
Password Strength Testers Work For Important Accounts

timothy posted about a year ago | from the my-credit-union's-just-fine-with-8-chars-all-alpha dept.

Security 129

msm1267 writes "Many popular online services have started to deploy password strength meters, visual gauges that are often color-coded and indicate whether the password you've chosen is weak or strong based on the website's policy. The effectiveness of these meters in influencing users to choose stronger passwords had not been measured until recently. A paper released this week by researchers at the University of California Berkeley, University of British Columbia, and Microsoft provides details on the results of a couple of experiments examining how these meters influence computer users when they're creating passwords for sensitive accounts and for unimportant accounts."


129 comments


What's really needed... (3, Insightful)

msauve (701917) | about a year ago | (#43759161)

is not more reliance on passwords, but an infrastructure which replaces all of that.

I don't pretend to be a security expert, but why not ask for a public key instead, so I can authenticate with my private one, as with SSH? Or provide a pointer to some authentication server, so I can have a safely "shared" yet easily changed password for multiple sites? (and I am NOT talking about Facebook)

Re:What's really needed... (5, Funny)

msauve (701917) | about a year ago | (#43759277)

Oh, yeah. Obligatory Dilbert [dilbert.com] (better than XKCD in this case).

Re:What's really needed... (4, Insightful)

Exitar (809068) | about a year ago | (#43759347)

Re: What's really needed... (4, Insightful)

Anonymous Coward | about a year ago | (#43759521)

All well and good if the sites would stop implementing arbitrary password length limits.

Re:What's really needed... (5, Funny)

fostware (551290) | about a year ago | (#43759573)

But all my passwords are "correcthorsestaplebattery"!

Re:What's really needed... (1)

Anonymous Coward | about a year ago | (#43759759)

That's why I just use "swordfish"!

Re:What's really needed... (1, Flamebait)

VortexCortex (1117377) | about a year ago | (#43759613)

If you actually do any PW cracking, you'd know that comic is wrong. Dictionary attacks with not just words, but with phrases and 1337 replacements, and exclamations, and numbers after or before or in between words, runs of N repeating characters to 'pad out' a password, etc, all get tried before brute force. One of the results of having leaked password databases published online is that the crackers could see all the tricks people use to construct their "memorable" passwords. Unsurprisingly, appending 123xcv or other quick keyboard combinations are rather common, and thus added to the cracking database. Any trick you can think of someone else uses too, and is likely a known trick. Type a word with the left hand, but shifted over and up? Yep, it's in the cracking dictionary too, that one's easy to encode, so it saves space... Maybe memorize a passage from a book (not a popular passage) and use some letters from each word, etc.

Clever is Dead. Generate your passwords randomly or use a salted hash of the domain name and a master password. I use an HMAC bookmarklet employing this technique, and I can re-create all of my passwords using any computer, phone, or web browser. If I can't get to my bookmark, or an implementation of a hashing algorithm, then I'm not in a position to need the passwords.

Re:What's really needed... (5, Insightful)

Carnildo (712617) | about a year ago | (#43759843)

If you actually do any PW cracking, you'd know that comic is wrong. Dictionary attacks with not just words, but with phrases and 1337 replacements, and exclamations, and numbers after or before or in between words, runs of N repeating characters to 'pad out' a password, etc, all get tried before brute force.

If you understood combinatorics, you'd know that the comic is right. The first row is a password made from known tricks, and is probably in a dictionary (the 28-bit strength represents the size of the smallest dictionary likely to contain it, or how far you need to go through the dictionary before running into it). The second row represents a password generated randomly from what is effectively a 2048-letter alphabet.

Re:What's really needed... (3, Informative)

Anonymous Coward | about a year ago | (#43759849)

And by "working with phrases" you mean "working with known phrases", or rather "correct horse battery staple is already in the dictionary". If you do any PW cracking and "know that comic is wrong", you're probably just a script kiddie.

A random word from 65000 words dictionary gives 16 bit of entropy, adding variations on capitalization and 1337 makes each word worth a little over 18 bits. 4 word phrase is equal for a bruteforcer to a 10 full ASCII characters password, while being a lot more memorable. Yes, you'll pick those words from dictionary, which probably confused you, but it's the same as picking characters from alphabet for bruteforcing.

Re:What's really needed... (-1)

Anonymous Coward | about a year ago | (#43760553)

If the machine only allows 3 failed tries per hour, then completely lock up account for a day and a password reset after 9 attempts, whether or not you have 10 bits or 24 bits entropy is moot.

Re:What's really needed... (1)

Bert64 (520050) | about a year ago | (#43760765)

And if you lock the account automatically then someone malicious can simply run a script to intentionally try incorrect passwords repeatedly, thus causing a denial of service against the legitimate owner of the account.

Re:What's really needed... (1)

LordLimecat (1103839) | about a year ago | (#43760657)

The estimate for the size of common dictionaries is ~30,000 words. 30,000 ^ 3 is 1/10th as many combinations as an 8 character alpha-numeric completely random word. Do one of those substitutions you sneered at in just ONE of your words, and that number absolutely skyrockets.

Guess which password is easier to remember when I'm required to change it periodically? Guess which is more secure, in reality?
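The two entropy estimates above (the AC's 65,000-word dictionary at about 16 bits per word, and LordLimecat's 30,000^3 versus 8 random alphanumerics) are easy to check numerically. The following calculator is an added example, not code from either poster; the dictionary sizes, the 95-symbol printable-ASCII alphabet and the guess rate are constructed inputs, and the "variants per word" factor is a simplifying assumption for capitalisation/1337 substitutions.

```python
import math

# Constructed inputs taken from the two posts above.
ASCII_PRINTABLE = 95      # printable ASCII symbols, space included
ALNUM = 62                # [A-Za-z0-9], LordLimecat's "alpha-numeric"
LOG2_ASCII = math.log2(ASCII_PRINTABLE)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def passphrase_bits(dict_size: int, words: int, variants_per_word: int = 1) -> float:
    """Entropy of `words` random dictionary words.

    Each word is one symbol from an alphabet of `dict_size * variants_per_word`,
    where the variants model capitalisation/1337 changes (assumed uniform).
    """
    return entropy_bits(dict_size * variants_per_word, words)


def ascii_equivalent_length(bits: float) -> float:
    """How many uniformly random printable-ASCII characters carry `bits`."""
    return bits / LOG2_ASCII


def combination_ratio(bits_a: float, bits_b: float) -> float:
    """Keyspace of A divided by keyspace of B, from their entropies."""
    return 2 ** (bits_a - bits_b)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit a uniformly chosen secret: half the keyspace."""
    return (2 ** (bits - 1)) / guesses_per_second


if __name__ == "__main__":
    # "A random word from a 65000 word dictionary gives 16 bits of entropy"
    print(f"one word of 65000:        {passphrase_bits(65_000, 1):.2f} bits")
    # "capitalization and 1337 makes each word worth a little over 18 bits"
    print(f"one word, 5 variants:     {passphrase_bits(65_000, 1, 5):.2f} bits")
    four = passphrase_bits(65_000, 4, 5)
    print(f"four such words:          {four:.1f} bits ~ "
          f"{ascii_equivalent_length(four):.1f} ASCII chars")
    # "30,000 ^ 3 is 1/10th as many combinations as an 8 character alpha-numeric"
    r = combination_ratio(passphrase_bits(30_000, 3), entropy_bits(ALNUM, 8))
    print(f"30000^3 / 62^8:           {r:.3f}")
    # "3 failed tries per hour" (the rate-limiting reply) against a 28-bit password
    print(f"28 bits at 3 guesses/hour: "
          f"{expected_crack_seconds(28, 3 / 3600) / 86400 / 365:.0f} years")
```

Run as a script it prints the figures the posts quote from memory; the last line illustrates the rate-limiting comment further down the thread, namely that with online guessing throttled to a few attempts per hour even a modest entropy takes centuries to exhaust.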

Re:What's really needed... (0)

Anonymous Coward | about a year ago | (#43759743)

Beat me to it!

Re:What's really needed... (3, Informative)

kwerle (39371) | about a year ago | (#43759289)

This is the basic goal of http://openid.net/ [openid.net]
Using facebook's auth mechanism is mostly just a flavor of this.

Though see also http://supergenpass.com/ [supergenpass.com]

I don't know any of my passwords. I just know my supergenpass phrase.

Re:What's really needed... (2)

icebike (68054) | about a year ago | (#43759291)

PayPal CIO wants to ditch all passwords [cio.com].

He is suggesting as an alternative something from the FIDO Alliance [fidoalliance.org].

It could be something as simple as the Google Authenticator that generates numbers that last for mere moments.

Re:What's really needed... (4, Interesting)

dgatwood (11270) | about a year ago | (#43759571)

The FIDO stuff sounds like a whole lot of expensive extra technology with no real benefit over a password. A finger swipe is a replayable event just as much as a password or PIN.

The Google Authenticator is conceptually okay in theory, but in practice, AFAIK, it too becomes a gaping security hole as soon as your mobile device gets compromised.

If you want something stronger than passwords, it must have the following criteria:

  1. Immune to replay attacks. Done correctly, this means that each authentication request must have a unique ID that must be signed or otherwise combined with some shared secret in a secure way.
  2. Immune to man-in-the-middle attacks. Each request for authentication must be signed by the requestor so that the user can be certain that he/she is not agreeing to do something other than what is intended. Each response from the user must include at least a hash of the original request.
  3. Immune to device compromise. The most common way that computer security is breached is through password sniffers or other compromise of the user's computer or mobile device. If you cannot trust the device that is performing the authentication, you cannot trust the action being performed, and all security goes out the window, including existing measures for preventing MITM and replay attacks, such as SSL/TLS.

None of these schemes I've seen so far address #3, and as a result, none of them are significantly more secure than typing letters at random and pasting the resulting password into a text file on your Desktop. They try to address problems that don't actually exist, while failing to address the root of the problem, which is that computers, mobile devices, etc. are not inherently secure.

For example, Google Authenticator uses a time-based token. This tries to avoid replay attacks by limiting the period during which an attack is possible. That doesn't work very well, though, unless you can delay an attacker's ability to sniff that token. This means that you have to prevent a MITM attack. As soon as the device is compromised, SSL and TLS are no longer capable of preventing a MITM attack, so the entire scheme falls apart.

Anything short of a non-networked device communicating with your computer over a very simple protocol (think "formal verification" here) is not a major win, IMO. And it can't be something silly like touching a smart card to an RFID reader, either, because the reader could perform more than one transaction, and you would have no way of knowing that you just bought some farmer in Iowa a new tractor alongside that DVD from Amazon. No, you really need a physical screen and a button on the device saying, "Do you agree to transfer $258,000 to Bank of Nigeria?" in order to significantly improve things. Anything short of that is just wasting a lot of time and expense without addressing the real problem—that if you can't trust the endpoint, you can't trust the message. Start by developing a truly trusted endpoint. After that, the entire problem becomes fairly trivial.
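Criteria 1 and 2 in the post above (a unique, single-use request ID combined with a shared secret, and a response that commits to a hash of the exact request the user saw) can be shown in a few dozen lines. The exchange below is an added example, not the poster's code or any FIDO profile; it assumes a shared HMAC secret provisioned to both sides, a constructed `SHARED_SECRET`, and a `user_accepts` callback standing in for the "screen and a button" the post asks for. It does not address criterion 3: if the device running `Device` is compromised, the callback can be answered by the attacker, which is exactly the poster's point.

```python
import hashlib
import hmac
import json
import secrets
from typing import Callable, Dict, Optional

# Constructed for this example only; a real system provisions per-user keys.
SHARED_SECRET = b"example-shared-secret-not-for-real-use"


def canonical(obj) -> bytes:
    """Stable byte encoding so both sides hash exactly the same request."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def request_digest(request: Dict) -> bytes:
    return hashlib.sha256(canonical(request)).digest()


def tag_for(secret: bytes, digest: bytes) -> str:
    return hmac.new(secret, digest, hashlib.sha256).hexdigest()


class Server:
    """Issues one nonce per requested action and accepts each nonce once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending: Dict[str, bytes] = {}   # nonce -> canonical request
        self.used = set()                     # consumed nonces (replay guard)

    def issue_challenge(self, action: Dict) -> Dict:
        nonce = secrets.token_hex(16)         # criterion 1: unique request ID
        request = {"nonce": nonce, "action": action}
        self.pending[nonce] = canonical(request)
        return request

    def verify(self, response: Dict) -> bool:
        nonce = response.get("nonce")
        pending = self.pending.get(nonce)
        if pending is None or nonce in self.used:
            return False                      # unknown or replayed nonce
        # Criterion 2: the digest is recomputed from the server's own copy,
        # so a request altered on its way to the user no longer matches.
        digest = hashlib.sha256(pending).digest()
        if not hmac.compare_digest(digest.hex(), response.get("digest", "")):
            return False
        if not hmac.compare_digest(tag_for(self.secret, digest), response.get("tag", "")):
            return False
        self.used.add(nonce)
        del self.pending[nonce]
        return True


class Device:
    """The user's authenticator: shows the action, then signs what it showed."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def approve(self, request: Dict, user_accepts: Callable[[Dict], bool]) -> Optional[Dict]:
        if not user_accepts(request["action"]):
            return None
        digest = request_digest(request)      # commits to the displayed request
        return {"nonce": request["nonce"], "digest": digest.hex(),
                "tag": tag_for(self.secret, digest)}


if __name__ == "__main__":
    server, device = Server(SHARED_SECRET), Device(SHARED_SECRET)
    req = server.issue_challenge({"transfer": 100, "to": "acct-1"})
    resp = device.approve(req, lambda a: True)
    print("genuine:", server.verify(resp))     # True
    print("replay: ", server.verify(resp))     # False, nonce already used
```

The replay and tamper checks are the whole point: a captured response is worthless a second time, and a request rewritten in transit produces a digest the server will not recognise even though the user approved it in good faith.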

Re:What's really needed... (2)

icebike (68054) | about a year ago | (#43759811)

I think that Google Authenticator tries to prevent mitm attacks by having any given token usable exactly once in addition to having a very short lifespan.

So any putative man in the middle must get to Google before you do and immediately proxy everything you want to do from that point on to prevent you from discovering the attack.

If you lose your phone you can still log in with your emergency passwords and lock

I think you underestimate authenticator.

There are similar schemes that use a single purpose hardware fob that simply displays 6 or 8 digits with no network connectivity (just a very accurate clock).

Re:What's really needed... (1)

kermidge (2221646) | about a year ago | (#43760051)

True enough, but any scheme that makes me buy and own another thing is failure prone - it could break, get lost or stolen. Too many flawed assumptions about the real world are complicating the pursuit of useful solutions.

Re: What's really needed... (1)

AvitarX (172628) | about a year ago | (#43760095)

I don't think it needs to be particularly accurate even.

If I'm not mistaken, the token changes every 30 seconds, and the server allows for a shift of one token in either direction (90 second window).

If you slide to one of the non-centered tokens, the server makes note, and recenters you. Considering my crappiest clock (my car) gains about 5 minutes a year, any regular use password (monthly or so) would be fine with even a sloppy clock.

Re:What's really needed... (4, Informative)

dgatwood (11270) | about a year ago | (#43760179)

I think that Google Authenticator tries to prevent mitm attacks by having any given token usable exactly once in addition to having a very short lifespan.

Here's why that doesn't work. The attack is very, very, very simple, and once you see it explained, you'll never trust those sorts of services again. A basic attack looks like this:

  1. Attacker compromises the device and waits for user to log into Google.
  2. Attacker captures the response to the authentication request and forwards it to their own server.
  3. Attacker's server connects to Google's system and obtains credentials.
  4. Attacker displays a network error message to the user. The user logs in again to the real Google server, unaware that the first attempt was successful, just for somebody else.

Elapsed time: tens of milliseconds after the user logs in. A slightly more sophisticated attack looks like this:

  1. Attacker compromises the device and waits for user to log into Google.
  2. Attacker captures the response to the authentication request and forwards it to their own server.
  3. Attacker's server connects to Google's system and obtains credentials.
  4. Attacker masquerades as a forwarder for Google's server so that the user is completely oblivious.

Elapsed time: tens of milliseconds after the user logs in. And if the service you're logging into works the way most services do, an even simpler attack looks like this:

  1. Attacker compromises the device and waits for user to log into Google.
  2. Attacker steals the cookies that Google stores on the user's system and uses them on another machine.

Elapsed time: zero milliseconds after the user logs in. But the best one of all is this:

  1. Attacker compromises the device and steals the private key used to generate the authentication token.
  2. Attacker logs in at will. From anywhere. At any time. Forever and ever.

Elapsed time: zero milliseconds after the device is first compromised or GA is first installed.

All four techniques are 100% transparent and are 100% effective attacks against software-generated time-based authentication schemes. The first two are 100% effective against hardware tokens used for time-based authentication, too. In fact, even if Google upped the ante and made the authenticator be interactive, where the Google servers sent a unique nonce that had to be encoded along with the time stamp, this scheme would still not be significantly stronger. The only change required to the first two schemes would be adding one additional step—telling the attacker's server to issue a request to Google and pass that request nonce to the compromised client. And the third and fourth schemes would continue working as-is. This is why time-based authentication is basically worthless unless the endpoint is trusted (and at this point, I'm growing more and more convinced that users should assume that their endpoints are not trusted).

The reality of the matter is that time-based authentication schemes are an anachronism. When they were first conceived by RSA in the mid-1980s, they were not intended for general users. They were intended to protect against precisely one threat—an attacker with a very specific target watching a user type in his or her password from a distance. They work well for that purpose. They can be compromised once by any attacker who gains control over the system where the authentication token is being entered, even if hardware tokens are involved, and they are permanently compromised by any attacker who gains control over the system where the secret key is stored. The reason there haven't been very many new implementations of time-based authentication since the 1990s is that such schemes just aren't particularly useful against modern attacks. They give the illusion of security without actually adding any. Well, unless you're worried about your roommate seeing you enter your password.

Put another way, creating a secure authentication scheme where the endpoint is compromised is fundamentally impossible for precisely the same reason that perfect DRM is fundamentally impossible. Alice is also Eve and Mallory. Food for thought.

Re:What's really needed... (2)

icebike (68054) | about a year ago | (#43760353)

Here's why that doesn't work. The attack is very, very, very simple, and once you see it explained, you'll never trust those sorts of services again. A basic attack looks like this:

Attacker compromises the device and waits for user to log into Google.
Attacker captures the response to the authentication request and forwards it to their own server.
Attacker's server connects to Google's system and obtains credentials.
Attacker displays a network error message to the user. The user logs in again to the real Google server, unaware that the first attempt was successful, just for

Here is how I know you haven't a clue what you are talking about, and why I hope you will just go away and stop pontificating:

Attacker compromises the device...
    Really? Really? Just like that, compromises my cell phone, which is never out of my possession?
    How is it you hand wave all that process away?
And waits for the user to log into google
    Again, Really? Do you even have a clue how Google authenticator works?
    You don't log into google with the authenticator. You log in with some other computer over a ssl connection.
      Then google asks you for a code from the authenticator app. Guess what: The app doesn't even talk to google
        except at install time. You can put your phone in airplane mode and still get a code from the authenticator.
        So even a compromised phone (something you seem to think is trivial, but never bother to explain) won't do you
        any good because it does not contact google.

        You then key this number into the computer talking to google over a ssl connection. It compares it to the
          number your authenticator would have rendered for that particular 30 second window. If its good you get in
          but again you are in a ssl pipe.

        So you capture nothing. NOTHING.

Attacker captures the response to the authentication request and forwards it to their own server
    No it doesn't, because you captured nothing. It was in an SSL pipe from some computer you don't even know about.
    Further the code has been USED, and it's no good any more. It's a one time code.
    Further Google would see you trying to create your own connection and would immediately require you to get a code off of your authenticator...
        but wait, you don't have an authenticator synced with that account, and the old number is no good..

You would have to already have an ssl compromised machine in place and lure a google user into signing on via that specific machine.
But wait, that wouldn't work either [blogspot.com] because
google already detects this. Even Schneier [schneier.com] does believe this would work even with National authorities forcing bogus certificates.

Even if you had a pre-compromised computer and an elaborate SSL spoofing setup in place ahead of time, on a computer that you knew I would have to log in from, you can only compromise that single session, and when you attempted to change anything so that you could log in again in the future, I would be locked out of the account, and would therefore know the account had been compromised.

So just stop hand waving into existence imaginary compromised devices, and thereby supposing into existence the hardest part of the whole operation.
If this was so easy, it would have already been done. Yet every attempt to bypass Two Factor has been done via apps that would not support Two Factor, and which required an application specific password, which in the end, is just another password.

Re:What's really needed... (2)

jonbryce (703250) | about a year ago | (#43761077)

There is a case in Europe of people getting into bank accounts by compromising their cellphone. They sent a phishing message purportedly from their bank telling them they needed to install some security software on their phone, with instructions on how to do it for iPhone, Android and Blackberry.

Then, having got the login details for the bank account, they log in, do a transfer instruction, and when the bank sends a code to the phone to authenticate it, the malware on the phone intercepts the message, and sends it to them, so they can complete the transaction.

Re: What's really needed... (1)

thepacketmaster (574632) | about a year ago | (#43759511)

Password safes would be a better solution. A central authentication service is useful, but it also has a big target on it for all the hackers out there. One big score and the hackers could have access to millions of accounts on thousands of sites. If it's worth their while, hackers will keep at it until they get the prize. To keep you safe a better choice is a password safe. You have random passwords for every site and store them in the safe. Then you put a strong password on the safe that you won't forget. Your accounts are as secure, if not more so, than using a centralized sign-on, and the hackers can't access millions of user accounts all in one place.

Re: What's really needed... (3, Informative)

El_Oscuro (1022477) | about a year ago | (#43759739)

Isn't that what keepassx is?

Re:What's really needed... (1)

s1d3track3D (1504503) | about a year ago | (#43759565)

Yes! Please (Hey, mod parent up)

Re:What's really needed... (1)

mlts (1038732) | about a year ago | (#43759817)

There are always client certificates, but that means every web browser you use has to have a copy of your private key handy.

Another authentication system mentioned would be one that would have some random text, and would ask the user to select it, sign it with their private key, and paste the clearsigned text. Very simple and fairly platform independent, although PGP/gpg support can vary greatly depending on platform.

Re:What's really needed... (2, Insightful)

Anonymous Coward | about a year ago | (#43760029)

What needs to be done, as a minimum, is something like Password Hasher (the firefox plugin) needs to be built into each browser. Each website has its own tag and when I type in my password the password that actually gets sent to the website by my browser is different from the password that I typed and it's different from site to site even if I choose to use the same or a similar password. That way if my password does get logged or compromised by one website they can't as easily discover the underlying password and use it to access information from other accounts I may have if I use the same password. The whole process should be built into each browser and oblivious to the user, I can go on another computer and type my password for the same site and it will go through the same hash process and send the same password.

Of course this isn't foolproof, someone could potentially back-crack the original password based on the sent password or try to create databases of cracked original passwords for each website (ie: for each hashtag) but at least this is an additional simple obstacle that will make it more difficult for those who get a hold of compromised passwords sent by the browser to benefit from them through using them for other websites. My browser should, ideally, never send the password that I type to the server exactly as I type it, it should be sent hashed.

Re:What's really needed... (1)

Anonymous Coward | about a year ago | (#43760065)

(a continuation) and if you really want additional security you can have a browser that has password hasher built in use two hashtags. Say I visit bank of America. I create an account and upon creating the account the server associates a personal, individual, unique hash tag to my account. Each account gets a unique hash tag. When I type in my username and password to log in the browser takes the generic hashtag of bank of America (that everyone visiting bank of America shares) and my personal hashtag is also sent to my browser. The browser uses both hashtags to generate the password to send the server and it sends that password to the server. This way even if the hashsum and my hashtag is compromised my password would have to be individually brute forced. I go onto another computer with a different browser and that browser also receives my personal hashtag upon me typing in my username and password and it uses both the website (bank of America) generic hashtag along with my personal hashtag to generate the password to send to the server. The whole process is absolutely oblivious to the user and no additional work by the user is needed. Each user password needs to be individually cracked if hashsums and hashtags are compromised. No rainbow attacks possible. This is what needs to be done. It's simple and orders of magnitude more secure than anything we have now.

I declare this and the above idea obvious and non-patent worthy.
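The scheme in the two posts above (and VortexCortex's "salted hash of the domain name and a master password" earlier in the thread) is a deterministic per-site derivation: the browser sends H(master, site tag[, per-account tag]) instead of the typed password. The block below is an added example, not the Password Hasher plugin or SuperGenPass; it assumes PBKDF2-HMAC-SHA256 as the hash (the posts name none), a constructed 62-character output alphabet, and rejection sampling to keep the output uniform. As dgatwood's reply notes, this only blunts reuse after a server-side leak; a keylogger on the client still sees the master password.

```python
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols, constructed choice
ITERATIONS = 100_000                              # PBKDF2 work factor (assumption)
_REJECT_ABOVE = 256 - (256 % len(ALPHABET))       # 248: drop bytes that would bias


def derive_site_password(master: str, site_tag: str,
                         account_tag: str = "", length: int = 16) -> str:
    """Derive the password the browser would send to one site.

    `site_tag` is the generic tag everyone on that site shares (the domain);
    `account_tag` is the optional per-account tag from the continuation post.
    Both go into the salt, so the same master yields unrelated outputs per site
    and per account.
    """
    salt = site_tag.encode() + b"\x00" + account_tag.encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              ITERATIONS, dklen=8 * length)
    # Map bytes to the alphabet without modulo bias (bytes >= 248 are skipped).
    chars = [ALPHABET[b % len(ALPHABET)] for b in raw if b < _REJECT_ABOVE]
    return "".join(chars[:length])


def leak_is_contained(master: str, leaked_site: str, other_site: str) -> bool:
    """What the first post wants: knowing the password sent to one site must
    not hand an attacker the password sent to another."""
    return derive_site_password(master, leaked_site) != derive_site_password(master, other_site)


if __name__ == "__main__":
    # Constructed demo inputs; never reuse a real master password here.
    master = "correct horse battery staple"
    for site in ("example.com", "bank.example", "forum.example"):
        print(f"{site:15s} {derive_site_password(master, site)}")
    print("with account tag:",
          derive_site_password(master, "bank.example", account_tag="acct-8f2c"))
```

The site still has to hash what it receives (the derived string is a password to the site, not a verifier), and the per-account tag only helps if the site hands it out after the username is known, which is the trade-off the continuation post describes.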

Re:What's really needed... (0)

Anonymous Coward | about a year ago | (#43760117)

One advantage of this to previous schemes is it allows anyone with a basic webserver to implement it without having to maintain the additional equipment to take incoming passwords and salt them before hashing and verifying them with the stored hash. The responsibility now lies on each and every browser which means less work for all servers and server admins to maintain. Also, if the password got intercepted it's not the original live password that gets intercepted it's a hash. There is no good reason for browsers to send live passwords.

Re:What's really needed... (2)

dgatwood (11270) | about a year ago | (#43760223)

What needs to be done, as a minimum, is something like Password Hasher (the firefox plugin) needs to be built into each browser.

That protects against what is probably the least interesting situation—when the user's password to one site is silently compromised by attacking that site, and the user used that same password on another site. First, it assumes that the user's password is weak enough to be readily cracked by someone hammering on the password database (which if it is salted properly, is unlikely). Second, it ignores the reality that most passwords are not compromised by server-side security holes; they're compromised by client-side security holes—keyloggers, etc.

To use a car analogy, this is like putting an un-pickable lock on a car to protect your expensive radio, but leaving the factory glass windows untouched.

Re:What's really needed... (2)

hairyfeet (841228) | about a year ago | (#43760499)

I don't see why two factor authentication isn't standard across the web, what with flash chips being so cheap. I mean if I can get a 16GB USB drive that is so thin and small it fits in the card holder of my wallet, why can't we have something similar that works with any website? And public/private keys are frankly more complex than most users could handle, at least from the ones I've looked at.

As for TFA you just hit the nail on the head when you mentioned FB because what I'm seeing is more and more people that let FB handle it and if there isn't a FB option they pass. Should we consider this good or bad? On the one hand FB knows too damned much about people as it is but on the other hand at least they aren't reusing passwords constantly.

Minor difference at best (5, Insightful)

icebike (68054) | about a year ago | (#43759177)

The long and the short of it: Not Much!

Users, despite a barrage of news about stolen credentials, identity theft and data breaches, will re-use passwords over and over, especially at account creation, regardless of the presence of a meter. If the context changes, however, and users are asked to change existing passwords on sensitive accounts, the presence of a meter does make some difference.

They claim it was for "important accounts" but how important would the account be that was being used in a study?

Lots of people re-use passwords on "nothing accounts" simply to prevent having to remember a gazillion passwords.
That doesn't mean they reuse all passwords.

It's probably more important to not log in using the same user name on many different sites than it is to have passwords consisting of crazy strings of random characters that you can't even type consistently let alone remember. If someone guesses your re-used password on one site they have a much better chance of guessing your other logins.

Re:Minor difference at best (2)

khasim (1285) | about a year ago | (#43759331)

All excellent points. And there are still more.

#1. Unless your password is "password" or some variant AND the site does not limit password attempts then "password strength" isn't that important.

#2. You are more likely to have your passwords compromised by using a cracked computer or by falling for a phishing link.

#3. If not #2 then when one of the sites you use is cracked and their username/password file (unhashed, unsalted) is stolen.

Also, why can't a site tell you what the requirements are PRIOR to you having to come up with a username/password/secondary-password/pet-name/school-name/maiden-name-mother?

Re:Minor difference at best (0)

Anonymous Coward | about a year ago | (#43759435)

No, the sad reality is you are more likely to have your password published by accident by some droid at your credit card company in India.

Re:Minor difference at best (1)

Cenan (1892902) | about a year ago | (#43760729)

Or not by accident. They can quadruple their year's worth by just "leaking" a password database to the right people. Choosing the lowest bidder is not always a good idea, it lowers the corruption bar significantly.

Re:Minor difference at best (4, Interesting)

jrumney (197329) | about a year ago | (#43760021)

90% of accounts I have created were so I could read some support documentation, or download an updated driver from a vendor etc. The only reason for putting password protection on such things is so the vendor can spam me in future. I really don't care if such accounts are compromised, in fact, I actively use obvious username and password combinations along with fake, or if they require confirmation before activating the account, throwaway email addresses. Another 9% are sites like slashdot, where the account gives some convenience, but nothing of value is stored there (a bit of reputation is at stake if someone hacks the account and uses it to troll, but the damage is minimal and easy to explain away). For the other 1%, I'll care enough to create unique passwords that are difficult to crack.

No kidding (4, Insightful)

Sycraft-fu (314770) | about a year ago | (#43760447)

I'd say I'm a pretty security aware individual, what with working in IT and all that. I do defense in depth on computer and physical security, I'm proactive about things, etc. Seems to have worked, I've never had a system owned.

So I never reuse passwords, right?

Wrong, I do all the time. Almost every forum online I have the same password for, and it is a weak one. Why? Because I don't care. Oh no, someone might hack my forum account and... I dunno, post something as me! Whatever would I do? I'm not going to bother to generate a great, unique password for every site.

However my bank account? Random password (I don't seem to have trouble remembering them), long, and it requires two factor authentication. That protects my finances, and those matter. So security on that is pretty high.

The idea that everyone is going to have a high security password for every site and not reuse it is silly. There are plenty of things where if your account got compromised, you just don't care so much.

Also it can make sense to group systems. All my systems at home use a single password. There is no reason for them not to. They are all in the same security context, basically. It is no different than at work where my single account gets me access to any domain system.

THIS THIS THIS (2)

brunes69 (86786) | about a year ago | (#43760981)

This is what I have been saying for a dog's age. Security "professionals" have this all wrong because they neglect a very simple concept - NOT ALL ONLINE DATA IS EQUALLY IMPORTANT.

Frankly, I don't care if someone hacks my slashdot account. I don't care if someone hacks the account to the deals forum I visit. The worst that will happen is it will be a minor inconvenience to get the password reset, and they might post some troll information about me.

The only accounts that I have that I care about security are my banking accounts, my Facebook account, and my email account. That is pretty much it. I don't even care about Twitter really.

By forcing all random accounts to have strong passwords, you make the password management problem a lot more difficult than it should be for the average user.

Furthermore, all of these random one-off sites should be using OpenID / Google Login / Twitter / Yahoo / Facebook Login / SOMETHING, some form of identity federation... preferably supporting multiple of these. There is no reason that a mom & pop shop website should be managing identity credentials in this day and age, it is not required. Everyone on the planet has an account with SOME ONE of these providers, or an OpenId provider.

Password reuse (1)

manu0601 (2221348) | about a year ago | (#43759205)

Who can they know that password is not reused from another service such as gmail, facebook, or whatever?

Re:Password reuse (1)

icebike (68054) | about a year ago | (#43759309)

Who can the know, or How can they know?

If I learn that your password is kjwrxe72 when you log into Slashdot, guess what password I will try first when I find out your email address.....

Re:Password reuse (1)

manu0601 (2221348) | about a year ago | (#43759355)

But that method is an offense, and therefore it is not workable for a law abiding site or corporation.

Re:Password reuse (1)

Cenan (1892902) | about a year ago | (#43760755)

They can't know. And they shouldn't bother pondering that; what "they" need to focus on are sane password policies and proper salting. One of the conclusions of the article is that if password holders (sites you log in to) spent more time trying to secure their shit, there would be less work for end users. The only reason password strength can become a problem is if "they" get compromised and the user password database gets stolen. Fix that problem, and everyone can start logging in with "123" again.

poor rules (1)

Dr Max (1696200) | about a year ago | (#43759245)

The rules that define them need improving. It's all you must have at least 1 number, symbol and capital; but when you have a 20 something character, couple of obscure words joined together password (much easier for humans to remember bluesunsuperpartytime than 1s0stat1C) it isn't going to matter much if you put in a % sign at the end.

Indeed. Most strength checkers are quite wrong (2)

Anonymous Coward | about a year ago | (#43759629)

You're absolutely right. For fifteen years, my job was preventing brute force attacks and the use of compromised credentials. (I wrote the Strongbox system.) The well known xkcd comic illustrates why the popular rules for "good passwords" are wrong, wrong, wrong. The LENGTH of the password is by far the most important thing. Password! is a really bad password, but would be considered "very strong" by most meters.

Probably the best thing we could do for password security would be to replace the word "password" with "pass phrase" or better yet "secret sentence". It's extremely unlikely anyone would ever crack the password "Ray eats cherry pie alamode", yet it's very ready for the user to remember.

http://xkcd.com/936/

Re:Indeed. Most strength checkers are quite wrong (1)

jrumney (197329) | about a year ago | (#43760061)

My bank includes a "pass phrase" as part of its security check. They don't allow whitespace in this pass phrase and limit its length to 12 characters. I think someone at the bank is knowledgeable enough that the orders went out to change from using passwords to pass phrases, but they need to do a better job of spreading that knowledge around the monkeys doing the coding so they don't just change the name to please the boss.

Re: Indeed. Most strength checkers are quite wrong (1)

oobayly (1056050) | about a year ago | (#43760381)

Odds are they're doing something like using a char field to store the password which means that whitespace *may* be trimmed, so it's safer not to allow them. I'm surprised that some of them are advanced enough to accept the £ symbol as it's not in the standard ASCII set.

Not that I don't trust banks or anything, but they tell me to install Rapport every time I try to log in. One of these days I'm going to call and ask how to install it on Debian (for shits and giggles)

Re:Indeed. Most strength checkers are quite wrong (3, Informative)

retchdog (1319261) | about a year ago | (#43760325)

coherent english phrases have approximately one bit of entropy per character. your sentence wouldn't be that unusual if crackers were using the appropriate tools (which of course they aren't).

the xkcd example works better because it's nonsense. to see it intuitively, "eats cherry" is a common 2-gram (although salaciously ambiguous out of context) whereas "horse battery" is uncommon (as is its referent).

The forced registrations on many sites drive reuse (4, Insightful)

luvirini (753157) | about a year ago | (#43759247)

The growing number of places you need a password on just to access some content is a sure cause for increased password reuse.

Humans are simply not suited to remembering random enough password to cover all the sites on internet.

The save password option on the browser might help...

but more and more sites use the "no not save passwords" option.. forcing people back to reusing passwords.

Well, personally I just use fairly random passwords and "rememberpass" extension on firefox to force saving password even when the site does not want you to do that.. as the lesser of the evils.

Article is useless and misleading (1)

Dynedain (141758) | about a year ago | (#43759259)

According to the article:

The team concluded that the presence of meters upon site registration, for example, is not as effective as when the meters are not associated with a registration,

Soo... the summary sentence actually says nothing. What was the result? It also sounds like they're reporting on whether people noticed the meter, not whether the meter was successful in getting people to use better passwords.

Headline parse error (1)

Megahard (1053072) | about a year ago | (#43759361)

I pictured big banks and the like hiring people to try to break passwords of employees or customers.

Strong passwords considered harmful (2)

Skapare (16644) | about a year ago | (#43759371)

I might be the exception because one of my passwords is 27 characters and I have never needed to write it down. But most people do need to write down long meaningless strings of gibberish, especially if they have many of them. Just like people know to find the car keys above the sun visor in a car, or under the rug at the house door, people know to look in or under the desk drawer for the computer password.

Few people get a chance to sit at your PC, though. Network access is the greater risk, and that often has no password need because people just click on the link to the dancing squirrels and let their computer be taken over. We also need LESS use of passwords when connecting to things on our networks. Everything should be strong crypto authenticated, even inside private LANs.

What a coincidence (1)

Anonymous Coward | about a year ago | (#43759513)

I've been using "Imightbetheexceptionbecause" for years. We should do lunch, Skapare!

So? (4, Interesting)

Smallpond (221300) | about a year ago | (#43759375)

Now tell us what percent of breakins are due to guessing passwords. Maybe 2%. The rest are social engineering, default accounts, keyloggers, vulnerabilities, malware, misconfigured networks and people leaving their phones in bars.

Re:So? (1)

GodfatherofSoul (174979) | about a year ago | (#43759479)

I bet it's more than that. A guy I used to work with couldn't get in touch w/ a client we were doing support for and guessed the password. I have no clue what he was getting into, but our clients are Fortune 500 companies.

Re:So? (1)

dgatwood (11270) | about a year ago | (#43759639)

Yes, lots of weak passwords are guessed by automated bots. This tends to affect websites like Facebook, message boards, etc., where the maximum possible damage is fairly limited and mostly harmless. By contrast, most people's bank account passwords are not "12345".

Not for important accounts, though. For things like banks, the password rules generally are already strong enough to make guessing problematic unless you know your victim, and to some degree, even then. It is far easier to make a virus that compromises millions of machines and looks at what letters the users just typed, or injects spyware into their browsers to detect which of those virtual PIN number pad buttons the user clicked, or whatever. Instead of an attack on a specific person that requires research, you can successfully compromise thousands or even millions of people. Why spend a high amount of effort per target when you can spend almost none and get similar results?

This, of course, ignores attacks on the infrastructure itself (e.g. attacking a credit card processor to steal credit/debit card numbers en masse or installing a card skimmer on an ATM). Those sorts of attacks also seem to be pretty popular, but they don't have much to do with passwords.

Re:So? (1)

dgatwood (11270) | about a year ago | (#43759663)

Sigh. Ignore the first sentence in the second paragraph. This is what over-editing does.

Re:So? (0)

Anonymous Coward | about a year ago | (#43760047)

By contrast, most people's bank account passwords are not "12345".

Thanks. My friend who's into IT security advised me not to use passwords that are common on my bank account, but until I found your post I had no idea how to find out if a password was common. Now at least I know one that's not.

Re:So? (1)

dgatwood (11270) | about a year ago | (#43760229)

You owe me a new keyboard.

Most are guesses. 92% (1)

raymorris (2726007) | about a year ago | (#43759893)

You seem to be thinking of targeted attacks on a specific person. That's probably fewer than 1% of all attack attempts. Based on statistical analysis of thousands of attacks (tens of millions of login attempts), I'd estimate password guessing at more like 92%. There are many bot nets constantly trying dictionaries against random sites. As a rough guesstimate, there are maybe a few tens of millions of dictionary attempts by http EVERY DAY. The combos admin/admin and admin/password work all too often.

That's not even due to guessing (1)

dutchwhizzman (817898) | about a year ago | (#43759985)

Most of "lost password" break-ins are due to the companies demanding you use passwords not storing them properly, giving a hacker a nice database of non or trivially encrypted passwords to use. Password reuse wouldn't be a problem if the password wouldn't be stolen from compromised websites.

Re:So? (0)

Anonymous Coward | about a year ago | (#43760751)

I had the displeasure to open a database for a small business website, and saw the passwords in plain text next to their names, addresses, and other information.

I skimmed the list and realized quickly with one algorithm I could gain access to approximately two thirds of the accounts using the information in the other fields, assuming three guesses (assuming I get three minor variations before being locked out). I was slightly surprised at what the exact pattern was -- it's very similar to one tossed around at slashdot and other sites but not the same, yet it was remarkably consistent, so consistent that I have to believe it's actually taught somewhere to people because they shouldn't all come to the same algorithm independently from all these different places.

They made payments through paypal and not through this password, so I guess it could be that every user was tech-savvy enough to determine that they should use their weak password here, but I doubt it.

I changed their password system to use a salted hash, converted every record, and overwrote their backups (with the company owners' permission). I don't think a breakin to that site would be all that terrible (associates email addresses with physical addresses, not great but big deal) except I wouldn't want to bet on how many of those email address / password combinations could log into a person's web mail account. From there you can get a lot further by triggering password resets on other sites.
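The conversion the poster describes (plaintext column to salted hash, every record rewritten), as an added example that is not the poster's own migration: PBKDF2-HMAC-SHA256 with a per-user random salt, a self-describing storage string, constant-time verification, and a table rebuild so the plaintext column does not survive. The table layout, the `users` name, the iteration count and the three sample rows are assumptions made for the example.

```python
"""Migrating a plaintext password table to salted PBKDF2 hashes in place, then
verifying logins against the new column. Added example for this thread, not the
poster's real migration; the table layout and work factor are assumptions."""
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Fresh random salt per user, so equal passwords get different hashes and a
    stolen table cannot be attacked with one precomputed table for all rows."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def migrate(conn, iterations=ITERATIONS):
    """Rebuild the users table without the plaintext column. A rebuild rather
    than UPDATE plus DROP COLUMN keeps this portable across SQLite versions;
    the old rows (and every backup of them) still have to be destroyed."""
    conn.execute("CREATE TABLE users_new (id INTEGER PRIMARY KEY, email TEXT, "
                 "password_hash TEXT NOT NULL)")
    rows = conn.execute("SELECT id, email, password FROM users").fetchall()
    conn.executemany("INSERT INTO users_new VALUES (?, ?, ?)",
                     [(uid, email, hash_password(pw, iterations)) for uid, email, pw in rows])
    conn.execute("DROP TABLE users")
    conn.execute("ALTER TABLE users_new RENAME TO users")
    conn.commit()
    return len(rows)


def demo(iterations=ITERATIONS):
    """Constructed sample data: three users stored the way the poster found them."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice@example.com", "Alice1979"),
        (2, "bob@example.com", "Alice1979"),          # same password as alice
        (3, "carol@example.com", "correct horse battery staple"),
    ])
    migrated = migrate(conn, iterations)
    stored = dict(conn.execute("SELECT email, password_hash FROM users").fetchall())
    columns = [row[1] for row in conn.execute("PRAGMA table_info(users)")]
    return {
        "migrated": migrated,
        "plaintext_gone": "password" not in columns,
        "alice_ok": verify_password("Alice1979", stored["alice@example.com"]),
        "alice_wrong_case": verify_password("alice1979", stored["alice@example.com"]),
        # same password, different salt, different stored hash
        "alice_bob_differ": stored["alice@example.com"] != stored["bob@example.com"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

The iteration count lives inside the stored string, so old rows can be re-hashed at next login when the work factor is raised, and the unrelated SQL hardening the poster alludes to (the mail-address plus password pairs being reusable against webmail) is exactly why the plaintext column has to go from backups too, not just from the live table.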

in college they call it research (-1)

Anonymous Coward | about a year ago | (#43759413)

In programming they call it a 12 y/o with an old copy of visual basic.
for dos.
1.1.2 .a

I'm Fine With That (0)

Anonymous Coward | about a year ago | (#43759451)

But the one thing that's been annoying me lately is websites that have a minimum password requirement (must be 8 letters, must have a number) but they don't tell you about it until after you've filled out the entire registration and pressed submit. By then I've already added the password to my keychain, and have to go back and fix it and try again.

Some places I use "qwerty" because I don't care if my account is hacked. Now I have to switch to the more convenient "qw3rtijim09!" to pointlessly satisfy a robot.

How good are the meters? (3, Insightful)

Carnildo (712617) | about a year ago | (#43759473)

How good are the meters as an indication of password strength? If you've got a meter that calls "Password1" (nine characters, mixed upper and lower case with a number) strong, it doesn't matter if the meter has an effect or not.

Password strength is inherently impossible to measure (it's related to the password's Kolmogorov complexity, which is incomputable). A good heuristic meter would check the password against the output of a few password-cracking programs and assign a strength based on how long it takes the password to show up, but I doubt anyone's doing that.

Re:How good are the meters? (0)

Anonymous Coward | about a year ago | (#43759661)

How good are the meters as an indication of password strength? If you've got a meter that calls "Password1" (nine characters, mixed upper and lower case with a number) strong, it doesn't matter if the meter has an effect or not.

I know of an MMO whose meter considers your password strong if you have both cases, a number and punctuation, even if it's only 4 characters long.
It also considers long random-character passwords weak if they don't have numbers and punctuation. Terrible.

There are lots of bad ones (2)

Sycraft-fu (314770) | about a year ago | (#43760473)

For example the powers that be at work decided that the important thing was 3 of the 4 groups (upper, lower, numbers, and punctuation are the groups), and length, with 14+ being what makes it happy. So you input a short phrase like "I like puppies" it'll call it strong and take it. However if you input "@la2wo!d?o-z4" it'll call it weak because it is too short. Input something like "niecrlazleswiariucriuml7priu8roab7iuyluc0oawr1u5pl" and it'll reject it because there are only 2 of the 4 groups.

There's no further analysis, it is just a length and groups thing, with rather poorly defined groups.

Also in terms of strength, while there's no perfect one, measuring bits of entropy, which you can do, is pretty good. However few sites use anything that advanced.

Re:How good are the meters? (0)

Anonymous Coward | about a year ago | (#43760679)

Actually most password strength will use dictionary attacks that password crackers use to detect how well it would protect against it.
So it splits your password up in tokens where each token could have been cracked by a current cracking program.

The number of tokens, and the length of each token is an indication of how many bits of entropy are in your password.

Linux passwd can be configured to have a password cracker as backend, it has been doing this for over 10 years.
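Carnildo's suggestion (score a password by what crackers actually find), Sycraft-fu's "3 of 4 groups plus length" meter, and the token-splitting approach described just above, side by side as an added example that is not code from the original page or from any site's meter. The naive rule is the usual one; the estimator greedily splits the password into dictionary words (with case and leet substitutions undone, the way cracking rule sets do) and leftover runs, and charges log2(rank) plus one bit per twist for a word and a full brute-force alphabet for a run. The word list, leet table and alphabet sizes are constructed for the example; a real meter (zxcvbn is the well-known one) draws on tens of thousands of ranked entries.

```python
"""Two password meters side by side: the character-class rule most sites use
and a simplified token-based estimate of the kind a cracking rule set implies.
Added example for this thread; it is not any site's actual meter."""
import math
import re

# Constructed, frequency-ordered word list (rank 1 = most common). A real meter
# draws on tens of thousands of entries from leaked-password corpora; this list
# is only large enough to score the passwords quoted in the thread.
COMMON_WORDS = [
    "password", "qwerty", "letmein", "welcome", "monkey", "dragon", "master",
    "like", "love", "hello", "puppies", "sunshine", "princess", "football",
    "horse", "battery", "staple", "correct", "cherry", "eats",
]
RANK = {word: i + 1 for i, word in enumerate(COMMON_WORDS)}

# Leet substitutions that cracking rule sets undo before the dictionary lookup.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# (pattern, alphabet size) for the four classes the naive rule counts.
CLASSES = [(re.compile(r"[a-z]"), 26), (re.compile(r"[A-Z]"), 26),
           (re.compile(r"[0-9]"), 10), (re.compile(r"[^a-zA-Z0-9]"), 33)]


def naive_meter(password, min_len=8):
    """The usual rule: at least min_len characters and 3 of the 4 classes."""
    classes = sum(1 for pattern, _ in CLASSES if pattern.search(password))
    return "strong" if len(password) >= min_len and classes >= 3 else "weak"


def tokenize(password):
    """Greedy split into dictionary words (case and leet undone, 3+ letters)
    and the runs of leftover characters between them."""
    tokens, run, i = [], "", 0
    while i < len(password):
        match = None
        for j in range(len(password), i + 2, -1):  # longest candidate first
            if password[i:j].lower().translate(LEET) in RANK:
                match = password[i:j]
                break
        if match is None:
            run += password[i]
            i += 1
            continue
        if run:
            tokens.append(("random", run))
            run = ""
        tokens.append(("word", match))
        i += len(match)
    if run:
        tokens.append(("random", run))
    return tokens


def token_bits(kind, text):
    """Bits of guessing work for one token."""
    if kind == "word":
        base = text.lower().translate(LEET)
        leet_subs = sum(1 for a, b in zip(text.lower(), base) if a != b)
        caps = 1 if any(c.isupper() for c in text) else 0
        # find the word by its rank, then double the work for each twist applied
        return math.log2(RANK[base]) + caps + leet_subs
    alphabet = sum(size for pattern, size in CLASSES if pattern.search(text))
    return len(text) * math.log2(alphabet)  # brute force over the classes present


def estimate_bits(password):
    """Sum over tokens, i.e. how a cracker that tries dictionary words with
    rules before falling back to brute force experiences the password."""
    return sum(token_bits(kind, text) for kind, text in tokenize(password))


if __name__ == "__main__":
    for pw in ["Password1!", "P@ssw0rd", "I like puppies", "@la2wo!d?o-z4",
               "niecrlazleswiariucriuml7priu8roab7iuyluc0oawr1u5pl"]:
        print(f"{pw!r:54} naive={naive_meter(pw):6} estimate={estimate_bits(pw):6.1f} bits")
```

Run as is, it reproduces the complaints in the thread: "Password1!" and "P@ssw0rd" pass the class rule but come out at a handful of bits, "I like puppies" passes the 14-character rule at roughly 23 bits, and the 50-character lowercase-plus-digit string the rule rejects is worth over 250.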

Re:How good are the meters? (1)

Hentes (2461350) | about a year ago | (#43760711)

Measuring entropy would be a good start.

Speaking of "meters" (0)

mysidia (191772) | about a year ago | (#43759495)

Why not in addition to requiring a password... give the user a 255x255 grid (Total 65,000 boxes). Require the user to place 3 symbols on the grid, by clicking, not within the vicinity of any two symbols lining up horizontally, diagonally, or vertically, and not within a certain euclidian distance of any other symbol.

The symbol in a box can be placed in the center, left edge, right edge, bottom edge, top edge, upper-left corner, upper-right corner, lower-right corner, or lower-left corner.

In addition to the password, the placement of the symbols must be remembered (which box, and where in each box, each marker was placed).

The result is an extra ~19 bit field.

Then a heavy work-factor PBKDF2, BCrypt, or SCrypt hash of this 19-bit field could be appended to the password.

Thereby, creating a password augmentation that will be very difficult to brute force

Re:Speaking of "meters" (2, Interesting)

Anonymous Coward | about a year ago | (#43759755)

...and very difficult to remember making the use of such a system insanity.

Or make the passphrase three characters longer (0)

Anonymous Coward | about a year ago | (#43759845)

You could do all of that, or you could gain more entropy by making the passphrase three characters longer. Really, the way to get more bits of enyropy is to use more bits. Any of the three sentences in this post has a lot of bits.

Re:Or make the passphrase three characters longer (1)

Carnildo (712617) | about a year ago | (#43759877)

Understandable English text doesn't have very much entropy, averaging 1.5 bits per character. Your sentences have 162, 98.5, and 88.5 bits respectively (I gave you an extra bit for your typo of "entropy" in the second sentence. Just be sure you remember it the next time you type your pass-sentence in.)

Re:Or make the passphrase three characters longer (0)

Anonymous Coward | about a year ago | (#43760303)

Considering A random 16-char alphanumsym password also has "only" ~100 bits of entropy...
which is easier to remember?
"X1w71Z8,d3hi?qVh"
or
"Really, the way to get more bits of enyropy is to use more bits."

Re:Or make the passphrase three characters longer (1)

Anonymous Coward | about a year ago | (#43760571)

Learn and use Chinese words for your password. With over 10000 commonly used characters, that gives you 10 bits per character. ;P

I find it hard to believe.... (1)

MasseKid (1294554) | about a year ago | (#43759691)

I find it hard to believe that any important account, which would/should lock you out after a couple of tries, would be vulnerable to a brute force attack even with a 4 digit pin of only numbers (2 months of 4 tries per day locks you out on average; at some point your bank should really be contacting you). On the other hand, key loggers make even 128 character long, truly random, 46-options-per-character passwords easily broken. Even more annoying are the fucking stupid "password helpers" that say well just follow this simple rule and you'll make your password virtually unbreakable. Word to the wise, if you're following a rule, you've added 1 bit of entropy, that's it. Nothing more.

Believe this (2)

dutchwhizzman (817898) | about a year ago | (#43760013)

Attackers are not trying just one account, but many. They don't try a single account from a single IP sequentially. If you have 1 million accounts and a four digit pin to get in, you get 100 accounts unlocked on average with every sweep of a single pin on those 1 million accounts. Get your botnet to do the sweep, give it a little time so people will log in and reset the counters and in a few months you'd have all the accounts unlocked with almost no lock-outs. You might need a little intelligence put in so you'll delay attempts on accounts that got locked out, not use botnet IPs that got locked out for a week or so if you really want to keep a low profile, but other than that, a 4 digit pin is trivial.
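The sweep described above, as an added example that is not code from the original page: a per-account lockout counter run over a login log never fires on it, because each account sees one failure per sweep, while a per-source query for "many accounts, few attempts each" in the same log does. The log line format, the thresholds, the IP addresses and the sample traffic are all constructed for the example.

```python
"""Why a per-account lockout never fires on a password spray, and a query over
the same login log that does. Added example for this thread; the log line
format, thresholds and sample traffic are all constructed for it."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(lines):
    """(timestamp, ip, user, result) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def lockouts(events, threshold=3, window=timedelta(hours=1)):
    """The classic control: lock an account after `threshold` failures inside
    `window`. Returns the accounts that would have been locked."""
    recent, locked = defaultdict(list), set()
    for ts, _, user, result in sorted(events):
        if result != "FAIL":
            continue
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) >= threshold:
            locked.add(user)
    return locked


def detect_spray(events, window=timedelta(hours=1), min_accounts=20, max_per_account=2):
    """Spray signature: one source failing against many accounts, each only a
    few times, so no single account counter reaches the lockout threshold.
    Returns {ip: distinct accounts touched} for sources that match in some window."""
    failures = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = Counter(u for t, u in attempts[i:] if t - start <= window)
            if len(users) >= min_accounts and max(users.values()) <= max_per_account:
                flagged[ip] = len(users)
                break
    return flagged


def sample_log(accounts=60):
    """Constructed traffic: three bot IPs each sweep one guess across every
    account on a different day (as the comment describes), and one real user
    mistypes her password four times before getting in."""
    base = datetime(2013, 5, 15, 10, 0, 0)
    bots = ["198.51.100.7", "198.51.100.8", "203.0.113.21"]
    lines = []
    for day, ip in enumerate(bots):
        for n in range(accounts):
            ts = base + timedelta(days=day, seconds=30 * n)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} ip={ip} user=user{n:03d} result=FAIL")
    for k in range(4):
        ts = base + timedelta(minutes=5, seconds=k)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} ip=192.0.2.10 user=alice result=FAIL")
    ts = base + timedelta(minutes=6)
    lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} ip=192.0.2.10 user=alice result=OK")
    return lines


if __name__ == "__main__":
    events = parse(sample_log())
    print("locked by per-account counter:", lockouts(events))     # only alice
    print("sources flagged as spraying:  ", detect_spray(events))  # the three bots
```

A real botnet spreads the sweep over many source addresses, so the per-source view above is the easy case; the same `Counter` over all failures in a window, compared against the site's normal count of distinct failing accounts, is the global version of the check, and the thresholds have to be tuned against real traffic rather than taken from this example.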

LastPass (0)

bmo (77928) | about a year ago | (#43759747)

Of late I've been using LastPass. I don't know any of my passwords by memory, simply because they're just random garbage.

Q908j0U9$!!uOVgJ2R!0XC*mN
4$J0X3B7d63r6Sr29&z9r0hdx

They all look like that. They are all unique per site too, so if Yahoo loses control of its passwords again, for example, the rest of my stuff isn't hosed.

Go ahead. Generate a rainbow table that takes into account 25 (or more) characters of pure junk.

--
BMO

Re:LastPass (2, Interesting)

Anonymous Coward | about a year ago | (#43759883)

> Of late I've been using LastPass.

That's great! Except... you know that LastPass had their entire database compromised, right? Fool me once...

Re:LastPass (1)

bmo (77928) | about a year ago | (#43760079)

But that's not what the article says.

If you're going to threadshit, at least threadshit with a username so I can filter you.

--
BMO

A thought.. (4, Interesting)

SuperCharlie (1068072) | about a year ago | (#43759873)

Maybe a brainfart..but here goes..

Has anyone worked on a time based password system..such as.. the timing between the entry of the characters? So 11 then isnt the same as 1 1

I find that I have a few passwords that I use that I end up with a typing rhythm for certain character sets. I could logically break and wait on some.. or speed some up and slow some down consciously.. the intent of course being to add another completely random variable into the password thing..

You could have different timing resolutions for different levels of security. Imagine the difficulty of a password with only 2 characters exactly 1.756 seconds apart .. with a resolution of .002 seconds..and someone who can flip a coin, catch it, and click the second character consistently because of muscle memory and repetition. (random specs..but you get the picture)

And then the same scheme with a 1.5 second resolution for not so strict security. (again..random specs..but you get the picture)

Of course you would have words or phrases with timings in between so that...

"the l a z y dog" isnt the same as

"t h e lazy do g"

simply by the timing between the characters.

You would need to add or change passwords by typing them a few times until you can get the timing right for the resolution..and I would think a test or two before setting the password with timing..somthing like the voice recognition training...

and theres my brainfart for the day..enjoi.

Yes (3, Interesting)

dutchwhizzman (817898) | about a year ago | (#43760027)

Yes, they have. However, it requires client side applications and it is depending on the keyboard you are using. If you have to type your password on a different keyboard, your timing will differ because of the different placement and mechanics of the keyboard. It is only a reliable extra factor if you use a single type of hardware in very similar locations.
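The rhythm idea from the parent, worked through as an added example that is not an existing product or code from the original page: several typings of the secret are enrolled into a per-gap template quantised to a chosen resolution, and a login is accepted only if every gap falls within a tolerance of the enrolled value. The gap values, the resolution and the tolerance are assumptions; the last case in the demo is the reply's caveat, the same rhythm on a different keyboard.

```python
"""The typing-rhythm factor sketched above: the gaps between key presses of a
password are enrolled and checked alongside it. Added example for this thread,
not an existing product; the tolerances are assumptions, and, as the reply says,
a template only holds on the keyboard it was enrolled on."""
from statistics import mean, pstdev


def gaps(timestamps):
    """Inter-key intervals (seconds) from key-down timestamps of one typing."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def enrol(samples, resolution=0.05):
    """Template from several typings: per-gap mean, quantised to the resolution
    the comment describes, and spread, floored at that resolution."""
    rows = [gaps(s) for s in samples]
    if len({len(r) for r in rows}) != 1:
        raise ValueError("all samples must type the same secret")
    template = []
    for column in zip(*rows):
        m = round(mean(column) / resolution) * resolution
        template.append((m, max(pstdev(column), resolution)))
    return template


def rhythm_matches(template, timestamps, k=2.0):
    """Accept only if every gap is within k spreads of its enrolled mean."""
    observed = gaps(timestamps)
    if len(observed) != len(template):
        return False
    return all(abs(g - m) <= k * s for g, (m, s) in zip(observed, template))


def timestamps_from_gaps(gap_list, start=0.0):
    """Constructed key-down times for a typing with the given gaps."""
    times = [start]
    for g in gap_list:
        times.append(times[-1] + g)
    return times


# Constructed rhythm for the 12 keys of "the lazy dog": quick inside words and a
# long pause before each space, so "the l a z y dog" would produce other gaps.
BASE_GAPS = [0.12, 0.10, 0.60, 0.11, 0.10, 0.10, 0.12, 0.58, 0.11, 0.10, 0.12]


def demo():
    """Enrol three slightly jittered typings, then try three logins."""
    samples = [timestamps_from_gaps([g + d for g in BASE_GAPS]) for d in (0.0, 0.02, -0.02)]
    template = enrol(samples)
    moved = list(BASE_GAPS)
    moved[2], moved[4] = moved[4], moved[2]      # same text, pause in a different place
    slower = [g * 1.5 for g in BASE_GAPS]        # same rhythm on a heavier keyboard
    return {
        "own_rhythm": rhythm_matches(template, timestamps_from_gaps(BASE_GAPS)),
        "pause_moved": rhythm_matches(template, timestamps_from_gaps(moved)),
        "other_keyboard": rhythm_matches(template, timestamps_from_gaps(slower)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:15} {'accepted' if accepted else 'rejected'}")
```

Loosening `k` far enough to accept the third case also accepts the second, which is the tension the reply points at: the factor is only as selective as the hardware is consistent, and the timings must be captured client-side before they can be checked.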

Your password must include a 9 in it. (2)

GoodNewsJimDotCom (2244874) | about a year ago | (#43759919)

At first glance, telling your users they must use a 9 in their password sounds dumb. "Hey, everyone is going to have at least one guessable character". But what in fact happens is most people who make a password on your site will not be using a reusable password from another site which is one of the biggest flaws in security right now. Your site's users are less likely to be hacked if another site's security goes down.

So while security "experts" think forcing you to use one uppercase letter and at least one !@#$%^&*() makes your password harder to guess, what it really does is make you write a password custom to the site. If sites were smart, they'd all have different password rules instead of conforming to this. This means one site would ask you for pick one "^&*(" and one "abcd", and another site would ask for you to pick one" #$%^" and one "wxyz"

Re:Your password must include a 9 in it. (1)

Snotnose (212196) | about a year ago | (#43760019)

But what in fact happens is most people who make a password on your site will not be using a reusable password from another site which is one of the biggest flaws in security right now.

I'll just use the crappy password I use for sites like /. and fark and stick a 9 after it. I hit this at work a lot, every x weeks they want a new password. So I end up with foo1, foo2, foo3, etc. Sometimes they notice what I'm doing (I'm a consultant, I change jobs a lot), in that case I have foo1, bar1, foo2, bar2, etc.

That said, my work passwords tend to be strong, I just add the stupid numbers when IT forces me to.

Re:Your password must include a 9 in it. (1)

rossz (67331) | about a year ago | (#43760297)

I have to do the same damn thing every three months on one system and every six months on two. This doesn't count my system admin passwords (which we mostly eliminated through the use of private keys). One system I use so rarely that I have to have it reset when I want to use it (it's the vacation database, which does not use the same password as anything else in the company).

Re:Your password must include a 9 in it. (1)

GoodNewsJimDotCom (2244874) | about a year ago | (#43760377)

Exactly, someone mod my original comment down, I simplified the context down too much.

Still reusing passwords that way (1)

dutchwhizzman (817898) | about a year ago | (#43760043)

So I make my password 912345 instead of 12345. Big deal. I use the same password as my matching luggage everywhere. I just put the mandatory characters in front of it. That way, I still have to remember a single password and I can read what to put in front of it on the site itself. Highly convenient and extremely secure.... not.

Re:Still reusing passwords that way (1)

GoodNewsJimDotCom (2244874) | about a year ago | (#43760373)

Good call, I'm sure that's how it'd end up being.

US Department of Justice (0)

Anonymous Coward | about a year ago | (#43759961)

The 'Syrian Electronic Army' is contracted and financed and managed with Presidential Oversight by the US Department of Justice !

Get a password manager (3, Insightful)

Snotnose (212196) | about a year ago | (#43759989)

I use KeePass. I have 1 strong password stored in my brain. I have 1 crappy password for places like fark, /., and ars. My passwords for my 2 investment firms, my bank, ebay, paypal, email accounts, etc, are all different and I have no idea what they are as I let KeePass generate them. I just open up KeePass, copy the password to the clipboard, then paste.

To make it portable whenever I add a password to KeePass on my laptop I copy the database to my phone. As I never access my sensitive accounts from anywhere but my phone I'm good.

In short, it's simple, free, and as long as my 1 strong password is good I'm in good shape.
 

Re:Get a password manager (0)

Anonymous Coward | about a year ago | (#43760269)

Why do you trust the password manager developers?

It's a single point of failure that could compromise all your accounts if their software is compromised, either because they are malicious or because they have made an error; malware writers have a very strong incentive to compromise them. I'd like to use a password manager but the chance they are a bad actor is just too high.

Re:Get a password manager (1)

UnknownSoldier (67820) | about a year ago | (#43760431)

Do you understand the point and how

a) open-source, and
b) Public Key Encryption

even work?

Re:Get a password manager (2, Insightful)

Anonymous Coward | about a year ago | (#43760503)

By that logic it's even more likely your OS or its keyboard driver are compromised, which would give the bad actor access to the same passwords (and then some). And what about sites integrating 3rd party scripts (like facebook/socialnetwork/googleanalytics stuff), they allow a 3rd party to run scripts on every page of their site (facebook/google could easily add a pre-submit event handler that reads the pw and submits it to them aswell).

Password managers are (at heart) very basic software, which makes source code evaluation relatively easy (assuming you pick an OSS variant, which you probably should). Aside from heavily investing brainpower in remembering a lot of passwords (or some in-your-head password "algorithm"), password managers are one of the safer methods available at the moment.

Important IT systems (such as banking/companyVPN/etc) are, or should, all be moving away from passwords.

Re:Get a password manager (1)

Svartalf (2997) | about a year ago | (#43760355)

This is part of the reason that "strong" passwords are actually as weak or weaker than "weak" ones. If you have to aggregate them into a "manager", something similar, or write it down on a post-it/piece of other paper it's NOT "strong" in the slightest.

We'd be better off having passphrases that would be difficult to brute-force, but easy to remember for humans.

Re:Get a password manager (1)

UnknownSoldier (67820) | about a year ago | (#43760419)

Concur 100%. One really strong, long, and easy to use passphrase to unlock all the other passwords.

Ctrl-B (copy username to system clipboard)
Alt-Tab
Ctrl-V (paste username)
Alt-Tab
Ctrl-C (copy password to system clipboard)
Alt-Tab
Ctrl-V (paste password)

Fast, Simple, Easy. Can even copy the encrypted password database onto a thumb drive so if it is ever lost / stolen -- good luck "cracking" the master password.

Re:Get a password manager (0)

Anonymous Coward | about a year ago | (#43760685)

I am actually thinking of writing my passwords down in a book instead.
Cannot be remotely accessed.
Very stable database that will not get corrupted easy.
Only problem is backups in case my house gets on fire or the book being stolen.

Re:Get a password manager (0)

Anonymous Coward | about a year ago | (#43760887)

That is my method, actually. It is a single point of failure, but it's one that never leaves home and is immune to hacking.

Importance... (2, Insightful)

Bert64 (520050) | about a year ago | (#43760753)

Every website appears to have an over inflated sense of its own importance... Why shouldn't i use a "weak" password on a site I deem unimportant?

Many of the password strength checkers are also deeply flawed, as they allow common dictionary words to slip through with trivial changes, eg Password1! is considered strong by most such checkers.

Also, how can i be assured that a site i sign up to is going to store my details securely? What's the point in having a strong password if its going to be stored in plain text or using a weak hashing algorithm?

So people choose strong passwords... (5, Insightful)

theedgeofoblivious (2474916) | about a year ago | (#43760759)

And then they write them down, stick them on sticky notes, and put them under their keyboards, or in their drawers, completely destroying the security, but maintaining the administrators' beliefs in it.

It's almost as good of an idea as making people change their password once a month, which also encourages people to write them down, re-use their weak passwords or choose passwords that are easy to guess.

And how about those password retrieval questions?

What's your favorite color or your mother's maiden name? No one can guess those.

Not really checking password strength (4, Insightful)

mwvdlee (775178) | about a year ago | (#43760771)

To most of those password checks I've encountered, "P@ssw0rd" is very strong, but a thousand random digits is impermissibly weak.

Quite a few stupid ones out there (1)

gweihir (88907) | about a year ago | (#43760959)

I use random passwords. There are quite a few terminally stupid "password testers" that will happily refuse 16 digit and letter passwords as weak, but call 8 digit/letter with a special character "strong".
