Applying Pavlovian Psychology to Password Management
Ars Technica reports on an interesting and sensible-sounding approach to password policy that I'd like to see adopted just about everywhere I have a password (which, these days, is quite a few). An excerpt:
"For instance, a user who picks "test123@#" might be required to change the password in three days under the system proposed by Lance James, the head of the cyber intelligence group at Deloitte & Touche. The three-day limit is based on calculations showing it would take about 4.5 days to find the password using offline cracking techniques. Had the same user chosen "t3st123@##$x" (all passwords in this post don't include the beginning and ending quotation marks), the system wouldn't require a change for three months."
From the article: "Passcodes that have a length of 20 or more can contain any character type an end user wants, including all lower case letters." And sites like Phil's Hobby Shop have lowered "complexity" requirements for sufficiently long passwords. I'm glad the passphrase concept is catching on. To what extent can xkcd be credited with awareness of passphrases?
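The expiry-by-crack-time idea quoted above, worked through as an added example (not code from the article or the Deloitte proposal). It assumes a constructed offline guess rate of 5e10 guesses per second, a class-based keyspace model, and an expiry set at two-thirds of the expected crack time, which is the ratio the 4.5-day / 3-day pair in the excerpt implies; the cap and floor are assumptions too.

```python
import math
import string

# Assumed offline guess rate (guesses per second) for a hashed-file attack.
# This is a constructed figure for the illustration, not one from the article.
GUESS_RATE = 5e10

# Assumed policy: expire after two-thirds of the expected crack time, matching
# the "4.5 days to crack, change in 3 days" pair in the excerpt. Clamp so that
# trivial passwords still get a day and strong ones are not rotated forever.
EXPIRY_FRACTION = 2.0 / 3.0
MIN_EXPIRY_DAYS = 1.0
MAX_EXPIRY_DAYS = 365.0

# Character classes an exhaustive attacker has to include once it sees
# (or assumes) that the class is present in the password.
CHAR_CLASSES = (
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("punct", set(string.punctuation)),
)


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet that covers every character."""
    size = 0
    remaining = set(password)
    for _name, chars in CHAR_CLASSES:
        if remaining & chars:
            size += len(chars)
            remaining -= chars
    # Characters outside the four classes (space, non-ASCII) widen the
    # alphabet by the distinct extras seen: a crude but conservative fallback.
    return size + len(remaining)


def keyspace(password: str) -> int:
    """Number of candidates in an exhaustive search of this password's shape."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Class-based entropy; dictionary words score higher here than they deserve."""
    return len(password) * math.log2(alphabet_size(password))


def expected_crack_seconds(password: str, guess_rate: float = GUESS_RATE) -> float:
    """On average the search hits the password halfway through the keyspace."""
    return (keyspace(password) / 2) / guess_rate


def expiry_days(password: str, guess_rate: float = GUESS_RATE) -> float:
    """Rotation interval the quoted policy would assign to this password."""
    crack_days = expected_crack_seconds(password, guess_rate) / 86400
    return min(MAX_EXPIRY_DAYS, max(MIN_EXPIRY_DAYS, crack_days * EXPIRY_FRACTION))


if __name__ == "__main__":
    for pw in ("test123@#", "t3st123@##$x", "correct horse battery staple"):
        days = expected_crack_seconds(pw) / 86400
        print(f"{pw!r}: ~{entropy_bits(pw):.0f} bits, expected crack "
              f"{days:.1f} days, expire in {expiry_days(pw):.0f} days")
```

The model is deliberately the attacker-agnostic one the article implies; a wordlist-plus-rules attack finds "test123@#" far faster than the keyspace arithmetic suggests, which is the point several comments below make.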
Long passwords composed of random words are highly random, highly resistant to bruit forcing, and relatively easy to remember. The battle to make users remember arbitrary characters isn't just foolish, it's insecure.
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
Include the quotes, and be even more secure!
"National Security is the chief cause of national insecurity." - Celine's First Law
Sure, implement this and watch most of your userbase write passwords down and keep them on the side of the monitor or under the keyboard.
And the featured article agrees. It mentions Stanford tapering down complexity requirements for longer passwords, dropping them entirely at over 20 characters.
When I say "nobeta=1" I mean "nobeta=1"
Here's a Pavlovian response. I type nobeta=1 into the URL. Slashdot directs me to a beta format story anyway. I stop coming back to Slashdot.
Such variance in expiration cycles would be too confusing to the average user.
Unless the developers have taken a belt-and-suspenders approach to guarding against cross-site scripting and Bobby Tables attacks by not only using parameterized statements but also stripping any punctuation characters that may have special meaning in HTML or in SQL. Angle brackets, ampersands, and quotation marks become an underscore, which is a more common (that is, less entropy) character in passwords.
How is offline cracking time relevant?
Surely it can't be brute forced online so why force changing the password?
Because all you are going to get is users deciding that they cannot come up with a 10th password that year and just picking "123456".
"I'd like to see adopted just about everywhere I have a password (which, these days, is quite a few)"
What a joke. If every site used this method I, and many other people, would need to change multiple passwords every single day of the year. The entire system would break down and become completely unmanageable.
Troll is not a replacement for I disagree.
I just say 'generate' to PasswordSafe (right now my tool of choice) and have an 8-character pile of gibberish that I can't pronounce and never read. If someone points a gun to my head (the NSA?) and asks for my online banking password, I can only - truthfully - say that I have no idea.
BTW, pavlovian to me implies egg whites and sugar, mixed and then baked. Then cream.
"The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
The perception of website owners that I HAVE to remember their password just shows an overblown feeling of self-importance among site owners.
The only sensible approach - completely random passwords, generated by some tool and stored in a key chain with one good master password.
The idea that a user would somehow remember a password for each site he uses is simply stupid. The number of passwords can easily go up to a hundred. And if all sites start insisting on changing them once every 3 days users will likely go insane.
And be damned those site owners who make it very difficult for the browser to insert a saved password. And the worst I've seen so far is Home Depot's credit services (owned by city bank, I presume).
And yes, I know, passwords are used not only on websites. Nevertheless - in an ideal world the user just plugs in his encrypted key chain and uses it to access everything he needs with one password. Well, maybe two - personal and work.
Bruce Schneier considers writing down passwords to be acceptably secure. Carrying around a card with your passwords on it isn't really any less secure than carrying around a piece of plastic with your credit card number embossed on it.
The computer will tase the users if they forget to change their passwords at the prescribed time. If they do remember, give them a biscuit, with a glass of milk if it's a strong password.
“He’s not deformed, he’s just drunk!”
Someone can still point a wrench to your head and ask for your PasswordSafe master password. What would be your truthful answer to the following question: "Do you know your online banking password, or any other password that can be used to retrieve your online banking password?"
my password! I'll just choose "5f4dcc3b5aa765d61d8327deb882cf99" without the quotes as my password. It will take forever for someone to brute force that! HAHAHAHA! (Yes, I know better.)
As illustrated in the comic, your mind can end up constructing a "story" around whatever four words your Diceware spits out. So long as you can remember the story, it doesn't need to be grammatical.
I should not have to remember a password, the system should handle it for me.
It's so much easier to read the sticky notes stuck in the top drawer of the desk, or call the help desk with the birthday, high school, home address and first car of your target?
There are many off-the-shelf two factor solutions today. Choose one.
That's fine if you only ever sign into one web site that uses two-factor authentication. But if every web site you sign into during the day insists on a different off-the-shelf two-factor solution, or if one of the solutions is pay-per-use, it could get very expensive. One such pay-per-use method that has become popular is receiving a text message on a cell phone.
"give me your password"
" i don't know"
*glug glug*
"wait stop the computer has it in PasswordSafe"
For example, if a password unlocks access to a bank account, it's reasonable for the bank to require more secure forms of access: including ones that are better than mere passwords themselves.
However if all a website visitor has at risk is comments about stories. Comments that can be, and often are, as banal as I lik [sic] catz then even a 1 character password seems like overkill. As it is, the website owner often has a highly inflated idea of the worth of his/her/its website and maybe even an unbalanced paranoia towards security in general - maybe passwords aren't actually their biggest security problem. So I'd suggest the answer is for users to vote with their feet (or their passwords) and feed back to the admins what THEY think is the right level of annoyance they should be put to, in order to access websites' "riches". It might be a lot lower than the owners think it should be.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
If you're assuming your hashed password file is public or you allow unlimited login attempts without shuttering the connections, then this makes some sense. But if your pw file is public you need to force a change far before the average crack time (like 2 stddev), which probably means hours on an average of 3 days to crack.
But if your pw file isn't supposed to be public, then you're setting a policy assuming your system has been cracked and are passing bad math onto the users as annoyance. And then blaming them. If you fail to factor in the likelihood of the password file being taken, then all the "average time to crack" might not matter.
Yes, we're assuming that the hashed password file has a substantial probability of getting leaked, just as it was in several other high-profile breaches (Sony, Target, etc.). If it's impossible for an inside job to leak the password file, then how can the system 1. use the password file to authenticate users and 2. back up the password file in case of hardware failure?
We should increase password strength rules!
Right now, at most sites, the strength rules are such that they disallow a significant portion of the unconstrained search space.
If we keep increasing the number of constraints, we will further reduce the search space.
Eventually, we will get to the point where I only have to remember one password, because it's the only password I, or anyone else, is allowed to have.
Stop it with the reasonable questions.
For those interested in the kind of stuff that people do.. here is the top 100 list of passwords from the 130 million that Adobe lost last year: http://stricture-group.com/fil...
The thing that amuses me (or terrifies) is that nearly 2 million of the people had "123456" as their password..
Nearly another million had one of these: "123456789" "12345678" "1234567", and "1234567890" ...345,000~ chose "password" as their password (good going Adobe.. why is that even allowed?)
I like the people who chose "photoshop" as their password. ..
Going through that list you can just see people's minds working. It is crazy to see what people do.
A very simple problem opened up by making users rapidly change their passwords is that they will frequently forget what they just changed them to. They will change it last minute on Friday to something genius and on Monday scratch their heads and go, "Crap". So now they are going to call tech support who will walk them through some crude verifications and give them a new password.
A perfect example of this is a relative of mine who works for government. He was complaining about the frequent password changes he has to do. So I bet him that we could look under everyone's keyboard and find some passwords. Two of his people put them on post it notes under the keyboard, and another guy just had 30 passwords written on the bottom of his keyboard, which oddly provided some security as I couldn't guess which one was the newest.
But the best part was that I bet that with my relative's wallet and his most recent pay stub I could talk IT into resetting his password. So I called them up and they promptly walked me through resetting his password; but they didn't ask me a single question. So in the end I asked them how they knew I was me (him) and they said it was because of what phone I was calling from. I asked what they would have asked had I been home and they said, birthday, maybe the office's postal code.
So it wouldn't have mattered what genius password scheme they were using as the more genius it was the worse their social hacking problem would become.
A different relative who works for a different branch of government could even log in without her key fob as all she had to do was phone IT and whine until they let her in from home.
Now you might just wave your hand and say, no problem just bolster the security by telling them not to be nitwits. But those guys weren't being nitwits. In government or any large organization if you piss the wrong person off you will lose your job far faster than if someone hacks the system. So maybe for Sally secretary they might not be so persuaded but in the case of where I phoned in a forgotten password the person who should have been sitting at that desk could have an IT person's head very quickly. As could the other relative who whined past the need for a key fob.
So you assign it a time rating. When someone steals the entire password file, the ones associated with the shortest time limits will basically say "brute force these ones." It's the stupidest idea ever.
Here is wisdom. Let him that has understanding count the number of the beast: for it is the number of a man; and his number is Six hundred three score and six.
Solve that for my Slashdot password.
One day Pavlov walked into a bar and ordered a cognac. He was about to take a sip when the barkeep rang him up. He dropped his glass and shouted "Shit! I've got to feed the dogs!" and ran out.
Prisencolinensinainciusol. Ol Rait!
I really dislike any authentication system that rejects MY chosen password. It's my security, not yours, that I'm gambling on if I want an easy-to-type password. And the ones that make you change it every x number of days are even worse.
This is outright stupid. You can't force people to choose a decent password, they either will or they won't and no 'system' is going to force it upon them. At best, you're just creating a support irritation as people forget the password they were forced into changing.
Just dumb, can't say it enough. Leave me and my (in)secure passwords alone!
Does that mean the password has changed when I start salivating?
...let me give them an electric shock (say, through the keyboard) with voltage inversely proportional to password strength. That ought to encourage the use of something stronger.
Had the same user chosen "t3st123@##$x", he would either have the password written on a piece of paper or he would himself forget it in 3 days.
Difficult passwords get written on post-it notes stuck to the monitor, or in a diary etc. if they get changed regularly.
Spelled perfectly. It's a European thing: "highly resistant to noisy forcing"
Human Rights, Article 12: Freedom from Interference with Privacy, Family, Home and Correspondence
... i should change them weekly as well?
To whoever was talking about the Adobe password hack. I don't think anyone cared about that password. It was forced on them by Adobe for one marketing reason or another. Or because of the idiotic cloud suite thingy.
Now the passwords that really are important to me... those are hard to crack, don't worry.
I apologize for the lack of a signature.
Is the duty for password complexity correctly placed on the users' shoulders? I think not...
The user has two jobs:
1. Select a password he can remember
2. Choose a password someone else does not associate with him
Raising password complexity requirements makes those two jobs harder. In my observation, with rising password complexity, users tend to re-use passwords more often (which is more detrimental to security than a less complex password).
For password complexity to matter, the service provider must have failed (lost the data) and succeeded (chosen a half-way decent algorithm) at the same time.
Therefore I consider the burden of password complexity wrongly placed at the users' end.
Limit attempts to log in to any specific account to once every minute or so. Failure locks the account for a minute, so it doesn't matter what IP or console or program the request comes in from, etc., it's once per minute, period. That's 1440 attempts / day, max.
Attempts to try every password will take forever on even a moderately stiff PW. So ensure passwords are at least moderately stiff. Or better.
After some small number of failed attempts from one IP, blacklist the IP or console. After some small number of highly concurrent failed attempts from multiple IPs, blacklist all of them.
This prevents using constant PW attempts as a trivial DOS and causes uniform attrition in botnets -- not only can that IP or console not attack that user, they can't attack any other, either.
If you've allowed people to get ahold of your password hashes or lists, you're completely hammered. So create a password server that does nothing else. Provide hardened physical security for same. Create a custom hardware bridge that does nothing but handle passwords in a very specific manner, complete with the built-in delays. No other connectivity. Passwords are now as secure as your physical plant allows for.
This puts the least load on the legit user and transfers such heavy work to the cracker that it becomes pointless to try. It's not even all that technically challenging.
Now, making your actual application secure... that, apparently, is beyond the ability of most programmers today. Sigh.
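The throttling design in the comment above (one failed attempt per account per minute, per-IP blacklisting, and blacklisting a burst of failing IPs together), as an added example that is not the commenter's code. The per-IP and burst limits are assumed values, the clock is injected so the behaviour can be checked without waiting, and the credential check is a constructed stand-in for a real salted slow hash.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable

ACCOUNT_LOCK_SECONDS = 60      # the comment's "once per minute, period"
IP_FAILURE_LIMIT = 10          # assumed: failures before one IP is blacklisted
BURST_WINDOW_SECONDS = 60      # assumed: window for the "highly concurrent" rule
BURST_IP_LIMIT = 20            # assumed: distinct failing IPs that trip it

# Constructed user store: sha256 stands in for bcrypt/scrypt/Argon2.
USERS = {"alice": hashlib.sha256(b"correct horse battery staple").hexdigest()}


def demo_verify(account: str, password: str) -> bool:
    """Constant-time comparison against the stored digest (demo only)."""
    stored = USERS.get(account, "")
    digest = hashlib.sha256(password.encode()).hexdigest()
    return bool(stored) and hmac.compare_digest(stored, digest)


@dataclass
class LoginThrottle:
    verify: Callable[[str, str], bool]
    locked_until: dict = field(default_factory=dict)    # account -> unlock time
    ip_failures: dict = field(default_factory=dict)     # ip -> failure count
    recent_failures: list = field(default_factory=list)  # (time, ip) pairs
    blacklist: set = field(default_factory=set)

    def attempt(self, account: str, password: str, ip: str, now: float) -> str:
        """Return one of: ip-blacklisted, account-locked, bad-password, ok."""
        if ip in self.blacklist:
            return "ip-blacklisted"
        if now < self.locked_until.get(account, 0.0):
            # Locked regardless of the guess being right: the correct password
            # gets no faster answer than a wrong one during the lock.
            return "account-locked"
        if self.verify(account, password):
            self.locked_until.pop(account, None)
            return "ok"
        self._record_failure(account, ip, now)
        return "bad-password"

    def _record_failure(self, account: str, ip: str, now: float) -> None:
        # Rule 1: a failure locks the account for a minute, whatever the source.
        self.locked_until[account] = now + ACCOUNT_LOCK_SECONDS
        # Rule 2: a small number of failures from one IP blacklists that IP.
        self.ip_failures[ip] = self.ip_failures.get(ip, 0) + 1
        if self.ip_failures[ip] >= IP_FAILURE_LIMIT:
            self.blacklist.add(ip)
        # Rule 3: many distinct IPs failing inside one window go down together.
        self.recent_failures.append((now, ip))
        self.recent_failures = [(t, i) for t, i in self.recent_failures
                                if now - t <= BURST_WINDOW_SECONDS]
        burst_ips = {i for _, i in self.recent_failures}
        if len(burst_ips) >= BURST_IP_LIMIT:
            self.blacklist.update(burst_ips)


def max_attempts_per_day(lock_seconds: int = ACCOUNT_LOCK_SECONDS) -> int:
    """Upper bound on online guesses per account; 1440 for a one-minute lock."""
    return 86400 // lock_seconds


if __name__ == "__main__":
    t = LoginThrottle(verify=demo_verify)
    print(t.attempt("alice", "wrong", "10.0.0.1", 0.0))        # bad-password
    print(t.attempt("alice", "correct horse battery staple", "10.0.0.1", 30.0))  # account-locked
    print(t.attempt("alice", "correct horse battery staple", "10.0.0.1", 61.0))  # ok
    print(max_attempts_per_day())                               # 1440
```

Rule 1 is also a denial-of-service lever against a named account, which is why rules 2 and 3 exist: the attacker's sources are cut off, not just the target account.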
I've fallen off your lawn, and I can't get up.
That's not Pavlovian Psychology. That's Operant Conditioning.
We (CMtelecom) built a pretty elegant system to solve this.
1) you get an app from us with unique address / destination
2) we authenticate that app with your phone number (like whatsapp et al do)
3) the app gets a unique destination number - like a fake phone number
The website owners pay for each authentication, or either the user or website pays a flat-fee for just the app.
We send a one-time-password which first gets sent via push to your handset. If we detect the push message doesn't arrive, we follow it up with an SMS (iOS requires user-action to verify arrival of the push, Android does not). We can even roll this over to a voice-call with text to speech.
Now what's interesting is that because the app has a unique destination number, we can distribute this to websites etc. and they can tie this to your username. They send us the unique destination number and passcode and we look up in our database whose phone number belongs to it and send the password. Protects your phone number from irritating websites too.
Lastly, for ultra-secure requirements, we can lockdown the app itself with a pincode, and encrypt the push message (or just do a database call from within the app triggered by the push message) for the passcode.
Oh, and we're partnered with all the major 2FA providers.
Because password strength is the most important attack vector ever to threaten the security of our systems. Because nobody has ever implemented throttling. [/sarcasm]
How about this Pavlovian technique:
- every time a sysadmin puts a strong password requirement, kick him in the balls
- every time a sysadmin accepts simple passwords or completely skips auth for trivial stuff that nobody ever cares to "hack", give him his salary
[...mutters something about 80 accounts for a person, from which 78 are trivial accounts, while searching for a sysadmin to beat to death ...]
If someone can 'offline' crack your password, then that means: he has the password database/file.
In other words the complete system is already compromised!
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
This should be the first thing you tell your mother or Aunt Tilly [tm].
If you do the occasional shopping, email and Facebook usage you only really need to know one password; your email account. The others can be stored in your browser/app or reset if you ever forget. Having to do a password reset before doing your "once-a-year" ordering of photo-books is a minor inconvenience compared to having to remember loads of different passwords or worse; using the same password for all sites.
Teach Aunt Tilly [tm] the typical password-reset procedure and tell her that she doesn't have to remember these passwords, so there's no need for the password to be simple. Shopping sites really should move away from using passwords anyway. They can store a token in your browser and perform a reset using your email address if you're using a browser without the token. They can also do periodic resets of the token.
Just make sure that Aunt Tilly [tm] knows that there is one password that needs to be GOOD and she needs some way of remembering it; her email account. Having access to your email account would give criminals many great ways of screwing you over, since they can reset nearly all your passwords that way.
If she really can't remember a complicated password, then writing it down on a piece of paper in her house is much less likely to cause her trouble than using "mathilda" or "whiskers" as her password.
According to "security experts" a human being is supposed to remember 100+ unique passwords with no English dictionary words that's rotated every x days and absolutely never ever make a password list. I'd like to meet and test the "security expert" who lives by this rule, because for the vast majority of human beings, this isn't possible. So maybe they should try to figure out a realistic solution. Solutions like this will only cause more centralized password lists which really defeats the purpose of these hard to crack passwords, if one password gets them all.
The proposed scheme sounds more like operant conditioning than Pavlovian conditioning. Pavlovian conditioning made dogs salivate at the sound of a bell, without being given meat, just because the bell had been sounded when they got their meat earlier.
Making users change their passwords sooner if the quality is judged sufficiently low is simple feedback. Until they actually change to high-quality passwords (which hasn't been demonstrated yet), no kind of conditioning has taken place. And if it does happen, it is operant, not Pavlovian.
Or have I been trolled?
People who choose "correct horse battery staple" would always choose good passwords, would not reuse the same passwords for all their accounts. People who choose 12345, if forced to choose "correct horse battery staple", would write it on a post it note and very cleverly tape it to the underside of their keyboards instead of the monitor and congratulate themselves on their devious ingenuity.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Being a psychologist, this proposal fails the Pavlovian test in every bit. What classical conditioning shows is that for consequences to be effective, they have to be delivered immediately. Telling users they will have to change their passwords in 5 days because they are not secure enough is not going to work at all...
"Your password must contain at least one Eskimo word, one bizarre foreign character, and oh, can't match any of the last 42 passwords you've used."
"In other news, click here for great partner discounts on Secret Server ... "
(The above is a joke, not a commercial or referrer link of any kind.)
You have complete freedom to use whatever password you wish and to change it whenever you wish, but the company has a rack or 3 of kit dedicated to cracking passwords. If yours gets cracked then you get forced to change it. If it gets cracked again your colleagues (and manager, and staff) also get told so that they can provide peer pressure/ridicule/helpful advice.
The cracking software can be aware of common passwords, your previous passwords and things like the names of projects you're working on. There can even be a 'submit a crib' internal website where others can upload the cryptic post-it that's on your desk to see if it gives password hints.
Depending on the exact situation of your working environment the penalties might be far harsher.
Obviously if you work for a very big company they might use a rather large value of 3.
If tracking is so all encompassing and accurate in spite of all efforts to subvert it, why do we need passwords at all?
I am 65, on SS, broke and live 10 miles out in the country with just my wife and no one else within miles. I am FORCED to enter a password to use my computer. After entering a password that is displayed as dots so my wife (who has all my passwords) can't see over my shoulder and steal it, I want to see my email, so I get to enter another password which she also knows and is displayed as dots - so I don't know if I typed it right or not, even though to get to my email client I had to log into my computer first. I then want to play some MMO games and of course have to log into them, even though I am accessing them from a computer that only I have access to and have already logged into. Then I step out of the room to get a cup of coffee and when I get back I get to log into the computer again, because someone decided it might not be safe to have my computer in my house out in the country 10 miles from anywhere unattended for 5 minutes.
I go through this all day every day - and NONE of it is helping me be safe and secure from all harm... In fact it does almost nothing to help me be secure.
Then I am told that I need to have different passwords that look like 12xfeg^&*snbtr for each account I have anywhere, so I am secure. I am expected to change my password (sometimes forced to change it) once a month into something I have not ever used before and also can't remember. Then I am reminded that writing down my password could lead to plagues and pestilence, so I am expected to use passwords that no reasonable person could possibly remember and told not to write them down, and when I type them in they are displayed as dots to protect me...
I would like the option to OPT OUT of all this bullshit. Entering passwords 20 or 30 times a day is more than a little silly. It is well past time that we have secure connections and biometric security on my computer - worst case.
Then people wonder why passwords like 123456 are so popular.
When will members of the IT security community start to get realistic with passwords. The typical user has to write down their convoluted password, leading to a genuine security risk. Why aren't systems designed with an increasing delay period between failed attempts and an eventual lockout. This allows the user to create a memorable password, and hackers won't have the ten thousand years required for a brute force attack.
The faulty assumption of this article is that it would take three days to crack such a weak password. It's been demonstrated many times that it takes no time at all: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
If someone is forced to change a password every 2 days because they choose passwords that can be cracked on average every 5 days, then you are gaining nothing. That "on average" means that sometimes it is guessed in 1 day.
Forcing password changes greatly increases the likelihood that the user will forget the password, necessitating some password recovery method which can also be a target of exploitation.
I use Keepass and let it generate random 6-8 character unique passwords with numbers and lower case only (for ease of typing on a phone/tablet) letters. For the stuff you use a lot those turn out to be easy enough to remember anyway. That's more than adequate for an online service, though obviously not as a key for local encrypted data.
Works well apart from obnoxious password strength checkers that think it's easy to guess just because there are no upper case letters or symbols. A more intelligent checker would be very welcome.
What about: 54690fc6479de2dfd4a3a513db2be92e205494d7? I could output B64 if special chars and cases and crap are needed.
That's what my password generator spits out for slashdot.org with the above 3-day password. I could use that same password and generate a new password on every website. I can change the hash's salt to change all my passwords on the entire Internet without changing my 3-day password. Keep two copies of the hash generator (new / old) and if the new one doesn't work, use the old one and immediately change my password to the new one.
Why don't most password systems support Unicode passwords? Besides the small accessibility problem, I'd like someone to try to crack some Japanese, Chinese, Thai, or Arabic text, whether it makes sense or not.
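The derived-per-site scheme the comment above describes (one memorised secret, a salt you can bump to roll every site password at once, hex or base64 output depending on what the site accepts), as an added example rather than the commenter's own generator. It assumes PBKDF2-HMAC-SHA256 as the hash, a "generation" string as the salt, and constructed inputs.

```python
import base64
import hashlib

PBKDF2_ITERATIONS = 200_000   # assumed; slows offline guessing of the memorised secret


def derive_site_password(master: str, site: str, generation: str,
                         length: int = 20, symbols: bool = True) -> str:
    """Derive one site's password from the memorised secret.

    site       - the hostname the password is for; changes the output per site.
    generation - the comment's "salt": bump it (v1 -> v2) and every derived
                 password changes while the memorised secret stays the same.
    symbols    - base64 output (letters, digits, + and /) for sites that demand
                 symbols and mixed case; hex otherwise, like the 40-char value
                 quoted in the comment.
    """
    if length < 8:
        raise ValueError("derived password too short to be useful")
    salt = f"{generation}|{site.lower()}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ITERATIONS)
    encoded = base64.b64encode(key).decode() if symbols else key.hex()
    if length > len(encoded):
        raise ValueError(f"max length for this encoding is {len(encoded)}")
    return encoded[:length]


def rollover_pair(master: str, site: str, old_gen: str, new_gen: str) -> tuple:
    """The 'keep two copies' step: the old value to log in with, the new one to set."""
    return (derive_site_password(master, site, old_gen),
            derive_site_password(master, site, new_gen))


if __name__ == "__main__":
    # Constructed inputs; "3-day-pass" stands in for the memorised secret.
    old, new = rollover_pair("3-day-pass", "slashdot.org", "v1", "v2")
    print("log in with:", old)
    print("then change to:", new)
    print("hex form:", derive_site_password("3-day-pass", "slashdot.org", "v1",
                                            length=40, symbols=False))
```

The defender's caveat that L32's wrench question already raises applies here too: a leaked derived password is an offline guessing target for the memorised secret, which is why the iteration count matters and why the secret itself still has to be long.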
"No man's life, liberty, or property are safe while the legislature is in session." -- Judge Gideon J. Tucker
It seems that the logic here might not be applied consistently.
If we are shortening password change time for poor passwords, under the argument they are easy to crack; then likewise hard passwords that would take a "forever" to crack should have no expiry. The rules have decided to be altered, except for the ones that are established orthodoxy, those must blindly be followed without adjudication for all time.
Perhaps the real Pavlovian behavior here is the bell that rings every 90 days.
How about this: sites that have their password databases breached pay a $1B fine, the fine paid in part by the company, the management, and the devs responsible.
The users are not the ones in need of training here.
-Chris
Great idea, let's make it the users problem that we don't throttle logins or trust our software to not leak password hashes...
Or then just find a write only method for validating logins and throttle attempts?
Interesting discussion. I can think of one instance where a strong password mattered. When the torrent site Oink had their servers grabbed by Interpol, the people with easy passwords were the ones that were prosecuted. It wasn't worth the time or the hassle to go after the harder to crack passwords.
I have a brain injury that destroyed my short term memory and ability to organize. Passwords are my personal hell.
I'll choose an impossibly hard password (which doesn't have to be changed for 2 years) & write it down and stick it somewhere convenient.
This is a US specific problem - being charged for receiving calls or text messages.
Why do dumbass businesses allow login anywhere but work and from your particular machine? And have a "register tonight only" capacity for logging in from home to register that address.
Design a product and stop exposing dangerous APIs without restriction.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
My password is #_DR00L
If someone is able to cross reference the user identities against the time required for a password reset then it would be easier to figure out who to socially engineer in an organization as well as give hints on what accounts to focus attacks on.
Aww, man, every 90 days?
Now I'll have to get a new set of password tattoos on my groin.
Passwords and their complexity and strength come up quite often because they are used by most people. But for sites that use certificates and keys to log in, rather than passwords, nobody seems to mention anything regarding policy, except maybe key length and algorithm. But did anybody study how safe it is to tag along a certificate or key for 5 years? Are these safer because the only way to compromise your accounts is to actually get a copy of your key from your computer, with no brute force option? And let's say your keys are password protected with a decent password that you can still remember easily without writing it down, so they actually have to be lifted from your key agent's memory instead. Then you're pretty much fucked as much as the weak password guys.
Does it look like it's safer to login with a physical token (Google Authenticator on your mobile phone) because it makes it so much harder to lift your private key, since it's not actually in your computer? Is it still safer even if that's all you use, and no password at all? What you know is your account ID (no password), and what you have is your phone with Google Authenticator. My bank does this and I can't find a flaw in the idea. No password to write down on a sticky note, and I don't care who gets my username.
Passwords you can remember are over. To make them feasible to use with fast hashing for web servers, etc. you need to make them long and properly random. And then protect them with strong encryption in your password manager, which can happily run tens or hundreds of thousands (or more) rounds of encryption so that your pass-phrase to get into THAT is manageable.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Well good thing he doesn't post his paper to the internet for you. The odds of a random person being able to deduce his algorithm are much smaller than the average slashdotter.
I don't see where Pavlov comes into this, but I should probably read the story.
I like the idea, it's a great way to educate people. It's a stretch to call this conditioning, as was the case with Pavlov's dogs. People are never going to salivate at the thought of having to change their passwords using a strong password. As a user and a someone who manages thousands of user accounts, I'd be all for a system like this.
... not likely. I always use Linux, and UTF-8. My native language is not English, so having a setup beyond ASCII is a given.
As for the bank where you set a password that cannot possibly work - well that is just a call to support.
Making people change passwords frequently is a security risk - period. So ditch the "every 3 months" rule or "every year" rule or whatever. Get a strong password, and change it only if there is a breach. A long hairy password is ok if you can cling to it for decades. People who change every third month always pick easy passwords. Or write it on a scrap of paper. Or use serial passwords like mypassword01, mypassword02, ... The latter offering NO security in the case where one of the earlier passwords was cracked.
When I'm brute-forcing your password, I only need to guess the password you have today. The fact that you changed it yesterday doesn't make my hacking any harder at all. The fact that you'll change it again tomorrow won't keep me out either - when I get in, I install a backdoor of some sort.
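The serial-password failure the commenter describes can be checked from both sides. The block below is an added example for this page, not the commenter's code: `candidates_from_cracked` builds the list a cracker who already has `mypassword01` would try next, and `is_trivial_rotation` is the matching policy check a password-change form can run (it needs the old password in cleartext, which is only available at change time, when the user has just typed it). The suffix alphabet, the appended strings and the two-edit cutoff are assumptions, not any product's rules.

```python
import re

# Trailing characters users typically bump or append when forced to rotate (assumed set).
_SUFFIX_RUN = re.compile(r"[0-9!@#$%^&*()_+.,;:?/\\|~\-=]+$")


def stem(password):
    """Strip the trailing digit/symbol run and case, so 'MyPassword02!' and
    'mypassword03' share the stem 'mypassword'."""
    return _SUFFIX_RUN.sub("", password).lower()


def levenshtein(a, b):
    """Edit distance, to catch one- or two-character tweaks that keep the suffix."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_rotation(old, new, max_edits=2):
    """Policy side: True when the new password is derivable from the old one by
    the usual rotation tricks (same stem with a new suffix, or a couple of edits)."""
    if old.lower() == new.lower():
        return True
    s_old, s_new = stem(old), stem(new)
    if s_old and s_old == s_new:
        return True
    return levenshtein(old.lower(), new.lower()) <= max_edits


def candidates_from_cracked(cracked, count=50):
    """Attacker side: from one cracked password, the guesses a cracker tries next.
    Bumps the numeric run (keeping its zero padding) and tries common appends."""
    out = []
    m = re.match(r"^(.*?)(\d+)(\D*)$", cracked)
    if m:
        base, digits, tail = m.groups()
        start, width = int(digits), len(digits)
        out.extend(f"{base}{i:0{width}d}{tail}" for i in range(start + 1, start + 1 + count))
    for suffix in ("!", "1", "123", "2014", "2015"):   # assumed common appends
        out.append(cracked + suffix)
    return out


if __name__ == "__main__":
    # Constructed sample of old/new pairs a change form might see.
    for old, new in [("mypassword01", "mypassword02"), ("Winter2013!", "WINTER2014!"),
                     ("mypassword01", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: trivial rotation = {is_trivial_rotation(old, new)}")
    print("next guesses after cracking 'Summer2013!':", candidates_from_cracked("Summer2013!", 3))
```

The attacker list is tiny (a few dozen guesses) and works against the current hash of any account that rotates this way, which is the commenter's point: rotation that changes only the suffix adds a handful of guesses, not a new search.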
Do cell phone companies still charge for text messages?
People who use a cell phone to replace a house's primary land line tend to have plans with unlimited (or at least very generous) talk and text airtime. But people who use a cell phone as a secondary phone to make short, urgent calls ("can you pick me up in a few minutes?") tend to be on pay-as-you-go plans that cost $10 per month or less. For example, Virgin Mobile's least expensive advertised plan for basic phones requires a minimum payment of $20 plus tax every 90 days to maintain service. These pay-as-you-go plans charge per voice minute on both outgoing and incoming calls and both sent and received text messages.
And for a non-financial account - who cares?
Because more accounts are financial than one might initially guess. Amazon, Apple, and Google all save payment information. Besides, a growing number of web sites are relying on third-party identity proofing that uses the mobile phone network as a root of trust. For example, commenting on The Huffington Post requires signing up for Facebook, "verifying" the Facebook account by linking a globally unique phone number to it through SMS, and linking the Facebook account to the Huffington Post account. Yahoo even requires SMS just to create an account.
Hey, if you want to log into work, you're going to need something work-issued to do that.
"I'm sorry; I'm out of the office. I won't be near something work-issued for 64 hours." Some managers would find this unacceptable.
Passwords aren't echoed on the screen
Bruce Schneier agrees with Jakob Nielsen that mandatory password masking is another thing that needs to go away.
Alleged enemy combatants don't get lawyers.
The PolyPassHash system to which you're referring will lock everyone out after a reboot. It takes a quorum of system administrators logging in after a server restart to get the authentication system back online. This might work for some sites but not for all.
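To make the lockout the commenter describes concrete: in a threshold scheme of this kind the secret that protects ordinary accounts is the constant term of a random polynomial, each administrator's password unlocks one point on it, and the secret is only ever held in memory, so after a restart nothing can be verified until enough admins have logged in to interpolate it back. The block below is an added, deliberately simplified example in that spirit, written for this page; it is not the PolyPassHash implementation and omits its handling of accounts created while locked. The field prime, the XOR masking of shares and the HMAC-based user verifier are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

P = 2 ** 127 - 1   # prime field for the share polynomial (assumed choice)


def _mask(salt, password):
    """127-bit pad derived from an admin password, XORed over that admin's share
    so the stored value reveals nothing about the share without the password."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return int.from_bytes(digest[:16], "big") >> 1


def lagrange_at_zero(points):
    """Recover f(0) from n distinct points of a degree n-1 polynomial mod P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


class ThresholdAuthStore:
    """Toy threshold store. `secret` exists only in memory; `secret_check`,
    the admin records and the user records are what would be on disk."""

    def __init__(self, threshold):
        self.k = threshold
        self.secret = secrets.randbelow(P)
        self.secret_check = hashlib.sha256(self._secret_bytes()).digest()
        self._coeffs = [self.secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
        self.admins = {}     # name -> (salt, x, share XOR mask)
        self.users = {}      # name -> (salt, verifier)
        self._next_x = 1

    def _secret_bytes(self):
        return self.secret.to_bytes(16, "big")

    def _f(self, x):
        result = 0
        for c in reversed(self._coeffs):          # Horner evaluation mod P
            result = (result * x + c) % P
        return result

    def add_admin(self, name, password):
        if self._coeffs is None:
            raise RuntimeError("this toy only issues shares at initial setup")
        salt = secrets.token_bytes(16)
        x, self._next_x = self._next_x, self._next_x + 1
        self.admins[name] = (salt, x, self._f(x) ^ _mask(salt, password))

    def add_user(self, name, password):
        self._require_unlocked()
        salt = secrets.token_bytes(16)
        verifier = hmac.new(self._secret_bytes(), salt + password.encode("utf-8"), hashlib.sha256).digest()
        self.users[name] = (salt, verifier)

    def reboot(self):
        """Simulate a restart: whatever lived only in memory is gone."""
        self.secret = None
        self._coeffs = None

    def is_locked(self):
        return self.secret is None

    def _require_unlocked(self):
        if self.is_locked():
            raise RuntimeError("locked: a quorum of admins must log in first")

    def recover(self, admin_logins):
        """admin_logins: list of (name, password). A wrong password yields a wrong
        point; the stored hash of the secret catches that instead of silently
        unlocking with garbage."""
        if len(admin_logins) < self.k:
            raise ValueError(f"need {self.k} admin logins, got {len(admin_logins)}")
        points = []
        for name, password in admin_logins[: self.k]:
            salt, x, protected = self.admins[name]
            points.append((x, protected ^ _mask(salt, password)))
        candidate = lagrange_at_zero(points)
        if hashlib.sha256(candidate.to_bytes(16, "big")).digest() != self.secret_check:
            raise ValueError("recovered secret failed its check: an admin password was wrong")
        self.secret = candidate
        return True

    def verify_user(self, name, password):
        self._require_unlocked()
        salt, verifier = self.users[name]
        tag = hmac.new(self._secret_bytes(), salt + password.encode("utf-8"), hashlib.sha256).digest()
        return hmac.compare_digest(tag, verifier)
```

Run through the comment's scenario: create the store with `threshold=2`, add three admins and a user, call `reboot()`, and `verify_user` raises until `recover` has been given two correct admin logins. The trade the commenter points at is visible in the code: the verifier for every ordinary account is keyed with a secret that is not on disk, which is what makes a stolen database useless to an offline cracker, and also what makes the service unusable until the quorum shows up.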
TheRaven64 disagrees with you that the average workstation in developed countries should be run through a UPS. Besides, what will you truthfully say about your password if it turns out that the government agent gets smart and shuts down the system in an orderly manner by unplugging the UPS?
It's nice to see that some things never change.
Introduce a profound article on /. and the community... bickers about something completely different.
I, for one, applaud the policy described in TFA. Calculating the median time to crack weak passwords, then requiring the password to be replaced within that time frame, is nothing short of brilliant. It's a practical approach to security; something they should have been doing all along. Can't wait until this elevates to law-of-the-land status.
Until then, please, keep discussing whatever it was you felt was so important.
This post © Copyrite Duggeek, all rights reversed.
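The policy the commenter applauds, a deadline derived from the estimated time to crack, is easy to compute once you fix an attacker model. The block below is an added example for this page, not the article's or Deloitte's code: it estimates the median offline crack time from the password's length and character classes and maps it to a number of days before forced replacement. The guess rate, the two-thirds safety fraction and the one-year cap are assumed figures for the illustration, not the article's schedule, so the days it prints differ from the article's three days and three months.

```python
import math
import string

# Assumed attacker capability: guesses per second against a fast hash on GPU hardware.
# Constructed figure for the illustration; set it from your own threat model.
GUESSES_PER_SECOND = 10 ** 10
SECONDS_PER_DAY = 86400


def charset_size(password):
    """Size of the smallest standard alphabet that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def keyspace_bits(password):
    """Bits of keyspace for exhaustive search over the inferred alphabet."""
    return len(password) * math.log2(charset_size(password)) if password else 0.0


def expected_crack_seconds(password, rate=GUESSES_PER_SECOND):
    """Median time for exhaustive search: half the keyspace at `rate` guesses/s."""
    return 2 ** keyspace_bits(password) / 2 / rate


def rotation_deadline_days(password, rate=GUESSES_PER_SECOND, safety=2 / 3, cap_days=365):
    """Days the password may be kept: `safety` times the median crack time,
    capped at `cap_days`. 0 means it falls within a day and should be rejected
    at creation rather than scheduled for replacement."""
    days = expected_crack_seconds(password, rate) / SECONDS_PER_DAY * safety
    return min(cap_days, int(days))


if __name__ == "__main__":
    for pw in ("password", "test123@#", "t3st123@##$x", "correcthorsebatterystaple"):
        print(f"{pw:28} {keyspace_bits(pw):6.1f} bits  "
              f"replace within {rotation_deadline_days(pw):>4} days")
```

One caveat a practitioner would add before adopting this as the sole input: the exhaustive-search estimate is an upper bound on attacker effort. `test123@#` is a dictionary word plus a short digit run plus two symbols, and rule-based cracking tries exactly that shape long before it reaches the middle of a 68-character alphabet, so the deadline such a policy assigns to patterned passwords should be treated as generous. The estimate is sound for passwords that really are uniformly random over their alphabet, which is the case the comment thread's passphrase advocates are making.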
should follow ignition keys and Blu-ray out the door