Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Poor Passwords A Worse Problem Than Poor Antivirus

timothy posted more than 5 years ago | from the sure-is-for-me dept.

Security 247

dasButcher writes "Viruses and worms get all the headlines, but poor password management is a worse problem according to a new study by Channel Insider and CompTIA. As Larry Walsh writes in his Security Channel blog, VARs and security service providers say they find more problems with password management than antivirus applications when they do security assessments. While password problems are nothing new, Walsh and those posting on his blog correctly assert that users remain cavalier about passwords and businesses are doing too little to address this serious vulnerability."

Sorry! There are no comments related to the filter you selected.

FP (-1, Troll)

masshuu (1260516) | more than 5 years ago | (#28997713)

FP for the first time

Sunflowers aren't so bad (4, Insightful)

plover (150551) | more than 5 years ago | (#28997715)

In TFA the author complains about "sunflowers", people who have passwords on post-its stuck around their monitor frame. The thing about post-its is that 89% of last year's credit-card breaches originated from sources outside the companies. And there is no malware possible that can read what's written on a post-it note.

Re:Sunflowers aren't so bad (4, Interesting)

Shikaku (1129753) | more than 5 years ago | (#28997735)

And there is no malware possible that can read what's written on a post-it note.

Security cameras. If you know what to Google you can find all sorts of security cameras on the internet.

Or just walk in and look yourself.

Re:Sunflowers aren't so bad (4, Interesting)

exley (221867) | more than 5 years ago | (#28998023)

OK so I went and searched for "office security cameras" and that pretty much just turned up companies selling cameras. I then tried "office security cameras HOT XXX ACTION" and that DID yield me some results... But no passwords on sticky notes :( Rule 34 should kick in eventually, through, right?

Seriously though, I'm guessing most office security cameras are too low-res and they give a wide-area view so as to make it pretty damn difficult to be able to get someone's PW that way.

Re:Sunflowers aren't so bad (3, Informative)

MadnessASAP (1052274) | more than 5 years ago | (#28998145)

Try searching for "axis-cgi", you may be suprised what you can find.

Re:Sunflowers aren't so bad (1)

dotgain (630123) | more than 5 years ago | (#28998251)

Are you kidding? My first Rule 34 pic ever saved is of a cute girl nude except for hundreds of yellow post-its

Re:Sunflowers aren't so bad (3, Insightful)

brentonboy (1067468) | more than 5 years ago | (#28998303)

And there is no malware possible that can read what's written on a post-it note.

Security cameras. If you know what to Google you can find all sorts of security cameras on the internet.

Or just walk in and look yourself.

Seriously? No security camera will have a resolution high enough to actually read what's written on a post it note, assuming it's even in focus. It's not like on TV where you can just "zoom in, and enhance." Probably the best you could get would be to see a vaguely "sunflower" shaped monitor, as described.

Re:Sunflowers aren't so bad (2, Funny)

mwbeatty (1401881) | more than 5 years ago | (#28998507)

But they do it on TV all the time! You mean the technology on those cop shows isn't real?

Watch CSI (1)

wooferhound (546132) | more than 5 years ago | (#28998593)

Oh yes they can see post it notes
don't you watch CSI on TV ?

Re:Sunflowers aren't so bad (1)

UncleTogie (1004853) | more than 5 years ago | (#28998623)

No security camera will have a resolution high enough to actually read what's written on a post it note, assuming it's even in focus.

Do a search for "PTZ cameras", please....

Re:Sunflowers aren't so bad (1)

plover (150551) | more than 5 years ago | (#28998637)

Unless the security camera is a foot or two from the post-it, or if the password is written in 1/4" black magic marker, it won't be visible. I saw this used in a real (not TV) court case where the defendant claimed he wasn't the perpetrator in the video because his tattoos weren't visible in the security camera footage. (His were fine blue lines that looked like home-made or prison tats.) Investigators recreated the scene in the convenience store using calibrated lines and demonstrated to the jury that lines the size of those on the defendant's arm weren't visible on that camera at that distance. Guy went to jail for a very long time.

Another problem with that idea is that you could locate a camera pointed at a specific identifiable target. Just because you know a password doesn't mean you know the user ID, nor what system it's used to log in. I know someone's password is "KermitTF" -- but I can't tell you which computer it's good on.

And malware doesn't walk in the door and look. That's one of the very few advantages of having the criminal attackers located on a different continent.

The complex-but-written-down password is still excellent defense against network hackers. How you choose to secure the paper determines the rest of the security.

Re:Sunflowers aren't so bad (1)

masshuu (1260516) | more than 5 years ago | (#28997755)

true, and I'm more worried about my own physical health if a malicious person is in my house reading those notes. Chances are he has something sharp and pointy with him

Re:Sunflowers aren't so bad (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28997851)

Wow that reminds me of the 'Night of the Long Knives' July 2, 1934 when the Nazi regime carried out a series of political executions... Weird...

Re:Sunflowers aren't so bad (5, Insightful)

KeithIrwin (243301) | more than 5 years ago | (#28997901)

I agree completely. I generally tell people that it's far, far, far better to have a strong password which you write down than a weak one which you can remember. Simply moving the post-its from the monitor to a locked desk drawer would do a lot to decrease the security risk of writing them down.

It's also not even vaguely clear to me why people feel that regular password changes are helpful or a good idea. As far as I can see, all they do is make it tougher for users to use strong passwords (due to being unable to memorize them), thus leading to weaker passwords and less security. An uncompromised password is an uncompromised password. They don't go stale.

Regular password changes don't help decrease the likelihood of a system being compromised, they just offer some mitigation in the event that it has been compromised. However, given that an attacker probably will need only a few hours or days to slurp plenty of information or do plenty of damage, rotating passwords monthly isn't even likely to mitigate the compromise much.

So the trade-off being made is that the system is now more likely to be compromised due to weaker passwords but in return, there's small chance that an attack will be stopped after the system has been compromised due to the password changing. That doesn't seem like a good trade-off to me. My best guess is that this advice is left over from a time when some systems had shared passwords. The regular password change was so that people who had been given the password to a system to do one thing wouldn't have access forever. Some places even used daily passwords so that they could give someone access for one day, but have their access reset the next day. But that advice has been carried over to individual user passwords in systems which use better access control technologies to manage access.

These sort of reports don't stop and analyze what constitutes good password management. They just say "Passwords should be changed regularly. It must be true because everyone is saying it. This company doesn't change their passwords regularly, so they have poor password management." As such, they aren't really a good assessment of the problem.

Re:Sunflowers aren't so bad (5, Insightful)

grumbel (592662) | more than 5 years ago | (#28997999)

Simply moving the post-its from the monitor to a locked desk drawer would do a lot to decrease the security risk of writing them down.

