Users feel Password Rage

CmdrTaco posted more than 10 years ago | from the hulk-no-can-log-in-hulk-smash-puny-pc dept.

Security 388

Pcol writes "The Baltimore Sun is reporting on Password Rage, the frustration users have with the abundance of codes they are required to memorize. Some cope by remembering their passwords with the help of a tune or a phrase, some use three or four levels of passwords with the most complex protecting financial information, and others keep all their passwords in a database - protected by a password. Security experts say that with the increased use of biometrics, our reliance on passwords will lessen in the future. Until then, it's ok to cheat - but wisely."

388 comments

Anonymous Coward (2, Funny)

Anonymous Coward | more than 10 years ago | (#6892489)

yup. that's my password.

hello there sir (-1, Troll)

Anonymous Coward | more than 10 years ago | (#6892490)

there is an more indepth article about this here [about.com]. if you're interested this, you should check it out.

./)/)
(._.)
(")(")

GOATALERT (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6892502)

Parent links to goatse through an about.com redirect.
http//politicalhumor.about. com/gi/dynamic/offsite. htm?site=http%3A%2F%2Fwww.goatse. cx%2F

WARNING: PARENT CONTAINS GOATSE LINK (0)

Anonymous Coward | more than 10 years ago | (#6892512)

fp (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6892491)

shit just missed it :(

Re:fp (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6892562)

YOU FAIL IT! Your first post stinks! Who taught you that? I suggest you go clean shit!

USB keys (4, Interesting)

chrysalis (50680) | more than 10 years ago | (#6892495)

USB keys are really neat to store keys (PGP, SSH, etc.).

This is definitely the handiest way to replace multiple passwords.

Re:USB keys (1)

winkydink (650484) | more than 10 years ago | (#6892521)

I agree they are great until you find yourself at a machine that won't accept it (e.g., web kiosk).

Personally, I use 5 passwds, 8 chars long, alpha + numeric + non-alphanumeric. The more sensitive the information being protected, the less frequently a particular passwd gets used.

I haven't been cracked yet.

That I know of. :)

Re:USB keys (3, Interesting)

gl4ss (559668) | more than 10 years ago | (#6892689)

and you should trust the computer you stick that stick in anyways.

one guy i used to know had a system (5-7 years ago?) of cycling passwords on his computer, so that if somebody found out one of the passwords it didn't really help the thief shit, banks use this type of system frequently.

Re:USB keys (3, Interesting)

neglige (641101) | more than 10 years ago | (#6892543)

If you have a PDA, use a software to store the (encrypted) passwords. And make damn sure your PDA won't get stolen :)

Re:USB keys (1)

JeffTL (667728) | more than 10 years ago | (#6892564)

And moreover password your PDA -- last I checked the manual for my Palm, the only way to remove the password is to wipe the PDA.

Re:USB keys (2, Insightful)

axxackall (579006) | more than 10 years ago | (#6892636)

And even moreover keep the backup of your Palm in your bank. Just for a case if your PDA is stolen or broken.

Re:USB keys (5, Interesting)

TCM (130219) | more than 10 years ago | (#6892632)

How does this prevent malware from reading it off your USB stick _and_ using it? Right, you protect your private PGP key with.. a password!

The only thing that comes to mind that's even remotely sophisticated is an "intelligent" USB stick, so to speak. It contains your private key and never gives that out to anything. Instead, it gets fed a challenge, encrypts it using the key and sends it back to the computer where the corresponding public key is stored.

Is anyone using something like this on a regular basis (for his home server/desktop)?

Re:USB keys (4, Informative)

curious.corn (167387) | more than 10 years ago | (#6892715)

those are smartcards you are talking about. They contain a small general-purpose microprocessor and special storage for OS and data. Once locked, data cannot be read out of the device but only used within the programs stored within. It appals me that those things aren't ubiquitous and/or used for POS C/C systems. Some cryptanalysts managed to weasel some data out of them only by physically interfering with the operating device to cause program execution failures (heating or EM interference). Still much safer than a crummy magnetic strip and a numeric code.
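The challenge-response exchange TCM describes above, sketched as an added example that is not part of the original thread. It assumes an Ed25519 signature in place of "encrypts it using the key"; the `Token` and `Host` types and the context string are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// sigContext is prepended to every challenge before signing, so a login
// response can never double as a signature over some other kind of data.
const sigContext = "login-challenge-v1:"

var (
	ErrUnknownChallenge = errors.New("challenge was not issued or was already used")
	ErrBadResponse      = errors.New("response does not verify against the stored public key")
)

// Token models the "intelligent" USB stick (hypothetical type): the private
// key is an unexported field and no method ever returns it.
type Token struct {
	priv ed25519.PrivateKey
}

// NewToken generates the key pair "inside" the token and hands out only the
// public half, which the host stores at enrolment.
func NewToken() (*Token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv}, pub, nil
}

// Respond signs the challenge; this is the only operation the token offers.
func (t *Token) Respond(challenge []byte) []byte {
	return ed25519.Sign(t.priv, append([]byte(sigContext), challenge...))
}

// Host is the computer that holds the public key and issues challenges.
type Host struct {
	pub     ed25519.PublicKey
	pending map[string]struct{} // challenges issued and not yet answered
}

func NewHost(pub ed25519.PublicKey) *Host {
	return &Host{pub: pub, pending: make(map[string]struct{})}
}

// NewChallenge returns 32 fresh random bytes and remembers them as outstanding.
func (h *Host) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	h.pending[string(c)] = struct{}{}
	return c, nil
}

// Verify accepts a response only for a challenge this host issued, and only
// once: the challenge is consumed before the signature is checked, so a
// recorded response cannot be replayed later.
func (h *Host) Verify(challenge, response []byte) error {
	if _, ok := h.pending[string(challenge)]; !ok {
		return ErrUnknownChallenge
	}
	delete(h.pending, string(challenge))
	if !ed25519.Verify(h.pub, append([]byte(sigContext), challenge...), response) {
		return ErrBadResponse
	}
	return nil
}

func main() {
	token, pub, err := NewToken()
	if err != nil {
		panic(err)
	}
	host := NewHost(pub)
	c, err := host.NewChallenge()
	if err != nil {
		panic(err)
	}
	resp := token.Respond(c)
	fmt.Println("first use:", host.Verify(c, resp))
	fmt.Println("replay:   ", host.Verify(c, resp))
}
```

The key cannot be copied off such a token, but a compromised machine can still ask it for responses while it is plugged in, which is the trust point gl4ss raises above.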

Wallet (4, Interesting)

spoonist (32012) | more than 10 years ago | (#6892499)

Store them in your wallet like Bruce Schneier [counterpane.com] does.

Note: I don't store mine in my wallet, so keep your hands to yourself!

Re:Wallet (4, Interesting)

amcguinn (549297) | more than 10 years ago | (#6892707)

And check his reasons for doing it: A wallet is a secure container for things you don't want to lose or have stolen. If I lost my wallet, the handful of medium-high importance passwords I would compromise would be among the least of my worries.

Using the same passwords for multiple different services is much more dangerous, and no-one could possibly memorise unrelated secure passwords for everything needed. I need about 20 just to do my work, and I'm usually required to change one or two of them every week.

The worst was my office voicemail. I rarely used it, and the required password change frequency was set so high that it demanded a new password every single time I tried to pick up a message. The end result was I turned the fscking thing off as it wasn't worth the effort to use.

Password rage? Try password-phobia. (4, Interesting)

JessLeah (625838) | more than 10 years ago | (#6892500)

I had an ex-boss-- the CEO of a dot-com-- who simply hated passwords. Her solution? Set up all of our workstations without a password at all, or with the same password, which never changed. (The password was the name of the company.) This was in an office in New York City, which we shared with other companies.

Apparently, this hatred of passwords had even spread so far as the techs-- when I joined the company, I almost immediately found that one of our three servers (running Windows NT 4.0 Server, no less) had NO Administrator password whatsoever.

Users simply do not understand why passwords are important. They are completely unaware of the concept of a bad password (say, "apple") being cracked by a dictionary attack, and then being used as a stepping stone to gain root (at which point it's all over). I run a Web host myself, and I constantly have to explain to users why good passwords are important. And this problem has gotten much worse with time (at present my company is 5 years old).

People generally have the attitude of "Oh, who would try breaking into my account, I just have some photos of my cat there." Maybe so, but if your account has a one-word password, and you have shell or FTP access to the system, Bad Things could happen if your account was compromised...

And then, of course, the techs (us!) would get blamed.

But where do you draw the line? (5, Informative)

reachinmark (536719) | more than 10 years ago | (#6892565)

Banks in Sweden are currently running a new BankID system. You can use this to access several government facilities, including submitting claims for sick leave and possibly (in the future) voting, over the internet. The password protection? Your certificate must be unlocked with a password that is at least 12 but at most 16 characters, of which at least 3 must be digits, and 4 alphabetical characters. Oh, and you can't simply repeat a word two or three times - they check for that. The end result? A password so annoyingly difficult to remember that of course everyone has it written on a post-it note by their keyboard.

Now THAT gives me password-rage.

Re:But where do you draw the line? (1, Interesting)

JessLeah (625838) | more than 10 years ago | (#6892580)

Post-it notes by keyboards don't bother me so much, unless they are on mission-critical accounts, in situations where untrusted individuals (e.g. janitors, or the public, as in the case of someone who works at an Internet Cafe/public library/school) can get to them.

What bothers me is when users use passwords like "sophia" or "pears" or "1952" and then expect ME to safeguard their accounts... AND to make matters worse they have zero clue about the risks they are placing OTHER accounts in by doing so.

Re:But where do you draw the line? (1)

Tack (4642) | more than 10 years ago | (#6892712)

Post-it notes by keyboards don't bother me so much, unless they are on mission-critical accounts, ...

But didn't you just say:

  • Users simply do not understand why passwords are important. They are completely unaware of the concept of a bad password (say, "apple") being cracked by a dictionary attack, and then being used as a stepping stone to gain root (at which point it's all over).

A janitor sticking his mail password on his monitor might not be so disastrous, but, as you say, stepping stone ...

If people want to write their passwords in their wallet (with no reference to which account it is), because, well, to borrow Schneier's (paraphrased) words, "I have a life time of experience keeping my wallet safe." But post-it notes by the keyboard is definitely where I draw the line -- even if it is only a janitor.

Jason.

Re:But where do you draw the line? (3, Flamebait)

DNS-and-BIND (461968) | more than 10 years ago | (#6892692)

Hear, hear.

Fascist password policies annoy the living fuck out of me for two reasons. First, they give petty power pushers an ever-so-delightful way of punishing their users. Second, they don't freaking work because nobody can remember the passwords and they simply write them down and post them to the monitor. I'm as security-aware as anyone here, and I've done that before with irritatingly difficult passwords, only I keep them in my wallet instead of on my monitor.

I have a number of web-based email accounts and message board aliases, and for most of them I use the same password, easily guessable by Jack the Ripper or equivalent. It would give your average BSD admin a shitfit, but you know what? Fuck 'em. I have better things to do than pleasing anal-retentive system administrators. Been there, done that, didn't keep the trial issue or the free gift.

Re:Password rage? Try password-phobia. (2, Insightful)

trikberg (621893) | more than 10 years ago | (#6892578)

I just have some photos of my cat there.

I've found that the best argument to this is to say that it does not matter what can be taken from you, but what can be done in your name by breaking the password. If the account is compromised anyone could send mail in your name or use your account to store illegal material.

Trying to explain about root access and such things will be met by a blank stare. It's more effective to talk about the drawbacks of being discovered with someone else's child pornography in your account.

Re:Password rage? Try password-phobia. (1)

56ker (566853) | more than 10 years ago | (#6892579)

Yes but the flip side of that is that if users have hard to remember passwords eg tyGDgh6y - then they can often forget them (and be forever ringing up). Web servers should have procedures in place to at least slow down dictionary attacks anyway....

Re:Password rage? Try password-phobia. (2, Insightful)

SpaceLifeForm (228190) | more than 10 years ago | (#6892659)

Speaking of phobia, can anyone seriously explain the need to periodically change passwords?
If your password is good and you haven't given it out to anyone, what is the point of changing it? I mean, if the password is non-crackable via dictionary attack why change it to a different non-crackable password?

Re:Password rage? Try password-phobia. (4, Informative)

CommieOverlord (234015) | more than 10 years ago | (#6892695)

Because no password is uncrackable. One issue about cryptography is that things don't have to be uncrackable, so long as by the time they are cracked it is irrelevant.

If it's possible to crack your password in 7 months but you change it every 6, then the cracked password is useless. If you never change your password it can always be cracked.

Tactile memory and combinations (1)

Eric Ass Raymond (662593) | more than 10 years ago | (#6892511)

My passwords are 12-14 characters long alphanumeric codes. These codes are combinations of two 6-7 character long subsequences that I have in my tactile memory. This way I only have to remember which combination made up the password for which site.

There's help for this... sorta (4, Funny)

LostCluster (625375) | more than 10 years ago | (#6892514)

Why not use a simple password manager program such as the popular Gator... uhm, er, uhm, maybe that's not such a wise idea!

No problem for me. (4, Funny)

NetDanzr (619387) | more than 10 years ago | (#6892519)

I keep my passwords on small post-its, stuck to the edges of the monitor. Even though I must admit that recently I had to upgrade to a larger monitor because I ran out of space...

Keychain (3, Informative)

Macgoon (608648) | more than 10 years ago | (#6892520)

Built into every Mac is a utility called Keychain that remembers all your passwords for you. Of course you can get add-ons for Windows that give the same functionality for a price...

Re:Keychain (0)

Anonymous Coward | more than 10 years ago | (#6892560)

Is it really "Built into every Mac" ?

lol...

Re:Keychain (1)

axxackall (579006) | more than 10 years ago | (#6892674)

Of course you can get add-ons for Windows that give the same functionality for a price...

Or you can encrypt all your passwords with pgp for free. Works fine for me on at least 5 OSes: Linux, Windows, Mac, Unix and BSD.

Re:Keychain (1)

SiliconJesus101 (622291) | more than 10 years ago | (#6892710)

There is something for Windows that is absolutely free that does this very same thing, it's called Gator. ...now if you'll excuse me, I have this strange feeling that someone is watching me..*sigh*

Old Problem (4, Interesting)

R2.0 (532027) | more than 10 years ago | (#6892522)

Former job: had access to 3 different database systems and the LAN. Passwords had to be changed every month, and no repeats were allowed for 6 months.

Result: ALL my systems used the same password, and it was of the form [lastname+sequential 2 digit number]

I was in blatant violation of the password policies, but they were unworkable. Policy was: different passwords for each system, composed of a random string of letters, numbers, and symbols. Add in changing it every month, and you get the picture.

And BTW - everyone on site, even the IT dept., did it the way I did.

Re:Old Problem (3, Insightful)

LostCluster (625375) | more than 10 years ago | (#6892550)

Overly tight security rules lead to Type II security errors... the kind where the people who are supposed to get into the system can't. As a result, people start circumventing the rules, which ends up weakening that overly tight security... oops.

People who make the rules need to think a little more sometimes.

Re:Old Problem (1)

lone_marauder (642787) | more than 10 years ago | (#6892631)

Result: ALL my systems used the same password, and it was of the form [lastname+sequential 2 digit number]

Which is exactly the problem with that sort of password policy. It's completely unworkable. I like the quality over quantity approach. Devise a good password, protect it, and there's no reason why you can't use it indefinitely.

If that flies in the face of everything you think you know about security, consider this: if your security environment assumes that all passwords will be compromised, then you are playing the security by obscurity game, where obscurity is a function of time. That is clearly unacceptable. There simply is no substitute for good passwords and good password protection policies.

Re:Old Problem (2, Interesting)

Anonymous Coward | more than 10 years ago | (#6892645)

I feel your pain, I've been there. When I took charge of our network, things changed quite a bit. I implemented the scheme recommended in the NSA guides [conxion.com], where you force a change every 90 days and disallow repeating of the last umpteen passwords (don't remember the exact number offhand). The theory is to encourage strong passwords by giving them enough time between changes so the users don't feel like they're having to remember a new password every other day. Our users are much happier, and they actually do use stronger passwords now.

The biggest problem we have now is people being too quick to offer up their passwords. I've started randomly asking people what their password is, and if they tell me, they get a lecture on how I will *never* need their password, and to never tell anyone and why, then I make them change it immediately. It pisses them off (don't do this to the company president), but they get the point very clearly. Most people now roll their eyes and walk away when I ask, so it seems to be working.

Re:Old Problem (1)

mickwd (196449) | more than 10 years ago | (#6892667)

I've dealt with situations like this before.

You weren't the only one who treated it like you describe. I think many people used their basic password, followed by a two-digit number - often the month of the year.

The end result was that for many users a minimum password length of, say, 8 characters became a 6-character password, with a trivially-guessable two-digit suffix.

So the IT rules being enforced actually made things less secure.
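The "base password plus a two-digit number" habit described in this thread can be caught at change time, when the form already has both the old and the new password. The check below is an added example, not part of the original thread; the 8-character letter-and-digit composition rule, the type and function names, and the sample passwords are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Verdict is the result of checking one password change (hypothetical type).
type Verdict struct {
	CompositionOK bool // passes the assumed rule: 8+ characters, a letter and a digit
	Rotation      bool // same base as the old password, only the trailing number moved
	FreeChars     int  // characters left once the trailing number is set aside
}

// splitSuffix separates a trailing run of ASCII digits from what precedes it.
func splitSuffix(pw string) (base, digits string) {
	i := len(pw)
	for i > 0 && pw[i-1] >= '0' && pw[i-1] <= '9' {
		i--
	}
	return pw[:i], pw[i:]
}

// compositionOK applies the assumed composition rule on its own.
func compositionOK(pw string) bool {
	var letter, digit bool
	for _, r := range pw {
		switch {
		case unicode.IsLetter(r):
			letter = true
		case unicode.IsDigit(r):
			digit = true
		}
	}
	return len([]rune(pw)) >= 8 && letter && digit
}

// CheckChange compares the old and new password as typed into a change form.
// A change counts as a rotation when both share the same non-empty base
// (ignoring case) and differ at most in the number at the end.
func CheckChange(oldPw, newPw string) Verdict {
	oldBase, _ := splitSuffix(oldPw)
	newBase, _ := splitSuffix(newPw)
	return Verdict{
		CompositionOK: compositionOK(newPw),
		Rotation:      newBase != "" && strings.EqualFold(oldBase, newBase),
		FreeChars:     len([]rune(newBase)),
	}
}

func main() {
	// Constructed sample changes, not taken from any real system.
	samples := [][2]string{
		{"harris06", "harris07"},    // sequential counter
		{"Harris12", "harris01"},    // month suffix wrapping around, case changed
		{"harris06", "tq7#Lm2vexa"}, // unrelated new password
	}
	for _, s := range samples {
		fmt.Printf("%-10s -> %-12s %+v\n", s[0], s[1], CheckChange(s[0], s[1]))
	}
}
```

The first two samples satisfy the composition rule and still come back as rotations with only 6 free characters, which is the 8-becomes-6 effect described in the comment above.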

use a token (4, Interesting)

neglige (641101) | more than 10 years ago | (#6892524)

For those really secure passwords, I look around in my office, pick a token, and use something from it as a password. Could be the ISBN number from my favourite book. Could be a book title. Could be the favourite track on a CD (or the MD5 sum of your favourite MP3). The model of your monitor. Anything. It's unlikely you will forget which token you used and what from that token you took as a password. If you really forgot, just take a look around, and you'll remember.

This assumes, of course, that there are passwords that you only need at work, and not at home (and vice versa). It's a start, though, and reduces the number of password you really need to memorize.

Re:use a token (1)

Malfourmed (633699) | more than 10 years ago | (#6892634)

Great idea! Until you lend out your CD....

Re:use a token (1)

TCM (130219) | more than 10 years ago | (#6892668)

Great idea! Until you lend out your CD....

The point of the grandparent is this:

For those really secure passwords, I look around in my office, pick a token, and use something from it as a password.

The one that gets hold of his CD won't know what to use from it as the password or that it even contained one. It could be the MD5 sum of the first track, or the second, or some arbitrary byte range, or the starting letters of all songs whose track numbers appear in his birthday or whatever. That's a way to combine easily remembered data with more or less "random" input to form a stronger(?) password.

PS: IANACE (crypto expert)

Why are biometrics taking so long? (2, Informative)

Blaine Hilton (626259) | more than 10 years ago | (#6892526)

This article goes back to the never-ending argument about usability vs. security. I admit that I want my cake and eat it too, but there is no reason why we can't have both. Biometric devices are becoming more and more common. However, many of the systems I use are SGI Irix, and plain Linux systems that currently do not have any biometric support. Although Windows has many solutions, starting at only $99.

Until biometrics become more mainstream people should check out those cheap USB key chain mini drives. They work okay, but I still find them a pain to use.

Biometrics can't be revoked (1)

yerricde (125198) | more than 10 years ago | (#6892722)

A biometric authentication key, if compromised, cannot be revoked. You can't just be issued a new thumb.

Don't forget the admins.... (1)

Andrewkov (140579) | more than 10 years ago | (#6892527)

I get password rage myself, although it is caused by moronic users who can't remember their passwords. Since they laid off all the first level support and helpdesk people in my company, now I'm stuck resetting passwords all day. I blame the users for this, but it *will* be nice for IT staff when biometrics replace passwords.

Re:Don't forget the admins.... (1)

Anonymous Brave Guy (457657) | more than 10 years ago | (#6892573)

I get password rage myself, although it is caused by moronic users who can't remember their passwords.

You don't, by any chance, insist that all passwords consist of a minimum of 27 characters, of which no more than 17 may be alphabetic (but those are case-sensitive) and 40% of the non-alphabetic characters must be punctuation rather than digits, and then make them change to a different hard-to-remember password every five minutes, do you? ;-)

Re:Don't forget the admins.... (5, Funny)

BabyDave (575083) | more than 10 years ago | (#6892650)

... now I'm stuck resetting passwords all day. I blame the users for this, but it *will* be nice for IT staff when biometrics replace passwords.

User: I can't log in!
Tech: Your biometric data's become corrupted, we'll have to resample it
Tech pulls out meat cleaver
Tech: Now, are you left- or right-handed?

Make Password Open Source! (4, Funny)

Lieutenant_Dan (583843) | more than 10 years ago | (#6892530)

I think the enraged users would benefit from the years of experience contained within the Open Source developer community. Their impartial review of all password would facilitate the password creation password. By providing a publicly-available password list and the application of such password, users would be able to leverage off the peer-review methodology with is quite popular in Ukraine.

The Open Source developers would also be granted much quicker access and approval to systems that they deemed important to their project work. This would improve fund generation and IP (Intellectual Property) sharing which are some of the stumbling blocks in current academic circles.

Only when we improve the texture-layer vortex shading in the Matrox drivers can be unleash the full potential of quad-monitor Parphelia configuration.

Which is nice.

Re:Make Password Open Source! (0)

Anonymous Coward | more than 10 years ago | (#6892587)

You can never malloc enough cognitive pseudo-RAM to communicate the ideals of the Open Source developer community to the end user. Taking into account the non-linear transient nature of the end user and their pitiful requirements for lexical texture-layer vortex shading parsers.

So there!

Everyone who works has the right to just and favourable remuneration ensuring for himself and his family an existence worthy of human dignity, and supplemented, if necessary, by other means of social protection. 4. Everyone has the right to form and to join trade unions for the protection of his interests. Article 24 Everyone has the right to rest and leisure, including reasonable limitation of working hours and periodic holidays with pay. Article 25 1. Everyone has the right to a standard of living adequate for the health and well-being of himself and of his family, including food, clothing, housing and medical care and necessary social services, and the right to security in the event of unemployment, sickness, disability, widowhood, old age or other lack of livelihood in circumstances beyond his control. 2. Motherhood and childhood are entitled to special care and assistance. All children, whether born in or out of wedlock, shall enjoy the same social protection. Article 26 1. Everyone has the right to education. Education shall be free, at least in the elementary and fundamental stages. Elementary education shall be compulsory. Technical and professional education shall be made generally available and higher education shall be equally accessible to all on the basis of merit. 2. Education shall be directed to the full development of the human personality and to the strengthening of respect for human rights and fundamental freedoms. It shall promote understanding, tolerance and friendship among all nations, racial or religious groups, and shall further the activities of the United Nations for the maintenance of peace. 3. Parents have a prior right to choose the kind of education that shall be given to their children. Article 27 1. Everyone has the right freely to participate in the cultural life of the community, to enjoy the arts and to share in scientific advancement and its benefits. 2. 
Everyone has the right to the protection of the moral and material interests resulting from any scientific, literary or artistic production of which he is the author. Article 28 Everyone is entitled to a social and international order in which the rights and freedoms set forth in this Declaration can be fully realized. Article 29 1. Everyone has duties to the community in which alone the free and full development of his personality is possible. 2. In the exercise of his rights and freedoms, everyone shall be subject only to such limitations as are determined by law solely for the purpose of securing due recognition and respect for the rights and freedoms of others and of meeting the just requirements of morality, public order and the general welfare in a democratic society. 3. These rights and freedoms may in no case be exercised contrary to the purposes and principles of the United Nations. Article 30 Nothing in this Declaration may be interpreted as implying for any State, group or person any right to engage in any activity or to perform any act aimed at the destruction of any of the rights and freedoms set forth herein.

A few thoughts (4, Interesting)

arvindn (542080) | more than 10 years ago | (#6892536)

OnceUponATime, I used to have a password dictionary for download, here's the thoughts on passwords I'd written on that page:
Humans are horrible at selecting and using passwords. We have to live with passwords, however, since no other authentication mechanism is good enough to find use outside niches. (Let's face it: when humans interact with computers, we still have to go more than halfway to meet them.) We keep forgetting passwords, because we aren't really good at remembering lexical/numerical data. There are three things people do about this: write passwords down, choose weak passwords and choose the same password for several unrelated accounts. All of these are bad. Very bad.

Choosing the same password for different accounts is particularly bad. I imagine script kiddies have well-maintained databases of username:password pairs going around. (If they don't, at least the NSA has one.) I remember reading somewhere about how someone could easily acquire a sizeable list of username:password pairs. Set up a website offering free porn. No popups or other annoyances, but require users to create an account before being able to access much. Get word out about your site. Bingo. There you go.

A lot of websites store their users' passwords as plaintext. If crackers were conscientious enough to update a centralized list every time a website got cracked, I suppose anyone who uses the same password everywhere can be more or less certain that the black hats have got it.

I'm guilty of reusing passwords myself. I use one of only about 3 or 4 for accounts on random websites, but at least I use different ones for the machines on which I have any data that matters. The alternative of remembering all your account:password pairs is simply too much work. Browsers that fill in your password for you alleviate the problem somewhat, but if you browse from a lot of different accounts it's still a pain.

As a sysadmin there is nothing much you can do about users writing down passwords or reusing them (except perhaps lecturing), but you can ensure that they don't choose weak passwords.

Biometrics (3, Interesting)

rikun (704741) | more than 10 years ago | (#6892538)

Biometrics do seem to be the solution to this problem. The problem in itself is PATHETIC, people who put no password or easy ones deserve to be hacked, or deserve to be fired, or whatever happens. It's not THAT big of a hassle.

Anywho, there is already some biometrics hardware out for people to buy, if no one has seen it yet: http://www.thinkgeek.com/computing/input/keyboards/5f11/ [thinkgeek.com] plus ThinkGeek has an iris recognition camera, and a stand-alone fingerprint authenticator. The only real problem is that they're all $100+, and I'm not quite sure if all of those people are willing to pay that much money to rid themselves of a problem that can be so easily fixed for free.

I can't say I'd mind biometrics getting cheaper and then doing that, though... heh.

Re:Biometrics (1)

mt_nixnut (626002) | more than 10 years ago | (#6892730)

people who put no password or easy ones deserve to be hacked, or deserve to be fired, or whatever happens. It's not THAT big of a hassle.

Tough to fire the bosses. ;)

Biometrics on its own is weak authentication (5, Interesting)

Herrieman (167396) | more than 10 years ago | (#6892540)

Biometrics on its own is still one-factor, and thus weak, authentication. To make it strong authentication, you still have to add:

- something you have (such as a token) or
- something you know (such as a password or pin :))

It's a relative scale, though (2, Insightful)

Anonymous Brave Guy (457657) | more than 10 years ago | (#6892626)

Biometrics still have a lot of basic advantages over passwords.


Today:

[Informed cracker dials front desk]

Cracker: Hi, this is John in Support. We're having a problem with your account, could you just confirm the ID and password you use to log in so I can fix it up?

Clueless front desker: Sure, I type johndoe and the password is "reindeer flotilla".

Cracker: Great, thanks. I'll fix your account up right now, and you shouldn't see any difference from usual once it's done.


Next year:

[Informed cracker dials front desk]

Cracker: Hi, this is John in Support. We're having a problem with your account, could you just send me your fingerprint so we can fix it?

Clueless front-desker: Um...


Remember, the two biggest problems with passwords are (a) choosing dumb ones allowing brute-force attacks on a system, and (b) their vulnerability to social engineering attacks. Even simple biometrics would go a long way to fixing those, and thus restricting cracking to those who actually have a clue and not s'kiddies with nothing better to occupy their time.

Re:Biometrics on its own is weak authentication (1)

JonathanX (469653) | more than 10 years ago | (#6892630)

Mod parent up. Two factor authentication is the only real solution to this problem.

Let your OS remember them... (1)

plj (673710) | more than 10 years ago | (#6892541)

...and tell you if you forgot them. Your duty is only to remember the master password. That's called Keychain, and is provided by Mac OS X.

For extra security you can also put your keychain to an USB key along with your GPG & SSH keys, and keep it away from your computer when you're not using it.

You've got a Windows box? Sorry. I'm quite sure there are some similar solutions for Linux out there, though.

Silly... (4, Interesting)

mraymer (516227) | more than 10 years ago | (#6892544)

Memorization is one of the easiest skills that the human brain is capable of. I think a lot of the frustration with passwords (and computers in general) is simply due to users lacking confidence.

Ever notice that the people who always forget passwords are the same ones that, when presented with one, will say "I'll never remember that!"

Granted, some people have better memories than others, but a little more confidence couldn't hurt. When a person says "I'll never remember that" they're basically choosing not to.

Re:Silly... (4, Interesting)

Zachary Kessin (1372) | more than 10 years ago | (#6892665)

Problem is we are good at memorizing patterns. And patterns are easy to guess. When Richard Feynman tried to crack the safes at Los Alamos he found that a very large number of them were set to 31 41 59 or 27 18 28 (pi and e). We are good at memorizing things because we expect to find patterns, which makes it easy to attack the password.

Now if you are clever you can change things just enough, or say put in letters of two languages. But most people just pick something stupid and go with it.

I will admit to having a throw away password, that I use when I need a password for something I don't care about.

Sometimes your hands are tied (2, Informative)

kaden (535652) | more than 10 years ago | (#6892548)

Where I work, we (the IT department) realize the problems associated with overloading everyone with passwords, but our clients require us to do it. When you lose a multimillion dollar account if you don't make even the lowliest secretary have three different long, random passwords, there's not much you can do about it but just be understanding when employees forget their passwords.

I imagine it's a long process of finger pointing all over the corporate world, though. The bottom line is that this just might be an inherent flaw of conventional passwords, and we either have to accept that, or develop a better system.

Spreadsheet (4, Funny)

sms (130675) | more than 10 years ago | (#6892553)

I keep all my passwords in a spreadsheet. The spreadsheet is passworded. That password is the concatenation of all my passwords so it's hard to break into and if I forget a password, all I have to do is.....hmmmm, wait.....

Way to remember (1, Funny)

Anonymous Coward | more than 10 years ago | (#6892559)

I just pick a poem/song text/... that I know by heart, and take the first letter of every word. That gives me an easy to remember, random-looking password of ~20-30 chars.

VoiceMail is the biggest piss off! (3, Funny)

Serapth (643581) | more than 10 years ago | (#6892563)

I don't so much mind managing the dozen or so passwords I have to memorize... namely because I get to pick them. What I can't get over is our damned voicemail system!!!

First off... the damned thing expires every 3 weeks, secondly, it remembers your last 10 or so entries and won't allow you to repeat them. Also, the damned thing does pattern recognition... Ironically, the most secure thing I have is my phone at work right now! ;)

It's gotten so bad, probably half the phones at work have their voicemail password sticky noted to the phone. Weakest link is always the user, eh?

Weakest link is always the user, eh? (2, Interesting)

ChozCunningham (698051) | more than 10 years ago | (#6892746)

I have to agree. It is the user that continually supports web sites, .zip files, system logons, voicemail systems, corporate intranets and so on all of which perpetuate the password issue.

Perhaps a discussion of boycott will motivate web designers and other developers to consider picture matching and other forms of authentication and help do away with the over-passwording...

Then the end user will stop supporting poor interface design, and cease to be the (second) weakest link.

easiest solution (0)

Anonymous Coward | more than 10 years ago | (#6892567)

IMHO, the easiest (cheating wisely) solution is to pick 2-3 keyboard sequences then add shifts at various places to create a number of passwords per sequence. This way you only have to remember 2 or 3 typing patterns (um not repeating or obvious ones mind you....try to be random) and then where you used or don't use shifts. It also lets you switch passwords regularly without having to force yourself to remember a new pattern. I usually change my patterns up at least once every year (probably not enough but I'm lazy and if you want my pr0n collection more than me then God bless, I probably don't need it, anyway)

Remembering passwords... (5, Funny)

yeti-graf (218334) | more than 10 years ago | (#6892569)

One guy I worked with set his password to "Viewsonic" so that whenever he forgot it he could just look at his monitor.

Two Words... (2, Informative)

MesiahTaz (122415) | more than 10 years ago | (#6892577)

Apple Keychain

Now I only have to remember 2 or 3 different passwords. Keychain does the rest of the thinking for me.

Re:Two Words... (0)

Anonymous Coward | more than 10 years ago | (#6892602)

What if your Mac dies, or you have to use a different computer somewhere far away?

Re:Two Words... (0)

Anonymous Coward | more than 10 years ago | (#6892623)

iDisk... which is also a useful way to sync passwords if you have more than one Mac.

This way a thief needs to break your iDisk password and then your keychain password.

What's so hard about remembering passwords? (3, Insightful)

iapetus (24050) | more than 10 years ago | (#6892583)

Build a system for generating passwords from other information that's easier to remember. Books and their authors. Songs. Quotes from your favourite movies. American Football players. It's easy enough to build a quick and easy set of rules for which letters should be capitalised, where numbers should appear and so on. And it's a hell of a lot easier for me to remember that my root password is American Pie than it is to remember that it's dm7aO2Eg, or that my password for the database server at work is One Week rather than bl31eOWs. There's a huge range of subject matter to pick from, and although the passwords aren't random and do have patterns that make them slightly weaker than genuinely random, they're a damn sight better than the ones most people use, they won't succumb to a dictionary attack, they're easy to remember, and they meet the requirements set down by any password security checker.

This is news? (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6892592)

While this may be fascinating stuff on Slashdot, you'd think that Baltimore [baltimore.md.us] would have more pressing news to report. Must be a really slow news day.

Inherently difficult problem (2, Insightful)

RayBender (525745) | more than 10 years ago | (#6892594)

Part of the problem is that by putting passwords on too many things you are requiring people to do something that most people simply can't do. Think about it, a good password has to be essentially random, at least eight characters long, and only used once. And then the passwords should be changed monthly. Seriously, how many of you can remember %Fhe#jhx*, $%SDh!@l, (*^GKk32vc and sd)hdf@m? Studies done by various phone companies show that people tend to only be able to memorize about seven numbers at a time..

And think how many passwords you end up using: your account password on 3-4 computers, various root passwords, passwords to hotmail, your Amazon.com and eBay accounts, your ATM PINs, your credit card PINs, the access to your wireless router at home, and all the access codes to various subscription websites (hot asian teens and whatnot :) )?

Faced with this deluge of things to remember (which most people simply do not have the neurons to do), what do we do? Either use only one password, use something easy to remember, or write it down on a piece of paper kept in one's wallet. All of which are security no-nos. But security people have to face reality - passwords are only good security when used judiciously!

Biometric Encryption Thingamajigs (BET) (1)

OldHawk777 (19923) | more than 10 years ago | (#6892599)

Biometric Encryption Thingamajigs (BET) cards, pins, chips, ... would be great, but dang there ain't no frick'en standards. Guess how many BETs would be on your key-ring and/or in your wallet/purse .... Yep, that's right maybe as many as your passwords.
Each credit card company will require you use theirs, each business/agency/... and maybe departments will require that only theirs be used for this da-dumb location/job, your banks do not want to use the same BETs as your brokerages, the city/county will want their own BET for property taxes/..., the state and federal will require different BETs be used for driving, travel, airlines, passports, ....
I guess, more piss-poor-planning before it gets any better. We may as well continue with passwords, because it won't cost anymore and BETs won't help the situation improve anytime soon.

OldHawk777

Reality is a self-induced hallucination.

passwords are easy to remember with this trick (1, Interesting)

Anonymous Coward | more than 10 years ago | (#6892601)

Pick a memorable phrase. Like "we have nothing
to fear but fear itself".

Use the first letter of each word in the phrase
as your password at site #1. Use the second
letter of each word at site #2. Using that phrase
the passwords would be:

whntfbfi
eaooeuet

Diceware (2, Informative)

kiltedtaco (213773) | more than 10 years ago | (#6892611)

Diceware [std.com] definitely provides the most secure but easily remembered passwords, and even lets you make pretty exact estimates of the entropy content of your passwords, which makes all sorts of calculations simple and fun.

Re:Diceware (1)

Phantasmo (586700) | more than 10 years ago | (#6892720)

Diceware is definitely the best passphrase solution that I've ever seen.

Unfortunately, a lot of systems require passwords. A strong Diceware passphrase is about 5 words long, with maybe four to six characters per word (including spaces). So what do you do when you're at a Novell-enabled Windows 2000 machine (which limits you to 14 characters)?

Generate a weak (~3 word) Diceware passphrase, generate a cryptic and hard-to-remember password, or just use "password" itself.
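The entropy estimates mentioned in the two Diceware comments above, worked through as an added example (not part of either post). It assumes a standard 7776-entry list selected by five dice per word; the word lengths and placeholder list in the demo are constructed, and `bits_under_length_cap` assumes the user re-rolls until the phrase fits the system's length limit.

```python
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 entries in a Diceware word list


def index_from_rolls(rolls):
    """Map five dice rolls such as '16655' to a zero-based list index."""
    if len(rolls) != DICE_PER_WORD or any(c not in "123456" for c in rolls):
        raise ValueError("expected five digits in the range 1-6")
    index = 0
    for c in rolls:
        index = index * 6 + (int(c) - 1)
    return index


def pick_words(wordlist, n_words):
    """Choose n_words uniformly, simulating the dice with a CSPRNG."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("a Diceware list has exactly 7776 entries")
    words = []
    for _ in range(n_words):
        rolls = "".join(str(secrets.randbelow(6) + 1)
                        for _ in range(DICE_PER_WORD))
        words.append(wordlist[index_from_rolls(rolls)])
    return words


def passphrase_bits(n_words, list_size=LIST_SIZE):
    """Entropy of n uniformly chosen words: n * log2(list size)."""
    return n_words * math.log2(list_size)


def random_password_bits(length, alphabet_size=94):
    """Entropy of a uniformly random password (94 = printable ASCII)."""
    return length * math.log2(alphabet_size)


def bits_under_length_cap(word_lengths, n_words, max_len, sep_len=1):
    """Entropy left when phrases longer than max_len are re-rolled.

    word_lengths holds the length of every word in the list. The result is
    log2 of the number of n-word phrases that fit, separators included.
    """
    hist = {}
    for wl in word_lengths:
        hist[wl] = hist.get(wl, 0) + 1
    ways = {0: 1}  # total length so far -> number of phrases reaching it
    for position in range(n_words):
        gap = sep_len if position else 0
        nxt = {}
        for total, count in ways.items():
            for wl, freq in hist.items():
                t = total + gap + wl
                if t <= max_len:
                    nxt[t] = nxt.get(t, 0) + count * freq
        ways = nxt
    fitting = sum(ways.values())
    return math.log2(fitting) if fitting else 0.0


if __name__ == "__main__":
    for n in (3, 5):
        print(f"{n} Diceware words: {passphrase_bits(n):.1f} bits")
    print(f"8 random printable chars: {random_password_bits(8):.1f} bits")
    print(f"14 random printable chars: {random_password_bits(14):.1f} bits")
    # Constructed placeholder list, only to exercise pick_words().
    placeholder = [f"w{i:04d}" for i in range(LIST_SIZE)]
    print(" ".join(pick_words(placeholder, 3)))
    # Constructed length profile: 7776 words, equal thirds of length 3, 4, 5.
    lengths = [3, 4, 5] * (LIST_SIZE // 3)
    print(f"3 words within 14 chars: "
          f"{bits_under_length_cap(lengths, 3, 14):.1f} bits")
```

Substituting the real list's word lengths for the constructed profile gives the actual cost of a 14-character limit on that list.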

I Don't Get It (2, Insightful)

tedrlord (95173) | more than 10 years ago | (#6892614)

What's wrong with passwords? I love passwords! They're so fun to memorize. Especially when they belong to other people.

Seriously, though, not everyone thinks like your average computer geek. For most of us, passwords and other alphanumeric sequences are simple to memorize. For many other people, even phone numbers can be very difficult. Not that geeks are necessarily better (okay, we are, but that's beside the point), we're just skilled at soaking up random information. Other people have skills in other areas. We shouldn't really expect everyone to think like us.

what i do (2, Insightful)

digitalsushi (137809) | more than 10 years ago | (#6892618)

here's what i do... feel free to tear it apart if it's actually a bad idea...

let's say i have 10 machines. for each of them, i just memorize an easy to remember 8 letter password. there's also one nasty long password stub that i have that's like 12 characters. i remember just one of those, and after i do the first 8 of the machine specific, simple password, i append the big nasty one, and that's the password for the machine. if someone gets one of them, i know i have however long it takes to brute force crack an 8 letter password to get the other machines.

not that i see what the big deal is -- isn't a password of "i like to eat pumpkin pie" just as strong a password as "sj34##@dj3"? (roughly; don't do the actual math as i know they are different. all i mean is that they're both good enough most of the time)

How I do it (0)

Anonymous Coward | more than 10 years ago | (#6892620)

Well, I have a bunch of passwords - email, sites, chats, and so on, this is what I do:

I use word+number combinations; I have passwords with several structure types: WACKY_WORD+SOME_NUMBER and WORD+SOME_NUMBER+ANOTHER_WORD and even WORD+SOME_NUMBER+ANOTHER_WORD+SOME_OTHER_NUMBER

Usually the two words relate to each other, and the numbers are in a range of my favorite numbers - which I don't tell anyone - which makes it easier to remember. Sometimes it's not even a real word, but something that's readable/pronunceable (spelling?). The biggest one I use has like 15 chars...

I avoid using real totally random stuff like: a020xoasjdksi90 which may be a pain to remember if you use more than one. BUT, if the purpose is to use *real random* strings, then the best thing is to have like 3 of them and use them in the several services.

User Passwords... (1)

CaptScarlet22 (585291) | more than 10 years ago | (#6892622)

I try not to remember users' passwords at my work, just to watch my ass....But let me tell you...Users' passwords are the dumbest passwords I've seen. Everyone uses their kid's name or pet's name or something related to them. Those are the worst passwords in the world!!

How easy is that to hack!!! Use letters and numbers!!

My company has a bad way with passwords in the past too...the password for the MAIN NT server was....PASSWORD!! I couldn't believe that!!!

It's all about security, they had none....

Password change policies (4, Insightful)

Alioth (221270) | more than 10 years ago | (#6892625)

The worst is the password policy that not only requires you to have a password that resembles line noise and is a minimum of 9 characters long, but also requires a change every 28 days.

The unintended consequence of this policy is instead of users bothering to choose a good quality password and making the effort to remember it, they either write it down and stick it on a post-it to their monitor (!) or they use something as a password that's on a book by their desk (such as a book name + part of its ISBN). The result is that the password is orders of magnitude easier to crack than if they weren't forced to change it as often or faced with a bizarrely complex password policy. And of course, when they change it, all they do is increment or decrement the trailing digit or character anyway.

Then there's password synchronization. On one network at $ORK, the password has to be synced in (a) a Novell netware tree (b) M Sexchange server, (c) web proxy (d) Windows domain. There are frequent failures with this synchronization (usually (a) (c) and (d) synchronize fine, but the M Sexchange server doesn't). The only solution is to reset the password which will resync it on all. It would be much nicer to have a passphrased public/private key pair, and use those to authenticate with everything.

my passwords (0)

Anonymous Coward | more than 10 years ago | (#6892639)

when I need to fill out a new password I just use "level" and then add the general name for that service, fe: levelisp, levelmail, levelwork, levelweb, levelforum etc.

OpenBSD Overkill (1)

zerocool^ (112121) | more than 10 years ago | (#6892653)

We recently put an openBSD machine on the network as our "admin login server". Previously, we were just logging into our main server directly via ssh, which wasn't really extremely safe, but, i mean, it was IP restricted to a /22 of IP's that we all had at home (lack of ISP's in the area lends to all of us using the same one).

So anyway, we locked down the main server and set up an admin-only login server, running OpenBSD. Previously, my password had been (backwards name of a person + two numerals), which was fairly secure. So, when I was setting up my account on the OpenBSD machine, i logged in via the password that my coassociate had given me, and tried to change my password to the other password. But, it wouldn't let me.

I was kinda miffed, but i just su'd to root, to change my password as root with passwd username. But, it wouldn't let me change it there either! It told me that it was too simple! So, i changed it, in case the program recognized people's names, backwards, for some reason - Changed it to a random string of 6 characters plus 2 numerals. Still wouldn't accept it!

Sometimes you can take security too far. If I am ROOT on a system, I AM GOD. If I want my password to be "1", i should be able to do that. I was very resentful when that system told me that I couldn't do something when I was root. If I'm root, I should be able to rm -rf /bin. Pissed me off royally. I mean, if you're root, you should understand and weigh the consequences of a password like RfoLr65 as opposed to WsukF&2, and understand that the &, while making it very hard to crack, is also an annoyance to someone who has to type it a hundred times a day.

There's always a trade off. And, if I'm root, don't fucking tell me I can't do something.

~Will

Range. (1)

Asterax (522761) | more than 10 years ago | (#6892666)

I recall the lack of imagination I had towards passwords. I would always use something like: "Good Administrators Never Use Passwords Other Then Alphanumeric 528"

I don't have this problem (1)

iElucidate (67873) | more than 10 years ago | (#6892686)

I simply make up random passwords for web forms or entry boxes and a program I use automatically captures the information, encrypts it, and stores it in a database. Each time I need a password again, it automatically fills it in for me. This system can be configured to require a master password every time it is used, to be on a timer, or to stay unlocked for as long as I am logged in. I can configure it based on application depending on how much I "trust" the program to use my passwords. I can always recover my passwords by simply launching the app, clicking the key I want, and clicking to decrypt it. This program is built into my operating system and is hooked into every program I use. It is called the Apple Keychain, and it is a life saver.

It doesn't matter what password you use... (4, Funny)

d0n quix0te (304783) | more than 10 years ago | (#6892688)

...those crackers/hackers from the movies will usually guess it on the third try... while mouthing inanities like "It's a UNIX system, I know this..."

---
A woman is helping her computer-illiterate husband set up his computer, and tells him that he will now need to choose and enter a password that he wants to use when logging on. The husband, thinking he'll be oh-so-manly, types in the following letters when prompted for his desired password by the computer... m - y - p - e - n - i - s His wife rolls her eyes. Then she nearly falls off her chair howling with laughter when the computer replies: PASSWORD REJECTED. NOT LONG ENOUGH

Too many passwords (0)

Anonymous Coward | more than 10 years ago | (#6892696)

Another component to the problem is the 500000 websites that want passwords - web forums, etc, etc. (Slashdot...) Most of them I could care less about if someone were to crack the password - oooh, someone could look at my personalized list of stories or post under my name, I better use a good 9-digit random password for that! :-)

So I have a low-security password I use for all of them (though it's not dictionary-attackable), and only use "real" passwords for sites and computers that protect real information. But even for those, I mostly use one longer, harder-to-crack password because even eliminating the don't-cares, I still have WAY too many sites/computers to reasonably remember totally different passwords, let alone change them regularly.

The security expert interviewed recently (story linked to on Slashdot) about the Patriot Act said similar things - his solution is to write them down and put them in his wallet. As he put it, he has a lifetime of experience in keeping his wallet safe. (Though I hope he has a backup piece of paper somewhere...)

single sign-on??? (1)

stonebeat.org (562495) | more than 10 years ago | (#6892699)

The concept of single is good, but I hate the idea of using commercial/proprietary/closed-source technology like Netegrity's SiteMinder to implement authentication on my application/servers. What happens if SiteMinder goes belly-up or they triple the SiteMinder licenses? Nothing is stopping them from doing that. Then my application will be secured by a technology that I can NOT afford to license...

Dear Friends, THANKS for the help! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#6892701)

My best friends BigBreastBetty and StrapOnMama of the Mean Balling Bitches group find your comments helpful in developing their open password cracker. Don't expect to find it posted at WAREZ, CDC, or DoD anytime soon ... there are other places preferred by programming dykes. Too many USA spies monitor the traffic at some sites.

Getting around annoying password requirements (1)

jonathan_ingram (30440) | more than 10 years ago | (#6892703)

I used to work somewhere which had fairly draconian password requirements (needs to include digits, can't be made up of real words, can't have more than two characters in a row the same), including changing passwords every month. I ended up picking a simple pattern on the keyboard ('qq1122qq'), and just moving the pattern along by one character each time I had to change it. I've yet to find a password system which rejects this password pattern sequence, despite its simplicity.
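Added example (not part of the comment above, and not any real product's policy code): a Python sketch of the three rules the comment lists, showing that they accept `qq1122qq` and its shifted successor, next to a change-time check that catches the rotation. The US QWERTY layout, the tiny word list, the `min_distinct` threshold and all function names are assumptions made for illustration.

```python
# Added example: constructed policy checks, not taken from any real product.
ROWS = ["`1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]  # US QWERTY (assumption)
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
WORDS = ("password", "letmein", "welcome")  # constructed stand-in for a dictionary

def naive_policy_ok(pw):
    """The three rules from the comment: a digit, no real words, no 3 identical in a row."""
    has_digit = any(ch.isdigit() for ch in pw)
    no_word = not any(w in pw.lower() for w in WORDS)
    no_triple = not any(a == b == c for a, b, c in zip(pw, pw[1:], pw[2:]))
    return has_digit and no_word and no_triple

def shift_along_row(pw, n=1):
    """Move each key n places along its keyboard row, wrapping at the row end."""
    out = []
    for ch in pw:
        if ch in POS:
            r, c = POS[ch]
            ch = ROWS[r][(c + n) % len(ROWS[r])]
        out.append(ch)
    return "".join(out)

def is_keyboard_shift(old, new):
    """True if new equals old with every key moved by one common offset on its row."""
    if not old or len(old) != len(new):
        return False
    offsets = set()
    for a, b in zip(old.lower(), new.lower()):
        if a not in POS or b not in POS or POS[a][0] != POS[b][0]:
            return False
        n = len(ROWS[POS[a][0]])
        d = (POS[b][1] - POS[a][1]) % n
        offsets.add(d - n if d > n // 2 else d)  # signed offset, so left shifts match too
    return len(offsets) == 1

def hardened_policy_ok(new, old, min_distinct=5):
    """Naive rules plus two checks at change time, when the old password is supplied.
    min_distinct=5 is an illustrative threshold, not a standard."""
    return (naive_policy_ok(new)
            and len(set(new)) >= min_distinct
            and not is_keyboard_shift(old, new))

if __name__ == "__main__":
    old = "qq1122qq"
    new = shift_along_row(old)
    print(new, naive_policy_ok(new), hardened_policy_ok(new, old))
```

The comparison needs the previous password in the clear, which is only available during the change dialog where the user types it; it does not require storing old passwords unhashed.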

Thinkgeek has something for this.. (3, Interesting)

Darth Fredd (663620) | more than 10 years ago | (#6892714)

..a password-keeper. Has a master entrance code, and a "self-destruct" sequence.

http://www.thinkgeek.com/gadgets/security/5a60/

Since it comes from thinkgeek, you'll be supporting OSDN, and besides, anything with a self destruct sequence is cool. Really, really cool.

Why not public key? (1)

Ed Avis (5917) | more than 10 years ago | (#6892731)

It would make a lot more sense if websites allowed you to identify yourself by your PGP or SSH public key. At the very least this could provide a secure way of doing the 'I've forgotten my password, please reset it' thing.

What about Username Rage? (1)

SharpFang (651121) | more than 10 years ago | (#6892733)

Imagine this: Creating account for Yahoo:

Sharpfang
Sharpfng
shrpfng
sharp_fang
sharp.fang
sharp-fang
shrpfang
sfang
sharpf
sharpy
sharp

Yahoo claims all of the above are already in use.
Do you believe them?

That's one of the reasons why I stopped using Netscape Mail: my original account name was deleted (supposedly it conflicted with someone when Netscape joined all its services. I really doubt it), and I couldn't come up with anything nearly decent. More and more our usernames start to resemble really good passwords, with digits and punctuation characters in them... And I bet the "huge services" reserve ALL the possible good names (i.e. no digits in them) for some potential VIPs and lie that they are "already taken".

Look out! (1)

ndogg (158021) | more than 10 years ago | (#6892737)

When users have password rage, look out! They might start throwing all those letters and numbers at you!