Applying Pavlovian Psychology to Password Management
Ars Technica reports on an interesting and sensible-sounding approach to password policy that I'd like to see adopted just about everywhere I have a password (which, these days, is quite a few). An excerpt:
"For instance, a user who picks "test123@#" might be required to change the password in three days under the system proposed by Lance James, the head of the cyber intelligence group at Deloitte & Touche. The three-day limit is based on calculations showing it would take about 4.5 days to find the password using offline cracking techniques. Had the same user chosen "t3st123@##$x" (all passwords in this post don't include the beginning and ending quotation marks), the system wouldn't require a change for three months."
From the article: "Passcodes that have a length of 20 or more can contain any character type an end user wants, including all lower case letters." And sites like Phil's Hobby Shop have lowered "complexity" requirements for sufficiently long passwords. I'm glad the passphrase concept is catching on. To what extent can xkcd be credited with awareness of passphrases?
Include the quotes, and be even more secure!
"National Security is the chief cause of national insecurity." - Celine's First Law
"highly resistant to bruit forcing"
Especially if you misspell words!
"National Security is the chief cause of national insecurity." - Celine's First Law
Sure, implement this and watch most of your userbase write passwords down and keep them on the side of the monitor or under the keyboard.
And the featured article agrees. It mentions Stanford tapering down complexity requirements for longer passwords, dropping them entirely at over 20 characters.
Unless the developers have taken a belt-and-suspenders approach to guarding against cross-site scripting and Bobby Tables attacks by not only using parameterized statements but also stripping any punctuation characters that may have special meaning in HTML or in SQL. Angle brackets, ampersands, and quotation marks become an underscore, which is a more common (that is, less entropy) character in passwords.
Because all you are going to get is users deciding that they cannot come up with a 10th password that year and just picking "123456".
"I'd like to see adopted just about everywhere I have a password (which, these days, is quite a few)"
What a joke. If every site used this method I, and many other people, would need to change multiple passwords every single day of the year. The entire system would break down and become completely unmanageable.
Troll is not a replacement for I disagree.
I just say 'generate' to PasswordSafe (right now my tool of choice) and have an 8-character pile of gibberish that I can't pronounce and never read. If someone points a gun to my head (the NSA?) and asks for my online banking password, I can only - truthfully - say that I have no idea.
BTW, pavlovian to me implies egg whites and sugar, mixed and then baked. Then cream.
"The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
Yes of course. Some of us just don't care enough if our random login to some website we visited once isn't secure.
The perception of website owners that I HAVE to remember their password just shows overblown feeling of self-importance for site owners.
The only sensible approach - completely random passwords, generated by some tool and stored in a key chain with good one master password.
Idea that user somehow would remember password for each site he uses is simply stupid. The number of passwords can easily go up to a hundred. And if all sites start insisting on changing them once in 3 days users will likely go insane.
And be damned those site owners who make it very difficult for the browser to insert a saved password. And the worst I've seen so far is Home Depot's credit services (owned by Citibank, I presume).
And yes, I know, passwords are used not only on websites. Nevertheless - in an ideal world the user just plugs in his encrypted key chain and uses it to access everything he needs with one password. Well, maybe two - personal and work.
Bruce Schneier considers writing down passwords to be acceptably secure. Carrying around a card with your passwords on it isn't really any less secure than carrying around a piece of plastic with your credit card number embossed on it.
The computer will tase the users if they forget to change their passwords at the prescribed time. If they do remember, give them a biscuit, with a glass of milk if it's a strong password.
“He’s not deformed, he’s just drunk!”
Using either hyphens or underscores to replace spaces also helps, especially if you use both of them, e.g., This-is_an_example-of-a_passphrase.
Good, inexpensive web hosting
Someone can still point a wrench to your head and ask for your PasswordSafe master password. What would be your truthful answer to the following question: "Do you know your online banking password, or any other password that can be used to retrieve your online banking password?"
As illustrated in the comic, your mind can end up constructing a "story" around whatever four words your Diceware spits out. So long as you can remember the story, it doesn't need to be grammatical.
The battle to make users remember arbitrary characters isn't just foolish, it's insecure.
Which is not what this is about. The article is about varying the password expiration by whatever password grading system you have chosen
Without advocating a specific grading system.
But there are some pretty decent grading systems that use a graph-based approach to calculate an approximation of time to crack, based on application of different cracking techniques to different substrings within the password.
For example, for 3 common words strung together: you count the number of words in all the dictionaries that each word shows up in, and you figure time to crack for that substring as n/2 for each word, where n is the size of the smallest of the cracking reference dictionaries containing that word, and multiply those times together for the words strung together.
For common variants such as leet substitution, applying a misspelling, appending a digit, prepending a symbol, changing a case....
Of course, then, the approximate effect on crack time of all these things can be calculated.
Appending a digit multiplies it by 10.0. Prepending a symbol multiplies it by 6.0. Alternating the case of some letters multiplies the strength of that word by 2.0.
Performing leet-speak substitution multiplies the strength of that word by 1.05.
Applying a misspelling, single letter substitution, or transposition to a word multiplies time to crack that word by 26.0, etc.
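The multiplicative grading scheme sketched in the comment above, written out as runnable code (an added example, not the commenter's or any vendor's implementation). The dictionary sizes, word memberships, guess rate and the 2/3 expiry factor (the story's 3-day expiry for a 4.5-day crack time) are constructed assumptions.

```python
"""Crack-time grader: expected guesses = product over substrings, times variant multipliers."""

# Constructed reference wordlists: name -> number of entries.
# A real grader would load the actual cracking dictionaries it models.
DICTIONARIES = {
    "top-1k": 1_000,
    "english-50k": 50_000,
    "names-10k": 10_000,
}

# Constructed membership table: word -> wordlists that contain it.
MEMBERSHIP = {
    "correct": {"english-50k"},
    "horse": {"top-1k", "english-50k"},
    "battery": {"english-50k"},
    "staple": {"english-50k"},
    "password": {"top-1k", "english-50k"},
    "alice": {"names-10k"},
}

# Multipliers for common variants, as quoted in the comment above.
MULTIPLIERS = {
    "digit_appended": 10.0,
    "symbol_prepended": 6.0,
    "case_alternated": 2.0,
    "leet": 1.05,
    "misspelled": 26.0,
}

GUESSES_PER_SECOND = 1e9   # constructed assumption for an offline cracking rig
EXPIRY_FACTOR = 2 / 3      # constructed: 3-day expiry for a 4.5-day crack time
LOWERCASE_ALPHABET = 26


def word_guesses(word):
    """Expected guesses for one substring: n/2 with n the smallest wordlist holding it."""
    wordlists = MEMBERSHIP.get(word.lower())
    if not wordlists:
        # Not in any reference wordlist: fall back to half the lowercase keyspace.
        return LOWERCASE_ALPHABET ** len(word) / 2
    n = min(DICTIONARIES[name] for name in wordlists)
    return n / 2


def expected_guesses(parts):
    """parts: list of (word, variants) where variants is a tuple of MULTIPLIERS keys.

    Guesses for the whole password are the product of the per-word estimates,
    each scaled by the multipliers of the variants applied to that word.
    """
    total = 1.0
    for word, variants in parts:
        guesses = word_guesses(word)
        for variant in variants:
            guesses *= MULTIPLIERS[variant]
        total *= guesses
    return total


def crack_time_days(parts):
    """Expected offline crack time under the assumed guess rate."""
    return expected_guesses(parts) / GUESSES_PER_SECOND / 86400


def expiry_days(parts):
    """Forced-change interval: a fixed fraction of the expected crack time."""
    return crack_time_days(parts) * EXPIRY_FACTOR


if __name__ == "__main__":
    weak = [("password", ("digit_appended",))]
    passphrase = [(w, ()) for w in ("correct", "horse", "battery", "staple")]
    for label, parts in (("password1", weak), ("passphrase", passphrase)):
        print(f"{label}: crack {crack_time_days(parts):.3g} days, "
              f"expire after {expiry_days(parts):.3g} days")
```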
There are many off-the-shelf two factor solutions today. Choose one.
That's fine if you only ever sign into one web site that uses two-factor authentication. But if every web site you sign into during the day insists on a different off-the-shelf two-factor solution, or if one of the solutions is pay-per-use, it could get very expensive. One such pay-per-use method that has become popular is receiving a text message on a cell phone.
With anonymous posting, how do you prevent people from inserting off-topic advertisements?
For example, if a password unlocks access to a bank account, it's reasonable for the bank to require more secure forms of access: including ones that are better than mere passwords, themselves.
However if all a website visitor has at risk is comments about stories. Comments that can be, and often are, as banal as I lik [sic] catz then even a 1 character password seems like overkill. As it is, the website owner often has a highly inflated idea of the worth of his/her/its website and maybe even an unbalanced paranoia towards security in general - maybe passwords aren't actually their biggest security problem. So I'd suggest the answer is for users to vote with their feet (or their passwords) and feed back to the admins what THEY think is the right level of annoyance they should be put to, in order to access websites' "riches". It might be a lot lower than the owners think it should be.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
If you're assuming your hashed password file is public or you allow unlimited login attempts without shuttering the connections, then this makes some sense. But if your pw file is public you need to force a change far before the average crack time (like 2 stddev), which probably means hours on an average of 3 days to crack.
But if your pw file isn't supposed to be public, then you're setting a policy assuming your system has been cracked and are passing bad math onto the users as annoyance. And then blaming them. If you fail to factor in the likelihood of the password file being taken, then all the "average time to crack" might not matter.
So how do you plan on carrying this "system" everywhere you go and having it interface with every other piece of hardware that you use? If you plan to use your smartphone or pocket tablet to remember your passwords, can it emulate a keyboard to key in the password? Does the machine into which you must enter your password even have an accessible USB port?
Yes, we're assuming that the hashed password file has a substantial probability of getting leaked, just as it was in several other high-profile breaches (Sony, Target, etc.). If it's impossible for an inside job to leak the password file, then how can the system 1. use the password file to authenticate users and 2. back up the password file in case of hardware failure?
We should increase password strength rules!
Right now, at most sites, the strength rules are such that they disallow a significant portion of the unconstrained search space.
If we keep increasing the number of constraints, we will further reduce the search space.
Eventually, we will get to the point where I only have to remember one password, because it's the only password I, or anyone else, is allowed to have.
Are they really more annoying than the popups and popunders and intrusive audio ads?
For those interested in the kind of stuff that people do.. here is the top 100 list of passswords from the 130million that Adobe lost last year: http://stricture-group.com/fil...
The thing that amuses me (or terrifies) is that nearly 2million of the people had "123456" as their password..
nearly another million had one of these: "123456789" "12345678" "1234567", and "1234567890" ...345,000~ chose "password" as their password (good going adobe.. why is that even allowed?)
I like the people who chose "photoshop" as their password. ..
Going through that list you can just see people's minds working. It is crazy to see what people do.
Sure, and it's nice that you can type "echo -n password | md5sum" to a shell if you forget the hex. But it might be better to keep your password secret, unless you intend to google "No one will guess... site:it.slashdot.org" to retrieve it in the future. You might as well tell everyone that a great password is "correct horse battery staple" - no one would guess THAT - and it's easier for a human brain to remember than xkcd.com/936/
+1 to this, using foreign language characters in a passphrase is a great idea, it makes things more secure since it increases the number of combinations hackers need to try (assuming they even have the foreign language characters in their data sets which I doubt they do)
Passwords are an annoying hack. Trying to force users to accept more and more onerous conditions to satisfy this hack is just laziness. Think up a better system.
A very simple problem opened up by making users rapidly change their passwords is that they will frequently forget what they just changed them to. They will change it last minute on Friday to something genius and on Monday scratch their heads and go, "Crap". So now they are going to call tech support who will walk them through some crude verifications and give them a new password.
A perfect example of this is a relative of mine who works for government. He was complaining about the frequent password changes he has to do. So I bet him that we could look under everyone's keyboard and find some passwords. Two of his people put them on post it notes under the keyboard, and another guy just had 30 passwords written on the bottom of his keyboard, which oddly provided some security as I couldn't guess which one was the newest.
But the best part was that I bet that with my relative's wallet and his most recent pay stub I could talk IT into resetting his password. So I called them up and they promptly walked me through resetting his password; but they didn't ask me a single question. So in the end I asked them how they knew I was me (him) and they said it was because of what phone I was calling from. I asked what they would have asked had I been home and they said, birthday, maybe the office's postal code.
So it wouldn't have mattered what genius password scheme they were using as the more genius it was the worse their social hacking problem would become.
A different relative who works for a different branch of government could even log in without her key fob as all she had to do was phone IT and whine until they let her in from home.
Now you might just wave your hand and say, no problem just bolster the security by telling them not to be nitwits. But those guys weren't being nitwits. In government or any large organization if you piss the wrong person off you will lose your job far faster than if someone hacks the system. So maybe for Sally secretary they might not be so persuaded but in the case of where I phoned in a forgotten password the person who should have been sitting at that desk could have an IT person's head very quickly. As could the other relative who whined past the need for a key fob.
So you assign it a time rating. When someone steals the entire password list, the ones associated with the shortest time limits will basically say "brute force these ones." It's the stupidest idea ever.
YESSS!! Finally I'll be able to log into and post from the illustrious Anonymous Coward account!
Cwm, fjord-bank glyphs vext quiz
Precisely what I was thinking. I'm not sure what problem they're trying to solve by forcing users to change passwords. Besides which, tying expiration dates to each password basically just tells the attacker which passwords are likely the easiest to brute force. That may not be a problem if your expiration dates are always sooner than the amount of time necessary to brute force the passwords, but what's to stop an attacker from simply making a box that's twice as powerful? It's a silly pursuit.
Moreover, a service which provides this sort of an "incentive" is one which users will simply stop using, since nearly no one in the mainstream is even equipped to respond appropriately. The Slashdot sort of crowd is basically the only group using password managers. Trying to incentivize this sort of behavior before password managers are in the mainstream is like shocking your dog every time it fails to clean up its own crap in the yard, despite the fact that it has no comprehension for how to use tools, bags, or whatever else you might use.
One day Pavlov walked into a bar and ordered a cognac. He was about to take a sip when the barkeep rang him up. He dropped his glass and shouted "Shit! I've got to feed the dogs!" and ran out.
Prisencolinensinainciusol. Ol Rait!
What are these 'foreign' language characters you repeat twice?
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
I really dislike any authentication system that rejects MY chosen password. It's my security, not yours, that I'm gambling on if I want an easy-to-type password. And the ones that make you change it every x number of days are even worse.
This is outright stupid. You can't force people to choose a decent password, they either will or they won't and no 'system' is going to force it upon them. At best, you're just creating a support irritation as people forget the password they were forced into changing.
Just dumb, can't say it enough. Leave me and my (in)secure passwords alone!
+1 to this, using foreign language characters in a passphrase is a great idea, it makes things more secure since it increases the number of combinations hackers need to try (assuming they even have the foreign language characters in their data sets which I doubt they do)
Enjoy being locked out when you realize that UTF8 != CP-1252 != UTF16LE, etc. Oh, and god help you if you need to use a different OS to login, or don't have rights on the given machine's account to change the input charset. And all this is before you get into the potential disconnect between the webapp's stated charset vs the backend password system's charset (your password text field input isn't being passed around as raw bytes no matter how much you might wish it to be, sorry).
There is no hell like charset encoding. Yes, in some imaginary world where everyone dropped IPv4 when IPv6 came out, simply because it was the correct technical solution, your idea might work due to ubiquitous, end-to-end UTF8.
Here in the real world, well, one time I got locked out of a shitty online banking system because I used a punctuation character in my chosen password while setting it and all non-alphanumerics were stripped from input in the login password field, thereby preventing me from ever being able to submit my chosen password.
The real world is horrific and soul crushing.
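The lockout the two comments above describe, reproduced as an added example (not code from the page): the same password set through one layer and checked through another fails when the bytes that reach the hash differ (a CP-1252 or UTF-16 re-encoding, a login field that strips punctuation, or a differently normalised Unicode form), and passes when the verifier canonicalises before hashing. The salt and iteration count are constructed.

```python
import hashlib
import unicodedata

SALT = b"constructed-salt"   # constructed; real systems use a random per-user salt
ITERATIONS = 10_000          # constructed; far too low for production use


def hash_bytes(password_bytes):
    """PBKDF2 over whatever bytes the caller hands in."""
    return hashlib.pbkdf2_hmac("sha256", password_bytes, SALT, ITERATIONS).hex()


def naive_hash(password, encoding):
    """The fragile path: hash the bytes the current layer happened to produce."""
    return hash_bytes(password.encode(encoding))


def strip_punctuation(text):
    """The login-field behaviour from the banking comment: drop non-alphanumerics."""
    return "".join(ch for ch in text if ch.isalnum())


def canonical_hash(password):
    """The defender's rule: NFC-normalise, always encode as UTF-8, never strip."""
    return hash_bytes(unicodedata.normalize("NFC", password).encode("utf-8"))


def verify_naive(stored, typed, encoding, login_strips=False):
    if login_strips:
        typed = strip_punctuation(typed)
    return naive_hash(typed, encoding) == stored


def verify_canonical(stored, typed):
    return canonical_hash(typed) == stored


def demo(password="pässwörd!#"):
    """Return which verification paths accept the password that was set via a UTF-8 form."""
    stored_naive = naive_hash(password, "utf-8")
    stored_canonical = canonical_hash(password)
    # Same characters in a different Unicode composition (e.g. from another OS's input method).
    decomposed = unicodedata.normalize("NFD", password)
    return {
        "same_encoding": verify_naive(stored_naive, password, "utf-8"),
        "cp1252_login": verify_naive(stored_naive, password, "cp1252"),
        "utf16le_login": verify_naive(stored_naive, password, "utf-16-le"),
        "stripped_login": verify_naive(stored_naive, password, "utf-8", login_strips=True),
        "nfd_input_naive": verify_naive(stored_naive, decomposed, "utf-8"),
        "nfd_input_canonical": verify_canonical(stored_canonical, decomposed),
    }


if __name__ == "__main__":
    for path, accepted in demo().items():
        print(f"{path:22s} {'accepted' if accepted else 'REJECTED'}")
```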
...let me give them an electric shock (say, through the keyboard) with voltage inversely proportional to password strength. That ought to encourage the use of something stronger.
How exactly does the attacker know the password's expiration date? Your argument that the attacker will make a box that is twice as powerful to brute force passwords is irrelevant, because they already are doing that to brute force passwords (to whatever extent people who try to break into websites brute force anything these days). The idea that poor passwords should be prompted to be changed more often is, on the surface, a great idea, but it all falls apart when you know that anyone that chooses "1234ABCD" as their password will simply change it to "5678EFGH" when forced to change it every 3 weeks. People that make their password "GRSvD@wo0tzLeMUxzPWNZSD56qwertyioup)" don't NEED to be prompted to regularly change their password, because it's insanely hard to crack compared to 1234ABCD, and they probably change it of their own volition because they understand passwords.
I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
How exactly does the attacker know the password's expiration date?
How exactly WOULDN'T they? If the attacker is doing offline brute forcing of passwords, that means they've obtained at least a partial copy of the database for the site (since they have to have the hashes and salts), at which point it's probable that they would have also obtained the expiration dates linked to each password.
Your argument that the attacker will make a box that is twice as powerful to brute force passwords is irrelevant, because they already are doing that to brute force passwords (to whatever extent people who try to break into websites brute force anything these days).
That was more or less what I was getting at. Anyone who implemented such a system would be constantly needing to tweak the expiration dates to keep up with whatever the latest password cracking hardware and methodology happened to be so that they could ensure the expiration dates were always sooner than the brute force time necessary. It's a high maintenance system and a silly pursuit, as I said before.
The idea that poor passwords should be prompted to be changed more often is, on the surface, a great idea, but it all falls apart when you know that anyone that chooses "1234ABCD" as their password will simply change it to "5678EFGH" when forced to change it every 3 weeks.
I disagree that it sounds good on the surface, since it would lead to a horrid user experience, but I do agree that it falls apart. That's why I was pointing out that it's a worthless thing to incentivize, since the people you're trying to encourage are technologically incapable of equipping themselves in most cases with the tools necessary to circumvent the disincentive, and, frankly put, they have more important things to be spending their time on than dealing with some random site forcing them to reset their password once a week. Again, it falls apart because we're asking people to change without giving them the tools to do so.
zxcvbn rates that as 78 bits of entropy; 72 without the ~.
But if everyone starts using some foreign words or terms with accented characters transliterated, it becomes just another part of a cracker's dictionary, and not much better than "The boy causes rain." (59 bits, still an excellent password).
Spelled perfectly. It's a European thing: "highly resistant to noisy forcing"
Human Rights, Article 12: Freedom from Interference with Privacy, Family, Home and Correspondence
... I should change them weekly as well?
To whoever was talking about the Adobe password hack. I don't think anyone cared about that password. It was forced on them by Adobe for one marketing reason or another. Or because of the idiotic cloud suite thingy.
Now the passwords that really are important to me... those are hard to crack, don't worry.
I apologize for the lack of a signature.
Is the duty for password complexity correctly placed on the user's shoulders? I think not...
The user has two jobs:
1. Select a password he can remember
2. Choose a password someone else does not associate with him
Raising password complexity requirements makes those two jobs harder. In my observation, with rising password complexity, the users tend to re-use passwords more often (which is more detrimental to security than a less complex password).
For password complexity to matter, the service provider must have failed (lost the data) and succeeded (chosen a half-way decent algorithm) at the same time.
Therefore I consider the burden of password complexity wrongly placed at the user's end.
Limit attempts to log in to any specific account to once every minute or so. Failure locks the account for a minute, so it doesn't matter what IP or console or program the request comes in from, etc., it's once per minute, period. That's 1440 attempts / day, max.
Attempts to try every password will take forever on even a moderately stiff PW. So ensure passwords are at least moderately stiff. Or better.
After some small number of failed attempts from one IP, blacklist the IP or console. After some small number of highly concurrent failed attempts from multiple IPs, blacklist all of them.
This prevents using constant PW attempts as a trivial DOS and causes uniform attrition in botnets -- not only can that IP or console not attack that user, they can't attack any other, either.
If you've allowed people to get ahold of your password hashes or lists, you're completely hammered. So create a password server that does nothing else. Provide hardened physical security for same. Create a custom hardware bridge that does nothing but handle passwords in a very specific manner, complete with the built-in delays. No other connectivity. Passwords are now as secure as your physical plant allows for.
This puts the least load on the legit user and transfers such heavy work to the cracker that it becomes pointless to try. It's not even all that technically challenging.
Now, making your actual application secure... that, apparently, is beyond the ability of most programmers today. Sigh.
I've fallen off your lawn, and I can't get up.
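The throttling scheme in the comment above (per-account one-attempt-per-minute lock, per-source blacklisting after a few failures, and blacklisting every source in a concurrent swarm against one account), as an added example with a simulated clock; it is not the commenter's code, and the per-IP and swarm thresholds are constructed values.

```python
from collections import defaultdict, deque

LOCK_SECONDS = 60        # one attempt per account per minute, as the comment states
IP_FAIL_LIMIT = 5        # constructed: denied attempts from one source before blacklisting
SWARM_WINDOW = 600       # constructed: window for "highly concurrent" failures (seconds)
SWARM_IP_LIMIT = 10      # constructed: distinct failing sources in window -> blacklist all


class LoginGuard:
    """Gate login attempts; `check_password(user, pw) -> bool` is the real verifier."""

    def __init__(self, check_password):
        self.check_password = check_password
        self.locked_until = {}                    # account -> time next attempt is allowed
        self.ip_failures = defaultdict(int)       # source -> denied attempts so far
        self.blacklist = set()                    # sources that may no longer attempt anything
        self.recent_failures = defaultdict(deque) # account -> (time, source) of denied attempts

    def attempt(self, user, password, ip, now):
        """Returns 'ok', 'denied', 'locked' or 'blacklisted'."""
        if ip in self.blacklist:
            return "blacklisted"
        if now < self.locked_until.get(user, 0.0):
            # Hammering a locked account counts against the source too.
            self._record_failure(user, ip, now)
            return "locked"
        # Whatever the outcome, this account gets no further attempt for a minute.
        self.locked_until[user] = now + LOCK_SECONDS
        if self.check_password(user, password):
            return "ok"
        self._record_failure(user, ip, now)
        return "denied"

    def _record_failure(self, user, ip, now):
        self.ip_failures[ip] += 1
        if self.ip_failures[ip] >= IP_FAIL_LIMIT:
            self.blacklist.add(ip)
        window = self.recent_failures[user]
        window.append((now, ip))
        while window and window[0][0] < now - SWARM_WINDOW:
            window.popleft()
        sources = {src for _, src in window}
        if len(sources) >= SWARM_IP_LIMIT:
            # Uniform attrition: every bot in the swarm loses access to every account.
            self.blacklist.update(sources)


def max_attempts_per_day():
    """Upper bound on attempts against one account, per the comment's arithmetic."""
    return 86400 // LOCK_SECONDS


if __name__ == "__main__":
    # Constructed credential store for the demo.
    guard = LoginGuard(lambda u, p: {"alice": "hunter2"}.get(u) == p)
    for t, pw in ((0, "wrong"), (30, "hunter2"), (61, "hunter2")):
        print(t, guard.attempt("alice", pw, "10.0.0.1", t))
    print("max attempts/day:", max_attempts_per_day())
```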
I don't understand the question. Those things are all annoying. Are you implying we have to pick one?
Personally, I would say that they are more annoying than popups and popunders, because popups and popunders are conveniently encapsulated and marked as bullshit by virtue of being in their own unsolicited window. But less annoying than those autoplay audio ads for sure, which are a blight far beyond any advertising the Internet had ever seen before.
For those random sites that require a complex password I just enter some crap and forget it.
IFF I ever revisit I just click on forgot password and let them email me a link.
Too many crappy sites think they need NSA level security to protect their users.
We (CMtelecom) built a pretty elegant system to solve this.
1) you get an app from us with unique address / destination
2) we authenticate that app with your phone number (like whatsapp et al do)
3) the app gets a unique destination number - like a fake phone number
The website owners pay for each authentication, or the user or website pays a flat fee for just the app.
We send a one-time-password which first gets sent via push to your handset. If we detect the push message doesn't arrive, we follow it up with an SMS (iOS requires user-action to verify arrival of the push, Android does not). We can even roll this over to a voice-call with text to speech.
Now what's interesting is, because the app has a unique destination number, we can distribute this to websites etc. and they can tie this to your username. They send us the unique destination number and passcode and we look up in our database whose phone number belongs to it and send the password. Protects your phone number from irritating websites too.
Lastly, for ultra-secure requirements, we can lockdown the app itself with a pincode, and encrypt the push message (or just do a database call from within the app triggered by the push message) for the passcode.
Oh, and we're partnered with all the major 2FA providers.
Because password strength is the most important attack vector ever to threaten the security of our systems. Because nobody has ever implemented throttling. [/sarcasm]
How about this Pavlovian technique:
- every time a sysadmin puts a strong password requirement, kick him in the balls
- every time a sysadmin accepts simple passwords or completely skips auth for trivial stuff that nobody ever cares to "hack", give him his salary
[...mutters something about 80 accounts for a person, from which 78 are trivial accounts, while searching for a sysadmin to beat to death ...]
If someone can 'offline' crack your password, then that means: he has the password database/file.
In other words the complete system is already compromised!
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
How exactly does the attacker know the password's expiration date?
How exactly WOULDN'T they? If the attacker is doing offline brute forcing of passwords, that means they've obtained at least a partial copy of the database for the site (since they have to have the hashes and salts), at which point it's probable that they would have also obtained the expiration dates linked to each password.
Expiration dates != expiration time of current password. If you assume some maximum password expiration time (let's say 3 months) then as long as the user is registered for at least that amount of time the password expiration date doesn't provide any useful information about it. Unless of course the hacker gets multiple database snapshots from widely different days, but then the system is probably doomed anyway.
How? Because to perform the attack they would need a copy of the password database. The whole server-side operation of things would be suspect at that point.
This scheme fails on several levels. First it must perform analysis on how hard the password is to crack and then pester the user to change it.
The other level is that this is only going to provide any extra security _after_ the hackers have already obtained the password database, and all the passwords need changing anyway in a situation like that.
You and the article author seem to think that snagging the encrypted SSL back and forth between the server and the client would be used for the "offline password cracking" to obtain the password (so you would lose the "password hash" to the attacker when using public wifi, and as such would need to change it before the attacker cracks it). Only problem is that is not how it (your SSL connection to the server security) works, and cracking the encryption on that communication has shit all nothing to do with how hard your password is (because your password has nothing to do with that encryption, and if they crack that connection due to some SSL flaw or being a middleman then they have your password no matter how long or complex it is !!!!!).
world was created 5 seconds before this post as it is.
This should be the first thing you tell your mother or Aunt Tilly [tm].
If you do the occasional shopping, email and Facebook usage you only really need to know one password; your email account. The others can be stored in your browser/app or reset if you ever forget. Having to do a password reset before doing your "once-a-year" ordering of photo-books is a minor inconvenience compared to having to remember loads of different passwords or worse; using the same password for all sites.
Teach Aunt Tilly [tm] the typical password-reset procedure and tell her that she doesn't have to remember these passwords, so there's no need for the password to be simple. Shopping sites really should move away from using passwords anyway. They can store a token in your browser and perform a reset using your email address if you're using a browser without the token. They can also do periodic resets of the token.
Just make sure that Aunt Tilly [tm] knows that there is one password that needs to be GOOD and she needs some way of remembering it; her email account. Having access to your email account would give criminals many great ways of screwing you over, since they can reset nearly all your passwords that way.
If she really can't remember a complicated password, then writing it down on a piece of paper in her house is much less likely to cause her trouble than using "mathilda" or "whiskers" as her password.
According to "security experts" a human being is supposed to remember 100+ unique passwords with no English dictionary words that's rotated every x days and absolutely never ever make a password list. I'd like to meet and test the "security expert" who lives by this rule, because for the vast majority of human beings, this isn't possible. So maybe they should try to figure out a realistic solution. Solutions like this will only cause more centralized password lists which really defeats the purpose of these hard to crack passwords, if one password gets them all.
People who choose "correct horse battery staple" would always choose good passwords, would not reuse the same passwords for all their accounts. People who choose 12345, if forced to choose "correct horse battery staple", would write it on a post it note and very cleverly tape it to the underside of their keyboards instead of the monitor and congratulate themselves on their devious ingenuity.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Being a psychologist, this proposal fails the Pavlovian test in every bit. What classical conditioning shows is that for consequences to be effective, they have to be delivered immediately. Telling users they will have to change their passwords in 5 days because they are not secure enough is not going to work at all...
"Your password must contain at least one Eskimo word, one bizarre foreign character, and oh, can't match any of the last 42 passwords you've used."
"In other news, click here for great partner discounts on Secret Server ... "
(The above is a joke, not a commercial or referrer link of any kind.)
Another fun one is a password containing a backslash. To make matters worse, the customer support is not willing to reset the password, because the web site offers a way to retrieve the password already via e-mail, despite the fact that entering the exact password as it appears in the e-mail does not work. And the fact that the password can be retrieved at all (instead of only reset) is not a good sign either.
Any website that doesn't hash the passwords in their database should fire whoever on their development team is responsible for security (although to be fair sometimes it's not the fault of the dev team, it's the fault of some know-nothing PHB that thinks users need to be able to get their passwords back for some reason).
You have complete freedom to use whatever password you wish and to change it whenever you wish, but the company has a rack or 3 of kit dedicated to cracking passwords. If yours gets cracked then you get forced to change it. If it gets cracked again your colleagues (and manager, and staff) also get told so that they can provide peer pressure/ridicule/helpful advice.
The cracking software can be aware of common passwords, your previous passwords and things like the names of projects you're working on. There can even be a 'submit a crib' internal website where others can upload the cryptic post-it that's on your desk to see if it gives password hints.
Depending on the exact situation of your working environment the penalties might be far harsher.
Obviously if you work for a very big company they might use a rather large value of 3.
I, for one, always include at least one ' in a passphrase. Just to see whether the server admin did his homework.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Yes. It's way easier to adblock than to trollblock.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I am 65, on SS, broke and live 10 miles out in the country with just my wife and no one else within miles. I am FORCED to enter a password to use my computer. After entering a password that is displayed as dots so my wife (who has all my passwords) can't see over my shoulder and steal it, I want to see my email, so I get to enter another password which she also knows and is displayed as dots - so I don't know if I typed it right or not, even though to get to my email client I had to log into my computer first. I then want to play some MMO games and of course have to log into them, even though I am accessing them from a computer that only I have access to and have already logged into. Then I step out of the room to get a cup of coffee and when I get back I get to log into the computer again, because someone decided it might not be safe to have my computer in my house out in the country 10 miles from anywhere unattended for 5 minutes.
I go through this all day every day - and NONE of it is helping me be safe and secure from all harm... In fact it does almost nothing to help me be secure.
Then I am told that I need to have different passwords that look like 12xfeg^&*snbtr for each account I have anywhere, so I am secure. I am expected to change my password (sometimes forced to change it) once a month into something I have not ever used before and also can't remember. Then I am reminded that writing down my password could lead to plagues and pestilence, so I am expected to use passwords that no reasonable person could possibly remember and told not to write them down, and when I type them in they are displayed as dots to protect me...
I would like the option to OPT OUT of all this bullshit. Entering passwords 20 or 30 times a day is more than a little silly. It is well past time that we have secure connections and biometric security on my computer - worst case.
Then people wonder why passwords like 123456 are so popular.
The whole issue starts at "why is offline cracking possible in the first place?".
Offline cracking requires the attacker to have access not only to the machine (ok, in a time of VPN that's not as big a feat) but to the password database. If you assume or at least fear that a potential attacker can have access to the password database, and not only that but actually gain access without you noticing it immediately (else, just invalidate all pws when you notice it and be done with it), you have FAR bigger problems at your hands than figuring out password expiration dates.
First things first. Dear CISO: Instead of bossing around your users with harebrained password changing chores (including the usually impossible to fulfill requirements akin to "100 letters, at least 20 numbers and not even similar to the last half a billion passwords that were used in the company"), do your fuckin' job and make sure that nobody can steal your pwdb!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I use Keepass and let it generate random 6-8 character unique passwords with numbers and lower-case letters only (for ease of typing on a phone/tablet). For the stuff you use a lot those turn out to be easy enough to remember anyway. That's more than adequate for an online service, though obviously not as a key for local encrypted data.
Works well apart from obnoxious password strength checkers that think it's easy to guess just because there are no upper case letters or symbols. A more intelligent checker would be very welcome.
Long passwords composed of random words are highly random, highly resistant to bruit forcing, and relatively easy to remember. The battle to make users remember arbitrary characters isn't just foolish, it's insecure.
What's not easy to remember, at least for me, is which long string of random words corresponds to which login.
I am not a crackpot.
Here is wisdom. Let him that has understanding count the number of the beast: for it is the number of a man; and his number is Six hundred three score and six.
Solve that for my Slashdot password.
Dude, that password was so easy.
I've updated your password to the answer to a new riddle:
Why is a raven like a writing desk?
Good luck spelling it correctly!
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
There are three ways you can test whether someone is who he claims to be: Ask him for something he knows, something he has or something he is. Those are the ONLY things that work as "passes".
You can either ask him for a password, ask him to show you some kind of token that is only handed to people who may pass, or ask him to show you that he is who he claims to be with you holding a database of people who are allowed in. That's, btw, why biometry alone is worthless. You can only tell that he is actually he, but that alone doesn't tell you yet whether he is allowed to come in. Biometry by itself identifies, it does not authenticate.
Each of these three ways has its advantages and drawbacks. Passwords have the neat advantage that they're dirt cheap to implement, and hence they're so popular. Every other kind of authentication not only requires special hardware if you want to do it from afar (which pretty much rules it out for "anything internet" that doesn't concern itself with high value targets where the investment is justified), it also requires very keen knowledge of security to do it at least halfway right.
Hence the popularity of passwords.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I thought we were looking for a solution that doesn't "only work" but is also secure?
Or do you really want to sell your smartphone as a secure device that I can trust? Hell, I wouldn't even trust it if it was mine! Correction, if I paid for it, because there's a really good chance that it would STILL not be "mine".
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Why don't most password systems support Unicode passwords? Besides the small accessibility problem, I'd like someone to try to crack some Japanese, Chinese, Thai, or Arabic text, whether it makes sense or not.
"No man's life, liberty, or property are safe while the legislature is in session." -- Judge Gideon J. Tucker
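The backslash complaint and the "hash your passwords" comment earlier in the thread, and the Unicode question just above, all come down to one storage design: canonicalize the password, hash it with a salted, slow KDF, never store or e-mail the plaintext, and offer reset instead of retrieval. The following is an added example written for this page, not code from the article or from any site discussed here; the iteration count, salt size and the in-memory user store are assumptions chosen to keep the example quick and self-contained (production deployments use a higher count and a real database).

```python
import hashlib
import hmac
import os
import secrets
import unicodedata
from typing import Optional

# Constructed parameters for this example. Real deployments tune the iteration
# count to their hardware (current guidance is several hundred thousand for
# PBKDF2-SHA256) and record it alongside each hash so it can be raised later.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def canonicalize(password: str) -> bytes:
    """NFC-normalize so a precomposed 'é' and 'e' + combining accent hash the
    same, then encode as UTF-8. Nothing is stripped or rewritten: backslashes,
    quotes and CJK text all pass through unchanged, because a hash input is
    never interpolated into HTML or SQL."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", canonicalize(password), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", canonicalize(password),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class UserStore:
    """Keeps only hashes. The sole recovery path is a single-use reset token,
    which is itself stored hashed so a leaked table cannot be replayed."""

    def __init__(self):
        self._records = {}
        self._reset_tokens = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            hash_password(password)  # spend the same time for unknown users
            return False
        return verify_password(password, record)

    def issue_reset_token(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self._reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = username
        return token

    def reset_password(self, token: str, new_password: str) -> bool:
        username = self._reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if username is None:
            return False
        self._records[username] = hash_password(new_password)
        return True


def demo() -> dict:
    """Constructed walk-through; every value should come back True."""
    store = UserStore()
    awkward = "pa\\ss'w\"ord"          # backslash, apostrophe and double quote
    store.register("alice", awkward)
    store.register("bob", "日本語のパスワード")  # CJK text, no special handling needed
    results = {
        "backslash_and_quotes": store.login("alice", awkward),
        "cjk": store.login("bob", "日本語のパスワード"),
        "wrong_rejected": not store.login("bob", "wrong"),
        "nfc_equivalence": verify_password("caf\u00e9", hash_password("cafe\u0301")),
    }
    token = store.issue_reset_token("alice")
    results["reset"] = store.reset_password(token, "new-pass")
    results["old_rejected"] = not store.login("alice", awkward)
    results["token_single_use"] = not store.reset_password(token, "again")
    return results
```

The point the backslash anecdote illustrates is that a site which can e-mail your password back is storing it reversibly, and a site which mangles it on the way in is editing the hash input; neither is needed once the only consumer of the password bytes is the KDF.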
It seems that the logic here might not be applied consistently.
If we are shortening password change time for poor passwords, under the argument they are easy to crack; then likewise hard passwords that would take a "forever" to crack should have no expiry. The rules have decided to be altered, except for the ones that are established orthodoxy, those must blindly be followed without adjudication for all time.
Perhaps the real Pavlovian behavior here is the bell that rings every 90 days.
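The KeePass user's wish for a checker that doesn't dock lowercase-only random strings, the random-words comment, and the consistency point just made (if expiry is derived from crack time, a password that would take "forever" should never expire) can all be served by one estimator. The following is an added example written for this page, not the article's or Deloitte's model; the guess rate, word-list size, ten-year cutoff, the 2/3 ratio (mirroring the article's 4.5-day crack estimate becoming a 3-day expiry), and the tiny dictionary and blocklist are all constructed assumptions.

```python
import math
import string
from typing import Optional

# Constructed parameters for this example.
GUESSES_PER_SECOND = 1e10          # assumed offline rate against a fast, unsalted hash
WORDLIST_SIZE = 7776               # Diceware-sized list: ~12.9 bits per random word
NO_EXPIRY_AFTER_DAYS = 365 * 10    # beyond this estimated crack time, never expire
EXPIRY_FRACTION = 2 / 3            # article: 4.5-day crack estimate -> 3-day expiry

# Small constructed stand-ins for a real dictionary and a real breach blocklist.
DICTIONARY = {"correct", "horse", "battery", "staple", "river", "candle",
              "orbit", "tulip", "marble", "pepper", "signal", "wander"}
COMMON_PASSWORDS = {"123456", "password", "qwerty", "test123@#",
                    "correct horse battery staple"}  # the famous phrase is itself a guess


def estimate_bits(password: str, blocklist: set = frozenset()) -> float:
    """Rough entropy estimate. Random-word passphrases are credited per word,
    not per character; random character strings are credited by the size of
    the character classes present, so 'lowercase only' is not a penalty in
    itself. Anything on a blocklist (breach lists, previous passwords, project
    names) is worth zero regardless of how it looks."""
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or lowered in blocklist:
        return 0.0
    words = lowered.split()
    if len(words) >= 3 and all(w in DICTIONARY for w in words):
        return len(words) * math.log2(WORDLIST_SIZE)
    charset = 0
    if any(c in string.ascii_lowercase for c in password):
        charset += 26
    if any(c in string.ascii_uppercase for c in password):
        charset += 26
    if any(c in string.digits for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)
    if charset == 0:
        return 0.0
    return len(password) * math.log2(charset)


def crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to guess: on average half the keyspace is searched."""
    return (2 ** bits) / 2 / rate


def expiry_days(password: str, rate: float = GUESSES_PER_SECOND,
                blocklist: set = frozenset()) -> Optional[int]:
    """Expiry interval in days, or None when the password need never expire."""
    days = crack_seconds(estimate_bits(password, blocklist), rate) / 86400
    if days >= NO_EXPIRY_AFTER_DAYS:
        return None
    return max(1, math.floor(days * EXPIRY_FRACTION))


if __name__ == "__main__":
    for pw in ["123456", "abcdefgh", "Proj3ct!", "river candle orbit tulip", "a" * 20]:
        print(f"{pw!r}: {estimate_bits(pw):.1f} bits, expiry {expiry_days(pw)}")
```

Two things the numbers show that the prose doesn't: at an offline rate of 1e10 guesses per second a four-word Diceware phrase still expires in a day or two under this rule, so the "forever" tier is reached by length rather than by mixing character classes; and the rate is the whole model, since a rate-limited online login is many orders of magnitude slower, which is why the KeePass commenter's short lowercase passwords can be fine for a website and still be a poor key for local encrypted data.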
That's exactly what I was going to say. This has absolutely nothing to do with classical conditioning. Operant conditioning? Maybe... if the person successfully associates having to change their password constantly with bad password strength.
"No man's life, liberty, or property are safe while the legislature is in session." -- Judge Gideon J. Tucker
How about this: sites that have their password databases breached pay a $1B fine, the fine paid in part by the company, the management, and the devs responsible.
The users are not the ones in need of training here.
-Chris
I'm aware of that, which is why I was very careful in my claims, specifically saying that it would help find the ones that "are likely the easiest", rather than saying it would certainly find the weakest ones. Assuming the system has been in use for awhile, you're quite correct that there will be stronger passwords with expiration dates coming up as soon as weaker passwords, but the stronger passwords would also be spread out over a wide range of dates, whereas the weaker ones would all be clustered around a set of dates that were near. As such, the weaker passwords will represent a disproportionately larger share of the passwords set to expire soon, simply on account of the fact that they are constantly expiring.
So, sure, you'd have no way of knowing if any particular password is a strong or weak one, but given a set of randomly selected passwords from that database, the ones with nearer expiration dates are the ones most likely to be weak passwords.
Interesting discussion. I can think of one instance where a strong password mattered. When the torrent site Oink had their servers grabbed by Interpol, the people with easy passwords were the ones that were prosecuted. It wasn't worth the time or the hassle to go after the harder to crack passwords.
I have a brain injury that destroyed my short term memory and ability to organize. Passwords are my personal hell.
I'll choose an impossibly hard password (which doesn't have to be changed for 2 years) & write it down and stick it somewhere convenient.
This is a US specific problem - being charged for receiving calls or text messages.
Why do dumbass businesses allow login anywhere but work and from your particular machine? And have a "register tonight only" capacity for logging in from home to register that address.
Design a product and stop exposing dangerous APIs without restriction.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Aww, man, every 90 days?
Now I'll have to get a new set of password tattoos on my groin.
Passwords you can remember are over. To make them feasible to use with fast hashing for web servers, etc. you need to make them long and properly random. And then protect them with strong encryption in your password manager, which can happily run 10s or hundreds of thousands (or more) rounds of encryption so that your pass-phrase to get into THAT is manageable.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Because the whole point of a "correct horse battery staple" password is to make a password you can remember simply as a story. It is counterproductive to add in foreign words (to the extent that makes a story harder) or other rules like how to represent accented characters or what punctuation to put between words.
Well good thing he doesn't post his paper to the internet for you. The odds of a random person being able to deduce his algorithm are much smaller than the average slashdotter.
I don't see where Pavlov comes into this, but I should probably read the story.
I like the idea, it's a great way to educate people. It's a stretch to call this conditioning, as was the case with Pavlov's dogs. People are never going to salivate at the thought of having to change their passwords using a strong password. As a user and someone who manages thousands of user accounts, I'd be all for a system like this.
I've updated your password to the answer to a new riddle:
Why is a raven like a writing desk?
Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn.
Good luck spelling it correctly!
My mother was eaten by Cthulhu you insensitive clod!
Do cell phone companies still charge for text messages?
People who use a cell phone to replace a house's primary land line tend to have plans with unlimited (or at least very generous) talk and text airtime. But people who use a cell phone as a secondary phone to make short, urgent calls ("can you pick me up in a few minutes?") tend to be on pay-as-you-go plans that cost $10 per month or less. For example, Virgin Mobile's least expensive advertised plan for basic phones requires a minimum payment of $20 plus tax every 90 days to maintain service. These pay-as-you-go plans charge per voice minute on both outgoing and incoming calls and both sent and received text messages.
And for a non-financial account - who cares?
Because more accounts are financial than one might initially guess. Amazon, Apple, and Google all save payment information. Besides, a growing number of web sites are relying on third-party identity proofing that uses the mobile phone network as a root of trust. For example, commenting on The Huffington Post requires signing up for Facebook, "verifying" the Facebook account by linking a globally unique phone number to it through SMS, and linking the Facebook account to the Huffington Post account. Yahoo even requires SMS just to create an account.
Hey, if you want to log into work, you're going to need something work-issued to do that.
"I'm sorry; I'm out of the office. I won't be near something work-issued for 64 hours." Some managers would find this unacceptable.
passwords aren't echoed on the screen
Bruce Schneier agrees with Jakob Nielsen that mandatory password masking is another thing that needs to go away.
Alleged enemy combatants don't get lawyers.
My smartphone is always with me, and it does interface with the internet just fine.
Not if you have zero bars or you fall behind on your phone bill.
Slashdot moderation works because it has enough people interested in adding legitimate comments to attract a large number of volunteer moderators. A lot of blogs with less sophisticated (or even just lower-traffic) comment sections don't have that luxury.
The PolyPassHash system to which you're referring will lock everyone out after a reboot. It takes a quorum of system administrators logging in after a server restart to get the authentication system back online. This might work for some sites but not for all.
TheRaven64 disagrees with you that the average workstation in developed countries should be run through a UPS. Besides, what will you truthfully say about your password if it turns out that the government agent gets smart and shuts down the system in an orderly manner by unplugging the UPS?
It's 616 actually...biblical scholars sucked at math (amongst a few other things.)
It's nice to see that some things never change.
Introduce a profound article on /. and the community... bickers about something completely different.
I, for one, applaud the policy described in TFA. Calculating the median time to crack weak passwords, then requiring the password to be replaced within that time frame, is nothing short of brilliant. It's a practical approach to security; something they should have been doing all along. Can't wait until this elevates to law-of-the-land status.
Until then, please, keep discussing whatever it was you felt was so important.
This post © Copyrite Duggeek, all rights reversed.
I've seen similar instances, ISTR back in the day Solbourne's fork of SunOS somehow not handling punctuation in passwords. I'm constantly astounded (though I guess I really shouldn't be) when I encounter systems that downright won't accept a password with characters other than [A-Za-z0-9]. A related yet perhaps lesser hell is having either a) A name that doesn't conform to FIRST MIDDLE LAST, i.e. multiple middle names as I think is common with e.g. some Hispanic cultures b) A name that includes a hyphen or apostrophe (or non-ASCII characters like ø) For a while I had *both* and the degree to which software out there is broken is amazing. I regularly get physical mail with HTML-type encoding in the middle of my name. Because, you know, Europe doesn't exist >_< One airline, e.g. accepted my full legal name when signing up for their FFM program, but not when booking travel, so there was no way to associate the FFM account with the reservation.