Or better yet, store it in your wallet. A place that is save enough for your money, credit cards and car keys should be save enough for a bunch of passwords. One could of course go one step further and get rid of passwords altogether and use a secure authentication device instead, with USB being commonplace everywhere that shouldn't be to hard to just use a USB device that does the authentication and encryption in a secure and easy to use manner.

The core problem isn't that users chose insecure passwords, thats just human nature, the core problem is simply that hardware and software developers haven't build systems that work well enough with this "flaw" of human nature.

Re:Sunflowers aren't so bad (3, Insightful)

ScrewMaster (602015) | more than 5 years ago | (#28998351)

Or better yet, store it in your wallet. A place that is save enough for your money, credit cards and car keys should be save enough for a bunch of passwords.

Huh? That's not very good advice. If someone steals my wallet, they get access to whatever cash I have in it, and some easily-replaceable plastic. If I report the loss/theft promptly, my liability is limited.

On the other hand, if I put passwords to my important online services there (such as my bank account, 401K, etc.) I could find those assets gone forever. If I have passwords to my company's systems there, they also could be compromised, and it would be my fault for storing those passwords in such a readily accessible place. A wallet is not secure, was not intended to be secure, and is something people carry around out of necessity, and the thought of losing it is a source of constant worry. Plus which, there are people who specialize in relieving us of the burden of carrying said items, you know ... they're called "pickpockets."

Also, the problem with carrying arround a "secure authentication device" is that very few services support them. Well, not in the U.S. anyway, and that's where I live. And even if you are able to use one, you'll probably still require a PIN of some kind. Probably not a good idea to put that in your wallet either.

Regardless, you are absolutely correct that people not thinking things through and concerning themselves solely with convenience is human nature, Me, I use difficult passwords and I make the effort to a. memorize them and b. change them now and then. But that's me: few computer users are willing to work that hard, and I also agree with you that they really shouldn't have to. However, the core problem isn't so much hardware and software developers: the problem is that the people in charge of the financial systems in many countries just don't see the investment in secure transaction handling to be worth the money. It's cheaper to pay their insurance underwriters and just charge off the fraud. Of course, that fact that some number of citizens get totally fucked over every year is just acceptable collateral damage.

The United States' banking system is horribly insecure at pretty much every level, and I don't see that improving any time soon because it would cost a lot of money. A good first step might be getting rid of Diebold (I mean, come on, a Windows-based ATM?) but I don't see that happening soon either.

Re:Sunflowers aren't so bad (2, Informative)

plover (150551) | more than 5 years ago | (#28998777)

You can certainly take a little responsibility for your own security. You don't have to write down the whole password, or you can obscure it in some way that you remember. If your password is aRgLeBaRgLe123 you can just write down "aRgLeBaRgLe" and remember that you glue 123 to the end of all your passwords, or write down "arglebargle123" knowing that you always cApItAlIzE eVeRy oThEr lEtTeR. For most people, the people who have physical access to their screens are less likely to be sophisticated attackers than your average network hacker.

Of course you still have to make sure that nobody learns any of your passwords, because they'll easily figure out your simple obscuration scheme.

Years ago I had all my various credit card PINs written and stored in my wallet with the cards, but I knew I had an offset to add to each before using it. The offset was the PIN for my main bank card, so it was something I already remembered. (I have since divested myself of all those extra cards, so I don't have the paper any more.)

All that said, I still don't write down or save my secure work or banking passwords. I'll write down stupid web site passwords, but not anything that puts me or the company I work for at risk.

Re:Sunflowers aren't so bad (2, Interesting)

techno-vampire (666512) | more than 5 years ago | (#28998235)

It's also not even vaguely clear to me why people feel that regular password changes are helpful or a good idea.

I spent time doing tech support for an ISP. As part of my job, I needed to log into a web page. The server was inside the office firewall, and nobody outside it could log in. Not only were we required to use ten-character passwords (Upper, lower, numeric and punctuation all required.) they expired every sixty days. There was no possible way for an outside attacker to reach that web server, no way that constantly changing our passwords made anything more secure, but we had to do it, probably because somebody in IT realized that they could set it up that way and decided that if they could force passwords to expire, they should, whether it helped or not. What made it worse was, all the Certificates expired and nobody ever bothered to update them. This wouldn't have been so bad (You tell your browser to accept it, and the problem goes away.) but our boxes were locked down so badly that telling the browser that the cert's OK didn't survive a reboot, meaning you had to go through the same song-and-dance several times a day.

'tech support for an ISP' (1)

rts008 (812749) | more than 5 years ago | (#28998751)

...our boxes were locked down so badly that telling the browser that the cert's OK didn't survive a reboot, meaning you had to go through the same song-and-dance several times a day.

I would have asked you if you worked for Creative Labs, but the ISP bit shot that down. :-)

What you describe is what I went through at CL.
Knowledge Base web pages that did not have the URLs whitelisted in the proxy we used, boxes locked down tight**, 8 minute maximum call time allowed per call for tech support...including the 2-3 minutes needed for the required interrogation about the 'problem' product, etc....

**except for the USB ports!
I put Damn Small Linux in a bootable partition on a USB stick to get away from WinXP and IE that was imaged onto all of our Dell workstations. Unfortunately, I was found out by management after about 4 months when they were doing a routine 'call monitoring', and heard me offering Linux support for a customer with a Creative Labs Nomad. I was still a n00b in the tech support scam, and was actually trying to offer real tech support for our customers...silly me! I was asked to resign in lieu of being sacked. :-)

[I grin because that was the only job I held in my life, that I felt I needed to keep a shotgun at the front door of the house...I could force myself to leave the house for work if need be!]

*me:Go to work, or I'll Dick Cheney your face!
also me:Okay, I'm going to work, asshole!
me:Damn...I just concocted a special rocksalt load with White Phosphorous[Willy Peter for you military fans] to try on you!
also me:Shit!...Decisions, decisions....Rocksalt and Willy Peter to the face, or go to work at Creative Labs again....Hmmmm...Hey, is this a trick question?!?!?!?*

Re:Sunflowers aren't so bad (4, Insightful)

plover (150551) | more than 5 years ago | (#28998523)

Regular password changes don't help decrease the likelihood of a system being compromised, they just offer some mitigation in the event that it has been compromised. However, given that an attacker probably will need only a few hours or days to slurp plenty of information or do plenty of damage, rotating passwords monthly isn't even likely to mitigate the compromise much.

Many of the really big credit card attacks (TJX, Network Solutions) took place over several months (or years), harvesting on-line transaction data. We have no way of knowing if the passwords were rotated during the course of the attack if that would have shut down the attackers. Network Solutions was PCI DSS rated, which means they had a password rotation policy in place, and their attack continued from March through June. We can probably assume the attackers seized the first opportunity to create a back door that they could use in the event the passwords were changed, so a rotating password would have had no effect on them.

