
Applying Pavlovian Psychology to Password Management

timothy posted about 3 months ago | from the risk-versus-reward-baby dept.

Security 288

Ars Technica reports on an interesting and sensible-sounding approach to password policy that I'd like to see adopted just about everywhere I have a password (which, these days, is quite a few). An excerpt: "For instance, a user who picks "test123@#" might be required to change the password in three days under the system proposed by Lance James, the head of the cyber intelligence group at Deloitte & Touche. The three-day limit is based on calculations showing it would take about 4.5 days to find the password using offline cracking techniques. Had the same user chosen "t3st123@##$x" (all passwords in this post don't include the beginning and ending quotation marks), the system wouldn't require a change for three months."


288 comments

ObXKCD: Passphrases (5, Interesting)

tepples (727027) | about 3 months ago | (#46916403)

From the article: "Passcodes that have a length of 20 or more can contain any character type an end user wants, including all lower case letters." And sites like Phil's Hobby Shop [philshobbyshop.com] have lowered "complexity" requirements for sufficiently long passwords. I'm glad the passphrase concept is catching on. To what extent can xkcd be credited [xkcd.com] with awareness of passphrases?

Re:ObXKCD: Passphrases (3, Insightful)

Anonymous Coward | about 3 months ago | (#46916509)

Not a great extent. Most of us knew the math already, but it only works well when you really select randomly from a dictionary instead of making grammatically correct sentences or even a personally chosen set of "random" words (from a limited vocabulary). Mixing passphrases and complex passwords works best. battery horse correct staJ&%v1ple

Grammar is overrated (2)

tepples (727027) | about 3 months ago | (#46916537)

As illustrated in the comic, your mind can end up constructing a "story" around whatever four words your Diceware spits out. So long as you can remember the story, it doesn't need to be grammatical.

A Revelation for all (0)

Anonymous Coward | about 3 months ago | (#46916715)

Here is wisdom. Let him that has understanding count the number of the beast: for it is the number of a man; and his number is Six hundred three score and six.

Solve that for my Slashdot password.

Re:A Revelation for all (1, Troll)

CODiNE (27417) | about 3 months ago | (#46916743)

YESSS!! Finally I'll be able to log into and post from the illustrious Anonymous Coward account!

Re:A Revelation for all (-1)

Anonymous Coward | about 3 months ago | (#46916917)

Sometimes a nigger is just a nigger.

Re:Grammar is overrated (4, Interesting)

Mashiki (184564) | about 3 months ago | (#46916801)

As illustrated in the comic, your mind can end up constructing a "story" around whatever four words your Diceware spits out. So long as you can remember the story, it doesn't need to be grammatical.

Bingo. Funny enough, I just finished doing a security job out in western Canada (provincial government office) and moved them to passphrases. Funny how the number of "passes written on post-it-notes" dropped from "everywhere" to nowhere except the firebox safe. The safe of course is in its own room, and requires two keys to open besides the combination. This of course also cut down on the intrusions into the network, because people simply "walking in" couldn't glean passwords that were posted in the open anymore.

Re:ObXKCD: Passphrases (0)

lgw (121541) | about 3 months ago | (#46916545)

This "long password" bullshit again?

No, the solution is not strong passwords. The solution will never be strong passwords. If your security requires passwords stronger than a 4-digit PIN (enough that a few guesses before lock-out won't get an attacker anywhere), you're doing it wrong.

There are many off-the-shelf two factor solutions today. Choose one. My company badge goes into a smart card reader - awkward, but secure. You can put soft tokens on company-issued PCs/Laptops/whatever, and if the solution is any good it will be:
* Seamlessly transparent to the user, other than the one-time setup for a new device.
* Fully secure with a 4-digit PIN

WTF are people thinking, still going on about strong passwords in this day and age?

Proliferation of two-factor means (2)

tepples (727027) | about 3 months ago | (#46916561)

There are many off-the-shelf two factor solutions today. Choose one.

That's fine if you only ever sign into one web site that uses two-factor authentication. But if every web site you sign into during the day insists on a different off-the-shelf two-factor solution, or if one of the solutions is pay-per-use, it could get very expensive. One such pay-per-use method that has become popular is receiving a text message on a cell phone.

Re:Proliferation of two-factor means (1)

lgw (121541) | about 3 months ago | (#46916613)

Note TFA is about sys admins training users, not what we can do as users ourselves.

Do cell phone companies still charge for text messages? I used to get charged for every message, as I never had a plan that included any, but T-Mobile just converted my plan to unlimited everything.

I chose my primary broker/bank because they had good 2-factor auth - wouldn't trust significant money with a bank that didn't. And for a non-financial account - who cares?

Re:Proliferation of two-factor means (5, Insightful)

jonwil (467024) | about 3 months ago | (#46916625)

The problem with the use of SMS for 2-factor auth is not that you have to pay for the messages (paying for incoming text messages is an artifact of the horridly broken pricing model for US cellphone service) but that SMS is unreliable (I have had instances of SMS messages not getting through, especially if my phone happens to be switching cells or entering a dead zone at the time) and also that with more people doing so much internet stuff on their cellphones, having the second authentication factor being the same device you are using to log into the web site makes things a lot less secure.

Re:Proliferation of two-factor means (1)

Anonymous Coward | about 3 months ago | (#46916701)

The real problem is that I don't want to give my fucking phone number to random asshole websites. If any website tries to force me into coughing up my phone number in order to register, I instantly know it's absolute garbage and take my leave.

Re:Proliferation of two-factor means (1)

mjwx (966435) | about 3 months ago | (#46916779)

The problem with the use of SMS for 2-factor auth is not that you have to pay for the messages (paying for incoming text messages is an artifact of the horridly broken pricing model for US cellphone service) but that SMS is unreliable (I have had instances of SMS messages not getting through, especially if my phone happens to be switching cells or entering a dead zone at the time) and also that with more people doing so much internet stuff on their cellphones, having the second authentication factor being the same device you are using to log into the web site makes things a lot less secure.

There are very few 2 factor systems you don't have to pay for in some way (none if we're including the cost of your time).

But I'm commenting to point out the irony that I as an Australian, could receive SMS alerts from my bank on my Australian SIM whilst roaming in the US for free. In the Philippines, you can send unlimited SMSes as long as you have 1 peso in credit (US$1 = 45 PHP or thereabouts). The cost of SMSes is largely superficial.

Re:ObXKCD: Passphrases (1)

complete loony (663508) | about 3 months ago | (#46916579)

I have wondered if the best way to measure password complexity is with an arithmetic compressor. Train it with a good dictionary, including words in various languages and any cracked passwords from hacked servers. The compressed size is the complexity measurement.

Re:ObXKCD: Passphrases (0)

Anonymous Coward | about 3 months ago | (#46916635)

Indeed, this is pretty much how it works.
One way of running an attack is to decompress the dictionary lowest entropy to highest.
The coolest thing like this is compressing log files, and using the "compressyness" of each fragment to color the logs. Common things fade to the background, interesting things are easy to spot.
You can even use that to search when things go wrong, "what interesting stuff happened just before this outage" can give you a surprising amount of information.
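Both ideas in this exchange, the compressor as a complexity meter and compressibility as a lens on log lines, worked through as an added example (not code from either commenter): zlib primed with a preset dictionary stands in for the trained arithmetic coder, and the password corpus and log lines are constructed.

```python
"""Compressed-size 'surprise' scoring for passwords and log lines.

Added example: zlib's preset-dictionary feature (LZ77 + Huffman) replaces the
arithmetic coder the commenter describes; corpora below are constructed."""
import zlib


def compressed_cost(fragment: str, corpus: bytes) -> int:
    """Bytes zlib needs to emit `fragment` when it may copy from `corpus`, with
    the fixed stream overhead subtracted. Text the corpus already 'knows' is cheap."""
    def stream_len(data: bytes) -> int:
        comp = zlib.compressobj(level=9, wbits=15, zdict=corpus)
        return len(comp.compress(data) + comp.flush())
    return stream_len(fragment.encode("utf-8")) - stream_len(b"")


# --- passwords: corpus = words and leaked passwords a cracker would try first ---
PASSWORD_CORPUS = b" ".join([
    b"password", b"123456", b"qwerty", b"letmein", b"monkey", b"dragon", b"iloveyou",
    b"admin", b"welcome", b"correct", b"horse", b"battery", b"staple",
]) + b" "


def password_score(password: str) -> int:
    """Higher means more bytes of genuine novelty relative to the cracker's corpus."""
    return compressed_cost(password, PASSWORD_CORPUS)


# --- logs: corpus = a sample of routine lines; new lines are scored against it ---
BASELINE_LOGS = b"\n".join([
    b"sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    b"sshd[2214]: Accepted publickey for bob from 10.0.0.7 port 51030 ssh2",
    b"cron[881]: (root) CMD (run-parts /etc/cron.hourly)",
    b"systemd[1]: Started Session 42 of user alice.",
]) + b"\n"


def surprise_density(line: str, corpus: bytes = BASELINE_LOGS) -> float:
    """Compressed bytes per character: the 'compressyness' one would map to colour."""
    return compressed_cost(line, corpus) / max(len(line), 1)


def rank_by_surprise(lines, corpus: bytes = BASELINE_LOGS):
    """Most novel lines first: what to read when asking what changed before an outage."""
    return sorted(lines, key=lambda line: surprise_density(line, corpus), reverse=True)


if __name__ == "__main__":
    for pw in ["password123", "correcthorsebatterystaple", "xq7!Lm#9vR2"]:
        print(f"{pw:28} cost={password_score(pw)}")
    sample = [  # constructed log lines: two routine, two anomalous
        "sshd[2290]: Accepted publickey for alice from 10.0.0.5 port 51044 ssh2",
        "cron[902]: (root) CMD (run-parts /etc/cron.hourly)",
        "sshd[2295]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2",
        "kernel: Out of memory: Killed process 4242 (java) total-vm:8212344kB",
    ]
    for line in rank_by_surprise(sample):
        print(f"{surprise_density(line):.2f}  {line}")
```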

Re:ObXKCD: Passphrases (-1)

Anonymous Coward | about 3 months ago | (#46916629)

Absolutely none. That comic is fucking moronic and obviously created by someone who hasn't worked in a real job in at least ten years.

How about we talk about the Pavlovian desire for dipshits to post that dumb fucking comic whenever passwords are mentioned?

Ah crap, I apologize for giving you a hard time personally. It's just the dumbest comic I've ever seen.

Re:ObXKCD: Passphrases (0)

Anonymous Coward | about 3 months ago | (#46916663)

math? fuck math. mah feeelz.

Re:ObXKCD: Passphrases (0)

Anonymous Coward | about 3 months ago | (#46916909)

*Uses dictionary attack, breaks password in a few hours at most

Re:ObXKCD: Passphrases (1)

Gaygirlie (1657131) | about 3 months ago | (#46916957)

*Uses dictionary attack, breaks password in a few hours at most

You clearly have no idea how that works. For one, let's assume that we have a passphrase that consists of 4 different words and there are no characters or numbers that aren't part of the words. A hacker knows the passphrase consists of 4 words, but that's all he knows. He has a, say, 50,000 word dictionary to use for his attack. Now, you have to remember that we have words as small as 2 letters and ranging all the way to several tens of letters, but also that you have 4 such words whose length you do not know -- not knowing the length of the words means the words, when looking at it from a programmatic viewpoint, could start or end at any point in the passphrase.

With the above in mind the hacker would have no choice but to simply try every single word in the dictionary in every possible combination. You probably assume he would just have to make 50,000 tries, but alas, you'd be forgetting there's 4 words and not just one; he'd have to try 50,000^4 combinations, i.e. 6250000000000000000 different combinations. And that is only if all the words are spelled correctly and are all found in the dictionary -- what if they're not all actually in the dictionary, like e.g. most of us made up lots of nonsense words when we were children and we could use those in the passphrases? Or what if there are additional characters in the passphrases and you don't know if they're at the end, the start, or in the middle of the words themselves? You'd basically have to still drop down to bruteforcing.

Preposterous (0)

Iamthecheese (1264298) | about 3 months ago | (#46916405)

Long passwords composed of random words are highly random, highly resistant to bruit forcing, and relatively easy to remember. The battle to make users remember arbitrary characters isn't just foolish, it's insecure.

Re:Preposterous (2)

msauve (701917) | about 3 months ago | (#46916417)

"highly resistant to bruit forcing"

Especially if you misspell words!

French for "noise" (1)

RuffMasterD (3398975) | about 3 months ago | (#46916975)

Spelled perfectly. It's a European thing: "highly resistant to noisy forcing"

TFA agrees (1)

tepples (727027) | about 3 months ago | (#46916453)

And the featured article agrees. It mentions Stanford tapering down complexity requirements for longer passwords, dropping them entirely at over 20 characters.

Re:Preposterous (0)

Anonymous Coward | about 3 months ago | (#46916485)

Long passwords composed of random words are highly random, highly resistant to bruit forcing, and relatively easy to remember. The battle to make users remember arbitrary characters isn't just foolish, it's insecure.

It's actually easier to incorporate non-alphanumeric characters into a passphrase than a password too. "El ni~no causes rain." is going to be really hard to brute force but easy to remember.

Re:Preposterous (1)

techno-vampire (666512) | about 3 months ago | (#46916511)

Using either hyphens or underscores to replace spaces also helps, especially if you use both of them, e.g., This-is_an_example-of-a_passphrase.

Re:Preposterous (1)

jonwil (467024) | about 3 months ago | (#46916641)

+1 to this, using foreign language characters in a passphrase is a great idea, it makes things more secure since it increases the number of combinations hackers need to try (assuming they even have the foreign language characters in their data sets, which I doubt they do).

Re:Preposterous (1)

Teun (17872) | about 3 months ago | (#46916799)

What are these 'foreign' language characters you repeat twice?

Re:Preposterous (5, Insightful)

stoploss (2842505) | about 3 months ago | (#46916825)

+1 to this, using foreign language characters in a passphrase is a great idea, it makes things more secure since it increases the number of combinations hackers need to try (assuming they even have the foreign language characters in their data sets which I doubt they do)

Enjoy being locked out when you realize that UTF8 != CP-1252 != UTF16LE, etc. Oh, and god help you if you need to use a different OS to login, or don't have rights on the given machine's account to change the input charset. And all this is before you get into the potential disconnect between the webapp's stated charset vs the backend password system's charset (your password text field input isn't being passed around as raw bytes no matter how much you might wish it to be, sorry).

There is no hell like charset encoding. Yes, in some imaginary world where everyone dropped IPv4 when IPv6 came out, simply because it was the correct technical solution, your idea might work due to ubiquitous, end-to-end UTF8.

Here in the real world, well, one time I got locked out of a shitty online banking system because I used a punctuation character in my chosen password while setting it and all non-alphanumerics were stripped from input in the login password field, thereby preventing me from ever being able to submit my chosen password.

The real world is horrific and soul crushing.
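An added example illustrating stoploss's point (not the commenter's or any bank's code): the same password string becomes different bytes under UTF-8, CP-1252, UTF-16LE and NFD, so the stored hash only matches if one canonical form is fixed at both enrolment and login; the salt, iteration count and sample password are constructed, and PBKDF2 stands in for whatever the backend actually uses.

```python
"""One password, several byte sequences, several hashes; plus the login-only
punctuation filter that locks a user out. Added example; values constructed."""
import hashlib
import hmac
import unicodedata

SALT = b"constructed-per-user-salt"      # constructed; real systems draw this randomly
ITERATIONS = 100_000


def hash_bytes(pw_bytes: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw_bytes, SALT, ITERATIONS)


def byte_forms(password: str) -> dict:
    """How different clients and OS input stacks might hand the same text over."""
    forms = {}
    for codec in ("utf-8", "cp1252", "utf-16-le"):
        try:
            forms[codec] = password.encode(codec)
        except UnicodeEncodeError:       # e.g. cp1252 cannot represent the character
            forms[codec] = None
    # Some input stacks send the decomposed form: 'n' followed by a combining tilde.
    forms["utf-8 NFD"] = unicodedata.normalize("NFD", password).encode("utf-8")
    return forms


def distinct_hashes(password: str) -> int:
    """How many different stored hashes one user-visible password can turn into."""
    return len({hash_bytes(b) for b in byte_forms(password).values() if b is not None})


def canonical(password: str) -> bytes:
    """Mitigation: normalise to NFC and encode as UTF-8, identically on both paths."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def enroll(password: str) -> bytes:
    return hash_bytes(canonical(password))


def verify(stored: bytes, password: str, login_filter=lambda s: s) -> bool:
    """`login_filter` models any transformation the login form applies that the
    enrolment form did not; the correct filter is the identity."""
    return hmac.compare_digest(stored, hash_bytes(canonical(login_filter(password))))


def strip_non_alnum(s: str) -> str:
    """The banking site's bug in stoploss's account: punctuation dropped at login only."""
    return "".join(ch for ch in s if ch.isalnum())


if __name__ == "__main__":
    pw = "El niño causes rain."          # constructed: the thread's example with a real ñ
    print("distinct hashes for one password:", distinct_hashes(pw))        # 4
    print("ASCII-only password hides the issue:", distinct_hashes("password"))  # 2
    stored = enroll(pw)
    print("NFD keyboard input still verifies:", verify(stored, "El nin\u0303o causes rain."))
    print("login form that strips punctuation:", verify(stored, pw, strip_non_alnum))
```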

Re:Preposterous (1)

ysth (1368415) | about 3 months ago | (#46916971)

zxcvbn [dropboxusercontent.com] rates that as 78 bits of entropy; 72 without the ~.

But if everyone starts using some foreign words or terms with accented characters transliterated, it becomes just another part of a cracker's dictionary, and not much better than "The boy causes rain." (59 bits, still an excellent password).

Re:Preposterous (3, Interesting)

mysidia (191772) | about 3 months ago | (#46916549)

The battle to make users remember arbitrary characters isn't just foolish, it's insecure.

Which is not what this is about. The article is about varying the password expiration by whatever password grading system you have chosen.

Without advocating a specific grading system.

But there are some pretty decent grading systems that use a graph-based approach to calculate an approximation of time to crack, based on application of different cracking techniques to different substrings within the password.

For example, for 3 common words strung together: you count the number of words in all the dictionaries that each word shows up in, and you figure time to crack for that substring as n/2 for each word, where n is the size of the smallest of the cracking reference dictionaries containing that word, and multiply those times together for the words strung together.

For common variants such as leet substitution, applying a misspelling, appending a digit, prepending a symbol, changing a case....

Of course, then, the approximate effect on crack time of all these things can be calculated.

Appending a digit multiplies it by 10.0. Prepending a symbol multiplies it by 6.0. Alternating the case of some letters multiplies the strength of that word by 2.0.

Performing leet-speak substitution multiplies the strength of that word by 1.05.

Applying a misspelling, single letter substitution, or transposition to a word multiplies time to crack that word by 26.0, etc.
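An added example (not the article's, Lance James's or mysidia's code) that ties mysidia's per-mangling multipliers to the summary's variable-expiry rule. The word lists, the attacker's guess rate and the expiry bounds are constructed assumptions, so the numbers will not reproduce the article's 4.5-day figure.

```python
"""Toy substring password grader feeding a variable-expiry policy.

Added example. Dictionaries, guess rate and expiry bounds are constructed; the
multipliers for digits, symbols, case and leet are the ones mysidia quotes."""
import re
from datetime import timedelta

# Constructed reference lists: name -> (size of the real list it stands in for, sample words).
# Only the size enters the estimate: n/2 expected guesses for a word in a list of n.
DICTIONARIES = {
    "common-passwords": (1_000, {"password", "test", "monkey", "qwerty", "letmein"}),
    "english-words": (50_000, {"test", "correct", "horse", "battery", "staple",
                               "boy", "causes", "rain", "easter", "monday"}),
}
LEET = str.maketrans("013457@$", "oieastas")  # assumed undo table for leet spellings

# Multipliers from mysidia's comment, applied per digit, per symbol, per word.
MULT_DIGIT, MULT_SYMBOL, MULT_CASE, MULT_LEET = 10.0, 6.0, 2.0, 1.05
BRUTE_ALPHABET = 26                 # fallback for a token found in no list

GUESSES_PER_SECOND = 10_000         # assumption: slow salted hash, offline attacker
EXPIRY_FRACTION = 3 / 4.5           # summary: 4.5-day crack estimate -> 3-day expiry
MAX_EXPIRY = timedelta(days=90)     # the summary's "three months"
MIN_EXPIRY = timedelta(days=1)      # assumption: anything weaker is rejected outright

TOKEN = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")


def word_guesses(token: str) -> float:
    """Expected guesses for one alphabetic token: n/2 for the smallest list
    containing it, else a plain brute-force estimate over the alphabet."""
    lowered = token.lower()
    sizes = [size for size, words in DICTIONARIES.values() if lowered in words]
    guesses = min(sizes) / 2 if sizes else BRUTE_ALPHABET ** len(token) / 2
    if token != lowered and token != token.upper():
        guesses *= MULT_CASE            # mixed case doubles the work for that word
    return guesses


def _grade(password: str, leet_decoded: bool) -> float:
    """Multiply the per-substring estimates together, as mysidia describes."""
    total = 1.0
    for tok in TOKEN.findall(password):
        if tok.isalpha():
            total *= word_guesses(tok) * (MULT_LEET if leet_decoded else 1.0)
        elif tok.isdigit():
            total *= MULT_DIGIT ** len(tok)
        else:
            total *= MULT_SYMBOL ** len(tok)
    return total


def estimate_guesses(password: str) -> float:
    """Grade the raw spelling and the leet-decoded one; an attacker tries both
    mangling rules, so the smaller estimate is the one that counts."""
    return min(_grade(password, False), _grade(password.translate(LEET), True))


def expiry_for(password: str):
    """Policy: force a change before the expected offline crack time elapses.
    Returns None when the password would have to expire in under a day."""
    seconds = estimate_guesses(password) / GUESSES_PER_SECOND * EXPIRY_FRACTION
    expiry = timedelta(seconds=min(seconds, MAX_EXPIRY.total_seconds()))
    return None if expiry < MIN_EXPIRY else expiry


if __name__ == "__main__":
    for pw in ["test123@#", "p4ssw0rd", "correct horse battery staple"]:
        e = expiry_for(pw)
        verdict = "reject" if e is None else f"change after {e.days} days"
        print(f"{pw!r}: ~{estimate_guesses(pw):.3g} guesses -> {verdict}")
```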

Why not? (5, Funny)

msauve (701917) | about 3 months ago | (#46916407)

all passwords in this post don't include the beginning and ending quotation marks

Include the quotes, and be even more secure!

Belt and suspenders to whip Bobby Tables (1)

tepples (727027) | about 3 months ago | (#46916463)

Unless the developers have taken a belt-and-suspenders approach to guarding against cross-site scripting and Bobby Tables attacks [explainxkcd.com] by not only using parameterized statements but also stripping any punctuation characters that may have special meaning in HTML or in SQL. Angle brackets, ampersands, and quotation marks become an underscore, which is a more common (that is, less entropy) character in passwords.

Re:Belt and suspenders to whip Bobby Tables (1)

msauve (701917) | about 3 months ago | (#46916491)

less entropy added > no entropy added.

Writing passwords down (2)

sinij (911942) | about 3 months ago | (#46916451)

Sure, implement this and watch most of your userbase write passwords down and keep them on the side of the monitor or under the keyboard.

Re:Writing passwords down (-1)

blue trane (110704) | about 3 months ago | (#46916473)

Passwords are security through obscurity. We need a better system altogether.

Re:Writing passwords down (5, Insightful)

ShanghaiBill (739463) | about 3 months ago | (#46916621)

Passwords are security through obscurity. We need a better system altogether.

Absolute hogwash. That is not what "security through obscurity" means at all. Security through obscurity refers to security based on an algorithm being secret, not specific per-user information.

Password in your wallet (1)

tepples (727027) | about 3 months ago | (#46916495)

Bruce Schneier considers writing down passwords to be acceptably secure [schneier.com] . Carrying around a card with your passwords on it isn't really any less secure than carrying around a piece of plastic with your credit card number embossed on it.

Re: Password in your wallet (1)

Anonymous Coward | about 3 months ago | (#46916525)

The trick is to carry around a card with your passwords on it, but then append a short (about 6 character) addition that's easy for you to remember. That way you only have to remember the short phrase and you're protected in case you lose your wallet or someone figures out the passphrase. Best system I've seen so far (of course, for daily use a password manager is lovely. This just works for logging into public computers)

Re: Password in your wallet (1)

tepples (727027) | about 3 months ago | (#46916571)

Yeah, that's roughly equivalent to the swipe-and-PIN method used by EFTPOS cards (Interac, PLUS/Visa Debit, Cirrus/Debit MasterCard) in North America.

Re: Password in your wallet (0)

Anonymous Coward | about 3 months ago | (#46916877)

Or a piece of meat with yr fingerprints+DNA!

Re:Writing passwords down (0)

Anonymous Coward | about 3 months ago | (#46916503)

In this age, are we really concerned about someone getting a paper password list? It would seem most password related threats come from automated attacks originating many miles away.

Re:Writing passwords down (2)

techno-vampire (666512) | about 3 months ago | (#46916553)

Having a hint or reminder to your password is OK, I'd think, as long as it's clear to you, but obscure to anybody else. As an example, my laptop is named after a planet used in an SF series I like. Even if somebody guessed that, there are enough places, people and things in that series to keep the hint from being any help to anybody except me.

Re:Writing passwords down (1)

Kaenneth (82978) | about 3 months ago | (#46916591)

Romulus?

Re:Writing passwords down (1)

techno-vampire (666512) | about 3 months ago | (#46916921)

No. And, what makes you think it's a TV series anyway?

Re:Writing passwords down (1)

Anonymous Coward | about 3 months ago | (#46916885)

Last I checked, Post Its have no networking vulnerabilities AT ALL.

If you trust your coworkers/family or the password is communal, this is MUCH BETTER than any form of computerised storage.

Re:Writing passwords down (1)

Anonymous Coward | about 3 months ago | (#46916933)

So long as they're taught to write down a mental jogger rather than their password. Just a word or two to remind them of what their password/passphrase is.

For example, I currently use a passphrase format of [randomly chosen non-alphanum char][some public holiday name][slightly 1337-ilised customer code][some day of the week or just the word "day"]

So for example, "_EasterC0mp4nyAMonday".

I can have a post-it note on my desk with the words "Easter Monday" on it with no issues.

The problem, of course, is in the user training required to get that logic through some thick skulls.

nobeta=1 (0)

Anonymous Coward | about 3 months ago | (#46916457)

When I say "nobeta=1" I mean "nobeta=1"

Here's a Pavlovian response. I type nobeta=1 into the URL. Slashdot directs me to a beta format story anyway. I stop coming back to Slashdot.

Too confusing to the average user? (0)

Anonymous Coward | about 3 months ago | (#46916461)

Such variance in expiration cycles would be too confusing to the average user.

Re:Too confusing to the average user? (1)

blue trane (110704) | about 3 months ago | (#46916483)

Yes of course. Some of us just don't care enough if our random login to some website we visited once isn't secure.

Re: Too confusing to the average user? (0)

Anonymous Coward | about 3 months ago | (#46916529)

That's why more sites need AC. For throwaway comments or to ask a question with no intention of ever returning etc.

Re: Too confusing to the average user? (1)

tepples (727027) | about 3 months ago | (#46916577)

With anonymous posting, how do you prevent people from inserting off-topic advertisements?

Re: Too confusing to the average user? (2)

blue trane (110704) | about 3 months ago | (#46916611)

Are they really more annoying than the popups and popunders and intrusive audio ads?

Re:Too confusing to the average user? (0)

Anonymous Coward | about 3 months ago | (#46916535)

I have to change my password every day, so I make it shorter and easier to remember each time. Now it's "12345", and I've been notified it will be valid for two hours.

Offline cracking (0)

Anonymous Coward | about 3 months ago | (#46916467)

How is offline cracking time relevant?
Surely it can't be brute forced online so why force changing the password?

Stop it (0)

Anonymous Coward | about 3 months ago | (#46916617)

Stop it with the reasonable questions.

Re:Offline cracking (1)

Anubis IV (1279820) | about 3 months ago | (#46916767)

Precisely what I was thinking. I'm not sure what problem they're trying to solve by forcing users to change passwords. Besides which, tying expiration dates to each password basically just tells the attacker which passwords are likely the easiest to brute force. That may not be a problem if your expiration dates are always sooner than the amount of time necessary to brute force the passwords, but what's to stop an attacker from simply making a box that's twice as powerful? It's a silly pursuit.

Moreover, a service which provides this sort of an "incentive" is one which users will simply stop using, since nearly no one in the mainstream is even equipped to respond appropriately. The Slashdot sort of crowd is basically the only group using password managers. Trying to incentivize this sort of behavior before password managers are in the mainstream is like shocking your dog every time it fails to clean up its own crap in the yard, despite the fact that it has no comprehension for how to use tools, bags, or whatever else you might use.

Re:Offline cracking (1)

Jarik C-Bol (894741) | about 3 months ago | (#46916839)

How exactly does the attacker know the password's expiration date? Your argument that the attacker will make a box that is twice as powerful to brute force passwords is irrelevant, because they already are doing that to brute force passwords (to whatever extent people who try to break into websites brute force anything these days). The idea that poor passwords should be prompted to be changed more often is, on the surface, a great idea, but it all falls apart when you know that anyone that chooses "1234ABCD" as their password will simply change it to "5678EFGH" when forced to change it every 3 weeks. People that make their password "GRSvD@wo0tzLeMUxzPWNZSD56qwertyioup)" don't NEED to be prompted to regularly change their password, because it's insanely hard to crack compared to 1234ABCD, and they probably change it of their own volition because they understand passwords.

Re:Offline cracking (1)

Anubis IV (1279820) | about 3 months ago | (#46916863)

How exactly does the attacker know the password's expiration date?

How exactly WOULDN'T they? If the attacker is doing offline brute forcing of passwords, that means they've obtained at least a partial copy of the database for the site (since they have to have the hashes and salts), at which point it's probable that they would have also obtained the expiration dates linked to each password.

Your argument that the attacker will make a box that is twice as powerful to brute force passwords is irrelevant, because they already are doing that to brute force passwords (to whatever extent people who try to break into websites brute force anything these days).

That was more or less what I was getting at. Anyone who implemented such a system would be constantly needing to tweak the expiration dates to keep up with whatever the latest password cracking hardware and methodology happened to be so that they could ensure the expiration dates were always sooner than the brute force time necessary. It's a high maintenance system and a silly pursuit, as I said before.

The idea that poor passwords should be prompted to be changed more often is, on the surface, a great idea, but it all falls apart when you know that anyone that chooses "1234ABCD" as their password will simply change it to "5678EFGH" when forced to change it every 3 weeks.

I disagree that it sounds good on the surface, since it would lead to a horrid user experience, but I do agree that it falls apart. That's why I was pointing out that it's a worthless thing to incentivize, since the people you're trying to encourage are technologically incapable of equipping themselves in most cases with the tools necessary to circumvent the disincentive, and, frankly put, they have more important things to be spending their time on than dealing with some random site forcing them to reset their password once a week. Again, it falls apart because we're asking people to change without giving them the tools to do so.

Forcing password changes is never a good idea (5, Insightful)

wisnoskij (1206448) | about 3 months ago | (#46916469)

Because all you are going to get is users deciding that they cannot come up with a 10th password that year and just picking "123456".

"I'd like to see adopted just about everywhere I have a password (which, these days, is quite a few)"
What a joke. If every site used this method I, and many other people, would need to change multiple passwords every single day of the year. The entire system would break down and become completely unmanageable.

Re:Forcing password changes is never a good idea (2)

The MAZZTer (911996) | about 3 months ago | (#46916497)

I think the idea is you'd let the user know. "This password would take approximately 4.5 days to crack. For your security, you will be required to change this password after 3 days. Alternatively, you may pick a longer, more secure password to lengthen this interval (for example, a 16 character password will only require a change after XX years)." Or something.

Re:Forcing password changes is never a good idea (3, Insightful)

Mr. Slippery (47854) | about 3 months ago | (#46916683)

I think the idea is you'd let the user know. "This password would take approximately 4.5 days to crack....

..."if we are incompetent enough to divulge your encrypted password." So, how about you don't divulge my encrypted password, then?

Re:Forcing password changes is never a good idea (0)

Anonymous Coward | about 3 months ago | (#46916793)

A single password may take 4.5 days to crack, but what about millions of those passwords? Everyone should just use them!

Re:Forcing password changes is never a good idea (0)

Anonymous Coward | about 3 months ago | (#46916541)

Forcing password changes, or preventing password reuse, basically means that the typical user will either write down their password, or they will be visiting your lost password recovery system, which had better be pretty damn secure.

Re:Forcing password changes is never a good idea (1)

techno-vampire (666512) | about 3 months ago | (#46916575)

Years ago, I worked for an ISP. Once they realized that they were able to put expiration dates on employees' passwords, they did so. Not just for things that we could access from home, but for services on the internal LAN that couldn't be reached unless you were physically on site. My response was to make them as rude and vulgar as I could, both as an expression of what I thought of the policy and because I knew that this would make them easier to remember. And, of course, a little bit of creative spelling didn't hurt.

Re:Forcing password changes is never a good idea (1)

LiquidAvatar (772805) | about 3 months ago | (#46916753)

You shouldn't be using the same password across multiple sites anyway. Break down and get a password safe and then just use randomly generated unique passwords for every site. As a side benefit, the next time some site gets hacked, you'll only need to change your password for that site instead of every site you've ever logged into.

Re:Forcing password changes is never a good idea (5, Insightful)

Maxo-Texas (864189) | about 3 months ago | (#46916829)

I struggle when I get a new phone or tablet...

And then I have to remember the netflix, hulu, pandora, google, etc. etc. etc. password.

And when I get it wrong-- I have to reset it.

And then I have to change it on EVERY device.

The other struggle is that

SITE A REQUIRES CAPITALS.
SiTe b treats capitals like lower case.
Site c requires 1st letter capital.
siTe d requires at least 1 capital.
Site! e requires punctuation.
Site~ f doesn't allow !'s.
Site1 g requires at least 1 number
5173 h requires only numbers

SiteSite1 i Has the above restrictions but requires 8 or more letters.
Sitesite j only allows 8 letters- but requires 4 or more
Site k won't work with XKCD since it doesn't allow ' 's
Site L has some permutation of these rules and won't let me reuse prior passwords- or double letters, or various other sequences, or English words in the dictionary-- so my password ends up being almost completely arbitrary.

So these days-- I write algorithmic encoded passwords on paper.
So you can look at the paper - and it doesn't mean anything to you. It's not a simple substitution cypher.

But it still sucks when I buy a new device and have to change all the passwords for something before I started writing down passwords.

Another thing password services (not job passwords) have is a duration of YEARS. I'm supposed to remember a password I created 7 years ago that met arbitrary rules- which they won't tell me now. Meh.

Re:Forcing password changes is never a good idea (0)

Anonymous Coward | about 3 months ago | (#46916911)

a user who picks [sample password] might be required to change the password in three days

...

based on calculations showing it would take about 4.5 days to find the password

... and you say...

I[...] would need to change multiple passwords every single day of the year.

So, in other words, your passwords are even worse than the example of an insufficient password that gets cracked in less than half a week.

Not only do you pick sucky passwords for everything, but you just publicly posted that fact. Hmm... if I'm looking for an easy target to attack, then guess: who do I choose?

The entire system would break down and become completely unmanageable

Personally, I am not in favor of a new password requirement scheme. I am more in favor of wide deployment of an easy to use system that involves using private keys that humans will not be able to memorize. It's easier, and more secure: wins all around. The only problem is that a suitable "easy to use" system hasn't been (imagined, designed, and then) mass deployed. The most manageable solution involves breaking down (er, well, replacing) the current entire system. Once people learn that they can stop using tough passwords, there will be demand to upgrade systems to the more secure and easier alternatives. It's bound to happen.

Until that day arrives, try pointing that gun a little bit further away from your foot.

Re:Forcing password changes is never a good idea (1)

AudioEfex (637163) | about 3 months ago | (#46916967)

Precisely.

Some of the replies to you say "well, that just forces people to make more complex passwords" so they last longer, but that's just the same-old. And anyone that deals with this from a business standpoint will tell you that the real problem with requiring customers/users to have more complex passwords is the more complex you make them, not only the more frustrated the customers get - but you also have to make it even easier for them to reset their passwords.

Just anecdotally, I know of one medium-sized financial company that increased their password complexity requirements, and they had to double their call center size practically overnight to compensate for all the extra phone calls from folks who needed to reset their password, and/or were just so upset that it was so much more difficult to use their site (and they even offered an email reset option). Financially, it would have been cheaper to just cover any potential losses that may or may not happen vs. the ongoing cost of maintaining that (temps are expensive) and the cost of customer satisfaction (yes, people really do cancel accounts because they find it too difficult to log in to the website).

In truth, this discussion is largely academic in nature - because brute force is rarely used to gain access to a website, and rarely works anyway as most sites lock you out after a certain amount of attempts (see above, the costs of maintaining password resets).

If you really do want to fend off brute force, for whatever reason, using words at all is going to be susceptible. The best password method I have found is using the "first letter" phrase method. For example, if your favorite song is "Itsy Bitsy Spider", using "Ib8cutws" (since a spider has 8 legs, substituting 8 for spider, in this instance). A saying, phrase, or song that is easy to remember for you, but typically difficult to guess (even by someone who knows you - just like murder, it's most likely to be someone you know who can do real damage). Then append either as a prefix or a suffix whatever appropriate to the website that you can remember to make it unique to that site.

If you want to make a truly unique password for each site, you can keep a list - but using the above method you can easily code the list itself. For example, if your phrase is a quote from Shakespeare, you write down the name of the teacher whose class you first heard it in. Or if it's a song, the name of the person it reminds you of. That way, even if someone finds your paper or electronic list, there is little they can discern from it.

Again, though, in truth - most times someone is going to hack your account and try to do anything untoward, it's going to be someone you know. And while even some financial accounts are sensitive (say, something like PayPal where you can transfer funds in and out of accounts and to third parties), in most cases - like your basic credit card - there is little incentive for a 3rd party to try to access your data. You can usually get your credit card number from your statement PDF, but your expiration date and CCN aren't going to be found. Same with basic bank accounts - unless it has the ability to transfer out. At most someone can request a new card/change of address - but that is so clumsy, traceable, and isn't going to gain a true criminal anything on a significant scale. Yet again, it's most likely going to be someone you know (a relative or employee), who can access these things other ways as well.

The real danger financially is merchant hacks (such as Target) and the like; very few people are just sitting around trying to get into random accounts because there is so little they can do.

All that said, and sort of a side note, but all the paranoia about electronic financial stuff is like folks feeling safer driving a car than being in an airplane. By far it is much safer to handle your transactions/payments online, because the most insecure thing you can do is write a check and mail it. That check has printed on it your full name, address, and all the information someone would need (routing number, acct number) to directly transfer funds out of your accounts rather instantly.

Today, when you mail a check to your insurance company, say, to pay a premium - it doesn't actually go to the company. It goes to a "lock box" - a company that processes checks for hundreds or even thousands of companies. So you put it through the mail, with God knows how many hands going through it before it actually gets there (and hopefully doesn't fly off a truck), once it gets there, it is opened by a minimum wage worker, who scans it - electronically - and then (hopefully) sticks it in a shredder. So your payment is already going electronically - it just goes through dozens or even hundreds of hands before it gets there, unlike just paying your bill online yourself. Try explaining that to Grandma, though, who insists that writing checks is the only way she feels safe.

Does anyone still choose a password? (1)

Kittenman (971447) | about 3 months ago | (#46916477)

I just say 'generate' to PasswordSafe (right now my tool of choice) and have an 8-character pile of gibberish that I can't pronounce and never read. If someone points a gun to my head (the NSA?) and asks for my online banking password, I can only - truthfully - say that I have no idea.


BTW, pavlovian to me implies egg whites and sugar, mixed and then baked. Then cream.

Then they'll ask for the master password (1)

tepples (727027) | about 3 months ago | (#46916519)

Someone can still point a wrench [xkcd.com] to your head and ask for your PasswordSafe master password. What would be your truthful answer to the following question: "Do you know your online banking password, or any other password that can be used to retrieve your online banking password?"

it'll happen like this (0)

Anonymous Coward | about 3 months ago | (#46916569)

"give me your password"

" i don't know"

*glug glug*

"wait stop the computer has it in PasswordSafe"

Re: Does anyone still choose a password? (1)

evanism (600676) | about 3 months ago | (#46916531)

And tropical fruits.

Mmmmm.

The only sensible approach - a encrypted key chain (1)

mar.kolya (2448710) | about 3 months ago | (#46916493)

The perception of website owners that I HAVE to remember their password just shows an overblown feeling of self-importance among site owners.

The only sensible approach - completely random passwords, generated by some tool and stored in a key chain with one good master password.

The idea that a user would somehow remember a password for each site he uses is simply stupid. The number of passwords can easily go up to a hundred. And if all sites start insisting on changing them once in 3 days, users will likely go insane.

And be damned those site owners who make it very difficult for a browser to insert a saved password. And the worst I've seen so far is Home Depot's credit services (owned by Citibank, I presume).

And yes, I know, passwords are used not only on websites. Nevertheless - in an ideal world the user just plugs in his encrypted key chain and uses it to access everything he needs with one password. Well, maybe two - personal and work.

They should go much further (2)

fustakrakich (1673220) | about 3 months ago | (#46916507)

The computer will tase the users if they forget to change their passwords at the prescribed time. If they do remember, give them a biscuit, with a glass of milk if it's a strong password.

Re:They should go much further (0)

Anonymous Coward | about 3 months ago | (#46916831)

Now that's Pavlovian!

No one will guess... (0)

Anonymous Coward | about 3 months ago | (#46916527)

my password! I'll just choose "5f4dcc3b5aa765d61d8327deb882cf99" without the quotes as my password. It will take forever for someone to brute force that! HAHAHAHA! (Yes, I know better.)

Re:No one will guess... (1)

craighansen (744648) | about 3 months ago | (#46916627)

Sure, and it's nice that you can type "echo -n password | md5sum" to a shell if you forget the hex. But it might be better to keep your password secret, unless you intend to google "No one will guess... site:it.slashdot.org" to retrieve it in the future. You might as well tell everyone that a great password is "correct horse battery staple" - no one would guess THAT - and it's easier for a human brain to remember than xkcd.com/936/

Re:No one will guess... (0)

Anonymous Coward | about 3 months ago | (#46916647)

What I was getting at was that it's not a good idea to use md5 to make it look complex, since the entropy isn't that much higher I believe.

Dice words might be better, except for the issue of length. Although, it can be shortened with md5 while still maintaining entropy.

Re:No one will guess... (0)

Anonymous Coward | about 3 months ago | (#46916983)

Correction: diceware

Time to move post-password anyway (0)

Anonymous Coward | about 3 months ago | (#46916547)

I should not have to remember a password, the system should handle it for me.

Re:Time to move post-password anyway (1)

tepples (727027) | about 3 months ago | (#46916589)

So how do you plan on carrying this "system" everywhere you go and having it interface with every other piece of hardware that you use? If you plan to use your smartphone or pocket tablet to remember your passwords, can it emulate a keyboard to key in the password? Does the machine into which you must enter your password even have an accessible USB port?

Re:Time to move post-password anyway (1)

blue trane (110704) | about 3 months ago | (#46916669)

Passwords are an annoying hack. Trying to force users to accept more and more onerous conditions to satisfy this hack is just laziness. Think up a better system.

Why bother? (0)

Anonymous Coward | about 3 months ago | (#46916555)

It's so much easier to read the sticky notes stuck in the top drawer of the desk, or call the help desk with the birthday, high school, home address and first car of your target?

Let the password fit the site (1)

petes_PoV (912422) | about 3 months ago | (#46916581)

I'd like to see sites develop password policies that reflect the value of information the passwords are guarding.

For example, if a password unlocks access to a bank account, it's reasonable for the bank to require more secure forms of access: including ones that are better than mere passwords themselves.

However if all a website visitor has at risk is comments about stories. Comments that can be, and often are, as banal as I lik [sic] catz then even a 1 character password seems like overkill. As it is, the website owner often has a highly inflated idea of the worth of his/her/its website and maybe even an unbalanced paranoia towards security in general - maybe passwords aren't actually their biggest security problem. So I'd suggest the answer is for users to vote with their feet (or their passwords) and feed back to the admins what THEY think is the right level of annoyance they should be put to, in order to access websites' "riches". It might be a lot lower than the owners think it should be.

Makes sense only if hashed file is public (1, Insightful)

bugnuts (94678) | about 3 months ago | (#46916587)

The three-day limit is based on calculations showing it would take about 4.5 days to find the password using offline cracking techniques.

If you're assuming your hashed password file is public or you allow unlimited login attempts without shuttering the connections, then this makes some sense. But if your pw file is public you need to force a change far before the average crack time (like 2 stddev), which probably means hours on an average of 3 days to crack.

But if your pw file isn't supposed to be public, then you're setting a policy assuming your system has been cracked and are passing bad math onto the users as annoyance. And then blaming them. If you fail to factor in the likelihood of the password file being taken, then all the "average time to crack" might not matter.

Because eventually it will be (3, Informative)

tepples (727027) | about 3 months ago | (#46916603)

Yes, we're assuming that the hashed password file has a substantial probability of getting leaked, just as it was in several other high-profile breaches (Sony, Target, etc.). If it's impossible for an inside job to leak the password file, then how can the system 1. use the password file to authenticate users and 2. back up the password file in case of hardware failure?

Re:Makes sense only if hashed file is public (2)

TubeSteak (669689) | about 3 months ago | (#46916643)

But if your pw file isn't supposed to be public, then you're setting a policy assuming your system has been cracked and are passing bad math onto the users as annoyance.

Dude, the first step to good security is to assume you've been compromised and then construct your defenses based on that assumption.
It's called defense in depth [wikipedia.org].

Or to look at it from another angle: we all have locks on our homes, but you still wouldn't leave $10,000 in cash just sitting on the kitchen table, would you?
Of course not, you'd hide it, preferably in a safe that's bolted to the floor.

We should increase password strength rules! (1)

tlambert (566799) | about 3 months ago | (#46916605)

We should increase password strength rules!

Right now, at most sites, the strength rules are such that they disallow a significant portion of the unconstrained search space.

If we keep increasing the number of constraints, we will further reduce the search space.

Eventually, we will get to the point where I only have to remember one password, because it's the only password I, or anyone else, is allowed to have.

Re:We should increase password strength rules! (0)

Anonymous Coward | about 3 months ago | (#46916709)

Nah. We need to have 1 for each password policy.

  • Minimum 3 lower-case letters
  • Minimum 2 digits
  • Minimum 1 upper-case symbol
  • Minimum 1 other symbol
  • Maximum 8 letters in password (a sign the password is stored in plain-text as a fixed-length string in the database)
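An added example (not from the thread or from any site mentioned in it): it counts exactly how much of the 7-8 character search space the policy listed above leaves to an attacker who knows the rules, which is tlambert's point, and then turns a crack-time estimate into an expiry that bounds the probability of the password being found first, which is the point of the "Makes sense only if hashed file is public" subthread. The guess rate and the probability budget are assumptions, labelled in the code.

```python
"""Search-space shrinkage under a composition policy, and an expiry derived
from the resulting crack-time estimate.  Added example; the 1e9 guesses/s
attacker speed and the 1% budget below are assumptions, not figures from
the thread."""
from functools import lru_cache

# Printable-ASCII character classes (space excluded); the sizes are facts.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASSES.values())  # 95

# The policy from the comment above: at least 3 lower, 2 digits, 1 upper,
# 1 other symbol, at most 8 characters.  The minimums add up to 7, so a
# 7-character minimum is implied.
POLICY = {"lower": 3, "digit": 2, "upper": 1, "symbol": 1}
MIN_LEN, MAX_LEN = 7, 8


def count_passwords(length, minimums):
    """Number of strings of exactly `length` printable-ASCII characters that
    contain at least minimums[c] characters of each class c (unlisted
    classes need 0).  Dynamic programme over positions; each class count in
    the state is capped at its minimum, so the state space stays tiny."""
    names = list(CLASSES)
    need = tuple(minimums.get(n, 0) for n in names)
    sizes = tuple(CLASSES[n] for n in names)

    @lru_cache(maxsize=None)
    def go(pos, have):
        if pos == length:
            return 1 if have == need else 0
        total = 0
        for i, size in enumerate(sizes):
            nxt = list(have)
            nxt[i] = min(need[i], have[i] + 1)
            total += size * go(pos + 1, tuple(nxt))
        return total

    return go(0, (0,) * len(names))


def policy_space(min_len, max_len, minimums):
    """Keyspace an attacker who knows the policy actually has to search."""
    return sum(count_passwords(n, minimums) for n in range(min_len, max_len + 1))


def unconstrained_space(min_len, max_len):
    """Keyspace with no composition rules at all, same length range."""
    return sum(ALPHABET ** n for n in range(min_len, max_len + 1))


def expiry_days(keyspace, guesses_per_second, max_hit_probability):
    """Brute force in random order hits the password at a point uniformly
    distributed over the keyspace, so P(found by t) = t * rate / keyspace.
    Return the longest expiry (in days) that keeps that probability at or
    below the budget; the 'average time to crack' alone says nothing about
    how often the attacker wins before the reset."""
    seconds = max_hit_probability * keyspace / guesses_per_second
    return seconds / 86400


if __name__ == "__main__":
    allowed = policy_space(MIN_LEN, MAX_LEN, POLICY)
    total = unconstrained_space(MIN_LEN, MAX_LEN)
    print(f"policy keeps {allowed / total:.1%} of the 7-8 char search space")
    rate = 1e9  # assumed: unsalted fast hash on a GPU (constructed figure)
    print(f"exhaustive search of the policy space: {allowed / rate / 86400:.1f} days")
    print(f"expiry keeping P(found first) <= 1%: {expiry_days(allowed, rate, 0.01):.2f} days")
```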

Adobe Password List top 100 (1)

lemur3 (997863) | about 3 months ago | (#46916623)

For those interested in the kind of stuff that people do.. here is the top 100 list of passwords from the 130 million that Adobe lost last year: http://stricture-group.com/fil... [stricture-group.com]

The thing that amuses me (or terrifies) is that nearly 2 million of the people had "123456" as their password..

nearly another million had one of these: "123456789" "12345678" "1234567", and "1234567890" ...345,000~ chose "password" as their password (good going adobe.. why is that even allowed?)

I like the people who chose "photoshop" as their password. ..

Going through that list you can just see people's minds working. It is crazy to see what people do.

Re:Adobe Password List top 100 (0)

Anonymous Coward | about 3 months ago | (#46916713)

I'll just pick the 100th password from that list and I'll have the safest password!

Huge massive gaping hole (3, Interesting)

EmperorOfCanada (1332175) | about 3 months ago | (#46916687)

A very simple problem opened up by making users rapidly change their passwords is that they will frequently forget what they just changed them to. They will change it last minute on Friday to something genius and on Monday scratch their heads and go, "Crap". So now they are going to call tech support who will walk them through some crude verifications and give them a new password.

A perfect example of this is a relative of mine who works for government. He was complaining about the frequent password changes he has to do. So I bet him that we could look under everyone's keyboard and find some passwords. Two of his people put them on post-it notes under the keyboard, and another guy just had 30 passwords written on the bottom of his keyboard, which oddly provided some security as I couldn't guess which one was the newest.

But the best part was that I bet that with my relative's wallet and his most recent pay stub I could talk IT into resetting his password. So I called them up and they promptly walked me through resetting his password; but they didn't ask me a single question. So in the end I asked them how they knew I was me (him) and they said it was because of what phone I was calling from. I asked what they would have asked had I been home and they said, birthday, maybe the office's postal code.

So it wouldn't have mattered what genius password scheme they were using as the more genius it was the worse their social hacking problem would become.

A different relative who works for a different branch of government could even log in without her key fob as all she had to do was phone IT and whine until they let her in from home.

Now you might just wave your hand and say, no problem just bolster the security by telling them not to be nitwits. But those guys weren't being nitwits. In government or any large organization if you piss the wrong person off you will lose your job far faster than if someone hacks the system. So maybe for Sally secretary they might not be so persuaded but in the case of where I phoned in a forgotten password the person who should have been sitting at that desk could have an IT person's head very quickly. As could the other relative who whined past the need for a key fob.

wrong (1)

slashmydots (2189826) | about 3 months ago | (#46916689)

So you assign it a time rating. When someone steals the entire password file, the ones associated with the shortest time limits will basically say "brute force these ones." It's the stupidest idea ever.

I just read an interesting story about Pavlov. (5, Funny)

RevWaldo (1186281) | about 3 months ago | (#46916783)

One day Pavlov walked into a bar and ordered a cognac. He was about to take a sip when the barkeep rang him up. He dropped his glass and shouted "Shit! I've got to feed the dogs!" and ran out.

.

Let the user choose (1)

duke_cheetah2003 (862933) | about 3 months ago | (#46916803)

I really dislike any authentication system that rejects MY chosen password. It's my security, not yours, that I'm gambling on if I want an easy-to-type password. And the ones that make you change it x number of days are even worse.

This is outright stupid. You can't force people to choose a decent password, they either will or they won't and no 'system' is going to force it upon them. At best, you're just creating a support irritation as people forget the password they were forced into changing.

Just dumb, can't say it enough. Leave me and my (in)secure passwords alone!

Re:Let the user choose (0)

Anonymous Coward | about 3 months ago | (#46916939)

and when you get your shit deleted you'll be the first to waste someone else's restoring it

Pavlovian Psychology? (0)

Anonymous Coward | about 3 months ago | (#46916835)

Does that mean the password has changed when I start salivating?

I prefer Skinner's methodology... (1)

mmell (832646) | about 3 months ago | (#46916837)

...let me give them an electric shock (say, through the keyboard) with voltage inversely proportional to password strength. That ought to encourage the use of something stronger.

Forgot Password (0)

Anonymous Coward | about 3 months ago | (#46916925)

Had the same user chosen "t3st123@##$x", he would either have the password written on a piece of paper or he would himself forget it in 3 days.

Difficult passwords get written on post-it notes (0)

Anonymous Coward | about 3 months ago | (#46916927)

Difficult passwords get written on post-it notes stuck to the monitor, or in a diary etc. if they get changed regularly.
