
Strong Passwords Not As Good As You Think

CmdrTaco posted more than 5 years ago | from the still-better-than-'password' dept.

Security 553

Jamie noticed that Bruce Schneier wrote a piece on a paper on strong passwords that tells us that the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped. They make things hard on users, but are useless against phishing and keyloggers. Everyone can change their password back to 'trustno1' now.


553 comments


HEY! (0, Redundant)

macbeth66 (204889) | more than 5 years ago | (#28676197)

How did you know my password?

Re:HEY! (3, Funny)

Mattcelt (454751) | more than 5 years ago | (#28676573)

Ha! Dumbass. You need a better password now, like the one I have on my luggage: 1-2-3-4-5

Re:HEY! (4, Funny)

Yvan256 (722131) | more than 5 years ago | (#28676671)

1-2-3-4-5? That's amazing. I've got the same combination on my planetary air shield!

Re:HEY! (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#28676767)

LoL... obligatory Spaceballs reference.

Re:HEY! (0)

Anonymous Coward | more than 5 years ago | (#28676761)

What?? There's nothing wrong with using a randomly-generated sequence of numbers for your combination.

Re:HEY! (1)

Omniscient Lurker (1504701) | more than 5 years ago | (#28676645)

According to TFS you have a keylogger on your computer. I suggest you kill it with fire, but not in Soviet Russia, because "in Soviet Russia, keylogger fire kills with you.".

News at 11 (4, Insightful)

sweatyboatman (457800) | more than 5 years ago | (#28676251)

If your computer is hacked then you're boned.

Seems to me that the solution is to have a strong password and keep your computer free of malware.

Is that really so hard?

Re:News at 11 (4, Interesting)

DrLang21 (900992) | more than 5 years ago | (#28676293)

There's another problem at the work place. I have to change my password every 4 months to a moderately strong password. It cannot be a password I have used in the last 6 months or any of my last 6 passwords. The result? My password is prominently tacked up on my cubical wall. Seriously I can only remember so many passwords before I just can't do it anymore. If I enter the wrong password 3 times, my account locks up.

Re:News at 11 (5, Insightful)

Tridus (79566) | more than 5 years ago | (#28676325)

Yeah, this.

"Security" people who don't know anything about non-IT users like to make password rules that are so obtuse that normal users simply can't deal with them. The result is sticky noted passwords.

Users have to be able to remember their passwords in order for this security to be of any use. Push them beyond that ability, and you're actively making the situation worse.

Re:News at 11 (5, Insightful)

Allicorn (175921) | more than 5 years ago | (#28676409)

So write it down and put it in your wallet with your credit card.

Unless - of course - you routinely tack your credit card to your cubicle wall. No? Didn't think so.

Re:News at 11 (4, Insightful)

Talennor (612270) | more than 5 years ago | (#28676555)

Do you have to enter your credit card number every time you want to access your computer? No? Well that's why it's in your wallet and not more easily accessible.

Re:News at 11 (3, Insightful)

quangdog (1002624) | more than 5 years ago | (#28676463)

normal users simply can't deal with them. The result is sticky noted passwords.

This gets especially problematic when the janitorial staff comes through one night and decides all those pesky post-its (and, indeed, most every paper/seeming clutter on every desk) needs to get cleaned up and thrown out.

Really happened where I worked, once.

But just once.

Re:News at 11 (5, Insightful)

ArhcAngel (247594) | more than 5 years ago | (#28676639)

Agreed, but what I find even more mind numbing is the places that require you to have a password that is between 6 to 10 characters in length (6 for a "strong" password and 10 because their system can't handle passwords any bigger) and must have at least two numbers in them as well as one upper case or some such. If the person/group trying to crack your system knows about these requirements (which isn't hard to find out if you plaster it on the logon screen) it greatly reduces the number of permutations they even have to try. You have basically handed them a filter and said "Don't bother looking for anything that doesn't contain the following....."
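Worked example, added here and not part of ArhcAngel's comment, putting a number on how much of the search space a rule like "at least two digits and at least one upper-case letter" removes. It assumes a 62-character alphabet (26 lower, 26 upper, 10 digits; symbols left out to keep the count simple) and the 6-to-10 character window from the comment, and it validates its inclusion-exclusion formula by exhaustive enumeration on a tiny alphabet:

```python
from itertools import product
from math import log2

# Assumed character classes: 26 lower, 26 upper, 10 digits. Symbols are left out
# so the count stays simple (constructed assumption, not from the thread).
LOWER, UPPER, DIGIT = 26, 26, 10


def unconstrained_count(length, lower=LOWER, upper=UPPER, digit=DIGIT):
    """Every string of this length over the full alphabet."""
    return (lower + upper + digit) ** length


def constrained_count(length, lower=LOWER, upper=UPPER, digit=DIGIT):
    """Strings with at least two digits AND at least one upper-case letter.

    Counted by inclusion-exclusion over the complementary events
    A = fewer than two digits, B = no upper-case letter:
        |>=2 digits and >=1 upper| = total - |A| - |B| + |A and B|
    """
    def fewer_than_two_digits(non_digit_size):
        # zero digits, or exactly one digit placed in one of `length` positions
        return (non_digit_size ** length
                + length * digit * non_digit_size ** (length - 1))

    total = (lower + upper + digit) ** length
    a = fewer_than_two_digits(lower + upper)      # any case, fewer than 2 digits
    b = (lower + digit) ** length                 # no upper-case letter at all
    a_and_b = fewer_than_two_digits(lower)        # no upper AND fewer than 2 digits
    return total - a - b + a_and_b


def bits_lost(length, **classes):
    """Bits of search space the rule removes at one fixed length."""
    return log2(unconstrained_count(length, **classes)
                / constrained_count(length, **classes))


def policy_keyspace(min_len, max_len, **classes):
    """Total candidates someone who knows the rule must consider."""
    return sum(constrained_count(n, **classes) for n in range(min_len, max_len + 1))


def brute_force_count(length, lower, upper, digit):
    """Exhaustive count on a tiny alphabet, used to validate the formula."""
    alphabet = (["l"] * lower) + (["u"] * upper) + (["d"] * digit)
    hits = 0
    for kinds in product(alphabet, repeat=length):
        if kinds.count("d") >= 2 and "u" in kinds:
            hits += 1
    return hits


if __name__ == "__main__":
    # sanity check of the formula against enumeration: 2 lower, 2 upper, 2 digits, length 4
    assert constrained_count(4, 2, 2, 2) == brute_force_count(4, 2, 2, 2)
    for n in range(6, 11):
        print(f"length {n:2d}: {bits_lost(n):.2f} bits removed by the rule")
    print("6-10 chars with the rule:   ", policy_keyspace(6, 10))
    print("6-10 chars without the rule:", sum(unconstrained_count(n) for n in range(6, 11)))
```

At length 6 the rule throws away roughly 77% of the candidates (about 2.1 bits); the far bigger loss in the policy described above is the 10-character ceiling, since every extra character of length adds close to 6 bits while the composition rule only costs a couple.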

Re:News at 11 (1)

ParanoiaBOTS (903635) | more than 5 years ago | (#28676651)

The way we deal with this is that every computer in the office has a biometric scanner attached. External to the office users may use a traditional strong password to log in.

Re:News at 11 (4, Interesting)

bbernard (930130) | more than 5 years ago | (#28676683)

This kind of thinking is, well, disappointing. Yes, it would be "easier" for you the user to not need such a strong password. That would be one way of looking at it. I think it would be easier, too, if I didn't need to look both ways for pedestrians while backing out of my driveway every day. What are the chances that I'm going to hit a pedestrian? Pretty small, but I need to look for them anyway.

There are just some things that we all have to do, even if they are "hard." So may I suggest that instead of complaining that passwords are too hard to remember, perhaps you could try using a couple of tools.

1. Use something like password safe for all those "useless" passwords. You know, the ones for Yahoo, Google, Slashdot, etc.

2. Teach yourself an easy way to create complex passwords. Use the first letter of each word in a silly phrase like "Snoopy Prefers @nchovies 0n his 8rick Oven pizza." (SP@0h8Op) Or pick some other way of remembering these things.

3. Or, install a backup camera so you don't need to look around for those pedestrians.

Just my 2 cents.

Strong passwords (0)

Anonymous Coward | more than 5 years ago | (#28676753)

should only expire when you suspect they have been compromised.

If you're changing your password every 30 days, the value you get from cracking it is heavily reduced and so it isn't WORTH cracking.

Re:News at 11 (4, Funny)

grumpyman (849537) | more than 5 years ago | (#28676685)

"Security" people who don't know anything about non-IT users like to make password rules that are so obtuse that normal users simply can't deal with them. The result is sticky noted passwords.

.... while sys admin uses "admin" as password on servers/switches without the need to change, ever?

Re:News at 11 (2, Informative)

MadKeithV (102058) | more than 5 years ago | (#28676813)

Oh how I wish you were kidding, but experience confirms that you are not.

Re:News at 11 (1)

cavtroop (859432) | more than 5 years ago | (#28676775)

Um, hire intelligent users? We know that isn't going to happen though. So take your password, keep it in your wallet. You don't leave that lying around, do you?

Or, have one master password (use that for your machine password), and PasswordSafe to store all your other passwords. You can remember one password, right? Even if it's slightly complex?

Security requires all parties to work together, or it's useless and easy to circumvent.

Re:News at 11 (1)

vadim_t (324782) | more than 5 years ago | (#28676781)

Users have to be able to remember their passwords in order for this security to be of any use. Push them beyond that ability, and you're actively making the situation worse.

No, not really.

If people at your office can be trusted, you don't really take a huge risk by having a postit with the password. The complicated password, however, makes it much harder to brute force from the outside, or to brute force a compromised hashed password DB.

A few years back somebody managed to grab the Second Life password database. My password was something like "KKVRJTVRq8KI1eVL", so I could be quite sure that whoever got the DB would have first instantly cracked the several thousands of "password" and "secret" passwords in the DB (there were about a million accounts at the time), and mine would be way down the list, so I could reasonably expect it would resist attempts at cracking while I was getting around to changing it. If I had that password stuck to my monitor it wouldn't have changed any of this in the slightest.

If your password is a unix account password that's accessible through ssh and present on an externally accessible server, you can bet that if your choice was "password" or "secret" your account will be broken into soon enough. There's quite a lot of machines out there trying that sort of thing against each ssh server.

Re:News at 11 (1)

BrokenHalo (565198) | more than 5 years ago | (#28676407)

My password is prominently tacked up on my cubical wall.

A cubical wall? Nice. I hope it has a doorway in it...

Re:News at 11 (2, Informative)

Secret Agent X23 (760764) | more than 5 years ago | (#28676529)

There's another problem at the work place. I have to change my password every 4 months to a moderately strong password. It cannot be a password I have used in the last 6 months or any of my last 6 passwords. The result? My password is prominently tacked up on my cubical wall. Seriously I can only remember so many passwords before I just can't do it anymore. If I enter the wrong password 3 times, my account locks up.

We have this policy on our timekeeping system. I re-use the same password with a number from 1 to 6 appended to the end. When it's time to change the password, I just change the last number. After 6, go back to 1.

Re:News at 11 (3, Interesting)

Hognoxious (631665) | more than 5 years ago | (#28676765)

I once worked at a place where you couldn't have more than 2 characters in common with any of the last N, so that wouldn't work.

Re:News at 11 (5, Insightful)

tie_guy_matt (176397) | more than 5 years ago | (#28676615)

Another problem with password rules that rotate too fast and have too many rules is that you end up with many users who are locked out of their accounts. I imagine if the helpless desk gets 100 requests a day to reset account passwords then after a while they become less careful to ensure that the person requesting a password reset is actually the person that owns the account. Personally the more stupid password rules I encounter the more likely I am to try to come up with a password that is easy to guess (since I will be the one guessing the password in a little while.)

Re:News at 11 (0)

Anonymous Coward | more than 5 years ago | (#28676623)

It's like Harry Potter!

Re:News at 11 (0)

Anonymous Coward | more than 5 years ago | (#28676689)

... and somewhere in the system is a record of your last six passwords, which might make it easier to guess your current password even if you don't post a sticky-note anywhere.

Re:News at 11 (3, Insightful)

Hognoxious (631665) | more than 5 years ago | (#28676809)

The system doesn't need to store any passwords, not even the current one. It's called a one way hash.

Re:News at 11 (1)

clone53421 (1310749) | more than 5 years ago | (#28676831)

If it's done right...
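What "done right" looks like in practice, as an added example that is not part of either comment above: a store that keeps only salted one-way hashes, for the current password and for a bounded history, and still enforces the "not one of your last N" rule without ever holding plaintext. It uses PBKDF2-HMAC-SHA256 from the standard library; the work factor and history depth are constructed values chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

ITERATIONS = 100_000   # PBKDF2 work factor; constructed value, tune for your hardware
HISTORY_DEPTH = 6      # "not any of my last 6 passwords", the policy quoted in the thread

Record = Tuple[bytes, bytes]   # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Record:
    """Salted one-way hash. A fresh random salt per password means two users (or
    one user at two points in time) with the same password get different digests,
    so the store itself does not reveal reuse."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, record: Record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class PasswordStore:
    """Holds only hashes: the current one per user plus a bounded history.

    Rejecting reuse needs no plaintext: the candidate password is verified
    against each retained hash, which is the same check used at login."""

    def __init__(self) -> None:
        self.current: Dict[str, Record] = {}
        self.history: Dict[str, List[Record]] = {}

    def set_password(self, user: str, new_password: str) -> bool:
        previous = self.history.get(user, [])
        retained = previous[-HISTORY_DEPTH:]
        if user in self.current:
            retained = retained + [self.current[user]]
        if any(verify(new_password, rec) for rec in retained):
            return False                          # matches current or a recent password
        if user in self.current:
            # the old current record moves into the history, oldest entries drop off
            self.history[user] = (previous + [self.current[user]])[-HISTORY_DEPTH:]
        self.current[user] = hash_password(new_password)
        return True

    def authenticate(self, user: str, password: str) -> bool:
        record = self.current.get(user)
        return record is not None and verify(password, record)


if __name__ == "__main__":
    store = PasswordStore()
    print(store.set_password("alice", "first choice"))     # True
    print(store.set_password("alice", "first choice"))     # False: same as current
    print(store.set_password("alice", "second choice"))    # True
    print(store.set_password("alice", "first choice"))     # False: in history
    print(store.authenticate("alice", "second choice"))    # True
```

The caveat the earlier comment about "a record of your last six passwords" is pointing at still applies: each history entry is one more salted hash that can be attacked offline if the database leaks, so keep the history short and the work factor high, and treat the history table with the same care as the live credentials.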

Re:News at 11 (1)

wjh31 (1372867) | more than 5 years ago | (#28676697)

What is the point in changing a password at all? If someone has discovered your password I imagine they would be unlikely to wait to use it. "Oh damn, I waited 3 months and now the password doesn't work." If your account has been compromised, you need a new password (and to figure out how it happened to prevent it); if your account is safe, it's safe.

Re:News at 11 (-1, Flamebait)

BitZtream (692029) | more than 5 years ago | (#28676705)

So every 4 months, taking a few seconds to learn a new password which you will then proceed to use every day for the next 4 months is too much effort for you eh?

Fortunately, many companies have policies to help people like you out. It generally involves working for some other company afterwards, however.

I hear you, passwords are hard, giving a shit about what you do is hard.

You should probably find a new job that doesn't require you to have a memory better than a snail if you don't like the policy rather than just making your own rules because you can't be bothered to follow the ones that are in place.

It's good that you think you know better than the people in your company that are paid to make those decisions. Maybe you do, maybe you know better than everyone else. Of course you do. That's why you're in charge and setting these sort of policies is your responsibility.

Stop being a lazy fuck and do what you're supposed to or find a new job.

Re:News at 11 (1)

Deathlok's Bear (695862) | more than 5 years ago | (#28676721)

Every 4 months? Must be nice.

We get the notice to change our password every *15 days*.
Yes, at my company I have to change my password 24 times per year.

At this point I've taken to cycling through passwords until I can just reuse one that I actually remember, rather than complying with the hideous length/complexity/frequency requirements.

Why we haven't moved to Digipass or something significantly less annoying, I don't know.

Re:News at 11 (1)

Zerth (26112) | more than 5 years ago | (#28676725)

An example password for such situations

[i1!][a@]m[l1!][e3][e3][t7]

that gives you 144 combinations if your system just requires a mix of letters and not letters, not counting upper-vs-lower, or something like half if your password requires letters, numbers, and symbols every time.

Can't remember which you've used recently? Write down past choices using just the letter A for letters, S for numbers, and D for symbols in place of the actual character.

E.g. ADASSSA for i@m133t

That way someone won't mistake it for a real password and yell at you for writing it down, since it would fail the complexity test I assume your password changer enforces.

It might take you a while to come up with a phrase sufficiently variable without being ambiguous, but then you'll be set for years even if you change passwords weekly.

Re:News at 11 (0)

Anonymous Coward | more than 5 years ago | (#28676733)

It is true about Salesforce.com and some web hosting providers.
1. Change your password
2. Password must be longer than 8 characters
3. Password must contain numbers, uppercase and lowercase
4. Passwords cannot be reused

So you resort to using generic stuff that could be easily cracked with a dictionary, or you write it down

Re:News at 11 (1)

fluffernutter (1411889) | more than 5 years ago | (#28676741)

The solution for you would be KeePass [keepass.info]

what I tell my people (0)

Anonymous Coward | more than 5 years ago | (#28676795)

When people say they can't remember their passwords I tell them to write half of it down on one piece of paper and half down on another. Keep the papers in different places, maybe half in your purse or wallet and half in your desk.

I tell them very bluntly that "this is only temporary until you memorize it. After A FEW DAYS shred the papers."

Yes, this creates a security risk, but it's contained and is an acceptable risk in our environment.

Oh, we have quarterly password changes and no-last-N-password and must-be-hard-password requirements on our systems.

The one thing I don't do is go back a week later and ask if they've memorized their password yet. That's outside my political authority.

Obviously anonymous for this.

Re:News at 11 (1)

KillerBob (217953) | more than 5 years ago | (#28676825)

Exactly what I was going to say... I have never had a problem remembering passwords myself (I usually take a phrase, translate it into another language, transliterate it back into English, and then replace a couple of characters with numbers... so if I were to pick "everything's alright", in Japanese that's "ii desu", I could make it more casual and make it "ii desu ne"... remove the spaces, add some numbers, and it becomes "iid3sune".. strong enough to get past the filters, and it's got no meaning in English, so it's hard to guess....

But others don't have the luxury. By having arcane and obtuse password security rules, all you end up doing is obfuscating things. People aren't going to remember hard passwords, and so they end up either picking something that's completely insecure, or they end up writing down their passwords. I worked at one place where almost everybody in the building had a password that was (name of the company) + (sequential number). so if it was your first password, it'd be "sparklies01" (changing the name of course), you change your password after 30 days and it becomes "sparklies02".... what the heck is the point in even having a password if it's set up like that?

I think it's more secure to allow people to set weak passwords. They aren't going to be easily brute forced with a dictionary attack, especially not with policies that lock the account after 3 failed attempts, but they're also not going to be something that's so hard to remember that it ends up getting written down, or following a sequence that's laughably insecure.

Re:News at 11 (1)

lilo_booter (649045) | more than 5 years ago | (#28676827)

Probably old hat, but how about taking an album you know well, and using the first line of each song to generate your password - like 'I see a little silhouetto of a man' becomes 15al50am (assuming you stick to a few fixed rules for substitution in your alpha nums) - then all you have to do is write 'bohemian rhapsody' or the track number on your post it :-).

Before anyone tries, no, that is not my password...

Re:News at 11 (1)

DoofusOfDeath (636671) | more than 5 years ago | (#28676483)

If your computer is hacked then you're boned.

So am I if my computer is boned?

Re:News at 11 (1)

jonhaug (783048) | more than 5 years ago | (#28676563)

If your computer is hacked then you're boned.

Seems to me that the solution is to have a strong password and keep your computer free of malware.

Is that really so hard?

So you didn't read the paper, or how do you defend the use of strong passwords that the author did not think of? Anyway, if there is only "your computer", then things are significantly simpler. A typical user has to remember at least 20 passwords all over. (Waiting for the Slashdot poll "How many passwords do you have to remember and how many of them are different?") - J

Woo hoo! (2, Funny)

BobSixtyFour (967533) | more than 5 years ago | (#28676257)

Yes! Now i can change my password back to password!

Re:Woo hoo! (1)

Yvan256 (722131) | more than 5 years ago | (#28676743)

At least those of us who speak French have much better passwords. Mine is 10 characters long, that's 2 characters better than yours!

c'mon (4, Funny)

greebowarrior (961561) | more than 5 years ago | (#28676265)

surely we should all be changing our passwords back to "Joshua"?

Re:c'mon (1)

gnick (1211984) | more than 5 years ago | (#28676487)

A little off-topic, I guess, but Joshua has got to be one of the nerdiest passwords around (although any nerd worth his salt would salt it appropriately.)

I took a week-long network security/penetration course from this guy [counterhack.net] who literally named his first-born Joshua just as a tribute.

Re:c'mon (2, Funny)

maxume (22995) | more than 5 years ago | (#28676603)

At least it is a reasonable name. If he named his kid Swordfish...

Re:c'mon (1)

DoofusOfDeath (636671) | more than 5 years ago | (#28676613)

surely we should all be changing our passwords back to "Joshua"?

Yeah? You want to play a game, mothafucka???

Hang up your punk-ass modem and step down. She-it.

(Okay, I probably need to stop watching The Wire before I go to work.)

And this is news how? (5, Insightful)

damn_registrars (1103043) | more than 5 years ago | (#28676287)

I wouldn't expect that anyone smart enough to come up with a strong password would be dense enough to somehow expect it to be immune to keylogging. However with the number of brute force methods out there for cracking weak passwords, I don't see how this in any way reduces the value of strong passwords on systems where passwords are critical.

I'll repeat what I've said before: Use sentences. (3, Informative)

kinabrew (1053930) | more than 5 years ago | (#28676289)

I advise people to use unusual sentences as passwords.

For example, look at the previous sentence.

I advise people to use unusual sentences as passwords.

It contains uppercase letters, lowercase letters, spaces and punctuation.

It's easy to remember, and hard to guess, so users are unlikely to forget it/write it down.

And even if you did write down your sentence/password near your computer, people might not even guess that it was your password.

limited application (3, Insightful)

damn_registrars (1103043) | more than 5 years ago | (#28676387)

Sentences as passwords are only applicable in environments that allow such things. Sure, they are very strong for hacker-resistance but you should realize how many systems don't allow:
  • spaces
  • passwords longer than 16 characters

In particular many *NIX environments still don't natively allow spaces in passwords, so that approach would fail there.

Re:limited application (3, Informative)

MrMr (219533) | more than 5 years ago | (#28676643)

In particular many *NIX environments

I have used passwords with spaces since the 1990s on AIX, IRIX, HP-UX, Solaris and Linux and have only seen that happen on poorly written SQL code (deliberately put there by some ignorant web developer).

Which environment would that be?

Re:limited application (1)

SatanicPuppy (611928) | more than 5 years ago | (#28676699)

I tend to use sentences, but instead of using a sentence like: "This sentence would make a crappy password."

I'd reduce it as follows: "Tswmacp." Capital letters where capital letters would be in the sentence, include punctuation, and there you go.

The biggest problem with it is that, in the English language, certain letters are unlikely to ever start a word, so it reduces the frequency a bit, and also, there aren't many numbers, even if you transliterate words like "to" to "2".

So I pull out quotations from books: "Say to yourself in the early morning: I shall meet today inquisitive, ungrateful, violent, treacherous, envious, uncharitable men. Marcus Aurelius Meditations Book 2, 1st paragraph"

And you get this: S2yitem:IsmtiuvteumMA2,1

That one's pretty long, and commas may be verboten in your system, but you get the point. It's got a built-in mnemonic, and you can look it up in the book if you forget it.

Re:limited application (1)

Yvan256 (722131) | more than 5 years ago | (#28676807)

So what? His password becomes "iadvisepeopletou". Simple enough, AND you can still put a sticky note on the monitor and most people wouldn't know it's the password.

It could also be the same thing but backward from the last character. Could be backward but forward with the complete words. Could be from the 2nd or 3rd word in the sentence, etc.

Re:limited application (2, Informative)

Rob Riggs (6418) | more than 5 years ago | (#28676843)

The biggest problem of all is that there is no standard to what should be allowed in a password. I have had banks tell me that punctuation is not allowed in passwords.

Some require uppercase, lowercase and numbers.
Some require specific complexity; most do not
Some require a symbol.
Some don't allow a symbol.
Some require at least 8 characters.
Some allow at most 8 characters.

Really, it's just stupid. Until some standards body issues requirements in internet password practices that financial institutions are required to implement, it is just a lost cause.

Re:limited application (1)

blackraven14250 (902843) | more than 5 years ago | (#28676845)

Pick the letter n+1 (n is # of word) of each word in the sentence, put in reverse order, add in a 10-n after each occurrence of arbitrary letters (Maybe the ones in the person's name?). Granted, there's a small algorithm, but the sentence itself could easily be linked in someone's memory to how to use it. Also, after about 10-15 tries, they'll remember the password.

On a side note, anyone who can't do something like this can't remember 3 directions. Which is nobody. The real problem would be with people's willingness to learn it.

Re:I'll repeat what I've said before: Use sentence (1)

s7uar7 (746699) | more than 5 years ago | (#28676401)

At least read the summary, if not TFA! How will that help against phishing and keyloggers?

Re:I'll repeat what I've said before: Use sentence (4, Funny)

Nerdfest (867930) | more than 5 years ago | (#28676403)

Slashdot is an excellent source of many of these sentences, as with spelling mistakes they're even harder to brute-force.

Re:I'll repeat what I've said before: Use sentence (1)

Looce (1062620) | more than 5 years ago | (#28676451)

So, uh... passphrases?

Re:I'll repeat what I've said before: Use sentence (0)

Anonymous Coward | more than 5 years ago | (#28676465)

Tell that to application developers at banks, utilities, and other important accounts that only allow alpha-numeric characters in the password. Who still limits passwords to max 10 characters? Aren't we all salting and hashing anyway?

How can we put pressure on the application developers to allow us stronger passwords? I can't necessarily change banks or utility providers easily.

Re:I'll repeat what I've said before: Use sentence (1)

clone53421 (1310749) | more than 5 years ago | (#28676489)

They'd also have to be a pretty good typist, since they can't see what they've typed. Plus, the password box doesn't visibly change to reflect the extra keystrokes after it's full, so you can't tell if you hit an extra letter. If you only get 3 tries before your account locks out, this might not be a very good idea.

Then of course most passwords can't be longer than a certain length, which the other reply already mentioned.

Re:I'll repeat what I've said before: Use sentence (1)

goombah99 (560566) | more than 5 years ago | (#28676557)

I agree, except to improve upon this, you can just use the first few letters of each word, or even just the first letter.

This keeps the passwords reasonably short, which is good both for typing quickly (and from just finger muscle memory) as well as being better in cases where passwords are truncated by the system in use.

Moreover, beyond the first few letters the entropy added by the remaining letters is dropping swiftly, so they add less protection if someone knows you are using whole words.

Additionally if you write the sentence on the wall, but are using only the first few letters of each word, it adds enough obfuscation that someone present at your desk and seeing the sentence probably won't have time to work out your cleverness.

Re:I'll repeat what I've said before: Use sentence (1)

furby076 (1461805) | more than 5 years ago | (#28676745)

1) The application can only handle X amount of characters where X is less than the sentence
2) You need to have symbols in there (e.g. '*')
3) You need to change this once per month
4) You have multiple systems which require passwords
5) Passwords may not be repeated

All of this = reasons why your password method may not be the best.

There is a reason why ma-bell made phone numbers seven digits long and it's not because ma-bell anticipated the need to use every 10 million number combinations...it's because 7 digits is what the human brain can easily remember. Easily being "you remember this once" not "you need to remember a new number every month, including different character sizing, symbols, etc"

I met Bruce Schneier in an elevator once (1, Interesting)

Anonymous Coward | more than 5 years ago | (#28676297)

and he autographed my copy of Applied Crypto for me, and he copied a little puzzle inside the front cover. It was a 3x3 matrix of numbers. I could never make heads nor tail of it. Has anyone else seen this and solved it? I'm at work so I do not have my copy of applied crypto with me, or I'd attempt to post the puzzle.

Re:I met Bruce Schneier in an elevator once (1)

TinBromide (921574) | more than 5 years ago | (#28676625)

I think it may have been one of the nine sub-squares in his sudoku puzzle he was working on before you interrupted him to sign your book.

Simple solution (3, Insightful)

L4t3r4lu5 (1216702) | more than 5 years ago | (#28676301)

Biometric authentication.

No problems there! [bbc.co.uk]

Re:Simple solution (1)

HogGeek (456673) | more than 5 years ago | (#28676525)

I've often thought about this, and my only concern would be:

If one works with, or has access to "truly useful" (read highly "valuable") data, then one is subjecting oneself to losing a digit (or eye, or something) :-)

Re:Simple solution (3, Insightful)

Itninja (937614) | more than 5 years ago | (#28676763)

Biometrics are not as bullet-proof as many people think. With many fingerprint scanners, for example, one can fool them with little more than a xerox copy of the needed fingerprint. I am more of an advocate of three factor security, instead of just trading one single-factor method for another.

We should have biometrics, passwords, and proximity smartcards.

Re:Simple solution (1)

sesshomaru (173381) | more than 5 years ago | (#28676821)


We should have biometrics, passwords, and proximity smartcards.

But, Brain, isn't that a bit much to access a cash register at Chuck E. Cheese's? Narf!

Throwing the baby out with the bathwater? (3, Insightful)

Anonymous Coward | more than 5 years ago | (#28676303)

So because something that's good against brute-force attacks, but isn't against phishing and keyloggers, we should stop doing that? Phishing and keylogging are a result of strong passwords. So you need to implement adequate measures against those instead of saying strong passwords are useless.

If users have a hard time remembering their passwords, train them in it. Using phrases from which you take letters of which some are substituted with letters are very easy to remember for a user, yet very hard to bruteforce because you can make them quite long easily.

Re:Throwing the baby out with the bathwater? (5, Insightful)

Anonymous Coward | more than 5 years ago | (#28676341)

Exactly.

the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped. They make things hard on users, but are useless against phishing and keyloggers.

It's like saying that the locks on our doors aren't good enough anymore because people are breaking into our windows -- so we should stop locking our doors? Doesn't make sense either.

Re:Throwing the baby out with the bathwater? (4, Insightful)

maxume (22995) | more than 5 years ago | (#28676479)

It's more like pointing out that a $25 lock is probably sufficient for a house with 25 glass windows (as opposed to a $100 lock).

Re:Throwing the baby out with the bathwater? (1)

nelsonal (549144) | more than 5 years ago | (#28676601)

I knew a guy with an old convertible soft top who generally left the top down, since if a thief wanted the radio/valuables in the glovebox etc, he was going to get it anyway and that saved him a slashed soft top (which aren't cheap to replace). You might want to leave your doors unlocked if you're regularly replacing windows that get broken.

Re:Throwing the baby out with the bathwater? (0)

Anonymous Coward | more than 5 years ago | (#28676661)

If you read the article, you find that beyond a certain point, having a better lock is irrelevant. That is, does it matter if I have a $100 lock or a $1000 lock if they will just smash the window on sight of the $100 lock? But if I have a $2 lock then they'll kick in the door.

We need reasonably strong passwords, which the article states is about 20 bits, but we need more complex user IDs if we have less strong passwords.

Re:Throwing the baby out with the bathingwater? (0)

Anonymous Coward | more than 5 years ago | (#28676837)

You do realize that the insane password schemes aren't built against guessing at the login; they're built against someone brute-forcing the password hash. As things have changed, getting the password hash has gotten a lot harder, and generally an administrator account has already been compromised, reducing (but not eliminating) the problem of the passwords getting compromised. That risk has to be balanced against the risk of having passwords on a post-it note next to the computer, which is real and very exploitable. Therefore, there's a significant chance that having a complex password scheme lowers the security of the system.

I love the need to link to Bruce (0)

Anonymous Coward | more than 5 years ago | (#28676317)

I love the need to link to Bruce, but his contribution to this piece is "Strong Web Passwords: Interesting paper from HotSec '07: "Do Strong Web Passwords Accomplish Anything?" by Dinei Florêncio, Cormac Herley, and Baris Coskun."

Really? Did we need to cite his commentary on this one?

My password is 1234 you insensitve clod! (0)

Anonymous Coward | more than 5 years ago | (#28676323)

You thought you could trick me into admitting my password was trustno1? Well, it didn't work.

News for who? (1, Redundant)

wcrowe (94389) | more than 5 years ago | (#28676335)

...but are useless against phishing and keyloggers....

No kidding. Here's another news flash for you: computers do not run on magic crystals.

Re:News for who? (1)

gnick (1211984) | more than 5 years ago | (#28676749)

Are you sure about that? [wikipedia.org]

OK, maybe not completely magic, but close enough to magic for an approximate engineering schematic. That's the big difference I've seen between engineers and scientists. Engineers will typically accept a little bit of magic as long as the result is a functional schematic. Scientists will deny the existence of any magic in the system and dig ridiculously deep into any system showing magical symptoms.

All that aside, I agree. Nobody on Slashdot thinks that a strong password will defend against phishing attacks; only common sense can do that. But, although they won't, strictly speaking, defend against a keylogger on your system, they may help keep the keylogger off.

Sounds dumb to me (2, Insightful)

drinkypoo (153816) | more than 5 years ago | (#28676343)

But maybe it's just the summary? I'll go RTFA right after this, or at least skim it. But since phishing and keyloggers are only two threats, and people can still guess passwords (or brute-force them) I think I'll keep using randomly generated passwords.

"Wrote a piece" apparently means "wrote a sentence" because all Bruce said about the paper is that it was "Interesting", then he C&P'd the abstract. Why not link directly?

Okay, I read the first page of the paper and they say you only need about 20 bits of password so long as there is a three-strikes policy in place. However, this ignores the type of attack where a remote hole allows retrieval of a file, and that hole is used to retrieve the password list. There are also other attacks which would allow one to get hold of your encrypted password, not least by sniffing, which can then be brute-forced without having to worry about three-strikes policies.

In other words, keep your complicated passwords, they are still necessary to defeat dictionary attacks. Security is not something you can buy in the store, it is a mindset that you must adopt. The more factors of security, the better. If you can't memorize a complex password after using it twenty or thirty times, you should start playing memory games or something. Even I can do that and my memory is poor enough to be a liability (and always has been since childhood.) We're all different and excel in different ways, but you owe it to yourself to sharpen certain skills.

I guess the bottom line is that I'd be concerned about employing someone who can't remember a password. You write it down until you memorize it, you treat that piece of paper as precious and secret, you burn it and scatter the ashes (or eat it, or whatever) when you no longer need it. It shouldn't be that difficult for a modern human who can understand how to operate a computer.

This just in! (1)

HideyoshiJP (1392619) | more than 5 years ago | (#28676349)

Bullet proof windows not as safe as previously thought. Under certain conditions, such as a door being unlocked and/or open, a bullet proof window may not keep you safe from robbery at gunpoint.

The same combination as my luggage! (0, Redundant)

mrdoogee (1179081) | more than 5 years ago | (#28676351)

1 - 2 - 3 - 4 - 5

My password is "secret" (1)

miknix (1047580) | more than 5 years ago | (#28676357)

Nobody knows it.

Also useless against Live CD (1)

uncle-gendo (1247352) | more than 5 years ago | (#28676367)

Give me an Ubuntu CD and I'll show you just how useless any password is without encryption...

Re:Also useless against Live CD (1)

Nos. (179609) | more than 5 years ago | (#28676653)

Challenge accepted.

Here's links to an Ubuntu CD.
http://www.ubuntu.com/GetUbuntu/download [ubuntu.com]

I put my password in a plaintext file in my home directory.

Go

YOU iNSENSITIVE CLOD? (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28676411)

hand...don't comprehensive of programming vitality. Like an the 'community' be on a wrong

My password (4, Funny)

Rik Sweeney (471717) | more than 5 years ago | (#28676421)

I sometimes set my password to ******** It sounds stupid but it has two advantages:

1. I know that I've typed in a * because I can see it

and, most importantly

2. When I have to repeat my password to confirm it, I can just copy and paste the previous field, saving me literally seconds of typing

Re:My password (1)

Culture20 (968837) | more than 5 years ago | (#28676687)

3. Audio guessing of keypresses doesn't work when you hold a key down.

Re:My password (2, Funny)

ptbarnett (159784) | more than 5 years ago | (#28676711)

I sometimes set my password to ********

Your password is hunter2? [bash.org]

Weak passwords (1)

CopaceticOpus (965603) | more than 5 years ago | (#28676435)

The summary is missing an important point. The article suggests that weak passwords can be made secure by limiting the number of guesses allowed using a three strikes rule.

However, this solution has some problems. If any old password is allowed, there are 10-20 passwords which are most commonly chosen by all users. These are still likely to be guessed by an automated guessing system.

Also, the three-strikes rule can be circumvented by using a botnet-based attack. A botnet of 50,000 nodes would be allowed 150,000 guesses.

One other benefit to requiring strong passwords is that it may keep users from reusing the password from their Yahoo account, fantasy football account, etc.

Re:Weak passwords (1)

maxume (22995) | more than 5 years ago | (#28676709)

I think it might be safe to do some sort of throttling after a few thousand attempts (I mean something like 3 attempts per IP, and a short wait for new IPs, the user can still make it through that).

Come to think of it, this actually explains to me why my credit union and Yahoo! are using authentication questions now (no need to throttle the authentication step, and no need to lock authenticated users out of guessing at their password during a bot attack).

I would prefer they sent me a token generator, but that's what I get for using such a small institution.
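The three-strikes and per-IP throttling exchange above, as an added example that is not part of the thread or the paper: a small Python simulation of both lockout policies against an attacker who spreads guesses across several source addresses. The accounts, passwords, guess list and IP addresses are constructed for the example, and `LoginService`, `run_attack` and `STRIKES` are names chosen here. It reports which accounts fall, how many guesses the service actually evaluated, and which legitimate users can no longer log in afterwards, which is the collateral cost the per-account rule carries.

```python
"""Added example: online password guessing against two lockout policies.

Constructed scenario (not from the paper or the thread): three accounts,
a short guess list, and an attacker who rotates attempts across N source
IPs. Two policies are compared:

  per_account  lock the account after STRIKES consecutive failures
               (the "three strikes" rule the paper relies on)
  per_ip       block a source IP after STRIKES failures, never the account
"""
from collections import defaultdict

STRIKES = 3

# Constructed sample accounts; the passwords are illustrative only.
ACCOUNTS = {"alice": "trustno1", "bob": "letmein", "carol": "Xq7#mP2v"}

# Constructed guess list, in the order the attacker will try it.
GUESSES = ["123456", "password", "qwerty", "trustno1", "letmein"]


class LoginService:
    """Minimal login endpoint that enforces one of the two lockout policies."""

    def __init__(self, accounts, policy):
        if policy not in ("per_account", "per_ip"):
            raise ValueError(f"unknown policy {policy!r}")
        self.accounts = accounts
        self.policy = policy
        self.fails_by_account = defaultdict(int)
        self.fails_by_ip = defaultdict(int)
        self.checked = 0  # attempts actually compared against a password

    def attempt(self, user, password, src_ip):
        """Return 'locked', 'ok' or 'fail'."""
        if self.policy == "per_account" and self.fails_by_account[user] >= STRIKES:
            return "locked"
        if self.policy == "per_ip" and self.fails_by_ip[src_ip] >= STRIKES:
            return "locked"
        self.checked += 1
        if self.accounts.get(user) == password:
            self.fails_by_account[user] = 0  # success resets the account counter
            return "ok"
        self.fails_by_account[user] += 1
        self.fails_by_ip[src_ip] += 1
        return "fail"


def run_attack(policy, n_bots, accounts=ACCOUNTS, guesses=GUESSES):
    """Attacker walks the guess list against every account, rotating source IPs.

    Returns (cracked, checked, legit_locked): which accounts fell, how many
    guesses the service actually evaluated, and which accounts can no longer
    log in with their real password from a fresh address afterwards.
    """
    svc = LoginService(accounts, policy)
    ips = [f"10.0.0.{i + 1}" for i in range(n_bots)]  # constructed bot addresses
    cracked = {}
    n = 0
    for user in accounts:
        for guess in guesses:
            result = svc.attempt(user, guess, ips[n % n_bots])
            n += 1
            if result == "ok":
                cracked[user] = guess
                break
    checked = svc.checked  # read before the legitimate-user probes below
    legit_ip = "192.0.2.10"  # constructed: the real user's own address
    legit_locked = sorted(
        u for u, pw in accounts.items() if svc.attempt(u, pw, legit_ip) == "locked"
    )
    return cracked, checked, legit_locked


if __name__ == "__main__":
    for policy, bots in (("per_account", 5), ("per_ip", 1), ("per_ip", 5)):
        cracked, checked, locked = run_attack(policy, bots)
        print(f"{policy:12s} bots={bots}: cracked={cracked} "
              f"guesses evaluated={checked} legit users locked out={locked}")
```

With a per-account rule the attacker gets `STRIKES` evaluated guesses per account no matter how many addresses the guesses come from, at the price that every attacked account is locked for its real owner; with per-IP throttling the legitimate user is never locked out, but every extra source address buys the attacker another `STRIKES` guesses.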

Now if only people would take this into account... (5, Insightful)

Lendrick (314723) | more than 5 years ago | (#28676439)

I signed up for a forum a couple of weeks ago. I used the same generic password that I use for every other throw-away site out there, so it's easy to remember the damn thing. When I clicked submit, I got an error message telling me that my password needs a number in it. So I append a '1' on the end to satisfy the filter, and click submit again. I get *another* error message telling me that it needs to be mixed case, so I capitalized the first letter. Now I'll forget the password and never be able to guess the damn thing again, so the next time I want to log in to whatever forum this was, I'll need it to send me an email with a reminder.

It would be really nice if they'd just turn those damn filters off. This forum site isn't a bank. I couldn't give two shits if someone hacks my account there, not that my regular password is particularly guessable anyway. Seriously, my password to your dipshit forum shouldn't have to contain mixed case, three numbers, nine punctuation marks, Egyptian fucking hieroglyphs, and that goddamn symbol the artist formerly known as Prince uses. Failing that, it would be nice if they at least provided some instructions with the password box that say something to the point of "Capitalize the first letter of your generic password and append a 1."

[/rant]

Hide userid - seems like a good idea (1)

hey (83763) | more than 5 years ago | (#28676459)

Like the paper says, userids aren't secrets, but non-secret userids make spam easier. Many companies use initial + last name as the user id, e.g. jsmith. If they also added a random 4-digit number, e.g. jsmith1234, it would make guessing userids harder for spam, and make unauthorized login attempts harder.

The Problem With Passwords (1)

furby076 (1461805) | more than 5 years ago | (#28676495)

The problem is when a company makes the requirements so difficult. For example: a symbol, plus one capital, plus one lowercase letter, plus one number, at least 8 characters, changed every month and never repeated. Then this policy is applied to every system, which, if they are not all AD (Active Directory) controlled, means someone has to remember multiple passwords each month.

What happens? People WILL use post-it notes with their passwords. Security can bitch and moan all they want about this, but the alternative is people calling the helpdesk 5 times a day saying "reset my password".

There needs to be a balance when using passwords: too easy and you have little/no security, too difficult and you force people to find ways to remember their passwords (e.g. post-it notes), killing any security. You would be better off having passwords that are too easy.

If a company is that paranoid about password security then install fingerprint/eye-scanners. They are very inexpensive (sub $100 retail) and you will save users and help desk a world of hurt.

Other methods (1)

OpsFace (1549111) | more than 5 years ago | (#28676513)

Is it time to explore other methods as well? Require a fingerprint reader, a retinal scanner, a few security questions about your mother's maiden name and your favorite childhood pet, a couple of complex math problems, and then insert your driver's license as well as your tongue into a USB device (patent pending)... let's really make sure it's you.

Defense-in-depth (2, Interesting)

Rennt (582550) | more than 5 years ago | (#28676519)

From the article:

Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place.

This may be statistically true, but isn't it missing the point of defense-in-depth? Why rely on three strikes to catch brute-force attempts, when you can also have a password that resists brute force in the first place?

Strong passwords may be overkill (1)

GodfatherofSoul (174979) | more than 5 years ago | (#28676521)

Really, your password has to be two things: unguessable and unique. Unguessable in that no one can read a quick bio of you and start hammering out children's names or birthplaces and unique in that you're not sharing the same password across multiple hosts. That being said, I use the PC Tools Password [pctools.com] tool to generate my passwords. However, this introduces a whole new problem as I now have to maintain and secure a file containing all of these impossible-to-remember passwords that represents the keys to my kingdom.

Change back to trustno1? (0)

BitZtream (692029) | more than 5 years ago | (#28676527)

Until I decided to post this my slashdot password WAS trustno1.

All of the 'strong' password crap also makes crackers ignore easy passwords. Every rule you add for making a 'secure password' limits the combinations available. Every time you make a restriction you are in fact making it easier to brute the password.

Trustno1 has been a great password for years. I've had a honeypot setup for at least 8 years using that password for root and administrator and never has it been tried to authenticate with it, even with the hundreds of thousands of attempts that have been made.

Even the bad guys have been socially engineered into making some very well known passwords great for securing important things, such as slashdot, which used trustno1 for my account until about 30 seconds ago.
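Several comments above argue over numbers: drinkypoo's point that a password file retrieved through a remote hole can be brute-forced offline with no three-strikes limit in the way, hey's suggestion of a random four-digit userid suffix, and BitZtream's observation that every composition rule removes combinations from the space. As an added example that is not part of the thread or the paper, the following Python counts the keyspace a policy leaves (inclusion-exclusion over the required character classes) and compares what that space buys against a three-strikes online attacker versus an offline cracker of a stolen hash. The 3-guess online budget and the 1e9 hashes-per-second offline rate are assumptions chosen for illustration, and `keyspace`, `compare` and the other names are mine.

```python
"""Added example: keyspace left by a password policy, and what it buys
against rate-limited online guessing versus offline cracking of a stolen
hash. Nothing here is taken from the paper or the thread; the online budget
and the hash rate are assumptions for illustration.
"""
import math
from itertools import combinations

# Printable ASCII split into the usual composition-rule classes (94 chars).
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 32}


def keyspace(length, classes=CLASSES, required=()):
    """Count strings of `length` over the union of `classes` that contain at
    least one character from every class named in `required`.

    Inclusion-exclusion: start from all strings, subtract those missing one
    required class, add back those missing two, and so on.
    """
    alphabet = sum(classes.values())
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = alphabet - sum(classes[c] for c in missing)
            count += (-1) ** k * remaining ** length
    return count


def bits(space):
    """Entropy in bits of a uniform choice among `space` possibilities."""
    return math.log2(space)


def online_success_probability(space, guesses):
    """Chance that `guesses` distinct tries hit a uniformly chosen password."""
    return min(1.0, guesses / space)


def offline_expected_seconds(space, hashes_per_second):
    """Expected time to crack a stolen hash by exhaustive search (half the space)."""
    return space / 2 / hashes_per_second


def compare(length=8, strikes=3, userid_digits=4, hashes_per_second=1e9):
    """Report, per policy: bits, online success probability under a
    three-strikes budget, the same with a random userid suffix the attacker
    must also guess, and expected offline cracking time.

    ASSUMED: `hashes_per_second` models a fast unsalted hash; `strikes` is
    the online budget one account allows before lockout.
    """
    policies = {
        "20-bit password (paper's figure)": 2 ** 20,
        f"{length} printable, no rules": keyspace(length),
        f"{length} printable, all four classes": keyspace(length, required=tuple(CLASSES)),
        f"{2 * length} lowercase only": keyspace(2 * length, {"lower": 26}),
    }
    report = {}
    for name, space in policies.items():
        report[name] = {
            "bits": round(bits(space), 1),
            "online p": online_success_probability(space, strikes),
            # A random suffix on a predictable userid multiplies the online
            # target space: the attacker must guess the account name as well.
            "online p with userid suffix":
                online_success_probability(space * 10 ** userid_digits, strikes),
            "offline seconds": offline_expected_seconds(space, hashes_per_second),
        }
    return report


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:38s} {row['bits']:5.1f} bits  online p={row['online p']:.1e}"
              f"  with userid suffix p={row['online p with userid suffix']:.1e}"
              f"  offline ~{row['offline seconds']:.3g} s")
```

Run as-is it prints one row per policy. Two things to read off the table: requiring all four classes does shrink the 8-character space, as BitZtream says, but only by a fraction of a bit, while doubling the length with a single class adds tens of bits; and a 20-bit password that an online attacker with three guesses has a roughly one-in-350,000 chance against falls in about half a millisecond once its hash is in the attacker's hands, which is the gap drinkypoo's comment is pointing at.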

Best Practices (5, Insightful)

Rob the Bold (788862) | more than 5 years ago | (#28676565)

According to the article (cited by the citation): "Users are frequently reminded of the risks: the popular press often reports on the dangers of financial fraud and identity theft, and most financial institutions have security sections on their web-sites which offer advice on detecting fraud and good password practices. As to password practices traditionally users have been advised to . . . "

-Choose strong passwords

-Change their passwords frequently

-Never write their passwords down

I would suggest that this is a case for the popular quip: "Pick two".

Keys (1)

Haiyadragon (770036) | more than 5 years ago | (#28676575)

They make things hard on users, but are useless against phishing and keyloggers.

O RLY?
Unlike, for example, the keys to my home. If I give those to complete strangers they are still quite useful. For picking my nose.

Which passwords are important? (1)

DNS-and-BIND (461968) | more than 5 years ago | (#28676581)

Well, if I'm signing up for a forum or some free email account somewhere, I don't need an industrial-grade uncrackable password. Actually, if my password gets cracked, big deal. It's just some crappy account somewhere. I just love signing up for something because I want to ask a question, and the system refuses my password because it doesn't have two symbols, a mix of uppercase and lowercase, and two different numbers. Oh, Jip*4&nv4X isn't a good password, nix on that! And by the way, here's a brand-new illegible CAPTCHA for you for every new password try, only barely readable by native speakers of English. Anyone else from any other culture who doesn't use the 52 Roman letters, you're out of luck.

Strong passwords don't help against stupidity (1)

prefec2 (875483) | more than 5 years ago | (#28676647)

A strong password is a good thing to protect your front door. Of course it is useless if you tell it to everybody (phishing) or if you install password logging tools that tell the password to a special group of people. But that has nothing to do with the password; it has to do with human behavior. A strong password is good, but it is useless without other security measures. This is no surprise. I hear the loud noise of a rice sack falling over. If I am not mistaken, it comes from China.

Crap Summary (1)

nsteinme (909988) | more than 5 years ago | (#28676829)

This summary is terrible, even for /.. It makes it sound like strong passwords are ineffective, when in fact TFA claims that they are overkill for some situations.

I do agree though that passwords that expire are a bag of chach.