Re:Sunflowers aren't so bad (1)

omb (759389) | more than 5 years ago | (#28998779)

And, in case if compromise, you can force a password change when you havve finished the forensics.

Re:Sunflowers aren't so bad (1, Interesting)

Anonymous Coward | more than 5 years ago | (#28998369)

If I was a dick, I could get probably 90% of my colleagues' secret PIN codes just by asking them. Who needs malware? People are the problem, not encryption levels.

Re:Sunflowers aren't so bad (1)

Svartalf (2997) | more than 5 years ago | (#28998671)

And many of the "sunflowers" aren't due to really inept people (a' la the secretary for the Principal in Wargames...) it's because of TOO stringent password requirements that insist upon upper AND lower case coupled with at least one, if not several numbers in the password.

It doesn't make it more secure doing that- it tends to make it less os.

It's all down to ridiculous password rules... (5, Interesting)

musefrog (1471169) | more than 5 years ago | (#28997717)

I think one day, we'll look back at this period of needing umpteen different 8-16 character one capital letter one alphanumeric character passwords (changed each month!) with the same horror we now regard the times when the best solution to a serious leg injury was to cut the freaking thing off. With no anasthetic. Maybe it's not directly analogous, but it's just as barbaric and wrong and crazy!

Re:It's all down to ridiculous password rules... (1)

Nerdfest (867930) | more than 5 years ago | (#28997849)

The ridiculously short interval in most places is a huge part of the problem. It's asking people to do insecure things to make it more convenient. I read someone advocating lately to write your passwords down, but keep them in your wallet. Not a bad idea if you don't have the electronic means to do the same.

The best long term solution is probably some sort of revocable 2 factor authentication.

Re:It's all down to ridiculous password rules... (1)

Brian Gordon (987471) | more than 5 years ago | (#28997881)

One day, we'll use a big private key (from a microsd card or an RFID) to authenticate instead of relying on a puny little 8-16 alphanumeric password.

It's already implemented in Vista at least.. you can log in from different authentication providers like a fingerprint scanner or a smart card or a web cam.

And for remote administration it's even better. You don't need to be there to put in a smart card; you just handshake with your key over the network.

Re:It's all down to ridiculous password rules... (0)

Anonymous Coward | more than 5 years ago | (#28997973)

Outside vista, we've had it since forever: you use OpenSSH with public/private key authentication. :-)

Re:It's all down to ridiculous password rules... (0)

arose (644256) | more than 5 years ago | (#28998103)

One day, we'll use a big private key (from a microsd card or an RFID) to authenticate instead of relying on a puny little 8-16 alphanumeric password.

People who's passwords provide no real security might be, the rest of us do have and/or will have big private keys encrypted with strong passwords.

Re:It's all down to ridiculous password rules... (3, Insightful)

bcmm (768152) | more than 5 years ago | (#28998289)

And Linux has had Pluggable Authentication Modules since 1996. It currently supports, among other things, smart cards, fingerprints, passwords and and a bunch of different hardware crypto devices.

Re:It's all down to ridiculous password rules... (0)

Anonymous Coward | more than 5 years ago | (#28998781)

Passwords have their uses, but for day to day authentication, they have so many weaknesses that I wish there were a standard way of authenticating with two factors.

Right now, I have three rebranded Vasco ID devices. Two for eBay/PayPal (bought another since my first one has been used for a number of years. The third is for Blizzard stuff. This is a decent way to get around the keylogger issue. However, I wish there were a standard for offline devices, so I can use just one device and it would work with any authentication provider. Of course there is an "app for that", but not everyone uses iPhones, and some businesses explicitly forbid them.

It would be nice to have an offline authentication standard that doesn't require an expensive internal authentication structure. Regardless of device to set up, one would enter the serial of the device, and the 6-8 digit code it has. Then, you just tack on the digit code after your password when logging in. Windows has had hooks for SecurID support since NT or Windows 2000. Only bad thing about SecurID is that one needs to have at least two ACE servers for your domain (one main, and at least one failover because if your ACE servers go down, you have lost all ability to log people on organization-wise.)

Best of all worlds would be a device that can do offline access, as well as online via a USB jack (like RSA's SecurID 800 or the Aladdin eToken NG-OTP). This way, a company or organization could use client certificates for authentication, which deal away with a large amount of authentication problems.

Two factor authentication is not a complete fix-all. One can compromise a Web browser in a complicated MITM attack (IBM's ZTIC device is an advance against forged bank transactions). One also can seize the OTP code while it is en route to the server, and then create a login session using that (SSL should always be used for authentication, but sometimes organizations either don't bother or use self-signed certs which can be spoofed.)

Two factor is a step up for authentication. Passwords may be useful for authenticating as root, Administrator, or a trusted user, but not over the Internet.

Ideally, NIST or ISO should make a standard for offline authentication, similar to how there is a standard (PKCS#11) for smart cards.

Re:It's all down to ridiculous password rules... (1)

arose (644256) | more than 5 years ago | (#28998085)

Takes me a few times typing in a new 16 character password (lowercase, capitals, numbers, symbols) to remember it. The trick is to type from memory and only use a note/password manager to refresh it, not copy. Easiest way is to encrypt a file with your new password and train it before setting it for the system.

Re:It's all down to ridiculous password rules... (1)

Alanceil (891771) | more than 5 years ago | (#28998089)

May I suggest a Firefox addon as a remedy ?

https://addons.mozilla.org/en-US/firefox/addon/469 [mozilla.org] (Passwordmaker)

Like in TFA, I find it hard to make up many good passwords, so I'd rather use one strong one to create passwords that are unique for each login.

My password isn't guessable. (3, Funny)

XPeter (1429763) | more than 5 years ago | (#28997733)

It's password! How ingenious is that?

Oh, wait...

Re:My password isn't guessable. (1)

Inda (580031) | more than 5 years ago | (#28998749)

I would have guessed at '12345' or 'abc123' first. Forth choice would have been 'computer', then '123456', '1234', 'a1b2c3', 'qwerty', '123', 'xxx', 'money', then finally 'test'.

Passwords are obsolete. They have been for years.

Slow news day (-1, Flamebait)

oldhack (1037484) | more than 5 years ago | (#28997743)

Just like everyday.

well (1)

nomadic (141991) | more than 5 years ago | (#28997765)

security service providers say they find more problems with password management than antivirus applications when they do security assessments.

The important words being "security assessments." In real-life impact viruses are far more serious an issue; I know many, many people who have had their computers infected with viruses than have had their passwords stolen. In fact, I can't really remember if anyone I know has ever had a password stolen.

password rules (0)

Anonymous Coward | more than 5 years ago | (#28997767)

They just implemented wierd password rules in our company, before I use to have long but easily remembered passwords with characters and special characters. Now with the new rules there is no way I can remember the passwords so I have them on a post-it taped to my laptop. I have to login to many times otherwise, so if you want more security dont get insane on password rules :)

Mandatory IRC Idiot Reference (5, Funny)

conner_bw (120497) | more than 5 years ago | (#28997775)

<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.

