Slashdot Mirror
Password Strength Testers Work For Important Accounts
msm1267 writes "Many popular online services have started to deploy password strength meters, visual gauges that are often color-coded and indicate whether the password you've chosen is weak or strong based on the website's policy. The effectiveness of these meters in influencing users to choose stronger passwords had not been measured until recently. A paper released this week by researchers at the University of California Berkeley, University of British Columbia, and Microsoft provides details on the results of a couple of experiments examining how these meters influence computer users when they're creating passwords for sensitive accounts and for unimportant accounts."
is not more reliance on passwords, but an infrastructure which replaces all of that.
I don't pretend to be a security expert, but why not ask for a public key instead, so I can authenticate with my private one, as with SSH? Or provide a pointer to some authentication server, so I can have a safely "shared" yet easily changed password for multiple sites? (and I am NOT talking about Facebook)
"National Security is the chief cause of national insecurity." - Celine's First Law
The long and the short of it: Not Much!
Users, despite a barrage of news about stolen credentials, identity theft and data breaches, will re-use passwords over and over, especially at account creation, regardless of the presence of a meter. If the context changes, however, and users are asked to change existing passwords on sensitive accounts, the presence of a meter does make some difference.
They claim it was for "important accounts" but how important would the account be that was being used in a study?
Lots of people re-use passwords on "nothing accounts" simply to prevent having to remember a gazillion passwords.
That doesn't mean they reuse all passwords.
Its probably more important to not log in using the same user name on many different sites than it is to have passwords consisting of crazy strings of random characters that you can't even type consistently let alone remember. If someone guesses your re-used password in one site they have a much better chance of guessing your other logins.
Sig Battery depleted. Reverting to safe mode.
The growing number of places you need a password on just to access some content is a sure cause for increased password reuse.
Humans are simply not suited to remembering random enough password to cover all the sites on internet.
The save password option on the browser might help...
but more and more sites use the "no not save passwords" option.. forcing people back to reusing passwords.
Well, personally I just use fairly random passwords and "rememberpass" extension on firefox to force saving password even when the site does not want you to do that.. as the lesser of the evils.
I might be the exception because one of my passwords is 27 characters and I have never needed to write it down. But most people do need to wrong down long meaningless strings of gibberish, especially if they many of them. Just like people know to find the car keys above the sun visor in a car, or under the rug at the house door, people know to look in or under the desk drawer to for the computer password.
Few people get a chance to sit at your PC, though. Network access is the greater risk, and that often has no password need because people just click on the link to the dancing squirrels and let their computer be taken over. We also need LESS use of passwords when connecting to things on our networks. Everything should be strong crypto authenticated, even inside private LANs.
now we need to go OSS in diesel cars
Now tell us what percent of breakins are due to guessing passwords. Maybe 2%. The rest are social engineering, default accounts, keyloggers, vulnerabilities, malware, misconfigured networks and people leaving their phones in bars.
How good are the meters as an indication of password strength? If you've got a meter that calls "Password1" (nine characters, mixed upper and lower case with a number) strong, it doesn't matter if the meter has an effect or not.
Password strength is inherently impossible to measure (it's related to the password's Kolmogorov complexity, which is incomputable). A good heuristic meter would check the password against the output of a few password-cracking programs and assign a strength based on how long it takes the password to show up, but I doubt anyone's doing that.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
You're absolutely right. For fifteen years, my job was preventing brute force attacks and the use of compromised credentials. (I wrote the Strongbox system.) The well known xkcd comic illustrates why the popular rules for "good passwords" are wrong, wrong, wrong. The LENGTH of the password is by far the most important thing. Password! is a really bad password, but would be considered "very strong" by most meters.
Probably the best thing we could do for password security would be to replace the word "password" with "pass phrase" or better yet "secret sentence". It's extremely unlikely anyone would ever crack the password "Ray eats cherry pie alamode", yet it's very ready for the user to remember.
http://xkcd.com/936/
...and very difficult to remember making the use of such a system insanity.
Maybe a brainfart..but here goes..
.. with a resolution of .002 seconds..and someone who can flip a coin, catch it, and click the second character consistently because of muscle memory and repetition. (random specs..but you get the picture)
Has anyone worked on a time based password system..such as.. the timing between the entry of the characters? So 11 then isnt the same as 1 1
I find that I have a few passwords that I use that I end up with a typing rhythm for certain character sets. I could logically break and wait on some.. or speed some up and slow some down consciously.. the intent of course being to add another completely random variable into the password thing..
You could have different timing resolutions for different levels of security. Imagine the difficulty of a password with only 2 characters exactly 1.756 seconds apart
And then the same scheme with a 1.5 second resolution for not so strict security. (again..random specs..but you get the picture)
Of course you would have words or phrases with timings in between so that...
"the l a z y dog" isnt the same as
"t h e lazy do g"
simply by the timing between the characters.
You would need to add or change passwords by typing them a few times until you can get the timing right for the resolution..and I would think a test or two before setting the password with timing..somthing like the voice recognition training...
and theres my brainfart for the day..enjoi.
> Of late I've been using LastPass.
That's great! Except... you know that LastPass had their entire database compromised, right? Fool me once...
At first glance, telling your users they must use a 9 in their password sounds dumb. "Hey, everyone is going to have at least one guessable character". But what in fact happens is most people who make a password on your site will not be using a reusable password from another site which is one of the biggest flaws in security right now. Your site's users are less likely to be hacked if another site's security goes down.
