
Passwords That Are Simple — and Safe(?)

CmdrTaco posted more than 4 years ago | from the pardon-my-skepticism dept.

Microsoft 563

TravisTR submitted a story that talks about simpler passwords. I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain, but I'm not sure that allowing unique but simpler passwords is a better idea.


563 comments


deh. (5, Insightful)

Anonymous Coward | more than 4 years ago | (#32965438)

Why not use simple words that can't easily be found using a dictionary brute force?

And most hacked accounts come from shitty secret question/answer that can let you change the password.

Simple (2, Insightful)

Anonymous Coward | more than 4 years ago | (#32965758)

When your password rules have a net effect of disallowing people from using their familiar pneumonic systems for remembering passwords, you force them to write the passwords down.

And having written-down passwords negates the benefit of all those special characters.

Also, simply making it policy that users can't write the passwords down doesn't help...users either break the policy or often forget their passwords, forcing frequent use of the password recovery process, which can be costly and further weakens the security of your system.

Re:Simple (1)

TangoMargarine (1617195) | more than 4 years ago | (#32965830)

pneumonic

Is that a cross between pneumatic and mnemonic? The device which a robot uses to recall information?

Also, it strikes me that this idea only helps at all on the assumption that the site involved enforces the "three strikes and lockout" policy. Otherwise, it's even easier to bruteforce them. (I actually read the article) Or am I missing something?

Eventually they will be in dictionaries. (4, Insightful)

khasim (1285) | more than 4 years ago | (#32965840)

If the password can be easily remembered, it will end up in a dictionary.

But that doesn't matter. At least it doesn't in the way that TFA discusses passwords.

You have two different uses for passwords:

#1. Lets you login to your computer or account or whatever.

#2. Encrypts files that you don't want other people to read.

If we're dealing with #1 then simple passwords are perfect AS LONG AS SOMEONE IS MONITORING THE ACCOUNT FOR FAILED LOGIN ATTEMPTS and dealing with them (and having a delay between individual attempts).

In case #2 then you want a HUGE key because the file can be attacked off-line.
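The condition khasim puts on case #1 (someone watching failed logins and spacing attempts out) and the "three strikes and lockout" policy TangoMargarine mentions above are both easy to state and easy to get subtly wrong. The following is an added example, not code from the thread or from the paper under discussion: a per-account throttle with a growing delay between attempts, a lockout after a small number of failures inside a time window, and a monitoring hook that fires on lockout. The thresholds, the `alice` account and the guess list are this example's own constructed values.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Track failed logins per account, impose a delay that doubles after
    each failure, lock the account after `lockout_after` failures inside
    `window` seconds, and call `alert` when the lockout trips.

    Thresholds here are illustrative choices, not values from the thread.
    A clock can be injected so the behaviour can be simulated offline."""

    def __init__(self, lockout_after=3, base_delay=1.0, max_delay=60.0,
                 window=900.0, alert=None, clock=time.monotonic):
        self.lockout_after = lockout_after
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.window = window
        self.alert = alert or (lambda user, failures: None)
        self.clock = clock
        # username -> failure count plus timestamps of first and last failure
        self.state = defaultdict(lambda: {"failures": 0, "first": 0.0, "last": 0.0})

    def _prune(self, user, now):
        """Forget failures once the window has passed (this is what ends a lockout)."""
        s = self.state[user]
        if s["failures"] and now - s["first"] > self.window:
            s["failures"], s["first"], s["last"] = 0, 0.0, 0.0

    def check(self, user):
        """Call before verifying a password. Returns (allowed, seconds_to_wait)."""
        now = self.clock()
        self._prune(user, now)
        s = self.state[user]
        if s["failures"] >= self.lockout_after:
            return False, self.window - (now - s["first"])
        if s["failures"]:
            delay = min(self.base_delay * 2 ** (s["failures"] - 1), self.max_delay)
            remaining = s["last"] + delay - now
            if remaining > 0:
                return False, remaining
        return True, 0.0

    def record_failure(self, user):
        now = self.clock()
        s = self.state[user]
        if s["failures"] == 0:
            s["first"] = now
        s["failures"] += 1
        s["last"] = now
        if s["failures"] == self.lockout_after:
            self.alert(user, s["failures"])   # the "someone is monitoring" part

    def record_success(self, user):
        self.state.pop(user, None)


def simulate_online_guessing(guesses, real_password, lockout_after=3, window=900.0):
    """Drive the throttle with a fake clock against a constructed account
    'alice'. The guesser retries as soon as the throttle lets it.
    Returns (guesses_tried, locked_out, alerts_raised)."""
    clock = [0.0]
    alerts = []
    throttle = LoginThrottle(lockout_after=lockout_after, window=window,
                             alert=lambda u, n: alerts.append((u, n)),
                             clock=lambda: clock[0])
    tried = 0
    for guess in guesses:
        allowed, wait = throttle.check("alice")
        if not allowed:
            if throttle.state["alice"]["failures"] >= lockout_after:
                return tried, True, alerts      # locked: guessing stops for the window
            clock[0] += wait                    # guesser waits out the delay
        tried += 1
        if guess == real_password:
            throttle.record_success("alice")
            return tried, False, alerts
        throttle.record_failure("alice")
    return tried, False, alerts


if __name__ == "__main__":
    # Constructed guess list; "dragon" is the account's (constructed) password.
    common = ["password", "123456", "qwerty", "letmein", "dragon"]
    print(simulate_online_guessing(common, "dragon"))                    # locked after 3
    print(simulate_online_guessing(common, "dragon", lockout_after=100))  # found on guess 5
```

With the default settings the guesser gets three attempts, the alert fires, and the account is locked for the rest of the window; with no meaningful lockout the same five-entry list succeeds, which is khasim's point about case #1. The counter above is per account only; the later comment in this thread about trying one password across many usernames is the reason production systems also count failures per source and per password, not just per account.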

don't ever use the word "password" (5, Insightful)

Anonymous Coward | more than 4 years ago | (#32965444)

Call it a "passphrase." Ban that other word.

changing passwords frequently makes no sense (3, Interesting)

js_sebastian (946118) | more than 4 years ago | (#32965448)

Recent paper by some microsoft folks at usenix security: "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users" (http://research.microsoft.com/en-us/um/people/cormac/papers/2009/solongandnothanks.pdf)

Re:changing passwords frequently makes no sense (4, Informative)

Monkeedude1212 (1560403) | more than 4 years ago | (#32965654)

People who argue that changing passwords frequently* is a waste of time have not had to deal with the security issue of people sharing their passwords on a regular basis. On the odd occasion, the Receptionists will share passwords so they can log in on each other's computers and access each other's files. As an IT team we've done our best to abstract that concept by allowing anyone to log onto any computer in the network so long as they have an account, and mapping network drives automatically based on your permissions, but suffice to say some people just don't understand that. Someone will still only save to "My Documents" or C: drive, because that's what they do at home. Anyways, if someone gets terminated, and they remember the passwords, they pose a security risk. We had this issue come up last summer where a manager knew a few people's passwords, and after being fired, was using the webmail client to snoop on emails.

I haven't been working in this side of IT for more than 2 years and I can already see the benefit of ever-changing passwords.

*I suppose that depends how frequently you are talking

Re:changing passwords frequently makes no sense (1)

Shakrai (717556) | more than 4 years ago | (#32965738)

Someone will still only save to "My Documents" or C: drive

You know it only takes about five seconds to use group policy to map "My Documents" to a network location, right?

Re:changing passwords frequently makes no sense (1)

spamking (967666) | more than 4 years ago | (#32965928)

Someone will still only save to "My Documents" or C: drive

You know it only takes about five seconds to use group policy to map "My Documents" to a network location, right?

True, but this would only work if you mapped it to a departmental directory that everyone who needed access to had it . . . you know as well as I do that users prefer their own workstation/network share that others in their department can't get to.

Re:changing passwords frequently makes no sense (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#32965934)

You know that'll cause a lot of un-needed traffic, right? We don't want all our computers all having shared drives communicating with each other so they pop up on everyone's computer anytime they log in.

We do that. (1)

khasim (1285) | more than 4 years ago | (#32965988)

And the people STILL share passwords because they cannot remember how to navigate through the various folders.

This is a case where I'd prefer the *nix method and just mount the directories under the user's home directory.

Technology will never be a match for someone's mindset. Bob's files are in Bob's directory on Bob's computer. If Alice wants to see Bob's files, Alice wants to go to Bob's computer. And then Alice wants to copy them to Alice's computer to work on them.

Re:changing passwords frequently makes no sense (2, Insightful)

Darkness404 (1287218) | more than 4 years ago | (#32965810)

So instead of having a few people in the company knowing passwords, you lead to the people with a sticky note with all their passwords stuck to their monitor. Let's face it, perfect security is impossible, the average person can't remember insanely long abstract passwords, so either you have weaker passwords, the security question flaws, IT hell of having to reset passwords every other week, or the sticky note on the monitor.

Real security requires you to balance out risks, figure out who is the main threat and make passwords to combat that. If your main threat is from random blackhats, choosing a password like "jennifeR21211985" wouldn't be too terrible of a password, on the other hand, if the main threat was from people who knew the person, such a password like your kid's name with a random capital letter then their birthdate could be laughable.

Re:changing passwords frequently makes no sense (3, Funny)

hal2814 (725639) | more than 4 years ago | (#32965972)

There's not always a sticky note on the monitor. Some people are security conscious. They hide the sticky under their mouse pad. Because really... who would ever think to look there?

Re:changing passwords frequently makes no sense (2, Insightful)

tlhIngan (30335) | more than 4 years ago | (#32965732)

Yeah, changing passwords frequently just makes for lower-quality passwords.

Eventually people fall into a sequence that's even more detrimental to security than a really good, long password.

Here's some "strong" passwords - capital letters and numbers: Jan2010, Feb2010, Mar2010, ...
Let's make it harder, add symbols! Jan!2010, Feb@2010, Mar#2010, ... Nov2010
Can't repeat numbers in same spot? Jan!2010, 2010Feb@, Mar#2010, ...
Want longer? January2010, February2010, ...
Hell, they may just simplify and do 1!January, 2@Feburary, 3#March, ...
etc.

Plus, it really depends on what you're trying to protect. My password for a blog site would be relatively weak because if it's compromised, so what? My password for my bank though is something much stronger for obvious reasons. Sites that claim that 80% of the people use "password" as their password aren't revealing - it depends on the site itself. If it's some news site or otherwise unimportant with no consequences, it'll have a weak password. If it's a password to your bank account, then you'll have something much stronger on it. Ditto sites with same password - if it's a blog, so what if I use the same password on all the blog sites I visit? Big whoop, you compromised my NYT login and now have access to some other blog sites.

Re:changing passwords frequently makes no sense (0)

ISoldat53 (977164) | more than 4 years ago | (#32965858)

Maybe it would also help if sites with a large number of users would not "inadvertently release" passwords.

No comments yet (0)

Anonymous Coward | more than 4 years ago | (#32965456)

Damn, now I'll have to read the article.

If I suffer any injuries it'll be on you slashdot!

SImple non-dictionary passwords (3, Insightful)

ceswiedler (165311) | more than 4 years ago | (#32965458)

The best passwords I've used are non-dictionary but pronounceable words. The simplest way to generate one is to alternate consonants and vowels, for example 'lasopedi'. It's easy to remember because your brain can store it as a word, not as a random series of letters. You can add uppercase letters, symbols, or numbers if you want it more complex, like 'lasoPedi2!', which is still pretty easy to remember.

Re:SImple non-dictionary passwords (1)

hitmark (640295) | more than 4 years ago | (#32965490)

optionally make up a word and apply some kind of personal leetspeak "encoding" to it.

Re:SImple non-dictionary passwords (0)

Anonymous Coward | more than 4 years ago | (#32965774)

Or u can just use a short phrase.

something like "eatthatfroglater" or whatever...
i think that if they are long enough (four + words) they are strong enough, and very easy to remember...

PD: that's not my passwd. I am Spanish, my passwds are in Galician...

Re:SImple non-dictionary passwords (2, Interesting)

Shakrai (717556) | more than 4 years ago | (#32965584)

Just use diceware [std.com] . It's got more than enough entropy and uses real words that are easy to remember.

Re:SImple non-dictionary passwords (0)

Anonymous Coward | more than 4 years ago | (#32965598)

Thanks, but no thanks for publishing my password, you insensitive clod!

Re:SImple non-dictionary passwords (1)

pnutjam (523990) | more than 4 years ago | (#32965668)

that password is fine until someone starts using it for a website, laspdedi.com

Re:SImple non-dictionary passwords (0)

Anonymous Coward | more than 4 years ago | (#32965866)

lasopedi != laspdedi

Re:SImple non-dictionary passwords (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#32965710)

I've found that chopping off certain parts of my full name are easy to remember as well, though I suppose those might be easier to guess than a simple non-dictionary word.

James Tiberius Kirk would be something like ameski or jamtibirk

and like you said - it's very easy to simply add or replace the more complex symbols.

Re:SImple non-dictionary passwords (0)

Anonymous Coward | more than 4 years ago | (#32965780)

I don't see the benefit in using that method.

Signed,
Ameski Jamtibirk

Re:SImple non-dictionary passwords (5, Informative)

ArcherB (796902) | more than 4 years ago | (#32965736)

The best passwords I've used are non-dictionary but pronounceable words. The simplest way to generate one is to alternate consonants and vowels, for example 'lasopedi'. It's easy to remember because your brain can store it as a word, not as a random series of letters. You can add uppercase letters, symbols, or numbers if you want it more complex, like 'lasoPedi2!', which is still pretty easy to remember.

The best passwords I've found are sentences translated into passwords. For example:

My phone number is 555-234-2344 : Mp#i555-234-2344
I live at 2202 Park Street : Il@2202PSt
Four score and seven years ago : 4Sa7ya...
My wife won't go down on me since we got married! : Mww'tgdomswgm!

Whatever. You get the idea. All you have to remember is the sentence.

Re:SImple non-dictionary passwords (4, Funny)

alexo (9335) | more than 4 years ago | (#32965960)

My wife won't go down on me since we got married! : Mww'tgdomswgm!

Bad password. Too common.

Re:SImple non-dictionary passwords (1)

Kepesk (1093871) | more than 4 years ago | (#32965842)

Part of my job involves helping people reset their passwords. I'm amazed at the number of people who insist on using their usernames, the word 'password' or some variation thereof as their password.

Re:SImple non-dictionary passwords (1)

mcgrew (92797) | more than 4 years ago | (#32965882)

I make up random letter, number, and punctuation passwords, write them down, and keep them in my wallet with my other valuables. Tags are slightly obfuscated in case my wallet gets stolen; "Dorothy Slasher" for slashdot, for example.

Re:SImple non-dictionary passwords (0)

Anonymous Coward | more than 4 years ago | (#32965976)

I wonder how many people just tried to log on to your Slashdot account using the password 'lasopedi'.

Depends on the importance and access (3, Insightful)

FictionPimp (712802) | more than 4 years ago | (#32965464)

To me it depends on two things:

1) How important is the data.
2) What level of access do un-authorized people have to the system.

For example, we have a private development server on an isolated vlan. The only way to gain any network activity to this server is to be plugged into one of the ports that have access to that vlan (so just the developer offices).

Do I really need a password like 2wsx)OKMnhy6BGT%?

or does something simple like: 53xym@n cover it?

Now, let's say it's a public server available on the internet with ssh running? Does a really strong password protect me any more than just using a simple public key with a simple password on said key?

Re:Depends on the importance and access (1)

socz (1057222) | more than 4 years ago | (#32965606)

Want to know how I set up my passwords?

1st) I write a song. A tune I can follow in my head.

2nd) I add words.

3rd) When asked for a password, I type until the max limit has been reached.

4th) When logging in, I type until I'm not allowed to!

Sure, it might sound complicated but no one is going to guess what year Columbus sailed...

Re:Depends on the importance and access (1)

mandelbr0t (1015855) | more than 4 years ago | (#32965704)

I would also add:

3) Where is it possible to access the data?
4) Is it feasible to monitor and log accesses to the data?

If the answer to 3) is "anywhere" and 4) is "no", there is a case for a strong password. In these cases, it may be necessary to take advantage of password memory features in either your smartphone or web browser. In this case, a strong password would protect against constant phishing, while still being useable. The fact that I don't actually remember my password is balanced by the fact that the password is only remembered in a physically secure location. Password recovery in the case that you need it could be accomplished via a token-based password reset using a callback scheme (e.g. email or SMS). You would have to break into my house or steal my phone to be able to access those accounts. Admittedly, this may be a concern depending on the value of the data; but I would change the answers to 3) and 4) in this case.

Seems to Be Some Confusion (2, Informative)

eldavojohn (898314) | more than 4 years ago | (#32965472)

I'm not sure that allowing unique but simpler passwords is a better idea.

There is a misunderstanding here. The paper itself is proposing an additional mechanism for protecting against popular passwords. Let's say I give you the password "password" and you find it in the dictionary and send it back to me. Now I give you the password "p@ssword" and you again explain it must have an uppercase/lowercase mix as well as a special character and a number. So I give you "P@ssw0rd" and we go about on our merry business.

Unfortunately for the security of my account, I responded to your system's demands in a very algorithmic way. And, after millions of users try this, it might be safe for me to add in my dictionary attacks substitutions for characters in password.

I believe what the proposed paper is suggesting is that there is an oracle that alerts the user when their password is acceptable but is simply too common and therefore unsafe. The final piece of the puzzle is building in protection so that attackers cannot "query" the Oracle to find out what are popular passwords in your system that have reached their max. It's about managing entropy in the set of passwords that your user has with a new mechanism ... and can be applied equally to the loosest and most stringent password requirements.

After reading the paper (assuming you don't have this already), it is genuinely a way to increase your user's protection.

Re:Seems to Be Some Confusion (1)

socz (1057222) | more than 4 years ago | (#32965700)

This is one if not the only thing(s) I liked of the pressure sensitive keyboard that MS developed (it was MS right?). Having your P@$$UU0rd wouldn't be enough, it would have to be with the same pressure each time AND speed/quickness/slowness of typing it. That is pretty secure.

For anyone who thinks "people will be able to do it..." Sure, for most probably. But you take people like myself who type pretty quickly and it'll be a job - not because of the speed but because of how hard or soft I press certain keys.

In my world, it's not how complex or difficult it is to type a password, but how fast I can type it. It always seems there's people around me when I'm logging into any number of things so in order to avoid having to ask "please look away" or compromising what my pw is because I need to use a lot of 'special character keys' i just type so fast no one can tell what i'm entering! Of course, some things require more security than others :P

Re:Seems to Be Some Confusion (2, Insightful)

travisco_nabisco (817002) | more than 4 years ago | (#32965930)

Detecting how a user types a password sounds like a great idea until I decide that my cheese burger is not worth putting down, and I try to type the password with one hand.

Or maybe I have cut my finger and have a bandaid on it, altering my typing speed and force distribution. Perhaps there is a crumb stuck under a key that alters the momentum of the press.

There are way too many possible ways for it to go wrong. There needs to be a backup method, and that is likely to remove most of the benefits of the scheme.

Re:Seems to Be Some Confusion (0)

Anonymous Coward | more than 4 years ago | (#32965822)

The final piece of the puzzle is building in protection so that attackers cannot "query" the Oracle to find out what are popular passwords in your system that have reached their max.

Why does that matter? The list of common passwords that attackers currently use will likely be all be maxed out, so attackers can just use that and there's no need to query anything. The system's defense can only rely on the fact that the max is low, not on the secrecy of maxed-out passwords.

Idioms (1)

jplopez (1067608) | more than 4 years ago | (#32965494)

Use your favourite idiom/s with random symbols mixed in. For instance, turn "All that glitters is not gold" into "$all.that_glitters.is_not.gold#". Works like a charm.

Re:Idioms (1)

mdarksbane (587589) | more than 4 years ago | (#32965908)

The thing is, once you've hit 12+ characters in a phrase the special characters aren't really buying you that much. You gain as much security by making your phrase one word longer as you do adding -;())$&&@@ in the middle of it. Allthatglittersisnotgold will beat dictionary attacks, take weeks to brute force, and be much easier to type. The only point of random characters is to get some of those benefits in an 8 character password.
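Several comments in this thread trade intuitions about how much a longer phrase, a pronounceable non-word like 'lasopedi', a diceware passphrase or a handful of extra symbols actually buys. The block below is an added example, not from the thread or from diceware itself: it generates the two password styles the thread describes with `secrets`, and computes the entropy each strategy yields under the assumption that every unit (letter, word, symbol) is chosen uniformly at random. That assumption is the best case; a user-chosen idiom such as "All that glitters is not gold" is one entry in a list of idioms, so the "5 words" figure is only an upper bound for it. The consonant/vowel alphabets, the 7776-word list size (the standard diceware list), the 32-symbol set and the sample word list are this example's own choices.

```python
import math
import secrets

CONSONANTS = "bcdfghjklmnprstvz"   # 17 letters, this example's choice
VOWELS = "aeiou"                   # 5 letters
DICEWARE_WORDS = 7776              # size of the standard diceware list (6**5)
SYMBOLS = 32                       # assumed size of a printable-symbol set

# Constructed stand-in for a real word list, so the generator runs offline.
SAMPLE_WORDS = ["apple", "bridge", "candle", "desert", "engine", "forest",
                "garden", "harbor"]


def bits_for_choices(choices_per_unit, units):
    """Entropy in bits of `units` independent uniform picks from `choices_per_unit`."""
    return units * math.log2(choices_per_unit)


def pronounceable(length, rng=secrets):
    """Alternate consonant and vowel, the 'lasopedi' style from the thread."""
    return "".join(rng.choice(CONSONANTS if i % 2 == 0 else VOWELS)
                   for i in range(length))


def pronounceable_bits(length):
    """Entropy of a random consonant/vowel alternation of the given length."""
    consonants = (length + 1) // 2
    vowels = length // 2
    return (consonants * math.log2(len(CONSONANTS))
            + vowels * math.log2(len(VOWELS)))


def passphrase(word_count, wordlist=SAMPLE_WORDS, rng=secrets):
    """Diceware-style passphrase: uniform picks from a word list, joined by spaces."""
    return " ".join(rng.choice(wordlist) for _ in range(word_count))


def brute_force_seconds(bits, guesses_per_second):
    """Worst-case time to enumerate the whole space at a given guess rate.
    Offline attacks on an encrypted file run at rates that online logins,
    throttled by a server, never reach; that is khasim's case #1 vs #2."""
    return 2 ** bits / guesses_per_second


def compare():
    """Entropy of the strategies discussed in the thread, best case (uniform random)."""
    return {
        "8 chars, all 95 printable ASCII": bits_for_choices(95, 8),
        "8 chars, pronounceable (lasopedi style)": pronounceable_bits(8),
        "4 words, 7776-word list": bits_for_choices(DICEWARE_WORDS, 4),
        "5 words, 7776-word list": bits_for_choices(DICEWARE_WORDS, 5),
        "24 random lowercase letters": bits_for_choices(26, 24),
        "one extra word (7776-word list)": bits_for_choices(DICEWARE_WORDS, 1),
        "one extra random symbol (32 symbols)": bits_for_choices(SYMBOLS, 1),
    }


if __name__ == "__main__":
    for strategy, bits in compare().items():
        print(f"{strategy:42s} {bits:6.1f} bits")
    print("sample pronounceable:", pronounceable(8))
    print("sample passphrase   :", passphrase(4))
```

Two things fall out of the numbers. A random pronounceable 8-letter word is far weaker than 8 random printable characters (about 26 bits against about 53), because alternating consonants and vowels shrinks the alphabet for every position. And one extra randomly chosen word from a 7776-word list is worth about 13 bits, a little under three random symbols, so growing a passphrase by a word is a cheap way to add strength; whether it matches ten symbols depends entirely on how random those symbols really are.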

dictionary (-1)

Lilo-x (93462) | more than 4 years ago | (#32965496)

Just take the most common dictionaries and parse users passwords against those, this would actually use less resource overall for sites with millions of users.

Then also just setup honeypots that monitor password traffic coming in from these spambots and when you trigger x amounts of a password being attempted add it to the dictionaries.

It seems as usual MS are trying to come up with an unnecessary solution.

Mike

Simpler (1)

Anne_Nonymous (313852) | more than 4 years ago | (#32965502)

t*m1Lv!^88o%wYc5#pq9-eb7+n? That's amazing. I've got the same combination on my luggage.

My password is very easy to remember. (1)

mabersold (1171751) | more than 4 years ago | (#32965506)

It's the same as the combination to my luggage.

Actually I don't. (1)

DrPeper (249585) | more than 4 years ago | (#32965514)

"I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain"

Actually I don't have a problem with it. Once you get used to it and it's normal, then it's really not a problem. The thing with these people is that no matter how easy a password system is, they are going to complain about it.

Re:Actually I don't. (1)

Darkness404 (1287218) | more than 4 years ago | (#32965686)

Ok, so how do you remember the password? Yes, some of us /.ers can memorize a large password but for the vast majority of everyone else, they have to write it down. When you write it down, it means that anyone with physical access to your workstation/cubicle now has your password. Not to mention how security questions are usually a weak link...

Something tells me that a 6-7 character password of something meaningful yet obscure would have decent amounts of protection without leading in new security flaws.

Re:Actually I don't. (1)

FictionPimp (712802) | more than 4 years ago | (#32965846)

I use patterns on the keyboard for most of my passwords.

For example

@W(I0o1q#E*U

That is a easy to remember password.

wpWPa'A'z/Z? is another.

Re:Actually I don't. (0)

Darkness404 (1287218) | more than 4 years ago | (#32965914)

Things like that may be great for you, but what about the 50 year old person in accounting who uses the hunt and peck method of typing where that would be incredibly slow? The problem with company-wide password policies is that it's not just for us who know the keyboard, know the point in having passwords like that, and such. What about the boss? Of course he is going to want root everything, but in general most bosses are pretty lousy with computers, he isn't going to want a password like that, he wants a password like his wife's name and birthday. The boss is not going to want limited access because in his mind he is the boss and should have full access to everything anytime, not that he really -wants- to set up cronjobs systemwide, but if you have an account that won't let him, he doesn't want to be locked out of that.

Re:Actually I don't. (1)

travisco_nabisco (817002) | more than 4 years ago | (#32965996)

I don't know about 20 character passwords, but an 8-12 character password should be recallable by most humans.

Whenever I need a new password I actually just sit down and type a combination of letters and numbers, upper and lower case. Then I type it another 10 times and it is in my brain already. By not planning it out before I type it I believe my brain is creating a pseudo random combination that it will remember easily.

Write it down (5, Funny)

glittermage (650813) | more than 4 years ago | (#32965516)

Just write down your password in a convenient & easily accessible location near entry point. Problem solved.

Re:Write it down (1)

boristdog (133725) | more than 4 years ago | (#32965744)

Just write down your password in a convenient & easily accessible location near entry point. Problem solved.

I guarantee that everyone reading this just thought of those Post-its on his/her PHB's desk.

At least the PHB's secretary has the good sense to put the Post-it with the password in her drawer, where no one would ever think to look.

Only for big services (2, Informative)

PseudonymousBraveguy (1857734) | more than 4 years ago | (#32965528)

This only works for big services: If you have only a couple of users, you will miss many of the easy-to-guess passwords. Instead of preventing users from picking the same password as other users, you should check the passwords against a pre-made dictionary. This is basically the same approach, only without relying on the users for building your dictionary.

Hidden Messages (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32965530)

I like number and letter combinations that don't match real words but have embedded messages that I remember every time I log in.

iH@73J3W$

Re:Hidden Messages (0)

Anonymous Coward | more than 4 years ago | (#32965728)

Funny, I do the same thing.

DF331n'$Mu2@l

Passwords aren't the weak point (4, Insightful)

Darkness404 (1287218) | more than 4 years ago | (#32965532)

In most systems, the password isn't the weak point, it is generally the security question or an off-site link. For example, you might require that users of an online banking system use a password 15 characters long, however, you e-mail them a link to change a password if needed through an e-mail account, well if that person's password is "e-mail" or something like that, all the security on your site vanishes.

Really, you have to figure out who would be trying to get into your account, family members? A random black-hat? Your friends? Your enemies? And base passwords on there, for example, if your main problem is with black hats, a password such as your dog's name with your birth year might be good enough to prevent brute force attacks like "fido1961" on the other hand, that password is laughably weak if your family or friends wants to get in and have some good skills. However, in most cases people write down passwords which lead to more weaknesses there because for some reason IT departments want people to have passwords of "Zn98iTgg4324YEneEjjRtZ34" which might be great at preventing a black hat from accessing it, but such an arcane password generally requires people to write it down.

Compuserv had it right (3, Interesting)

pcjunky (517872) | more than 4 years ago | (#32965534)

Compuserv used to use two words with a punctuation mark between them . My old password was impair?boxer. Tens maybe hundreds of millions of possibilities, simple to remember. I still use that scheme.

Easy, secure passwords (1)

c1ay (703047) | more than 4 years ago | (#32965542)

It's pretty easy to make secure, simple to remember passwords. Take some random sentence from your life like, "I grew up at 367 oak Street in Mytown when I was little." Grab the first letter and all the numbers, Igua367OiMwIwl and you've got a dictionary proof password that's secure and easy to remember.

Re:Easy, secure passwords (1)

Scatterplot (1031778) | more than 4 years ago | (#32965746)

A slightly easier to remember version of that train of thought is to use a whole sentence- 'baconisgood' or 'ihaveacalculator' is made up of words in the dictionary, but the sentence structure won't be very easy to guess. Add capitals and punctuation to suit.

Questions (1)

Mr_Silver (213637) | more than 4 years ago | (#32965544)

The new scheme from Microsoft Research does away with complexity requirements entirely while protecting against both dictionary attacks and statistical guessing. The service simply counts how many times any user on the service chooses a given password. When more than a small number of users pick a password, the password is banned and no one else is allowed to choose it. The scheme can only be used by organizations with millions of users--websites like Microsoft's Hotmail, for instance.

I am, by no means, an expert in any of this. Are they suggesting that if (say) 5 people all pick "h3lloth3r3" as their password then this is automatically added to the banned list?

Or are they also suggesting that if a dictionary based attack occurs and 5 people all get "iamgod" as a password tried then it too will get added to the banned list?

The problem I can see with the former is that you could still end up with a deeply insecure password, it's just that no-one else has come up with it. The problem with the latter is that anyone who previously had that password now has to have their account locked until they change it to something more secure.

Thanks for any clarifications!
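The mechanism quoted above, and described earlier in the thread by eldavojohn, is a popularity oracle: count how many accounts chose each password and refuse the password once the count reaches a small threshold. The block below is an added example of that idea, not the paper's code and not Microsoft's; it also folds in the two refinements raised in this thread, seeding the ban list with a static common-password dictionary (PseudonymousBraveguy's and Lilo-x's suggestion) and answering the "can attackers query the oracle" objection by keeping no plaintext passwords at all. Counts live in a count-min sketch over keyed hashes, which is this example's design choice: it can over-count when hashes collide (making the oracle slightly more conservative) but never under-counts, and the table contents on their own do not reveal which passwords are popular. The threshold, sketch size, secret key and the seed list are constructed values.

```python
import hashlib

# Constructed seed list standing in for a real common-password dictionary.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


class PopularityOracle:
    """Refuse any password already chosen by `threshold` accounts.

    Counts are kept in a count-min sketch: `depth` rows of `width` counters,
    each row indexed by a separately salted keyed hash of the password.
    The estimate for a password is the minimum across rows, so collisions
    only ever inflate a count. No password text is stored."""

    def __init__(self, threshold=5, width=1 << 16, depth=4,
                 key=b"example-key-replace-in-production",
                 banned=COMMON_PASSWORDS):
        self.threshold = threshold
        self.width = width
        self.depth = depth
        self.key = key                       # keeps the sketch useless without it
        self.table = [[0] * width for _ in range(depth)]
        self.banned = set(banned)

    def _cells(self, password):
        data = password.encode("utf-8")
        for row in range(self.depth):
            digest = hashlib.blake2b(data, digest_size=8, key=self.key,
                                     salt=row.to_bytes(16, "big")).digest()
            yield row, int.from_bytes(digest, "big") % self.width

    def count(self, password):
        """Upper-bound estimate of how many accounts currently use `password`."""
        return min(self.table[row][col] for row, col in self._cells(password))

    def is_allowed(self, password):
        # One generic outcome for both reasons: the caller must not be told
        # whether the static list or the live count rejected it.
        if password in self.banned:
            return False
        return self.count(password) < self.threshold

    def register(self, password):
        """Record that an account set `password`. Returns False if refused.
        Only call this inside an authenticated password-set flow; exposing
        it as a free query is exactly the oracle abuse the thread worries about."""
        if not self.is_allowed(password):
            return False
        for row, col in self._cells(password):
            self.table[row][col] += 1
        return True

    def release(self, password):
        """An account moved away from `password`: undo one registration."""
        if self.count(password) > 0:
            for row, col in self._cells(password):
                self.table[row][col] -= 1


def max_accounts_per_guess(oracle):
    """Worst case for an attacker trying one password against every account:
    the threshold bounds how many accounts any single guess can open."""
    return oracle.threshold


if __name__ == "__main__":
    oracle = PopularityOracle(threshold=3)
    for attempt in ["correct horse"] * 4:        # constructed sample password
        print(attempt, "->", "accepted" if oracle.register(attempt) else "refused")
    print("password ->", oracle.is_allowed("password"))
    print("accounts exposed by one guess, at most:", max_accounts_per_guess(oracle))
```

The fourth account to pick the same password is refused and the seeded dictionary entries are refused from the start. The last function is the defensive reading of the objection raised later in the thread: the scheme does not depend on keeping the popular passwords secret, only on the threshold being small, since a single guess tried across all usernames can open no more than `threshold` accounts.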

Unintended consequences? (1)

russotto (537200) | more than 4 years ago | (#32965552)

If the idea is to prevent compromise of multiple accounts, this has merit. But if the attackers only need to get one account (and don't care which one), this actually hurts things. By allowing simpler passwords but requiring that not too many users have the same simple password, they increase the number of simple passwords used by the system, thus increasing the chance the attacker has a password on the system in his dictionary.

advice from microsoft (1)

apostol (1860422) | more than 4 years ago | (#32965558)

Microsoft's advice for your security: Use simpler shorter passwords to protect your data like your birthday or your name etc etc..

think of something you like to do or did before (1)

alen (225700) | more than 4 years ago | (#32965568)

i used to use the designations of military units as passwords. something like HHC of the 72nd Armor Battalion would be hhc72armrbn. after the domain admins started to use 5 passwords remembered i switched to restaurant names and anything else i liked to do. for a little while i thought about using hashed versions of porn star names for system account passwords.

as I said before (0)

Anonymous Coward | more than 4 years ago | (#32965588)

a hash of a nursery rhyme segment or something that you have on your computer would work well. A simple program that hashes a part of a nursery rhyme and pops it into the password field.

My favorite (3, Funny)

DNS-and-BIND (461968) | more than 4 years ago | (#32965590)

I just love being required to use a SECURE PASSWORD for something totally meaningless like a forum or shopping cart. It usually goes like this: 1) Password rejected! All passwords must contain numbers. 2) Password rejected! All passwords must contain mixed case. 3) Password rejected! All passwords must contain at least one symbol. 4) Password rejected! Use only ASCII, ¥ and © are not allowed. 5) Password rejected! Your account has been disabled and a 24 hour block has been placed on your IP address. Please call customer service, the number is on another page of our website.

Re:My favorite (2, Funny)

boneclinkz (1284458) | more than 4 years ago | (#32965792)

Amen. I get so tired of that nonsense. Look, I really don't care if somebody breaks into my Bell Tire Discount Club forum account. I'd much rather just use "passw0rd" than have to come up with a 76-character string that includes both upper and lower-case, at least one special character, at least one numeral, a Latin proverb, the last four digits of my social security number, and a passage from the Necronomicon.

Re:My favorite (1)

OzPeter (195038) | more than 4 years ago | (#32965796)

You left out "Password cannot start with a number" and probably a lot more inane restrictions. "Password is too [long|short]"

Re:My favorite (2, Interesting)

ninjacheeseburger (1330559) | more than 4 years ago | (#32965994)

I once got locked from my bank account as I registered with a 14 character password which I spent some time memorizing.

Unfortunately after calling them up and resetting my account twice, I was informed that the system only allowed 10 character long passwords and they had not implemented any method of checking the length when you registered.

Amateur idea (2, Interesting)

Anonymous Coward | more than 4 years ago | (#32965602)

Not allowing duplicate passwords is often one of the first things that people that don't understand security think of. It's also one of the first things that people realize is a very stupid idea once they come to understand security. The problem is simple. If you tell somebody that the password entered is in use, you've just told them the password of another user. User names are not secret, so it's much simpler to fly through a list of users trying a single password than it is to fly through a list of passwords for a single user. Allowing multiple users to use the same password before it is locked out just makes it worse. If there are multiple potential hits, it's easier to find one account once you have a locked-out password.

Simple to remember, Hard to crack (2, Insightful)

Jimpqfly (790794) | more than 4 years ago | (#32965614)

Think about a sentence, take the first letter of each word, include a digit : you got your password.

Why am I still using passwords? (0)

Anonymous Coward | more than 4 years ago | (#32965618)

Why aren't we using public key encryption?

Anyone else see the problem with this? (2, Interesting)

Anonymous Coward | more than 4 years ago | (#32965624)

If you automatically ban overly popular passwords, you have provided attackers with positive information about passwords in existence among the pool of users under the regime.

1) change password, repeat until
2) you hit upon a banned password
3) add password to the top of your dictionary
4) ???
5) profit

apg can help (1)

tikram (1262046) | more than 4 years ago | (#32965636)

http://www.adel.nursat.kz/apg/ [nursat.kz] Automated Password Generator can generate very nice, pronounceable, but still pretty secure passwords. Add a few punctuation characters, and you have a strong password that is fairly easy to remember.

An example of the output:

me@host:~$ apg

Please enter some random data (only first 8 are significant)
(eg. your old password):>
Bachmebjij8 (Bach-meb-jij-EIGHT)
7Knipwoi (SEVEN-Knip-woi)
gruemUnrod2 (gruem-Un-rod-TWO)
MaHiopt1 (Ma-Hi-opt-ONE)
RidHynEbr8Or (Rid-Hyn-Ebr-EIGHT-Or)
AfnoHoorfid9 (Af-no-Hoorf-id-NINE)
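A generator in the style of the apg output above, as an added example (my code, not apg's; apg has its own pronunciation rules and this is a simpler consonant/vowel syllable scheme). It draws every choice from the OS CSPRNG, drops in one digit and one capitalised syllable, and emits the same kind of spelled-out hint as apg so a password can be read back over the phone. The `entropy_bits` figure is an upper bound that assumes the attacker knows the syllable tables.

```python
"""Pronounceable password generator modelled on apg's output (added example)."""
import math
import secrets

ONSETS = ["b", "d", "f", "g", "h", "j", "k", "l", "m", "n", "p", "r",
          "s", "t", "v", "w", "z", "ch", "sh", "th", "br", "tr", "kn"]
VOWELS = ["a", "e", "i", "o", "u", "oo", "ie", "ou"]
CODAS = ["", "n", "r", "s", "t", "l", "m", "ck", "ng", "rf"]
DIGIT_WORDS = ["ZERO", "ONE", "TWO", "THREE", "FOUR",
               "FIVE", "SIX", "SEVEN", "EIGHT", "NINE"]


def syllable():
    """One pronounceable chunk: onset + vowel + optional coda, all from the CSPRNG."""
    return secrets.choice(ONSETS) + secrets.choice(VOWELS) + secrets.choice(CODAS)


def generate(n_syllables=3):
    """Return (password, hint). The hint spells the digit out in words,
    like apg's "(Bach-meb-jij-EIGHT)", and keeps the syllable boundaries."""
    parts = [syllable() for _ in range(n_syllables)]
    cap = secrets.randbelow(n_syllables)               # exactly one syllable gets a capital
    parts[cap] = parts[cap].capitalize()
    digit = str(secrets.randbelow(10))
    parts.insert(secrets.randbelow(n_syllables + 1), digit)  # digit at any boundary
    hint = "-".join(DIGIT_WORDS[int(p)] if p.isdigit() else p for p in parts)
    return "".join(parts), hint


def hint_to_password(hint):
    """Rebuild the password from its spoken hint (what a helpdesk would type back)."""
    return "".join(str(DIGIT_WORDS.index(w)) if w in DIGIT_WORDS else w
                   for w in hint.split("-"))


def entropy_bits(n_syllables=3):
    """Upper bound on the search space of generate(), in bits: syllable choices,
    capital position, digit value and digit position, treating each syllable
    as a uniform draw over the distinct onset/vowel/coda combinations."""
    per_syllable = math.log2(len(ONSETS) * len(VOWELS) * len(CODAS))
    return (n_syllables * per_syllable + math.log2(n_syllables)
            + math.log2(10) + math.log2(n_syllables + 1))


if __name__ == "__main__":
    for _ in range(4):
        pw, hint = generate()
        print(f"{pw} ({hint})")
    print(f"about {entropy_bits():.1f} bits per 3-syllable password")
```

Three syllables come out near 39 bits, which is fine for an online attack that is throttled but thin against offline cracking of leaked hashes; pass `n_syllables=5` or more for anything whose hash might leak.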

Substitution cipher method (2, Informative)

iivel (918436) | more than 4 years ago | (#32965640)

I've posted this as a potential answer on /. before though the original page on my site is no longer available. It's also been discussed here: http://www.schneier.com/blog/archives/2009/05/secret_question.html [schneier.com] (find cipher.php) I found my old page on the wayback machine...perhaps I'll move it back where it goes http://web.archive.org/web/20060715223129/http://levii.com/cipher.php [archive.org] I'd appreciate input on the method. You have your random card, your own ez phrase and you end up with properly complex passwords. I've implemented this in numerous business environments, and people seem very happy with the result. Every 60 days they choose a new ez passphrase and/or get a new dynamically generated card.
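A reconstruction of the card method described above, as an added example (my code, not the cipher.php from the post; the alphabet, symbol pool and policy rule are my assumptions). The "card" is a random one-to-one mapping from the characters of an easy phrase to a pool that includes capitals, digits and symbols; the phrase mapped through the card is the password, and either can be rotated on schedule. Two practical points the code makes explicit: a random card can by chance send a short phrase entirely to lower-case, so the generator checks the policy instead of hoping, and because the mapping is reversible, a card found next to its phrase hands over the password, so the card is the piece to keep apart from the phrase.

```python
"""Substitution-card passwords: easy phrase + random card -> complex password (added example)."""
import math
import random
import secrets
import string

INPUT_ALPHABET = string.ascii_lowercase + string.digits + " "     # what the phrase may use
OUTPUT_POOL = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?"
SYMBOLS = set(OUTPUT_POOL) - set(string.ascii_letters + string.digits)


def _rng(seed):
    """CSPRNG by default; a seeded PRNG only for reproducible tests."""
    return secrets.SystemRandom() if seed is None else random.Random(seed)


def make_card(seed=None):
    """Random injective map INPUT_ALPHABET -> OUTPUT_POOL (the pool is the larger set)."""
    pool = list(OUTPUT_POOL)
    _rng(seed).shuffle(pool)
    return dict(zip(INPUT_ALPHABET, pool))


def apply_card(card, phrase):
    """Map each character of the lower-cased phrase through the card."""
    phrase = phrase.lower()
    unknown = sorted(set(phrase) - set(card))
    if unknown:
        raise ValueError(f"phrase contains characters not on the card: {unknown}")
    return "".join(card[c] for c in phrase)


def invert_card(card):
    """The card is one-to-one, so the user can recover the phrase from a password."""
    return {v: k for k, v in card.items()}


def meets_policy(pw, min_len=8):
    """Typical corporate rule (assumed): minimum length plus three of four character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in SYMBOLS for c in pw)]
    return len(pw) >= min_len and sum(classes) >= 3


def card_for_phrase(phrase, seed=None, attempts=100):
    """Draw cards until this phrase maps to a policy-compliant password."""
    rng = _rng(seed)
    for _ in range(attempts):
        card = make_card(rng.getrandbits(64))
        pw = apply_card(card, phrase)
        if meets_policy(pw):
            return card, pw
    raise RuntimeError("phrase too short to satisfy the policy")


def card_space_bits():
    """Number of distinct cards (injective maps) in bits: the search an attacker
    faces who knows the phrase but not the card."""
    return math.log2(math.perm(len(OUTPUT_POOL), len(INPUT_ALPHABET)))


if __name__ == "__main__":
    card, pw = card_for_phrase("my easy phrase 1")
    print(pw, "from", sorted(card.items())[:5], "...")
    print(f"card space: {card_space_bits():.0f} bits")
```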

Passwords (1)

Antony-Kyre (807195) | more than 4 years ago | (#32965642)

Okay, how about an informal poll?

1. What is the oldest password that you are still using?
2. Is the username associated with said account one that can be hit by dictionary attacks? Yes, username.

Because a username and password are only as weak as the weakest link between them. Don't get me started on password recovery schemes. Secret question anyone? Gotta be kiddin' me. People post their secret questions' answers in their blogs sometimes!

Hopefully any site will temporarily lock the account if too many failed passwords are tried. There are other security measures that can be implemented too.

I'd be more scared of trojans than someone guessing a medium strength password myself.

Re:Passwords (1)

NEDHead (1651195) | more than 4 years ago | (#32965938)

My oldest involves stone tablets, and requires a crew of Egyptians to maneuver it to the tablet reader I have installed

Lockouts.. (1)

malkavian (9512) | more than 4 years ago | (#32965644)

If you can lock out a service, and have things flagged that way, simple isn't quite so bad. You need to have access to the password source to brute force things (in which case, you may just have lost already by giving up that extremely sensitive file).
Users like things nice and simple and memorable. If you force nasty constructs on them, they'll either:

1) Write things down on a piece of paper, or text doc on their desktop. Both are bad (though probably the desktop is worse).
2) Call the service desk every time they need to log in, after having forgotten their password. As long as you've got good checks in place, this isn't quite so bad, but can also open you up to social engineering attacks pretty easily. It is, however, incredibly resource hungry (and service desks rarely have infinite resources).

Having a simple, memorable password, and tracking the fails (locking out on multiple fails) is a reasonably decent way forward, unless you're in a super sensitive domain. In which case, your users should be of a higher calibre as far as familiarity with IT security and procedures are concerned.

In any security process, there will always be flaws. The trick is trying to balance each stage sufficiently that a service is usable by the required users, and also that it is appropriate to protect the services and information desired.

Phrases (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32965652)

I never understood why phrases never caught on in place of single, overly-complex and hard to remember "words." Using a phrase like "I need my morning coffee!!" as a password is long enough that it won't be brute forced, complex enough that it won't be dictionary'd, and is still completely memorable. Nonsense phrases would make it even less likely to be "figured out."

Re:Phrases (0)

Anonymous Coward | more than 4 years ago | (#32965894)

Whoa, I tried it, and now I'm logged in as you!

Turn your phrase into a password. (2, Informative)

Weedhopper (168515) | more than 4 years ago | (#32965946)

Use your phrase. Just turn it into a password.

I Need My Morning Coffee!!

Then jam a number (your morning train, maybe) that makes sense onto it. Result:

inmmc!!650

I do this with song lyrics and quotes, going as far as to leave plaintext reminders on post-its - it's still impossible to guess.

Pager chat and vanity plate speak (0)

Anonymous Coward | more than 4 years ago | (#32965672)

I like generating passwords that substitute numbers for letters and are misspelled but phonetically recognizable, e.g. j3n3rou5ly

Subject (2, Informative)

MBGMorden (803437) | more than 4 years ago | (#32965688)

This is definitely a pet peeve of mine. We recently introduced new password rules at work, despite me trying to convince them otherwise. Has to be 8 or more characters, must contain upper and lower case letters, numbers, and symbols. And it has to be changed every 3 months.

Wonderful. Now everyone has these horribly complex passwords, which around half the users are now posting next to their monitor on a sticky note. If they'd made simpler passwords available, not nearly as many people would have resorted to that.

It seems common sense, but too many IT managers just don't get it - complex passwords are only useful until they hit the threshold at which the user sidesteps around the whole secrecy part of it.

The perfect passwords (0)

Anonymous Coward | more than 4 years ago | (#32965690)

Let's say that there's two threats to passwords:
- Short passwords
- Bruteforceable passwords

The best password is one that overcomes both of these with the minimum memory required.

This is NOT fZ&%!kf(mM*$12ppkf

It is rather M&yfAvouritefiLmI)sAFishCalledWand$a

How do you brute force that? If you were to, you would need a dictionary attack that took all words, or recognised phrases, and randomly inserted all symbols at all positions and tried with all kinds of capitalisations. This comes quite close in terms of bruteforcing to "random collection of symbols". VERY easy to remember, VERY difficult to crack. Please show me wrong.

If you are extremely lazy and sloppy and don't care about nothing (like me), you can also have 2-3 passwords that you mainly use, but each of them tailored to the website by 1 or 2 letters. Something like 'qlmntybio7' but where you replace the T with the last letter of the name in the website (t for slashdoT), or the number with the number of letters in the name, and you use a different password for the webmail it is all linked to. Superficially not easy to guess, blocks phishing bots, takes at least some intelligence and targeted effort to figure out.

What's With Eight Character Limits? (0)

Anonymous Coward | more than 4 years ago | (#32965706)

Interactive Brokers has an eight character limit for passwords to ensure your money is nice and secure. TightVNC also limits your password to eight characters. Why is this limit imposed for some passwords?

Pass Phrases (5, Informative)

Lifyre (960576) | more than 4 years ago | (#32965714)

Stop using pass words and move on to pass phrases. They can be fairly long and still easy to remember. Increasing the number of characters does more to make something hard to crack than adding more symbols does.

Hell a phrase like "Purple Elephants make for a rough Work Day" is much harder to crack than "1qaz@WSX3edc$RFV"

It may make dictionary attacks more effective but it will completely destroy brute force methods. Of course the biggest issue is still social engineering so it is still a mostly moot point once you get past trivial passwords.

Re:Pass Phrases (1)

unfortunateson (527551) | more than 4 years ago | (#32965936)

Length is still a problem: Did I put spaces between each word? Did I capitalize some of the words?
A reasonable compromise, which still defeats most dictionary attacks is to acronymize your phrase:

"Purple Elephants make for a rough Work Day" becomes PEmfarWD. It still has problems with caps -- make a rule like adjectives and nouns get capitalized, and you may be OK.
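The phrase-to-password derivation suggested in the "Simple to remember, Hard to crack", "Turn your phrase into a password" and "Re:Pass Phrases" posts, as one added example (my code, not any commenter's). The rule implemented: take the first character of every word, keep a word's capital if it had one (so "Purple Elephants ... Work Day" yields PEmfarWD without needing to know which words are nouns), carry trailing punctuation through, and optionally append a number the user already knows. `missing_classes` shows the catch: an acronym is only as long as the sentence has words, and usually lacks digits and symbols, which is why both posts bolt something on.

```python
"""Derive a password from a memorable phrase by acronym (added example)."""
import re

# one word: first alphanumeric, rest of the word, then any punctuation glued to it
WORD = re.compile(r"([A-Za-z0-9])[A-Za-z0-9']*([^\sA-Za-z0-9']*)")


def acronymize(phrase, keep_case=True, suffix=""):
    """Collapse a phrase to its initials plus the punctuation that followed each word."""
    out = []
    for initial, trailing in WORD.findall(phrase):
        out.append(initial if keep_case else initial.lower())
        out.append(trailing)
    return "".join(out) + suffix


def missing_classes(pw):
    """Which of the usual four character classes the result lacks."""
    checks = {"lower": str.islower, "upper": str.isupper, "digit": str.isdigit}
    missing = {name for name, f in checks.items() if not any(f(c) for c in pw)}
    if not any(not c.isalnum() for c in pw):
        missing.add("symbol")
    return missing


if __name__ == "__main__":
    for phrase, kw in [("Purple Elephants make for a rough Work Day", {}),
                       ("I Need My Morning Coffee!!", {"keep_case": False, "suffix": "650"})]:
        pw = acronymize(phrase, **kw)
        print(f"{phrase!r} -> {pw} (missing: {sorted(missing_classes(pw)) or 'nothing'})")
```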

My problem is DIFFERENT rules (1)

gurps_npc (621217) | more than 4 years ago | (#32965716)

I don't mind elaborate rules, I do mind that some say things like "You must have a non-letter/number character" while others say "you can't have". It makes my systematic "rules" based approach to creating a password that is easy to remember much harder. (I.e. I can have a rule that says "Password is 1st letter of website name + last letter before the .com/.net/.org plus the combination "!4a" if one idiot says you need something like an ! and another moron says you can't have something like an ! ---------- Also, I absolutely HATE the moron that decided every website needs/wants a password. There are certain movie theaters that I refuse to go to because their web based ticket purchasing system requires an invasive profile with password. Look, you don't need that info and trying to get it is incredibly obnoxious when all I want is to buy a ticket online. You aren't even giving me a discount - instead you charge more. You want that precious information, give me a 10% discount.

simple passwordS plural, ya for permutations (0)

Anonymous Coward | more than 4 years ago | (#32965718)

or just have 2-3 simple passwords that must be done in a certain order, brute force with a dictionary would take much longer

My solution (1)

NEDHead (1651195) | more than 4 years ago | (#32965748)

I simply refuse to earn enough money to make my bank account worth hacking

Not a total solution but... (1)

gearloos (816828) | more than 4 years ago | (#32965764)

I think the biggest issue (for me) is that for work I have seriously about 20 different passwords for different systems and logins and they all seem to have different requirements. It has taken me 5 minutes before just to create a password that the system will take.. I.E. 8 to 16 chars, must contain 1 special char, 1 cap, 1 lower case, and 1 number the number and the cap can not be next to each other, the number can't be the first or last char, and you cant have more than 4 chars in a row of the same class. Another system says: Must be 6 to 20 chars and contain lower case, upper case, and must begin with a number. It is an absolute necessity to use my 256 bit AES Android password keeper on my phone or I can't even do my job nowadays.

Lock-out? (0)

Anonymous Coward | more than 4 years ago | (#32965786)

FTA:

[...]
One way that system designers try to defeat dictionary attacks is by temporarily disabling an account when a wrong password is submitted more than a few times. This is called account lock-out, and not surprisingly, attackers have discovered a simple way to defeat the approach.
[...]

Nice, now I can lock-out other people from their own Accounts much easier!
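A lock-out design that is harder to weaponise, as an added example serving both the "Lockouts.." post above and the objection in this one (my code, not from the article or any commenter; the limits are assumed defaults). Plain per-account lock-out lets anyone who knows a username lock its owner out. This variant keeps two counters: failures from one source against one account hard-lock that (account, source) pair, while failures against the account from all sources together only add an escalating delay, so the real user arriving from another address is slowed rather than shut out. Sources can be spread across a botnet, so this is a mitigation, not a cure; logging the account-wide counter is what tells the SOC a spray is under way.

```python
"""Two-counter login throttle: hard-lock per (account, source), soft delay per account (added example)."""
import time
from collections import defaultdict


class LoginThrottle:
    def __init__(self, pair_limit=5, pair_lock_seconds=900,
                 account_soft_limit=10, base_delay=1.0, max_delay=60.0,
                 clock=time.monotonic):
        self.pair_limit = pair_limit                  # failures from one source before hard lock
        self.pair_lock_seconds = pair_lock_seconds
        self.account_soft_limit = account_soft_limit  # account-wide failures before delays start
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock                            # injectable for tests
        self.pair = defaultdict(lambda: [0, 0.0])     # (user, src) -> [fails, last_fail_time]
        self.account = defaultdict(lambda: [0, 0.0])  # user -> [fails, last_fail_time]

    def check(self, user, source):
        """Return (allowed, seconds_to_wait). Call before verifying the password."""
        now = self.clock()
        p_fails, p_last = self.pair[(user, source)]
        if p_fails >= self.pair_limit and now - p_last < self.pair_lock_seconds:
            return False, self.pair_lock_seconds - (now - p_last)
        a_fails, a_last = self.account[user]
        excess = a_fails - self.account_soft_limit
        if excess >= 0:
            # exponential back-off, capped, so the owner is delayed but never locked
            delay = min(self.max_delay, self.base_delay * 2 ** excess)
            remaining = delay - (now - a_last)
            if remaining > 0:
                return False, remaining
        return True, 0.0

    def record_failure(self, user, source):
        now = self.clock()
        self.pair[(user, source)][0] += 1
        self.pair[(user, source)][1] = now
        self.account[user][0] += 1
        self.account[user][1] = now

    def record_success(self, user, source):
        """A correct password clears this source's counter and the account-wide delay;
        other sources that are already hard-locked stay locked until they expire."""
        self.pair.pop((user, source), None)
        self.account.pop(user, None)
```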

Someone didn't bother reading (1)

scourfish (573542) | more than 4 years ago | (#32965832)

my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and... god.

mix letters and numbers (1)

Tei (520358) | more than 4 years ago | (#32965878)

you can convert numbers into words:

2001: movie
2010: movie
1942: arcade saloon game
1984: movie
42: answer ..

You can also have tiny words that have meaning to you:
LOTR: lord of the rings
imho: in my humble opinion
me: me
orly: oh, really?
bf: battlefield ..

so you can mix both things

bf2010me44 ...
tk40000z21 ...
rs47ak232

to me is easier to remember {expression} {number} {expression} {number} than a true mix of numbers and letters.

Passwords, imho, should be easy to remember and hard to guess.

Method (1)

ninjacheeseburger (1330559) | more than 4 years ago | (#32965888)

One method I heard was to have something simple that you remember but type one key to the right (or any other direction).

For example a password as simple as slashdot becomes d;sjfpy

I use passwords that can be touch-typed quickly. (1)

Dzimas (547818) | more than 4 years ago | (#32965902)

Instead of memorizing a series of digits, numbers and symbols, I use "nonsense" passwords based on the position of my fingers (not just on the home row) that can be typed quickly. By shifting the block of keys left or right, I can create new passwords with a minimum of fuss. The result is non-dictionary passwords that are easy to remember and quick to enter.

My employer makes us.. (0)

Anonymous Coward | more than 4 years ago | (#32965916)

My employer makes us use passwords that have special characters, at least one numeral and at least one upper case _and_ it expires every two weeks. It also can _not_ start _or_ end with a numeral and must be 10 characters in length or more.

I would seriously be amazed if anyone has their password memorized after the first change.

I had to devise a way of creating and remembering my password so I wouldn't have to write it down. I came up with a simple way to do this.

Pick a number key at the top of the keyboard and simply hold shift to get my special character and continue to hold shift to hit the letter below it for the capital.

IE: hold shift and hit 1 then q to get !Q

Then I simply do _not_ hold shift and hit the next 4 sets to numbers/letters.

IE: 2w3e4r5t

This allowed me to create a few unique and easy to type/remember passwords. !Q2w3e4r5t @W3e4r5t6y #E4r5t6y7u, etc. Now, unfortunately I'm at the end of the row of usable 10 character passwords ^Y7u8i9o0p. So now I'm going to have to devise a new method, probably holding shift for the first two sets of letters/numbers.

IE: !Q@W3e4r5t, or, I can go with !Q1q1q1q1q, etc.

My point here is not to give away my passwords but to show off an obvious flaw in my employers policy. I have a system now that I can't actually memorize the password (I can't easily recite it) but I can type it through a pattern. However, if anyone reads this post and knows which system to exploit, they can deduce what my current password is in a matter of minutes (barring lockout).

My employer has forced me to go with an easy to guess system (for subsequent passwords) and isn't secure at all. And how many others have figured out this easy to type in pattern where I work? They have made it so "secure" that I have to use an easy to identify pattern to keep myself sane. That or I write it down which defeats the purpose altogether.

How is that secure?

AC just in case...

What I (usually) do (1)

ceeam (39911) | more than 4 years ago | (#32965950)

11 random letters (all lowercase) and digits. No need to be more fancy than that. And if you roll the generator several times you'll find the combination which is pretty easy to remember after entering it 2-5 times.

But is that really enough? Let's calculate, assuming somebody can test a million tries per second (way optimistically/pessimistically, I'd say): (26+10)^11 / 10^6 = over 4000 years. Pretty secure. Actually, in real life you can even use 10 or 9 characters and sleep well.
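The arithmetic behind this post and the "Pass Phrases" post above, as an added example (my code, not from either commenter). It checks the (26+10)^11 / 10^6 figure, puts numbers on "length beats symbols", and shows how much the guess rate, which both posts take as given, moves the answer: a million guesses per second is a fast online attack against a live login, while offline cracking of leaked hashes runs orders of magnitude faster (the 10^10/s figure below is an assumed, illustrative rate, not from the page). The passphrase figure assumes the words were chosen at random from a vocabulary; a sentence a person made up carries less.

```python
"""Brute-force search-space arithmetic for the passwords discussed above (added example)."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 95          # space through '~'
ONLINE_RATE = 1e6             # the post's assumption: a million guesses per second
OFFLINE_RATE = 1e10           # assumed for illustration: cracking leaked hashes


def charset_bits(alphabet_size, length):
    """Entropy of a uniformly random string of `length` symbols from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def wordlist_bits(word_count, vocabulary):
    """Entropy of `word_count` words drawn uniformly from a `vocabulary`-word list."""
    return word_count * math.log2(vocabulary)


def years_to_exhaust(bits, guesses_per_second):
    """Worst case, the whole space; an attacker needs half of it on average."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare():
    """The concrete figures the two posts argue about."""
    alnum11 = charset_bits(36, 11)                  # 11 lower-case letters and digits
    random16 = charset_bits(PRINTABLE_ASCII, 16)    # "1qaz@WSX3edc$RFV" IF it were random;
                                                    # as a keyboard walk it is far weaker
    phrase8 = wordlist_bits(8, 5000)                # 8 random words from a 5000-word vocabulary
    phrase_raw = charset_bits(PRINTABLE_ASCII, 42)  # the 42-char phrase to a blind brute-forcer
    return {
        "alnum11_bits": alnum11,
        "alnum11_years_online": years_to_exhaust(alnum11, ONLINE_RATE),
        "alnum11_years_offline": years_to_exhaust(alnum11, OFFLINE_RATE),
        "random16_bits": random16,
        "phrase8_bits": phrase8,
        "phrase_raw_bits": phrase_raw,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>24}: {value:,.1f}")
```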

Deceptively simple is the key. (1)

CaptainNerdCave (982411) | more than 4 years ago | (#32965952)

Seriously, I've found that the simplest, non-dictionary passwords are the best. Call me crazy, but I work from the premise that a random user is just as likely to guess my password on the first try as they are to guess it if given 100000 tries.

The place where I work (and other places that fly the same banner) has employees that are exceedingly technology illiterate, so it's a pretty good bet that I can find their passwords written near the terminals on pieces of paper. Since we're required to use two different, complex passwords with special characters, numbers, and various case letters (one for the local system and one for the corporate), and change them both (every month and every three months, respectively) without repeating the same thing for six changes, it's a recipe for disaster. I even tried explaining this basic principle to one of the upper IT guys where I work, one of the key people in deciding various policies.

I guess it's the idea that these techno-phobes, or whatever term is used to label them, need to be told to use something unusual, lest they use something more obvious, like "love", "tammy", "robert".

Easy problem to solve (1)

h4rr4r (612664) | more than 4 years ago | (#32965956)

The easy solution is to make the passwords longer. Everyone can remember a sentence.

This is flawed. (0)

Anonymous Coward | more than 4 years ago | (#32965974)

"Replacing password creation rules with popularity limitations has the potential to increase both security and usability," the authors write. "Since no passwords are allowed to become too common, attackers are deprived of the popular passwords they require to compromise a significant fraction of accounts using online guessing."

The problem here is, if you attempt to sign up and get told that your password is too common, then you know you're in for a good chance to use that password to gain entry...
You're TELLING the hacker what passwords are common on said system.
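A popularity limit built on a count-min sketch, as an added example for the oracle objection raised in this post, in "Anyone else see the problem with this?" and in "Amateur idea" (my reconstruction of the quoted paper's idea, not its code; the sketch, the keyed hashing and the per-client rejection budget are my assumptions about how one would build it). Two properties soften the oracle. The sketch stores only keyed-hash counters, never passwords, and it can only over-count, so a "too popular" answer does not prove anyone holds that password. And the check is rate-limited per client, so mining rejections costs as many attempts as guessing logins would, which is the cost the limit was meant to impose in the first place.

```python
"""Password popularity limit with a count-min sketch and a per-client probe budget (added example)."""
import hashlib
import hmac
import math
import secrets


class PasswordPopularity:
    def __init__(self, threshold, width=1 << 16, depth=4, key=None,
                 probes_per_client=20):
        self.threshold = threshold                  # max accounts allowed to share a password
        self.width, self.depth = width, depth
        self.key = key or secrets.token_bytes(32)   # keyed hashes: the sketch is useless offline
        self.table = [[0] * width for _ in range(depth)]
        self.probes_per_client = probes_per_client
        self.probes = {}                            # client id -> "too popular" rejections so far

    def _slots(self, password):
        """One counter per row, chosen by an HMAC of (row index, password)."""
        for i in range(self.depth):
            mac = hmac.new(self.key, bytes([i]) + password.encode(), hashlib.sha256).digest()
            yield i, int.from_bytes(mac[:8], "big") % self.width

    def count(self, password):
        """Estimated number of accounts using this password; never an undercount."""
        return min(self.table[i][j] for i, j in self._slots(password))

    def record(self, password):
        """Call when an account actually adopts the password (or when seeding from history)."""
        for i, j in self._slots(password):
            self.table[i][j] += 1

    def check(self, client, password):
        """Return (accepted, reason). A client that keeps hitting 'too popular' is cut off,
        which is what turns the oracle back into an ordinary rate-limited guess."""
        if self.probes.get(client, 0) >= self.probes_per_client:
            return False, "too many rejected attempts from this client"
        if self.count(password) >= self.threshold:
            self.probes[client] = self.probes.get(client, 0) + 1
            return False, "password too popular"
        return True, "ok"

    def error_bound(self, total_records):
        """Count-min guarantee: with probability at least 1 - e^-depth, an estimate
        exceeds the true count by at most about (e / width) * total_records."""
        return math.e / self.width * total_records


if __name__ == "__main__":
    pop = PasswordPopularity(threshold=3)
    for _ in range(3):
        pop.record("password")
    print(pop.check("203.0.113.7", "password"), pop.check("203.0.113.7", "correct horse"))
    print(f"over-count bound at 1e6 records: {pop.error_bound(1e6):.1f}")
```

`threshold` should scale with the user base (the quoted paper argues in terms of a fraction of accounts); for a small site a threshold of a few accounts already removes the handful of passwords that online guessing lives on.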

Algorithmic or used all over (0)

Anonymous Coward | more than 4 years ago | (#32965978)

People don't remember good passwords very well, so people tend to use the same ones everywhere (73% in a recent published survey used the same password for random hobby or porn or whatnot sites they use for their banking) or make them algorithmic. Need numbers and letters and change every 90 days? How about "Q32010pwd" ? Or "Q3.2010pwd" if a punctuation is needed?

Mere entropy in the word captures only a tiny piece of the security properties of a password. Thus it really IS better to have a shorter password that gets remembered and is kept a long time, rather than one that is written down and visible, or that is algorithmic and has 3 not-very-random characters instead of 9. For someone to learn and remember a password they need time, which is what rapidly changing them denies.

Denying popular words is however not bad, but will cause trouble with many. In some areas vocabularies run to ~5000 words.

Two factor authentication (1)

spamking (967666) | more than 4 years ago | (#32965982)

If users don't/can't remember their complex passwords then change to some form of two-factor authentication.

The trouble is.. (0)

Anonymous Coward | more than 4 years ago | (#32965990)

You end up locked out of sites like SLASHDOT that once your password gets so good YOU can't even remember it, you have to create a NEW SLASHDOT ACCOUNT because their stupid email password retrieval system isn't working!!!

And to think I had something knee slapping hilarious to say and now I'm so enraged I can't remember it! ... Oh yeah ...

My passwords are protected by extreme poverty. I've nothing worth hacking.

I keep a database for all the passwords I have and frequently a site claims the password or login is wrong when it is correct! I even copy/paste the login info and pw in case I fat finger it, and it still says it's wrong. Just like what happened to slashdot which I'm now locked out of!