Fingerprints? (1)

Annwvyn (1611587) | more than 5 years ago | (#28997787)

I know passwords are the norm, but some places have adopted fingerprinting. For example, to get drugs from the pharmacy for my ambulance, I have to sign in to Pyxis using a fingerprint scanner. There are also laptops that are carrying password keyrings linked to fingerprint scanners. Even at UNH, when I signed in to get my meal, they had a hand scan to ID you so you could get through the turnstile. Not new technology, already implemented into everyday software, and tough to fake. For something like a corporation or law office (who can probably afford it), why not? Just a thought.

Re:Fingerprints? (2, Informative)

KeithIrwin (243301) | more than 5 years ago | (#28998313)

Biometrics work fine for in-person authentication, but they are terrible for network authentication because they are not secrets and because they cannot be changed. In person, they might be hard to fake (depending on the technology), but over the network, it's just data like any other and, as such, trivial to fake. I have a longer comment about this further down if you want more detail.

Re:Fingerprints? (3, Insightful)

6Yankee (597075) | more than 5 years ago | (#28998371)

Fingerprints, great... Might as well get a permanent marker and scrawl my password all over my laptop!

Password Policies (1)

bryan1945 (301828) | more than 5 years ago | (#28997829)

Companies need to implement a 'good' policy. I've seen policies that enforced only a 5 character password. I've seen one policy that was a minimum of 8 characters, at least 1 number, and at least 1 special character. Sure, /.'s could handle that, but I once knew an administrative assistant (I forget if secretary is PC or not any more) that kept forgetting how to cut and paste. Great lady, just wasn't computer friendly. Another thing- if you can't remember your passwords, at least stick the Post-It note in your drawer rather than on your monitor!

Arora (4, Interesting)

Sir_Lewk (967686) | more than 5 years ago | (#28997833)

It's good to see Arora getting some more attention now. I've been using it now for more than half a year and I must say it's the first webbrowser I have actually liked in several. I would definetly consider it the best OSS webbrowser on linux right now, particularly if you're running KDE (although Arora is desktop agnostic, it is Qt). I've been fed up with Firefox's bloat (ever try comparing Firefox and Seamonkey these days? Guess which is heavier...) for some time and Arora is a nice change from that.

mod down (0)

Anonymous Coward | more than 5 years ago | (#28997867)

mod this down, I'm an idiot and responded to the wrong thing.

Re:mod down (2, Funny)

Nerdfest (867930) | more than 5 years ago | (#28998047)

That's ok. Compared to the typical post these days it's refreshingly informative.

Re:Arora (1)

Sir_Lewk (967686) | more than 5 years ago | (#28998005)

No really, this is offtopic, posted to the wrong article.

Biometrics (2, Interesting)

the_macman (874383) | more than 5 years ago | (#28997855)

What's wrong with biometrics? Maybe somebody could explain to me why more keyboards don't ship with biometrics built in? Instead of remembering 25 different passwords each with their own ridiculous rules you could just scan your finger. It could even work when you want to make CC purchase or login to your email.

Re:Biometrics (1)

jedidiah (1196) | more than 5 years ago | (#28997935)

What? You don't watch mythbusters?

Mebbe someone with MythTV has a copy of the episode with the fingerprint scanner.

Re:Biometrics (4, Informative)

Hal The Computer (674045) | more than 5 years ago | (#28998011)

Okay, I'll bite. Because you're too cheap. Seriously, biometrics that actually work (are hard to fool) are going to make your keyboard several hundred to several thousand dollars more expensive.

Those fingerprint readers that come for "free" build into laptops are snake oil.
Some educational reading:
http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/ [theregister.co.uk]
http://mythbustersresults.com/episode59 [mythbustersresults.com]

Re:Biometrics (1)

Macrat (638047) | more than 5 years ago | (#28998163)

you could just scan your finger.

And when someone decides to cut your finger off?

Re:Biometrics (0)

Anonymous Coward | more than 5 years ago | (#28998345)

you could just scan your finger.

And when someone decides to cut your finger off?

I think then you would know that someone is trying to access your system, and perhaps you would start using a different finger for authentication. You know, because the finger you normally use isn't there.

Re:Biometrics (4, Insightful)

KeithIrwin (243301) | more than 5 years ago | (#28998183)

The problem with biometrics is that they aren't secrets and they aren't changeable. As such, they're fine for low-security in-person authentication. For example, I've heard of a restaurant which had their wait staff punch in by scanning their finger prints. That's fine. But if you use it to control access to the VPN, then that's problematic due to the non-changeability.

Here's why:
Let's assume that you are an employee who runs Windows at home. You keep up with the latest patches and don't do anything stupid. You probably even run Firefox. But still, someone manages to slip through an unpatched bug and infect your system. It can happen to just about anyone. They then install a back door and start logging what's going on in your system. They notice that you connect to a VPN so they start sniffing your USB traffic so that they can appear as you (recording either your password or your fingerprint). Now they can get into your company's VPN. It's compromised. Fortunately, your IT guy is on the ball. At 11am the next day, you get a call from your network admin asking you if you are signed into the VPN because he expects that you're in the office, but you also appear to be signed in remotely. You confirm that you are not signed in and the two of you realize that you've been hacked. He temporarily disables your access. You go home, clean up your home computer (assuming that you can) or bring it in to have them clean it up, and then it's time to give you access back.

Now here's where things diverge. If you've used a password, you just have to change your password to a new one, and it's secure again. Your fingerprint isn't changeable. Obviously, you can switch to a different finger, but that's a limited strategy since you've only got 10 of them (well, maybe slightly more or less if you were born with extra fingers or have lost some in accidents). I suppose once you're out of fingers, you could use toes, but I doubt most users would be willing to. This becomes especially problematic if any non-hashed versions of things are stored (as often must be done for fuzzy matching) because if the database gets compromised, every single person would need to change to a new finger. You also wouldn't want to use the same finger for your work password as you use for your bank. So, a total of 10 may seem like a lot, but over the course of a lifetime, you're almost certain to run out. Other biometrics are even more problematic since people have at most two irises, only one voice, only two sets of hand geometry, etc.

The non-secrecy can also be a pretty big issue, although that one usually only comes up with insider attacks since they generally have to know you in person. Let's say you use the fingerprints for controlling access to the company database. Now, Alice is a supervisor in payroll accounting and can change people's salaries in the database. Eve works sales and is clever and unscrupulous. Eve invites Alice over to dinner, and after she's left, lifts her fingerprints from her wine glass or the glass table top or almost any other smooth surface she's touched. Heck, she might even be able to get it from a door knob at work if she's careful. Once Eve has the fingerprint data she can then log-in over the network to the database.

