Slashdot Mirror


Password Security: Why the Horse Battery Staple Is Not Correct

First time accepted submitter Dadoo writes By now, everyone who reads Slashdot regularly has seen the XKCD comic discussing how to choose a more secure password, but at least one security researcher rejects that theory, asserting that password managers are the most important technology people can use to keep their accounts safe. He says, "In this post, I'm going to make the following arguments: 1) Choosing a password should be something you do very infrequently. 2) Our focus should be on protecting passwords against informed statistical attacks and not brute-force attacks. 3) When you do have to choose a password, one of the most important selection criteria should be how many other people have also chosen that same password. 4) One of the most impactful things that we can do as a security community is to change password strength meters and disallow the use of common passwords."


  1. Oh great by Falos · · Score: 5, Interesting

    > asserting that a single point of ultimate failure is the most important technology
    Yeah, it's important all right. Critical, even.

    We're being awfully slow about teaching people to adopt passphrases. Simple, no number no symbol nonsense.

    "rrrybgdts" is a nursery rhyme. It doesn't even have to be written on a sticky.

    1. Re: Oh great by Anonymous Coward · · Score: 3, Funny

      Yes please force increased security requirements. I love having upper, lower, minimum length, numbers, punctuation, and a fecal sample all in a password for one of the billion websites that require accounts.

    2. Re:Oh great by vidnet · · Score: 4, Insightful

      > "rrrybgdts" is a nursery rhyme. It doesn't even have to be written on a sticky.

      This is a really bad way of choosing passwords.

      The number of verses of songs, nursery rhymes, poems and paragraphs that people would tend to think of probably number less than a million.

      Your particular example has 946 hits on Google.

    3. Re:Oh great by BradMajors · · Score: 3, Insightful

      "Love is beautiful, like birds that sing." is more secure than "Lib,lbts". Why are you making your password less secure?

    4. Re:Oh great by rnturn · · Score: 4, Informative

      ``We're being awfully slow about teaching people to adopt passphrases''

      Maybe because there's so many websites out there that still limit your password/passphrase to a fairly short maximum number of characters. If I wanted to use something like `correcthorsebatterystaple' I'm usually not allowed to. Especially when using commercial sites, you are, all too often, limited to a short -- and often numeric-only -- password (PIN, actually).

      --
      CUR ALLOC 20195.....5804M
    5. Re:Oh great by Anonymous Coward · · Score: 2, Informative

      In theory it is, but in practice "Love is beautiful, like birds that sing." is more likely to show up in a dictionary attack than a random string of gibberish. Just because it's nearly impossible to brute force doesn't mean it's necessarily a good password. Popular phrases, lyrics, Bible verses, etc. can be substituted in a guessing algorithm just like using "$" instead of "S". Here's an interesting article about some of that:
      http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

    6. Re:Oh great by OS24Ever · · Score: 3, Insightful

      and half the banking and finance websites don't allow the symbols, and it's too long

      --

      As a rock-in-roll Physicist once said, No matter where you go, there you are.

    7. Re:Oh great by Archangel+Michael · · Score: 3, Funny

      Berma Shave!

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    8. Re:Oh great by ShieldW0lf · · Score: 2

      I've been doing this for the better part of a decade. Except, I know I'll be repeating this phrase to myself every day, so I take it as an opportunity to engage in a little self programming. It makes the passphrase personal instead of generic, and useful instead of burdensome.

      "I don't like drinking with my buddies till 3 because it makes me feel rotten the next day" = "Idldwmbt3bimmfrtnd"

      Now when my buddies ask me to stay out drinking on Thursday night, I'll hear "I don't like drinking with my buddies till 3 because it makes me feel rotten the next day" in my head and make the responsible choice.

      Or whatever. "I put the toilet seat down because even though it's inconvenient it's better than listening to my wife criticize me"?

      You can have fun with it.

      --
      -1 Uncomfortable Truth
    9. Re:Oh great by nine-times · · Score: 2

      Unless you're talking about something that I'm not getting, it's not susceptible to a dictionary attack. The individual words may be, but a brute force attack would still need to guess all of those words in that order.

      Unless the poem is in your dictionary, I suppose. In that case, the attacker could just take the poem and use the first letter in every word, and include that in their dictionary. But "correct horse battery staple" is not particularly vulnerable to brute-force dictionary attacks because there are far more words in the English language than there are letters. So if you were going to brute-force passwords, it'd be easier to guess 7 random letters than 7 random words, even with a complete dictionary of words.

    10. Re: Oh great by AK+Marc · · Score: 2

      Those are easy to brute force (an uninformed dictionary attack with substitution is a brute force, of a kind). How long is the password? 6-8 chars? Then only look at dictionary words of 5-7 letters. Make the first letter caps, and do all the number for letter substitutions (brute force style), and a variety of punctuation at the end. That'd get 90% of the "secure" passwords I've seen. If that doesn't get it, try the $ for S and such, and start varying the caps. With simple rules to look for, you'll be able to dictionary attack nearly all "secure" passwords.

    11. Re:Oh great by houghi · · Score: 2

      Also there are so many places where you need to enter a password that it becomes unusable for the majority of people.

      All too often what I see is that IT people do not factor in the weakest link: humans. They do not factor in that their system is not the only system that needs protection.

      At work I am forced to change my password every month. As I want to be able to work, I use the same one (and thus have more issues remembering my logins than my password.)

      Next to that I have systems at home. I have ones on my phone. I have ones on a separate PC. I log in at friends and want to access my sites.

      Use program X they say, as if that will never fail. If it is local, I will break it. If it is remote, I do not trust it with all my passwords.

      --
      Don't fight for your country, if your country does not fight for you.
    12. Re:Oh great by skids · · Score: 2

      Because gen mobile needs to be able to type it on their crummy laggy error-prone on-screen touch keypads, preferably without ever shifting keypad state.

    13. Re: Oh great by roc97007 · · Score: 2

      > Yes please force increased security requirements. I love having upper, lower, minimum length, numbers, punctuation, and a fecal sample all in a password for one of the billion websites that require accounts.

      ...and passwords will be written on sticky notes pasted to the underside of keyboards. Also fecal samples, I guess, when they start to be required. That should make the office experience so much more pleasant...

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    14. Re:Oh great by roc97007 · · Score: 4, Interesting

      > In theory it is, but in practice "Love is beautiful, like birds that sing." is more likely to show up in a dictionary attack than a random string of gibberish. Just because it's nearly impossible to brute force doesn't mean it's necessarily a good password. Popular phrases, lyrics, Bible verses, etc. can be substituted in a guessing algorithm just like using "$" instead of "S". Here's an interesting article about some of that:
      > http://arstechnica.com/securit...

      Perhaps, but I think that's why the xkcd comic stipulated four random words. It's the human mind's ability to see patterns or visualizations in words ("It's a battery staple!" "Correct!") that makes such phrases easy to remember.

      I agree that common phrases may not be good choices. But I'm pretty sure that "gopher banana rim plunger" would be fairly immune to attack, although perhaps unpleasant to visualize.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    15. Re:Oh great by Lunix+Nutcase · · Score: 2

      > If your phrase has 12+ characters, looks like a random pile of gibberish, and isn't sitting around in plaintext anywhere, I think it's probably going to be pretty secure.

      You would be wrong. Even a 13-character password that has both lower/upper chars, numbers and special characters still has less than half the entropy of a random phrase of 7 words and two punctuation marks.

    16. Re:Oh great by Just+Some+Guy · · Score: 2, Interesting

      > Unless you're talking about something that I'm not getting, it's not susceptible to a dictionary attack. The individual words may be, but a brute force attack would still need to guess all of those words in that order.

      The part you're missing is Markov chains and Bayesian analysis. I'll bet a reasonable corpus of phrases would show that "is" follows "love" fairly often, and "love is beautiful" is far more common than "love is axiopisty". Similarly, "birds that sing" is hugely more likely than "birds that exhibitorship".

      While the whole phrase is unlikely to be the first random thing someone types, each word in that phrase is quite likely to be the one chosen based on its predecessors. I still think correct horse battery staple is a poor idea compared to a strong randomly generated string, but /usr/share/dict/words on my system has 235886 entries and 235886^4 ~= 2^72. That's reasonably random. I would much rather have to iterate through Markov chains branching from each word in the dictionary and trying the likely phrases than to have to brute force each possible 4-word combination. I don't have the numbers to back it, but I bet you could reduce the search space by quite a lot of orders of magnitude.

      --
      Dewey, what part of this looks like authorities should be involved?
    17. Re: Oh great by David+Jao · · Score: 5, Informative

      A quantum computer can brute force a password quadratically faster than a classical computer. This speedup is much slower than the exponential speedup that a quantum computer enjoys against RSA. Long passphrases are still very secure against quantum attacks.

    18. Re:Oh great by Wootery · · Score: 2

      Steve Gibson (yes, Steve Gibson) did a podcast on why 'clever' tricks to choose memorable passwords, might not be such a good idea.

      Short version: the bad guys know all the little tricks like replacing 'a' by '@'. Whether this particular trick would be more resistant, I'm not sure.

    19. Re:Oh great by thegarbz · · Score: 2, Insightful

      I would like to see a password cracking tool that actually follows what you say.

      See the problem with what you propose is that all it takes is one character to be wrong and your entire guessing game falls in a heap. Is there a comma in there? Did they end with an exclamation mark? When looking at the number of possible words that could be strung together to create a grammatically correct sentence, add the necessary grammar, and pray to god someone didn't misspell a word or add a number, you're effectively brute forcing for a stupendously large dataset.

      The way it works in real-life (tm), a dictionary attack is performed with 1 word. If it doesn't find it hit, dump the target and move on to the next person who is likely to use one word. If evil-dooers (tm) really want your data they'll coerce it out of you, or social engineer your password. No one sits down and brute forces passwords with complex Markov chains and Bayesian analysis.

    20. Re:Oh great by omfgnosis · · Score: 2

      > In theory it is, but in practice "Love is beautiful, like birds that sing." is more likely to show up in a dictionary attack than a random string of gibberish.

      Since the suggested alternative was to use the first letter from each word in the phrase, it's only more likely if the people maintaining the dictionary are idiots. Anyone actually targeting pass phrases with a dictionary would maintain a dictionary of the abbreviated versions as well, because they're likely to be aware of dumb debates like this.

  2. Many passwords just don't matter. by LWATCDR · · Score: 4, Insightful

    For example I am not worried that someone might get my Slashdot password.
    Email, shopping and banking passwords are the ones I worry about.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    1. Re:Many passwords just don't matter. by Shortguy881 · · Score: 4, Funny

      Posted by AC posing as LWATCDR

      --
      Brilliance without wisdom, power without conscience. Ours is a world of nuclear giants and ethical infants.
    2. Re:Many passwords just don't matter. by aardvarkjoe · · Score: 3, Interesting

      The thing is, with a good password manager, there's no reason to have a weak password, even for the sites that you aren't worried about.

      Most non-technical people (the ones who we're most concerned about in terms of password security) aren't very good at figuring out where security is and isn't important. For instance, I can't count the number of times I've heard statements along the lines of "I don't care about my e-mail password, because I don't care if a hacker could read my e-mail." Better to create tools and methods to make sure that people can conveniently create secure passwords across the board, rather than hoping that people will make the correct decisions related to security.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    3. Re:Many passwords just don't matter. by gurps_npc · · Score: 2

      Totally true - and programs like slashdot should insist people use simple passwords.

      The equivalent of putting a luggage lock on your luggage, as opposed to a real lock.

      Among other things, it will discourage people from reusing a slashdot password for something that matters.

      --
      excitingthingstodo.blogspot.com
    4. Re:Many passwords just don't matter. by Daniel_Staal · · Score: 2

      I just had an excellent counter-argument today: Work uses one password to log into their benefits site and into the handheld scanner used on the floor. The handheld scanner has a keyboard of less than 20 keys - numbers are easy, letters are hard, capital letters are really hard, and special characters are impossible. And there's no other input.

      My login to my benefits is now controlled by the password I can type into what's basically a telephone keypad. Because that's where I need to type it a couple of times a day.

      --
      'Sensible' is a curse word.
    5. Re:Many passwords just don't matter. by LWATCDR · · Score: 2

      Email is important because you use that for password recovery. I have a special email account that use just for password recovery.
      I also use Lastpass to keep passwords but some like Slashdot I use a password I made up that I keep in my head as well as in Lastpass.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  3. Wrong by StripedCow · · Score: 3, Interesting

    > 1) Choosing a password should be something you do very infrequently

    Wrong. Once your password is compromised (e.g. by use of a keylogger or otherwise), hackers can use it over and over again.
    It is much better to use One-Time-Passwords (OTPs) such as the ones generated by two-factor authentication systems.

    --
    If Pandora's box is destined to be opened, *I* want to be the one to open it.
    1. Re:Wrong by CaptainJeff · · Score: 2, Insightful

      There's a subtle difference here.
      It is absolutely better to use One Time Passwords (like most 2-factor auth solutions these days with a random number either generated by an app or token or something or supplied to you via an out-of-band channel like an SMS message).
      It is not better to choose One Time Passwords, as the user experience hit is horrible and can you imagine the horrible passwords one would come up with if they needed to come up with a new one on every login action?

      Basically, users are bad at choosing/creating passwords. And passwords get compromised. So, the best solution (that we currently have, anyway) is to have the user pick one really good (hard to guess) password and then to also use a One Time Password (2FA).

  4. Every time XKCD 936 is Mentioned by Matt+Steelblade · · Score: 5, Insightful

    Just because the author asserts that the password system is broken doesn't make Randall Munroe's point about passwords incorrect. "At least one security researcher rejects that theory." What theory does he reject? It's simple math that shows that Munroe's method is better for creating stronger passwords (at least for the average user), but that has nothing to do with relying on password managers...

    1. Re:Every time XKCD 936 is Mentioned by Dadoo · · Score: 2

      > Just because the author asserts that the password system is broken doesn't make Randall Munroe's point about passwords incorrect.

      That was the first thing I thought of, but I still thought the author made a few good points - especially the part about wanting to get rid of passwords, entirely - and I wanted to see what other Slashdotters thought.

      --
      Sit, Ubuntu, sit. Good dog.
    2. Re:Every time XKCD 936 is Mentioned by suutar · · Score: 2

      What he's rejecting appears to be user-selected passwords (which really are pretty crappy on average), which is not what XKCD was talking about (it advocated, as I recall, random selection of each of the 4 words).

      Where he goes from it, however, is not the randomly selected passphrase of XKCD but directly to key managers, and eventually to two-factor auth.

    3. Re:Every time XKCD 936 is Mentioned by QRDeNameland · · Score: 4, Insightful

      > Just because the author asserts that the password system is broken doesn't make Randall Munroe's point about passwords incorrect. "At least one security researcher rejects that theory." What theory does he reject? It's simple math that shows that Munroe's method is better for creating stronger passwords (at least for the average user), but that has nothing to do with relying on password managers...

      In addition, he seems to miss a rather key point about the xkcd method. He goes on about "users should not be choosing passwords" (which is correct), but note that the xkcd comic says 'four random common words'. In other words, in order to follow this method, the user would not be arbitrarily choosing a password but having it generated instead, by for instance using the Diceware method. The core idea is that a human being can much more easily memorize a randomly generated 4-5 word passphrase, as evidenced by the fact that we all seem to remember 'correct horse battery staple'. Yes, password managers are a great tool to handle the ever-growing array of passwords we must manage in our digital lives, but that doesn't preclude the idea that for those 5% of passwords he concedes must be memorized that Munroe's method is not a superior method in those cases, especially since he seems to fundamentally misunderstand it.

      --
      Momentarily, the need for the construction of new light will no longer exist.
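
Added example (not from any poster, nor from the researcher's article): the entropy arithmetic behind Just Some Guy's "235886^4 ~= 2^72" remark and Lunix Nutcase's characters-versus-words comparison, generalised to any alphabet or list size, plus a Diceware-style chooser of the kind QRDeNameland refers to, which draws words with a CSPRNG so the user never "thinks of" them. The fallback word list and the five-dice, base-6 key mapping onto a 7776-entry list are assumptions; the dictionary path is the one the thread names.

```python
import math
import os
import secrets
from typing import List, Sequence

# Constructed fallback list, used only when no system dictionary exists.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "gopher", "banana",
                "rim", "plunger", "alligator", "terrorizes", "newyork", "city"]


def bits_random_chars(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def bits_random_words(word_count: int, dictionary_size: int) -> float:
    """Entropy in bits of `word_count` words drawn uniformly from a list.

    This is the 235886^4 ~= 2^72 calculation from the thread, generalised;
    it only holds when every word is chosen at random, not by the user.
    """
    return word_count * math.log2(dictionary_size)


def diceware_index(rolls: Sequence[int]) -> int:
    """Map five dice rolls (each 1..6) to a 0..7775 word-list index.

    Diceware lists key each word as '11111'..'66666'; this reads that key
    as a base-6 number, so a 7776-entry list is covered exactly once.
    """
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls of 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def roll_dice(n: int = 5) -> List[int]:
    """Roll n dice with a CSPRNG (secrets), never random.random()."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def generate_passphrase(words: Sequence[str], count: int) -> List[str]:
    """Pick `count` words uniformly at random from `words`."""
    return [secrets.choice(words) for _ in range(count)]


def load_words(path: str = "/usr/share/dict/words") -> List[str]:
    """Use the system dictionary (the list counted in the thread) if present."""
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="ignore") as fh:
            return [w.strip() for w in fh if w.strip().isalpha()]
    return SAMPLE_WORDS


if __name__ == "__main__":
    cases = {
        "12 random alphanumerics (62 symbols)": bits_random_chars(12, 62),
        "13 random printable ASCII (95 symbols)": bits_random_chars(13, 95),
        "4 words from a 235886-word list": bits_random_words(4, 235886),
        "4 Diceware words (7776-word list)": bits_random_words(4, 7776),
        "7 Diceware words (7776-word list)": bits_random_words(7, 7776),
    }
    for label, bits in cases.items():
        print(f"{label:42s} {bits:6.1f} bits")
    words = load_words()
    print("passphrase:", " ".join(generate_passphrase(words, 4)))
    print("diceware key:", "".join(map(str, roll_dice())))
```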
  5. Negative by mseeger · · Score: 5, Insightful

    Good, bad & ugly - Your password

    PASSWORD REQUIREMENTS

    A good password must have two properties:

    1) It has been memorized by the user
    2) It is difficult to guess for a third person (even if he/she knows the user well)

    But in most cases another requirement is thrown into the mix:

    3) The password shall be complex (have a high entropy)

    Usually the requirements take the form of a password policy like this:

    The password must be at least 8 characters long
    The password must contain upper- and lower-case letters
    The password must contain a number
    The password must contain a non-alphanumeric character

    You notice anything? Yep, this policy only focuses on the third requirement. And it does so at the expense of the first requirement and (knowing human psychology) it also has a negative impact on the second requirement.

    THREATS TO PASSWORDS

    Let us take a look at how the security of a password can be compromised:

    - The input of the password has been observed (by eavesdropping, key-loggers or by the ordinary Mark 1 Eyeball)

    - The password has been re-used by the user in a different context where the attacker has access to it

    - The attacker gained access to the encrypted storage of password and managed to extract it from there

    - The password has been guessed by the attacker

    How does having a complex password help you against these attacks?

    In case of an attacker observing the user entering the password, no complexity will help. Rather the contrary, a password with mixed upper/lower-case, numbers and special characters is entered at a significantly slower pace. This helps an attacker observing the password by good old-fashioned peeking.

    If the password is known to the attacker from the use in a different context, the complexity is no help either. Knowing the psychological side, cryptic passwords rather compound the problem. Once a user has found a password that fits the typical policy, he tends to use it wherever such a password policy is in place and therefore increases the chances of an attacker to use a known password of the user in a different context.

    In case of access to the encrypted password store, the complexity clearly helps to hamper the attacker (if the password is encrypted properly).

    One would expect that password policy should help making a password un-guessable for a third person. From my personal observation the contrary is true. Under the watchful eye of a password policy they tend to stick to first names, upper-casing the first or last letter, replacing characters by similar looking special characters or numbers and/or adding numbers at the end (like birthdays).

    Summary: Only in one attack scenario choosing a complex password helps, in all other scenarios it does not have any or even a negative impact. So let us look at this scenario a bit more detailed.

    DECRYPTING PASSWORDS

    To decrypt the password of a user, the attacker has first to have access to the password storage. At which point the first and most critical security failure has already occurred. And the user had nothing to do with it.

    When it comes to decrypting a password, the algorithm used is more important than the complexity of the password. If the service provider has not done his homework, complex passwords offer only little protection. This is another critical point, where the user has no influence whatsoever.

    But in case of the service provider having botched the safety of his password file but made everything correct when choosing the algorithm the complexity of the user passwords can offer extra protection against the attacker.

    Does this case justify all the negative impact?

    I want to point out, that the safety of the encrypted password is not the responsibility of the user. So I would say: Don't make him part of the process here. Don't shift the responsibility to him where the service provider is responsible.

    Remark: I did not specifically address the issue of an attacker
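
Added example (not the researcher's code or any poster's): a policy check in the spirit of the summary's fourth point, which undoes the mangling patterns AK Marc, Wootery and mseeger describe (first letter capitalised, '$' for 'S', '@' for 'a', a year or '!' tacked on the end) before comparing the candidate against a dictionary and a common-password list. Both lists are constructed for the demo.

```python
import re
import string
from typing import Tuple

# Constructed sample lists for the demo; a deployment would load a real
# dictionary and a breach-derived list of the most common passwords.
DICTIONARY = {"password", "dragon", "monkey", "letmein", "welcome",
              "summer", "princess", "michael", "jennifer", "sunshine"}
COMMON_PASSWORDS = {"password123", "123456", "qwerty", "letmeinfacebook",
                    "correcthorsebatterystaple"}

# Substitutions the thread mentions ('$' for 'S', '@' for 'a') plus the
# usual digit-for-letter swaps; the checker undoes them before comparing.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

_PUNCT = re.escape(string.punctuation)
_TRAILING = re.compile(r"[\d" + _PUNCT + r"]+$")   # '2014', '!', '123!'
_LEADING = re.compile(r"^[" + _PUNCT + r"]+")       # leading '!' or '#'


def normalise(candidate: str) -> str:
    """Reduce a mangled dictionary word to its base form.

    'M0nkey!23' -> 'monkey', 'P@ssw0rd2014!' -> 'password'.
    """
    core = candidate.strip()
    core = _TRAILING.sub("", core)   # drop birthday / year / '!' suffixes
    core = _LEADING.sub("", core)    # drop leading punctuation
    core = core.translate(LEET)      # undo character substitutions
    return core.lower()              # undo first/last-letter capitalisation


def evaluate(candidate: str, min_length: int = 12) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate password."""
    lowered = candidate.lower()
    squashed = lowered.replace(" ", "")
    # Point 4 of the summary: a password many others chose is rejected
    # outright, however long it is.
    if lowered in COMMON_PASSWORDS or squashed in COMMON_PASSWORDS:
        return False, "appears in the common-password list"
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    core = normalise(candidate)
    if core in DICTIONARY or core in COMMON_PASSWORDS:
        return False, f"is '{core}' with common substitutions or suffixes"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["P@ssw0rd2014!", "Jennifer1987", "LetMeInFacebook",
               "correct horse battery staple", "gopher banana rim plunger",
               "Xl5xX8lB4XI5"]:
        ok, why = evaluate(pw)
        print(f"{pw!r:32s} {'OK ' if ok else 'NO '} {why}")
```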

    1. Re:Negative by The+Technomancer · · Score: 5, Funny

      Having read this before, I was about to blast you for copypasta without attribution.

      Then I looked at your username, looked at where I saw this, and realized that mseeger is probably Martin Seeger.

      So, rather than blasting you for plagiarizing yourself, here's a thank you instead!

      --
      Any sufficiently advanced technology is indistinguishable from magic.

      -- Arthur C. Clarke

    2. Re:Negative by mseeger · · Score: 2

      Thx for looking it up and not blasting me ;-).

      I didn't want to do self-advertisement, so i did not link to my blog.

  6. XKCD is correct by Archangel+Michael · · Score: 2, Informative

    Entropy is key to a good Password. Increasing the password length is one of the easiest ways to increase entropy in a password. Very few people can remember a password like "Xl5xX8lB4XI5" which would take a single computer about 25 thousand years*

    However, using long words "alligatorterrorizesnewyorkcity" would take 22 septillion years*

    * according to https://howsecureismypassword....

    That being said, I also agree that generating new passwords should be done with a Password Manager, however the first password is always the hardest. Which is why three long seemingly random words is much easier and safer, IMHO.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:XKCD is correct by timeOday · · Score: 2

      I don't think there is any reasonable simple definition of entropy that makes it a guarantor of hard-to-guess-ness.

      According to that website the password KimKardashian would take 161,000 years to crack.

  7. Objection One: by arielCo · · Score: 2

    > Even if we entertained the XKCD comic and started training users to select four random words instead of a complex single-word password, I argue that it would not amount to a significant increase in security.

    > People are not very creative and tend to think the same way when choosing passwords. This would lead to the exact same problem we have now, where a few passwords such as "password123" become very common. What is there to prevent “letmeinfacebook” from being the new most common four word password for Facebook accounts?

    Umm, how would they "think" of random words? I think "random" means something like: you pick a dictionary, close your eyes, open it on a random page and put your finger; repeat as needed.

    --
    This post contains no rudeness or derision of any kind. All arguments are friendly. Terms and exclusions may apply.
  8. Re:symbols, caps, numbers by Archangel+Michael · · Score: 4, Insightful

    Short Passwords lengths ARE useful, to learn how to avoid bad websites!

    Sites that limit password lengths are also skimping on other security.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  9. What's the UTF-8 encoding of THAT? by jhantin · · Score: 3, Funny

    Leave it to a Great Old One to figure out a way to completely befuddle the password policy enforcer.

    --
    ...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
    1. Re:What's the UTF-8 encoding of THAT? by Guy+Harris · · Score: 3, Informative

      If by "that" you mean "a fecal sample", the Unicode encoding is U+1F4A9.

  10. Mod parent up. by khasim · · Score: 4, Insightful

    The core problem is that security has many different approaches.

    A password manager is great ... as long as it is available to you on all the devices that you use to login from. Which makes it vulnerable to being cracked when one of those devices is cracked.

    And that isn't even addressing things like the recent rash of credit card cracks being reported. Even if you keep YOUR password secured the attackers can still attack the system when you use the secure information.

    Instead, the focus should be on the knowledge that you will, eventually, be cracked. At least partially. So be prepared to mitigate the damage done at that point.

    Too many people have too much access to your information without the personal incentive to keep it secure. Or the knowledge of how to secure it. Password managers are an improvement in many scenarios. But so is writing your passwords in a book that you keep at home.

    1. Re:Mod parent up. by rainmaestro · · Score: 5, Insightful

      Not having the manager available is a big problem. I redid all my passwords after the Heartbleed issue, and pretty much maxed out the password for each of my important accounts. Was great on my PCs where I had KeePassX, but the first time I had to enter a 24-character randomly generated password with special characters on my cellphone to log in, I realized why it will never work for the average person. Big, long complex passwords are great until you have to type them in on a tiny ass keyboard.

  11. Password reUse by Amtrak · · Score: 2

    While I agree with the researcher's point that dictionary attacks are the biggest risk for passwords and that you shouldn't use the same password for every account you have, I don't think that a password manager is required for all situations. For example I use the same password for Slashdot, Engadget, Tom's Hardware and a few other entertainment accounts. None of these accounts can really cost me money so who cares if someone gets the password? I can just make a new one. So I don't think that sharing passwords in this case is bad. I call this password my "Insecure" password. Now for other services such as my bank, email, windows log in, work password. All of these passwords are unique but I don't have many of them so it isn't hard to remember them.

  12. Not a good solution by mjm1231 · · Score: 2

    Password manager tools are only useful when you are logging in from your own device. What do you do when you need to hop on a friend's computer, or the one at the public library? Or are there cloud based password managers out there (and if so... that just raises further questions).

    --
    Ideology: A tool used primarily to avoid the bother of thinking.
  13. Use a password manager by KozmoStevnNaut · · Score: 3, Informative

    I've used Keepass for a long time, but I recently moved to Lastpass because getting Keepass to sync reliably is a major hassle, plus Lastpass works really well on Android, even for apps. I have a strong master password, which is easy to change regularly because I only have to remember that one password. I also have 2-factor authentication enabled through Google Authenticator. Every other password is randomly generated, I don't even know them.

    --
    Eat the rich.
  14. I disagree by nine-times · · Score: 3, Insightful

    Password managers don't really solve the problem. Many of them aren't really cross platform (by which I mean, they sync with and are accessible by all your programs/browsers for all of your devices), and as he recognizes, there will be some passwords that you can't store in the manager (e.g. the password to the manager itself, and for the devices that access your password manager). Beyond that, I didn't see any recognition anywhere that there are at least some services that you might want to access somewhere where you don't have access to a password manager. For example, the selling point of both webmail and services like Dropbox is that you can access your data on another person's computer. Are you going to want to download, install, and sign into a password manager on another person's computer?

    So yes, passwords actually do need to be both memorable and strong.

    However, I'd agree with him that really, passwords need to die. Or not actually die completely, but most sites should not require their own password. What we really need is some kind of standardized identity management system-- like you know how you can sign onto various sites using either your Facebook or Google+ sign-on? Like that, but standardized. We need a true single-sign-on solution that is easy to manage, hard to screw up and lose your identity permanently, and usable everywhere.

    This has been obvious for well over a decade, but we can't do it because we don't create standards anymore. For any solution, Microsoft wants to have their solution, Facebook wants theirs, Google wants to do it their own way, and Apple wants to do something different from all the rest. Each company pretty much wants a solution that will benefit themselves and screw over their competitors. None are really focused on creating the best solution for social/economic/computing progress, and if they were, it would still be impossible to get others on board. So that's the real problem. Unwillingness to create standards.

    1. Re:I disagree by Dynedain · · Score: 3, Interesting

      We do, it's called OpenID, which is what Google leverages for their single sign-on (not sure if FB is their own solution or not). It was a really popular thing about 5-10 years ago and got a ton of attention. I think even MS enabled it.

      The problem with it is this: everyone was willing to let their own servers be the authenticating source for OpenID, but no one was willing to trust a 3rd party's servers to do the same.

      So I can create identity authentication galore at mydomain.example.com, but if Google isn't willing to trust mydomain.example.com, then it's not very useful as a unified login authenticator.

      --
      I'm out of my mind right now, but feel free to leave a message.....
  15. Re:symbols, caps, numbers by unfortunateson · · Score: 4, Interesting

    > symbols, caps and numbers are still very useful when the site limits password length.
    I disagree: Insist that there must be a cap, and it will be the initial letter in >90% of the cases.
    Insist that it have numbers, and they'll either be trailing (often the year, especially if you require two digits).
    Insist that it have symbols, and you'll probably find a period or comma at the end (the only symbols commonly available on the first smartphone keyboard screen).

    So, now I've changed the two digits to one out of ten, and instead of a random character out of the 70 or so common ASCII characters, I'm probably starting with just one of the uppercase letters.

    At one point when I was a system administrator and we only required 6-digit passwords changed every 90 days, I could log in to 3/4 of the computers with "spring", "summer", "autumn" or "winter". When we beefed up to 8 digits with numbers, it would be "spring95", "autumn96" etc.

    You've got to make it more random: Pick a phrase, a song lyric, a movie quote. Change a word or two. Make some letters just the initials, a word all in caps, a number substitution: "You light up my life" -> "uL1GHT^ml". That's unlikely to be in a cracker dictionary (until today, of course).

    --
    Design for Use, not Construction!
  16. lost password process as an attack vector by roc97007 · · Score: 5, Interesting

    Even the best password, memorized or securely stored, doesn't protect you against a password recovery process that's improperly engineered. Often an institution, even a BANK, will give you as a recovery password a choice from perhaps six possibilities, any of which can be divined from publicly available information or a little social engineering. Your password may be q4ot38yhewa;okl, but your password recovery phrase will be the street you lived on in high school or the name of your first dog. This is not secure.

    And don't even get me STARTED about PIN code security. When I set up my AmEx corporate card, the phone menu suggested strongly that I use digits that are easy to remember, like my mother's birthday. Ignoring the directions and entering a random code, I got rejected because my PIN WASN'T A VALID DATE. I called tech support, told the tech monkey the error I was getting and he immediately said that I was to set it to my mother's birthday. I said I didn't want to use something that would so easily be discovered, and he seemed nonplussed. He had to consult with a supervisor. They eventually decided that I could use a random number, but I had to tell him the number over the phone so he could override the menu's requirements to use a valid date. This was AMEX!

    Back to the lost password process, I give random strings as answers to the challenge questions, but I figure eventually banks won't let me use strings that aren't a valid dog's name or a listed street name in my home town.

    I know why they do this -- it cuts down on service calls to require shlubs to use passwords that are easy for them to remember. But geeze... I foresee a time when we'll all be required to use the common name for an eating implement. Everyone will choose "spoon". The institution will be able to cut customer support back to one person in north-eastern Poland. Or perhaps they already have.

    (I use Poland not to denigrate the Poles, but because a company I do business with was quite proud of the low low DL price they got for customer support hotline personnel in eastern Poland. To cover North American accounts. Because that makes sense. Really.)

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re:lost password process as an attack vector by roc97007 · · Score: 2

      This is not secure.

      Sure it is.

      My first car was your mom, and my favorite animal is a head of lettuce.

      I do that too, with even more obscure answers, but let's face it; most people will answer the questions honestly.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  17. Randall Munroe is still right. by nimbius · · Score: 3, Insightful

    1) Choosing a password should be something you do very infrequently.

    Horse battery type passwords encourage this by making the password relatable as well as affording excellent brute-force protection. Brute force accounts for most password compromises outside of data breaches, which ultimately serve as a direct path toward and a source from which additional attacks can be performed.

    2) Our focus should be on protecting passwords against informed statistical attacks and not brute-force attacks.

    Yes, but this is infrequent and has little to do with password structure. In the article the NSA is cited, but that's not exactly how they work. You're more likely to have a secret court order Google to cough up your data, not your password. Your computer password, on the other hand, would be demanded at penalty of spending the rest of your life in contempt of court or guilty by default. Either way they win.

    3) When you do have to choose a password, one of the most important selection criteria should be how many other people have also chosen that same password.

    I would argue the question is whether this password has ever been compromised or the breadth to which it is used online. More exposure means a greater chance of compromise. Horse battery tries to get people to think creatively to avoid duplication; however, it's not perfect.

    4) One of the most impactful things that we can do as a security community is to change password strength meters and disallow the use of common passwords.

    Absolutely. This and two-factor, which is mentioned in the article, are critical steps in ensuring online services and applications encourage strong passwords. I think the attacks on horse-battery passwords are unmerited, and ultimately irrelevant once paired in a two-factor environment with a private or YubiKey solution. Intelligent service responses to brute-force attempts, RBLs that blackhole compromised machines and subnets, and application support for passwords longer than 8 characters are also important.

    --
    Good people go to bed earlier.
  18. Re:Not contradictory by sexconker · · Score: 2

    1) The frequency of choosing a password is not within the end-user's control, and hence has no impact on whether or not the end-user chooses to include special characters vs several simple words.

    The vast majority of passwords and resets are controlled by the user. Websites do not often force people to reset passwords. In a corporate environment people will be forced to change passwords more frequently, sure. But email, 20 social networking sites, shopping sites, and even banks will typically not force a reset unless they've been compromised.

    2) Protecting against a brute force attack does not, in any way, break protection against "informed statistical" attacks.

    XKCD's shitty advice is protecting against brute force attacks by using length (even though in many cases the effective length is still limited to something stupid like 16 characters). By following XKCD's shitty advice, you open yourself up to statistical attacks - your search space is just a combination of a few words. People generally only use a few thousand words, and when you want them to be random about it they'll likely pick common ones, fairly short ones, mostly nouns, etc.

    3) End-users do not typically know how many other people have chosen that same password, but can protect themselves against accidentally choosing a common password by doing exactly what the XKCD comic recommends (picking four random words and juxtaposing them). Just don't use the specific password chosen in the comic.

    Humans are terrible at being random. Any magician, con-artist, or statistician will tell you that. The most commonly-picked "random" cards are the ace of spades and the queen of hearts, for example. The 4 "random" words scenario will give you a search space many orders of magnitude smaller than a good, traditional password.

    4) Disallowing common passwords is not within the end-user's control. It is a good practice, but does not in any way change the password-selection logic that end users should use as per the XKCD comic.

    The only contradictory point mentioned is the "change password strength meters", which might mean "require special characters and numbers," which is exactly what the comic demonstrates to offer no value. The intent here seems to be the avoidance of common passwords, and that can be done without forcing special characters, which makes passwords hard to memorize.

    Disallowing common passwords is within the user's control. Don't use a fucking password you've heard of before. If your password manager, or a site, tells you that the password is shitty, maybe don't use it.
    The XKCD comic is fucking wrong. Symbols, numbers, and capitalization all increase the search space exponentially. Special characters do not make passwords harder to memorize. I find they make it easier. They provide a cadence in many of the passwords I use. Instead of just a slurry of letters, a password with digits or symbols is less likely to get twisted about in someone's mind. alhysuidopmnah will be subject to transposition on shit like the ui, mn. alhys5idop#nah doesn't have that problem, and is much easier to compartmentalize (alhys5 idop# nah). This may or may not be true for all users for fixed length (and it certainly depends on the specific password itself). Beyond that, for passwords of a given strength those with symbols and shit will be easier to memorize than those without, if only because they'll be much shorter.

  19. yea no by Charliemopps · · Score: 3, Insightful

    Bullshit... this guy is working in some fantasy world separated from reality.
    Anecdotal example: I used to work for AT&T back in the 90s. They wanted to improve the security of an application, so they changed the password requirements and had it require a 30-character pass phrase that included capitals, lower case, numbers, special symbols, no numbers could repeat, etc... The result? Everyone had a Post-it note with their password stuck to their monitor within a week.

    All of your security measures are meaningless if no-one follows them. There was no way in hell we were going to remember our 30 character password without writing it down.
    Password safe huh? And how do I log onto the computer in the first place? Or remember the password for the password safe? I need 2 passwords just to get into the safe! I have to pick a less secure password to protect the thing I keep all my passwords in?!?!

    6 to 8 characters
    make us change it every 90 days
    Special characters don't matter
    4 attempt lockout
    done

    If they can guess your password in 4 attempts, they know your god damned password.

  20. Which password manager by the way? by thetagger · · Score: 2

    So, which password manager do you use that is open source, safe, works on Linux, and does not rely on or expose your secrets to a centralized party?

  21. Anti-Captcha by mbone · · Score: 3, Insightful

    There are now lists of millions of stolen passwords, and frankly none of them are safe. Why shouldn't someone set up a password security app (like captcha, but in reverse) so that a large web site could

    - download a large stolen password list (even 1 billion would only be a few GBytes)
    - check (a salted hash of) your password against the list (say, salts changed every day or hour or...) and
    - if yours is on the list, tell you to do better

    It seems this would be much safer than just having some app that counts punctuation characters and tells you your password is strong if it has more than 3.
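    One way a site could implement the check described in this comment, as an added example that is not from the thread or from any product it mentions: the breached list is a small constructed sample, and both the index and the lookup are keyed with the same salt, so rotating the salt means re-keying the whole table.

```python
import hashlib
import hmac
import secrets

# Constructed sample standing in for a multi-million-entry breach corpus;
# a real deployment would stream the list from disk when building the index.
BREACHED_PASSWORDS = [
    "password", "123456", "qwerty", "letmein", "P@ssw0rd!", "Password1!",
    "correcthorsebatterystaple", "letmeinfacebook", "spring95", "autumn96",
]

# Truncated digest: 1e9 entries * 8 bytes keeps the table in the "few GB" range.
DIGEST_BYTES = 8


class BreachIndex:
    """Salted-hash set of known-compromised passwords.

    The salt is shared by the table and every lookup, so it only stops the
    stored table from being a plain unsalted hash list; it gives no per-user
    protection, and rotating it (daily, hourly, ...) means rebuilding the table.
    """

    def __init__(self, passwords, salt=None):
        self.salt = salt if salt is not None else secrets.token_bytes(16)
        self._table = {self._digest(p) for p in passwords}

    def _digest(self, password: str) -> bytes:
        # HMAC keyed with the salt, truncated to save memory. With n entries a
        # 64-bit truncation has roughly an n / 2**64 false-positive rate.
        mac = hmac.new(self.salt, password.encode("utf-8"), hashlib.sha256)
        return mac.digest()[:DIGEST_BYTES]

    def is_compromised(self, password: str) -> bool:
        return self._digest(password) in self._table

    def rotate(self, passwords, salt=None):
        """Re-key the table under a fresh salt (the 'salts changed every day' step)."""
        self.salt = salt if salt is not None else secrets.token_bytes(16)
        self._table = {self._digest(p) for p in passwords}


def evaluate_candidate(index: BreachIndex, candidate: str) -> str:
    """Feedback a signup form would show instead of a punctuation-counting meter."""
    if index.is_compromised(candidate):
        return "rejected: this password appears in a known breach; choose another"
    return "accepted"


if __name__ == "__main__":
    idx = BreachIndex(BREACHED_PASSWORDS)
    for pw in ["P@ssw0rd!", "correcthorsebatterystaple", "q4ot38yhewa;okl"]:
        print(f"{pw!r}: {evaluate_candidate(idx, pw)}")
```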

  22. Re:banking websites by Camel+Pilot · · Score: 2

    Not effective. Proxies are too easy.

  23. Re:symbols, caps, numbers by nine-times · · Score: 3, Insightful

    Yeah, I try to make this point all the time. I run into IT people and companies whose idea of a "strong password" is something like: have 8 characters, one capital letter, one number, and one symbol/punctuation-mark, and rotated every few months without repeating for the past 5 passwords.

    You know what people do? They rotate through the following passwords: Password1!, Password2!, Password3!, Password4!, Password5!

    Actually, if you think about it, standardizing on those kinds of requirements is kind of dumb, since it limits the combinations of different passwords people can use. If an attacker knows these requirements, and wants to attempt a brute-force attack, he starts by ruling out anything with fewer than 8 characters, and any combination lacking in symbols, capital letters, etc. Now, that doesn't cut out that many possible combinations, but you can start by ruling out short words, assume that the first letter will be capital, assume that the numbers will be at the end, and there's a good chance the whole thing ends in an exclamation mark. I've seen a lot of passwords, and it's always an exclamation mark at the end.

    And then there's always someone who pops up with the clever advice of substituting symbols for letters. "The password 'password' is completely insecure. Instead, use 'P@ssw0rd!'. Hackers can't guess your password if it has symbols, numbers, and punctuation!" Ummm... no. Those kinds of substitutions have been included in dictionary attacks for a long time now. "P@ssw0rd!" is not a strong password.

    The "correcthorsebatterystaple" is actually pretty good advice at this point, all things considered.

  24. Re:symbols, caps, numbers by Anonymous Coward · · Score: 5, Funny

    Like my bank, which has to keep the answers to my security questions in plain text. Otherwise, the last time I got locked out, I would not have had the rep say, "Alright, now what is your mother's maide.... Good lord." The answer, by the way, was Mrs. Farty Pants.

  25. Re:Ugh blowhard city by ysth · · Score: 2

    He not only makes the unrelated point, but then goes on with nonsense about when you do need to choose a password:

    Even if we entertained the XKCD comic and started training users to select four random words...[w]hat is there to prevent "letmeinfacebook" from being the new most common four word password for Facebook accounts?

    Bzzzt. Failure to understand the meaning of the word "random" rules you out as an authority on passwords.

  26. Password managers by Faux_Pseudo · · Score: 2

    After Heartbleed I brought up my password manager and changed 140 passwords in a few hours. If it wasn't for my password manager I would have never even known I had 140 passwords to change.
    These things are amazing. Randomized passwords for all my accounts. In the event of a catastrophic failure all I have to do is remember three passwords to get everything back: my email password, my cloud password and the password to the encrypted db of passwords. As a person who deals every day with people who "don't even remember setting a password for that", I wish more people used these.

  27. Re:symbols, caps, numbers by FatdogHaiku · · Score: 5, Funny

    The only reason they started with 6 chars was so they could generate an error message:
    "penis is too short"
    when someone tried to use that for a password...

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  28. Re:symbols, caps, numbers by turp182 · · Score: 2

    I like to concatenate song lyrics first letters.

    My favorite password, which I can't take credit for was:
    sdftr,ndtwtsotr!

    Translates to:
    Seasons don't fear the reaper, neither do the wind, the sun, or the rain.

    Needs more cowbell!

    --
    BlameBillCosby.com
  29. Re:Bang for buck by umghhh · · Score: 2
    Quite a few intelligent posts here this time. Bit shocked really - is this still /. ???

    But I digress - the point here is this: once you fix the security of primary access you will find out that password recovery is shit; once you fix this you will find out that the password DB of the site was at the same time not properly hashed and not properly protected from theft. Once you fix this you will notice that your device is compromised, your 'yellow stickers' with the pwd to your password manager have been seen by an evil person (wife?), and somebody compromised not only the reader of your chip card but also eavesdropped its PIN. Then we find out what the best way of authentication and authorization is - NSA, IS and other friends will use it to track you in a perfect way.

    To me it looks like a lose-lose situation, and one that thanks to galloping technology and 'user friendliness' is getting worse as we speak.

  30. Re: symbols, caps, numbers by geminidomino · · Score: 3, Informative

    It gets hashed down to 28-64 characters and written into the database?

  31. Re:symbols, caps, numbers by Zxern · · Score: 2

    Sigh. You really expect people to remember a phrase that changes every 90 days?

  32. Evolution Of Passwords by Tablizer · · Score: 5, Funny

    1978:

      password

    1983: Rule: Don't use 'password', too common.

      passgas

    1990: Rule: Must contain at least one digit

      passgas7

    1995: Rule: Must contain mixed case

      Passgas7

    1999: Rule: Must contain at least one punctuation character

      Passgas7&

    2004: Rule: Must change every 2 months

      Passgas7& ... Passgas8* ... Passgas9( ... Passgas1! ...

    2015: Rule: Must be at least 20 characters long

      Passgas711111111111$ ... Passgas177777777777$ ...

    2017: Rule: Can't use any patterns guessable by AI

      Oh f$ck it, just hack me already, dammit @666

    (Courtesy c2 wiki)

  33. Re:Stay Away From Single Points of Failure by Shados · · Score: 2

    The password manager only needs 1 password, and the file could be anywhere (ie: different people will keep them in different places), making mass harvesting tricky. And you have to get to the file in the first place (ok, if everyone puts in on iCloud we're back to square 1...)

    Getting people to create 1 strong password, and use the manager for the others is one thing.

    Getting people to do it 50-100(!!!) times and remember all of them, for all the accounts and services people have to manage in 2014, is insane and won't happen.

    I agree it's definitely a half solution, but it's better than the alternative. The password could be biometric too, solving part of the issue.

    IMO the biggest problem left is input of long, complex password. Typing out an extremely long password on systems where I can't copy paste (ie: my TV or on home appliances) is crazy.

  34. Sorry by saikou · · Score: 4, Funny

    "You can't use PasswordABC as your password, because user Smith15 already uses it as a password"
    Oh wait :P

  35. Re:symbols, caps, numbers by war4peace · · Score: 3, Interesting

    One of my older passwords for important stuff was an Office 2000 key I learned by heart. 25 characters, letters mixed with numbers, not including dashes. If special characters were required, then I'd use dashes, otherwise not.
    Save for VL keys, they were unique so the chances of someone guessing that were very, very slim.

    And just for kicks I wrote a password manager which allowed you to use any key on the keyboard, including ctrl, shift, alt, caps lock, Win key, you name it. How about using ctrl, shift+num*, backspace, backspace, F1, Esc, Scroll Lock, Winkey as a password? :)
    (the only problem was that if you fatfingered a key you would have to wait for the 10 second cool off and try again when prompted)
    The application could also be configured to give you a "wrong password" result if you entered the right password, with a configurable delay during which you were expected to do nothing to go through. There was no visual feedback when pressing the keys, only sound.
    But a regular user would be driven mad by such a login method, heh-heh.

    There are many ways to make an environment secure password-wise. But Average Joe wants it quick and easy, so as long as people aren't educated, nothing would really be secure enough.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  36. Re: symbols, caps, numbers by brainboyz · · Score: 2

    No more so than it would if you manually submitted a preposterously long value to any given HTTP post field.

  37. Re:symbols, caps, numbers by PraiseBob · · Score: 5, Insightful

    IT companies like Microsoft? You've just described the exact password policy that the largest software company in the world uses to enforce a "strong password", under the guise of best practices. I don't know why you blame the end user, when the manufacturer is the one perpetuating this system through documentation, training certifications, and the operating system itself.

    But all that aside, those passwords are plenty good enough. Any system that allows an attacker to brute force passwords, especially online, has a design problem. It would take an idiot to build a system that allows 1000 password guesses per second without a timeout. Guess wrong 5 times, and you get locked out for 10 minutes, and a warning email sent. Suddenly you've increased the brute force time to thousands of years, and the target is aware. This is basic stuff, and just about any dictionary word is safe.

    Ever increasing complexity is an unnecessary solution. Password breaches are not being done through brute force, there's no real reason to make brute force harder.
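    The lockout policy this comment sketches, as an added example that is not from the thread or from any product it names: 5 wrong guesses lock the account for 10 minutes and fire a notification hook, the clock is injectable so the window can be tested without sleeping, and the last two functions turn the policy into an upper bound on online guessing.

```python
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

MAX_FAILURES = 5        # "Guess wrong 5 times"
LOCKOUT_SECONDS = 600   # "locked out for 10 minutes"


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class LoginThrottle:
    """Per-account failure counter with lockout and a warning hook.

    `clock` returns seconds (monotonic by default); `notify(user, message)`
    is where the warning email would be sent. `events` is an audit trail a
    detection pipeline could consume.
    """
    clock: Callable[[], float] = time.monotonic
    notify: Callable[[str, str], None] = lambda user, msg: None
    events: List[Tuple[float, str, str]] = field(default_factory=list)
    _state: Dict[str, AccountState] = field(
        default_factory=lambda: defaultdict(AccountState))

    def attempt(self, username: str, password_ok: bool) -> str:
        """Returns 'ok', 'denied' or 'locked'. `password_ok` is the verifier's result."""
        st = self._state[username]
        now = self.clock()
        if now < st.locked_until:
            # While locked, a correct password is rejected too: the response
            # must not become an oracle that still confirms a guess.
            self.events.append((now, username, "locked_reject"))
            return "locked"
        if password_ok:
            st.failures = 0
            self.events.append((now, username, "success"))
            return "ok"
        st.failures += 1
        self.events.append((now, username, "failure"))
        if st.failures >= MAX_FAILURES:
            st.failures = 0
            st.locked_until = now + LOCKOUT_SECONDS
            self.events.append((now, username, "lockout"))
            self.notify(username, f"{MAX_FAILURES} failed logins; account locked "
                                  f"for {LOCKOUT_SECONDS // 60} minutes")
            return "locked"
        return "denied"


def max_guesses_per_day() -> int:
    """Most online guesses one account can receive per day under this policy."""
    return (86400 // LOCKOUT_SECONDS) * MAX_FAILURES   # 144 windows * 5 = 720


def years_to_exhaust(search_space: int) -> float:
    """Years needed to try every candidate in `search_space` at the capped rate."""
    return search_space / max_guesses_per_day() / 365
```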

  38. Re:symbols, caps, numbers by DaTrueDave · · Score: 5, Insightful

    Not only that, but remember multiple different passwords like that, because some websites/databases don't allow the caret symbol.

    I have over 20 different passwords for different sites at work. Some of them don't allow a password under 12 characters, some don't allow a password over 8 characters. Some don't allow a number or symbol in the first space. Some only allow 6 different symbols to be used. Some don't allow capital letters. Some require capital letters.

    It's insane. It's not possible for my coworkers to remember them all, so they get written down, which certainly doesn't increase security. Many times people keep their passwords in their phones. Some write them down on paper and keep them in their wallet. Some folks leave them on notes in their cubicle.

    Then, to top it off, some require the password to change every 30 days. Some every 60 days. Some every 90 days.

    These insane attempts to force password security have actually destroyed it.

  39. Myanmar Shave by tepples · · Score: 2

    If these signs
    Were here today
    The final one
    Would likely say
    Myanmar Shave

  40. Re: symbols, caps, numbers by nabsltd · · Score: 2

    It's also a potential DoS for the server if a bunch of people start submitting preposterously long "passwords" anywhere they have a password box.

    Nobody's asking for sites to allow you to use your favorite novel as a password, but limiting to some insanely short value is not the right way to solve the problem.

    Set a limit of 255 characters for the password, and you won't get any complaints about too short a limit while keeping the computing requirements for the hash creation reasonable.

  41. Re:symbols, caps, numbers by Barny · · Score: 2

    And yet this exact 'verification' was a way to steal control of accounts a while back.

    Basically, Apple asked for the first four digits of your CC for secure verification, Amazon asked for the last four. Each was happy to give the four digits at the opposite end of your account and, worse, Amazon would let you add a new CC to your account, verify yourself with that credit card, then provide the other four digits of your other card. This was used, successfully, to attack a person's iCloud account. I am not sure about now, but I really hope both companies have changed their policies, particularly in regards to phone support and scripted replies to requests for control of accounts.

    http://www.wired.com/2012/08/a...

    --
    ...
    /me sighs
  42. Re:symbols, caps, numbers by tompaulco · · Score: 2

    The Social Security Administration online services for business, which I and probably 90% of other businesses use once per year, has a password expiration policy of every 90 days. If you don't log in in that period and change the password, you get locked out, requiring you to call and talk to an operator.

    --
    If you are not allowed to question your government then the government has answered your question.
  43. Re:symbols, caps, numbers by troon · · Score: 2

    Aldermore: a bank!

    They ask for e.g. first, third and fifth characters of a password that must be between eight and twelve alphanumeric characters, and the dropdowns to make the selection are lower case only.

    This means they're storing the password unhashed, at best locally encrypted but decrypted to check the user login. Once past that, the second and final step of the login is to answer one of five questions as previously stored.

    --
    Ydco co ,df C erb-y go. a Ekrpat t.fxrapev
  44. Re:symbols, caps, numbers by tburkhol · · Score: 2

    It's insane. It's not possible for my coworkers to remember them all, so they get written down, which certainly doesn't increase security. Many times people keep their passwords in their phones. Some write them down on paper and keep them in their wallet. Some folks leave them on notes in their cubicle.

    The question whether this increases or reduces security depends on what kind of attack you expect. If you expect to be specifically targeted, by a human being that can gain access to your personal space in such a way as to read the notes on your keyboard or cubicle walls, then writing down passwords is Bad. Making a conspicuous display of user/pass combinations could certainly make you a specific 'target of opportunity.' But if your primary security concerns are compromise of some bank/website's database or scripted attacks on internet services, then it hardly matters if a physical representation of your password exists, and it really helps to have different codes.

    I imagine that any decent system, once it finds a valid user/pass combination, promptly runs off and tries that everywhere: every bank, every ISP, every email service, every social networking site, every game server. Site-specific passwords will hugely reduce the damage due to a successful hack. Storing your user/pass combinations on a hackable device might not be the best solution, but for most of us semi-anonymous internet denizens, a system that a human would rapidly recognize may still defeat a script.

  45. Re:Not contradictory by catprog · · Score: 2

    XKCD's shitty advice is protecting against brute force attacks by using length (even though in many cases the effective length is still limited to something stupid like 16 characters). By following XKCD's shitty advice, you open yourself up to statistical attacks - your search space is just a combination of a few words. People generally only use a few thousand words, and when you want them to be random about it they'll likely pick common ones, fairly short ones, mostly nouns, etc.

    4 words from a list of 1000 words = 10^12 possible passwords

    10,000 uncommon words, 4 symbol replacements on average , 2 digits of numbers , numbers at the start or end. capital/non capital at the start.

    10,000 * 16 * 2 * 2 * 2 = 1.28 * 10^7.

    A lot fewer passwords.

    Any other ways you can think of to increase the password's complexity?

    Humans are terrible at being random. Any magician, con-artist, or statistician will tell you that. The most commonly-picked "random" cards are the ace of spades and the queen of hearts, for example. The 4 "random" words scenario will give you a search space many orders of magnitude smaller than a good, traditional password.

    That is why you need a randomizer to pick the words rather than you picking them.

    --
    My Transformation Website
    Kindle Books http://www.catprog.org/rev
    Interactive CYOA http://www.catprog.org/st
  46. Re:Not contradictory by catprog · · Score: 2

    Sorry the calculation should be
    10,000 * 16 * 100 * 2 * 2 = 6.4 * 10^8

    --
    My Transformation Website
    Kindle Books http://www.catprog.org/rev
    Interactive CYOA http://www.catprog.org/st
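    The two search-space calculations in the previous two comments, carried through in code, plus the randomizer the first of them calls for; this is an added example, not from the thread, and the word list is a constructed stand-in whose size is only a parameter.

```python
import math
import secrets

# Constructed miniature list standing in for a real diceware-style word list;
# the entropy figures take the list size as a parameter, not this sample.
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple", "spring", "summer",
                   "autumn", "winter", "reaper", "cowbell", "lettuce", "spoon"]


def word_scheme_space(list_size: int, n_words: int) -> int:
    """Search space for n words chosen uniformly (with replacement) from a list."""
    return list_size ** n_words


def mangled_word_space(vocab: int, substitution_patterns: int, digit_suffixes: int,
                       digit_positions: int, case_variants: int) -> int:
    """Search space for one dictionary word plus the mangling steps listed above
    (symbol substitutions, a two-digit number at the start or end, initial case)."""
    return vocab * substitution_patterns * digit_suffixes * digit_positions * case_variants


def bits(space: int) -> float:
    """Entropy in bits of a password drawn uniformly from `space` candidates."""
    return math.log2(space)


def generate_passphrase(wordlist, n_words: int = 4, sep: str = " ") -> str:
    """Pick the words with a CSPRNG so the choice is random, not human-favoured.

    Duplicate entries would bias the draw toward the repeated word, so they
    are rejected; each word is drawn independently, matching list_size**n.
    """
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("word list contains duplicates")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare(list_size: int = 1000, n_words: int = 4) -> dict:
    """Bits of the two schemes side by side, using the figures from the comments."""
    words = word_scheme_space(list_size, n_words)
    mangled = mangled_word_space(10_000, 16, 100, 2, 2)
    return {"words": bits(words), "mangled": bits(mangled),
            "ratio": words / mangled}


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDLIST))
    print(compare())
```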