Slashdot Mirror


Password Overload

Cy Guy writes "The NY Times has an article on how users are coping with an overload of passwords. Helpdesk costs related to lost passwords are $340/user/year according to the Gartner Group estimate cited." (Free NYT account required to read.)

124 comments

  1. Personal Certificates are the answer! by Anonymous Coward · · Score: 0

    All of this password insanity has been driving me crazy for a couple of years now. The answer to it all (on the web anyway) is personal certificates. Whether issued and verified by an organization like Verisign or by the site wanting identification (like NYT or Slashdot), it is much easier to unlock a database of certificates on my browser with one password than it is to remember a zillion passwords.

    Everyone's argument to this idea is always that nobody is going to pay Verisign for a personal certificate. That is fine. There is no reason that Yahoo! and Slashdot and the NYT cannot issue their own certificates for free! These certificates do not need to be as closely guarded as the ones issued by the bank. They are only for identification for use with some trivial service. Who really wants to break into my Yahoo! mail account anyway??

    1. Re:Personal Certificates are the answer! by buttplug · · Score: 1

      And if you expanded the concept, it could include some management program to keep track of your real Verisign cert, your "free" certs and anything in between. I think it would be just awesome if someone came up with the "marketing cert". You put whatever personal information you feel comfortable with inside a cert, then the website that wants it can come and get it from you, instead of those @*#&ing forms you have to fill out (which is the prompt for the password issue, anyway). /m

  2. Fun with passwords by Anonymous Coward · · Score: 0

    I had a girlfriend of about a year and a half and I knew her AOL password while I dated her. Turns out she used the same password for anything so I coulda completely screwed her over, but I wasn't so inclined.

    Lucky for her.

  3. Glad to see this covered! by Quigley · · Score: 1

    I've been bitching about this for a while now. The sheer number of passwords one has to remember today to function is outrageous, and the amount of web pages that require you to log in (you're guilty too, Rob) doesn't help. I try to use the a-few-different-depending-on-security passwords approach, but because every password program has different restrictions it isn't always that easy. Usually I wind up recreating my accounts whenever I need access. And finally, don't forget with nearly each password comes a login name... There must be a better solution out there.

    Finally, a little quote from the article I thought was fairly humorous :)

    "Michael J. Koszenski, a computer technician in Lexington, spent 2,000 hours of his own time creating a password database software for his PC after being disappointed with various password tracking programs...who has 30 or so passwords and access codes to manage."

    That's TWO HUNDRED AND FIFTY eight hour days! 66 days of work for each password! I hope that's a misprint :)

    1. Re:Glad to see this covered! by Ed+Avis · · Score: 1

      One of the biggest problems (for me, at least) is the differing 'security' requirements for how you should choose a password.

      One system has a maximum length of eight characters, while a website has a minimum of ten. Some require mixed case, some don't. It would help enormously if webmasters were a little more relaxed and just allowed users to pick their own passwords - particularly for things like the NYT which are not exactly 'top secret'.

      --
      -- Ed Avis ed@membled.com
  4. Re:New MacOS (on topic, really) by HerrNewton · · Score: 1

    In case any of you are interested at all about the Keychain and MacOS 9's voice passwords, AppleInsider has it all in its MacOS 9.0 archive:

    http://www.appleinsider.com/macos9.0.shtml

    --

    ----
    Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
  5. Just use... by ronfar · · Score: 1

    A combination of a single easy to remember password and a substitution cipher based on the name of the thing that the password is for. Example, NYT would be encoded by making the first version of the alphabet (for the first letter of the password) start with N, the second letter Y=A, the third letter T=A, and then back to N=A until all the letters of your password are encrypted.

    Of course there are more high tech ways to do this but you better not lose the program you used to encrypt your passwords unless you know how to rebuild it from scratch. (Still, writing a password encrypting program is fun for a rainy day, I think.)

    --
    All the creatures will die, And all the things will be broken. That's the law of samurai. (Jubai, 1605)
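The site-keyed substitution scheme described in the comment above, written out as an added example (this code is not from the thread or any poster). The rule "the alphabet for position i starts with letter i of the site name" is exactly a Vigenère cipher with the site name as the repeating key, so plaintext `a` maps to the key letter. Function names and the sample base password are mine; letting non-letters pass through unchanged is an assumption, since the comment only describes letters.

```python
# Added example, not from the Slashdot thread: the site-name substitution cipher
# as a Vigenère cipher. Names and sample values are constructed for illustration.
import string

ALPHABET = string.ascii_lowercase


def _shift(ch: str, key_ch: str, direction: int) -> str:
    """Shift one letter by the key letter's index in the alphabet (+1 encode, -1 decode).
    Non-letters pass through unchanged; that is an assumption, the comment only covers letters."""
    if ch.lower() not in ALPHABET:
        return ch
    k = ALPHABET.index(key_ch.lower())
    p = ALPHABET.index(ch.lower())
    out = ALPHABET[(p + direction * k) % 26]
    return out.upper() if ch.isupper() else out


def _key_letters(site: str) -> list:
    letters = [c for c in site.lower() if c in ALPHABET]
    if not letters:
        raise ValueError("site name must contain at least one letter")
    return letters


def site_password(base: str, site: str) -> str:
    """Encode the base password with the site name as the repeating key
    (position 0 uses the alphabet starting at site[0], position 1 at site[1], ...)."""
    key = _key_letters(site)
    return "".join(_shift(c, key[i % len(key)], +1) for i, c in enumerate(base))


def recover_base(site_pw: str, site: str) -> str:
    """Invert site_password. The site name is public, so anyone holding one leaked
    site password can run this and get the base password for every other site."""
    key = _key_letters(site)
    return "".join(_shift(c, key[i % len(key)], -1) for i, c in enumerate(site_pw))


if __name__ == "__main__":
    base = "secret"  # constructed sample base password
    for site in ("NYT", "Slashdot", "Yahoo"):
        pw = site_password(base, site)
        print(f"{site:>9}: {pw}  (recovers to {recover_base(pw, site)})")
```

The `recover_base` function is the same cipher run backwards, which is the practical weakness of the scheme: the per-site passwords look unrelated, but each one differs from the base only by a shift keyed on a public value, so one compromised account exposes the rest.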
  6. Closed source by blue · · Score: 1

    How dare you!

    1. Re:Closed source by bigboy · · Score: 1

      I'm sorry... I must be punished..
      How many "hail linus's" must I say?

      Actually it's the only one I knew of, therefore
      I had to use it instead of another, better, open-sourced one.

      --
      - Jim - "I hate people." -
  7. unavailable logins by kahili · · Score: 1

    The more and more insignificant sites popping
    up that require login accounts, the more and
    more seldom my preferred login names (or any
    variant of any of them) are available.

    So now regardless of how often I reuse a password
    or PIN, whether I can remember the login I chose
    for that site is hit/miss.

  8. Re:Gartner Group by birder · · Score: 1

    Agreed. Gartner Group 'reports' are utter trash. They are only used as ammo in your aid for winning over the boss to your ideas :-)

  9. NYT Login/Password by Zyber · · Score: 1

    login:slashdotid
    password:slashdot

    or

    login:cypherpunks
    password:cypherpunks

  10. Open source program by Anonymous Coward · · Score: 0

    I wrote a program a while ago that does the same thing. You can download it here. The source code is included, but some of it is in VB3 binary format, so you'll need VB3 to view it. It runs on Win95/98 with VBRUN300.DLL (and maybe Win3.1), an EXE is included.

    1. Re:Open source program by blue · · Score: 1

      Hmmph! Open source software developed on a closed source operating system using closed source development tools. Shame on you!

  11. Re:Annoying free login thing by jilles · · Score: 1

    Actually I tend to fill in as many 'bla' as I can. For instance when downloading software (for instance a plugin) companies ask you all sorts of stupid questions to which I always answer bla. Sometimes a stupid javascript tells me bla won't do so I then make it bla@bla.com.
    I have registered for NYT the conventional way ,though, since it frequently has interesting stuff to read.

    greetings, Jilles

    --

    Jilles
  12. a very different and cool solution by JimBobJoe · · Score: 1

    It's called passface and it is password like in the sense that something needs to be remembered, but what you need to remember is very different.

    The principle is that humans are very good at remembering faces, so you can select a face out of a series of faces, and then a second, and a third, and a fourth. That is your password. When you want to log on, you are greeted with the series of faces, and then you choose one, and then you get a second series of faces...et cetera.

  13. Re:340$ user/year? Ha! by nevercrywolf · · Score: 1

    You have to keep in mind that not all helpdesk people know the root password on the machines they maintain. For example, where I work, a lot of what we do is done through sudo and we don't even need to know the root password on the machines... however if sudo is not enabled for changing a user's password, you will need to know the root password on that machine, and if it's not yours, there is time involved with contacting the owner of that machine and having them change the password.

  14. Passwords suck by Anonymous Coward · · Score: 0

    Smart cards and/or biometrics are the way to go. Re-usable passwords are not only hard to forget, but they're insecure. (No opinions here, nosiree bob.)

  15. Free Certificates by Anonymous Coward · · Score: 0
    Everyone's argument to this idea is always that nobody is going to pay Verisign for a personal certificate.

    Thawte gives away personal certificates for free. They don't contain your name, only your email address (because Thawte can use an automated program to verify this), but they do everything that a Verisign personal cert would do. They will even sign a PGP key, so people know that the listed email address is really yours. They also sell other types of certificates for less money than Verisign, and they are listed as a trusted CA by IE and Netscape. http://www.thawte.com/certs/personal/

  16. my approach by cs · · Score: 1

    I've a little script called "ring" I use to look up phone lists. For passwords I just have a pgp encrypted file; I decrypt it and pipe it through ring to find the password I need for whatever obscure site I need to visit. I have a few shell aliases for storing (unexported) the passphrase for this file in my shell and for passing it to pgp for the pgp->ring lookup. Works just fine.
    So I just make random passwords for sites and note 'em down. (md5 on an active log file is a handy way to get arbitrary strings for passwords).

    --
    Cameron Simpson, DoD#743 cs@cskk.id.au http://www.cskk.ezoshosting.com/cs/
  17. My solution to this problem by chiz · · Score: 1

    What I usually do is have an easy to remember password that I use for things that I don't care much about the security of. Things like web based email accounts I signed up for and end up using as another address to use for those sites who make you fill out those surveys before you can download their product. For more secure things I usually make up random passwords in the form of three letters, two numbers, and then three more letters. I usually keep the case of the passwords mixed, but consistent so I can remember it. The result is a password that is fairly difficult to guess due to the mixed case and the numbers, but easy enough for me to remember since I know the pattern of the letters and numbers.

  18. Re:One Problem... by Helge+Hafting · · Score: 1

    I can type fast and obscured enough so that no one can read what I'm typing.

    I can rent a camcorder and single-step through your keystrokes. :-)

  19. Apple Keychain by Myopic · · Score: 1

    Some time ago Apple Computer included software called "Keychain" with its OS.

    Keychain would keep all your passwords super-secure in a little pop-up window and you only needed to remember the one Keychain password to access it.

    Keychain was great software. Unfortunately Apple is too daft to recognize a good thing and axed Keychain from the MacOS.

    Pfft.


    Peace

  20. hrmm.. brute force finger attack on the ladies by Anonymous Coward · · Score: 0

    Three digits is not extremely weak for a bathroom, you're gonna look kind of suss standing at the ladies bathroom doing a brute force finger attack on the pin as you work through up to 1000 combinations. 3 digits is fine for that..

    1. Re:hrmm.. brute force finger attack on the ladies by Anonymous Coward · · Score: 0

      only six (3*2*1) combinations. you look on the keypad to find three most frequently used keys and voila !

    2. Re:hrmm.. brute force finger attack on the ladies by KFury · · Score: 1

      That's three decimal numbers (10*10*10) Not three digits from a keypad of 3 where repeats aren't allowed (3*2*1)...

  21. Re:Would you trust a closed source program for thi by thsths · · Score: 1

    Yes, but what's the point of having really great and difficult to remember passwords for all these crappy accounts? You can use simple passwords for these (usually they don't check very much), and you can use the same one every time.
    So you can use your brainspace for the real passwords, that really have to be safe.

  22. Gartner Group by Anonymous Coward · · Score: 0

    Hrm, keep in mind these were the same guys that published the study that helped motivate the "NC" disaster by stating PCs cost some godawful amount to maintain. They also claimed water coolers cost something like $250000 per year.

  23. M$'s solution to this problem by linuxghoul · · Score: 1

    Is it just me, or have others also noticed a couple
    other articles on this topic? It seems to me, all of these
    are just a preamble of a hype-storm for the Microsoft
    solution to this problem. go take a look at this
    Hotmail is already using this, but i don't know of any others yet.
    i am thinking this could really become big, and could really give MS
    a monopoly on website user authentication. How about moving quickly, and developing an open source standard similar to this?

    Linuxghoul

    --
    Sigura Non Grata
    1. Re:M$'s solution to this problem by flathead · · Score: 1

      I first heard about this through a marketing survey. It seems that you just give your information (Name, credit card number, etc.) and when you want to buy something, you just let your trusty third party company (and who is more trustworthy than Microsoft?) handle the disbursement of your name, credit card number, etc. for you.

      Can you imagine the money you could make selling information on what products a person buys, if you know that person logs all exchanges through you? I think I can handle the burden of retyping my credit card number each time I use a different business.

      An open source standard wouldn't do anything. This is pure capitalism.

  24. Re:340$ user/year? Ha! by RocketJeff · · Score: 1

    Well, the article says that it was the Gartner Group doing the estimating. I usually multiply their estimates by .1 to get a realistic amount...

  25. GPL program to help on Palm Pilot by Anonymous Coward · · Score: 0

    Try Strip:

    http://www.zetetic.net/products.html#strip

    Works good for me. Stable too.

  26. Would you trust a closed source program for this? by seanb · · Score: 1

    'Please enter all of your passwords, pin #'s, etc. into this form. Click the "OK" button to send this to^H^H^H^H^H^H^H^H^H^H^H^H store this information in encrypted form.'
    Any program I used for such a purpose I would want line-by-line audited, much like OpenBSD.

  27. Re:Uh, huh... by John+Fulmer · · Score: 2

    >1/2 half of that is $1,190,000.

    > um.... (no further commenting needed.)

    Okay, so I forgot a '0'.. $11,900,000... The rest of the math was right...297 1/2 people changing passwords....

    jf

  28. Re:Would you trust a closed source program for thi by Jburkholder · · Score: 2

    No. Which is why I said I'd never put a real system account into this, just all my crap webmail passwords that I really couldn't care less if they are compromised. :-)

  29. remind me some polls by Frederic54 · · Score: 1

    as people have often access to more than one machine (shell), and sometimes more than one email address, it means one password for each of them! Even if i have about 15 shell/email i use 4 or 5 passwords, easier...
    the poll are fucked, but here's a link of poll about number of email address, another link which is the same subject?!? and link to the password one.
    also what happened to this poll of Aug 4th?
    --
    http://www.beroute.tzo.com

    --
    "Science will win because it works." - Stephen Hawking
  30. Re:Multiple Passwords by sugarman · · Score: 1

    Forgive my naivete, but could you not create a netscape-plug-in or an Active-X control to just delete this file every time you go to a new page?

    Not sure if it would mess up search engines, but basically, a Cookie Monster that eats em as you go?

    --
    --sugarman--
  31. 2,000 hours to create a password database? by Anonymous Coward · · Score: 0
    Did that guy write the bleedin' database as well?

    Rich.

  32. Re:I'd like to see this bathroom by Arvind · · Score: 1

    My university dept actually does have the ladies room password-protected, sort of. It's an extremely weak 3-digit password, though.

  33. Password? by mholve · · Score: 0

    Umm, what was my password on NYT again? ;>

  34. Only One Password Needed by Anonymous Coward · · Score: 0

    if we had a kerberos server that we could trust. MIT uses one for all their internal authentication; it makes things there a lot simpler.

  35. Re:Someone Wanna Grab that Palm Pilot? by piloteer · · Score: 1

    I wrote Strip, the Password and Account manager for the Palm Pilot. I am not trying to plug the product but since it's been mentioned twice already I feel more comfortable. Strip will protect against user stupidity. It encrypts EVERYTHING before it goes into the palm databases. Furthermore, if you leave it on in the back seat of the taxi it locks the program when the palm automatically powers off. Idea is the same algorithm used in PGP, so it's heavily tested and secure. It's open source, so you can look at the crypto code and compile it yourself if you want to. Strip does specific and comprehensive memory wiping of unused data, so even if your would be attacker got an actual RAM image off your palm they would not find your key, or any of the data that has been displayed during Strip's use.

  36. Re:Compromise solution by Bob-K · · Score: 1

    I do it the same way you do. Sometimes I recycle old high-security words and use them at the mid-security level. If I forget one, it makes it a little easier to guess.

  37. Re:Good use for a PalmPilot by Tau+Zero · · Score: 1

    At least with a Palm you can use physical security. I dunno about you, but I'd feel a lot safer cracking into a networked box somewhere than trying to take a Palm off of someone my size. ;-)

    --
    Time is Nature's way of keeping everything from happening at once... the bitch.
  38. Funny Story by cowboy+junkie · · Score: 1
    We set up a new Intranet web server then gave folks their passwords. Afraid that they weren't going to remember that they could be mixed-case, I put the following on the entry page:

    Remember: Your password is case-sensitive.

    Looking through the logs a while later - I saw multiple entries of people trying to use "case-sensitive" as their password...

  39. Re:my solution by odaiwai · · Score: 1

    > bgates@microsoft.com

    YM billg@microsoft.com. HTH. HAND.

    You really want microsfot talking to your ISP about you forging billg's email?

  40. One Problem... by Bananenrepublik · · Score: 1

    I can type fast and obscured enough so that no one can read what I'm typing.
    But if I have my pws on a PalmPilot or whatever I have to make them visible, at least long enough for me to read. Or do you hide under a newspaper every time you want to enter a password :)

  41. Re:340$ user/year? Ha! by Anonymous Coward · · Score: 0

    The real cost comes from knowing who rang in and asked for the CEO's password to be reset, along with resetting the password to the payroll system.

  42. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  43. how do you control use of "your" strong encryption by Anonymous Coward · · Score: 0

    By password - eventually, biometric, if you can handle the privacy/compromise possibilities Lyal

  44. How to secure passwords: by Ricdude · · Score: 1

    I remember reading this from a computer magazine about 5 years ago. The secret to maintaining password security is to store them in clear text, in a file which is globally readable, but pick a file that no one would ever bother opening.

    Download some shareware, say, a typing tutor, or something equally useless. Install it. Go to the directory where the software is installed, and you'll find a file called ORDER.FRM or PURCHASE.TXT or something like that. Type whatever you want into the exact middle of the file. In clear text. No one else will ever see them. =)

    --
    How's my programming? Call 1-800-DEV-NULL
  45. How do you prevent certificate misuse? by Anonymous Coward · · Score: 0

    By password. A certificate says who you are. ACLs still need to be maintained to manage application/system privileges. No-one has yet built Certificate->ACL parsing tools into systems or applications. Or, you could put the ACL into the certificate - meaning you have to re-issue the cert every time there is a privilege/role/duties change for the individual - and a second person has to vouch for the privileges you claim. And you must still maintain a certificate/ACL parsing engine in the system/application. Certificates are cheaper, cost effective? Utter Bull!!!! Wake UP! Lyal

    1. Re:How do you prevent certificate misuse? by Anonymous Coward · · Score: 0

      The certificate is only used as a substitute to pumping a login/password pair into a login session on a webserver. There is no reason that whatever is being used to map that login/password into ACLs on the backend needs to change. Take Yahoo! for instance, once they have identified via a certificate who the user is they can do whatever "magic" cookie crap they are already doing to maintain state of that user.

  46. An effective pw management scheme... by blahedo · · Score: 1

    The most effective password management idea that I've heard is the advice we gave to people using our lab---come up with "password themes". That is, pick some class of passwords that are related and enumerable, munged in a fairly consistent way, and wouldn't be well known to anyone but you; this way you don't have twenty distinct things to remember, just one pattern that ties into something you already know.

    For instance, ``Last names of people in my boy scout troop, with the first two letters swapped''. Or, ``First names of people at my last job, spelled backwards and with the fourth letter capitalised''. This sort of a method tends to be very productive, easy to remember, but hard to guess; and even if someone gets one of your passwords, they won't be able to figure out the others, unless they know you really well. And if you still can't remember your scheme, it's much safer to write down a dummy password that obeys the scheme, or even to write down the scheme itself, than to write down each valid password next to your computer.

    Of course, it's probably easier if this gets used in combination with some of the other suggestions on this board---I think even this scheme would peter out if I needed to use a separate password for every registrable site I belong to. ;)

    --
    ``This, too, shall pass.'' ---Eastern proverb
  47. Re:Would you trust a closed source program for thi by Jburkholder · · Score: 2

    Where did 'great and difficult' enter? Most of these passwords are the same, or variations, based on what the length and other limits. Most of the time its the account name that I have to remember. Some times its the same one I like to use all over, sometimes its my 'quake' handle, some times it one of the dozen or so webmail accounts I have.

    I'm not using keep it safe to lock up inner-sanctum passwords, just to have a moderately-secure place to keep track of all these accounts and passwords. I used to have them in a clear-text notepad file, this is a shade better.

  48. STRIP by DrJolt · · Score: 1

    If you're a pilot user suffering from this problem, check out STRIP at http://www.zetetic.net/

  49. service by Anonymous Coward · · Score: 0

    When you are a customer with a lost password, that is a serious problem. If Big Corp ought to take customer service more seriously.

  50. Re:Compromise solution by Inoshiro · · Score: 1

    You've read my mind! This is exactly the sort of multi-tiered password system I came to over time.
    I think I'll document this now ;-)

    --
    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
  51. ack! by willhelm · · Score: 3

    forgot my NYT password--how am i going to read the article now!

    /willhelm

    1. Re:ack! by elixir · · Score: 1

      cypherpunks/cypherpunks

      --
      -- The intelligence on this planet is a constant, but the population is growing. --
  52. Hmmm... by JohnnyCannuk · · Score: 1

    Is it just me or does trying to read a story about the cost losing/having too many passwords which requires me to register with yet another password seem a bit ironic?

    The NYT is just not that interesting....

    --
    Never by hatred has hatred been appeased, only by kindness - the Buddha
    1. Re:Hmmm... by quadong · · Score: 1

      I, of course, read the paper version this morning. Sure, it's backwards, but it doesn't have a password, and you wouldn't believe how fast the pages load.

      And the NYT is much more interesting than most papers, unless your version of interesting is heavy on sports, sensationalism and/or local news.

  53. Overload... by Rational · · Score: 1

    I'm beginning to use just two passwords, my main UNIX one at work, and another one everywhere else. I'm sorry, I just can't remember six dozen pseudo-random strings.

    And don't get me started on PIN numbers... Bring on the biometrics, and fast...

    --
    "Be nice, veer left, and never stop thinking" Iain Banks - Walking On Glass
    1. Re:Overload... by Anonymous Coward · · Score: 0
      And don't get me started on PIN numbers... Bring on the biometrics, and fast...

      Sorry - pet peeve. "PIN numbers" expands to "Personal Identification Number numbers" - you're really supposed to say "PINs" (or "PI numbers" but nobody would understand that one).

      Rob.

  54. Sorry... by jd · · Score: 2

    This post requires a password to read, and you've forgotten it.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  55. Compromise solution by TheMeld · · Score: 2

    Some security paranoids try and have every password different. Others make all their passwords the same. Both end up causing problems. I use a compromise. I have three passwords.

    One is a 'high-security' password that I only use in trusted, secure situations. My root password falls into this category. This password NEVER goes over any clear channel, nor is it typed in when anyone is possibly watching.

    The next level of password is the medium security password. This is for systems where I care about security, but compromising it wouldn't cause serious problems, the person would just be able to read some personal documents, and perhaps impersonate me.

    The final password is the I-don't-give-a-rat's-ass-about-security password. This is for things like slashdot, NYT, and other web services. These are ones where I (or someone else) wants some kind of security, but I don't particularly care if it gets compromised, as the person couldn't do much with it (Oh no, they impersonated me while reading the NYT!).

    Each password gets changed with a frequency tied to how important it is. For example, root gets changed every month or so. My regular login gets changed every few months, and I haven't changed the who gives a shit password in over a year.

    The upshot is that I never forget my passwords, and I haven't had to ask a sysadmin to change one in years. And none of my accounts have been compromised (yet).

    --
    -Cheetah
  56. passwords by ODiV · · Score: 1

    I really should start writing all my passwords down.

    Then what do I do with the list?

    1. Re:passwords by GoRK · · Score: 1

      Well, you password-protect it, of course.

      Honestly, though, password list management programs are out there in droves. The problem with them though is that they are inherently insecure. E.G. one global password reveals all other passwords...

      I'd like to see a password management system with a physical level of security. For example, you insert your smartcard or HASP key into a reader or the computer's serial, parallel, or usb port and then whammo your list is decrypted based on the private key in your physical device (or using the device itself in the case of smartcards)

      ~GoRK

    2. Re:passwords by Zack · · Score: 1

      There's some sort of utility I saw a while ago that let you store your password and what site they're for in a file that is encrypted with {PGP|GPG}... so you only have to remember that one password to look up anything else.

      Of course, if you lose or forget that one password then you're pretty much screwed.

      My passwords are all fairly similar... they all come from a common source, but with variances... for example, there's an inside joke I have with a long time friend... Using one of those words, the next word in another language, and a significant number, and capitalization changes I get a new password! Works very well...

      Which reminds me.. I'm way overdue for a password change..

    3. Re:passwords by Anonymous Coward · · Score: 0

      Better yet require a password AND the physical device, that way if you lose/have stolen the physical "key" its useless to whoever finds/stole it.

      Combine what you know with what you possess. similar to the PIN# + ATM card combination.

      Ethan
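The "what you know plus what you possess" list described in this reply (and the decrypt-with-the-key-on-your-device idea a few replies up), as an added example that is not part of the thread or any poster's code. The file key is derived from both a passphrase and a secret read from a physical token, so either factor alone yields a different key, the authentication tag fails, and nothing is decrypted. The token secret, sample list entry, function names and the HMAC-based stream construction are all mine and constructed for illustration; for a real password store use a vetted AEAD from a crypto library rather than this hand-built scheme.

```python
# Added example, not from the Slashdot thread: a two-factor encrypted password list.
# Both factors feed the key derivation; a wrong passphrase OR a missing token fails.
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample "device secret", standing in for a key held on a smartcard/USB token.
DEVICE_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
ITERATIONS = 100_000


def derive_key(passphrase: str, device_secret: bytes, salt: bytes) -> bytes:
    """Bind both factors into one 32-byte key: the token secret is folded into the
    PBKDF2 salt, so changing either the passphrase or the token changes every byte."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), device_secret + salt, ITERATIONS, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; only to keep the example dependency-free."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal(plaintext: bytes, passphrase: str, device_secret: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: salt(16) || nonce(16) || ciphertext || tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(passphrase, device_secret, salt)
    enc_key, mac_key = key[:16], key[16:]
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag


def unseal(blob: bytes, passphrase: str, device_secret: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when either factor is wrong or the blob was altered.
    The tag is checked before any decryption, and in constant time."""
    if len(blob) < 16 + 16 + 32:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    key = derive_key(passphrase, device_secret, salt)
    enc_key, mac_key = key[:16], key[16:]
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    entry = b"example.test: s3cret-sample\n"  # constructed sample list entry
    blob = seal(entry, "correct horse", DEVICE_SECRET)
    print("both factors  :", unseal(blob, "correct horse", DEVICE_SECRET))
    print("wrong password:", unseal(blob, "wrong horse", DEVICE_SECRET))
    print("no token      :", unseal(blob, "correct horse", b"\x00" * 16))
```

The point the reply makes falls out of the last two lines: a stolen token without the passphrase, or a shoulder-surfed passphrase without the token, produces a key whose tag check fails, so the file is useless to whoever holds only one factor. Storing the tag alongside the ciphertext also means a lost or corrupted list is detected instead of silently decrypting to garbage.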

    4. Re:passwords by Jburkholder · · Score: 2
      "Keep it Safe" is a freeware program for W32 that does this. I use it at work to keep track of all the mail-lists, web-mail, web-shopping-accounts and stuff like that. Not sure I would ever really put a real system account there tho.

      Wish there was a Linux port of this that I could use at home, it is pretty useful.

    5. Re:passwords by Zack · · Score: 1
      The only one I found during a quick search was one called Gpasman.

      I'm still not certain of its security, but it's a start.

  57. Easy Solution by IntelliTubbie · · Score: 1

    Just make a list of all your passwords, put it in a text file, and encrypt it with PGP. Then you only need to remember one password -- your PGP password.

    It might also be a good idea to encrypt the file with 2 separate keys & passwords so you have a backup in case you forget one of the PGP passwords.

    --

    Power corrupts. PowerPoint corrupts absolutely.

  58. i ron ee by zonker · · Score: 0

    hahaHAHAHAHAHHAHAHHahahah! Irony. I love it!

  59. Multiple Passwords by kmj9907 · · Score: 1
    I really think it's better to have a few passwords for various levels of importance than to write your passwords down. Important passwords shouldn't be written down under any circumstance, and unimportant ones, well just use the same password for all of them. Oh, and NY times remembers your password for you, w/ a cookie I assume, so it's not really ironic at all.

    kmj
    The only reason I keep my ms-dos partition is so I can mount it like the b*tch it is.

    1. Re:Multiple Passwords by Anonymous Coward · · Score: 0

      su -c 'chattr +i $HOME/.netscape/cookies' does rather nicely :-)

    2. Re:Multiple Passwords by Anonymous Coward · · Score: 0

      Of course it only stores it in a cookie if you have them turned on.
      Which reminds me of a great way to turn off cookies: It's annoying to turn them on 'let me know when i get a cookie' because you get so many alerts, but it's annoying to turn them off because then you get websites telling you you need them to use their website. Here's what you do, leave them turned on, then delete all your cookies (you can do this in Netscape by either deleting the cookies 1 by 1 or just delete the file in your user directory, there is a warning not to edit the file, but it's just BS). Next change the file permissions on the cookie file to read only. After doing this, I believe the cookies are still stored in memory when the browser is open, but when the browser is closed they are all gone.

  60. 340$ user/year? Ha! by Jeff+DeMaagd · · Score: 1

    What the heck is going on that makes the help desk cost that much to fix a password? Come on!

    Either someone doesn't know how to estimate, there is _far_ too much bloat in the organization or some wacky combo of both.

    In UNIX, doesn't helpdesk just have to:

    passwd

    give the dummy password to the user? Unless the (l)user loses the password twenty times or more a year, I can't see how password fixing is really a problem. The only thing is things lost because superuser can't remember password, then you're screwed out of much invested data in the system, even then, there are quick workarounds.

    Clue stick anyone? (I don't want to login NYT, so I haven't read it)

    1. Re:340$ user/year? Ha! by Anonymous Coward · · Score: 0

      RocketJeff noted that Gartner Group estimates are not realistic. Yes, I sat in a presentation yesterday where GG's estimate of long distance costs from a fax machine is $700 per month. Never mind that we send stuff over the net that we used to fax; at the $0.07 cents per minute that most big companies are paying for domestic LD, that's 10,000 minutes of faxing, or pretty much 8 hours a day, 21 days a month of non-stop fax. Unless you're faxing overseas a whole lot, that number's a joke. As I suspect the $340/luser is as well.

    2. Re:340$ user/year? Ha! by alan_g · · Score: 1

      Boy I wish it was that simple to reset a password in a large help desk environment. At least in the current large help desk I work at the poor fools over in user administration have to fill out a ticket first, then reset the password. Now due to security concerns nearly every password can NOT be given out directly over the phone. So they have to put the End User on hold and call and leave the new temp password on the audix. Of course I hear people complaining all the time about how the end user can't seem to understand directions to not answer the phone and let it ring through to the audix, therefore a second call has to be made. Now if the end user doesn't have an audix, it has to be left on their manager's audix, which means they call and if the manager answers, explain what is going on and call back one more time to leave the password on an audix. Now after the end user manages to get the audix with the temp password, they have to be walked through changing the password. Of course they have to be reminded of the password policy even though it hasn't changed in about 16 months at this point. Also given that on average the end users have probably around 4-5 passwords and there are 30, 45, 60, and a couple of 90 day expiration times, which makes it even more complex to the end users. So while I think the 340/user/year is high, it isn't too high of a number.

    3. Re:340$ user/year? Ha! by davie · · Score: 2

      Don't forget about desktop and laptop passwords, which aren't always easy to circumvent, and often require a call to the manufacturer's tech line and some sort of ID before you can get the magic incantation. Beyond that, you have password-protected applications, Office documents, db accounts, PGP, etc. which all require varying degrees of knowledge and/or hassle to bypass, or are so difficult to bypass that it isn't worth the effort required, thereby making the protected property, real or intellectual, worthless for all intents and purposes.

      Then there are PDAs, door lock PINs, secure filing cabinet PINs, ATMs, etc.

      The use of password protection has proliferated beyond our ability to manage it and it's not always cheap to bypass the protection.

      --
      slashdot broke my sig

    4. Re:340$ user/year? Ha! by Anonymous Coward · · Score: 0

      alan_g complained about lusers who wouldn't let the phone ring so that the help desk person could leave the luser a message with their password. The help desk person is also a luser; why not just log in to the audix and SEND the message, as opposed to phoning and waiting for the call to bounce to voice mail? If the scenario you describe is so frequent, one would think they'd have figured this out.

  61. Guh... by Foogle · · Score: 1

    Gee, do you think he was serious?

    -----

  62. Good use for a PalmPilot by Zoarre · · Score: 1

    I gave up on remembering all of my passwords. So I generate a different (random) password for every account I have and store them all in an encrypted database on my Palm Pilot. Works great, and if someone gets my TV Guide profile password, I don't have to fear for my online banking accounts.

    Works great for me...

    --
    "People with opinions just go around bothering one another." -The Buddha

    1. Re:Good use for a PalmPilot by Jimhotep · · Score: 1

      Don't misplace your PalmPilot.

      Keep it locked up with a
      combination lock.

      DOH! a number to remember!

      it's a vicious circle!

  63. I'd like to see this bathroom by RedX · · Score: 1
    "But since the introduction of the automated teller machine, people have accumulated an arsenal of passwords, access codes and personal identification numbers to use everything from answering machines to office bathrooms."

    I'll be going home a little early today because I forgot my bathroom PIN and soiled my pants.

    1. Re:I'd like to see this bathroom by Anonymous Coward · · Score: 0

      C^Hanal Management, I suppose -- © 1999, Anonymous Coward

  64. 340$ user/year? Ha! - oops by Jeff+DeMaagd · · Score: 1

    What the heck is going on that makes the help desk cost that much to fix a password? Come on!

    Either someone doesn't know how to estimate, there is _far_ too much bloat in the organization or some wacky combo of both.

    In UNIX, doesn't helpdesk just have to:

    passwd "usr"
    "somedummypswd"
    "somedummypswd"

    give the dummy password to the user? Unless the (l)user loses the password twenty times or more a year, I can't see how password fixing is really a problem. The only thing is things lost because superuser can't remember password, then you're screwed out of much invested data in the system, even then, there are quick workarounds.

    Clue stick anyone? (I don't want to login NYT, so I haven't read it)

  65. I forgot my password but my program remembers it.. by bigboy · · Score: 1

    For Windows

    To get those hidden passwords (******) that you have forgotten, but your programs remember, try
    Revelation http://www.snadboy.com/Revelation.shtml ... it helps for getting your forgotten passwords out of your ftp program to be used for telnet or whatever...

    It's an invaluable tool, I use it all the time.

    Ok, so telling your program to remember your password isn't very secure... but that's your discretion.

    --
    - Jim - "I hate people." -

  66. Uh, huh... by John+Fulmer · · Score: 2

    And 90% of all stats are made up by operations managers looking for more budget for helpdesk functions.

    And the other 90% are made up by consulting firms looking to court SSO (single-sign-on) product companies......

    Let's look at the numbers, shall we? Let's say we work for a company that has 70,000 (I have one in mind) employees that use computer systems and have at least one password.

    Let's also assume that the helpdesk function at this company spends a 50/50 ratio on personnel and equipment for help desk functions, and the median help desk person gets $40k per year (which is actually high to account for HR costs and benefits).

    Let's do some math:

    70,000 employees x $340 = $23,800,000

    1/2 half of that is $1,190,000. At the median salary of $40k per year, that means that the helpdesk for this company has 297 1/2 people doing nothing but password recovery functions every year. I know for a fact that this is not true.

    Now, not having read the article (I refuse to register to news sites), I'm sure that they figure things in such as lost productivity, research time, and so on. But I sincerely doubt that the actual costs are even approaching what Gartner gives.

    You should take these things with a grain of salt. Different environments have different costs associated with password management. A large mainframe-based company can handle thousands of users with a very small staff for password functions. A loosely networked company, where everyone has Administrator on his NT box, and 15 servers to log into, will have higher. A large company will have smaller costs per capita than a mid-sized company.

    jf

    1. Re:Uh, huh... by John+Fulmer · · Score: 2

      I'm not arguing that password changes cost money, it's just that these figures get WAY out of hand out after a while.

      You may notice that MY numbers were just as arbitrary and meaningless...

      jf

    2. Re:Uh, huh... by j+a+w+a+d · · Score: 1

      >Lets do some math:
      >70,000 employees x $340 = $23,800,000
      >1/2 half of that is $1,190,000.

      um.... (no further commenting needed.)


      ..................................@ @

      --
      i dont display scores, and my threshold is -1. post accordingly.
      Discuss /. policies

    3. Re:Uh, huh... by _vapor · · Score: 1

      Unfortunately, I work for the help desk of a leading IT firm in Chicago. I would estimate that at least 50% of the time, the user's problem is either a request for a reset password or is solved by resetting the password. Think about the time (time=money) we could have back if there weren't so many password issues. We would have twice as much time/resources to devote to serious problems. Think of it this way -- with ~10 help desk employees responsible for 3500+ employees on billable consulting time at client sites around the world, a lot of money is lost to inactivity of the consultants due to their computer problems. I will admit though, that supporting Winblows causes at least as many headaches... arrgghhh.. I thought I hated Windoze *before* I had to troubleshoot it all damn day. Tangent, sorry.

      --
      www.poak.net

    4. Re:Uh, huh... by buttplug · · Score: 1

      I'm going to start a consulting firm whose only service is changing passwords. I'll telnet in from home and take my 800-line calls in my pajamas, and for this remarkable service I'll charge $300 each, and call that a discount.

      And for a volume discount, I'll personally rap lusers upside the head when they reach $3,000 or more in charges.

      /m

  67. Re:Someone Wanna Grab that Palm Pilot? by xener · · Score: 1

    There's a nice freeware encryption package for the
    Pilot called Cipher. It uses IDEA (128 bit keys).

    I use it to encrypt passwords on my Pilot.

  68. Better biometric device by Anonymous Coward · · Score: 0

    One of the main reasons biometric devices are not too common is that you must buy software for them, and then connect them to the computer itself. The computer must already have the software installed and must be informed that the passwords are there. Here is what I suggest:

    Someone create a stereoscope with a small display viewable only to the holder. Activate this display using a thumbprint or something (perhaps a master password.) Then the user can scroll through a list of machines and passwords/pins.

    A useful function would be to have the device generate a random password for you. That way, dictionary attacks are out of the attack arsenal.

    So why is this good? Well,

    1) The user doesn't have to remember passwords
    2) The user can use the password anywhere and on any computer -- no special cables or software is needed
    3) If the device uses biometrics to authorize the user, then the device is secure (with a bit of encryption or non-tamperable memory that is...)

    Now, if someone would just make the darn thingee...

  69. cypherpunk/cypherpunk works by gonzocanuck · · Score: 1

    just try it!

    --

  70. Palm Pilot by Anonymous Coward · · Score: 0

    For keeping track of passwords alone, it's worth the $200. I have not only my passwords written down, but also everyone else's passwords (for when they forget them and I'm not on site to reset them) - well over 300 passwords. No way in hell I could memorize that many strings of random characters.

  71. Great Idea by Anonymous Coward · · Score: 0

    A network admin I knew used a program for Winblows called Whisper 32. It was basically the same idea: One passwd lets you into the program, which shows you a plaintext version of all the passwds you've told it about (presumably stored encrypted). I was wondering if anyone had written something similar for Unix, but clearly this is unnecessary if you just use PGP. Easy, safe, and cross-platform. What a great idea. Personally I go for the 3 password levels myself, but this may be better all around...

  72. Re:Someone Wanna Grab that Palm Pilot? by flathead · · Score: 1

    How secure is anything? If I leave my planner in the seat of a taxi or a restaurant table the lucky person gets my money, my credit cards, my address, and knowledge of when I won't be home. To me, that's a lot scarier than someone finding out what my root password is. I can change that. Changing a business trip is a little harder.

    It's almost impossible to protect yourself from your own stupidity. If you put your passwords in your Pilot, just be sure to recognize its value and don't leave it in the back of a taxi.

  73. Biometrics the answer? by Virtual_Raider · · Score: 1

    I know many of you will nearly die in a paranoia attack, but I believe that when the day comes that it is cheap and reliable enough to have biometric access codes on everything that needs to be protected, this endless password dance will be reduced.

    If I could simply get a retinal scan to log into my computer, the need to password protect much of its content would be a great deal less.

    - Raider

    --
    +Raider of the lost BBS

  74. Nice way to remember multiple passwords by ucblockhead · · Score: 1

    Pick a theme. Something like "names of Star quarterbacks of the seventies reversed and with all vowels replaced with the number of letters in their team name".

    I.e.: n7tgn7kr7T

    That way, when you forget a password, you have a very limited number of things to try. I've done this and found it very useful when I forget which password I gave some web service eight months ago.

    (I do use a different theme.)

    --
    The cake is a pie

    1. Re:Nice way to remember multiple passwords by sparty · · Score: 1

      Of course, mnemonic devices also help. Classic example:
      By the dawn's early light
      Btd'el!
      or
      Bill Clinton has 15 interns under his desk!
      BCh15iuhd!
      Then it just becomes a question of which is which.
      (Damn, did I bash Bill Clinton or Bill Gates in my foobar login? Or did I use the same line as on goober? Or do I still even have a goober account?)
      That's where the earlier suggestions (ie one high-security, one medium security, and one low-security (e.g. slashdot/nytimes/etc) password) come in. I actually use three or four, but along the same lines. Of course, I suppose I should change them at some point....

  75. a wee bit dense? by Anonymous Coward · · Score: 0

    All those posts simply saying cypherpunks/cypherpunks whenever there is a NYT article hasn't tipped you off?

  76. my solution by Anonymous Coward · · Score: 0

    I always register as Bill Gates (bgates@microsoft.com, and please add me to all of your mailing lists). If necessary, I use the M$ address and phone number).

  77. [Joke] Rules for the Selection of Passwords by Anonymous Coward · · Score: 0

    [This is an ooold joke but I thought it might be appropriate here for those who haven't seen it yet.]

    RULES FOR THE SELECTION OF PASSWORDS
    meulenbr@vdp-he.ce.philips.nl (Frans Meulenbroeks)
    (computer, chuckle)
    [Got this one from Piet Verbruggen. I think it is funny and instructive!]

    CORPORATE DIRECTIVE NUMBER 88-570471

    In order to increase the security of all company computing facilities,
    and to avoid the possibility of unauthorized use of these facilities,
    new rules are being put into effect concerning the selection of
    passwords. All users of computing facilities are instructed to change
    their passwords to conform to these rules immediately.

    RULES FOR THE SELECTION OF PASSWORDS:

    1. A password must be at least six characters long, and must not
    contain two occurrences of a character in a row, or a sequence of two or
    more characters from the alphabet in forward or reverse order. Example:
    HGQQXP is an invalid password. GFEDCB is an invalid password.

    2. A password may not contain two or more letters in the same position
    as any previous password. Example: If a previous password was GKPWTZ,
    then NRPWHS would be invalid because PW occurs in the same position in
    both passwords.

    3. A password may not contain the name of a month or an abbreviation
    for a month. Example: MARCHBC is an invalid password. VWMARBC is an
    invalid password.

    4. A password may not contain the numeric representation of a month.
    Therefore, a password containing any number except zero is invalid.
    Example: WKBH3LG is invalid because it contains the numeric
    representation for the month of March.

    5. A password may not contain any words from any language. Thus, a
    password may not contain the letters A, or I, or sequences such as AT,
    ME, or TO because these are all words.

    6. A password may not contain sequences of two or more characters which
    are adjacent to each other on a keyboard in a horizontal, vertical, or
    diagonal direction. Example: QWERTY is an invalid password. GHNLWT is
    an invalid password because G and H are horizontally adjacent to each
    other. HUKWVM is an invalid password because H and U are diagonally
    adjacent to each other.

    7. A password may not contain the name of a person, place, or thing.
    Example: JOHNBOY is an invalid password.

    Because of the complexity of the password selection rules, there is
    actually only one password which passes all the tests. To make the
    selection of this password simpler for the user, it will be distributed
    to all supervisors. All users are instructed to obtain this password
    from his or her supervisor and begin using it immediately.

    ----
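The joke directive above is instructive because stacked composition rules shrink the space of allowed passwords almost to nothing. As an added example (not part of the original thread), here is the directive implemented as a checker; rules 5 and 7 ("any word from any language", "any name of a person, place or thing") are approximated with the word lists the joke itself gives, which is an assumption since the joke defines no finite list.

```python
"""Added example: the joke's password rules as a checker.

Run it and almost every candidate fails several rules at once, which is the
point the joke makes about rule-driven policy: the surviving passwords are so
few that they are effectively predictable.
"""
import string

MONTHS = ["JANUARY", "FEBRUARY", "MARCH", "APRIL", "MAY", "JUNE", "JULY",
          "AUGUST", "SEPTEMBER", "OCTOBER", "NOVEMBER", "DECEMBER"]
MONTH_ABBREVS = [m[:3] for m in MONTHS]
WORDS = ["A", "I", "AT", "ME", "TO"]   # rule 5, approximated with the joke's list
NAMES = ["JOHNBOY", "JOHN"]            # rule 7, approximated the same way

# QWERTY rows; each row sits half a key to the right of the one above, which
# is what makes H and U "diagonally adjacent" in the joke's own example.
QWERTY_ROWS = ["QWERTYUIOP", "ASDFGHJKL", "ZXCVBNM"]
KEY_POS = {ch: (row, col + 0.5 * row)
           for row, keys in enumerate(QWERTY_ROWS)
           for col, ch in enumerate(keys)}


def keys_adjacent(a, b):
    """True when two distinct keys touch horizontally, vertically or diagonally."""
    if a == b or a not in KEY_POS or b not in KEY_POS:
        return False
    (ra, ca), (rb, cb) = KEY_POS[a], KEY_POS[b]
    return abs(ra - rb) <= 1 and abs(ca - cb) <= 1


def violations(password, previous=None):
    """Return the sorted list of directive rule numbers that `password` breaks."""
    pw = password.upper()
    broken = set()
    # Rule 1: length, doubled characters, alphabetical runs (forward or reverse).
    if len(pw) < 6:
        broken.add(1)
    for x, y in zip(pw, pw[1:]):
        if x == y:
            broken.add(1)
        if (x in string.ascii_uppercase and y in string.ascii_uppercase
                and abs(ord(x) - ord(y)) == 1):
            broken.add(1)
    # Rule 2: two or more characters in the same position as the old password.
    if previous is not None:
        same = sum(1 for x, y in zip(pw, previous.upper()) if x == y)
        if same >= 2:
            broken.add(2)
    # Rule 3: month names and their abbreviations.
    if any(m in pw for m in MONTHS + MONTH_ABBREVS):
        broken.add(3)
    # Rule 4: every digit but 0 is the numeric form of some month.
    if any(d in pw for d in "123456789"):
        broken.add(4)
    # Rule 5: "words from any language" (approximated, see WORDS).
    if any(w in pw for w in WORDS):
        broken.add(5)
    # Rule 6: neighbouring keys anywhere in the password.
    if any(keys_adjacent(x, y) for x, y in zip(pw, pw[1:])):
        broken.add(6)
    # Rule 7: names of people, places and things (approximated, see NAMES).
    if any(n in pw for n in NAMES):
        broken.add(7)
    return sorted(broken)


def check_examples():
    """Run the directive's own examples plus one survivor; returns a dict."""
    cases = {
        "HGQQXP": None, "GFEDCB": None, "MARCHBC": None, "VWMARBC": None,
        "WKBH3LG": None, "QWERTY": None, "GHNLWT": None, "HUKWVM": None,
        "JOHNBOY": None, "ZQXPKV": None,  # constructed candidate that passes
    }
    results = {pw: violations(pw) for pw in cases}
    results["NRPWHS (after GKPWTZ)"] = violations("NRPWHS", previous="GKPWTZ")
    return results


if __name__ == "__main__":
    for pw, broken in check_examples().items():
        print(f"{pw:24s} breaks rules {broken or 'none'}")
```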

  78. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  79. My solution! by simm_s · · Score: 1

    A solution you can use is have one really strange password "ql69$!amzsefb" (not mine of course) and memorize this. When you need to create a new password create a variant => ql69$!anzsefb and ql69$!aozsefb this way you will never forget your password.

    The encrypted passwords:
    ql69$!amzsefb -> OBLzco1HA9QN2
    ql69$!anzsefb -> .5/ZI.2Wlfn0w

    To me that gives good variance so it would be tough for password crackers.

    If you have no choice about some passwords you should use a VERY secure password database. I don't personally use password databases but it's better to have a backup than to be locked out of your accounts.
    ---------------------------
    ^_^ smile death approaches.

  80. Someone Wanna Grab that Palm Pilot? by InitZero · · Score: 1

    Ron Dilley is a network administrator. He maintains 129 active passwords using a Palm organizer to track his passwords.

    I ain't got one (yet) so I've got to ask... How secure is that? Can you get PGP for the Palm? Seems to me he leaves his Palm Pilot on the seat of a taxi or on a restaurant table and he is going to be hating life very mucho a lot and a half.

    1. Re:Someone Wanna Grab that Palm Pilot? by Ralph · · Score: 1
      How secure is that? Can you get PGP for the Palm?

      Nope, there is a small utility for the Palm called "Secret!", which does all this. It keeps all the stuff stored, encrypting it with TripleDES (yes, it's not that secure).
      It even has a TAN-Mode (for those of you into homebanking).

      Neat, I keep all my passwords (and the root passwords of our customers' machines) stored in it.

      Doing this is also quite a reminder to not forget your Palm anywhere ;-)

      Ralph

    2. Re:Someone Wanna Grab that Palm Pilot? by Anonymous Coward · · Score: 0

      There is another utility for the Palm called Strip at www.zetetic.net. This one uses 128-bit IDEA encryption so go get it. (I don't work for them or anything, I just like their tool).

  81. Why bother? by Theseus · · Score: 1

    If you think about it, how many of these systems really *need* to be secure? Do I really need to have a unique, six-digit, alphanumeric password just to read the NYT, or my e-mail for that matter? It's not as if it were my bank account or anything. If you want security, use strong encryption. Otherwise, don't waste my time.

  82. Why Don't We Make A Slashdot NYT Account? by Plankeye · · Score: 1

    That way, we could read these dang articles without having to sign up for this.

    Just an idea.

    Plankeye

    --
    Who the hell told Carrot Top he was funny?
  83. Re:Passwords... by Anonymous Coward · · Score: 0

    Let me guess...

    your virginity?

    (Lost mine July 7, 1999, but I'm just a young'n)

  84. Twonz (an interesting idea) by Anonymous Coward · · Score: 0

    You might want to check out this program - http://www.interlog.com/~gray/twonz/twonz.html

    it takes one secret phrase and hashes it against the hostname (or any other obvious value) using SHA-1 to produce a relatively secure password. Nothing gets stored on disk, and you don't have duplicate passwords.

    Of course, if you're on someone's Windoze box and want to log into the NYT, you're SOL unless you can install Perl without them noticing ;-)
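The derivation the post describes (one secret phrase hashed against the hostname with SHA-1, nothing stored), as an added example in Python rather than Twonz's own Perl; the separator, the base64 encoding, the 12-character cut and the per-host "generation" counter are this example's choices, since the page only states the hashing idea.

```python
import base64
import hashlib

# Added example, not Twonz's code. Assumptions: fields are joined with NUL
# separators and the SHA-1 digest is base64-encoded and truncated.
PASSWORD_LENGTH = 12   # 12 base64 characters of the digest carry 72 bits


def derive_password(secret_phrase: str, hostname: str, generation: int = 0) -> str:
    """Derive the password for one host from the master phrase.

    `generation` is a defender's addition to the scheme on the page: bumping
    it for a single host gives that host a fresh password after a breach
    there, without changing the phrase (and so every other derived password).
    The trade-off is that you must now remember which hosts are on which
    generation, which is exactly the kind of state the scheme tried to avoid.
    """
    if not secret_phrase or not hostname.strip():
        raise ValueError("secret phrase and hostname must both be non-empty")
    # Canonicalise the host so NYTIMES.COM and nytimes.com derive the same
    # password; NUL separators keep "ab"+"c" distinct from "a"+"bc".
    material = b"\x00".join([
        secret_phrase.encode("utf-8"),
        hostname.strip().lower().encode("utf-8"),
        str(generation).encode("ascii"),
    ])
    digest = hashlib.sha1(material).digest()
    return base64.b64encode(digest).decode("ascii")[:PASSWORD_LENGTH]


def derivation_properties(secret_phrase: str, host_a: str, host_b: str) -> dict:
    """Return the properties that make the scheme usable, for checking."""
    pw_a = derive_password(secret_phrase, host_a)
    pw_b = derive_password(secret_phrase, host_b)
    return {
        "deterministic": pw_a == derive_password(secret_phrase, host_a),
        "case_insensitive_host": pw_a == derive_password(secret_phrase, host_a.upper()),
        "distinct_per_host": pw_a != pw_b,
        "rotatable": pw_a != derive_password(secret_phrase, host_a, generation=1),
        "length": len(pw_a),
    }


if __name__ == "__main__":
    # Constructed sample inputs; never put a real phrase in a demo.
    for host in ("nytimes.com", "slashdot.org"):
        print(host, derive_password("example phrase only", host))
    print(derivation_properties("example phrase only", "nytimes.com", "slashdot.org"))
```

Because a single unsalted, unslowed SHA-1 is cheap to compute, one leaked derived password is enough to test guesses of the phrase offline, so the phrase has to be long and unguessable; that is the cost of storing nothing.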

  85. RrrrrrOFL! by gonzocanuck · · Score: 1

    OH MY GOD!!!! Can you imagine such a thing! Well, we used to have a metal key for the downstairs ladies, but mgmt finally got rid of it - we were losing one key a month and that was bad enough!

    --

  86. Voice passwords by Anonymous Coward · · Score: 0

    I've heard mumbling of Apple's Mac OS 9 or OS X using some sort of voice ID for passwords. So when you login I guess you say "Open sesame" or whatever and it validates you as whatever user. From what I know (very little) of voice prints, this seems like it would be quite secure if it were done right. Coming from Apple, I dunno, they do great stuff with some things and a complete half-ass job on others. "Sorry boss I got laryngitis I can't login and do work today"

  87. New MacOS (on topic, really) by Anonymous Coward · · Score: 0

    MacOS 9 will supposedly have a password API that application vendors can take advantage of to authenticate users. The password database will be loaded when a user logs on (yes, it will support multiple users thru logons). This system will also support http and other internet protocol passwords. Even more nifty, one's "computer password" (used at logon) can take advantage of voice recognition.
    Thus, you can have a reasonably secure set of passwords (protected behind a pw and, if you like, your voice) that are automatically handed out as needed.
    Say what you want about apple, but they know what's up in ease of use.

    --grossdog (who is on a new computer and, gasp, can't remember his /. pw)

  88. Irony by HerrNewton · · Score: 1

    Is anyone else catching the irony, here? NYT is just adding to a vicious circle by requiring people like me, who don't have an NYT password, to *gasp* register for an NYT password!!!

    I remember an article on /. a few weeks back. The NYT had an article on Online Privacy, but you had to register to read it. Now that's ironic.

    Just waiting for MacOS 9's keychain. Lets you store all your various passwords in one, tightly encrypted and portable keychain which you can unlock with one master password. Just hope MacOS 9's voice recognition passwords carry through to keychain!

    --

    ----
    Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?

  89. The problems with passwords... by Gestahl · · Score: 1

    Is usually not the password or the security system. It's the people who use them. For example, at work I have people every day who tell me their passwords because they don't have the time of day to stay and login as Administrator on their NT boxes while I fix their dumbass problems. Furthermore, many passwords can be guessed due to their simplicity (almost half are the reverse of their login or their login + #). Of course, this is to be expected since the human brain is meant to generate and remember patterns, not random characters. Perhaps even more unbelievable is the fact that almost any employee can call the helpdesk and have their password reset. With _no_ ID check.

    On top of that, the real problem is not people getting into a system with passwords. The real security problem is the idiot things people can do while logged in as a high security user. It's amazing what they do. Many people, mostly experienced techs (with high privileges on the system), login outside the firewall and the security features therein, and access high risk sites (not pr0n but warez and other sites due to high access speeds). Therefore, the password security and access standards don't need to be revised, the user's intelligence does.
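The two weak patterns the post names (the login reversed, and the login plus a number) are cheap to reject at the moment a password is set. As an added example, not from the original thread, here is such a check together with an audit over constructed sample accounts; the suffix character set is this example's assumption.

```python
import re

# Added example. Rejects the login-derived passwords the post describes
# (login reversed, login plus "#") and their obvious neighbours. The sample
# accounts at the bottom are constructed for the demo, not real data.

SUFFIX = r"[0-9!@#$%^&*_.-]{1,3}"   # the "#" in "login + #", plus common symbols


def login_derived(login: str, password: str):
    """Return a reason when `password` is built from `login`, else None.

    Comparison is case-insensitive, since changing case is the usual tweak
    people apply to a login to make it look like a password.
    """
    lo, pw = login.lower(), password.lower()
    if pw == lo:
        return "password equals login"
    if pw == lo[::-1]:
        return "password is login reversed"
    m = re.fullmatch(re.escape(lo) + "(" + SUFFIX + ")", pw)
    if m:
        return "password is login plus %r" % m.group(1)
    m = re.fullmatch(re.escape(lo[::-1]) + "(" + SUFFIX + ")", pw)
    if m:
        return "password is reversed login plus %r" % m.group(1)
    return None


SAMPLE_ACCOUNTS = [          # constructed (login, chosen password) pairs
    ("jsmith", "htimsj"),
    ("bob", "Bob1"),
    ("alice", "Tr0ub4dor&3"),
    ("carol", "CAROL"),
    ("dave", "dave!"),
    ("erin", "nire99"),
    ("frank", "frankly"),
]


def audit(accounts):
    """Map each login whose password is login-derived to the reason."""
    flagged = {}
    for login, password in accounts:
        reason = login_derived(login, password)
        if reason is not None:
            flagged[login] = reason
    return flagged


if __name__ == "__main__":
    flagged = audit(SAMPLE_ACCOUNTS)
    for login, reason in flagged.items():
        print(f"{login}: {reason}")
    print(f"{len(flagged)} of {len(SAMPLE_ACCOUNTS)} accounts flagged")
```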

  90. Gartner Group by Anonymous Coward · · Score: 0

    Does anyone else not believe any numbers this group publishes? $340 per user? Gimme a break. I think this company also estimates the TCO of a PC at like $10,000. I hate groups like that, they way overblow the cost of everything just to seem like they're actually doing some useful and important research. Gimme a break.

  91. Annoying free login thing by Anonymous Coward · · Score: 0

    Every time there is a link to the NY times articles from /., I just get a new password with a new fake name/email address. My personal favorite combination is Name: Fake Name email: fakeemail@isp.com. I don't know why they make you register, it's not like I'm going to remember my password. And if they do it to get user information, I'm willing to bet more than half the information they get is fake anyway. Guess this isn't really related to the article, but I just think websites that you have to log into are annoying.

  92. Passwords... by Spazmoid · · Score: 1

    Much of this will change when things like retinal scanners, thumbprint scanners and infrared face scanners come out. Me, I am waiting for voice print access that can filter out good copies of my voice. (possible even programmed to ask questions only I can answer such as what happened the night of June 28 1992?)(Answer: I lost "ScRaMbLeD ThE ReSt" )

  93. Garbage, secure ID, and biometrics by wilkinsm · · Score: 1

    When I played sysadmin, we ended up assigning passwords like 7fesy3q and let the user change them at their own risk. Of course we would run crack daily, so this would discourage this unless they follow the strict "acceptability" rules.

    When I have to play the letters/numbers game, sometimes I pick a radio station as a password like 8950kbaq.

    I've also seen secure ID badges too.

    What we really need is biometrics everywhere.