So while security "experts" think forcing you to use one uppercase letter and at least one !@#$%^&*() makes your password harder to guess, what it really does is make you write a password custom to the site. If sites were smart, they'd all have different password rules instead of conforming to this. This means one site would ask you for pick one "^&*(" and one "abcd", and another site would ask for you to pick one" #$%^" and one "wxyz"
God spoke to me
I use KeePass. I have 1 strong password stored in my brain. I have 1 crappy password for places like fark, /., and ars. My passwords for my 2 investment firms, my bank, ebay, paypal, email accounts, etc, are all different and I have no idea what they are as I let KeePass generate them. I just open up KeePass, copy the password to the clipboard, then paste.
To make it portable whenever I add a password to KeePass on my laptop I copy the database to my phone. As I never access my sensitive accounts from anywhere but my phone I'm good.
In short, it's simple, free, and as long as my 1 strong password is good I'm in good shape.
Attackers are not trying just one account, but many. They don't try a single account from a single IP sequentially. If you have 1 million accounts and a four digit pin to get in, you get 100 accounts unlocked on average with every sweep of a single pin on those 1 million accounts. Get your botnet to do the sweep, give it a little time so people will log in and reset the counters and in a few months you'd have all the accounts unlocked with almost no lock-outs. You might need a little intelligence put in so you'll delay attempts on accounts that got locked out, not use botnet IPs that got locked out for a week or so if you really want to keep a low profile, but other than that, a 4 digit pin is trivial.
I was promised a flying car. Where is my flying car?
Yes, they have. However, it requires client side applications and it is depending on the keyboard you are using. If you have to type your password on a different keyboard, your timing will differ because of the different placement and mechanics of the keyboard. It is only a reliable extra factor if you use a single type of hardware in very similar locations.
I was promised a flying car. Where is my flying car?
I'd say I'm a pretty security aware individual, what with working in IT and all that. I do defense in depth on computer and physical security, I'm proactive about things, etc. Seems to have worked, I've never had a system owned.
So I never reuse passwords, right?
Wrong, I do all the time. Almost every forum online I have the same password for, and it is a weak one. Why? Because I don't care. Oh no, someone might hack my forum account and... I dunno, post something as me! Whatever would I do? I'm not going to bother to generate a great, unique, password for every site.
However my bank account? Random password (I don't seem to have trouble remembering them), long, and it requires two factor authentication. That protects my finances, and those matter. So security on that is pretty high.
The idea that everyone is going to have a high security password for every site and not reuse it is silly. There are plenty of things where if your account got compromised, you just don't care so much.
Also it can make sense to group systems. All my systems at home use a single password. There is no reason for them not to. They are all in the same security context, basically. It is no different than at work where my single account gets me access to any domain system.
For example the powers that be at work decided that the important thing was 3 of the 4 groups (upper, lower, numbers, and punctuation are the groups), and length, with 14+ being what makes it happy. So you input a short phrase like "I like puppies" it'll call it strong and take it. However if you input "@la2wo!d?o-z4" it'll call it weak because it is too short. Input something like "niecrlazleswiariucriuml7priu8roab7iuyluc0oawr1u5pl" and it'll reject it because there are only 2 of the 4 groups).
There's no further analysis, it is just a length and groups thing, with rather poorly defined groups.
Also in terms of strength, while there's no perfect one, measuring bits of entropy, which you can do, is pretty good. However few sites use anything that advanced.
Every website appears to have an over inflated sense of its own importance... Why shouldn't i use a "weak" password on a site I deem unimportant?
Many of the password strength checkers are also deeply flawed, as they allow common dictionary words to slip through with trivial changes, eg Password1! is considered strong by most such checkers.
Also, how can i be assured that a site i sign up to is going to store my details securely? What's the point in having a strong password if its going to be stored in plain text or using a weak hashing algorithm?
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
And then they write them down, stick them on sticky notes, and put them under their keyboards, or in their drawers, completely destroying the security, but maintaining the administrators' beliefs in it.
It's almost as good of an idea as making people change their password once a month, which also encourages people to write them down, re-use their weak passwords or choose passwords that are easy to guess.
And how about those password retrieval questions?
What's your favorite color or your mother's maiden name? No one can guess those.
To most of those password checks I've encountered, "P@ssw0rd" is very strong, but a thousand random digits is unpermissably weak.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
This is what I have been saying for a dogs age. Security "professionals" have this all wrong because they neglect a very simple concept - NOT ALL ONLINE DATA IS EQUALLY IMPORTANT.
Frankly, I don't care if someone hacks my slashdot account. I don't care if someone hacks the account to the deals forum I visit. The worst that will happen is it will be a minor inconvenience to get the password reset, and they might post some troll information about me.
The only accounts that I have that I care about security are my banking accounts, my Facebook account, and my email account. That is pretty much it. I don't even care about Twitter really.
By forcing all random accounts to have strong passwords, you make the password management problem a lot more difficult than it should be for the average user.
Furthermore, all of these random one-off sites should be using OpenID / Google Login / Twitter / Yahoo / Facebook Login / SOMETHING, some form of identity federation... preferably supporting multiple of these. There is no reason that a mom & pop shop website should be managing identity credentials in this day and age, it is not required. Everyone on the planet has an account with SOME ONE of these providers, or an OpenId provider.