
Deloitte: Use a Longer Password In 2013. Seriously.

timothy posted about a year ago | from the you're-gonna-need-a-bigger-post-it dept.

Encryption 538

clustro writes "Deloitte predicts that 8-character passwords will become insecure in 2013. Humans have trouble remembering passwords with more than seven characters, and it is difficult to enter long, complex passwords into mobile devices. Users have not adapted to increased computing power available to crackers, and continue to use bad practices such as using common and short passwords, and re-using passwords across multiple websites. A recent study showed that using the 10000 most common passwords would have cracked >98% of 6 million user accounts. All of these problems have the potential for a huge security hazard. Password vaults are likely to become more widely used out of necessity. Multifactor authentication strategies, such as phone texts, iris scans, and dongles are also likely to become more widespread, especially by banks."


538 comments

I Got It! (5, Funny)

pmcizhere (1028912) | about a year ago | (#42824413)

correcthorsebatterystaple. It's a perfectly long, easy to remember password. Just, nobody use it other than me, ok?

Re:I Got It! (2, Insightful)

Anonymous Coward | about a year ago | (#42824463)

awful password, only 4 symbols long

Re:I Got It! (1)

pmcizhere (1028912) | about a year ago | (#42824553)

> awful password, only 4 symbols long

Not sure if serious...See http://xkcd.com/936/ [xkcd.com]

Re:I Got It! (5, Interesting)

alvinrod (889928) | about a year ago | (#42824897)

It's bad because much like you can have a computer program randomly combine letters, numbers, and symbols to generate a password, you can simply have the same program combine dictionary words together. There are hundreds of thousands of words in the English language, which would make the number of combinations quite large, but most of those words aren't commonly used so you could ignore them. If you had people generate a four word pass phrase, it's quite likely that most of them would contain only words from a relatively small subset of the English language.

When I use pass-phrases, I make sure to include some capital letters, numbers, and symbols. This makes it almost impossible to brute force. So for example, 2Correcthorse4batteryStapple! would be a much more secure password, that really isn't any more difficult to remember. It's only using 7 symbols, which makes it fairly easy to remember. Once you type it enough, muscle memory will allow you to enter it without too much issue.

You could make it even more complex by using slang words, words from other languages, proper nouns, or other such words.

Re:I Got It! (4, Funny)

AliasMarlowe (1042386) | about a year ago | (#42824575)

I currently use "11111111", and Deloitte says I should use at least 9 characters?
Easy peasy, I'll buy some time by making it 12 characters long: "111111111111".

Re:I Got It! (0)

Anonymous Coward | about a year ago | (#42824475)

I'll use abstruseboliviancanarycollar instead.

Re:I Got It! (0)

Anonymous Coward | about a year ago | (#42824483)

> correcthorsebatterystaple. It's a perfectly long, easy to remember password. Just, nobody use it other than me, ok?

Crap. That's the same password I have on my luggage.

Re:I Got It! (0)

Anonymous Coward | about a year ago | (#42824485)

Yes, only you as I use "Correct Horse Battery Stable"

Re:I Got It! (0)

Anonymous Coward | about a year ago | (#42824527)

Hah, that comic [xkcd.com] is the background on my work computer.

Re:I Got It! (1)

wallsg (58203) | about a year ago | (#42824585)

> correcthorsebatterystaple. It's a perfectly long, easy to remember password. Just, nobody use it other than me, ok?

Ha! Mine's even better:

c0rrecthorsebatterystaple

Re:I Got It! (5, Insightful)

LoRdTAW (99712) | about a year ago | (#42824711)

A better question would be, what system would allow 1000 password guesses per second to be authenticated? Most systems lock you out after 3 to 5 unsuccessful attempts. And I would hope that smart developers would put a time delay between how fast a user can reattempt to authenticate. So a computer sending authentication attempts in less than one second would be immediately blacklisted as an automated attack. Inserting a second or two delay between attempts would guarantee that. Assuming a computer could brute force a password by trying all possible strings, what system could that possibly be effective against? I can see that it could be useful against an encrypted file, but an online banking site or other eCommerce site sounds impractical. Anyone care to elaborate?

Re:I Got It! (0)

zieroh (307208) | about a year ago | (#42824767)

This.

There's this utterly stupid notion that passwords can be cracked online in a vacuum, unencumbered by real life safeguards to prevent exactly that kind of thing.

Re:I Got It! (5, Informative)

OzPeter (195038) | about a year ago | (#42824817)

> A better question would be, what system would allow 1000 password guesses per second to be authenticated?

Irrelevant, as the cracking will happen offline after the bad guys have stolen your PW DB by exploiting other weaknesses in your system

Re:I Got It! (2)

Archangel Michael (180766) | about a year ago | (#42824829)

The fastest typist can type 100 - 150 WPM, so let's use that metric for designing systems requiring "human" input, like passwords. Artificially limiting brute force attacks.

Re:I Got It! (5, Informative)

AndrewStephens (815287) | about a year ago | (#42824905)

True, but nobody tries breaking into a system by logging in ten thousand times a second to a single account. The recent well-publicised break-ins resulted from the hashed password file being publicly available, either stolen through a vulnerability or maliciously leaked. If the attackers have the hashed passwords they can try them at a rate of millions or billions of attempts per second for as long as they want.

Re:I Got It! (3, Interesting)

Beardo the Bearded (321478) | about a year ago | (#42824913)

I'd just double the time it takes for each try.

First bad password: 1 second to retry.
Second bad password: 2 seconds to retry.
Third bad password: 4 seconds to retry.
Fourth bad password: 8 seconds to retry.
Fifth bad password: 16 seconds to retry.

You get the idea. It'll end brute-force and only mildly inconvenience clueless users with fat fingers.
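Added example, not code from any poster in this thread: a login throttle implementing the doubling scheme above, with the delay capped so a locked-out user's wait stays bounded, and a separate failure budget per source address so one client spraying guesses across many accounts is slowed as well. The `verify_password` callback, the constructed `users` table and the address 203.0.113.7 are this example's own.

```python
import time
from collections import defaultdict

# Added example, not code from any poster: per-account exponential backoff
# on failed logins (1, 2, 4, 8, 16 ... seconds), capped, plus a per-source
# failure budget. verify_password is a caller-supplied callback.

BASE_DELAY = 1.0       # seconds to wait after the first failure
MAX_DELAY = 3600.0     # cap on the doubling; bounds the wait of a locked-out user
SOURCE_BUDGET = 50     # failures one source address may accumulate before refusal


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)         # account -> consecutive failures
        self.next_allowed = defaultdict(float)   # account -> earliest retry time
        self.source_failures = defaultdict(int)  # source  -> total failures

    def retry_after(self, account):
        """Seconds still to wait before this account may try again (0 if none)."""
        return max(0.0, self.next_allowed[account] - self.clock())

    def attempt(self, account, source, password, verify_password):
        """Returns (status, delay); delay is the wait imposed by this call, or None."""
        if self.source_failures[source] >= SOURCE_BUDGET:
            return ("source_refused", None)
        wait = self.retry_after(account)
        if wait > 0:
            # Reject without checking the password; the timer is not reset,
            # so hammering the endpoint gains the client nothing.
            return ("too_soon", wait)
        if verify_password(account, password):
            self.failures[account] = 0
            self.next_allowed[account] = 0.0
            return ("ok", None)
        self.failures[account] += 1
        self.source_failures[source] += 1
        delay = min(MAX_DELAY, BASE_DELAY * 2 ** (self.failures[account] - 1))
        self.next_allowed[account] = self.clock() + delay
        return ("bad_password", delay)


class FakeClock:
    """Deterministic clock so the walkthrough below runs instantly."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def walkthrough():
    """Five wrong guesses against one account, then a refused early retry,
    then the correct password once the window has passed."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    users = {"alice": "correct horse battery staple"}   # constructed sample
    verify = lambda account, pw: users.get(account) == pw
    delays = []
    for guess in ["hunter2", "password", "letmein", "qwerty", "123456"]:
        status, delay = throttle.attempt("alice", "203.0.113.7", guess, verify)
        assert status == "bad_password"
        delays.append(delay)
        clock.advance(delay)           # the legitimate user waits it out
    throttle.attempt("alice", "203.0.113.7", "x", verify)       # sixth failure: 32 s
    status, _ = throttle.attempt("alice", "203.0.113.7", "x", verify)
    assert status == "too_soon"        # refused without a password check
    clock.advance(32)
    ok, _ = throttle.attempt("alice", "203.0.113.7", users["alice"], verify)
    return delays, ok


if __name__ == "__main__":
    print(walkthrough())   # ([1.0, 2.0, 4.0, 8.0, 16.0], 'ok')
```

The per-account timer is what stops online guessing, but on its own it is also the denial-of-service lever SuricouRaven describes further down: anyone who can submit a wrong password keeps the account delayed. The cap and the per-source budget narrow that, and a deployment would also want the counters in shared storage and a reset path that does not depend on the account being usable.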

Re:I Got It! (0)

Anonymous Coward | about a year ago | (#42824727)

Better luck using Chinese passwords. 10,000 characters to choose from, so 10000^8 password space. Much more efficient than making passwords longer.

Re:I Got It! (1)

BlueParrot (965239) | about a year ago | (#42824743)

My preference is to mix a few languages and technical terms.

nekozuki catbus ibuprofen shutzpa

Even if you know how I generate these passphrases the number of combinations is staggering.
Since the majority of languages can use Latin script you easily have a million or more possibilities
for each word, giving more than 10^24 potential combinations, and that does not take into consideration
that I am more than happy to include things like "catbus", which is not a real English word.

Re:I Got It! (0)

Anonymous Coward | about a year ago | (#42824909)

That's exactly the same password I'm using!

Re:I Got It! (1)

Anonymous Coward | about a year ago | (#42824945)

there's even a generator for such passphrases.

http://passphra.se

Why the heck are faster computers a problem at all (0)

Anonymous Coward | about a year ago | (#42824449)

Shouldn't we just be using slower and slower hash algorithms to store passwords to compensate?

Re:Why the heck are faster computers a problem at (3, Insightful)

wiredlogic (135348) | about a year ago | (#42824523)

We should have legislation prohibiting cleartext and unsalted password storage. At least for any site that handles money. That will help quite a bit to inhibit the sort of casual database cracking that goes on today.

Re:Why the heck are faster computers a problem at (1)

CanHasDIY (1672858) | about a year ago | (#42824643)

> We should have legislation prohibiting cleartext and unsalted password storage. At least for any site that handles money.

Personally, I'm surprised PCI doesn't require this already.

Passwords are shit. (0)

Anonymous Coward | about a year ago | (#42824459)

Why aren't passphrases more common?

Far easier to remember Hot grits down your pants with a petrified Natalie Portman than miJFsVXx3!, and potentially far more secure by virtue of character number.

Re:Passwords are shit. (2)

maxwell demon (590494) | about a year ago | (#42824487)

But it takes much longer to type in

Re:Passwords are shit. (4, Insightful)

LordLucless (582312) | about a year ago | (#42824637)

Probably not. I can type my mis-spelt Shakespeare quote of a passphrase faster than I can type an obtuse non-alphanumeric-laden password, because I'm far better at typing English sentences than I am weird symbol sequences.

Re:Passwords are shit. (1)

CanHasDIY (1672858) | about a year ago | (#42824673)

Only if you hunt and peck for everything.

FWIW, it took me about half the time to type the above line than it takes to type my current 12 semi-random character password.

Re:Passwords are shit. (4, Insightful)

Wonko the Sane (25252) | about a year ago | (#42824645)

Because a lot of websites, especially financial sites, have stupid limitations on password length and/or complexity.

Re:Passwords are shit. (1)

Zerth (26112) | about a year ago | (#42824665)

Passphrases are uncommon because many sites think that "at least" means "exactly" when setting up the user database.

I've dropped one bank because of it. And those secret question/answer fields that are also 8 characters long because they might waste entire megabytes of storage if everyone had room for a complete response.

Re:Passwords are shit. (0)

Anonymous Coward | about a year ago | (#42824699)

> Passwords are shit

Damn you! How did you figure out my password was "S-H-I-T"?

Re:Passwords are shit. (0)

feedayeen (1322473) | about a year ago | (#42824803)

> Why aren't passphrases more common?
>
> Far easier to remember Hot grits down your pants with a petrified Natalie Portman than miJFsVXx3!, and potentially far more secure by virtue of character number.

Catchphrases fail because:

People are lazy: I don't want to type more than I need to if I am going to log a few thousand times.
Capitalization requirements: Are your proper nouns capitalized? What about every word? What about the first?
String length limits and special symbols required: Is Ms. Portman's name hyphenated, or did I put that somewhere else, does that symbol even count? And where the heck did I put that '1'?
***************** oh, crap, did I misspell a word?

Until artificial limits are removed... (5, Insightful)

eksith (2776419) | about a year ago | (#42824467)

I used my online banking today and they limit to 8 characters EXACTLY... even though they demand a non alpha-numeric character and mixed case. I keep thinking, these idiots still don't get it. Also, obligatory [xkcd.com] .

Re:Until artificial limits are removed... (2)

DigiShaman (671371) | about a year ago | (#42824725)

Some financial, investment and health insurance sites (I will not cite them, for my own protection) specifically will not allow upper case and special characters (! @ # $ % etc). Oh, and they must be a minimum of 8 but not more than 12 or some such. WTF? How is that secure?!

It's best to consolidate your passwords (0)

Anonymous Coward | about a year ago | (#42824491)

My computer has the same password as my luggage and to the oxygen on my planet. No one will ever be able to figure it out.

Biological validation (1)

concealment (2447304) | about a year ago | (#42824493)

There's going to be a shift from passwords in general. Not only are they often insecure, but there's no verification that the person typing in the password is the user who owns it.

No, we're going to switch to biological means. This will be more secure, but as a side effect, there will be more assaults in which the eye/finger/penis is removed and used to gain access to these bio-protected systems.

Re:Biological validation (3, Insightful)

Anonymous Coward | about a year ago | (#42824745)

From the point of view of an remotely-accessible device, biometrics and passwords are identical. Any device can send a bit string and claim to have obtained it from a biometric scan, even if the bio in question is not present. As a result, they do not solve the problem of verifying the identity of a user.

Even worse, you end up using essentially the same password for everything, it can never be changed, and you carry it around everywhere you go on your face or hands.

Two factor authentication (4, Insightful)

pwnies (1034518) | about a year ago | (#42824505)

Don't use a longer password, just use two factor authentication.

Re:Two factor authentication (3, Insightful)

swilde23 (874551) | about a year ago | (#42824651)

As long as it's actual two-factor authentication. None of the fake crap that people call two-factor.

For the record, asking me to pick a picture isn't a second form. Something you know, something you have, etc...

Re:Two factor authentication (4, Insightful)

swillden (191260) | about a year ago | (#42824929)

> As long as it's actual two-factor authentication. None of the fake crap that people call two-factor.

No kidding. My bank (I really need to change) uses two factor authentication. To log in you have to know both the username and the password! In order to make this more secure, they apply password quality requirements to both. Yes, that's right, your username must be mixed case and contain alphabetic and numeric characters, and must be at least 8 characters in length. Symbols are not allowed, however, since that would just be weird.

> For the record, asking me to pick a picture isn't a second form.

Most places that use a picture aren't using it as a second authentication factor. It's an anti-phishing countermeasure. The idea is that you pick a picture when you set up your account and then every time you log in you should see your picture. If you don't see your picture, then you know you aren't really looking at your bank's (or whatever) web site, but an attack site. Of course it's not an effective countermeasure against attack sites that use your credentials to connect to the real bank site in the background, get the picture from the bank and then show you what you expected to see. But it does prevent some phishing.

Re:Two factor authentication (0)

Anonymous Coward | about a year ago | (#42824695)

And if only password is available?

Re:Two factor authentication (1)

SuricouRaven (1897204) | about a year ago | (#42824707)

Almost a good solution. But it isn't free, which is a problem. Your bank can issue two-factor authentication easily enough, as can any website of significant value. But what about, for example, a website like Tribal Wars: They have a great many users, but only a tiny per-user income. They survive by keeping the per-user cost low (There's a reason the site is mostly text). If you ask them to spend $15 to buy and mail a dongle to every user, they'll go out of business in an instant. So what do you propose? The only solution I see is to switch to third-party verification: Log in with a facebook ID, and use their token. But I think Facebook has too much power already, it'd mean the end of what little privacy is left.

Re:Two factor authentication (1)

swillden (191260) | about a year ago | (#42824799)

Use Google Authenticator. The app runs on all Android and iOS devices and you can download an SDK to implement support for it in your system. If you do that, Google is not involved in the login process at all, you're just using their (open source) software, so there's no privacy impact.

However, it's also worth pointing out that using third-party authentications from Facebook, Google, etc. via OAuth also doesn't really impact privacy as much as you might think. The third-party authenticator only knows that an authentication was done, and nothing more. Further, for web sites that implement OAuth correctly (which really isn't that hard), there's no reason to limit the third-party authenticator to those big-name providers. In fact, you can run your own OAuth server in your basement and use that as your "third-party" authentication provider, implementing whatever form of authentication you like with whatever degree of security (or not) that you want.

Re:Two factor authentication (1)

CastrTroy (595695) | about a year ago | (#42824875)

If Google can provide an App for my phone that provides the second factor (Google Authenticator [google.com] ), then any other company should be able to do the same. Offer a separate "dongle" for anybody who doesn't have a smart phone and you are set. You could probably make a dongle that supported giving out keys for multiple sites. So instead of having a separate dongle for each service you subscribe to, you have a single dongle which can give out different keys for all services. This would probably work much like an Android phone, that could support many apps for 2 factor authentication, but could be much cheaper and simpler than a phone.

Re:Two factor authentication (0)

Anonymous Coward | about a year ago | (#42824751)

Doesn't scale.

99% blame on system administrators. (-1)

Anonymous Coward | about a year ago | (#42824513)

Why do admins allow brute force attacks? It doesn't make sense.

A failed password attempt should prevent trying another for 10 seconds. 10 failed attempts should lock the account out and force the user to phone or do some other authentication to recover it.

For real - why is this so hard? I only didn't put 100%, because the other 1% of the blame lies with users using "abc123" as their password for everything.

Re:99% blame on system administrators. (1)

eksith (2776419) | about a year ago | (#42824625)

The problem with this is that most people demand to use an easy to remember password and will stubbornly ignore their own password hints. This happened quite a lot at a fashion company I worked for (I wasn't responsible for the web end, thankfully), and customers kept complaining, no joke, "why should a password be case sensitive?"

It wasn't uncommon for customers to blurt out their passwords on the phone either. One lady started giving me her credit card number out of the blue, thinking that was the problem. When these are the types of people you're dealing with, the lockout is quite a bit more of a hassle. I think they switched to OAuth as a result.

People are getting used to the idea of online security, but growing pains are plenty.

Re:99% blame on system administrators. (1)

MindPrison (864299) | about a year ago | (#42824721)

Same thing for my boss... I insist that he uses long advanced passwords, but he's old and hates complex things in life, likes to play music and sing... and yet he runs a 6 digit company. The worst part is that he uses his silly easy passwords on hundreds of sites.

Why should a password be case sensitive? (0)

Anonymous Coward | about a year ago | (#42824871)

A 12-character case-sensitive alphabetic password has 68.4 bits of entropy and a 15-character case-sensitive alphabetic password has 70.5 bits of entropy.
A 13-character case-sensitive alphabetic password has 74.1 bits of entropy and a 16-character case-sensitive alphabetic password has 75.2 bits of entropy.
A 14-character case-sensitive alphabetic password has 79.8 bits of entropy and a 17-character case-sensitive alphabetic password has 79.9 bits of entropy.
A 15-character case-sensitive alphabetic password has 85.5 bits of entropy and a 19-character case-sensitive alphabetic password has 89.3 bits of entropy.

Adding 3 or 4 extra characters is much easier than making the password case sensitive.

> and customers kept complaining, no joke, "why should a password be case sensitive?"

The real joke is forcing the password to be case sensitive.
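Added example, not from any poster: the general form of the arithmetic in the post above. The entropy of a uniformly random string is length × log2(alphabet size), so the same function reproduces the table, tells you how many extra lower-case characters replace case sensitivity, and, applied to words instead of characters, quantifies alvinrod's objection earlier in the thread that a passphrase is only as strong as the dictionary it is actually drawn from. Alphabet and dictionary sizes are this example's own choices.

```python
import math

# Added example, not from any poster: bits = length * log2(alphabet), applied
# to characters (the table above) and to words (passphrases).

ALPHABETS = {            # sizes assumed here; 95 = printable ASCII incl. space
    "lower": 26, "mixed": 52, "mixed+digits": 62, "printable": 95,
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose uniform-random strings reach target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Same formula with words as symbols; only the list actually drawn from counts,
    not the size of the language."""
    return entropy_bits(words, dictionary_size)


def equivalence_table(lengths=(12, 13, 14, 15)):
    """For each mixed-case length: its bits, the lower-case length matching them, and that length's bits."""
    rows = []
    for n in lengths:
        bits = entropy_bits(n, ALPHABETS["mixed"])
        m = length_for_bits(bits, ALPHABETS["lower"])
        rows.append((n, round(bits, 1), m, round(entropy_bits(m, ALPHABETS["lower"]), 1)))
    return rows


if __name__ == "__main__":
    for n, bits, m, bits_lower in equivalence_table():
        print(f"{n} mixed-case chars = {bits} bits; {m} lower-case chars = {bits_lower} bits")
    # Four words from a 2048-word list: 44 bits. From a 100,000-word list: ~66.4 bits.
    # A user who only ever picks from a few hundred everyday words gets far less.
    print(passphrase_bits(4, 2048), round(passphrase_bits(4, 100_000), 1),
          round(passphrase_bits(4, 500), 1))
```

The figures assume uniform random choice. Human-chosen passwords are nowhere near uniform, which is why the 10,000-most-common list in the summary covers so many accounts; the formula bounds the strength of a generated secret, not a remembered one.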

Re:99% blame on system administrators. (2)

SuricouRaven (1897204) | about a year ago | (#42824753)

Two reasons:
Firstly, because the attacker may not need to authenticate against the server, if they have managed to hack in and get the encrypted password or found a way to determine it by MITMing a legitimate authentication.
Secondly, because what you describe is itself abusable for DoS attacks. It allows an attacker to simply log in repeatedly with a bad password to disable an account. Even if the account can be re-enabled after some effort, that's enough to cause serious disruption in some fields. Lock the competitor's salespeople out on the morning of a big conference, or use it to delay members of an opposing MMORPG team while your own people storm their territory.

Taste the rainbow tables... (0)

Anonymous Coward | about a year ago | (#42824525)

8 character passwords have been crap for a long time. Way to join the rest of us in the 21st century, Deloitte. Remind me, why is anyone paying you again?

Passwords must die! (0)

Anonymous Coward | about a year ago | (#42824539)

Passwords must die!

Easy formula (0)

Anonymous Coward | about a year ago | (#42824551)

Childhood friend's first name.
Common household item.
What you ate for lunch.

Anitadildosandwich

DOH!

I love old news. (4, Insightful)

mcmonkey (96054) | about a year ago | (#42824561)

The relationship between password length and password strength is old news.

But don't tell users, tell the programmers and system admins. I regularly encounter systems where max password length is 12 or fewer characters. For some reason there are also systems that don't allow characters other than letters and numbers in passwords.

Let us make longer, more secure passwords. Let us use special characters, unicode, tabs and spaces!

Re:I love old news. (1)

mcmonkey (96054) | about a year ago | (#42824621)

> For years a password that was at least eight characters long and included mixed-case letters, at least one number, and one non-alphanumeric symbol was considered relatively strong.

Yes, and those years were 1999 to 2004.

Re:I love old news. (5, Informative)

SuricouRaven (1897204) | about a year ago | (#42824801)

xapsdogien32
> Error: Must include at least one punctuation character.
xapsdogien32!
> Error: Must not contain a dictionary word.
xapsd_ogien32!
>Error: Maximum length twelve characters.
psd_ogien32!
> Error: Must include an uppercase character.
A1!
> OK

Re:I love old news. (1)

SolitaryMan (538416) | about a year ago | (#42824669)

12? I know a freaking BANK where the character limit for the password is 8. Yep 8 character password to online banking.

Re:I love old news. (0)

Anonymous Coward | about a year ago | (#42824849)

I'm willing to bet I know exactly what bank you're referring to. It's also not case sensitive. Go ahead, try it.

Re:I love old news. (0)

Anonymous Coward | about a year ago | (#42824749)

I ran into that before. I accidentally hit the apostrophe/quote key on the keyboard on my way to hit enter. Well, the page threw up a database error, which included the SQL command it was trying to run. Thank goodness no one's password contained the SQL drop command in proper syntax because the server would have run it.
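Added example, not the poster's bank and not any poster's code: what a stray apostrophe does to a login query assembled by string concatenation, beside a parameterised query that lets the database driver bind the input as data. The in-memory table, the user `alice` and the placeholder hash are constructed for the example.

```python
import sqlite3

# Added example, not the poster's site: concatenated SQL vs. a parameterised
# query. Table contents are constructed.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'placeholder-hash')")
    return conn


def lookup_concat(conn, name, password):
    """Vulnerable pattern: user input spliced into the SQL text. A quote in the
    input changes the statement's structure; here that surfaces as the
    database error the poster saw echoed back."""
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{name}' AND pw_hash = '{password}'"
    try:
        return conn.execute(sql).fetchone()[0]
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def stored_hash(conn, name):
    """Parameterised: the driver binds `name`, quotes and all, as a value.
    The password never reaches SQL; the caller compares it against the
    returned hash in code (with a real KDF in production, not string equality)."""
    row = conn.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "alice", "abc'"))    # error: ... (SQL syntax error)
    print(stored_hash(db, "alice'"))             # None: no such user, no error
    print(stored_hash(db, "alice"))              # placeholder-hash
```

Two things follow from the post: the leaked statement text means the application was also returning raw driver errors to the browser, which is its own fix (log them server-side, show a generic message), and the fact that the password appeared in the SQL at all suggests it was being compared inside the query, i.e. stored in a form the query could compare directly.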

Re:I love old news. (1)

Verunks (1000826) | about a year ago | (#42824895)

Blizzard uses case insensitive passwords. It's fun since their games are probably the most targeted by hackers. I know they have authenticators and they lock the account as soon as they detect a suspicious login, but I still don't see any reason why they don't use case sensitive passwords.

Easy way to make passwords (0)

Anonymous Coward | about a year ago | (#42824565)

An easy way to make a very complex password is this:
sentence
number (6 digits can work, there are a lot of 6 digit numbers)
Done.

If you want to re-use that password, add an extra factor to make each one unique:
encode the service name somehow, such as numbers and a-n gets replaced with 0 (note no caps, overcomplicates), and the rest of the alphabet and punctuation is A.
Or think of a very simple metaphor for the service, or relation to the service. (facebook - thewhorehole, youtube - wherethingsgotodie, etc.)
These will considerably improve the general security of your password.
Better than done.

And always use 2-factor auth if available.

None of this will protect you if databases are stolen, but they will stop brute-forcing and global hacks of your accounts. (unless your hacker also read my post and is smart)

Restricted by password length (0)

Anonymous Coward | about a year ago | (#42824569)

I try and use long (but easy to remember) passwords on all sites. Unfortunately, there are still a large number of sites that put a ridiculous cap on the maximum length of the password (12 characters max is more common than it should be). I'm all for giving up short passwords, but not all issues revolve around the user having poor password security.

Sites that prevent the browser from remembering pa (1)

ZorinLynx (31751) | about a year ago | (#42824573)

I'd be more than happy to use long, more secure passwords if I'd be allowed to let my device memorize them. More and more sites are using the HTML option that denies autofill, keeping devices from memorizing passwords on them.

It should be possible to tell a device to ignore that HTML option if you have a passkey set on the device. Not letting devices remember passwords is less secure than just allowing it because people will use weaker, easier to type in passwords.

Not to mention Google's bad habit of making you reenter your password every so often. Just keep me logged in, damnit. My phone has a passkey.

Re:Sites that prevent the browser from remembering (2)

pmontra (738736) | about a year ago | (#42824713)

Use keepassx [keepassx.org]. Usernames and passwords won't be stored in your browser, and that could be annoying, but you'll always be able to paste them into any login form. Or at least I never experienced any problem. There is also an Android version and you can copy the password db file among devices (dropbox or manual file copy).

Git Rid of Asinine Password Requirements First (5, Insightful)

Secret Agent Man (915574) | about a year ago | (#42824577)

  • Minimum lengths? Sounds good.
  • Require a non-alphanumeric symbol? Sounds good.
  • Must have at least one lowercase letter, capital letter, punctuation, number? Uh...
  • Max length of 12 characters. Wat?

Some password requirements are perfectly acceptable, even encouraged. There exist plenty, however, that just make one scratch one's head. Why would a maximum length any lower than several hundred characters ever be necessary? More egregious limitations include requiring an insanely complex number of symbol/letter/number combinations (easy for AI, hard for humans, as XKCD eloquently points out) and, of course, passwords restricted to numbers only. Sadly financial institutions seem to be fond of this one, possibly under the mentality that a PIN is just as good as a password, and customers won't forget that!

Re:Git Rid of Asinine Password Requirements First (1)

SuricouRaven (1897204) | about a year ago | (#42824839)

There are two reasons I can think of the maximum length limits:
- Badly-written software using too-short fixed space allocations.
- Reducing the number of users who come up with a super-secure long password, but forget it themselves by the next day.

It's really hard to remember (1)

Tsolias (2813011) | about a year ago | (#42824597)

> Humans have trouble remembering passwords with more than seven characters, and it is difficult to enter long, complex passwords into mobile devices

Let's say you type your current 7-char password 2 times, is it harder to remember? I guess it will be even harder to remember to type it 3 times, if 14-chars are no longer safe enough in the future.

Secret Plans (5, Informative)

SJHillman (1966756) | about a year ago | (#42824601)

I think some places encourage short passwords. StudentLoans.com is Citibank's site for, you guessed it, student loans. The MAX password length is eight characters. That only encouraged me to pay off my loan to them faster just so I wouldn't have to deal with security like that.

Of course, nowhere in the signup do they warn you that only the first eight characters of your password will be accepted, nor does the login box limit you to inputting eight characters. I signed up with abcdef12345678 and tried signing in with abcdef12345678 but it gave me password refused. By luck, I tried abcdef12 and it worked. Screw Citi and all of the others still using password schemes from the early 90s

Passphrases (1)

ScottCooperDotNet (929575) | about a year ago | (#42824605)

We should encourage the use of longer passphrases rather than passwords and eliminate or raise limits on their length. It's much easier to remember a sentence than a string of random characters.

Too many banks in the US also have limits on both user names and passwords. :(

part of the problem comes from the developers (0)

Anonymous Coward | about a year ago | (#42824619)

Maybe we should deprecate the term password and ask people to pick a passphrase?
"isaw95giantbunnies@myparty!"

It's easy to remember and relatively easy to type even on a phone.

Though part of the problem comes from the developers of applications and manufacturers of devices. How many times has a web site prevented me from using a complex password? Heck, a few weeks ago, I worked with a Thecus NAS (built on Linux). It took me forever to realize that there was a 12 character limit with no special character allowed!

Use TPM (4, Interesting)

Chemisor (97276) | about a year ago | (#42824675)

Instead, store your password on a TPM chip, from where the hash can not be stolen and where the attempt rate can be regulated. This way even 7 character passwords can be quite secure.

It would be nice... (2)

Junta (36770) | about a year ago | (#42824735)

If 99% of sites didn't put such a restrictively short limit on password length. I can remember and don't mind typing a pretty long sentence, but then the site generally complains because of the spaces or because I exceeded something silly like a 33 character limit. I will also say that some forbid special characters, some require them. If you are going to stick me with no more than about 12 characters and refuse use of symbols like & and $, it's asinine. If you see that I have a 48 character password and complain that not one of them is 'special', you are impairing my ability to use a memorable password of appropriate length...

Duh (0)

Anonymous Coward | about a year ago | (#42824739)

A team of expert consultants from Deloitte discovered in *2013* that Moore's Law kicks the ---- out of Darwin when it comes to the password arms race. And said consultant team's recommendation was:

Well gosh, people, you'll just have to try that much harder to come up with/remember passwords that are hard to crack.

Thanks guys!

no solution (4, Insightful)

Tom (822) | about a year ago | (#42824747)

Password length matters to brute force attacks - and if your application allows a brute force attack to happen, it is broken already, insecure by design.

Enforcing longer passwords will not improve security for real-life cases. Enforcing more cryptic passwords will actually reduce security for real-life cases. Why? Because people will need to type slower, making shoulder-surfing easier. People will start to write passwords down, and they will re-use passwords more often.

You can't solve this issue with simple solutions like "use longer passwords". The only thing that will do is make "password1234" the new standard instead of just "password".

There should be a limit to password retries. 10. (1)

elucido (870205) | about a year ago | (#42824921)

Password length matters to brute force attacks - and if your application allows a brute force attack to happen, it is broken already, insecure by design.

Enforcing longer passwords will not improve security for real-life cases. Enforcing more cryptic passwords will actually reduce security for real-life cases. Why? Because people will need to type slower, making shoulder-surfing easier. People will start to write passwords down, and they will re-use passwords more often.

You can't solve this issue with simple solutions like "use longer passwords". The only thing that will do is make "password1234" the new standard instead of just "password".

You should get 10 chances to enter your password and then your data should self destruct if encrypted.

Re:no solution (2)

GWRedDragon (1340961) | about a year ago | (#42824941)

Isn't it funny how "require more complex passwords!" has risen to the level of knee-jerk groupthink mantra, and typically anyone questioning it is shouted down as ignorant?

Meaningless. (1)

GWRedDragon (1340961) | about a year ago | (#42824807)

Nothing has changed.

When applying a hash+salt to a password to store in a database, you run it a bunch of times to take up an attacker's cpu time. By picking the number of repeated hashes, processing a password->hash attempt can be made to take any amount of cpu power. When designing a system, one attempts to choose a value such that, with current systems, it takes a reasonable amount of time to process a login but also too long for an attacker to brute force.

TFA talks a lot about the 'number of possible combinations', but in reality that is not strictly relevant.

What matters here is only how much more cpu power is available to attackers than to the site owner. This ratio is what determines the number of 'combinations' required to defend against attack by someone who steals the database. So, if attackers start using hardware to run hash algorithms, sites can as well, and the same balance would be maintained.
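
The work-factor argument in the comment above, as an added worked example (not code from the original post): a salted, iterated PBKDF2 hash whose iteration count is stored alongside the hash and can be recalibrated, plus the arithmetic showing that what decides an offline attack on a stolen database is the defender/attacker speed ratio times the keyspace, not the keyspace alone. Iteration counts, the 95-character alphabet and the attacker speed-ups are constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Added illustration of the "iterated salted hash" argument: the iteration
# count is a tunable work factor, and the defender/attacker speed ratio, not the
# raw number of character combinations, decides how long an offline attack on a
# stolen hash database takes. Parameters below are constructed for the example.
HASH_NAME = "sha256"
DEFAULT_ITERATIONS = 200_000   # illustrative work factor, not a recommendation
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt_hex>$<dk_hex>.

    Storing the iteration count with the hash lets a site raise the work factor
    later and re-hash each user's password at their next successful login.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # per-user random salt defeats precomputed tables
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != f"pbkdf2_{HASH_NAME}":
        raise ValueError("unsupported hash scheme: " + scheme)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def calibrate_iterations(target_seconds: float, probe_iterations: int = 20_000) -> int:
    """Pick an iteration count so one verification costs about target_seconds on this host."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(HASH_NAME, b"probe", b"\x00" * SALT_BYTES, probe_iterations)
    per_iteration = (time.perf_counter() - start) / probe_iterations
    return max(10_000, int(target_seconds / per_iteration))


def expected_crack_seconds(charset_size: int, length: int,
                           defender_seconds_per_hash: float,
                           attacker_speedup: float) -> float:
    """Expected offline brute-force time: half the keyspace at the attacker's rate.

    attacker_speedup is the ratio of the attacker's hash throughput to the
    defender's (GPUs, ASICs, many machines). Raising the iteration count raises
    defender_seconds_per_hash, and the attacker's cost rises by the same factor.
    """
    keyspace = charset_size ** length
    attacker_seconds_per_hash = defender_seconds_per_hash / attacker_speedup
    return keyspace / 2 * attacker_seconds_per_hash


if __name__ == "__main__":
    record = hash_password("hunter2")
    print(record)
    print("verify correct:", verify_password("hunter2", record))
    print("verify wrong:  ", verify_password("hunter3", record))
    print("iterations for ~0.1 s on this host:", calibrate_iterations(0.1))
    # 8 printable ASCII characters, verification tuned to 0.1 s, attacker 10,000x faster
    years = expected_crack_seconds(95, 8, 0.1, 10_000) / (365 * 86400)
    print(f"8-char random password, 0.1 s per hash, 10,000x attacker: {years:,.0f} years")
    years = expected_crack_seconds(95, 8, 0.1, 10_000_000) / (365 * 86400)
    print(f"same password, 10,000,000x attacker: {years:,.1f} years")
```

With 95^8 combinations and a 0.1 s per-hash cost on the site's own hardware, an attacker 10,000 times faster needs on the order of a thousand years for a random 8-character password, and one 10,000,000 times faster about a year; doubling the iteration count doubles both figures, which is the balance the comment describes. None of this helps when the password is on a common-password list, since the attacker then tries a few thousand candidates rather than half the keyspace.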

not my problem (3, Informative)

Charliemopps (1157495) | about a year ago | (#42824809)

I've got logins for what... 200 sites? This is a problem for the sites, not me.
Passwords don't work. Think of something new. I can not remember 200 passwords that are 9+ characters, can't contain real words, have special characters and God knows what else.

The solution for the end user? Don't use these sites for anything important. Don't store any personal information. Don't do business with sites that retain your credit card number and give you no option to not store it.

Just use voice recognition already! (2)

sl4shd0rk (755837) | about a year ago | (#42824815)

I speak all my passwords aloud into either my desktop microphone, laptop microphone or mobile microphone. This allows me to use the longest phrases without having any difficulty typing. People get a bit annoyed when I'm using the computers at the library but I explain it's all in the best interest of security.

I already use a 25 character password. (4, Funny)

elucido (870205) | about a year ago | (#42824891)

So this (just use an 8 character password) is for sissies. I also don't write my passwords down and they include special characters, large and small letters, numbers, and are completely random. It's not possible to crack a 25 random character password. I suggest everyone follow me and use 25 characters at least.

Man, that's going to suck for iPhone users (1)

Overzeetop (214511) | about a year ago | (#42824917)

Every damned time you turn around the iPhone is asking you to enter your password for iTunes. And with the on screen keyboard it's torture to actually enter a password with mixed case, numbers and (heaven forbid) symbols.

I, for one, do not look forward to our excessively long password overlords.

Bank of Montreal's password must be exactly 6 char (1)

sanchom (1681398) | about a year ago | (#42824919)

Bank of Montreal's passwords for online banking must be exactly 6 characters long, and contain no special characters.

18 character passwords (0)

Anonymous Coward | about a year ago | (#42824925)

6 unique characters based loosely on the system I'm accessing, and a 12 character global key. System fails on really stupid sites with "maximum length" systems like the uk government webpages.

Why aren't accounts locked? (1)

macbeth66 (204889) | about a year ago | (#42824937)

After three tries, the account is locked and you then have to go through a bunch of Q & A to get it unlocked?

As for those short passwords with the stupid rules. UGH! I can't remember them. Let me use a whole sentence!
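
The online side of the argument made by Tom ("if your application allows a brute force attack to happen, it is broken already"), elucido ("10 chances") and macbeth66 (lock after a few tries), as an added worked example that is not code from any of those posts: a per-account throttle that doubles the wait after every failed login and hard-locks the account after a fixed number of failures, driven by an injected clock so the attacker simulation runs without sleeping. The account name, the guess list, the 1 s base delay and the 10-failure limit are constructed for the example.

```python
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Added illustration of online guess throttling: with per-account back-off and
# lockout, an attacker at the login form gets a handful of tries, not millions,
# regardless of password length. Numbers (10 failures to lock, 1 s base delay)
# are constructed for the example, not taken from any real product.


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0    # clock time before which attempts are rejected


class LoginThrottle:
    """Exponential back-off per account, then a hard lock after max_failures."""

    def __init__(self, base_delay: float = 1.0, max_delay: float = 3600.0,
                 max_failures: int = 10, clock: Callable[[], float] = time.time):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.max_failures = max_failures
        self.clock = clock
        self._state: Dict[str, AccountState] = {}

    def is_locked(self, username: str) -> bool:
        st = self._state.get(username)
        return st is not None and st.failures >= self.max_failures

    def attempt_allowed(self, username: str) -> bool:
        st = self._state.get(username)
        if st is None:
            return True
        if st.failures >= self.max_failures:
            return False             # locked: only unlock() (an out-of-band check) clears it
        return self.clock() >= st.next_allowed

    def record_failure(self, username: str) -> float:
        """Double the wait after every failure; return the delay imposed."""
        st = self._state.setdefault(username, AccountState())
        st.failures += 1
        delay = min(self.max_delay, self.base_delay * 2 ** (st.failures - 1))
        st.next_allowed = self.clock() + delay
        return delay

    def record_success(self, username: str) -> None:
        self._state.pop(username, None)

    def unlock(self, username: str) -> None:
        """The 'answer a bunch of questions' recovery path resets the counter."""
        self._state.pop(username, None)


class FakeClock:
    """Deterministic clock so the simulation (and tests) need no real sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def login(throttle: LoginThrottle, username: str, submitted: str, real: str) -> bool:
    """One login attempt: throttle first, constant-time compare, then bookkeeping."""
    if not throttle.attempt_allowed(username):
        return False
    if hmac.compare_digest(submitted.encode("utf-8"), real.encode("utf-8")):
        throttle.record_success(username)
        return True
    throttle.record_failure(username)
    return False


def simulate_online_guessing(guesses: List[str], real: str, max_failures: int = 10,
                             seconds_between_guesses: float = 1.0) -> Tuple[int, bool, bool]:
    """Feed a guess list at the login function one guess per interval.

    Returns (guesses actually checked, password found, account locked).
    """
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=max_failures, clock=clock)
    checked = 0
    found = False
    for guess in guesses:
        if throttle.attempt_allowed("alice"):
            checked += 1
            if login(throttle, "alice", guess, real):
                found = True
                break
        clock.advance(seconds_between_guesses)   # attacker retries whether or not it was rejected
    return checked, found, throttle.is_locked("alice")


if __name__ == "__main__":
    # Constructed guess list standing in for an attacker's "top 1000" candidates.
    wordlist = ["password", "123456", "qwerty", "letmein"] + [f"password{i}" for i in range(996)]
    checked, found, locked = simulate_online_guessing(wordlist, real="password42")
    print(f"submitted={len(wordlist)} checked={checked} found={found} locked={locked}")
```

Of 1000 submitted guesses only those arriving after the back-off has expired are evaluated (at t = 0, 1, 3, 7, 15, ... seconds), so the attacker gets exactly ten checks before the account locks and the correct value sitting at position 47 in the list is never tried. The remaining concern is the locked-out legitimate user, which is why the recovery path exists and why this throttle is per account rather than global.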

I'll use strictly cash... (1)

Jane Q. Public (1010737) | about a year ago | (#42824943)

... before I'll submit to an iris scan at a bank. Several local banks have tried using thumbprints on checks, and it is NOT well-accepted by their customers and others.