The banking situation would be even tougher because you would expose your fingerprint when you use an ATM. All an attacker would have to do is wipe the buttons and/or fingerprint scanner clean before you use it and then lift your print from the machine when you're done.

Alice can keep her password in her head, or if it's too hard to keep in her head, she can write it down and keep it in a locked drawer in the office. This isn't absolute security, especially since keys can be duplicated from pictures of them, but would at least require that Eve physical break into the office. But still, her password at least starts out as a secret unknown to anyone else. Her fingerprints are not secrets. Using your fingerprint as your password is like writing you password on every single surface you touch all day every day.

Essentially, using fingerprints for authentication works fine if you can know that the fingerprint really goes with the finger, but once you're looking at data flowing over a network, then you don't know if that biometric data comes from the actual finger or has just been snooped or lifted. And if it has been snooped or lifted, there's nothing you can change to restore a secure state.

I have an idea. (4, Interesting)

neokushan (932374) | more than 5 years ago | (#28997913)

I'd like to make a proposition to everyone on slashdot.

For the greater good of humanity, we need to employ some social engineering. I suggest that all of us stop referring to it as a "password" and start referring to it as a "passphrase". With a little luck, it'll catch on and people will start using phrases instead of just words. This tiny change should cause people to create easily remembered passes that are in excess of 10 characters long.

Maybe not such a good idea... (3, Insightful)

musefrog (1471169) | more than 5 years ago | (#28998037)

I've come accross one (badly coded) site where that stategy backfired on me. I typed my standard use-it-for-non-critical-sites 15 character passphrase - all seemed well and good. But then, when I tried to log in, it kept telling me I had the wrong password.

Turns out their form only saved the first 12 or so characters - but they hadn't limited how many characters you could type into the field, so I didn't know I'd typed too many. And guess what - the login form accepted more than 12 characters! Hence my borked login.

Fortunately I think that flaw got fixed when they upgraded their site, but I wonder how many more sites out there are broken like this...

Re:Maybe not such a good idea... (3, Insightful)

KeithIrwin (243301) | more than 5 years ago | (#28998245)

I use PasswordMaker [passwordmaker.org] for website passwords (as everyone should) with a 16 character password length. I've probably run into a half dozen sites which have silently removed the last 4 or 8 characters, cutting it down to 8 or 12 characters. I've also run into several which strip out "special" characters (single or double quotes, slashes, spaces, parentheses, or whatever else they feel threatened by) in an asymmetric manner. That is, they remove them from the password before they store it in the database but not when you type it in or vice versa. It's a real pain.

I've also had other sites which simply reject my password because of excessive length or because it contains "special" characters. Any place which can't accept any password I give them is doing a terrible job of securing their users accounts.

Re:I have an idea. (0)

Anonymous Coward | more than 5 years ago | (#28998079)

Yeah, but the know nothing admins in some companies use max characters for passwords. I used to use a whole sentence for my passwords but somewhere around 2002 companies started using complex password riquirements such as 1 Caps char. 1 special char. but then limit to 8 or 10 characters. WTF?

Oh well.

Re:I have an idea. (3, Interesting)

Headrick (25371) | more than 5 years ago | (#28998299)

Agreed, but unfortunately it's not that easy. I just started a new job and got my AMEX corporate card in the mail today. The online account had a maximum password length of 8 characters with no special characters allowed. A phrase would never work when we have companies that are still limiting their passwords to 8 characters.

Author parrots common fallacy (5, Insightful)

whoever57 (658626) | more than 5 years ago | (#28997923)

The author parrots out the common fallacy that passwords have to changed frequently:

Even worse, good password management requires frequently changing passwords - every 30 to 60 days is the standard. Rotating passwords more frequently--every 15 days or so--is possible, but the panelist say it creates more of management and user headache that leads to more sunflowers by users who's memories can't keep up with changes.

Until people get over this misconception and communicate to their users: "give yourself a good password. I won't ask you to change it so you can pick a strong password that you will remember and that will be the end of memorising passwords" Then stress what makes a strong password.

Re:Author parrots common fallacy (3, Insightful)

dotgain (630123) | more than 5 years ago | (#28998377)

This.
Password rotation is dumb dumb dumb dumb dumb. At least half of my users would have mentioned the annoyance of changing passwords, many tell me the exact process they use to circumvent it while doing so.
But my hands are tied, because twice a year the auditors come in, and if I don't have a password rotation policy he'll tell my boss, who'll then tell me to implement it. I've tried to reason with him, but passing the audit was more important. Beancounters in charge of IT FTW.

Re:Author parrots common fallacy (4, Informative)

ScrewMaster (602015) | more than 5 years ago | (#28998435)

Just assign the damn things! When I was in college (about thirty years ago, now) the school's mainframe would assign users a strong password when you got your account. Choosing a poor one wasn't an option. The system did manage to come up with interesting and easy-to-memorize combinations, I must say. It was actually fairly impressive: I never saw anyone writing down their password because they didn't need to. However, they weren't just random combinations of characters, and they weren't subject to a dictionary attack.

Depending upon individuals to come up with strong passwords is utterly hopeless: you tell them what their password is. However, you can't just give them something like "pz039yq53t" because they'll get frustrated and stick it on a Post-IT note. Come up with an algorithm that generates strong but easy-to-remember passwords and you'll be in good shape.

Poor passwords in TV shows (2, Funny)

Kligat (1244968) | more than 5 years ago | (#28997947)

When the password is the name of the computer owner's son, daughter, or significant other, why is it that the main character never has to fiddle around altering names by replacing random letters with 1337 or @, $, and # signs?

Re:Poor passwords in TV shows (2, Informative)

techno-vampire (666512) | more than 5 years ago | (#28998325)

Script writers do that for a very good reason: timing considerations. A TV drama has a one-hour time slot, minus time for commercials, opening and closing; probably about 40 minutes or so for the story. Fiddling around with creative misspellings of names takes time and doesn't move the story along. It's the same reason, BTW, why when somebody on TV turns on the news, the story they're looking for is just starting.

Re:Poor passwords in TV shows (1)

Spliffster (755587) | more than 5 years ago | (#28998347)

As far as I can tell, the all use the same password, this one: *******

Re:Poor passwords in TV shows (1)

dotgain (630123) | more than 5 years ago | (#28998451)

Imagine a man sitting at a terminal. Breaking 128-bit SSL. With a gun to his head. Getting a blowjob. No, TV is not reality, and they bend and break things to be more appealing to the audience. You think *real* crime scene investigators and doctors/nurses don't get the same thing? Recently, watching a (terrible) movie with Sylvester Stallone, I eyerolled when he told a paramedic "this man needs an I.V." - as if he'd be healed by any random substance being shoved into his veins by way of a needle.

