)
And then the same scheme with a 1.5 second resolution for not so strict security. (again..random specs..but you get the picture)
Of course you would have words or phrases with timings in between so that...
"the l a z y dog" isn't the same as
"t h e lazy do g"
simply by the timing between the characters.
You would need to add or change passwords by typing them a few times until you can get the timing right for the resolution..and I would think a test or two before setting the password with timing..something like the voice recognition training...
and there's my brainfart for the day..enjoi.
You seem to be thinking of targeted attacks on a specific person. That's probably fewer than 1% of all attack attempts. Based on statistical analysis of thousands of attacks (tens of millions of login attempts), I'd estimate password guessing at more like 92%. There are many bot nets constantly trying dictionaries against random sites. As a rough guesstimate, there are maybe a few tens of millions of dictionary attempts by http EVERY DAY. The combos admin/admin and admin/password work all too often.
At first glance, telling your users they must use a 9 in their password sounds dumb. "Hey, everyone is going to have at least one guessable character". But what in fact happens is most people who make a password on your site will not be using a reusable password from another site which is one of the biggest flaws in security right now. Your site's users are less likely to be hacked if another site's security goes down.
So while security "experts" think forcing you to use one uppercase letter and at least one !@#$%^&*() makes your password harder to guess, what it really does is make you write a password custom to the site. If sites were smart, they'd all have different password rules instead of conforming to this. This means one site would ask you for pick one "^&*(" and one "abcd", and another site would ask for you to pick one" #$%^" and one "wxyz"
God spoke to me
The 'Syrian Electronic Army' is contracted and financed and managed with Presidential Oversight by the US Department of Justice !
Most "lost password" break-ins are due to the companies that demand you use passwords not storing them properly, giving a hacker a nice database of non- or trivially-encrypted passwords to use. Password reuse wouldn't be a problem if the password wouldn't be stolen from compromised websites.
I was promised a flying car. Where is my flying car?
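The storage point in the comment above, shown as an added example (my own code, not from the article or any poster): the same user table hashed once with an unsalted fast hash and once with a per-user random salt and a slow PBKDF2 derivation, with a constant-time verify. The user names and passwords are constructed sample data and the iteration count is an assumed value, not a recommendation for any particular site.

```python
import hashlib
import hmac
import os

# Assumed example parameters; tune the iteration count to your hardware budget.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password_insecure(password: str) -> str:
    """The 'trivially encrypted' storage the comment complains about: one unsalted
    fast hash. Identical passwords give identical records and a leaked table can be
    attacked with a precomputed table, cracking every reuser at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Salted, slow hash. Record format: pbkdf2_sha256$<iters>$<salt_hex>$<dk_hex>."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def count_duplicate_records(records) -> int:
    """Number of rows whose stored value is shared with another row:
    the 'crack one, get all of them' exposure of unsalted storage."""
    seen = {}
    for r in records:
        seen[r] = seen.get(r, 0) + 1
    return sum(n for n in seen.values() if n > 1)


if __name__ == "__main__":
    # Constructed sample users; three of them reused the same password.
    users = {"alice": "correct horse battery staple",
             "bob": "Password1", "carol": "Password1", "dave": "Password1"}
    insecure = [hash_password_insecure(p) for p in users.values()]
    secure = [hash_password(p) for p in users.values()]
    print("duplicate rows, unsalted sha1:", count_duplicate_records(insecure))
    print("duplicate rows, salted pbkdf2:", count_duplicate_records(secure))
    print("bob logs in:", verify_password("Password1", secure[1]))
```

With the unsalted table the three reusers collapse into one row and a single crack (or a table lookup) opens all three accounts; with the salted records every row is distinct and each one costs the attacker the full iteration count.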
I use KeePass. I have 1 strong password stored in my brain. I have 1 crappy password for places like fark, /., and ars. My passwords for my 2 investment firms, my bank, ebay, paypal, email accounts, etc, are all different and I have no idea what they are as I let KeePass generate them. I just open up KeePass, copy the password to the clipboard, then paste.
To make it portable whenever I add a password to KeePass on my laptop I copy the database to my phone. As I never access my sensitive accounts from anywhere but my phone I'm good.
In short, it's simple, free, and as long as my 1 strong password is good I'm in good shape.
Attackers are not trying just one account, but many. They don't try a single account from a single IP sequentially. If you have 1 million accounts and a four digit pin to get in, you get 100 accounts unlocked on average with every sweep of a single pin on those 1 million accounts. Get your botnet to do the sweep, give it a little time so people will log in and reset the counters and in a few months you'd have all the accounts unlocked with almost no lock-outs. You might need a little intelligence put in so you'll delay attempts on accounts that got locked out, not use botnet IPs that got locked out for a week or so if you really want to keep a low profile, but other than that, a 4 digit pin is trivial.
I was promised a flying car. Where is my flying car?
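The sweep described in the comment above is password spraying: one guess against many accounts, so a per-account lockout counter never fires. As an added example (my own code, not from the article or any poster), here is that lockout rule next to a detector that looks at the other axis, a single source touching many distinct accounts with few attempts each. The log lines and addresses are constructed sample data and the thresholds are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log, "timestamp user source result". 198.51.100.7 makes one
# guess against each of ten accounts (one hits); 203.0.113.5 is one user mistyping.
SAMPLE_LOG = """\
2013-05-02T10:00:01 alice   198.51.100.7 FAIL
2013-05-02T10:00:03 bob     198.51.100.7 FAIL
2013-05-02T10:00:05 carol   198.51.100.7 FAIL
2013-05-02T10:00:07 dave    198.51.100.7 FAIL
2013-05-02T10:00:09 erin    198.51.100.7 OK
2013-05-02T10:00:11 frank   198.51.100.7 FAIL
2013-05-02T10:00:13 grace   198.51.100.7 FAIL
2013-05-02T10:00:15 heidi   198.51.100.7 FAIL
2013-05-02T10:00:17 ivan    198.51.100.7 FAIL
2013-05-02T10:00:19 judy    198.51.100.7 FAIL
2013-05-02T10:00:20 mallory 203.0.113.5  FAIL
2013-05-02T10:00:25 mallory 203.0.113.5  FAIL
2013-05-02T10:00:31 mallory 203.0.113.5  FAIL
2013-05-02T10:00:40 mallory 203.0.113.5  OK
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(OK|FAIL)$")


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, src, result = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "src": src, "ok": result == "OK"})
    return events


def per_account_lockouts(events, max_fails=5):
    """Classic rule: lock an account after max_fails consecutive failures.
    A spray gives each account one failure, so this returns nothing for it."""
    streak = defaultdict(int)
    locked = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"]:
            streak[e["user"]] = 0
        else:
            streak[e["user"]] += 1
            if streak[e["user"]] >= max_fails:
                locked.add(e["user"])
    return locked


def detect_spraying(events, window=timedelta(minutes=10), min_users=8, max_attempts_per_user=2.0):
    """Flag sources that touch many distinct accounts with few attempts each in one window.
    Returns {source: {"users", "attempts", "successes"}} for flagged sources."""
    if not events:
        return {}
    t0 = min(e["ts"] for e in events)
    buckets = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for e in events:
        b = buckets[(e["src"], (e["ts"] - t0) // window)]
        b["users"].add(e["user"])
        b["attempts"] += 1
        b["successes"] += int(e["ok"])
    flagged = {}
    for (src, _), b in buckets.items():
        n_users = len(b["users"])
        if n_users >= min_users and b["attempts"] / n_users <= max_attempts_per_user:
            flagged[src] = {"users": n_users, "attempts": b["attempts"], "successes": b["successes"]}
    return flagged


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("locked by per-account rule:", per_account_lockouts(ev))
    print("spraying sources:", detect_spraying(ev))
```

The per-account rule locks nobody here (the mistyping user stops at three), while the spray source stands out as ten accounts, ten attempts, one success. A botnet spreads the attempts over many sources, so in practice the same count is also worth keeping per ASN or per password-attempt window across the whole site, not only per address.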
Yes, they have. However, it requires client side applications and it is depending on the keyboard you are using. If you have to type your password on a different keyboard, your timing will differ because of the different placement and mechanics of the keyboard. It is only a reliable extra factor if you use a single type of hardware in very similar locations.
I was promised a flying car. Where is my flying car?
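The timing idea from the "brainfart" post above and the reply to it, as an added example (my own code, not from the article or any poster): a template is enrolled from several typings of the same secret, each inter-key gap is quantized to a chosen resolution, and an attempt is accepted only if every gap sits within a tolerance of the enrolled mean. The key-down times are constructed sample values, not measurements, and the resolution and tolerance are assumed. The last case in the main block shows the reply's point: the same rhythm typed 30% slower, as on a different keyboard, fails.

```python
import statistics

# Constructed enrollment data: one 4-key secret typed three times by one user on one
# keyboard; values are key-down times in seconds (assumed, not measured).
ENROLLMENT_SAMPLES = [
    [0.00, 0.20, 0.90, 1.10],
    [0.00, 0.22, 0.88, 1.12],
    [0.00, 0.19, 0.93, 1.09],
]
RESOLUTION = 0.05   # seconds per timing step; coarser = more tolerant, fewer bits


def intervals(timestamps):
    """Inter-key gaps in seconds from absolute key-down times."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def quantize(gaps, resolution):
    """Express each gap as an integer number of resolution steps."""
    return [round(g / resolution) for g in gaps]


def enroll(samples, resolution=RESOLUTION):
    """Build a timing template: per-gap mean and spread over several typings."""
    q = [quantize(intervals(s), resolution) for s in samples]
    if any(len(x) != len(q[0]) for x in q):
        raise ValueError("all enrollment samples must have the same key count")
    columns = list(zip(*q))
    return {
        "resolution": resolution,
        "means": [statistics.fmean(col) for col in columns],
        # floor the spread at one step so a perfectly consistent gap still tolerates jitter
        "sds": [max(statistics.pstdev(col), 1.0) for col in columns],
    }


def verify(template, attempt, max_z=2.5):
    """Accept only if every gap is within max_z spreads of the enrolled mean.
    This is checked in addition to the password itself, never instead of it."""
    q = quantize(intervals(attempt), template["resolution"])
    if len(q) != len(template["means"]):
        return False
    return all(abs(v - m) / s <= max_z
               for v, m, s in zip(q, template["means"], template["sds"]))


if __name__ == "__main__":
    t = enroll(ENROLLMENT_SAMPLES)
    print(verify(t, [0.00, 0.21, 0.92, 1.13]))  # same rhythm: accepted
    print(verify(t, [0.00, 0.70, 0.90, 1.10]))  # same keys, pause moved ("1 1" vs "11"): rejected
    print(verify(t, [0.00, 0.26, 1.17, 1.43]))  # everything 30% slower, other keyboard: rejected
```

Note what the template leaks: an attacker who captures keystrokes with a key logger captures the timings with them, so this adds nothing against that threat; it only raises the cost for someone who has the characters but not the rhythm.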
So I make my password 912345 instead of 12345. Big deal. I use the same password as my matching luggage everywhere. I just put the mandatory characters in front of it. That way, I still have to remember a single password and I can read what to put in front of it on the site itself. Highly convenient and extremely secure.... not.
I was promised a flying car. Where is my flying car?
I'd say I'm a pretty security aware individual, what with working in IT and all that. I do defense in depth on computer and physical security, I'm proactive about things, etc. Seems to have worked, I've never had a system owned.
So I never reuse passwords, right?
Wrong, I do all the time. Almost every forum online I have the same password for, and it is a weak one. Why? Because I don't care. Oh no, someone might hack my forum account and... I dunno, post something as me! Whatever would I do? I'm not going to bother to generate a great, unique, password for every site.
However my bank account? Random password (I don't seem to have trouble remembering them), long, and it requires two factor authentication. That protects my finances, and those matter. So security on that is pretty high.
The idea that everyone is going to have a high security password for every site and not reuse it is silly. There are plenty of things where if your account got compromised, you just don't care so much.
Also it can make sense to group systems. All my systems at home use a single password. There is no reason for them not to. They are all in the same security context, basically. It is no different than at work where my single account gets me access to any domain system.
For example the powers that be at work decided that the important thing was 3 of the 4 groups (upper, lower, numbers, and punctuation are the groups), and length, with 14+ being what makes it happy. So you input a short phrase like "I like puppies" and it'll call it strong and take it. However if you input "@la2wo!d?o-z4" it'll call it weak because it is too short. Input something like "niecrlazleswiariucriuml7priu8roab7iuyluc0oawr1u5pl" and it'll reject it because there are only 2 of the 4 groups.
There's no further analysis, it is just a length and groups thing, with rather poorly defined groups.
Also in terms of strength, while there's no perfect one, measuring bits of entropy, which you can do, is pretty good. However few sites use anything that advanced.
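To make the complaints in this thread concrete (the "length plus 3 of 4 groups" meter above, and the earlier remarks that "Password1!" and "P@ssw0rd" pass most meters), here is an added example of my own, not code from the article or from any site's meter: the composition-rule meter next to a rough entropy estimate that models what a cracker actually tries first. The word list is a tiny constructed stand-in, the 2048-entry dictionary size is an assumption (11 bits per word, as in the xkcd strip linked above), and the leet table, suffix model and rating cut-offs are assumed heuristics.

```python
import math
import re

# Tiny constructed stand-in for a cracking dictionary; a real meter would load a
# wordlist or leaked-password list and use the word's rank, not the list size.
COMMON_WORDS = {"password", "qwerty", "letmein", "monkey", "dragon", "welcome",
                "i", "like", "puppies", "correct", "horse", "battery", "staple",
                "the", "lazy", "dog", "admin"}
ASSUMED_DICTIONARY_SIZE = 2048   # assumption: 11 bits per dictionary word

# Assumed leet substitutions a cracker's rule set undoes for free.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "other": 33}


def char_groups(pw):
    groups = set()
    for c in pw:
        if c.islower():
            groups.add("lower")
        elif c.isupper():
            groups.add("upper")
        elif c.isdigit():
            groups.add("digit")
        else:
            groups.add("other")
    return groups


def naive_meter(pw, min_len=8, min_groups=3):
    """Composition-rule meter: length plus 'N of 4 character groups', no content analysis."""
    return "strong" if len(pw) >= min_len and len(char_groups(pw)) >= min_groups else "weak"


def estimate_bits(pw):
    """Entropy estimate in the order a cracker works: passphrase of dictionary words,
    single dictionary word with leet/capital variants and a short suffix, then brute force."""
    if not pw:
        return 0.0
    words = pw.lower().split()
    if len(words) > 1 and all(w in COMMON_WORDS for w in words):
        return len(words) * math.log2(ASSUMED_DICTIONARY_SIZE)
    m = re.fullmatch(r"(.{2,}?)([0-9!@#$%^&*?.\-]{0,4})", pw)
    if m:
        core, suffix = m.group(1), m.group(2)
        normalized = core.lower().translate(LEET)
        if normalized in COMMON_WORDS:
            bits = math.log2(ASSUMED_DICTIONARY_SIZE)
            bits += 1 if core != core.lower() else 0                            # capitalisation
            bits += sum(1 for a, b in zip(core.lower(), normalized) if a != b)  # ~1 bit per leet swap
            bits += sum(math.log2(10) if ch.isdigit() else math.log2(33) for ch in suffix)
            return bits
    charset = sum(CHARSET_SIZES[g] for g in char_groups(pw))
    return len(pw) * math.log2(charset)                                         # brute force


def rating(bits):
    return "weak" if bits < 28 else "fair" if bits < 44 else "strong"


if __name__ == "__main__":
    for pw in ["Password1!", "P@ssw0rd", "qwerty", "I like puppies",
               "correct horse battery staple", "@la2wo!d?o-z4",
               "niecrlazleswiariucriuml7priu8roab7iuyluc0oawr1u5pl"]:
        bits = estimate_bits(pw)
        print(f"{pw!r:55} naive(8,3)={naive_meter(pw):6} naive(14,3)={naive_meter(pw, 14):6} "
              f"est={bits:6.1f} bits -> {rating(bits)}")
```

On these inputs the rule meter calls "Password1!" and "P@ssw0rd" strong while the estimate puts them around 20 and 14 bits, and the 14-character rule rejects the 13-character random string and the 50-character lowercase/digit string, the two inputs the estimate rates highest.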
Every website appears to have an over-inflated sense of its own importance... Why shouldn't I use a "weak" password on a site I deem unimportant?
Many of the password strength checkers are also deeply flawed, as they allow common dictionary words to slip through with trivial changes, eg Password1! is considered strong by most such checkers.
Also, how can I be assured that a site I sign up to is going to store my details securely? What's the point in having a strong password if it's going to be stored in plain text or using a weak hashing algorithm?
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
And then they write them down, stick them on sticky notes, and put them under their keyboards, or in their drawers, completely destroying the security, but maintaining the administrators' beliefs in it.
It's almost as good of an idea as making people change their password once a month, which also encourages people to write them down, re-use their weak passwords or choose passwords that are easy to guess.
And how about those password retrieval questions?
What's your favorite color or your mother's maiden name? No one can guess those.
To most of those password checks I've encountered, "P@ssw0rd" is very strong, but a thousand random digits is impermissibly weak.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
I use random passwords. There are quite a few terminally stupid "password testers" that will happily refuse 16 digit and letter passwords as weak, but call 8 digit/letter with a special character "strong".
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
This is what I have been saying for a dog's age. Security "professionals" have this all wrong because they neglect a very simple concept - NOT ALL ONLINE DATA IS EQUALLY IMPORTANT.
Frankly, I don't care if someone hacks my slashdot account. I don't care if someone hacks the account to the deals forum I visit. The worst that will happen is it will be a minor inconvenience to get the password reset, and they might post some troll information about me.
The only accounts that I have that I care about security are my banking accounts, my Facebook account, and my email account. That is pretty much it. I don't even care about Twitter really.
By forcing all random accounts to have strong passwords, you make the password management problem a lot more difficult than it should be for the average user.
Furthermore, all of these random one-off sites should be using OpenID / Google Login / Twitter / Yahoo / Facebook Login / SOMETHING, some form of identity federation... preferably supporting multiple of these. There is no reason that a mom & pop shop website should be managing identity credentials in this day and age, it is not required. Everyone on the planet has an account with SOME ONE of these providers, or an OpenId provider.
javascript:(function(){var%20ca,cea,cs,df,dfe,i,j,x,y;function%20n(i,what){return%20i+"%20"+what+((i==1)?"":"s")}ca=cea=cs=0;df=document.forms;for(i=0;i<df.length;++i){x=df[i];dfe=x.elements;if(x.onsubmit){x.onsubmit="";++cs;}if(x.attributes["autocomplete"]){x.attributes["autocomplete"].value="on";++ca;}for(j=0;j<dfe.length;++j){y=dfe[j];if(y.attributes["autocomplete"]){y.attributes["autocomplete"].value="on";++cea;}}}alert("Removed%20autocomplete=off%20from%20"+n(ca,"form")+"%20and%20from%20"+n(cea,"form%20element")+",%20and%20removed%20onsubmit%20from%20"+n(cs,"form")+".%20After%20you%20type%20your%20password%20and%20submit%20the%20form,%20the%20browser%20will%20offer%20to%20remember%20your%20password.")})();
ignores autocomplete="off" so that firefox can remember the password
Paste that JS into a bookmarklet and then every time you get a form that says "don't remember", click your bookmarklet. And then you just have no problem.
If websites stopped allowing any logins from eastern Europe my accounts would be much more secure.
Re: Natural Gas (Methane) -> Propane: Fischer-Tropsch process