
Please Do Not Change Your Password

CmdrTaco posted about 4 years ago | from the my-password-is-trustno1 dept.

Security 497

cxbrx writes "Mark Pothier's Boston Globe article, 'Please do not change your password,' covers a paper by Microsoft Researcher Cormac Herley, 'So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users,' from the 2009 New Security Paradigms Workshop. Herley argues 'that user's rejection of the security advice they receive is entirely rational from an economic perspective.' Herley discusses 'password rules,' 'teaching users to recognize phishing sites by reading URLs,' and 'certificate errors.' Users obviously choose bad passwords, but does password aging actually help? There was some discussion on TechRepublic. I'm especially interested in hearing about studies about password aging."


497 comments

The best password is: (5, Funny)

Anonymous Coward | about 4 years ago | (#31834526)

hunter2

Please let me use the same password (5, Insightful)

Hatta (162192) | about 4 years ago | (#31834548)

We have a password expiration policy at my work. Every time I change my password I have to memorize a new one. So I pick a password that's easy to remember, as such it's also easy to guess. If I could just memorize a password once, and keep it forever I'd be using a password that's essentially random. This policy is nonsense.

Re:Please let me use the same password (1, Informative)

Anonymous Coward | about 4 years ago | (#31834626)

Pretend it would take about two months of processing time for a computer or cluster of computers to crack your 16 character length password with symbols, uppercase, lowercase and numbers. Now imagine that if your password were to be changed every month that the two month duration attempt to crack the password is useless since the password has changed and another two month attempt would have to be initiated.

Re:Please let me use the same password (5, Funny)

oldspewey (1303305) | about 4 years ago | (#31834690)

What a waste of a perfectly good pretend. No thanks, I'm going to pretend I'm on a white sand beach in Thailand, gentle waves lapping at the nearby shoreline, while I sip gin tonics and a dainty masseuse massages my pale white calves.

Re:Please let me use the same password (3, Insightful)

Skarecrow77 (1714214) | about 4 years ago | (#31834714)

I was under the impression that the -vast- majority of compromised passwords were due to either social engineering (Hey, this is "Bill from IT", I need your password to fix that "performance issue" you're having) or sheer neglect on the part of the user (password on a post-it on the monitor). Am I mistaken?

Re:Please let me use the same password (4, Funny)

Shakrai (717556) | about 4 years ago | (#31835020)

Am I mistaken?

Please provide me with your social security number, birthday and mailing address so that I may answer your question.

Re:Please let me use the same password (0)

Anonymous Coward | about 4 years ago | (#31834802)

Two months? For a 16 char full keyboard random password? More like two hundred years.
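The two comments above disagree by a factor of about a trillion on how long a 16-character full-keyboard password survives brute force, and the first one argues that rotation invalidates a search in progress. The following added example (not code from either poster) puts numbers on both claims; it assumes a 95-symbol printable-ASCII alphabet and a guessing rate you supply, and computes the expected time to exhaust half the keyspace, the fraction of the keyspace an attacker can cover before a rotation deadline, and the shortest length at which rotation buys nothing because the expected crack time already exceeds a chosen lifetime.

```python
# Added example: keyspace arithmetic behind password-aging arguments.
# Assumptions: uniformly random passwords, an attacker who must try every
# candidate (no dictionary shortcut), and a fixed guessing rate.
SECONDS_PER_YEAR = 365.25 * 86400


def expected_crack_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time to find a random password: half the keyspace at the given rate."""
    keyspace = alphabet_size ** length
    return (keyspace / 2) / guesses_per_second / SECONDS_PER_YEAR


def fraction_searched_before_rotation(alphabet_size: int, length: int,
                                      guesses_per_second: float, rotation_days: int) -> float:
    """Share of the keyspace an attacker can enumerate before the password is rotated.

    Near 0 means rotation changes nothing (the search would not have finished anyway);
    1.0 means the password would have fallen inside the rotation window regardless."""
    keyspace = alphabet_size ** length
    guesses = guesses_per_second * rotation_days * 86400
    return min(1.0, guesses / keyspace)


def min_length_for_lifetime(alphabet_size: int, guesses_per_second: float, years: float) -> int:
    """Smallest length whose expected crack time exceeds the wanted lifetime."""
    budget = guesses_per_second * years * SECONDS_PER_YEAR
    length = 1
    while alphabet_size ** length / 2 < budget:
        length += 1
    return length


if __name__ == "__main__":
    # 16 random printable characters against 10^12 guesses/s (an assumed, generous rate)
    print(f"{expected_crack_years(95, 16, 1e12):.3g} years expected")
    print(f"{fraction_searched_before_rotation(95, 16, 1e12, 30):.3g} of keyspace per 30 days")
    # 8 random lowercase letters against 10^9 guesses/s
    print(f"{expected_crack_years(26, 8, 1e9):.3g} years expected")
    print(f"{min_length_for_lifetime(95, 1e12, 100)} chars needed for a 100-year lifetime")
```

At 10^12 guesses per second a random 16-character password takes on the order of 10^11 years, so monthly rotation covers a negligible slice of the keyspace; an 8-character lowercase password at 10^9 guesses per second falls in minutes, and no rotation interval a human tolerates is short enough to help. The arithmetic only holds for random passwords; the human-chosen ones discussed in this thread are attacked by dictionary and pattern rules, not by exhaustive search.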

Re:Please let me use the same password (5, Insightful)

oldspewey (1303305) | about 4 years ago | (#31834630)

And don't forget the arbitrary rules put in place to ensure "strong" passwords - with each ruleset being different depending on the environment or portal being secured. My personal favourite: "No repeating characters allowed." Super idea! Let's force users to weaken their passwords by eliminating the possibility of duplicate characters in strategic locations.

Re:Please let me use the same password (1, Funny)

ColdWetDog (752185) | about 4 years ago | (#31834692)

Here's a nice argument to beat the Password Police over the head with (from TFA):

In the paper, Herley describes an admittedly crude economic analysis to determine the value of user time. He calculated that if the approximately 200 million US adults who go online earned twice the minimum wage, a minute of their time each day equals about $16 billion a year. Therefore, for any security measure to be justified, each minute users are asked to spend on it daily should reduce the harm they are exposed to by $16 billion annually. It's a high hurdle to clear.

Hey, I make more than double the minimum wage! Yeah, no more passwords for me!!!!

Oops. I'm salaried. Shit.

Re:Please let me use the same password (0)

Anonymous Coward | about 4 years ago | (#31835180)

I recently tried to register with some random website (I don't remember which one) and the password policy was so strict & detailed as to greatly shrink the brute-force search space.

IIRC, the password must:

* be 6 to 12 characters long
* include at least 1 letter and 1 number (symbols not allowed)
* not include duplicate letters & numbers (the rule you mentioned)
* not include sequential letters or numbers (i.e. if you used the number '3', you couldn't use '2' or '4' anywhere in the password)
* not include a set of numbers with equal parity (i.e. '7' and '9' were not allowed as the only numbers, but '7', '4' and '9' were allowed)

I think there was one more rule, but I don't remember.

I'm sure some PHB read the Cliff Notes version of an article on password security and decided to "get tough" and use all known possible password policies.
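The rule set above is a good illustration of how composition rules discard candidates rather than add them. The added example below (not the poster's code) encodes those rules as a checker and then samples random 36-character-alphabet strings to estimate what fraction of the naive keyspace survives; everything the post leaves ambiguous is an assumption marked in the comments: letters are treated case-insensitively, "sequential" means no two characters of the same class that are neighbours in alphabet or digit order, and the parity rule is applied only when a password contains two or more digits.

```python
# Added example: a policy checker for the rules listed in the comment above, plus a
# Monte Carlo estimate of how much of the naive keyspace those rules leave.
import math
import random
import string

ALPHABET = string.ascii_lowercase + string.digits  # assumed: letters are case-insensitive


def policy_allows(pw: str) -> bool:
    """Return True if pw satisfies the posted rules, as interpreted here."""
    pw = pw.lower()
    if not 6 <= len(pw) <= 12:                      # 6 to 12 characters long
        return False
    if any(ch not in ALPHABET for ch in pw):        # symbols not allowed
        return False
    letters = [ch for ch in pw if ch.isalpha()]
    digits = [ch for ch in pw if ch.isdigit()]
    if not letters or not digits:                   # at least 1 letter and 1 number
        return False
    if len(set(pw)) != len(pw):                     # no duplicate characters
        return False
    # No sequential letters or numbers anywhere in the password: if '3' is used,
    # neither '2' nor '4' may appear (assumed to apply to letters the same way).
    for group in (letters, digits):
        codes = sorted(ord(ch) for ch in group)
        if any(b - a == 1 for a, b in zip(codes, codes[1:])):
            return False
    # Digits must not all share one parity (assumed to apply only with 2+ digits).
    if len(digits) >= 2 and len({int(d) % 2 for d in digits}) == 1:
        return False
    return True


def estimate_allowed_fraction(length: int, samples: int = 20000, seed: int = 1) -> float:
    """Fraction of uniformly random strings of this length that the policy accepts."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        candidate = "".join(rng.choice(ALPHABET) for _ in range(length))
        if policy_allows(candidate):
            hits += 1
    return hits / samples


def effective_bits(length: int, fraction: float) -> float:
    """log2 of the surviving keyspace: naive keyspace scaled by the accepted fraction."""
    if fraction <= 0:
        return 0.0
    return math.log2(len(ALPHABET) ** length * fraction)


if __name__ == "__main__":
    for length in (6, 8, 12):
        frac = estimate_allowed_fraction(length)
        print(f"length {length}: {frac:.3%} accepted, "
              f"{effective_bits(length, 1.0):.1f} -> {effective_bits(length, frac):.1f} bits")
```

Because the rules are a filter, the accepted fraction can only shrink the keyspace; run it at length 8 and the loss is several bits before anyone has even started guessing the human habits the rules were meant to suppress. Note that `hunter2` fails this policy because `t` and `u` are adjacent letters.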

Re:Please let me use the same password (1)

rattaroaz (1491445) | about 4 years ago | (#31835196)

My personal favorite: "must have an alphanumeric character in the password." So, instead of "password," you use "password1." Wow. I feel a lot safer now.

Re:Please let me use the same password (1)

Sparckus (1158609) | about 4 years ago | (#31835208)

My personal favourite: "No repeating characters allowed." Super idea!

No. 1 reason a good few of the people at my work forget their passwords all the time; the ones that do 'remember' write it down and either:

a) Stick it under the monitor for all to see
b) Put it in the top drawer of their desk which is always unlocked.

Fucking superb security policy if you ask me.

Re:Please let me use the same password (5, Informative)

Bearhouse (1034238) | about 4 years ago | (#31835212)

And don't forget the arbitrary rules put in place to ensure "strong" passwords - with each ruleset being different depending on the environment or portal being secured. My personal favourite: "No repeating characters allowed." Super idea! Let's force users to weaken their passwords by eliminating the possibility of duplicate characters in strategic locations.

Indeed. Similar to the Enigma: http://en.wikipedia.org/wiki/Enigma_machine [wikipedia.org]
Where a misguided decision was taken to never let a character be encoded to itself. This actually weakened the cypher: http://en.wikipedia.org/wiki/Cryptanalysis_of_the_Enigma [wikipedia.org]

Re:Please let me use the same password (4, Insightful)

r_jensen11 (598210) | about 4 years ago | (#31834698)

We have a password expiration policy at my work. Every time I change my password I have to memorize a new one. So I pick a password that's easy to remember, as such it's also easy to guess. If I could just memorize a password once, and keep it forever I'd be using a password that's essentially random. This policy is nonsense.

Password rotation doesn't help with hackers, but it helps when a coworker learns what your password is.

Re:Please let me use the same password (2, Insightful)

b0bby (201198) | about 4 years ago | (#31834986)

Mod this up - this is especially relevant when it's a former coworker.

Re:Please let me use the same password (1)

Bert64 (520050) | about 4 years ago | (#31835116)

Also consider how the passwords are stored...
If they're salted SHA512 hashes, then a reasonably complex non-dictionary password will be virtually impossible to brute force...
If they're stored using the encryption schemes present in windows, then it doesn't matter how complex your password is - it can still be easily cracked (trivially if lanman is enabled), or you can simply use the hash without cracking it.
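The storage point above matters more than any rotation interval: an unsalted digest of a password is the same for every user who chose it and can be precomputed, whereas a salted, iterated verifier has to be attacked one account at a time. The added example below (not the poster's code) contrasts the two with Python's standard library; the PBKDF2 iteration count is an assumed work factor, not a recommendation from the page.

```python
# Added example: unsalted fast hash versus salted, iterated password verifier.
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor; tune to your hardware and latency budget


def store_unsalted(password: str) -> str:
    """The weak form: one fast hash, no salt. Equal passwords give equal digests,
    so a single precomputed table cracks every account at once."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The stronger form: a random per-account salt and an iterated KDF.
    Returns (salt, verifier); both are stored, neither is secret."""
    if salt is None:
        salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return salt, verifier


def verify_salted(password: str, salt: bytes, verifier: bytes) -> bool:
    """Recompute under the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, verifier)


if __name__ == "__main__":
    # Two users who both picked the same (constructed) password.
    print("unsalted equal:", store_unsalted("hunter2") == store_unsalted("hunter2"))
    salt_a, ver_a = store_salted("hunter2")
    salt_b, ver_b = store_salted("hunter2")
    print("salted equal:  ", ver_a == ver_b)
    print("login ok:      ", verify_salted("hunter2", salt_a, ver_a))
    print("wrong password:", verify_salted("hunter3", salt_a, ver_a))
```

The salt defeats shared precomputation and the iteration count raises the per-guess cost; what neither does is help if the stored value can itself be replayed as a credential, which is the "use the hash without cracking it" case the comment refers to, so the verifier must only ever be compared server-side, never accepted as proof of knowledge.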

Re:Please let me use the same password (4, Insightful)

DarkOx (621550) | about 4 years ago | (#31835146)

What it might do is limit exposure. Suppose someone guesses a password. They are not a hacker, and even having guessed a password they perhaps lack privileges to make any systemic changes giving them a back door. Having a rotation policy ensures they are only reading your CEO's e-mail for 90 days rather than years undetected.

Re:Please let me use the same password (0)

Anonymous Coward | about 4 years ago | (#31835210)

Or the password is shared. Shared passwords should be aged. Yes I know in theory passwords should not be shared, but in the real world some accounts are shared.

If you can change the systems that require shared passwords to not require them, good for you. Otherwise, you just have to change those passwords regularly (or immediately when one of the holders changes role/jobs).

The weakest links are going to be pwned whether you force them to change their passwords every day or not. A hacker could send them a password form to help them "change" their passwords, or "Fill this in and you won't have to change your passwords so often", or just put a trojan/sniffer on their machine.

So if security is important you'd have to assume they WILL get pwned one day and design your systems accordingly. Or just assume that every now and then most of your systems are going to get pwned.

Re:Please let me use the same password (1)

Jurily (900488) | about 4 years ago | (#31834728)

Agreed. Show me one user who will memorize even two strong passwords for you. The more often you force them to change it, the more simplistic they will change it to. Is this what you want?

If you're lucky, they'll just append something to the end of the old one, thus making the change pointless.

Re:Please let me use the same password (1)

Bert64 (520050) | about 4 years ago | (#31835136)

Any well implemented password strength checking algorithm will reject a change of password which is based on the old one with a few characters appended - cracklib (installed by default on most linux distros) for example will reject that.

Re:Please let me use the same password (2)

sexconker (1179573) | about 4 years ago | (#31835170)

I was going to post about how I'm a user and I have plenty of strong passwords memorized.

Then I remembered I was forced to change one of them recently.

One I haven't used since.

Then I realized I didn't know what it was.

Then I remembered it, and the wave of panic is over.

Who do I bill for the time wasted, the stress, etc.?

Re:Please let me use the same password (1)

spamking (967666) | about 4 years ago | (#31834734)

This policy is nonsense.

Allowing daily users to have a single password that never expires is nonsense.

Re:Please let me use the same password (1)

Moryath (553296) | about 4 years ago | (#31834736)

It depends on where you are and what level of security you need.

Expiring passwords make sense - IF you are in a situation where you run a regular risk of passwords being exposed.

A worse problem is the fact that people use the same password for everything - bank account, hotmail, gmail, work, etc. One of them gets compromised by someone and all of a sudden their whole life is exposed.

Of course, the best way to get a user to be properly educated about securing their information is to have their identity stolen... but by that time it's usually too late.

Re:Please let me use the same password (1)

rfuilrez (1213562) | about 4 years ago | (#31834746)

Meh. Bullshit excuse IMO. My work has a 90-day expire policy for us who work on the shop floor. I dunno what it is for the people who use it every day. I have a 4 password rotation.
  • [password]!
  • ![password]
  • [password]*
  • *[password]

Pick a password, and a special character modifier and you have your good password, and can change it every 30 days or whatever your policy requires.

Re:Please let me use the same password (1)

Bert64 (520050) | about 4 years ago | (#31835186)

If someone cracks your old password, they could potentially work out your modifier process and calculate your current password. Especially if password histories are saved, such that you can see several revisions at a glance.

Re:Please let me use the same password (1)

Jazz-Masta (240659) | about 4 years ago | (#31834768)

When a user changes their password, a post-it note goes on their monitor for weeks.

If a user picks only one password and keeps it forever, they will typically pick a stronger password, protecting against brute force dictionary attacks.

However, keeping the same password does not protect against malicious ex-employees. I know companies that do not change admin passwords, and although they are complex, previous administrators still have access to certain info if they wish.

Re:Please let me use the same password (0)

Anonymous Coward | about 4 years ago | (#31834838)

Tell it to the various government regulations that mandate that sort of thing.

Re:Please let me use the same password (2, Informative)

Rivalz (1431453) | about 4 years ago | (#31834884)

Find a scheme. Like if it is October 2010, make your password 11Nov2010Ber!!; if it is December, 12Dec2010Ber!!, etc.
Passwords that have rationale behind them are very easy to remember, can be very complex and sometimes easy to type.

Re:Please let me use the same password (4, Insightful)

whois (27479) | about 4 years ago | (#31834928)

There is a flip-side to this. No matter how careful you think you are, you will one day expose your password in the clear. Once that happens you have no way of knowing if anyone was watching.

Typing a password in the wrong terminal, typing a password in the wrong web field and having it auto-search Google for your password, typing your password over a Bluetooth wireless keyboard with unknown encryption, using a telnet session, logging in using a friend's or co-worker's PC that may have been compromised, etc.

Because of all this, it's still a good policy to change passwords on an annual basis, with an immediate password change if you know it's been leaked.

I encourage companies to move to single sign-on, since I consider having to memorize 17 passwords for one company to be more hassle than having to change a password frequently.

Or having to change a password on a system you only login to once every 6 months, every time you login. I hate that. :)

Unfortunately, it doesn't always work out because one centralized password means you trust one department of a company with access to everything (there are workarounds for this, but still company politics gets in the way)

Re:Please let me use the same password (4, Insightful)

Moryath (553296) | about 4 years ago | (#31834974)

I encourage companies to move to single sign-on, since I consider having to memorize 17 passwords for one company to be more hassle than having to change a password frequently.

Single sign-on for a single company is a great idea.

Having your work password, gmail, hotmail, bank password all be the same? BAD idea.

Re:Please let me use the same password (1)

vlm (69642) | about 4 years ago | (#31835122)

Once that happens you have no way of knowing if anyone was watching.

You are confusing authentication/authorization with accounting.

Screwing around in the auth arena, is not a solution for having no accounting system at all.

Re:Please let me use the same password (4, Insightful)

COMON$ (806135) | about 4 years ago | (#31834988)

On our LAN I put rational policies in place. Essentially I look at the threat of an event and what it will take to mitigate it. If I am worried about a brute force attack I can solve that by password rotation or increasing complexity. I let the user choose which they are comfortable with. Some users don't want to use a passphrase so they have to change their password more often. Other people have realized that "I love my dog fluffy." is really easy to remember and since it meets my complexity and length requirements I make the password rotation much much longer.

Yes, In 2008 AD you can do granular password policies, and yes this works VERY well. Not only do I have a pile of users with 15+ characters, I have users who WANT to use these passwords.

I find that when you give the users a choice and work with them, security goes much smoother. Users will always take the easiest way out, every time.

Re:Please let me use the same password (1)

g253 (855070) | about 4 years ago | (#31835198)

Yes, In 2008 AD you can do granular password policies, and yes this works VERY well. Not only do I have a pile of users with 15+ characters, I have users who WANT to use these passwords.

(dramatic voice)
Welcome to the world of tomorrow!

Re:Please let me use the same password (1)

mcgrew (92797) | about 4 years ago | (#31835028)

From TFA:

That poses a challenge for the security industry, Herley said. While doctors can cite statistics showing smoking causes cancer, and road-safety engineers can produce miles of numbers supporting seat belt use, computer security professionals lack such compelling evidence to give their advice clout. "Unbelievable though it might seem, we don't have data on most of the attacks we talk about," he said. "That's precisely why we're in this 'do it all' approach."

Security professionals have no scientific evidence their advice is sound, according to TFA.

It goes into the password expiration paradigm as well, pointing out that if someone steals your house key, they're not going to give you time to change the locks; they're breaking in immediately.

Where I work, I use two silly made up words, followed by numbers, as the password, since I actually have to remember what it is to log onto the PC. For websites, ironically I use strong passwords because I don't have to remember them; either cookies or Firefox will remember them for me, and nobody ever makes me change them. I keep them written down on a piece of paper, just in case. Plus, getting a password reset at a web site is a hell of a lot less hassle than getting it reset at work.

Re:Please let me use the same password (1)

Bert64 (520050) | about 4 years ago | (#31835048)

Depending on how it's implemented... If it's using the default options built in to Active Directory for instance, then the password policy only really pays lip service to security while still being extremely weak...
You might be required to use mixed case letters and numbers, and change your password every month or so... But it still doesn't stop you having weak passwords; for instance "Password1" is perfectly valid under every implementation I've seen, and when it forces you to change your password "Password2" works just fine. Eventually it forgets your old passwords so you can simply wrap back round to Password1.

It also only remembers a fixed number of passwords, not any password for a particular length of time... Which means you now need such nasty kludges as setting a minimum password age to avoid people wrapping the password round quickly.

If forced to change your password, just increment a number at the end...

But you are right, forcing someone to change a password regularly forces them to remember new passwords regularly, choose a poor change policy (like the incrementing numbers), or write their passwords down.
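Several posts in this thread describe the same workaround (append a symbol, increment a trailing digit, rotate a fixed modifier) and Bert64 notes that cracklib rejects changes that merely append to the old password, while also pointing out that a leaked old password reveals the modifier scheme. The added example below (my code, not cracklib and not anyone's posted code) shows the kind of similarity check a change-password handler can run while it still has both the old and the new password in memory: it strips digits, punctuation and case to a "core", rejects a new password whose core equals or contains the old one, and rejects small edit distances. The thresholds are assumptions chosen for illustration.

```python
# Added example: reject password changes that are trivial edits of the old password.
import string

_STRIP = string.digits + string.punctuation


def _core(pw: str) -> str:
    """Lower-case the password and drop every digit and punctuation mark, so that
    'Password1', 'Password2', '[pw]!' and '![pw]' all collapse to the same core.
    If nothing is left (an all-digit password), fall back to the lower-cased original."""
    low = pw.lower()
    core = "".join(ch for ch in low if ch not in _STRIP)
    return core or low


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_change(old: str, new: str):
    """Return None if the new password is acceptable, otherwise a reason string."""
    if old.lower() == new.lower():
        return "unchanged apart from letter case"
    old_core, new_core = _core(old), _core(new)
    if old_core == new_core:
        return "only digits, symbols or case differ from the old password"
    if old_core in new_core or new_core in old_core:
        return "new password contains (or is contained in) the old one"
    # Assumed threshold: at most 2 edits, or a quarter of the longer core's length.
    limit = max(2, max(len(old_core), len(new_core)) // 4)
    if levenshtein(old_core, new_core) <= limit:
        return "too similar to the old password"
    return None


if __name__ == "__main__":
    # Constructed pairs drawn from the schemes described in this thread.
    for old, new in [("Password1", "Password2"), ("hunter2!", "!hunter2"),
                     ("Correct-Horse", "Correct-Horse-Battery"),
                     ("11Nov2010Ber!!", "12Dec2010Ber!!"),
                     ("correct horse", "battery staple")]:
        print(f"{old!r} -> {new!r}: {check_change(old, new) or 'accepted'}")
```

The digit-increment and symbol-modifier schemes are all caught because their cores are identical, and appending a word is caught by the containment test. The month-name rotation from the date scheme is not caught (`novber` versus `decber` is three edits apart), which is exactly Bert64's point: a checker can only compare the two passwords it sees, while an attacker holding one old password can infer the whole scheme, so similarity rules reduce the problem without removing it.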

Re:Please let me use the same password (0)

Anonymous Coward | about 4 years ago | (#31835120)

Try doing that on a dozen or two dozen different systems at any given time. Not only do I have a problem but my users do as well. Most of them just write them down somewhere. My favorite is the one taped under the keyboard.

Re:Please let me use the same password (1)

marcansoft (727665) | about 4 years ago | (#31835172)

Just do what I do. I use relatively strong passwords. On places which require password replacement, I just append an ever-incrementing number, while still keeping the strong password part. This effectively bypasses the aging and lets you keep using the same password (a single incrementing number should be easy to remember, and you can always try a few times).

Re:Please let me use the same password (1)

Foxxxy (217437) | about 4 years ago | (#31835176)

We have a password policy as well, with the no repeating characters, previous 10 passwords not allowed, not allowed to change the password twice in 48 hours, must have special character, upper and lower case and numbers, can't contain any part of user ID or name, must be 9 characters in length, must start with a letter... and that is just the domain password; rules for internal systems are just as crazy but some don't allow special characters etc., so you are forced to maintain 50 passwords and user IDs even though LDAP is the "only standard moving forward".

I sit next to the security teams, on password change day I yell and then remove the piece of paper on my cube's name badge and replace it with the updated passwords. They don't like me. I have proved that leaving your user ID and password at sight level at your cube doesn't mean someone will use it.... so far

Jews for Nerds! (-1, Troll)

Anonymous Coward | about 4 years ago | (#31834572)

Jews, also known as kikes, hebes, hymies, yids, gold niggers, oven magnets, hook noses, sheenies, swindlers, criminals, "firewood", and Arabs in denial are a subhuman species of reptilian extra-terrestrials and adherents to one of the world's oldest major religions, called "Judaism", otherwise known as "The Worship of Money" or "Eating Arab Babies".

Judaism was the world's first master race theory. The Jew religion teaches that Jews are the Chosen People of God and that there is a sacred mystical quality to Jew DNA. In olden times, Jew prophets would, under the command of YHWH, frequently lead the Jews on genocidal rampages against neighboring populations, and even today Jew leaders often cite Jewish religious ideals to justify their ongoing genocide of sandniggers. Judaism ironically found its mirror-image inversion in the anti-Jew Aryan racialism of the Nazis.
Despite only being 0.22% of the world's population, Jews control 99% of the world's money. Not only do the Jews control the world, but also the media, the banks, the space program, and LiveJournal's porn communities and Gay communities. All Jews possess the following features: an extremely large nose, fake boobs, curly hair that reeks of faggotry, one of those gay hats, a love of coke, a law practice, a roll of money, a small cock, or shitty taste in dental hygiene.

Jews invented both Communism and Capitalism. Karl Marx, of course, was a Jew, which was why he understood money so well, and in fact he was converted to Communism by another Jew, Moses Hess, the actual founder of Zionism, who ghost-wrote Marx's The German Ideology. Capitalism was created when Christian Europeans threw away their morals and decided to embrace Jewish practices like usury (see: John Calvin). Jews were the first group to create a sophisticated banking system, which they used to fund the Crusades in order to pit Christians and Muslims (both adhering to religions derived from and controlled by Jews) against each other to kill as many people as possible in a macabre human sacrifice to YHWH.

The Jew banking system was based on fraud and lies, so when it inevitably collapsed, the Jews just pwned as many people as possible by unleashing the Black Plague on them. Later, Jews economically controlled medieval Venice (the first modern maritime trade empire), and then crypto-Jewish merchants economically controlled the Spanish Empire, including the slave trade. Openly Jewish bankers orchestrated the Dutch Empire and founded Jew Amsterdam (later Jew York). Later the Dutch Jews moved to London because they thought it would be a better base for a global empire, and actually brought a Dutch nobleman, William III, with them, who they installed in a coup d'état (more like Jew d'état, amirite?) as new King of the British Empire. For hundreds of years, Jewish bankers controlled global trade through their bases in Jew York City and London. European colonialism was, through its history, essentially a plot whereby Jews could gain control of gold and diamond mines in poor countries and increase their stranglehold over the global economy.

Jews also enjoy slicing up baby penises for fun, some even enjoy sucking them. See below.

Jews also created Jew search engine Google, so now they can find all Jew information on Internets.

Some suggest that we should use Jews instead of dogs to sniff out large amounts of concealed cash or anything else worth smuggling at airports due to their sensitive Jew noses. Obviously, this is a horrible idea, because the pay is bad, and the dirty Kikes would probably form a union and demand moar money, thus increasing the burden on taxpayers everywhere.

Logical Inconsistency (0, Offtopic)

TheMeuge (645043) | about 4 years ago | (#31834894)

I've always found it curious that anti-Semites generally claim that Jews are somehow inferior or sub-human, and then assign them unparalleled power to swindle and deceive, and claim that the Jews control most/all governments or most/all money.

The two concepts, are mutually exclusive. If the Jews were inferior, they would never have been able to control everyone else who is of higher intelligence and ability.

The logical conclusion, is that IF you are right and the Jews control all money and all governments (and have done so throughout known history), then they are clearly far superior to the rest of humanity and whatever sufferings you may ascribe to their victims, are merely the inevitable pains of one species being superseded by a further evolved descendant.

In essence, if your conspiracy theories are correct, that means that YOU are inferior to the Jew, and your skull will be examined by the Jew descendants a thousand years from now in a museum... right next to Australopithecus and Neanderthal.

Re:Logical Inconsistency (0, Offtopic)

Artifice_Eternity (306661) | about 4 years ago | (#31835038)

See also: "Those lazy immigrants are sitting around getting fat and breeding on the taxpayer's dime! Also, they're taking all our jobs!" Which one is it? It can't be both.

Totally in time. (4, Funny)

Anonymous Coward | about 4 years ago | (#31834596)

"Change your passwords and be rooted." -- JIRA attackers.

phishy site (0)

vxice (1690200) | about 4 years ago | (#31834660)

Hi, yes, it is time to update your password. Please enter below your current password and new password. Then the phishy site changes it for you, logs you in, and has two of your passwords. Profit.

Password aging isn't in touch with the real world (4, Insightful)

Skyshadow (508) | about 4 years ago | (#31834666)

Password aging is one of those policies that sounds like it makes some degree of sense only if you don't have any understanding of human nature.

Here in reality, forcing people to change their password every 30 or 60 or 90 days only has a few possible results:

(1) A lot more people writing down passwords and sticking them to their monitors. Who the hell can remember a new eight-digit string of nonsense every month?
(2) A lot more easy-to-guess passwords
(3) Incremented passwords (FuckTheSecurityGuys14)

This is why I consider password policies a great indicator of where your IT department is on the "keepin' it real" scale: No restrictions: your IT people are idiots and don't care about or understand security. Reasonable restrictions (min 8 characters, letters and numbers): you're in the sweet spot. Passwords that expire every 15 minutes: your IT people are idiots and don't care about or understand security.

Re:Password aging isn't in touch with the real wor (1)

Shakrai (717556) | about 4 years ago | (#31834732)

Passwords that expire every 15 minutes, your IT people are idiots and don't care or understand security.

You neglected one possibility: Your IT people are sadists who are sick of dealing with lusers ;)

Re:Password aging isn't in touch with the real wor (2, Insightful)

Moryath (553296) | about 4 years ago | (#31834856)

You neglected another possibility: your security restrictions were set by some dumbass in a state legislature who read some paper or book regarding "IT Security" and passed laws and regulations for government agencies...

Re:Password aging isn't in touch with the real wor (2, Informative)

Itninja (937614) | about 4 years ago | (#31834758)

Yes, yes. This is all very fine. Until there is a massive security breach (like this recent one [thejournal.com] ) and the CEO is looking for a place to drop the blame-hammer. Password aging may have had nothing to do with the breach, but who cares? The IS dept didn't have one? It's their fault then....

Re:Password aging isn't in touch with the real wor (5, Insightful)

ConceptJunkie (24823) | about 4 years ago | (#31834990)

And this points to a huge problem in IT departments, companies in general and our whole society. So much effort needs to be put into CYA activities, not because you're not doing your job right, but because you are liable to be subject to the whimsical judgement of stupid or ignorant people. Appearing to do the right thing is perceived as much more important than actually doing the right thing because failures of appearance tend to have much worse consequences. Look at Congress: 90% of what they do is so they appear to be taking positive action on some issue, regardless of the effects it will have. And for them, it clearly works because they keep getting re-elected despite being the most consistently incompetent group of people drawing a salary in the U.S.

Mod parent up. (1)

khasim (1285) | about 4 years ago | (#31835222)

Not so much for the Congress comments but for the recognition that "blame" is POLITICAL.

It isn't about the facts or the obvious consequences of human nature + rule X.

It's about CYA and playing political games so that other people get stuck with the blame.

Re:Password aging isn't in touch with the real wor (1)

CannonballHead (842625) | about 4 years ago | (#31834778)

(4) Users who actually come up with relatively easy-to-remember passwords that make sense to them and are difficult to guess.

But I guess, to make a point, one has to ignore the possible good outcome ;)

In general though, I agree that your #s 1-3 are going to be a lot more prevalent.

Re:Password aging isn't in touch with the real wor (1)

Skarecrow77 (1714214) | about 4 years ago | (#31834848)

Passwords that expire every 15 minutes, your IT people are idiots and don't care or understand security.

SSID?

Re:Password aging isn't in touch with the real wor (2, Insightful)

Shotgun (30919) | about 4 years ago | (#31834872)

Password aging is one of those policies that sounds like it makes some degree of sense only if you don't have any understanding of human nature.

The stereotype is that computer geeks can't get a date or fit into social situations. Why? Because they don't understand human nature. And who is in charge of setting the password policy? The geekiest guy in the organization. I see a major issue.

Re:Password aging isn't in touch with the real wor (3, Insightful)

tsalmark (1265778) | about 4 years ago | (#31834914)

Password aging does not prevent the cracking of passwords; it prevents leaving compromised accounts around forever.

Password aging made sense, once upon a time. When the biggest issue was resource theft, changing passwords every few months cleaned out the unintended access some people had, either nefariously or through chance (old unclosed account and what have you).

Now with the speed of automated hacking tools password rotation is less than useless as a defense.

Re:Password aging isn't in touch with the real wor (2, Interesting)

0100010001010011 (652467) | about 4 years ago | (#31834950)

I've been doing columns of keys on the keyboard. It's going to be a long time before I run out, and it meets most requirements (sometimes I hit caps lock for the second set). Plus, logging in takes almost no time at all.

1qaz2wsx
1qaz3edc
2wsx3edc
1qaz4rfv
2wsx4rfv
3edc4rfv
1qaz5tgb

Re:Password aging isn't in touch with the real wor (3, Funny)

NeoSkandranon (515696) | about 4 years ago | (#31835220)

Man, I just looked down at my kb thinking you had a good idea, then was REALLY confused for a minute.

Then I remembered I'd messed the keys around to fuck with people who looked over my shoulder.

Re:Password aging isn't in touch with the real wor (3, Funny)

Starteck81 (917280) | about 4 years ago | (#31835062)

I often tell people at work I'll be adding a squirrel noise requirement to the password policy next month. I always expect them to laugh, but they usually just have a horrified look on their face that reads something like 'you can do that?'. I then have to calm them down and tell them I'm only kidding.

Subject-verb agreement (-1, Offtopic)

edittard (805475) | about 4 years ago | (#31834670)

that user's rejection of the security advice they receive

Subject-verb agreement. Look it up.

Re:Subject-verb agreement (0)

Anonymous Coward | about 4 years ago | (#31834798)

That is a sentence fragment. Look it up.

Re:Subject-verb agreement (2, Informative)

Homburg (213427) | about 4 years ago | (#31835098)

Perhaps you should take your own advice, and find out what "subject-verb agreement" means? Neither "user" nor "they" is a verb or a subject, so I'm not sure how subject-verb agreement could be relevant here.

If you meant "pronoun agreement," you're still wrong. "They" agrees perfectly with a singular noun of indeterminate gender.

Password aging does *not* help (4, Insightful)

bradley13 (1118935) | about 4 years ago | (#31834682)

Password aging is not only irritating for users, it causes them to choose even worse passwords, or to write their passwords down. If you are lucky, and they do neither of these, then it is very likely that they will use "strong-password-1", "strong-password-2".

Re:Password aging does *not* help (0)

Anonymous Coward | about 4 years ago | (#31834796)

I wish you guys would stop posting my passwords.

Re:Password aging does *not* help (2, Interesting)

DMUTPeregrine (612791) | about 4 years ago | (#31835000)

I do roughly that. I use "strong-password-2.718281828459" "strong-password-3.1415926535" "strong-password-1.6180339887" and so-on and so forth. It goes from "guess the 20-character random string" to guess the constant of the month.

Re:Password aging does *not* help (1)

dfxm (1586027) | about 4 years ago | (#31835182)

However, if a password is compromised, the attacker only has a limited amount of time to access the account. If passwords never expired, an attacker would always be able to access the account. Security is always a trade-off. I feel like the risk of (potentially) weak passwords is not worth the trade-off of an attacker having a potentially unlimited amount of time to work with. Weak passwords can be mitigated with a strong password policy. If your systems are such that one break-in is all it takes, then you are right, it doesn't matter. But if having access for a longer time means an attacker can do more damage, then why not expire passwords?

It's all about the trade-off. There is no one "right" way to do it.

Password aging and complexity = lists (2, Interesting)

SteelRat (11640) | about 4 years ago | (#31834706)

If anyone gathered metrics on such practices, I would bet that for most environments, they would find that it yields the opposite effect of what is intended.

It makes strong passwords and lots and lots of password lists under keyboards, in text files, and on post-it notes.

I gave a little talk [gorrie.org] at a Toorcon [toorcon.org] event a couple years ago where I included some pictures of password lists found in the wild.

I think everyone competent knows about these things, they just choose not to say anything about it because it is a "best practice."

Re:Password aging and complexity = lists (2, Insightful)

John Hasler (414242) | about 4 years ago | (#31835108)

Please cite some incidents traceable to the writing down of passwords.

IMHO users should be instructed to write their passwords down in a little black book and to keep that book in their wallets with their money and credit cards. The company should issue the book and teach the employees how to record passwords in it, how to keep it secure, and what to do if it is stolen or lost.

Look at it logically... (1)

HerculesMO (693085) | about 4 years ago | (#31834724)

If your password is 365 days old and not hacked, how is it any MORE secure if you change it and it becomes 3 days old?

The odds are the 3 day old password is a derivative (and easier to create) of your original, so hacking it will be easier too. In fact, if somehow people got your historical passwords, they could figure out what your next one was.

Where I worked last, I picked the date on the calendar and added it to the end of my regular password. Not secure, but a 30 day interval to change it was brutally annoying.

Dupe! (2, Informative)

howlingfrog (211151) | about 4 years ago | (#31834776)

Less than a month ago. http://news.slashdot.org/story/10/03/16/1931214/Users-Rejecting-Security-Advice-Considered-Rational [slashdot.org]

Kudos to the /. editors for cutting way down on the number of dupes and summary-contradicts-article stories over the past couple of years, but they're certainly not eradicated. Maybe dupe-checking should be part of slashcode--an automatic search for links and link titles that the editor (or submitter?) has to at least scroll past to post.

Re:Dupe! (1)

anglico (1232406) | about 4 years ago | (#31835066)

I thought it did? I've searched before submitting and didn't find the article I was submitting, but then when I pasted the URL and hit Preview it said it was a duplicate.

On password aging... (1)

SmackTheIgnorant (985978) | about 4 years ago | (#31834782)

I think it's time to let "123456" and "password1234" retire.

Oh look, a pun on "aging" and "retire"! ....

Seriously, I see too many people keeping their passwords. Some of the "smarter" people I've met keep the same base 8-10 character password, with a 2-digit month at the end of it. 2-3 week password aging cycle? That 2-digit number gets 1 added to it every change, until they hit however many the cycle has to be, and then they start over again, or change back to 1 every Jan.

How about NON-IT related passwords: I'm talking about bank website, or telephone banking passwords? ATM PIN on their bank / credit card?
We change website, email passwords, network passwords, you bet, but the admin / root password on the systems they monitor?
How about revisiting your accounts on whatever social networks / forums you have and changing their passwords, or better yet, checking out to see if the answer to your "Security question" is available online somewhere? How often should we run the gamut of "What websites do I have a username and password on", and how often should we change THOSE passwords?

Re:On password aging... (1)

Hognoxious (631665) | about 4 years ago | (#31835156)

Seriously, I see too many people keeping their passwords. Some of the "Smarter" people I've met keep the same base 8-10 character password, with a 2 digit month at the end of it.

I've worked in places where that wouldn't work - it checked for common characters.

or better yet, checking out to see if the answer to your "Security question" is available online somewhere?

Try the "forgotten password" procedure; if what they send you is familiar, it means your password is stored in plaintext or a reversible cypher somewhere. (I put on my foil hat) Of course if what they send you is a one-time new PW that looks like a cat ran across your keyboard that doesn't necessarily mean it isn't...

Insane restrictions (1)

webdog314 (960286) | about 4 years ago | (#31834822)

I understand the whole point behind having a secure, random password with a limited life. At the same time, I also have a piss-poor memory for random strings of ASCII characters. I don't work for a government agency, or a company with classified or even proprietary works, yet, even my mindlessly boring personal email account requires an 8 character random string with alpha and numerical characters, no runs, no common words, and no repeats. I don't use that account for ANYTHING secure or private, and if it were to suddenly be paraded to the world for all to see I really couldn't give a damn. So why the hell can't my password be any fraking thing I want?

Why aren't we teaching people general security practices instead of forcing them to pick a password such that the first thing they are going to do is write it down on a little post-it that they store under their keyboard?

i need an example (3, Funny)

fattmatt (1042156) | about 4 years ago | (#31834846)

Could someone post an actual strong password you have in use?

Re:i need an example (2, Interesting)

Jahava (946858) | about 4 years ago | (#31834912)

Could someone post an actual strong password you have in use?

I'll volunteer: 11111. I figure it's such a terrible password that brute-force software, giving humanity the benefit of the doubt, will have removed it as an option for the purposes of optimization. Thus it is the strongest password.

Re:i need an example (0)

Anonymous Coward | about 4 years ago | (#31835054)

************ works pretty well for me.

Re:i need an example (1)

bluefoxlucid (723572) | about 4 years ago | (#31835088)

Sure. The password for my Slashdot account up until last month (when it required me to change it) was gh5826@a45rx

Re:i need an example (1)

j.sanchez1 (1030764) | about 4 years ago | (#31835132)

I use Keepass [keepass.info] /KeepassX [keepassx.org] (depending on the platform I am on). It has a built-in password generator with parameters you can set (length, special characters, spaces, etc...). Below is an actual password I use, generated out of Keepass.

RtpPNm"%6JgN_r@Yqz2/`

Pointless (1)

Stenchwarrior (1335051) | about 4 years ago | (#31834858)

People, in my organization at least, are forced to change after 180 days, but they only change to a slight variation of the previous one. Ex: old password=Password1, new password=1Password. Sure, you can make it so no part of the previous password can be used, but they always find a way around it, thereby making it quite easy to guess.

Now, the military has a completely annoying process, but I think it works pretty well. It not only makes your 10 character alpha-numeric + symbol password change every 180 days, but you have to answer 3 questions that it randomly pulls from a survey of about 30 questions you had to take before you can even log in. That, or use your CAC (common access card) along with a PIN, but that requires a smart card reader and their proprietary client.

The short: No one method will ever be secure enough; you need a combination of methods to make things as safe as possible. Even then, the most skilled hacker will get your shit and there's nothing you can do.

Benefits? (1)

IndustrialComplex (975015) | about 4 years ago | (#31834860)

The real problem with password expiration is that the benefit is not clearly understood.

What does it combat?

Once someone HAS the password, you are faced with a closing-the-barn-door scenario. Anything that could have been taken or accessed likely already was. Granted, you may prevent them from acquiring additional information or access, but you can't be sure that they haven't made any backdoors, even if those backdoors aren't related to your system. With your email, I could easily construct a spear phishing attempt to gather information from people whose passwords were never compromised.

Hey Bill, I'm working with Susan on XYZ project. I know that when you had trouble with the SUBCOMPONENT you resolved that with WHATEVER. I'm running into a similar problem with our SIMILAR SUBCOMPONENT. Could you take a quick look at our approach and give us your opinion?

It works. People want to help.

The real thing that I think this does help, is reducing the risk from Password creep. Everyone knows that we end up using variations on our passwords across domains. I'm willing to bet that at least 80% of people's facebook passwords are also their email passwords. Rotating does help to keep that down, but people fight against it, and likely will change ALL of their passwords to match their newly changed one.

I doubt we will ever convince people otherwise, but it is probably a hell of a lot more cost effective to have simple password rules (Or hell, just a damned physical token with a simple PIN).

Re:Benefits? (1, Informative)

Anonymous Coward | about 4 years ago | (#31835026)

Well here, let me explain it to you.

If I steal a big password file full of hashes, it is going to take me quite awhile to break them assuming some strong security measures are in place. In fact, you can calculate how long it will take to break a user's password. Most NTLM hashes of a reasonable length take at least several days, if not weeks, to crack. Now, if the password never changes, an attacker can wait as long as he needs until Cain or John breaks the password, and when it does, he's good to go. If you force a user to change his password before the attacker can crack it, it doesn't matter if he breaks the hash or not. The goal of the good guys is to make it so that the password expiration timer is short enough that an attacker has a small probability of cracking the password before it needs to be changed.

This policy is not in place for when a password is stolen, it is in place for when a hash is stolen. Letting a password persist forever isn't terribly bright.

Hope this cleared things up.

If only we could use OpenPGP (1)

bwbadger (706071) | about 4 years ago | (#31834876)

The problem with passwords is we all have to 'remember' so many of the darned things.

I really wish I could authenticate by being able to decrypt a secret using my private OpenPGP key. That way I would only need to remember one password, and changing that regularly would be something I could imagine. Changing the swarm of passwords I currently have to deal with is just inconceivable.

User passwords another ineffective IT policy. (1)

irreverant (1544263) | about 4 years ago | (#31834878)

Password machine policies are only effective if they're combined with user password policies. Unfortunately none of this matters when you set users up as admin accounts. Sloppy code writing and ineffectual company policies place users at risk. What has helped in my job is teaching the users effective web navigation, monitoring everything!, letting them know we monitor everything (the honor system - just make them think we see everything) and implicitly denying all incoming requests to our firewall. Unfortunately this is how we do things since our users are too lazy to remember their passwords; they write them down on paper and leave them posted to their desks.

Post-it Note passwords (4, Interesting)

Midnight Thunder (17205) | about 4 years ago | (#31834898)

There is one thing worse than a bad password, and that is one that needs to be written down on a post-it note.

I see password security as an exponential curve, on a graph, reaching a certain peak and then dropping to zero. That dropping point is where the password rules become so complicated that most people would rather write the password down than try to remember it. That piece of paper suddenly becomes your weak point in the security model. For this reason your password policies need to focus on something that is sufficiently secure, but not so secure that it is in effect insecure.

Re:Post-it Note passwords (2, Funny)

cheeks5965 (1682996) | about 4 years ago | (#31835056)

uhh... an exponential curve keeps going up. there's no maximum, no dropping down to zero. Perhaps you're thinking of a bell curve? Feel free to mod this comment down because it provides no useful content and is just kind of snarky. In fact, I should just hit the cancel button instead of the preview/submit buttons. oops...

Rational Behavior (1)

Swanktastic (109747) | about 4 years ago | (#31834964)

The author makes a good point- users see the time cost of missing assignments as more damaging to their career than the benefits of following security protocol to the letter. They're probably right.

What's interesting, I believe, is that the security employee is being fairly rational by implementing every possible security mechanism, eg CYA-type behavior. Security people tend to get a lot of stick-motivation when there's a problem but very little carrot-motivation for minimizing the intrusiveness/timewasting of their protocols. If you're only ever getting feedback when something goes wrong, it's pretty rational as an individual to employ every defense mechanism possible.

Please fix your systems! (4, Interesting)

A Friendly Troll (1017492) | about 4 years ago | (#31835010)

How many times have you seen "the password must be between x and y characters in length and must contain blah blah"?

I want to enter a full sentence. Like "this is my password and you won't be able to guess it, you idiot". You aren't making this possible, because you're thinking like geek programmers who use randomly-generated strings of 8-12 characters by the dozens.

I write code and do inter-office support for my apps. Do you know how many times someone told me "I forgotz my password, halp!!11" after they were instructed to use a full sentence with a minimum of twenty-five characters? Zero. Nobody ever forgot it.

Funny from coming from someone at Microsoft (0)

Anonymous Coward | about 4 years ago | (#31835078)

I wish Microsoft would listen to its own researchers. I work there and we have to change our passwords every 90 days. They have to use characters of various types and you can't reuse a password... ever as far as I can tell. I've never really understood how this was supposed to improve security and often wondered if it made passwords more guessable since a lot of people probably use memorable patterns. I personally couldn't actually tell you what my password was without typing it since it follows a certain pattern on the keyboard.

Free advice, bargain at twice the price - {G} (1)

pugugly (152978) | about 4 years ago | (#31835110)

Password aging should automatically take into account the security of the password someone creates, via some algorithm that estimates 'guessability'.

If it's a dictionary word and number, give it three months. If it's a dictionary word, number, and two symbols, give it six months. If it's a passphrase, all regular dictionary words but not a 'standard' phrase like 'lorem ipsum' or 'The quick brown fox', leave it alone for a couple of years.

In other words - if someone is using a secure password, fuckin' reward them for it!

Plus, if a password is being aged, and it's in its expiration period - give people the entire 14 day (or whatever) period where they can use either the old password or the new password, and every time they use the old one remind them of the new one until they start using it. Let them transition between the two.

Just a couple obvious thoughts - Pug
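The offline-cracking arithmetic behind the Anonymous Coward's "rotate before the hash is cracked" argument above, and the guessability-dependent expiry pugugly proposes, worked through as an added example that is not code from the thread. The dictionary size, guess rate, pattern classifier and sample passwords are constructed assumptions, not figures from the discussion.

```python
import re
from math import log2

# Constructed model parameters for this example (not figures from the thread).
DICT_WORDS = 100_000        # dictionary an attacker tries before anything else
PRINTABLE = 95              # printable ASCII characters
SYMBOLS = 33                # printable ASCII that is neither letter nor digit
SECONDS_PER_DAY = 86_400


def keyspace(password: str) -> int:
    """Rough keyspace, classified by the pattern an attacker would try first.

    Hypothetical, deliberately simple classifier: three or more alphabetic
    words separated by spaces is a passphrase; letters followed by digits and
    symbols is a dictionary word with decoration; anything else is treated as
    uniformly random over printable ASCII.
    """
    words = password.split()
    if len(words) >= 3 and all(w.isalpha() for w in words):
        return DICT_WORDS ** len(words)
    m = re.fullmatch(r"([A-Za-z]+)(\d*)([^A-Za-z0-9\s]*)", password)
    if m:
        _word, digits, symbols = m.groups()
        return DICT_WORDS * 10 ** len(digits) * SYMBOLS ** len(symbols)
    return PRINTABLE ** len(password)


def p_cracked_within(space: int, rate: float, days: float) -> float:
    """Probability that an attacker making `rate` uniform guesses per second
    against a stolen hash finds the password within `days` (capped at 1.0
    once the whole keyspace has been enumerated)."""
    return min(1.0, rate * days * SECONDS_PER_DAY / space)


def expected_crack_days(space: int, rate: float) -> float:
    """Expected time to the correct guess: half the keyspace on average."""
    return space / 2 / rate / SECONDS_PER_DAY


def max_rotation_days(space: int, rate: float, p_max: float) -> float:
    """Longest expiry interval that keeps the crack-before-expiry probability
    at or below p_max: the guessability-dependent aging the thread asks for."""
    return p_max * space / (rate * SECONDS_PER_DAY)


def report(password: str, rate: float = 1e9, rotation_days: int = 90,
           p_max: float = 0.01) -> dict:
    space = keyspace(password)
    return {
        "bits": round(log2(space), 1),
        "expected_crack_days": expected_crack_days(space, rate),
        "p_cracked_before_expiry": p_cracked_within(space, rate, rotation_days),
        "max_rotation_days": max_rotation_days(space, rate, p_max),
    }


if __name__ == "__main__":
    # Constructed sample passwords, one per pattern class.
    for pw in ("Password1", "Password1!!", "correct horse battery staple",
               "gh5Q#x9!rT2m"):
        print(f"{pw!r}: {report(pw)}")
```

At a billion guesses per second the word-plus-digit password is cracked long before any 90-day expiry can matter, while the four-word passphrase and the random string would tolerate rotation intervals of decades at a 1% crack-before-expiry risk, which is what makes a single fixed interval the wrong tool.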