The Article is poor.... (4, Informative)

Manip (656104) | more than 5 years ago | (#28997969)

The article repeats the same Myths of password security that we have been repeating for the last thirty years. Let me review them for you:
  - Password Length is important
  - Password Complexity is key (e.g. A-Z with at least one special, one number)
  - Password Expiration is important

Like all good myths these have elements of truth in them but fail to really hit the nail on what the problems actually are, or namely:
  - Strong login auditing is important (failed attempts, unusual patterns, etc)
  - Login speed should be throttled (e.g. No 60/guesses per minute)
  - Failed logins should be capped (e.g. Login wrong five times? Consult technical support)

Now we are talking about password security. You can also throw on a five length minimum. Now even if your password was "password" they would still find it extremely difficult to compromise the system since it would be slow and would break after the first five. If you tried to spread out the attempts over several weeks (making it slower still) the audit logs should be alerting the administrator to 14/failed attempts per week from China.

Re:The Article is poor.... (1)

arose (644256) | more than 5 years ago | (#28998181)

DoS, you'll either be stuck with people flooding support and not getting anything done, or you will drop part of those blocks, after that it will be back to password strength.

Re:The Article is poor.... (1)

BikeHelmet (1437881) | more than 5 years ago | (#28998743)

This is why both username and password need to be changeable by admins.

root and admin are never root or admin on my boxes.

Re:The Article is poor.... (2, Informative)

blincoln (592401) | more than 5 years ago | (#28998241)

Now we are talking about password security. You can also throw on a five length minimum. Now even if your password was "password" they would still find it extremely difficult to compromise the system since it would be slow and would break after the first five.

The reason length is important is because there are ways to crack most types of password that don't involve going through the same interface that an interactive user would.

For example, on Windows you can get ahold of the password hashes either off of a domain controller or with network sniffing software. Then you can make any number of cracking attempts offline. Or you can just use a rainbow table system like Ophcrack and do a reverse lookup in a matter of minutes on the hash of virtually any password less than 15 characters long.

Re:The Article is poor.... (0, Troll)

omb (759389) | more than 5 years ago | (#28998527)

Security and Windows is an oxymoron anyway. If you can hack away for months at any usable password you can crack it, even if it is fully random, eg 8^256 is small. First you must secure the authentication data.

If you want any real security use a SSL secured challenge-response that can only be effected by a a numbered card, and significant asymetric key, say 4096 bits, and you can implement the response device in software or a PIN protected card+calculator, (eg SWISS E-BANKING).

Re:The Article is poor.... (1)

Manip (656104) | more than 5 years ago | (#28998697)

If they have your password hashes, shows over.

Anything under eight digits can be broken almost instantly and asking users for a password longer than eight digits is just frankly unreasonable. Heck, in your scenario, they could just reset all the passwords and access accounts freely.

As far as DoSing an account or accounts, that is entirely a different security problem and one you should address with different measures like isolation and logging.

Quit telling users not to write passwords down. (1)

John Hasler (414242) | more than 5 years ago | (#28997989)

Instead encourage them to do so and teach them to properly manage them. There are many possibilities: password-safe programs, little black books to be kept in the user's wallet, lockable desk drawers, elctronic one-time pads . . . (even post-it notes on monitors in some circumstances). First, however, you must accept that the average user is never going to memorize any password more complex than a minor variation on the name of his favorite pet. Get that idea out of your head.

No Surprise (2, Insightful)

virtual_mps (62997) | more than 5 years ago | (#28997991)

This is probably because most security assessments aren't very good and don't correlate well to an organization's actual security problems. At least the assessments help people get rid of all that extra money they have.

poor password policies (4, Interesting)

mayberry42 (1604077) | more than 5 years ago | (#28997993)

I remember when working for a major financial firm in Boston, they had the most ridiculous password policies for each password. We had to have at least four or five different passwords according to what you needed to access, each with their own rules and limitations (size, characters allowed etc...). Not only that, but each password expired in different intervals. So basically every week, you'd have to change at least one password making the whole damn thing impossible to remember.So, what did people do? They wrote them down in little sticky-notes. Sure, I came up with my own schemes to facilitate remembering them, but nevertheless a forgotten password was bound to happen. It amazes me how paranoid firms are about some policies, yet leave the back door wide open due to such stupidity

Due to a recent identity-theft scare I had the other day, it made me realize the importance of safe-guarding the data with good passwords. Since then, I've used KeePass to generate and store all my 20-digit random passwords that I've since never have to remember (a backup, of course, is constantly made and stored in a safe place). Either way, I'm no security expert, but it seems to me an approach like this would be much more sensible than inconsistent password policies that expire randomly. Just my $0.02

Re:poor password policies (1)

Macrat (638047) | more than 5 years ago | (#28998187)

And in contrast, I worked at a company where all new employees were given the default password of "welcome." Needless to say, over time I learned that most employees never bothered to change that password.

Re:poor password policies (1)

dotgain (630123) | more than 5 years ago | (#28998495)

Sounds like the silly admins didn't check the "User must change password at next login". Of course, you don't just use it for new users, any time you take an angry call from a user, just tick the "must change password" box. You'll feel better already, and your victim won't figure it out because they won't have to change it until tomorrow morning.

"Good Enough Security" (3, Interesting)

resistant (221968) | more than 5 years ago | (#28998065)

We all know most people will never use "proper" passwords, let alone "properly", quite aside from offices in which ridiculous password management policies drive people to drink^h^h^h^h^h simply writing their passwords on Post-it notes stuck to their monitors. Why not make the best of a bad situation by only insisting on reasonable passwords changed no more than once per six months, complete with freely available "wallet-sized password booklets", but which are accompanied by other methods such as once-per-session typing pattern analysis [wikipedia.org] verifications or cheap magnetic stripe cards? (The obvious security problem with a magnetic stripe card in the same wallet as a password booklet, for example, can be ameliorated by insisting that the magnetic stripe cards be kept in small employee lockers, and never allowed off-premises).

The point is that a little imagination is all that is needed to make security reasonably good or at least acceptable, given that the weak link will always be the kind of muppets who insist on shoving bricks between doorjambs and ultra-high-security triple-locked doors if they are at all allowed. Sure, any security method can be defeated, but it's far easier to educate (okay, frighten) people into not removing stuff from company premises (the magnetic stripe cards) or to make them perform once-a-day monkey tricks (the typing pattern analysis verifications) than it is to make them stop writing stuff down in very insecure ways. Security will tend to be more even, and problem employees will be easier to spot.

The old saying comes to mind, "The perfect is the enemy of the good."

Bad title, bad advice (1)

xsee (469209) | more than 5 years ago | (#28998151)

This title is very poorly worded... It should be called "More users FAIL on passwords than being negligent with security software". Not to mention I disagree with the premise entirely. Even if you have a Sup3rS3cr3tUBERp@ssw0rd its useless if your machine is compromised by a keylogger.

