It's World Password Day: Change Your Passwords
An anonymous reader writes "Today is World Password Day — a day dedicated to promoting the use of strong passwords and the creation of good habits. However insecure this method of authentication is, it's not going away anytime soon, and people should be educated on how to make the best of it. To that end, last year Intel started an action-oriented campaign to raise user awareness regarding password problems, and this year their initiative has a new digital home. Passwordday.org provides the Password Blaster (a videogame that teaches good passwords using real leaked passwords), the Password Strength Meter, links to McAfee's Heartbleed Test tool, offers animated educational GIFs and tips and tricks for upgrading your passwords."
Please.
Don't see what the point is
-- Tigger warning: This post may contain tiggers! --
Ludden was the best.
IT Workers rejoice!!
Followed by "Reset Your Password Day" tomorrow.
What a great time to sniff or keylog, knowing a lot of people will be changing their passwords!
I hope I'm wrong.
Passwords, and with them password reset questions, need to go away. There are proper authentication mechanisms. Passwords are not among them.
Let's celebrate with 8-16 characters that must include at least one capital, one number, and one symbol but not repeat any character more than twice. Ahh screw it, why don't we celebrate World Write Down Your Password On A Post-It Note Day?
Yes it's an anecdote! Were you expecting original research in a Slashdot comment?
worldp@sswordday14
That way you can remember it until next year!
Change your passwords today, so our new filters can capture them!
I've used passphrases from passwdqc for quite some time. They're just as complex and a whole lot easier to remember. The downside being many websites still restrict users to 8 or 10 character passwords whereas phrases can easily consume 17 or more characters.
Good people go to bed earlier.
That last sentence in the intro made me a bit ill.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
12345...7
so change it, already
if this is supposed to be a new economy, how come they still want my old fashioned money?
"password02". Done!
I have 400+ unique passwords. I don't think I'll be changing those for password day.
I suppose putting my trust in a password manager could also be considered a risk, but I use a passphrase long enough that even someone with an extensive dictionary attack would take years to get through it.
I thought that regularly changing one's password was unnecessary https://www.schneier.com/blog/archives/2010/11/changing_passwo.html. I thought that it needs to be changed if found to be hacked, but otherwise as long as it's strong, there's no need to change it. So while promoting good password habits is a good idea, I'm not sure that "annually change all your passwords on the same day every year so that any eavesdropper/keylogger can look for possible password change activity on one day" is one of them.
Now I'm going to post as an Anonymous Coward for the next six months!
If you were going to install sniffers all over to collect passwords as people changed them, what day would be better than World Password Day...
I'll let the herds get culled as I watch from the hills above, thanks.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
A new holiday will be sent to your email address.
Those passwords suck, and I hate you for even suggesting them.
Better idea, simple passwords. "Pencil".
Then lock the account after a reasonable number of attempts - like 50. How many tries to brute force a single word password? More than 50.
I use security tokens instead of passwords, and then external services use OAuth against this centralized service to verify my identity... passwords? What are those!?
if a legit user can hack your systems, the user password isn't your problem.
So many sites make you enter a secure password to protect their systems. Ignoring the fact that a malicious person could set up an anonymous account.
The Kruger Dunning explains most posts on
This is because Microsoft doesn't change stored passwords on Hotmail when they update policies for the service... Case in point, my dummy account from the '90's still has a password that is well under the minimum number of characters required to login. Very short, sweet, easy to remember, and cannot be brute forced because nobody would think to check a password outside of their "requirements"! (oh wait, fuck, I just admitted publicly there are passwords outside of their requirements)
due to all the past changes. My new password is "It's change your password day"
Table-ized A.I.
But when I do... http://memegenerator.net/insta...
Anything important should be changed more frequently. And anything less important... why do we have a special day for it? Waste of time. *shrug*
I work for the Department of Redundancy Department.
Although I do not have proof of this, I believe that the password change policy came from the way early UNIX systems handled the password files.
Early UNIX systems did not separate the username file from the password file. Both were kept in /etc/password. This file had to be world readable in order for anyone to log in. So if you had any access at all, including guest access, it was easy to copy the password file. Although the passwords in the file were hashed, they could be cracked or a rainbow table created if you had access to a powerful enough computer. At the time, only mainframes or minicomputers had the power needed, and cracking a password took between three to five months.
The thought process was that if someone did steal the password file, and you changed your password every three months, it was very likely that the password was changed by the time the passwords were cracked. These days, more powerful computers can crack the passwords much, much faster, and the UNIX/Linux systems have broken out the passwords from the password file and placed them in a shadow file that is not world readable.
The danger of the password file being stolen is no longer the same issue as it once was, but the "standard" password policy has never changed. Today, the reason most often given for a change policy is: "This is best practices, so we are going to do it." Few security consultants can give you the real reason for the policy, although many will refer to recent examples of passwords being stolen and tell you that you need to change a password often just in case someone does steal the password. The danger today is not that the person stealing your password will use it, but that they will sell it to someone else. On the one hand, that does give you a little time to change your password, but on the other hand, some people may feel that since their account was not cracked right away that their accounts are still safe.
Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
I am celebrating this day by changing my passwords from 'password' to 'password1'.
passphrases.
Because (ignore quotes) "bob is a dork and i hate my job" is largely easier to remember and more powerful than, "Tr0ub3c43r#$" [insert obligatory XKCD].
I mean really. If a person makes a passphrase as a full sentence (i.e. spaces, punctuation, capitalization, all the things grammar teachers teach), then that will give some part of school you likely never cared about some meaning in your life, and it would make your passphrases much more secure and easier to remember (i.e. it tells you a lot about your passphrase already).
Although the most annoying part (as always) is typos.
That way, when I forget it, the software/site will come back and tell me "Your password is incorrect", so I don't have to remember it at all.
"The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
Yikes, that's horrible, horrible advice.
You need to stay away far, far from single dictionary word passwords. If the hashed password database is compromised, you need a password that will at least withstand a basic dictionary attack, since obviously it's beyond locking because of failed attempts at that point. If there's any significant amount of time between when the breach occurs and when it's discovered, your only defense is a password long and complex enough to withstand any brute-force attempt within a reasonable period of time.
Incidentally, if everyone took your advice (and many seem to, unfortunately), a significant number of people would still get hacked just because the bad guys happened to guess the correct dictionary word they used. All they have to do is try the first 50 most used words and phrases for every account, and with millions of users, they're bound to guess a few thousand correctly.
My advice: install LastPass or some other password manager, and then have it generate absolutely random noise passwords - you can even set parameters for sites that don't allow symbols or have length restrictions, etc. Those are automatically filled in when you visit the site. Either your browser will remember them in its password manager, or a plugin, like LastPass uses, will fill them in for you. There's very little reason for a typical user to change a password when it's randomly generated gibberish.
Irony: Agile development has too much inertia to be abandoned now.
The prevalence of the passwords requiring uppercase, lowercase, punctuation etc is ridiculous as more and more sites and servers I use are requiring it.
I'm going to make an assumption here and I bet I'm right. (I have NO idea!)
The VAST majority of security breaches are due to poorly patched software / bugs / social engineering / angry staff etc.
I'd wager very very few password hacks are due to people having the password
"momspajamas2212" instead of "M0mspaJAMas22!2"
I will say I'm finding the only way to still remember my passwords on sites now is to start using pattern based passwords, example "$RFV%TGB4rfv5tgb" (try typing that) - it's not ideal but I can remember the bastard thing. (I hope this helps someone else out, I gave it out to someone recently and they adopted something similar pretty much instantly and yes, I know you could add patterns to the dictionary)
My favorite incident of what I call "security by handwaving" was my bank changing the wording on their site from password to passphrase, but they rejected the space character and limited the "passphrase" to 16 characters.
So what if this is a ruse to get people to change passwords on the one day that security exploits are in place to capture the new passwords? Buck the trend and change them some other day or not at all.
Salt doesn't necessarily solve the breached hash problem if you're using simple dictionary words. It forces a per-hash computation, so they can't use a rainbow table of pre-computed hashes, but dictionary words will still be the second thing criminals will try (the first thing is a quick-list of top password offenders). Sure, it significantly slows the process down, but once the database is offline, there's plenty of CPU horsepower available to do that sort of thing.
Actually, it may be more accurate to say that there's plenty of GPU power available for that, as cracking software often makes use of banks of high-end videocard GPUs to perform massive amounts of hash calculations per second. GPUs are optimal for this task because of the massive number of parallel processing cores in each card. The only real way to thwart this sort of decoding effort is to use memory-hard hashing algorithms, but I don't think those are in wide-spread use yet.
So, let's assume a worst case of a billion hashes a second, which I don't think is out of line for today's top-of-the-line video cards, easily within financial reach of your typical internet low-life. We'll use a dictionary of perhaps 20,000 of the most common English words, and let's say we'll throw in enough combinations to round it up to a million hashes that we'll try per user (capitalization + common numeric suffixes). That means that even something like "Pencil92" isn't safe. Let's also assume that we've got a million user hashes to check in total. Total calculation time for a first-pass dictionary attack on every entry in the database? About 1000 seconds. That means we've got plenty of time to try even more complex combinations of passwords after the simple first-pass check.
Ultimately, the best defense is password complexity, since no amount of hardware can possibly cover all the combinations of a very long and complex password, since length + variation = a combinatorial explosion of possibilities.
Also, sorry to hear about the storm mess. Never fun to clean up after stuff like that.
Irony: Agile development has too much inertia to be abandoned now.
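The comments above (the reply to the "Pencil" suggestion and the salt/GPU cost estimate) do the cracking arithmetic in prose. The Python below is an added illustration for this thread, not code posted by anyone here, and works the same scenario on a constructed toy database: an unsalted SHA-256 store falls to a single precomputed lookup table; a per-user salt forces the wordlist to be re-hashed for every user but still recovers "Pencil92"-style passwords (and the 50-attempt lockout proposed earlier never fires, because the attack is offline); the 1e6 candidates x 1e6 users / 1e9 H/s = 1000 s figure is reproduced; a four-word passphrase from a 20,000-word list and a password-manager-style random 16-character string are costed on the same assumed hardware; and hashlib.scrypt stands in for the memory-hard hashes mentioned. The word list, suffix list, user names and passwords are all made up for the example, and the 1e9 H/s rate and 20,000-word dictionary are the comment's own assumptions.

```python
"""Offline attack on a leaked hash database: why a dictionary word falls even
when salted, and what actually raises the attacker's cost.

Added illustration for this thread, not code posted by anyone here. WORDS,
SUFFIXES, the user names and passwords are constructed toy data.
"""
import hashlib
import os
import secrets
import string
from typing import Dict, Tuple

# Constructed stand-in for "the most common English words" (tiny on purpose).
WORDS = ["pencil", "monkey", "password", "dragon", "sunshine", "shadow"]
# Mangling an attacker tries first: capitalisation plus common suffixes.
SUFFIXES = ["", "1", "12", "92", "123", "2014", "!"]


def candidates():
    """First-pass wordlist: each word x 3 capitalisations x common suffixes."""
    for w in WORDS:
        for base in (w, w.capitalize(), w.upper()):
            for s in SUFFIXES:
                yield base + s


def store_unsalted(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def store_salted(pw: str, salt: bytes) -> str:
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def store_scrypt(pw: str, salt: bytes) -> bytes:
    # Memory-hard KDF: n=2**14, r=8 needs about 16 MiB per guess, so a GPU
    # cannot run thousands of guesses in parallel as it can with raw SHA-256.
    return hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def crack_unsalted(db: Dict[str, str]) -> Dict[str, str]:
    """No salt: hash the wordlist once, then crack every user with a lookup."""
    table = {store_unsalted(c): c for c in candidates()}
    return {user: table[h] for user, h in db.items() if h in table}


def crack_salted(db: Dict[str, Tuple[bytes, str]]) -> Dict[str, str]:
    """Per-user salt: the table is useless, so every candidate is re-hashed
    for every user. Work scales with the user count, but a dictionary word is
    still found, and the site's login lockout never fires: nothing here
    touches the site."""
    found = {}
    for user, (salt, h) in db.items():
        for c in candidates():
            if store_salted(c, salt) == h:
                found[user] = c
                break
    return found


def attack_seconds(candidates_per_user: float, users: float,
                   hashes_per_second: float = 1e9) -> float:
    """Wall-clock time for one pass of the wordlist over the whole database."""
    return candidates_per_user * users / hashes_per_second


def guess_space(alphabet_size: int, length: int) -> int:
    """Guesses to exhaust a uniformly random secret: alphabet ** length.
    A 4-word passphrase from a 20,000-word list is guess_space(20_000, 4)."""
    return alphabet_size ** length


PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """What a password manager generates: uniform, CSPRNG-backed, no pattern
    for an attacker to add to a dictionary."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    plaintexts = {"alice": "Pencil92", "bob": "SUNSHINE!",
                  "carol": "bob is a dork and i hate my job"}
    unsalted = {u: store_unsalted(p) for u, p in plaintexts.items()}
    salted = {}
    for u, p in plaintexts.items():
        salt = os.urandom(16)
        salted[u] = (salt, store_salted(p, salt))

    print("unsalted cracked:", crack_unsalted(unsalted))  # alice and bob, not carol
    print("salted cracked:  ", crack_salted(salted))      # same two; salt only cost time

    year = 365 * 24 * 3600
    # The comment's arithmetic: 1e6 candidates x 1e6 users at 1e9 H/s.
    print("first pass over 1M users: %.0f s" % attack_seconds(1e6, 1e6))
    # A 4-word passphrase from a 20,000-word list, one user, same hardware.
    print("4-word passphrase, one user: %.1f years"
          % (attack_seconds(guess_space(20_000, 4), 1) / year))
    # 16 random printable characters, one user.
    print("16 random chars, one user: %.2e years"
          % (attack_seconds(guess_space(len(PRINTABLE), 16), 1) / year))
    print("generated password:", random_password())
    print("scrypt hash:", store_scrypt("Pencil92", b"\x00" * 16).hex())
```

The scrypt call is there to make the memory-hard point concrete rather than to benchmark it: the defender picks parameters so that each guess costs tens of megabytes, and the attacker's hashes-per-second figure drops accordingly, which is the one knob in attack_seconds that the site (not the user) controls.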
If you look at those who have analyzed cracked databases to see what passwords people actually used, you'll find that people get hacked because they're using passwords like "password", "123456", "monkey", and so on.
Honestly, I've found that a password manager is really the only sane way to use cryptographically secure (and completely different) passwords on every site without worrying about losing those passwords. I use Lastpass, since it syncs between machines automatically and has a plugin which automatically fills in the username and password for you, and will detect when you change existing passwords or create new ones. There are a bunch of other good ones too if you don't like the idea of your encrypted password database being stored online (note: it's encrypted locally, so Lastpass never sees anything but a binary blob).
Irony: Agile development has too much inertia to be abandoned now.
Why cannot we force all websites and services to comply with a common password complexity rule? There is a wide variation in the rules that phone companies, banks, utilities and various online services enforce when I create passwords. As a consequence, it becomes difficult to decide on a password-generating algorithm to create and remember passwords across these websites/services. So, coming back to the question, can we not have a standard password complexity rule which every website/service has to stick to? Instead of those irritating, little info boxes near the password field listing different passwords rules for different websites, we could have a URL pointing to the standard password rules which in turn would be maintained by an independent organisation. Obligatory: https://xkcd.com/927/
Does that mean today is World "I Forgot My Password" day?