
Hotmail To Ban Common Passwords

Soulskill posted more than 2 years ago | from the 123456-iloveyou-letmein-$catname dept.

Communications 140

Time and again, when security breaches reveal large numbers of user passwords, analysis shows there are particular passwords commonly used by a significant percentage of the userbase. Now, an anonymous reader tips news that Hotmail is trying to do something about it. "We will now prevent our customers from using one of several common passwords. Having a common password makes your account vulnerable to brute force 'dictionary' attacks, in which a malicious person tries to hijack your account just by guessing passwords (using a short list of very common passwords). ... Common passwords are not just 'password' or '123456' (although those are frighteningly common), but also include words or phrases that just happen to be shared by millions of people, like 'ilovecats' or 'gogiants.'" This comes alongside a new feature that lets users send a report indicating a friend has had their account hacked.


140 comments

123456 (5, Funny)

Anonymous Coward | more than 2 years ago | (#36778396)

My luggage! Nooooo

Re:123456 (-1, Offtopic)

Anonymous Coward | more than 2 years ago | (#36778640)

Didn't wear bra today.
Hold boobs while running on stairs.

Re:123456 (0)

Anonymous Coward | more than 2 years ago | (#36779382)

Wow, my luggage only allows 4 numbers, 1-2-3-4. I would love to have 6 'cause it's so much harder to guess.

Re:123456 (0)

Anonymous Coward | more than 2 years ago | (#36779422)

Dark Helmet: That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!

*enter President Skroob*

Skroob: 12345?

That's amazing! I got the same combination on my luggage!... Prepare Spaceball 1 for immediate departure... and change the combination on my luggage!

Prediction (5, Insightful)

Anonymous Coward | more than 2 years ago | (#36778402)

By the time I post this, someone else will already have posted the "combination on my luggage" joke.

Re:Prediction (0)

Anonymous Coward | more than 2 years ago | (#36778610)

Ding!

Prediction (1)

SomewhatRandom (1299167) | more than 2 years ago | (#36778718)

3M's Post-It note division sales will increase, due to users writing down their passwords and storing them under their keyboards.

Re:Prediction (1)

Em Adespoton (792954) | more than 2 years ago | (#36778844)

Sales will increase significantly for laptop users... as will a trail of sticky notes on every surface where they have placed their laptop.

Re:Prediction (2)

Toe, The (545098) | more than 2 years ago | (#36779544)

That's horrible security practice!

What you're supposed to do is write all your passwords on one sheet of paper, clearly indicating which one is for what login. Then write the word PASSWORDS at the top in big letters and post it on the wall of your cubicle.

(Sadly, I really have seen this.)

Re:Prediction (1)

thePowerOfGrayskull (905905) | more than 2 years ago | (#36779702)

That's horrible security practice!

What you're supposed to do is write all your passwords on one sheet of paper, clearly indicating which one is for what login. Then write the word PASSWORDS at the top in big letters and post it on the wall of your cubicle.

(Sadly, I really have seen this.)

I remember that scene too. The password for this month is "pencil".

Re:Prediction (-1)

Anonymous Coward | more than 2 years ago | (#36779066)

By the time I post this, some unfunny retarded dipshit will already have posted the "combination on my luggage" joke.

Fixed that for you.

Re:Prediction (0)

Anonymous Coward | more than 2 years ago | (#36779418)

Lighten up.

Re:Prediction (0)

Anonymous Coward | more than 2 years ago | (#36779902)

Did you call moi, dipshit?

Re:Prediction (0)

Anonymous Coward | more than 2 years ago | (#36780216)

This. ^

Time and again, when security breaches reveal large numbers of user passwords, analysis shows there are particular passwords commonly used by a significant percentage of the userbase. Now, an anonymous reader tips news that Hotmail is trying to do something about it.

(Damn lameness filter)

There are options for penis repair (-1, Offtopic)

Anonymous Coward | more than 2 years ago | (#36778404)

The actions of a Southern California woman who allegedly cut off her husband's penis has horrified men throughout the country, perhaps even the world.

In the midst of divorce proceedings triggered, perhaps, by "inappropriate relationships" on his part, Catherine Kieu Becker drugged her husband's meal to render him unconscious, tied him to a bed and cut off his penis with a 10-inch kitchen knife, police say. She then put the severed organ in the garbage disposal and turned it on before calling 911.

Surprisingly, penis destruction is not that uncommon an event, and surgeons have developed a variety of techniques to deal with it.

Most news stories about the incident cite the case of Lorena Bobbitt, who cut off the penis of her husband, John, and threw it out of a moving car. That penis was ultimately found and reattached, leading John Bobbitt to a brief career in porn movies. But a cursory search of the Internet suggests that the event is far more common than might be expected.

Several news reports indicate that Thailand may lead the world in penis slashings, often over disputes about the common custom of men having a second wife. The act is colloquially referred to as "feeding the ducks" because that is apparently a common way of getting rid of the evidence. A 2008 report in the journal Burns indicated that electrical burns are a common cause of penis loss in India, although the report did not address how the injuries occur.

I think the big story here is.... (1)

Anonymous Coward | more than 2 years ago | (#36778464)

That Hotmail still exists.

Re:I think the big story here is.... (1)

Anonymous Coward | more than 2 years ago | (#36778684)

Meh. I never saw the appeal of hotmail. I'm still using excite.com *pulls up onion belt*

Re:I think the big story here is.... (0)

Anonymous Coward | more than 2 years ago | (#36779320)

I have hotmail and gmail... there isn't anything I've ever needed to do that isn't available in hotmail but is available elsewhere.

What if (0)

Scutter (18425) | more than 2 years ago | (#36778476)

What if you really love cats?

Re:What if (1)

Em Adespoton (792954) | more than 2 years ago | (#36779044)

well, you just have to check and see if "ireallylovecats" is on the blacklist. If it is, try "ireallyreallylovecats." Rinse and repeat (not the cats).

Re:What if (2)

Toe, The (545098) | more than 2 years ago | (#36779608)

You can create a 100% secure password:
il0v3c4ts

I use this technique all the time. Usually I just use the name of the service, like bankofamerica, and change Es to 3s, etc. Do you get it? An E and a 3 look kinda the same... but backwards!!! Brilliant!

This is totally bulletproof. No hackers have ever heard of this amazing technique. Everyone should use it.

Re:What if (1)

burning-toast (925667) | more than 2 years ago | (#36780262)

Given the hash in a common format, applications like L0phtCrack could take this out in about 20 minutes or less... We won't even start with how fast rainbow tables or brute force could whip through it at a length of only 9 characters and only using alpha-numerics.

There is even a specific option to slightly increase the cracking time by checking for letter - number - symbol substitution which it will do before attempting brute force checking.

Not really any more secure at all. Sorry. I used to use L0pht on a network I administered to check for passwords this weak. And without fail they would take at most a couple of hours to find.

Moving Target (1)

ZombieBraintrust (1685608) | more than 2 years ago | (#36778502)

Won't this just lead to new commonly used passwords while at the same time reducing the number of overall passwords possible? I would think they would need to regularly study what becomes common and ban those while unbanning old common passwords.

Re:Moving Target (0)

Anonymous Coward | more than 2 years ago | (#36778570)

No need to unban old common passwords. The number of common passwords is small compared to the number of possible passwords (hence their commonality).

Re:Moving Target (0)

Anonymous Coward | more than 2 years ago | (#36778902)

But once no one has those common passwords, they'll become the best passwords to have!

In fact, having those passwords WHILE THEY ARE BANNED would be the best option!

Re:Moving Target (1)

PickyH3D (680158) | more than 2 years ago | (#36779038)

Only if you had the entire list of passwords. And, even then, it's a predefined list of common passwords: why wouldn't a cracker try them?

Any password cracker absolutely would. A banned, "common" password will never be the best option. A long password phrase always will be.

Re:Moving Target (1)

thePowerOfGrayskull (905905) | more than 2 years ago | (#36779732)

Any password cracker absolutely would. A banned, "common" password will never be the best option. A long password phrase always will be.

I've started doing this recently, it's great - passwords can be remembered easily.

However, it's ridiculous the number of sites that still disallow spaces in passwords. There's no excuse for that, unless you're storing passwords as old DOS file names.

User names often have the same ridiculous restriction.

Re:Moving Target (1)

YodasEvilTwin (2014446) | more than 2 years ago | (#36778624)

No. Occasionally new common passwords will pop up (perhaps "googleplus" on Google+ for example) and they'll ban it, but in general this action will force people to invent new passwords. The use of creativity will result in a broader set of passwords, not a different narrow set. As well, this is trivially automated. No need to do studies and manually ban.

Re:Moving Target (1)

T_Tauri (883646) | more than 2 years ago | (#36778776)

Hopefully pretty soon we will move away from using passwords to something else like one of those RSA key fobs and OpenID. Then people can remember a single password which, combined with the dual factor, makes a very strong proof of identity. OpenID gives you the same login everywhere, which removes the other issue with secure passwords and trying to remember all of them. After all, it's better to trust a company that bases its business on dual factor authentication than a pile of post-it notes stuck to your monitor. They will take securing their servers seriously. Oh wait....

Re:Moving Target (1)

Em Adespoton (792954) | more than 2 years ago | (#36779162)

I've always wondered whether a system that compares your hash to a hashdb and rejects it if there's more than a certain percentage of matches would be a good idea.

This obviously wouldn't work for small populations, as the system could itself be used to identify passwords within the system... but for something the size of Hotmail's DB, it could work; especially if the feedback was a simple "you cannot use this password. Try again" for all collisions and blacklisted passwords.

The system could even prompt users to change their password if it started to become too common.

Is there a list of the banned passwords? (0)

Anonymous Coward | more than 2 years ago | (#36778588)

It would be ironic if someone would publish a list of all the banned passwords sorted by frequency of usage... the perfect tool for brute force attacks on non-hotmail sites.

Re:Is there a list of the banned passwords? (1)

Quirkz (1206400) | more than 2 years ago | (#36778722)

I don't know about banned passwords, but slashdot has stories quarterly about "most common passwords" -- often released as an analysis of hacked or exposed passwords on one site or another. The common passwords are common everywhere, and the crooks already know them. Publishing the list of most common ones can only help if it convinces a user their password is too simple.

I'll admit that a couple of passwords I thought were 'clever' have shown up on these lists, and it's convinced me to change them to something less common.

Misprint (0)

Anonymous Coward | more than 2 years ago | (#36778622)

I believe there was a misprint in the quote. It should read "Having a Hotmail account makes you vulnerable"

It still exists? (-1)

Anonymous Coward | more than 2 years ago | (#36778662)

The real story here is that there are still people using Hotmail!

fix brute force attack (1)

index0 (1868500) | more than 2 years ago | (#36778700)

Why not limit the number of password tries in a given time unit?

Re:fix brute force attack (2)

supernatendo (1523947) | more than 2 years ago | (#36778862)

Because when, not if, Hotmail servers are compromised either externally or internally and the account hashes are collected in bulk, one can brute force the hashes all day long, since nothing can detect failed attempts once you're just running hashes against a text file.

Re:fix brute force attack (2)

magarity (164372) | more than 2 years ago | (#36778916)

That only works when trying to hack a particular account. If you want to send spam to everyone in some random account's contact list, you don't care whose contact list. So if you know some percentage of the accounts use the same thing for their password, that's a lot of contact lists, mission successful at only one password attempt per account.
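The three posts above (index0's rate-limit question, supernatendo's offline-cracking point and magarity's one-guess-per-account point) are easiest to see side by side in a small simulation. The Python below is an added example written for this page, not anything Hotmail runs; the account store, the common-password list and the 198.51.100.7 source address are all constructed for the demo. It shows a per-account lockout stopping a dictionary attack on one account, the same lockout doing nothing against a spray of the three most common passwords across every account, and a per-source-address counter cutting the spray short. None of this helps once a hash table has been stolen, since offline guessing never touches the login endpoint at all.

```python
import collections

# Constructed demo credential store (not real data). A real service stores
# salted hashes; plaintext is used here only to keep the simulation short.
ACCOUNTS = {
    "alice": "123456",
    "bob": "correct horse battery staple",
    "carol": "123456",
    "dave": "ilovecats",
    "erin": "Tr0ub4dor&3",
}

# Top of a constructed "most common passwords" list, in attacker priority order.
COMMON = ["123456", "password", "ilovecats", "qwerty", "letmein", "abc123"]


class LoginGuard:
    """Online-guessing throttle. Counts failures per account and per source
    address; a threshold of None disables that dimension. Real deployments
    use a sliding time window and back-off rather than a lifetime count."""

    def __init__(self, per_account=5, per_source=None):
        self.per_account = per_account
        self.per_source = per_source
        self.account_fails = collections.Counter()
        self.source_fails = collections.Counter()

    def attempt(self, user, password, source):
        """Return 'ok', 'bad' or 'locked'. A locked request is refused before
        the password is compared, so it still costs the attacker a guess."""
        if self.per_account is not None and self.account_fails[user] >= self.per_account:
            return "locked"
        if self.per_source is not None and self.source_fails[source] >= self.per_source:
            return "locked"
        if ACCOUNTS.get(user) == password:
            return "ok"
        self.account_fails[user] += 1
        self.source_fails[source] += 1
        return "bad"


def brute_force_one(guard, user, wordlist, source="198.51.100.7"):
    """Classic dictionary attack: many guesses against a single account.
    Returns the recovered password, or None if the account locked first."""
    for guess in wordlist:
        result = guard.attempt(user, guess, source)
        if result == "ok":
            return guess
        if result == "locked":
            return None
    return None


def spray(guard, wordlist, users, source="198.51.100.7"):
    """Password spraying: try one guess against every account before moving
    to the next guess, so no single account accumulates many failures.
    Returns {user: password} for every account that fell."""
    cracked = {}
    for guess in wordlist:
        for user in users:
            if user in cracked:
                continue
            if guard.attempt(user, guess, source) == "ok":
                cracked[user] = guess
    return cracked


def run_spray(wordlist, users, per_account=5, per_source=None):
    """Spray against a fresh guard; report what fell and the worst per-account
    failure count, i.e. what a per-account lockout policy actually sees."""
    guard = LoginGuard(per_account, per_source)
    cracked = spray(guard, wordlist, users)
    return cracked, max(guard.account_fails.values(), default=0)


if __name__ == "__main__":
    users = list(ACCOUNTS)
    # 1. Per-account lockout stops the single-target attack: five failures on
    #    erin and the sixth guess is refused.
    print(brute_force_one(LoginGuard(per_account=5), "erin", COMMON))
    # 2. The same lockout never fires against a spray of three guesses: no
    #    account sees more than three failures, and three accounts fall.
    print(run_spray(COMMON[:3], users))
    # 3. Counting failures per source address as well cuts the spray short
    #    (4 is far too low for a shared NAT; the point is the extra dimension).
    print(run_spray(COMMON[:3], users, per_source=4))
```

The attacker's counter-move to the per-source counter is to rotate through many addresses, which is why real spray detection also looks at failure rate across the whole user population rather than per address alone.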

Re:fix brute force attack (0)

Anonymous Coward | more than 2 years ago | (#36779426)

FTFA:

Of course, Hotmail has built-in defenses against standard dictionary attacks, but when someone can guess your password in just a few tries, it hardly constitutes “brute force!”

Your own fault (0)

Anonymous Coward | more than 2 years ago | (#36778728)

I say, if you can't secure your password you deserve to be hacked.

I signed up for a Windows Live account yesterday (0)

Anonymous Coward | more than 2 years ago | (#36778786)

Their real problem isn't common passwords... it's enforcing a maximum password length (to around 15 chars). I assume Hotmail shares the same rules.

I had to check the year to make sure it wasn't 1998. Password length restrictions in 2011? WTF? Passphrases aren't some arcane nerd practice anymore. Lots of people use them now, usually because they're easier to remember.

Password Encrypted? (1)

BlindMaster (2262842) | more than 2 years ago | (#36778794)

I thought those passwords are encrypted, so how do they get the list of those common passwords? And aren't `recover your password` questions as common/flawed as having a password in place?

Re:Password Encrypted? (1)

DemonGenius (2247652) | more than 2 years ago | (#36778896)

I thought those passwords are encrypted, so how do they get the list of those common password?

Common password lists do exist, this has been studied to death. I would imagine that the password is compared with a list that exists on the server before it is encrypted.

Re:Password Encrypted? (1)

pe1chl (90186) | more than 2 years ago | (#36778936)

Whenever you type your password on the login form, it is available to them in plain text.
(of course it is transmitted encrypted over the internet, but then it is decrypted by their server)
If you are lucky they don't store your password in their database in plaintext, but each time you log in they have the opportunity to look up your password in their insecure password list before encrypting it again to compare it with their database entry.

Re:Password Encrypted? (1)

bberens (965711) | more than 2 years ago | (#36779460)

If you are lucky they don't store your password in their database in plaintext

If you're really lucky they run your password through a one-way hash and store *that* in the database. Then, theoretically, anyone who gets access to your hash can come up with a password that will get them into the compromised system... that is, a password that happens to have the same hash, but not necessarily your actual password.

Re:Password Encrypted? (0)

Anonymous Coward | more than 2 years ago | (#36778944)

Somehow I knew this would get asked...

All they need to do is feed the common passwords into their hashing/salting/encrypting/demuxing/whatever system to get the encoded text that is stored in the database. Anyone with that same encoded text will get a warning that they need to change their password. It's basically rainbow tabling themselves... which, while kinky sounding, is very boring.

And yes, the recovery option is the side screen door to Fort Knox that people seem to forget about. We really do need a better password recovery system.

Re:Password Encrypted? (1)

glwtta (532858) | more than 2 years ago | (#36779358)

And yes, the recovery option is the side screen door to Fort Knox that people seem to forget about. We really do need a better password recovery system.

We have one, it's "reset your password", and it's what every moderately well-run site uses. I haven't seen a password recovery option on any mildly popular site in years. (I'm sure someone will come up with an example, point is, it's rare).

Re:Password Encrypted? (1)

ZombieBraintrust (1685608) | more than 2 years ago | (#36779528)

No, I think he was saying "reset your password" is the side screen door to Fort Knox. "Reset your password" generally involves security questions and emailing the password to a secure email location. So once you break their hotmail account you can "Reset your password" on your bank account or your WOW account. I wonder if there are any lists of common answers to security questions.

Re:Password Encrypted? (1)

glwtta (532858) | more than 2 years ago | (#36779852)

Hmm... I had a little problem parsing the original sentence (And isn't `recover your password` questions are common/flawed as having password in place?), you could be right.

Of course if you actually have their Hotmail login and password, chances are they are the same as the bank account.

Re:Password Recovery vs Google Two Way Auth (1)

BlindMaster (2262842) | more than 2 years ago | (#36779530)

How would you expect to `reset your password` for your email, while the validation process requires you to log in to your email account?
How do you envision resetting your password on Hotmail, while the requirement might be for you to log in to get the reset password link?

Actually, it's good to mention Google's two way authentication here as well.
I know HSBC or some other banks had been using a similar method 20 years ago, and with better technologies, Google expands this with an app on Android phones (it works on my Android, never had an iPhone).

Re:Password Recovery vs Google Two Way Auth (1)

glwtta (532858) | more than 2 years ago | (#36779766)

Email providers often ask for a secondary email when you sign up, just for this purpose, some services allow you to change it "in-place" (ie, answer a few questions, type in the new password - not terribly secure, of course), some use SMS (I quite like that option).

With banks, you typically have to call them, which is fine - it's not something you have to do all that often.

Speaking of HSBC, they have this gimmick where you have two passwords, and one of them you have to enter by clicking letters on a little javascript keyboard (instead of typing) - I hate that thing, pointless security theater, and I always forget the second password.

Re:Password Recovery vs Google Two Way Auth (1)

BlindMaster (2262842) | more than 2 years ago | (#36779988)

The Google Two Way Authentication is similar to the SMS solution that you mentioned.
As for HSBC 20 years ago (not the Internet era yet, but using a modem to call into their server), it generated a second password for your next session.

Re:Password Encrypted? (1)

bberens (965711) | more than 2 years ago | (#36779484)

This one always gets me. People may be smart enough to have a strong password for their bank, but will have a weak password for their e-mail where the password recovery details will be sent to.

Re:Password Encrypted? (0)

magarity (164372) | more than 2 years ago | (#36778960)

Yes but if several accounts all use the same password they all hash to the same value. If an administrator puts password 123456 into a known account and looks up the hashed password for that account, it's easy to then search for that hash among all accounts.

Re:Password Encrypted? (1)

BlindMaster (2262842) | more than 2 years ago | (#36779424)

Yes, I assume they can sort by hashed password, and actually my question is how they ended up with "common password" if Hotmail encrypted the password. If there is a decrypt function, then I am curious how secure it is being hosted.

And I suppose they are here to study the pattern, which includes related passwords, e.g. 123456 qualifies as linear f(x) = x, therefore 1234567 will also be categorized as the same thing for study, no?
If I am a hacker, I am interested in the pattern more than just common passwords, and for a security expert to counter hackers, would they be studying the pattern instead of general `common passwords`? Or provide suggestion on those pattern, instead of just some isolated password case?

Re:Password Encrypted? (1)

ZombieBraintrust (1685608) | more than 2 years ago | (#36779728)

They are using passwords from other sites. Sites that didn't do their security correctly and stored passwords as plain text. The sample size of these exposed sites is large enough that they know what Americans currently choose as common passwords.

Re:Password Encrypted? (2)

Ferzerp (83619) | more than 2 years ago | (#36779958)

Not if properly salted it will not.

Re:Password Encrypted? (1)

magarity (164372) | more than 2 years ago | (#36780428)

Not if properly salted it will not.

It should be obvious that this isn't the case or this analysis would be impossible.

Re:Password Encrypted? (1)

LordLimecat (1103839) | more than 2 years ago | (#36780460)

Microsoft has the salt, so they will be able to check certain passwords. Hash 123456, salt it, compare with the table.

The point of salt isn't to make the hashes impossible to do lookups on (otherwise you couldn't do logins), it's to make existing rainbow tables worthless.
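magarity, Ferzerp and LordLimecat are describing the same audit from three angles, and the cost difference between the salted and unsalted cases is the interesting part. The following is an added example in Python, written for this page and not Microsoft's code; the banned list and the four accounts are constructed. With an unsalted table every banned password is hashed once and looked up, and identical passwords show up as identical digests, which is what Em Adespoton's duplicate-count idea further up relies on. With per-user salts the duplicates disappear, an outsider's precomputed digests match nothing, and the operator, who holds the salts, has to recompute each banned password under each user's salt. SHA-256 stands in for a real slow KDF only so the hash counter stays readable.

```python
import hashlib
import secrets

# Constructed banned list; a stand-in for whatever list Hotmail actually ships.
BANNED = ["password", "123456", "ilovecats", "gogiants", "letmein"]

# Constructed demo accounts (not real data); alice and carol share a password.
USERS = {
    "alice": "123456",
    "bob": "correct horse battery staple",
    "carol": "123456",
    "dave": "ilovecats",
}

HASH_CALLS = 0  # counts digest computations so the cost of each audit is visible


def hash_password(password, salt):
    """Salted SHA-256, chosen only to keep the demo short. A real store
    should use a slow, memory-hard KDF (scrypt, argon2, bcrypt) so that
    offline guessing against a stolen table is expensive."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_store(users, salted=True):
    """Build a credential table user -> (salt, digest). With salted=False
    every user gets the empty salt, i.e. a plain unsalted hash."""
    store = {}
    for user, password in users.items():
        salt = secrets.token_bytes(16) if salted else b""
        store[user] = (salt, hash_password(password, salt))
    return store


def shared_digests(store):
    """Em Adespoton's idea from this thread: group users whose stored digest is
    identical. Only works when hashes are unsalted; with per-user salts two
    users with the same password store different digests."""
    by_digest = {}
    for user, (_, digest) in store.items():
        by_digest.setdefault(digest, set()).add(user)
    return [group for group in by_digest.values() if len(group) > 1]


def audit_unsalted(store, banned):
    """Unsalted table: hash each banned password once, then look digests up.
    Cost is len(banned) hashes however many users there are, which is also
    why a leaked unsalted table is so cheap to attack."""
    lookup = {hash_password(pw, b""): pw for pw in banned}
    return {user: lookup[digest] for user, (_, digest) in store.items() if digest in lookup}


def audit_salted(store, banned):
    """Salted table: the operator, who holds the salts, recomputes every banned
    password under every user's salt. Cost grows as len(banned) * len(store),
    and a rainbow table built without the salts is useless."""
    hits = {}
    for user, (salt, digest) in store.items():
        for pw in banned:
            if hash_password(pw, salt) == digest:
                hits[user] = pw
                break
    return hits


def count_hashes(fn, *args):
    """Run fn(*args) and return (result, number of digests computed)."""
    global HASH_CALLS
    HASH_CALLS = 0
    result = fn(*args)
    return result, HASH_CALLS


if __name__ == "__main__":
    unsalted, salted = make_store(USERS, salted=False), make_store(USERS)
    print(shared_digests(unsalted))                        # [{'alice', 'carol'}]
    print(shared_digests(salted))                          # []
    print(count_hashes(audit_unsalted, unsalted, BANNED))  # 3 hits, 5 hashes
    print(count_hashes(audit_unsalted, salted, BANNED))    # no hits, 5 hashes
    print(count_hashes(audit_salted, salted, BANNED))      # same 3 hits, 12 hashes
```

Because the salted audit is linear in the number of accounts, a service the size of Hotmail would run it as a batch job, or more simply check the candidate against the list at set-time while the plaintext is still in hand, as DemonGenius suggested above.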

Common sense here... (1)

mlts (1038732) | more than 2 years ago | (#36778832)

This is something that public access UNIX systems and universities with a ton of students learned ages ago, when all it took was a guy running Crack on /etc/passwd (before passwords were shadowed.)

Most operating systems have a small dictionary they check against so people using "12345" for something other than their luggage will be stopped immediately.

History just repeats itself... websites are now learning what operating system makers learned in the early 1990s -- keep the passwords well encrypted, and disallow obvious dictionary entries, so a brute force operation may take seconds to find a password rather than microseconds.

Re:Common sense here... (1)

toejam13 (958243) | more than 2 years ago | (#36779560)

Hotmail could go one step further. As opposed to just checking against a blacklist of common passwords, they could use a whitelist of acceptable password types. Must be 8 or more characters in length, must be mixed case and must contain one or more digits. Then you run that against the blacklist to weed out people picking "Passw0rd" or "t1nkerB3ll".
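toejam13's two-stage check (a composition whitelist, then a blacklist) only works if the blacklist is consulted with something other than the raw string, because, as burning-toast noted further up, the crackers already apply the letter-to-digit substitutions themselves. This added Python example, written for this page and not taken from Hotmail, normalises the candidate before the lookup so that "Passw0rd" and "t1nkerB3ll" are rejected as common even though they satisfy the composition rules. The blacklist, the rule codes and the substitution table are assumptions. Since this thread was written, NIST SP 800-63B has moved guidance away from composition rules toward minimum length plus a breached-password blacklist, which is why the composition checks here are switchable.

```python
import re

# Constructed blacklist; the real one would be far longer and maintained from
# breach corpora, as the thread describes.
BANNED = {"password", "123456", "ilovecats", "gogiants", "tinkerbell", "letmein"}

# Undo the substitutions a cracker's leet rule applies (0->o, 3->e, ...), so the
# blacklist is consulted with the word the user actually started from.
DELEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Canonical form for the blacklist lookup only (the stored credential is
    the password as typed): lowercase, drop a trailing digit/symbol run,
    reverse leet substitutions, keep letters. 'Il0v3C4ts!2011', 'ilovecats1'
    and 'ILOVECATS' all map to 'ilovecats'."""
    p = password.lower()
    p = re.sub(r"[\d\W_]+$", "", p)   # trailing '123', '!', '2011'
    p = p.translate(DELEET)
    return re.sub(r"[^a-z]", "", p)


def check_password(password, banned=BANNED, min_len=8,
                   require_mixed_case=True, require_digit=True):
    """Return the list of rule codes the password fails; [] means accepted.
    The composition rules are toejam13's proposed whitelist; the blacklist
    check runs on both the raw lowercase string and the normalised form so
    '123456' and 'Passw0rd' are both caught."""
    reasons = []
    if len(password) < min_len:
        reasons.append("too_short")
    if require_mixed_case and not (any(c.islower() for c in password)
                                   and any(c.isupper() for c in password)):
        reasons.append("no_mixed_case")
    if require_digit and not any(c.isdigit() for c in password):
        reasons.append("no_digit")
    if password.lower() in banned or normalize(password) in banned:
        reasons.append("banned")
    return reasons


if __name__ == "__main__":
    for candidate in ["Passw0rd", "t1nkerB3ll", "123456", "Il0v3C4ts!2011",
                      "correct horse battery staple", "Mauve7Granite-Rocket"]:
        print(f"{candidate!r:32} -> {check_password(candidate) or 'accepted'}")
```

The normaliser is deliberately lossy: it only has to map a candidate onto the banned word it was derived from, never back again, so collisions between unrelated strong passwords cost nothing but an occasional false rejection.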

Re:Common sense here... (1)

Pope (17780) | more than 2 years ago | (#36779644)

Yep, do both: blacklist the "bad" passwords, and add a strength requirement. Hell, all online services should have been doing this for YEARS already.

Re:Common sense here... (1)

mlts (1038732) | more than 2 years ago | (#36780042)

The reason online services have not bothered is because until now, it really didn't matter. Having security is expensive, and the PHBs believe anything security related has no ROI, so it doesn't get done.

Now that attackers have snarfed password databases and made them public, online services are starting to actually bother with some security such as using salts and hashing passwords, enforcing basic password measures, and adding anti-brute force attack provisions, such as locking out IPs, tarpitting (where the replies get slower and slower, or they remain the same speed, except any passwords guessed get completely ignored), or locking out the account.

The ironic thing... online services are just discovering this... this functionality has been in AIX, Solaris, and various Linux distros since the early 1990s.

Seems like we are reinventing the wheel. Now all we need are websites to have a standard form of two-factor authentication, with multiple devices on the list (so if one loses their phone, they can use a SecurID card to still get in, or even a printed TAN list as a last resort, similar to how Google's authentication does it.)

Wait, what?! (0)

Anonymous Coward | more than 2 years ago | (#36778876)

Doesn't Hotmail have minimum password requirements, like "at least 6 characters, 1 number, 1 capital letter" etc ?

Re:Wait, what?! (1)

jank1887 (815982) | more than 2 years ago | (#36778950)

No. And above all, see the comment above about a max password length for Live.com accounts. (Hotmail is part of live.com now.)

I am not using hotmail, but maybe my friend is... (1)

pe1chl (90186) | more than 2 years ago | (#36778890)

What I find disturbing with features like this, is how the service (be it hotmail, linkedin, facebook, whatever) always assumes that when you receive crap from one of their users and want to report it so something is done about it, you also have an account yourself.
I want to be able to report that I receive spam from one of their users WITHOUT having to create an account on their system.
So the "my friend has been hacked" report should not be only in their mail user interface, but also in some publicly accessible webpage or even better in the handling of mail sent to abuse@.

Furthermore, having monitored events of "hacked hotmail accounts" for some time, I believe quite a number of them are not hacked by bruteforcing the password, but by phishing or luring the user into "when you fill in this questionnaire we will send you a free LED lamp" etc., where one of the questions in the questionnaire actually asks the user to provide their mail address and password.
Many naive users give all info you ask them for when promised a free gift.

Re:I am not using hotmail, but maybe my friend is. (1)

PickyH3D (680158) | more than 2 years ago | (#36779138)

I want to be able to report that I receive spam from one of their users WITHOUT having to create an account on their system.

The principle of the idea is sound, but the implications of them being--ironically--spammed to hide real problems is probably not appealing to them.

I believe quite a number of them is not hacked by bruteforcing the password

This is almost certainly true, but the features simply came out at the same time due to their relationship, and having your password brute forced is not a requirement to having your account flagged by your friend.

Good idea to ban common passwords (2)

gurps_npc (621217) | more than 2 years ago | (#36778968)

Far better than simply outlawing "you can't use your username as your password". Same goes for the silly "can't use the last password as your current one". I never understood the reasoning behind the time-based password change. No one expects people to get a new key every six months for their home lock. No one expects someone to get a new ATM card every 6 months. Good passwords are worth keeping for years, as long as they actually are a good password. Are you supposed to be worried that you have given out your old password and forgotten about doing it? You can't stop an idiot from giving away his password. But you don't have to screw it up for the rest of us to help out the idiot.

Re:Good idea to ban common passwords (0)

Anonymous Coward | more than 2 years ago | (#36779368)

The password deprecation solves exactly one problem: How long is YOUR network exposed after a user's password is compromised.

This makes sense for employee passwords changing yearly for instance, as it prevents a single compromise from benefiting espionage agents for longer than that. However, for things like bank accounts, or MMO accounts it makes no sense as your biggest threat is the person that gets the credentials and empties it immediately.

Re:Good idea to ban common passwords (0)

Anonymous Coward | more than 2 years ago | (#36779412)

You have a nice analogy, but there are flaws...

A good key on my home lock doesn't act as a clone the moment I use it to open a padlock to the shed. It doesn't provide access to my employer's property and also to my safe deposit box and bank.

A password--even if I pick a really good one, is likely to be exposed by every idiot out there that gets compromised and/or doesn't hash the database.

If you have a competent sysadmin, the change periodicity happens not because we're worried about a slow brute force, but to make sure you aren't using the same password on our system that you're using for hotmail and your cousin's blog.

That's why my systems use a prime number for the rotation... to skew cycles.

good luck understanding this though

Re:Good idea to ban common passwords (1)

BlindMaster (2262842) | more than 2 years ago | (#36779580)

I agree with the ATM card or physical key, since you are aware of these things being taken away.
However, a password can be different. You never know about a MITM attack.

I really hate changing my password every 6 months (my company policy is every 30 days, 15 different passwords). And the only way to remember my password to start my workstation is to have a pattern (sigh, add a different number once in a while), which is not very secure, I believe.

Re:Good idea to ban common passwords (1)

JetScootr (319545) | more than 2 years ago | (#36780038)

Try this: use several unrelated dictionary words, strip the vowels, and make it look like math: prpl=rckt*grnt (purple = rocket * granite) or some similar small set of rules. Passwords are secure, you only have to remember three words, and once you've memorized the simple rules, you can even write down the three words without compromising the real password. You also get longer passwords (14 chars is the current recommendation).

Re:Good idea to ban common passwords (0)

Anonymous Coward | more than 2 years ago | (#36779952)

Whenever an administrator enables this on dev machines, I make a point of coming up with useless passwords that I can alternate, and usually the same ones work against all companies' filters. Just let me use my own secure password and leave it at that. It works better that way; research has been done on this before, and people will just do what I do when you enforce password expiry. It doesn't make anything more secure, it makes it less secure, as people have to keep coming up with easy-to-remember passwords which are most likely less safe than having one hard-to-initially-remember password that you made a point to memorize, and the idiots will be idiots no matter what. But if you frustrate users with annoying password expiration policies then everybody gives up on coming up with secure passwords because they have to do it so often.

Re:Good idea to ban common passwords (0)

Anonymous Coward | more than 2 years ago | (#36780374)

Part of security is limiting damage. Changing your password every N days means that a compromised password will be valid no longer than N days whether it's identified as compromised or not, thereby limiting the amount of time an attacker has to cause damage. Good passwords may be more difficult to compromise, but a good password is no easier to identify as compromised than a bad password is, and there's the same need to limit damage.

Related (0)

Anonymous Coward | more than 2 years ago | (#36779184)

http://yro.slashdot.org/story/11/07/15/1216222/Mozilla-BrowserID-Decentralized-Federated-Login

Suggestion (0)

Anonymous Coward | more than 2 years ago | (#36779228)

I will say this again and again and again.

Hotmail needs to do this. Have a master pass, for whole account access, and a secondary pass, for accessing e-mail (viewing/composing/sending only).

If someone's secondary pass is compromised, no big deal. Just log in using a secure computer using the master pass and change the secondary pass. But the secondary pass would still need to be strong.

Now, that above is my suggestion. Currently, if the password is compromised, what prevents the alternative e-mail, mobile phone number, secret question (which probably has the answer posted on their social networking site anyways) from being changed?

E-mail spoofing (0)

Anonymous Coward | more than 2 years ago | (#36779406)

I feel sorry for all the victims of spoofing being labelled as hacked.

Humph! (0)

Anonymous Coward | more than 2 years ago | (#36779520)

More of big brother telling people what to do!

So does anyone think this is a good idea? (1)

jader3rd (2222716) | more than 2 years ago | (#36779752)

Personally I think it's a good idea. I'm glad Hotmail is implementing this feature. I think it makes the internet as a whole a safer place. What's different about this is that most security advances center around the system; this centers around the fact that Hotmail is a small part of their users' lives. This doesn't make Hotmail less hackable in any way, but it does (or is at least trying to) protect the user from having their reputation (is spam being sent from this account?) hijacked when another service gets cracked and the user's shared password is compromised.

bout damn time (1)

JetScootr (319545) | more than 2 years ago | (#36779984)

Approx. 20 years ago I wrote code for a system at work to do this; the list was hundreds of possibilities, including acronyms from work, userids and real names, stupid stuff like variations of 'password', etc. We had to do it cuz the customer (NASA) considered it "old hat, everyone else is doing this, why aren't we?"
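The kind of check the comment above describes, as an added example that is not the commenter's code and not Hotmail's: a blocklist lookup that also catches trivial variants (trailing digits or punctuation, common leet substitutions, case) and rejects passwords built from the account's userid or real name. The word lists, the acronyms and the minimum length are constructed values for the demo, not from the page or any real deployment.

```python
import re

# Constructed sample lists; a real deployment would load far larger ones.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "ilovecats", "gogiants"}
ORG_ACRONYMS = {"nasa", "jsc", "ksc"}   # constructed "acronyms from work"
MIN_LENGTH = 8                           # assumed policy value

# Common character substitutions undone before the lookup.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Canonical form for blocklist lookup.

    Strips the usual trailing digits/punctuation ('Password123!'), undoes
    common leet substitutions ('P@ssw0rd'), lowercases, and keeps letters only.
    """
    s = re.sub(r"[\d\W_]+$", "", password)   # drop trailing "123", "!", "2011", ...
    s = s.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", s)


def name_tokens(userid: str, real_name: str) -> set:
    """Lower-cased letter-only tokens from the userid and each part of the real name."""
    tokens = set()
    for raw in [userid] + real_name.split():
        t = re.sub(r"[^a-z]", "", raw.lower())
        if len(t) >= 3:                      # ignore initials and empty strings
            tokens.add(t)
    return tokens


def check_password(password: str, userid: str = "", real_name: str = ""):
    """Return (accepted, reason) for a candidate password."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    norm = normalize(password)
    # Check both the raw lower-cased value (catches all-digit entries such as
    # '123456') and the normalized form (catches 'P@ssw0rd1!').
    for candidate in (password.lower(), norm):
        if candidate in COMMON_PASSWORDS or candidate in ORG_ACRONYMS:
            return False, f"variant of blocked word '{candidate}'"
    for tok in name_tokens(userid, real_name):
        if tok in norm:
            return False, f"contains account/name token '{tok}'"
    return True, "ok"


if __name__ == "__main__":
    for pw, uid, name in [("P@ssw0rd1!", "", ""),
                          ("gogiants2011", "", ""),
                          ("jetscootr99", "JetScootr", ""),
                          ("prpl=rckt*grnt", "", "")]:
        print(pw, check_password(pw, uid, name))
```

The normalization deliberately strips only a trailing run of digits and punctuation, so a password like prpl=rckt*grnt from the earlier comment passes while Password2011! is recognised as a variant of a blocked word; widening the normalization (for instance, dropping all digits anywhere) catches more variants at the cost of more false rejections.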

Abuse (1)

Gripp (1969738) | more than 2 years ago | (#36780082)

I can't imagine that the "my friend has been hacked" button will last. I would imagine that the hackers would want to flood that button to obscure the real attacks, and it wouldn't be that hard to script....

This is intolerable. (2)

Estanislao Martínez (203477) | more than 2 years ago | (#36780084)

I'm sick of having to remember so many complicated passwords. Now that Hotmail is going to force me to change my password to something I can't remember, I'm just going to have to migrate to another email company. Hopefully I can get the same user name part as I have now (ron_damon).

My Password Won't be Blocked Under That Rule! (3, Funny)

Pauldow (1860502) | more than 2 years ago | (#36780880)

I've been using 8 asterisks for passwords so I can see what I'm typing.