"strong password policy" is NOT the solution (2, Insightful)

IGnatius T Foobar (4328) | more than 5 years ago | (#28998157)

Listen up, paranoid policy people everywhere: setting up a "strong password policy" is NOT the solution. Typically this involves forcing the user to choose a password that's more than ten characters, has punctuation and numbers and mixed case in it, and forces a password change every 30 days.

You know what that does?

It forces people to write their passwords down. On paper.

With the password written down, it's very easy to "crack" because it's sitting there, "in the clear" on a dead tree.

Re:"strong password policy" is NOT the solution (1)

lukas84 (912874) | more than 5 years ago | (#28998311)

Easy solution: Make it a policy that people found writing their passwords down get fired.

Re:"strong password policy" is NOT the solution (1)

ScrewMaster (602015) | more than 5 years ago | (#28998479)

Easy solution: Make it a policy that people found writing their passwords down get fired.

Then you'll find them in people's wallets, on the underside of their keyboards, or other insecure (but non-obvious) places. Getting all Draconian on people only goes so far. Security is a compromise, because people still have to get their jobs done, so finding a middle ground is important. IT departments can put in place all the overbearing policies they want, but if it costs too much productivity (or irritates workers too much) people will find a way to make it more convenient. Period. You have to work with human nature rather than against it, or you're pretty much doomed to failure.

Re:"strong password policy" is NOT the solution (1)

John Hasler (414242) | more than 5 years ago | (#28998765)

> Then you'll find them in people's wallets...

Which is, in most cases, a fine place for them to be.

Re:"strong password policy" is NOT the solution (1)

martas (1439879) | more than 5 years ago | (#28998681)

i write my passwords down on living trees. problem solved.

Re:"strong password policy" is NOT the solution (1)

KarlIsNotMyName (1529477) | more than 5 years ago | (#28998747)

What I hate, is when they require me to do a little bit of everything, assuming that I'm an idiot who can't make a good password otherwise, when I'm perfectly capable of making a relatively secure password, e.g without using _ or %.

8jjash3dtripleTarget is more secure than qwerty_1 (I really hate it when they have those awkward rules, yet limit your password length to a low number).

Length is always important, though. Even passwordpassword is better than password. Then a minimum of complexity. Maybe require at least 2 different types of characters, e.g. two of the following: Lower case, upper case, numbers, special characters. Never require all, because that makes for a harder password to remember, and even type (not good for a password you have to use often, for example to logon to your work account).

Re:"strong password policy" is NOT the solution (0)

Anonymous Coward | more than 5 years ago | (#28998757)

> It forces people to write their passwords down. On paper.

That's not as bad as you might think. I tell people it's okay to do that.

Just make sure they keep the paper in their wallet.

(Yes, there are still possible problems, but it's better than putting it on the monitor and I can't stop them anyhow because I just teach security classes, I don't set any password policies.)

Bad Passwords, and poor SysAdmin (1, Interesting)

omb (759389) | more than 5 years ago | (#28998215)

This is exactly right, and PostIt's should be a firing ofence, at __all__ levels up to and including CEO, given Sarbannes Oxley, next __obvious__ passwords must be screened out, and changing passwords/ageing should __not__ be required.

My singleton laptop often faces the internet un-firewalled but the bastard ssh attacks cannot do password-guessing against really secure passwords like "1", which I have never seen tried, but it will now ;-), or "Bawrinced", generated by apg.

People can learn a __few__ strong passwords, remember them and use them in ways that stratify, and "Canary" risk, see John Patrick Ryan.

Especially for internet logins, and for the weakest you can use dictionary words, which helps with the Canary Trap. Hebrew, Maltese and Attic Greek, transliterated into Latin alphabets make very good Canary words, and help you to sue the leaker. Few guess that "Marsaxlokk" is a place name, unless they know Malta, and then you can easily make it harder by spelling it ".M1rs1xlokk.". If you you __consistently__ do this for admin passwords, and make your users pick high entropy passwords, then you have emplaced a good first line of defence; then close all un-necessary ports, and use a scanner eg "nmap" to ensure you have what you intended.

Finally, use iptables to ensure that the open ports are firewalled, so when I put my laptop on a net I dont want 'NO ARP, or ICMP packets' because I dont want to alarm any intrusion detection systems; but I want to allow outgoing PRINTER,&#160;SSH, POP3, and in some cases incoming SMTP.

Finally, while it takes more work, it is far more secure to use iptables than a generic firewall writing the rules to be minimal. There are LOTS of brute force SSH attacks, and one must assume SSL also out there.&#160;SMTP is no secure so you only want to allow it from your mail-server which should have a static address. Use TLS with fetchmail, and a proxy SMTP sender which caaan be configured to send mail securely to a mail-server. If you are mobile as I am that means, write your own sender that knows about the quirks of your ISPs.

Since most of the ISP inspired SMTP 'improvements' just open up new security holes, thanks Eric. Encrypt everything you can, and certainly anything that is important, or "potentially compromising". Never use commercial mail services, they are totally insecure and like as not have backups that can be _discovered_ in law, to your disadvantage.

Just pointing out the obvious (1)

houghi (78078) | more than 5 years ago | (#28998221)

It would be interesting to see a solution. I have easily 25 different logins in use for my job. At many places I am not allowed to choose my own login and then they base it on my name and each does that in a different way. Some add numbers to it. Some are shared logins.

Some I can set the password, some I may change the password and some I must change the password. The shared ones can not be changed as others then would not be able to use it and then others I must ask to change and yet others I can not change at all.

As I try to have this as simple as possible, I use the same passwords, so the result is that I have more different logins then passwords, but still I need to have a file with all logins and passwords.

So the easy part is pointing out the problem. The hard part is coming up with a solution. I can't use Firefox and am not allowed to install any programs at work.

Re:Just pointing out the obvious (1)

KeithIrwin (243301) | more than 5 years ago | (#28998349)

Well, for the ones which you can't change the password for, you should probably just write those down and then secure the piece of paper in a locked box. For the ones which you can change the password for, you should use PasswordMaker [passwordmaker.org] . It takes in a URL string and a master password and uses that to generate a site-specific password. Just make up an appropriate URL for the different accounts (it doesn't have to be real, just memorable). And I know you're going to say "but I can't install software". There's a javascript version, so all you have to do is to download a web page to your desktop and then open it.

