Slashdot Mirror


Password Autocorrect Without Compromising Security (threatpost.com)

msm1267 quotes a report from Threatpost: Intuitively, auto-correcting passwords would seem to be a terrible idea, and the worst security-for-convenience tradeoff in technology history. But a team of academics from Cornell University, MIT and a Dropbox security engineer say that the degradation of security from the introduction of such an authentication mechanism is negligible. The team -- Rahul Chatterjee, Ari Juels and Thomas Ristenpart of Cornell University, Anish Athalye of MIT, and Devdatta Akhawe of Dropbox -- presented their findings in a paper called "pASSWORD tYPOS and How to Correct Them Securely" at the recent IEEE Symposium on Security and Privacy. The paper describes a framework for what the team calls typo-tolerant passwords that significantly enhances usability without compromising security. The paper focuses on three common types of password errors that users make while typing: engaging caps lock; inadvertently capitalizing the first letter of a password; or adding or omitting characters to the beginning or end of a password. By instituting an autocorrect scheme, the researchers said in their paper that they could reduce common mistakes and user frustrations with logins. Recently, an anonymous user asked Slashdot how one creates a highly secure password after a study from Carnegie Mellon issued a warning about common user misconceptions. You can engage in the conversation and/or read the witty responses here.

140 comments

  1. f!rstPo$t by cyclomedia · · Score: 0

    Half of what TFA is suggesting is, essentially, making passwords case-insensitive. Which as far as I'm concerned is a good thing, I despise case-sensitivity in all its forms in computing, to a human filename is the same as Filename and FILENAME. It's only binary technical smart-assery that distinguishes them. (I'm a C# coder and I have no problem with the IDE auto-correcting and formatting the cases on my variables so that code is readable and consistent, thus avoiding compile errors)

    --
    If you don't risk failure you don't risk success.
    1. Re:f!rstPo$t by marco.milone · · Score: 0

      case insensitive passwords? Mwahahahahahahah

    2. Re:f!rstPo$t by rastos1 · · Score: 3, Insightful

      So you are willing to reduce the search space by factor of 2^N where N is the length of the password?

    3. Re:f!rstPo$t by John+Allsup · · Score: 1

      Having a maths background, the ability to have x and X refer to different things is natural, useful, and the inability can be annoying. I haven't read the article, but essentially what I imagine is that, given a mismatch when checking exactly (that is, hash and compare to stored hash), it is then easy for the server to calculate say 1000 likely variants assuming the presence of a typographical error, and try those. The insecurity is mitigated by making your minimum length 2-3 characters more.

      --
      John_Chalisque
    4. Re: f!rstPo$t by Anonymous Coward · · Score: 0

      C# coder. Right. Says everything really.

    5. Re:f!rstPo$t by Anonymous Coward · · Score: 0

      windows fanboy, huh? hate linux?

      (I'm a C# coder

      yup.

      you must really hate the interwebs, too, then; the majority of servers running it use case sensitive URI to match their native filesystems.

    6. Re:f!rstPo$t by Anonymous Coward · · Score: 3, Interesting

      If the alternatives are writing the password down or using short passwords, sure.

    7. Re:f!rstPo$t by TuringTest · · Score: 3, Interesting

      Yes, because that makes passwords more user-friendly, which ultimately makes them MORE secure (no need for the user to write them down in a post-it, and all that).

      If you remove capitalization as a factor, people would need to choose longer words and more symbols, so it even may prompt a net security gain overall.

      --
      Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
    8. Re:f!rstPo$t by Anonymous Coward · · Score: 1

      The filename is a variable, Filename is a class, and FILENAME is a constant. Or whatever your code convention says. As long as the codebase is consistent, it makes the code a lot easier to follow.

      That certainly is better than having to guess what it should be, or using a variation of pattern like filename_var, filename_class, filename_const.

      You also could similarly argue that long names are bad. Just use f for file name, etc. If you think that is bad, think about the reason (loss of information) and why some others prefer having case-sensitive names.

    9. Re:f!rstPo$t by Anonymous Coward · · Score: 0

      No problem -- you can always add one character at the end to compensate. With this new system you don't even have to remember which character you added.

    10. Re:f!rstPo$t by Anonymous Coward · · Score: 1

      > would need to choose longer passwords

      See the optional part in that sentence?
      That's why it's not gonna happen.

      Also the most insecure passwords are already lowercase only.
      This would just make "password" as secure as "Password" - while atm the second is much more secure than the first one.

    11. Re:f!rstPo$t by michelcolman · · Score: 5, Insightful

      I suppose it's OK if, on login, if the entered password does not match, they try with simpler versions but NOT more complex ones.

      For example, if the password is "password", then "Password" and "password]" will be accepted as correct.

      However, if the stored password is "passWord]", then "passWord" will not be accepted and neither will "password]".

      So basically, the system should try removing capitalization and removing extraneous characters, but not adding them. This would indeed increase user-friendliness without affecting security much. Hackers tend to try the simpler versions first anyway.

      Another thing I wish people would implement everywhere, is not counting duplicate login attempts with the same erroneous password or pin towards your allowed number of login attempts. If someone types the wrong pin (not a typo, but just a mistake), he will usually try it a second time before realising it was a different one. Then, on the third attempt, a single typo can block his card. Counting multiple entries of the same code as a single miss will have absolutely no negative effect on security but will make a big difference in user-friendliness.

    12. Re:f!rstPo$t by Anonymous Coward · · Score: 1, Funny

      I'm a C# coder

      That explains a lot.

    13. Re:f!rstPo$t by Oligonicella · · Score: 1

      Yes, because that makes passwords more user-friendly

      That is nothing but an assumption on your part.

    14. Re:f!rstPo$t by Zocalo · · Score: 2

      I think they are going a bit further than that; based on the examples in the summary, then for the actual password of "p@ssword" the system would also accept "P@SSWORD", "P@ssword", "p@sswor" and "p@ssword1". That's all well and good if you have access to the original password and can apply the auto-correct algorithm to see if what was entered is good enough, but how is that supposed to work if you are taking password security seriously and using salted and hashed passwords? The article isn't totally clear on this, but it seems that in the event of an authentication failure they'll just retry with each auto-corrected variation in sequence until they either get a match or run out of permitted options. Unless both ends of the transaction are making allowances for this (allowing more than three retries for instance), that might actually cause more problems than it solves through locked out accounts, etc. and might also open up new means of attacking an account.

      As always, it sounds like the devil is lurking in the details...

      --
      UNIX? They're not even circumcised! Savages!
    15. Re:f!rstPo$t by Anonymous Coward · · Score: 5, Funny

      to a human filename is the same as Filename and FILENAME

      But to the same human, jack and Jack is not the same.

      "I helped my uncle jack off a horse"
      "I helped my uncle Jack off a horse"

    16. Re:f!rstPo$t by Anonymous Coward · · Score: 1

      The whole concept of locking an account for too many login attempts is broken. It's nothing more than a denial of service vulnerability.

      (Locking out the IP address is another matter in most cases).

    17. Re:f!rstPo$t by Bengie · · Score: 1

      Correction, 26^N

    18. Re:f!rstPo$t by allo · · Score: 1

      That's bullshit, because you already CAN use lowercase passwords, but you do not need to.

    19. Re:f!rstPo$t by Zocalo · · Score: 3, Interesting

      With salted and hashed passwords it would need to be the client generating the auto-corrected versions - the server should never, ever, have any idea what the actual password was and just retain a copy of the hash to mitigate against brute forcing, but otherwise yes, the lost security would be offset by adding a few more characters. What I'm currently trying to figure out is what additional impact (if any) combining this with a scenario involving dictionary attack and rainbow tables might have on the net security of the system. My initial gut feeling was that you would need to add more than 1,000 extra combinations to the password through additional characters to offset the loss of allowing 1,000 variants - and possibly a lot more - but I'm coming up short on actually quantifying it; ultimately you *still* need an exact match, so all the proposed system is doing is a small scale version of a dictionary attack, so maybe there's no change there at all.

      One way it absolutely weakens your overall security though is account lockouts through retries; you are going to need to allow a lot more retries for this to work, which is going to allow kiddies trying lists of popular passwords a *lot* more attempts before they trigger an account lockout. Tools like Fail2Ban are incredibly effective when you only allow three attempts before blacklisting the IP (bonus points if you do so across your entire estate), but if you need to set that to a few thousand to allow for auto-corrected variations then what's the point?

      --
      UNIX? They're not even circumcised! Savages!
    20. Re:f!rstPo$t by Anonymous Coward · · Score: 0

      Windows has the issue of ivory tower with MS telling you what's best for you, while Linux has the issue of anti-intellectualism.

      Windows fanboi? nah. Linux distros, pure crap, unless you mean Slackware. Full of cargo-cult programmers who think they're cool because they're not using Windows. Crap is crap no matter what OS they're using, they just get to circle jerk with a bunch of other yuppies who think they're awesome for hating on M$. *BSDs have my favorite type of people. It may not be perfect, they still make mistakes, but they're much more mature and realistic.

    21. Re:f!rstPo$t by Anonymous Coward · · Score: 0

      Half of what TFA is suggesting is, essentially, making passwords case-insensitive. Which as far as I'm concerned is a good thing, I despise case-sensitivity in all its forms in computing, to a human filename is the same as Filename and FILENAME. It's only binary technical smart-assery that distinguishes them. (I'm a C# coder and I have no problem with the IDE auto-correcting and formatting the cases on my variables so that code is readable and consistent, thus avoiding compile errors)

      Grow the fuck up, you big baby.

      If you can't be trusted to get case correct in code, you can't be trusted to write code. Period.

    22. Re:f!rstPo$t by currently_awake · · Score: 2

      Having auto-correct eliminates deliberately misspelled words, and thereby reduces attacks to a dictionary attack (the simplest kind).

    23. Re:f!rstPo$t by Anonymous Coward · · Score: 0

      Really not that hard, you just store all the allowed versions encrypted, it's only like 4 or 5. Then compare against them all.

      Store encrypted values of "p@ssword", "P@SSWORD", "P@ssword" if entered value matches any you are good

      Store encrypted value of "p@sswor" , drop last character of entered value and if matches you are good

      Drop last character of entered value and if matches you are good, ie "p@ssword1" or ("p@sswordX", "p@sswordY" "p@sswordZ") is valid against encrypted "p@ssword"

    24. Re:f!rstPo$t by fnj · · Score: 1

      The insecurity is mitigated by making your minimum length 2-3 characters more.

      I didn't think so, so I ran the numbers. Disregarding dictionary attacks, you have to brute-force 26^8=2^10^12 tries to nail "password", and 52^8=1x10^14 tries to brute-force "passworD", but 26^10=1x10^14 for "passwordab", which adds only 2 letters.

      You're absolutely right. Doubling the character set from lower case to both cases only gives you a puny increase in entropy for passwords of non-trivial length. Clearly adding digits and punctuation characters doesn't help much either. A time-honored myth disposed of so readily.

      But I still think a truly random word sequence is better[*]. If the following sequence of words is randomly chosen from a 100,000-word dictionary, it has an entropy of 100000^4=1x10^20.

          unpleasantly limiter's citified chronicles

      Note: that's only a sequence of 4 to memorize, rather than 8-10.

      [*] CERTAINLY not a phrase or sentence that appears in literature, which is a siren song to choose. Whether an extemporized grammatically-correct and meaningful phrase or sentence is OK, can be argued. It's certainly a lot easier to remember.

    25. Re:f!rstPo$t by Anonymous Coward · · Score: 0

      Passwords aren't supposed to be user friendly. They're supposed to be secure!

      to a human filename is the same as Filename and FILENAME.

      B.S! They're all three different and if you can't see that you're blind.

      Case-insensitivity leads to crappy programming languages like Visual Basic. It makes it difficult if not impossible to understand what the original author of a program meant if they use "myField", "mYField" and "MyFiElD" or various incarnations throughout the code. It makes programmers lazy and complicates code.

    26. Re:f!rstPo$t by lucm · · Score: 1

      Linux distros, pure crap, unless you mean Slackware. Full of cargo-cult programmers who think they're cool because they're not using Windows. Crap is crap no matter what OS they're using, they just get to circle jerk with a bunch of other yuppies who think they're awesome for hating on M$.

      Yeah those people are not as sophisticated as those who think they're awesome for hating on M$ AND Linux. Clearly the more O/S you hate, the more awesome you are. That's why I hate Windows, Linux and *BSD. I prefer OpenVMS, which is not perfect but those people are a lot more mature and realistic.

      --
      lucm, indeed.
    27. Re:f!rstPo$t by lucm · · Score: 1

      I'm a C# coder

      That explains a lot.

      Oh I see, it's funny because you imply that being a C# coder is bad! Good one!

      --
      lucm, indeed.
    28. Re:f!rstPo$t by Anonymous Coward · · Score: 0

      I'm a C# coder

      That explains a lot.

      Oh I see, it's funny because you imply that being a C# coder is bad! Good one!

      And you missed that, too.

      GP post pointed out that you're being a C# coder is what allowed you to get away with believing case-sensitivity is extraneous.

      Or maybe you and Jack do jack off horses.

    29. Re: f!rstPo$t by Anonymous Coward · · Score: 0

      Interesting how you said you're a "coder" instead of "programmer," which implies that you're just a code monkey instead of actually thinking and designing software, like a programmer does. Makes sense though because there's no way you could be any better than mediocre with computers if you can't stand case sensitivity. It's a basic underpinning of how computers work.

    30. Re:f!rstPo$t by Anonymous Coward · · Score: 1

      There are plenty of sites that require at least one uppercase letter in a password. And others that require at least one number. And others that require a non-alphanumeric 'special' character "()(*&^%$#@!". And others that do not ALLOW a non-alphanumeric character. And in some technological backwater there are probably sites that require ONLY uppercase or ONLY lowercase. The result is conflicting requirements that make it much harder for people to create and remember strong, long passwords.

      If every site allowed a password like "MyPasswordOnSlashdotIsUnicornDroppings", it would be easy for people to have a mental system in place to create strong, unique passwords for every site. Autocorrect would help usability here, but would still not make a dictionary attack feasible when there are 7 or 8 dictionary words strung together.

      Yes I know some people think XKCD is wrong and everybody should be using random passwords and a password manager, but personally I think A) they are full of shit, mainly because cross-device password manager usability sucks (especially when you're unwilling to trust your passwords to a cloud service, as I am), and B) that's just never going to happen anyway - people aren't going to switch to password managers en-masse ever.

    31. Re:f!rstPo$t by Anonymous Coward · · Score: 1

      With salted and hashed passwords it would need to be the client generating the auto-corrected versions.

      That is not correct.

      There is already code on the server that generates a hash from the user input, in order to compare the new hash against the stored version. That's the code that would generate hashes from the auto-corrected variants as well.

    32. Re:f!rstPo$t by Anonymous Coward · · Score: 0

      If your password is 7 or 8 dictionary words strung together, no brute force dictionary search is going to find it in a practical time. Not today and perhaps not in the next 2 or 3 decades.

    33. Re:f!rstPo$t by Anonymous Coward · · Score: 0

      Also the most insecure passwords are already lowercase only.

      SO REQUIRE THE PASSWORDS TO BE ALL CAPS?
      GEE, DO I NEED TO DO ALL THE THINKING HERE?

      (oh, AND THROW IN A FEW LOWERCASE LETTERS, JUST TO PLEASE THE /. COMMENT AUTOCORRECTOR)

    34. Re:f!rstPo$t by Zocalo · · Score: 1

      No, it's not four or five additional entries - that's just how many examples are given in the summary. The "extra characters" option blows that away since it could be *any* extra character, so unless you start getting clever with keyboard layouts and adjacent keys that could potentially mean almost any character on the keyboard, shifted, unshifted and so on. Technically though you could certainly have the server store all the acceptable hashes, which gets around the breakage of tools like Fail2Ban as you'd have to hit a valid match (including typo variants) within a much smaller number of retries, but that does nothing to fix the issue of a kiddie doing brute force attacks of common passwords as they could send "P@ssword" and still have all the auto-correct variations (whether it's just three/four, or thousands) tried in a single hit.

      --
      UNIX? They're not even circumcised! Savages!
    35. Re: f!rstPo$t by chispito · · Score: 3, Insightful

      There is nothing wrong with an all lower case password of an appropriate length.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    36. Re:f!rstPo$t by Ly4 · · Score: 3, Insightful

      Are you positing that the client creates the hash from the user password?

      That's not how it works. If the client generated the hash, then the hash would essentially become the password, and all of the benefits of hashing and salting would be lost.

      There's a pretty good discussion here about why hashing occurs on the server:
      http://security.stackexchange....

    37. Re:f!rstPo$t by DrXym · · Score: 1

      If you don't want case sensitivity then don't create passwords with mixed case. The purpose of course for mixed case is to increase the key strength for any given length of password.

    38. Re:f!rstPo$t by EmeraldBot · · Score: 2

      There are plenty of sites that require at least one uppercase letter in a password. And others that require at least one number. And others that require a non-alphanumeric 'special' character "()(*&^%$#@!". And others that do not ALLOW a non-alphanumeric character. And in some technological backwater there are probably sites that require ONLY uppercase or ONLY lowercase. The result is conflicting requirements that make it much harder for people to create and remember strong, long passwords. If every site allowed a password like "MyPasswordOnSlashdotIsUnicornDroppings", it would be easy for people to have a mental system in place to create strong, unique passwords for every site. Autocorrect would help usability here, but would still not make a dictionary attack feasible when there are 7 or 8 dictionary words strung together. Yes I know some people think XKCD is wrong and everybody should be using random passwords and a password manager, but personally I think A) they are full of shit, mainly because cross-device password manager usability sucks (especially when you're unwilling to trust your passwords to a cloud service, as I am), and B) that's just never going to happen anyway - people aren't going to switch to password managers en-masse ever.

      No, they wouldn't. You seem to assume users have a set amount of effort they'll spend on a password, correct? That's a false assumption - because, most users will spend as little effort as possible. If FOOTBALL is the same as football, do you think they'll switch to something like "football12468;|"? No, they'll pick... football. But now, it's also Football. And fOotball. And FOOTBALL. Some limited forms of autocorrect don't really weaken security, but if we go to password case insensitivity, you are striking out a significant amount of work, and not only is cracking passwords quicker but it's more likely you'll have collisions (and yes, I know about salts, but many web developers don't).

      What we need to do is to educate people on why strong passwords are important - and recommend some simple tricks that really can add security with a trivial amount of overhead, such as maybe adding a single phrase to the end of them all, so they remember it as "password" + extra phrase. Another method is to try to remember a catchy made up sentence, XKCD style, and then add some special symbols at the end like $$$ or <3 or whatever to help defeat dictionary attacks, and you've got a reasonably secure password with little extra effort.

      --
      "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
    39. Re:f!rstPo$t by JustAnotherOldGuy · · Score: 1

      Ummm....having case-insensitive passwords is a Terribly Bad Idea(tm), which you'd realize if you'd thought about it for even a moment or two.

      So..."MyPaSwoRDsTrinG" should be equivalent to "mypasswordstring"? Really?

      What kind of head injury do you have??

      --
      Just cruising through this digital world at 33 1/3 rpm...
    40. Re:f!rstPo$t by pezpunk · · Score: 1

      your password is "Not today and perhaps not in the next 2 or 3 decades."? that's pretty good. not sure I would have posted it on the internet, though.

      --
      i could live a little longer in this prison
    41. Re:f!rstPo$t by Dragonslicer · · Score: 1

      That's all well and good if you have access to the original password and can apply the auto-correct algorithm to see if what was entered is good enough, but how is that supposed to work if you are taking password security seriously and using salted and hashed passwords?

      If you don't have access to the password that the user entered, how do you check their password at all?

    42. Re:f!rstPo$t by Anonymous Coward · · Score: 0

      Ummm....having case-insensitive passwords is a Terribly Bad Idea(tm), which you'd realize if you'd thought about it for even a moment or two.

      So..."MyPaSwoRDsTrinG" should be equivalent to "mypasswordstring"? Really?

      What kind of head injury do you have??

      Can't break what don't work in the first place...

    43. Re:f!rstPo$t by dpidcoe · · Score: 1

      No, they wouldn't. You seem to assume users have a set amount of effort they'll spend on a password, correct? That's a false assumption - because, most users will spend as little effort as possible.

      You seem to assume that users will have a choice in the matter. I would expect that any site implementing a password autocorrect feature would also increase the minimum length to something significantly over 8 characters so as to prevent usage of single words as passwords.

    44. Re:f!rstPo$t by EmeraldBot · · Score: 2

      No, they wouldn't. You seem to assume users have a set amount of effort they'll spend on a password, correct? That's a false assumption - because, most users will spend as little effort as possible.

      You seem to assume that users will have a choice in the matter. I would expect that any site implementing a password autocorrect feature would also increase the minimum length to something significantly over 8 characters so as to prevent usage of single words as passwords.

      Ahhh... but if the only requirement is length, you don't think we'll see "passwordpasswordpassword" become popular?

      --
      "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
    45. Re: f!rstPo$t by Anonymous Coward · · Score: 0

      OpenVMS? What are you, some kind of hipster? Carrier pigeons, it's the only secure way to go. The bad part is, it takes them so long to send and return, but I'm no Luddite so I put up with it.

      Get off my lawn.

    46. Re:f!rstPo$t by Anonymous Coward · · Score: 0

      It prevents brute forcing the account from a bot net which is a far bigger risk. There currently isn't any malware that goes around locking people's accounts until they pay up. Of course now there probably will be. Thanks for that.

    47. Re:f!rstPo$t by Anonymous Coward · · Score: 0

      Forget that, get a better IDE that color codes your different variable types and then use names that are easy to type and make the code readable.

    48. Re:f!rstPo$t by Anonymous Coward · · Score: 0

      Non sequitur. That won't stop people from using short passwords or writing them down; the only people it will affect are those who already use mixed case in their passwords, and the only effect it will have is reducing security. People who use 'password' or 'iloveyou' or 'hunter2' are not even going to notice.

    49. Re:f!rstPo$t by TuringTest · · Score: 1

      >Yes, because that makes passwords more user-friendly

      That is nothing but an assumption on your part.

      What, that accepting a correctly-typed password will be more welcoming than rejecting it because of a system mode error? I have empirical evidence for all the times my password has been rejected by typing it with Caps Lock enabled.

      Heck, the Windows login screen had to include a warning for Caps Lock due to all the users failing because of it.

      --
      Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
    50. Re:f!rstPo$t by TuringTest · · Score: 1

      That's bullshit, because you already CAN use lowercase passwords, but you do not need to.

      You don't understand the problem. Having a lowercase password won't help you when you happen to type it with Caps Lock enabled.

      Not that it prevented you from posting an inflammatory post.

      --
      Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
    51. Re:f!rstPo$t by TuringTest · · Score: 1

      Ahhh... but if the only requirement is length, you don't think we'll see "passwordpasswordpassword" become popular?

      So? That's not inherently less secure than the shorter PasswordPassword, even if the latter is caps-sensitive.

      --
      Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
    52. Re:f!rstPo$t by plover · · Score: 1

      So you'd create an Auto-Mistake generator based on common typos. The problem is that people make a LOT of different typos. PBKDF2 would be running until next week keeping up with all the variants on a single password.

      --
      John
    53. Re: f!rstPo$t by Anonymous Coward · · Score: 0

      There is nothing wrong with an all lower case password of an appropriate length.

      Sneaky bastard, for a second there I thought you had my actual password. It's super secure!

    54. Re:f!rstPo$t by Maxwell'sSilverLART · · Score: 1

      This would almost certainly require storing passwords with reversible encryption instead of a hash; how else can you check for "sufficient" similarity or dissimilarity without knowing the password? What algorithm would you use to determine "this character can be dropped, but that one can't?"

      --
      Moderate drunk! It's more fun that way!
    55. Re:f!rstPo$t by Anonymous Coward · · Score: 0

      So good luck if something ever happens and you don't have access to your regular IDE.

    56. Re: f!rstPo$t by Anonymous Coward · · Score: 0

      I think instead of "programmer" you mean "software developer."

    57. Re:f!rstPo$t by EmeraldBot · · Score: 1

      Ahhh... but if the only requirement is length, you don't think we'll see "passwordpasswordpassword" become popular?

      So? That's not inherently less secure than the shorter PasswordPassword, even if the latter is caps-sensitive.

      But it's not an improvement. If anything, it's worse, because it leads to a false sense of security. It's a much better use of effort to convince people why it's important, after which they'll naturally adopt strong passwords, as opposed to trying to force them into something they don't want to do.

      --
      "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
    58. Re:f!rstPo$t by coolsnowmen · · Score: 1

      Sure, but to brute force my account it would take millions of tries not 3. The limit is off by MANY orders of magnitude.

    59. Re:f!rstPo$t by Aighearach · · Score: 1

      You're redefining words like "correctly" to only match certain reduced values. Correct is normally understood to mean correct; not partially correct, or correct-except-for-details.

    60. Re:f!rstPo$t by michelcolman · · Score: 1

      User enters "password]"

      Does the hash for "password]" match? Nope
      Does the hash for "password" match? Yes, access granted.

      No need to reverse the hash.

      Note that that is not the approach taken in the paper; theirs is quite a bit more complicated.
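      The two points michelcolman makes (in the earlier post, try only simpler variants and never more complex ones, and count a repeated wrong password once; in this post, hash each candidate and compare, with no need to reverse the hash), put into working code as an added example that is not from the thread or from the paper. Everything here is the example's own assumption: the corrector set follows the three typo classes in the summary (Caps Lock, accidental leading capital, a stray character at either end), PBKDF2-HMAC-SHA256 with a deliberately low iteration count stands in for the site's real hash, and the evaluation counter makes plover's cost concern visible.

```python
import hashlib
import hmac
import math
import os

# Assumed iteration count for the example; production would use far more.
ITERATIONS = 10_000


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of one candidate string, as computed on the server."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str, salt: bytes = b"") -> dict:
    """Store only salt and hash; the password itself is never kept."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "hash": derive(password, salt)}


# Simplifying correctors only: each maps the typed string to a *less* complex one,
# never to a more complex one, so "passWord" can never be accepted for "passWord]".
def swap_case_all(p: str) -> str:
    return p.swapcase()            # Caps Lock was on

def lower_first(p: str) -> str:
    return p[:1].lower() + p[1:]   # accidental capital on the first letter

def drop_last(p: str) -> str:
    return p[:-1]                  # stray character appended

def drop_first(p: str) -> str:
    return p[1:]                   # stray character prepended


CORRECTORS = [
    ("exact", lambda p: p),
    ("swap_case_all", swap_case_all),
    ("lower_first", lower_first),
    ("drop_last", drop_last),
    ("drop_first", drop_first),
]


def candidates(typed: str) -> list:
    """Exact input first, then each corrector's output; empty and duplicate strings are skipped."""
    out = []
    for name, fn in CORRECTORS:
        cand = fn(typed)
        if cand and all(cand != s for _, s in out):
            out.append((name, cand))
    return out


def check(record: dict, typed: str) -> tuple:
    """Return (accepted, name of the corrector that matched or "", PBKDF2 evaluations).

    The evaluation count is the cost plover raises: every extra candidate is one more
    full PBKDF2 run on the server for a single login attempt.
    """
    evaluations = 0
    for name, cand in candidates(typed):
        evaluations += 1
        if hmac.compare_digest(derive(cand, record["salt"]), record["hash"]):
            return True, name, evaluations
    return False, "", evaluations


def guessing_loss_bits(typed: str) -> float:
    """Upper bound on what one online guess gains under this policy: log2(#distinct candidates)."""
    return math.log2(max(1, len(candidates(typed))))


class LockoutCounter:
    """Failed-login counter that counts repeated submissions of the same wrong password
    only once, as michelcolman suggests. Digests live in memory only, per account."""

    def __init__(self, limit: int = 3) -> None:
        self.limit = limit
        self._wrong = {}

    def record_failure(self, account: str, typed: str) -> int:
        digest = hashlib.sha256(typed.encode("utf-8")).digest()
        self._wrong.setdefault(account, set()).add(digest)
        return len(self._wrong[account])

    def locked(self, account: str) -> bool:
        return len(self._wrong.get(account, ())) >= self.limit


if __name__ == "__main__":
    rec = enroll("password", salt=b"\x00" * 16)  # constructed fixed salt for a repeatable demo
    for typed in ["password", "Password", "PASSWORD", "password]", "xpassword", "passwor"]:
        print(typed, check(rec, typed))
    print("passWord vs passWord]:", check(enroll("passWord]", b"\x00" * 16), "passWord"))
    print("bits conceded for 'Password':", round(guessing_loss_bits("Password"), 2))
```

With stored "password", the typed strings "Password", "PASSWORD", "password]" and "xpassword" are accepted (at two to four hash evaluations each) while "passwor" is not; with stored "passWord]", neither "passWord" nor "password]" gets in, exactly as the earlier post requires.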

    61. Re:f!rstPo$t by skids · · Score: 1

      But that's not how the secure password systems these days work. The ones that are worth their salt (no pun intended) never actually send a password to the remote host. They use the password to create a crypt which the remote server can re-create using what it knows of the password. The only way to actually do this sort of "auto-correction" is to make multiple actual attempts against the auth server. The auth server cannot tell whether these attempts are auto-correct attempts, or someone trying to brute force the password, because it cannot see that "oh that's the right password just with capslock on", all it sees is "0xa1362356322bcba173823cd1763726372323d != 0xf563782893287facde". So you have to decrease the security because the auth server has to be told to allow more bad authentications before it starts tar-pitting or locking the account.

      (Still waiting for XKCD to do a Venn diagram of "things you should not use as passwords" against "things banks ask you for security questions")

    62. Re:f!rstPo$t by michelcolman · · Score: 1

      You have a point there.

    63. Re: f!rstPo$t by Anonymous Coward · · Score: 0

      Did you even read what the other ACs said? I will quote it again, for your convenience.

      See the optional part in that sentence?

      That's why it's not gonna happen.

      Your lower case password may be secure. Your users will not be.

    64. Re:f!rstPo$t by lgw · · Score: 1

      TFA didn't suggest case-insensitive, but rather "caps lock on" and "first letter unintentionally capitalized". That costs 2 bits of password entropy, not bad.

      But really, case insensitive doesn't cost you that many bits of entropy for most passwords.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    65. Re: f!rstPo$t by Anonymous Coward · · Score: 0

      "coder" may mean that his heart keeps stopping. A side effect would be loss of brain function during these times.

    66. Re: f!rstPo$t by lucm · · Score: 1

      I wonder if the NSA can snoop on carrier pigeon traffic.

      --
      lucm, indeed.
    67. Re:f!rstPo$t by Anonymous Coward · · Score: 0

      There are systems such as SRP that never send the password to the server, don't lose the benefits of hashing, is salted, and don't allow impersonation of the user elsewhere if server is broken into (since the server isn't even keeping a hash of the password)

    68. Re:f!rstPo$t by TuringTest · · Score: 1

      If my fingers produce the exact sequence of key presses that constitute my password, how is that sequence not correct?

      --
      Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
    69. Re:f!rstPo$t by TuringTest · · Score: 1

      People will never "naturally adopt strong passwords", and pretending that "they will, if only technicians bother them sufficiently" is the main reason why security by passwords is the clusterfuck that it is.

      Designing the security system around the behavior of its users is the proper way to do it, rather than forcing users to adopt the behavior requirements of a bad system.

      In the meantime, I welcome any attempt to make the life of password users less miserable. The password system is NOT secure as commonly implemented throughout the IT systems of the world, so we might as well make it more forgiving, until we get to replace it by something better.

      --
      Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
    70. Re:f!rstPo$t by Ly4 · · Score: 1

      Ahh - good point. I spend my time worrying about authenticating users using web browsers, so I haven't used any of the zero-knowledge protocols. Maybe some day things like SRP will become commonly available in the web world, but I'm not holding my breath ...

    71. Re:f!rstPo$t by allo · · Score: 1

      > would also increase the minimum length to something significantly over 8 characters so as to prevent usage of single words as passwords
      how long?

      Come for a visit to Germany and meet the Donaudampfschifffahrtskapitaen.

    72. Re:f!rstPo$t by allo · · Score: 1

      YOU don't understand. But thank you for flaming.

      The point is, you should not make passwords case insensitive, but you should not force upper case letters either. Because you would rule out all all-lowercase passwords, thus making the set of possible passwords smaller.

      And for caps lock there is an easier solution: show the user an indicator (or fully ignore the capslock). The indicator has some advantage, when the user uses caps lock on purpose.

    73. Re:f!rstPo$t by dpidcoe · · Score: 1

      Designing the security system around the behavior of its users is the proper way to do it, rather than forcing users to adopt the behavior requirements of a bad system.

      Too many security people don't understand this. Obviously there are degrees of compromise, but I've seen way too many instances of security needlessly hassling people to the extent that they circumvent it in a manner that's even more unsafe.

    74. Re:f!rstPo$t by TuringTest · · Score: 1

      Showing the indicator is almost useless, as proven by the Windows login dialog; people typing either from muscle memory or hunt-and-peck will most of the time ignore it until it's too late.

      Ignoring the capslock is a much better strategy, and it outweighs the marginal benefit of easing out an ALL CAPS password (which is not much better than an all lowercase one).

      --
      Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
    75. Re:f!rstPo$t by TuringTest · · Score: 1

      Then they are not good security people. The weakest link in security is most often the human element; if you don't understand humans well, it's impossible to build a secure system, no matter how much of a cryptographer wizard you are. How good is the best encryption scheme if its user is socially engineered to unlock it for you?

      --
      Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
    76. Re:f!rstPo$t by allo · · Score: 1

      I guess ignoring caps lock (or showing indicator) will not work for web pages. OTOH, how often does it happen? Then the people type in the password a second time, so what.

    77. Re:f!rstPo$t by TuringTest · · Score: 1

      Then the people type in the password a second time, so what.

      You've never heard about death by a thousand papercuts?

      Every single misstep caused by a user interface makes people mistrust technology; and the effects are cumulative. This carelessness by developers is what makes end users badmouth tech and think it's too complicated.

      --
      Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
    78. Re:f!rstPo$t by Aighearach · · Score: 1

      No, here you use the word "exact" but you left out the equivocation. Here, you're completely wrong. Above, you were wrong because you were using a non-standard value of the word "correct." Here, with the bare unaltered word, you're just being a tool.

      Now you're wrong about what "exact" means and what "correct" means.

      If you type exactly the same thing 2 times, they're the same. If you change a "system mode" that determines the value of the keys pressed, and then press the same keys, then you typed something different. And indeed, you even press a key to change that system mode, so it isn't even the same keys pressed.

      You try to play semantic games with the words, but you have to choose words within your vocabulary for that to work.

    79. Re:f!rstPo$t by BranMan · · Score: 1

      So, basically getting rid of uppercase letters essentially shortens your effective password by 2 letters? OK, makes sense.

      On the subject of dictionary based sequences of words - how much entropy would be added if you deliberately misspelled one of the words in the password phrase? Would you get the entire sequence of characters for entropy in that case - 26^42 in your example, since the codebreaker would have to go back to fully brute force? (I get 2 x 10^59)

  2. "user frustrations" by Anonymous Coward · · Score: 0

    If common problems include Caps Lock being on and the first letter being capitalised, sounds like the user frustration is with the input device.

    We don't need more Clippy, "It looks like you're trying to enter a password - would you like some help with that?" Just make sure that it's obvious for the user how to do exactly what they want to do, and stop "helping" them. Artificial intelligence is almost always a hindrance. Hell, I spend more time correcting auto-correct than being corrected properly by it - it's more a source of amusement than a useful function. (Mind you, the first thing I do when installing a word processor is turn off live spellcheck - if I don't know how a word is spelled, I don't know whether I'm using the right word. If I am using the right word, it's useful to know how to spell it.)

    1. Re:"user frustrations" by lucm · · Score: 2

      If common problems include Caps Lock being on and the first letter being capitalised, sounds like the user frustration is with the input device.

      I have a coworker who is Caps Lock challenged, so I configured her computer to have that key behave like Shift. Life has been a lot easier for everyone since then.

      --
      lucm, indeed.
    2. Re:"user frustrations" by Anonymous Coward · · Score: 0

      If common problems include Caps Lock being on and the first letter being capitalised, sounds like the user frustration is with the input device.

      I have a coworker who is Caps Lock challenged, so I configured her computer to have that key behave like Shift. Life has been a lot easier for everyone since then.

      This may be one of the only known instances of using technology as a workaround* for human stupidity.

      * I wouldn't really call that a fix. A fix would involve learning a basic thing and then showing understanding of that basic thing. Perhaps showing her how easy it is to teach it to a small child would provide more motivation? I bet one of those sign language-using apes could also learn this. Years ago, did she also complain that her VCR wouldn't stop flashing 12:00?

    3. Re:"user frustrations" by Big+Hairy+Ian · · Score: 2

      I mistype passwords all the time due to manual dexterity issues (you try having a stroke). What they are suggesting sounds like a horrible kludge; the only functionality I'd like is to be able to select a few of the characters in my masked password and sneak a peek at just the selection.

      --
      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    4. Re:"user frustrations" by lucm · · Score: 1

      In a business context, leadership is all about leveraging people's strengths, not fixing their flaws. So when I have an opportunity to solve a problem quickly and get the resources focused on value-added tasks, I take it.

      --
      lucm, indeed.
  3. pwgen by Anonymous Coward · · Score: 1

    I just let pwgen generate my passwords. I basically use two: low sec (e.g. my login passwords) are eight characters, hi sec (hd and backup media encryption, ssh key passphrase, bank token) are 16 characters.

    I just generate one, i.e. I don't pick a "nice" one, so I'm out of the equation.

    I memorize them. I never use the same password twice.

    Seldom used passwords are in an encrypted file. Passwords I use frequently are just in my head. I don't even trust firefox with them (heck: I trust my browser with as little as possible).

    At first, memorizing a 16-length pwgen seemed hard. These days it just takes me about two days. In this time, I carry it on a little paper slip in my pocket (I'm especially vulnerable at these times, like a lobster changing its skin: I love this image :-)

  4. Fixing first characters would be nice by Anonymous Coward · · Score: 0

    I had a phone with a bad habit of prepending a space a lot of the time when you start typing in a field. Yes, it was terrible software and it shouldn't have existed, but you have to deal with what you're stuck with. It would have been nice to have something like this.

    Going to wait for smarter people to weigh in on what it actually means for security, but it always seems like bits of entropy isn't all that important compared to 1) preventing brute force with rate limiting, 2) enough complexity to avoid dictionary attacks while still keeping your rate limits non-punishing, and 3) at least a token effort to make things hard to keyboard surf.

    Captcha: twitter, where I just got compromised a few days ago. I probably reused a password from LinkedIn, and they probably let you log into Twitter by email address.

  5. Obligatory XKCD by Errol+backfiring · · Score: 1
    https://xkcd.com/936/

    It seems that all major research starts on XKCD...

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    1. Re:Obligatory XKCD by rebelwarlock · · Score: 1

      That's not even related to the article, except that they both have the word "password".

  6. Facebook does something like this by Anonymous Coward · · Score: 0

    I saw an article once talking about how Facebook stores both your hashed+salted password and its case-flipped version. So, leave capslock on and it'll match, for a pretty small loss of protection.

    1. Re:Facebook does something like this by arth1 · · Score: 2

      I saw an article once talking about how Facebook stores both your hashed+salted password and its case-flipped version. So, leave capslock on and it'll match, for a pretty small loss of protection.

      Pretty small? I would think that having two hashes from a reversible permutation of the plaintext can have a very significant impact on how easy it is to break.

  7. Keyboard layout by kubajz · · Score: 3, Interesting

    In my country, along with caps lock, many people will switch between local and English keyboard layout so instead of 123 they will type ÄÅÄ. Another one back home is qwertz versus qwerty. I wish someone had implemented this a long time ago along with the 'caps lock ignore' feature. By the way, it is quite unlike case insensitivity because you just accept two versions - Password and pASSWORD - pAsswOrd would not be accepted. That actually still keeps the security pretty high I would say, with a decrease of the search space to one half of the original for each 'forgot to switch' factor.
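    Putting together michelcolman's sketch in comment 60 (hash the typed password, then hash a few corrected variants against the same stored hash), lgw's entropy estimate in comment 64 and the keyboard-layout point above, here is an added example of such a checker in Python. It is not code from the paper or from any poster. It assumes PBKDF2 from the standard library with a constructed salt and iteration count, implements the caps-lock, first-letter and added-edge-character corrections the summary describes (only the "extra character typed" direction), and goes one step beyond the thread by adding a qwertz/qwerty y-z swap as a further corrector; `coverage_bits` is my own name for the log2 of how many passwords one attacker submission can match, which is the quantity lgw's "2 bits" refers to.

```python
"""Typo-tolerant password verification: one stored hash, a small fixed set
of corrected variants hashed at login time. Added example; all sample
passwords, the salt and the iteration count are constructed for the demo."""
import hashlib
import hmac
import math
import os

ITERATIONS = 50_000  # constructed; production deployments tune this higher


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(password):
    """Store exactly one salted hash, never hashes of the variants (arth1's concern)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Correctors: each maps the typed string to one thing the user may have meant.
def swap_case_all(s):
    return s.swapcase()                     # caps lock was on


def swap_case_first(s):
    return s[:1].swapcase() + s[1:]         # first letter auto-capitalised


def drop_first(s):
    return s[1:]                            # stray character before the password


def drop_last(s):
    return s[:-1]                           # stray character after the password


_QWERTZ = str.maketrans("yzYZ", "zyZY")


def swap_yz(s):
    return s.translate(_QWERTZ)             # qwerty vs qwertz layout mix-up (assumption)


CORRECTORS = [swap_case_all, swap_case_first, drop_first, drop_last, swap_yz]


def candidates(typed, correctors=CORRECTORS):
    """The typed string first, then each corrector's output, de-duplicated."""
    seen = {typed: None}
    for fix in correctors:
        c = fix(typed)
        if c and c not in seen:
            seen[c] = None
    return list(seen)


def verify(record, typed):
    """Return (accepted, candidate that matched or None). Every candidate is
    hashed even after a match so the work done does not depend on which one hit."""
    matched = None
    for cand in candidates(typed):
        if hmac.compare_digest(hash_password(cand, record["salt"]), record["hash"]):
            if matched is None:
                matched = cand
    return matched is not None, matched


def coverage_bits(guess, correctors=CORRECTORS):
    """Upper bound on the entropy given up: one submission is accepted if any of
    its candidates equals the real password, so it covers len(candidates) guesses."""
    return math.log2(len(candidates(guess, correctors)))


if __name__ == "__main__":
    rec = register("Password1")                      # constructed sample password
    for attempt in ["pASSWORD1", "password1", "Password1]", "PASSWORD1", "pAsswOrd1"]:
        print(attempt, verify(rec, attempt))
    print("bits covered per guess, all correctors:", round(coverage_bits("Password1"), 2))
    print("bits covered, case fixes only:",
          round(coverage_bits("Password1", [swap_case_all, swap_case_first]), 2))
```

    With only the two case correctors a guess covers three passwords, about 1.58 bits, which is the figure lgw rounds to 2; with all five correctors it is five candidates, about 2.32 bits. The check above still rejects "pAsswOrd1" for a stored "Password1", matching the observation that this is not case-insensitivity. Because the server does the correcting, it must be told that a login which succeeded through a corrector is a single successful attempt, not several failed ones, or the lockout counters skids describes in comment 61 will trip on honest users.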

    1. Re:Keyboard layout by _merlin · · Score: 1

      That's not how caps lock works on a Mac for example. On a Mac Caps-Shift-A will produce capital A as well (shift doesn't negate caps lock on letters).

  8. Transition period by jenningsthecat · · Score: 1

    If this ever starts to take hold it might really screw up those people who use the same password in multiple places. If I use a password frequently in a place where autocorrect is implemented, I might re-memorize the password incorrectly both in mind and in muscle memory. Then, when I enter the 'same' password in the place where I use it less frequently, and where autocorrect isn't implemented... OOPS!

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    1. Re:Transition period by Anonymous Coward · · Score: 0

      So don't reuse your passwords!

  9. Stupid by SuperDre · · Score: 2

    So instead of just making sure the user learns from the bad input, we'll just let them go ahead.. Sorry, but to me it's just stupid, yes it might be annoying at times, but if it happens a lot, then you might want to consider fixing the problem yourself and not let a system help you with your own faults during entering the password.. If the capslock is on, just tell the user the capslock is on, not help them circumvent it..

  10. No, it's the goddamned asterisks! by Applehu+Akbar · · Score: 4, Insightful

    Instead of weakening passwords by assuming that some combinations are errors, let's fix the main cause of password typos, the masked entry field.

    Think back on the last hundred times you logged into something with a password. Other than at the ATM, in how many of these cases could someone have been looking over your shoulder? The only times when you need a masked field is when you're standing at a dedicated device with people lined up behind you. On computers, a 'mask this password' checkbox option will cover that occasional instance when you're in a public environment.

    1. Re:No, it's the goddamned asterisks! by Anonymous Coward · · Score: 0

      As a practicing Muslim, I take offense to your damning of Allah in the subject line. No virgins for you.

    2. Re:No, it's the goddamned asterisks! by Anonymous Coward · · Score: 1

      The only times when you need a masked field is when you're standing at a dedicated device with people lined up behind you. On computers, a 'mask this password' checkbox option will cover that occasional instance when you're in a public environment.

      No, the reason you mask the password is to prevent the chance of a malicious third-party seeing it. Just because there's no one standing behind you at the time, doesn't mean that someone or something isn't monitoring your screen / device. A camera planted discreetly could take photos or video of your screen. The machine itself might have been compromised to take screenshots. The "display password" toggle to remove the asterisks is a better idea.

      Back to the topic: is it me or is correcting password typos akin to saying, "Well, you almost had it right, I'll let you in anyway." Which is a bit like the lock on the front door of your accepting a badly cut key, because it's mostly the same. If it's not 100% correct, it should fail.

    3. Re:No, it's the goddamned asterisks! by Anonymous Coward · · Score: 0

      That's a client-side approach, so it's off topic. If you are certain nobody will ever look over your shoulder because you don't receive visitors in your cave, you can just use a browser that doesn't mask passwords, or use a password unmask application.

    4. Re:No, it's the goddamned asterisks! by Anonymous Coward · · Score: 0

      >Just because there's no one standing behind you at the time, doesn't mean that someone or something isn't monitoring your screen / device

      This third party, they have such deep access to your PC they can monitor your screen, but they are unable to monitor keystrokes?

      How does that work?

    5. Re:No, it's the goddamned asterisks! by Applehu+Akbar · · Score: 1

      As a practicing Muslim, I take offense to your damning of Allah in the subject line. No virgins for you.

      That particular dhow sailed a long time ago.

    6. Re: No, it's the goddamned asterisks! by Anonymous Coward · · Score: 0

      My Windows computers have let me peek at password fields for years.

    7. Re:No, it's the goddamned asterisks! by Applehu+Akbar · · Score: 2

      "Just because there's no one standing behind you at the time, doesn't mean that someone or something isn't monitoring your screen / device."

      The cheapest and most likely way for the bad guys to capture logins is with a keylogger, against which masking is useless.

    8. Re:No, it's the goddamned asterisks! by ray-auch · · Score: 2

      Why not simply have a button/control/shortcut/whatever that briefly _shows_ the masked password - that way the default is safe and you can check for shoulder surfers before you make it unsafe, but you have the ability to check the password if you are unsure about your typing.

      Simple, easy, helpful, safe-by-default.

      And also, already there on anything from phones to desktops (std disclaimer: your chosen OS may vary)

    9. Re:No, it's the goddamned asterisks! by Culture20 · · Score: 1

      They walk into your cubicle silently as you type, and you're not allowed to face the screen away from the opening because of some middle-management power play. I have an office with a door, and I close it when I need to read confidential stuff on the screen. Thankfully no windows (but unfortunately, one Windows).

    10. Re:No, it's the goddamned asterisks! by Anonymous Coward · · Score: 0

      If someone has a keylogger it's game over and nothing else matters anyway.

    11. Re:No, it's the goddamned asterisks! by pezpunk · · Score: 1

      sure, and I do use a demasker, but that's beside the point. The complaint is that the field mask has negligible security benefit and is really there mainly for the illusion of security for the user. It makes them feel good but does practically nothing to protect their password from being stolen, while it does in fact create significant issues -- most people are far more prone to typos if they can't see the text they're typing, which then leads to this kind of ridiculous autocorrect idea for password fields. if we got rid of the mandatory password field mask, i suspect we'd eliminate any demand for password autocorrect.

      --
      i could live a little longer in this prison
    12. Re:No, it's the goddamned asterisks! by Anonymous Coward · · Score: 0

      At work I have had several instances where someone is on a webex and enters their password.

      That is a HUGE 'over the shoulder' issue.

    13. Re:No, it's the goddamned asterisks! by Anonymous Coward · · Score: 0

      Lowercase g: non-specific. What do you suppose Applehu Akbar's religion is? Hint: it's not Islam.

    14. Re:No, it's the goddamned asterisks! by Anonymous Coward · · Score: 0

      TEMPEST is an old attack, and although modern hardware may emit weaker signals, the technology to detect the signals has improved too.

  11. Or just a notice if capslock is on by Anonymous Coward · · Score: 0

    Can be done easily in many languages and doesn't reduce security like this would.

  12. Awesome by Anonymous Coward · · Score: 0

    It's annoying when I type too fast and punch in 12346 and I have to retype my password.

  13. Simple tests by Anonymous Coward · · Score: 0

    Testing and displaying the status of caps lock is a generally good idea, as long as it is done unintrusively (some people DO use caps lock). I do also like trimming password strings off their leading or trailing spaces. The rest... Well, if some javascript shit starts reading a password, it is just so easy to send it wherever...

  14. no typos = password is too easy by Anonymous Coward · · Score: 0

    What surprises *me* is that typos aren't measured as a marker of password complexity. I expect that one day I'll log in to a dialog that says:

    "You've only entered an incorrect password once this month; your password is obviously not hard enough. You have to change it."

  15. Not "typo-tolerant passwords" by Anonymous Coward · · Score: 0

    They are not proposing a special class of passwords, but a login system that fuzzes the submitted password and checks the hashes of a small number of variants. This seems safe.

    But what does this mean:

    Facebook already has such scheme in place where it corrects capitalization errors on password submissions.

    Is Facebook really comparing passwords in cleartext, instead of hashed? Because I don't see how they could "correct capitalization errors" in a hash. The server-side logic should never know the cleartext password. Ideally (but the web is not there yet) a password should never even be transmitted in cleartext.

  16. Favorite password by Scarred+Intellect · · Score: 1

    TRIGGER WARNING: Anecdotal evidence

    One of my favorite passwords was based on the word wizard. I didn't often type z's, let alone x's...I set up a new Linux box and my root account (before all this safe don't-ever-use-root-use-sudo bullshit). Trying to log on to my system the first time, I couldn't get the password right no matter how careful I was.

    Finally, I decided to type it quickly and see what "muscle memory" did. wixard.

    Ahh! There it was, a simple typo (I had to type it at the prompt to see what the text actually came out to be), but made my "wizard130" intended password a little bit stronger: "wixard130". Not much, but a bit. Me and a buddy used variations on that for years. I still use it on some of my offline Linux boxes because that's one that I'll never forget.

    Autocorrect be damned; let the users mess up their own shit and quit automatically fixing stupid.

    1. Re:Favorite password by Anonymous Coward · · Score: 0

      Did you then put on your wizard robe and ....

  17. False Entropy by Anonymous Coward · · Score: 0

    The problem here is people are making the assumption that entropy exists where it doesn't. Is a capital letter required in your password? That should almost double the possible combinations per letter of password, right? However, if 99% of people will make it the first letter and only the first letter, suddenly you've gained almost nothing.

    1. Re:False Entropy by Guybrush_T · · Score: 1

      You have gained exactly nothing if the Capital first letter is enforced by the password policy.

      Those password policies drive me crazy. They make no sense from the average user perspective, only to the CIO that can say "see, we're very annoying with our password policy, so that makes us very secure". And if anyone chooses Password1! as a password, it is their fault !!

  18. Shoulder surfing by Anonymous Coward · · Score: 0

    Congratulations, you just made shoulder surfing even easier.

  19. Watchmen by Quirkz · · Score: 2

    Computer: > Password
    User: > Rameses
    Computer: > Uh, you want to tack on anything there buddy?
    User: > 2?
    Computer: > Come on in

    1. Re:Watchmen by pezpunk · · Score: 1

      haha, yeah. to be fair it was written in 1986 ... but yeah that scene is beyond ridiculous, even by 80s computer depiction standards.

      for those who don't know what we're talking about -- http://i.stack.imgur.com/LgT6s...

      --
      i could live a little longer in this prison
  20. Security questions by jdavidb · · Score: 1

    Maybe they can apply this to those terrible security questions. Was my high school mascot the Cardinals or the Red Cardinals? Which one did I type when I was first asked this question, because we used to call ourselves both when I was in school. And did I capitalize it? And did I pluralize it? I got locked out of an important system because of this, and it was a system that didn't need that level of security.

    1. Re:Security questions by Anonymous Coward · · Score: 0

      And are all the limited choices of "secret questions" something that could be easily found via 5 minutes on Google

    2. Re:Security questions by cwsumner · · Score: 1

      And are all the limited choices of "secret questions" something that could be easily found via 5 minutes on Google

      Um ... you know you are supposed to lie, right? ;-)

  21. Dropbox = optional passwords by matt_j_99 · · Score: 1

    Given that Dropbox has previously considered passwords to be optional, I'm not convinced that Dropbox engineers add much credibility to this research.

    http://techcrunch.com/2011/06/...

    And how are they hashing the passwords if they are allowing for typos?

  22. Experience with millions: trim spaces, warn caploc by raymorris · · Score: 4, Interesting

    I spent 15 years developing a log in and security system used by about 80,000 web sites, and have had the opportunity to analyze millions of log in attempts. Based on that experience, here's what I do. People copy-paste user names and passwords and when they do, they get extraneous spaces at the beginning and end. So we trim spaces from the beginning and end (not the middle).

    Some people use caps lock when they set their password, but most don't, so we show a big warning message if caps lock is on. Later, gdm (the Linux log in) started doing the same.

  23. Fun story... by Junta · · Score: 1

    20 years ago I was working on a SunOS setup, and we would periodically crack our own users passwords to let them know when they were vulnerable.

    I don't recall the specifics, but one user was failing with something like 'Password'. The user was befuddled because they swore they used much longer passwords with a bunch of hardening tacked on the end. They had been dutifully typing the 20 character password they had selected, not knowing the SunOS system at the time would truncate to 8 and check only that.

    Anyway, the discussion around 'helpfully' automatically helping users have an easier password reminded me of that. Our systems were 'helpfully' allowing users to mess up things after the first 8.

    --
    XML is like violence. If it doesn't solve the problem, use more.
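    The SunOS truncation Junta describes is easy to test for from the outside, which is worth doing against any legacy backend before trusting its password length limits. The following is an added example in Python, not SunOS code or anything from the thread: `LegacyStore` is a constructed stand-in that hashes only the first 8 characters (the behaviour of traditional DES-based crypt), `ModernStore` hashes the whole string, and `truncation_limit` probes a store by registering a long password and checking whether changing one character at a time is still accepted.

```python
"""Probe a password backend for silent truncation. Added example; both stores
are constructed stand-ins, and the probe account name is a placeholder."""
import hashlib
import hmac
import os


def _digest(password, salt):
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


class LegacyStore:
    """Constructed: keeps only the first LIMIT characters, like old crypt(3)."""
    LIMIT = 8

    def __init__(self):
        self.db = {}

    def set_password(self, user, password):
        salt = os.urandom(8)
        self.db[user] = (salt, _digest(password[:self.LIMIT], salt))

    def check(self, user, password):
        salt, stored = self.db[user]
        return hmac.compare_digest(_digest(password[:self.LIMIT], salt), stored)


class ModernStore(LegacyStore):
    """Same store with no limit: password[:None] is the whole string."""
    LIMIT = None


def truncation_limit(store, probe_user="probe-account", length=64):
    """Register a long password, then flip one character at each position.
    The first position whose change is still accepted is the number of
    characters the backend actually looks at; None means no truncation found."""
    base = "".join(chr(ord("A") + k % 26) for k in range(length))
    store.set_password(probe_user, base)
    for i in range(length):
        mutated = base[:i] + "x" + base[i + 1:]      # lowercase never equals base[i]
        if store.check(probe_user, mutated):
            return i
    return None


if __name__ == "__main__":
    print("legacy store looks at", truncation_limit(LegacyStore()), "characters")
    print("modern store truncation:", truncation_limit(ModernStore()))
```

    The probe needs only register and login access, so it can run as a routine check in a test environment; a non-None result means the password policy's minimum length is the real maximum and users past that point are, as Junta puts it, being allowed to mess up the rest.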
    1. Re:Fun story... by cwsumner · · Score: 1

      A lot of systems have old habits from back in the 1970's, like short passwords.

      But if the new versions allow 120 characters for just the first name, I think they could afford a longer password and hash. 8-P

  24. IP lockout + CGNAT = DoS by tepples · · Score: 1

    (Locking out the IP address is another matter in most cases).

    That still allows a bad actor behind a carrier-grade network address translation (CGNAT) to DoS a hundred legitimate users behind the same CGNAT. And with IPv4 address exhaustion, many mobile ISPs and ISPs in late-developed countries have deployed CGNAT so that the Internet can have more than 4.2 billion users.
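    The collateral damage tepples describes can be shown with a small simulation. This is an added example in Python, not code from any poster: three lockout policies keyed on the source IP, on the account, and on the (IP, account) pair, all with the same failure threshold, run against a constructed scenario in which one bad actor behind a shared CGNAT address (203.0.113.7, a documentation address) makes 20 wrong guesses at one account and then a hundred legitimate users behind the same address, plus the targeted user from a second address, try their correct passwords.

```python
"""Lockout policy comparison under carrier-grade NAT. Added example; user
names, addresses and attempt counts are constructed for the demo."""
from collections import defaultdict

MAX_FAILURES = 5   # constructed threshold; the comparison holds for any value


class _Lockout:
    """Counts failures per key and refuses attempts once the key hits the limit."""

    def __init__(self):
        self.failures = defaultdict(int)

    def key(self, ip, user):
        raise NotImplementedError

    def allowed(self, ip, user):
        return self.failures[self.key(ip, user)] < MAX_FAILURES

    def record_failure(self, ip, user):
        self.failures[self.key(ip, user)] += 1


class PerIpLockout(_Lockout):
    def key(self, ip, user):
        return ip                    # everyone behind the NAT shares this key


class PerAccountLockout(_Lockout):
    def key(self, ip, user):
        return user                  # attacker can lock a chosen account from anywhere


class PerPairLockout(_Lockout):
    def key(self, ip, user):
        return (ip, user)            # only that account from that address is affected


def simulate(policy):
    nat_ip = "203.0.113.7"           # constructed: one CGNAT public address
    home_ip = "198.51.100.9"         # constructed: the victim's other connection
    legit_users = ["victim"] + [f"user{i:03d}" for i in range(100)]

    # Bad actor behind the NAT: 20 wrong guesses against one account.
    for _ in range(20):
        if policy.allowed(nat_ip, "victim"):
            policy.record_failure(nat_ip, "victim")

    # Then the legitimate users behind the same NAT present correct passwords.
    blocked = [u for u in legit_users if not policy.allowed(nat_ip, u)]
    return {
        "blocked_behind_nat": len(blocked),
        "victim_from_home_allowed": policy.allowed(home_ip, "victim"),
    }


if __name__ == "__main__":
    for cls in (PerIpLockout, PerAccountLockout, PerPairLockout):
        print(cls.__name__, simulate(cls()))
```

    Per-IP lockout blocks all 101 honest users behind the shared address, which is the DoS tepples points at; per-account lockout spares them but lets the attacker lock the victim out everywhere, including from home; keying on the pair confines the damage to the attacker's own vantage point, at the cost that a distributed attacker gets a fresh counter per address. That last trade-off is why deployments usually layer a per-account slowdown (increasing delays rather than a hard lock) on top of any address-based counter.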

  25. I have a Cunning Plan by cellocgw · · Score: 1

    From now on, my systems are going to require that all passwords include an emoji character.

    Crack that, you rotten blackhatters!

    And while we're ranting about capitalization and special characters (%$*&#), why not just give up and realize that everything inside a computer is 1s and 0s? Require all passwords to be a string of at least 110111110111 1s and zeros.

    --
    https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
    1. Re:I have a Cunning Plan by Anonymous Coward · · Score: 0

      From now on, my systems are going to require that all passwords include an emoji character.

      (facepalm)

    2. Re:I have a Cunning Plan by Anonymous Coward · · Score: 0

      "Our password requirements have recently changed. For your new password, please enter at least 48 1s and 0s..."

      Then the joke is that it's still stored as a string

  26. This Girl Will Solve Your Cybersecurity Problems by iq145 · · Score: 1
  27. Dumb idea by ebvwfbw · · Score: 1

    What's a BOFH to do? With auto correct this could cut down trouble calls a lot. It's a BOFH's highlight of the day to get those calls.
    http://bofh.bjash.com/