Password hell (1)

LoRdTAW (99712) | more than 5 years ago | (#28998233)

There are two problems I see with creating and remembering passwords. First off many people simply do not understand the threat of weak passwords and blissfully use the name of their children or pets as a password. Second, people do not understand how to effectively create and remember strong passwords. I honestly believe that there should be a password or network security seminar that each person/employee should attend at their place of work. It doesn't have to be long, just enough time to explain why passwords are important to network security and how to create strong passwords. Hand out a simple sheet with examples or strong and weak passwords and suggestions on how to create strong passwords while avoiding weak ones. Also explain that passwords and log-in credentials are highly sensitive and should be considered personal information just like credit card and social security numbers. They should never be divulged to anyone but trusted IT staff. Explain the dangers of writing down passwords on random pieces of paper or post-it notes. And if it is necessary to write them down, put the paper in a secure, LOCKED place. I bet you could make the seminar only ten to fifteen minutes long and still get the point across. Bottom line is if you are trusting people with your data, why should they remain ignorant of the importance of the passwords used to access and protect that data?

Another problem I see with passwords if the sheer number of them that need to be created for users personal accounts. Banking, social networking, blogging, forum, e-commerce and gaming sites all require users to have unique passwords for each and every one of those accounts. Off the top of my head I estimate I have over two dozen accounts each needing a separate password. All too often this leads users to re use passwords and/or use weak, easy to remember passwords. At one time I had a little notepad at home that was just for writing down user names and passwords to the various accounts I have floating around. My solution to password hell was coming up with a password formula that helped me not only create but remember my passwords. Its not easy to explain but I take data from those websites that I have an account with and apply it to a simple formula which will give me a strong password. I don't actually have to remember the password because I can use the formula and data from the site to derive the password. Its not complex but clever enough to simplify the creation and recollection of passwords.

People can be password savvy, they just need to be educated a bit.

Antivirus isn't important (1)

ljw1004 (764174) | more than 5 years ago | (#28998263)

Everything is a worse problem than poor antivirus -- because viruses are so rare, if you're sensible.

In my past 16 years of running Windows machines with IE, I haven't once had my antivirus report anything. The standard precautions are enough -- use Proxomitron or don't visit dodgy websites; don't run pirate software; don't open attachments unless you were expecting them and you trust the competence of the sender.

I have had "antivirus" problems where the antivirus software interacts badly with the OS, e.g. keeping an executable open when my compiler wants to overwrite it. Nowadays I leave the antivirus switched off, and only turn it on when needed to connect to corpnet.

The 1960's Called (1)

bitemykarma (1515895) | more than 5 years ago | (#28998307)

Why does no one realize that we seem to be stuck in the 1960's; what's this dichotomy of "user name" and "password", in which we now type the first in plain text, but the second is shown as asterisks.

As if the former is common knowledge, but the latter is super double secret. What kind of retards are in charge of this shit?

Why aren't both secret; why aren't both in asterisks.

Or, how about we don't let people look over our shoulder.

The common sense solution, from TFA, is simply horseshit. Every idea that the so called experts come up with exacerbates the problem: mixed case, numerics, frequent changes: they all contribute to no one knowing their own passwords for the many systems that they have to log in to. Simply choosing a password that isn't in the dictionary and isn't based on something personal such as your child's name, and keeping it, and don't let someone look over your shoulder, is all that's necessary, and far better.

PS: do you notice how sign up forms don't give a crap if you type anything else incorrectly, but force you to enter your email twice. That's all they want. Thanks; here, have some spam.

Re:The 1960's Called (2, Insightful)

Entropius (188861) | more than 5 years ago | (#28998379)

There's a reason usernames are public.

On a Unix machine, knowing someone else's username lets you send them mail. It lets you access (if they allow you to) their home directory. It lets you see if they're logged on (using "w"), see information about them (using finger), and even communicate with them (using write), and lots of other useful things.

Re:The 1960's Called (1)

bitemykarma (1515895) | more than 5 years ago | (#28998473)

Excellent point, thanks for the reminder. Except...

Every desktop and server computer that I ever use day to day, is Linux, BSD, or Solaris, but on not a single one of them, even on the server computers, does there exist the (1960's again) situation of people "write"ing, "finger"ing, "w"ing, or emailing, based on the localhost's username.

Again, good point, but I haven't been in an environment like that for 20 years.

Re:The 1960's Called (2, Insightful)

arndawg (1468629) | more than 5 years ago | (#28998497)

What are you talking about? What good would asterisking the username do? It would result in a longer unkown string, but you should use strong passwords anyway so it shouldn't provide any extra security.

Remembering Complex Passwords? No Problem! (1)

omegakidd (592638) | more than 5 years ago | (#28998353)

One thing that has worked for me is to slowly type random keys while randomly hitting the shift key. This seems to work better for me than using a random password generator. I think it is because I remember the pattern of the keys that my fingers are pressing. One problem I have is remembering which place the password is used for. I usually have to try a couple of different ones to get it right--say if I don't go to that website that often. --- Sorry My English

the truth is... (0)

Anonymous Coward | more than 5 years ago | (#28998383)

At this point, NOBODY should be prompted to enter a password of their choosing every time they go to a website. We have the technology to do much better, even if it is something like "go to this other website, log in, tell it what website you want to log in to, and click a button to generate a one-time-use token"

That would be what you do in the event that you DON'T have regular access to your private key (like if your office doesn't allow USB sticks through the door). EVERY other case should be "select username, click "log in", click "okay" when the confirmation pops up"

Title (0)

Anonymous Coward | more than 5 years ago | (#28998385)

say they find more problems with password management than antivirus applications when they do security assessments

This doesn't have any relation to the quantity of break-ins resulting from poor passwords compared to the quantity for poor anti-virus, as the title would suggest.

RSA tokens and Etrade (2, Insightful)

zerofoo (262795) | more than 5 years ago | (#28998587)

My Etrade accounts have a traditional password with the requirement of an RSA token. This seems to be a great solution to the password problem.

The first part of the password is easy to remember, the second is changed every 60 seconds by the token.

It is a bit less convenient than a standard password, but that is the price to be paid to secure a bank account.

-ted

Password Research (0)

Anonymous Coward | more than 5 years ago | (#28998631)

Password guessing is really not that big of a threat - most (and I know not all) websites have a sane policy about the number of times you can guess within a given time period. There's a great research paper about this:

http://www.usenix.org/event/hotsec07/tech/full_papers/florencio/florencio.pdf

1Password (2, Insightful)

davebarnes (158106) | more than 5 years ago | (#28998649)

Strong, weak.
Your choice.
Use 1Password t manage them all.

No one asks why? (1)

Xeno man (1614779) | more than 5 years ago | (#28998687)

One big problem is no one asks what they are protecting. I worked at a call center (yes it was shitty) and I had a password to log on to the computer, a password to log into the phone system, a password to log into the call log system, and if I did email support another password for that. All cycled monthly. 4 constantly changing passwords all to prevent someone else from doing my job? What a waste of time. I didn't have access to personal information, no power to authorize free stuff, the only reason someone could have to use my account was to screw me over and try to get me fired. (Which I would have loved by the end of it) A lot of security could be eliminated if people ask what they are trying to protect and make things a lot easier for those that actually need access.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?