
Password Memorability and Securability

Hemos posted more than 10 years ago | from the what-about-portability dept.

Security 436

NonNullSet writes "Who would have thought that something new could be said about how best to select passwords? Ross Anderson of Cambridge University and some of his colleagues have performed new empirical studies and found some pretty non-intuitive results. For example:
1. The first folk belief is that users have difficulty remembering random passwords. This belief is confirmed.
2. The second folk belief is that passwords based on mnemonic phrases are harder for an attacker to guess than naively selected passwords. This belief is confirmed.
3. The third folk belief is that random passwords are better than those based on mnemonic phrases. However, each appeared to be just as strong as the other. So this belief is debunked.
4. The fourth folk belief is that passwords based on mnemonic phrases are harder to remember than naively selected passwords. However, each appeared to be just as easy to remember as the other. So this belief is debunked.
5. The fifth folk belief is that by educating users to use random passwords or mnemonic passwords, we can gain a significant improvement in security. However, both random passwords and mnemonic passwords suffered from a non-compliance rate of about 10% (including both too-short passwords and passwords not chosen according to the instructions). While this is better than the 35% or so of users who choose bad passwords with only cursory instruction, it is not really a huge improvement. The attacker may have to work three times harder, but in the absence of password policy enforcement mechanisms there seems no way to make the attacker work a thousand times harder. In fact, our experimental group may be about the most compliant a systems administrator can expect to get. So this belief appears to be debunked."


436 comments

Freaking PDF files. (5, Informative)

Anonymous Coward | more than 10 years ago | (#9237186)

Freaking PDF files. Link [216.239.39.104] to a version translated into HTML. By the time this goes live, maybe the FTP will be slashdotted, too. Thanks, Google.

I suppose I should make a comment. Okay, here it is: looks like users are still the weakest link in security. Whoever said that social engineering was the ultimate hack is a genius.

Re:Freaking PDF files. (3, Informative)

QBasicer (781745) | more than 10 years ago | (#9237360)

I don't think that will ever change, unless we use the bio scanning methods (iris scans and whatnot)

I heard about DNA scan, but I can't see that working; it could be falsified. Even a fingerprint could be carried (cut off their finger if they wanted access enough).

The strongest way to do it is with multiple methods (text password, then voice password, then the fingerprint scan, and then iris scan).

Re:Freaking PDF files. (2, Insightful)

somethinghollow (530478) | more than 10 years ago | (#9237369)

What does that make Kevin Mitnick [kevinmitnick.com] ?

Oh, yeah... I remember him. I forgot that guy existed after he was free and not a symbol of everything that was wrong with the legal system in the US.

Re:Freaking PDF files. (1, Insightful)

Anonymous Coward | more than 10 years ago | (#9237424)

. . . looks like users are still the weakest link in security

Exactly, security through obscurity just does not work, passwords are not the answer.

Re:Freaking PDF files. (4, Insightful)

the_mad_poster (640772) | more than 10 years ago | (#9237429)

I second the HTML version. Good old Adobe - popped up a nice little window in the background bugging me to update and stalled the IE process. Since the window went to the background, all I could see was the stalled process, and I killed IE, which, of course, closed all my windows. I hate pdf files...

Anyway, here's a consideration: semi-disgruntled employees. For example, I'm not disloyal enough to actively seek to damage the company's systems or information, but with the way they treat employees, and the way my dysfunctional department operates, I'm not loyal enough to sit and try to think of strong passwords every month. So, I come up with creative ways to circumvent the draconian password policy instead. Ironically, some of my stronger passwords have been defeated by this overly strict ruleset and wound up with me simply appending a character to a weaker password to get around it.

The lesson: draconian password policies hurt security and audit your password lists on a regular basis (at least randomly sample them regularly). Most of your users probably don't give a crap about their passwords because they don't give a crap about what happens to the company's systems and information.

Re:Freaking PDF files. (1, Informative)

Anonymous Coward | more than 10 years ago | (#9237430)

I may be off-topic, but I linked PDF files to 'xpdf' in Firefox and I don't have problems anymore.

frost pist? (1)

haxorest (724387) | more than 10 years ago | (#9237189)

fp!@??

Google (5, Informative)

Mz6 (741941) | more than 10 years ago | (#9237194)

Google's HTML Cache Version [64.233.167.104]

Hackers? (0, Flamebait)

StefanoB (775596) | more than 10 years ago | (#9237195)

Here they go again...I thought crackers broke passwords, not hackers.

Steven

gosh, that sure is a lot of words... (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#9237198)

Now people won't even read the /. story before they post ignorant shit.

Re:gosh, that sure is a lot of words... (1, Funny)

Anonymous Coward | more than 10 years ago | (#9237248)

So, all systems normal, right?

I just use my phone number..... (2, Funny)

MrIrwin (761231) | more than 10 years ago | (#9237199)

oops!

Re:I just use my phone number..... (5, Funny)

Dr. GeneMachine (720233) | more than 10 years ago | (#9237245)

Hah! Now I also know how to reach you on the phone...

Longest... summary... ever... (4, Funny)

Da Fokka (94074) | more than 10 years ago | (#9237202)

Not RTFA has never been so easy! How am I supposed to have an uninformed opinion like this?!

Re:Longest... summary... ever... (1)

verbatim_verbose (411803) | more than 10 years ago | (#9237272)

You're not kidding...

Honestly, I'd rather have been given a link to the article though... would have been much easier to read. On a side note, why on earth does slashdot put almost all the text on the front page in italics?

Italics (-1)

Anonymous Coward | more than 10 years ago | (#9237298)

Italics are the way slashdot differentiates quoted submission text from editorial commentary.

The best security (0)

bwalling (195998) | more than 10 years ago | (#9237213)

The best security is to not have anything that is desirable to anyone else. Then, they won't want to bother with figuring out your password.

Re:The best security (2, Interesting)

Allen Zadr (767458) | more than 10 years ago | (#9237325)

It doesn't take much processing power to send SPAM. You'd be surprised at how little is desirable.

All your i286 are belong to us.

Re:The best security (4, Funny)

the_mad_poster (640772) | more than 10 years ago | (#9237401)

So, basically, you're saying that Slashdot is impenetrable?

Teach People the Drums (4, Interesting)

soloport (312487) | more than 10 years ago | (#9237417)

Just use pattern passwords:
1) Put both hands on our friend, QWERTY
2) Move fingers into a natural, systematic position
3) Bang out a pattern using all fingers
4) Randomly include the shift key and those keys at the top, including the Back Space ;-)
5) Keep hitting some keys even after you've hit Enter; Then hold the Back Space key (optional)
6) "Practice, practice, practice!" so it can be typed very fast

Results?
* I rarely mistype a password
* I don't know my own password
* I couldn't share my password with security unless a keyboard was around
* I type it in so fast, it would take a video recording to spy-capture it (methinks)

Of course, nothing can help you with key logging :-/

quepasa (4, Interesting)

JohnGrahamCumming (684871) | more than 10 years ago | (#9237214)

So take a look at quepasa [sf.net]. It combines remembering a passphrase with cryptographically generated passwords (SHA-256 hashing of the passphrase and account name followed by mapping of the hash to typeable characters).

The combination means that I can always "recall" the password for any of my accounts using the quepasa application (all I remember is a single passphrase), and the passwords are not stored anywhere.

John.
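An illustration of the derivation the post describes (added here, not quepasa's own code): SHA-256 over the passphrase and account name, with the digest mapped onto typeable characters. The 64-symbol alphabet, the NUL separator, the 16-character default and the PBKDF2 variant are my assumptions; the page does not specify them.

```python
"""Deterministic per-account password derivation from one master passphrase.

Added example, not quepasa's own code. Nothing is stored: the same
passphrase and account name always reproduce the same password.
"""
import hashlib
import string

# 64 symbols, so each hash byte maps to one symbol without modulo bias
# (256 % 64 == 0). Assumption: the page does not give quepasa's alphabet.
ALPHABET = string.ascii_letters + string.digits + "-_"
assert len(ALPHABET) == 64


def derive_password(passphrase: str, account: str, length: int = 16) -> str:
    """SHA-256(passphrase || NUL || account), mapped onto ALPHABET.

    The NUL separator keeps ("ab", "c") and ("a", "bc") from producing
    the same input, which plain concatenation would.
    """
    if not 1 <= length <= 32:
        raise ValueError("length must be 1..32: one SHA-256 digest is 32 bytes")
    data = passphrase.encode("utf-8") + b"\x00" + account.encode("utf-8")
    digest = hashlib.sha256(data).digest()
    return "".join(ALPHABET[b & 0x3F] for b in digest[:length])


def derive_password_slow(passphrase: str, account: str,
                         length: int = 16, iterations: int = 200_000) -> str:
    """Same scheme over PBKDF2-HMAC-SHA256 instead of a single fast hash.

    Caveat the plain scheme does not address: anyone holding one derived
    password can test master-passphrase guesses offline at SHA-256 speed.
    A slow KDF with the account name as salt makes each guess expensive.
    """
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                              account.encode("utf-8"), iterations, dklen=length)
    return "".join(ALPHABET[b & 0x3F] for b in key)


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample passphrase
    for site in ("slashdot", "bank", "work-vpn"):
        print(f"{site:10s} {derive_password(master, site)}  "
              f"{derive_password_slow(master, site)}")
```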

Re:quepasa (3, Insightful)

alexatrit (689331) | more than 10 years ago | (#9237270)

Looking at the end result of this, how is it any different than typing up a list of randomly generated passwords in vim/notepad/whatever and encrypting the list with gpg? You still have to run and check the program every time you want to login to a service. The passphrase supplied to quepasa could easily be that to decode your gpg-encrypted list of passwords.

Random Passwords aren't the problem (5, Insightful)

Stargoat (658863) | more than 10 years ago | (#9237302)

The problem isn't with passwords. The problem is with the 40-year-old women in the office who use their kids' names over and over with different numbers at the end of the password, and then write even that simple-to-remember password down at their desk. The problem is with an HR department that doesn't care if IT policies are enforced, and management that doesn't care if HR isn't doing their job.

If IT keeps warning, they're told to stop worrying. If something happens, IT is blamed. These morons (leaders) need to figure out that IT isn't something that helps them do business. Their business runs on IT. Without it, they have no business.

Consonant-Vowel Method (5, Interesting)

Chess_the_cat (653159) | more than 10 years ago | (#9237215)

Mitnick had a neat suggestion in the Art of Deception. The Consonant-Vowel Method. It provides an easy to remember password because it is pronounceable. You take the following template and swap in consonants and vowels: CVCVCVCV. The examples he gave are MIXOCASO and CUSOJENA. The point is they won't be in the dictionary but you can remember these nonsense words.

Re:Consonant-Vowel Method (0)

Anonymous Coward | more than 10 years ago | (#9237257)

Does he also mention that it takes significantly less time to brute-force crack a password made up entirely of alphabetical characters?

Brute Force Attacks (5, Insightful)

Afty0r (263037) | more than 10 years ago | (#9237337)

Perhaps I'm crazy but I've always felt an application which allows a brute force attack is flawed.

Surely by this point in software development it should be regarded as standard for every program to LOCK access for a given account after X consecutive failed logon attempts?

Even setting this to something arbitrarily high like, say 1000, is more than any user would ever try before asking for help, but much MUCH MUCH less than any dictionary attack would require. Combine this with the possibility of real time notification for admins (facilitated by email/inter application messaging, or a small add-on service for the OS) when more than Y accounts are locked for this reason in Z minutes, and as a community we'd effectively end all dictionary attacks - or at least turn them into DOS attacks, but at least we'd know it was going on...

Re:Consonant-Vowel Method (1)

idsCypher (542075) | more than 10 years ago | (#9237261)

Well, it's a neat suggestion indeed, but I dream of a place where no passwords are required to remember or to use hahah :)

Re:Consonant-Vowel Method (-1)

Anonymous Coward | more than 10 years ago | (#9237362)

Would the world be a better place without hypothetical questions?

Re:Consonant-Vowel Method (1)

ajcbau (710239) | more than 10 years ago | (#9237281)

While this may be true for English [it is certainly easier to remember something you can pronounce], How well would it work for other languages? AB

Re:Consonant-Vowel Method (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9237292)

who cares about those terrorist languages

like this? (2, Interesting)

porcorosso (178451) | more than 10 years ago | (#9237294)

declare @consonants char(20),
        @vowels char(5),
        @password varchar(255),
        @length tinyint -- passed to sp

select @consonants = 'bcdfghjklmnpqrstvwyz', -- 20 consonants; 'x' is left out on purpose
       @vowels = 'aeiou',
       @password = '', -- must start empty: in T-SQL, NULL + 'a' is NULL, so an
                       -- uninitialised @password would make every select below NULL
       @length = 8 -- maximum of 254. any more will overflow

while (@length > 0)
begin
    -- floor(rand()*20) is 0..19; +1 gives the 1-based index 1..20 that substring expects
    select @password = @password + substring(@consonants, convert(int, floor(rand()*20)) + 1, 1)
    if (@length > 1)
    begin
        -- same for the vowels: index 1..5
        select @password = @password + substring(@vowels, convert(int, floor(rand()*5)) + 1, 1)
    end
    -- tinyint cannot hold a negative value, so stop at 0 when @length is odd
    select @length = case when @length > 1 then @length - 2 else 0 end
end

select @password

Re:like this? (-1)

Anonymous Coward | more than 10 years ago | (#9237328)

Oddly, this algorithm wouldn't hit "mixocaso" because you seem to revere the letter `x'...

Re:like this? (1)

porcorosso (178451) | more than 10 years ago | (#9237445)

yeah, 100/5 = 20, not 21 so one consonant has to go for simplicity's sake. This works pretty well on some of the stuff I've worked on.

Re:like this? (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#9237378)

This is exactly the kind of terrorist language I'm talking about.

Re:Consonant-Vowel Method (3, Insightful)

Frit Mock (708952) | more than 10 years ago | (#9237317)


Nice try ... consonant-vowel is a nice pattern ... patterns are easier to break

Re:Consonant-Vowel Method (4, Insightful)

Plutor (2994) | more than 10 years ago | (#9237322)

Another thing to remember is that rules like this just make brute-forcing simpler. There are 2.18*10^14 mixed-case alphanumeric 8-character passwords, but only 3.11*10^10 mixed-case consonant-vowel passwords (1/7000th as many possibilities), and only 1.2*10^8 single-case C-V passwords.

Forcing 8-char passwords is just as inadvisable. There are 6.16*10^15 possibilities for 6-8 character passwords made up of all typeable characters (ASCII 33-126). That'll take 195 days to search the whole keyspace at 1M tests per second. And hopefully your password rotation is more often than that.
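The post's figures, recomputed by an added example (not code from the thread) that counts a keyspace from a password template; the class sizes it assumes are 21 consonants, 5 vowels, 62 alphanumerics and 94 printable ASCII symbols. At one million guesses per second the 6-8 character, 94-symbol search comes out at roughly 71,000 days, about 195 years of worst-case work.

```python
"""Keyspace and exhaustive-search time for the password classes discussed above.

Added example (not from the thread): a template-based keyspace calculator,
so the cost of a fixed pattern such as Mitnick's CVCVCVCV can be set
against a free-form policy. Class sizes are assumptions matching the post.
"""
from typing import Dict

CLASS_SIZES: Dict[str, int] = {
    "C": 21,  # lowercase consonant
    "V": 5,   # lowercase vowel
    "c": 42,  # consonant, either case
    "v": 10,  # vowel, either case
    "A": 62,  # mixed-case letter or digit
    "P": 94,  # any printable ASCII character 33-126
}

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365.25


def template_keyspace(template: str) -> int:
    """Number of distinct passwords matching a fixed template such as 'CVCVCVCV'."""
    n = 1
    for symbol in template:
        n *= CLASS_SIZES[symbol]
    return n


def length_range_keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords of min_len..max_len characters over one alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def search_time(keyspace: int, guesses_per_second: float) -> Dict[str, float]:
    """Worst-case time to try every candidate at the given rate."""
    seconds = keyspace / guesses_per_second
    return {
        "seconds": seconds,
        "days": seconds / SECONDS_PER_DAY,
        "years": seconds / SECONDS_PER_DAY / DAYS_PER_YEAR,
    }


def shrink_factor(free_template: str, constrained_template: str) -> float:
    """How many times smaller the keyspace becomes when a fixed pattern is imposed."""
    return template_keyspace(free_template) / template_keyspace(constrained_template)


if __name__ == "__main__":
    print(f"8-char mixed-case alphanumeric:     {template_keyspace('A' * 8):.2e}")
    print(f"8-char mixed-case consonant-vowel:  {template_keyspace('cvcvcvcv'):.2e}")
    print(f"8-char single-case consonant-vowel: {template_keyspace('CVCVCVCV'):.2e}")
    print(f"the CV pattern shrinks the keyspace {shrink_factor('A' * 8, 'cvcvcvcv'):.0f}-fold")
    space = length_range_keyspace(94, 6, 8)
    t = search_time(space, 1e6)
    print(f"6-8 chars over 94 symbols: {space:.2e} candidates; "
          f"{t['days']:.0f} days ({t['years']:.0f} years) at 1M guesses/s")
```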

Re:Consonant-Vowel Method (4, Interesting)

lukewarmfusion (726141) | more than 10 years ago | (#9237352)

True, but if the attacker knew that your passwords followed a certain template (those two are 8 characters, all caps, and alternate consonant vowel starting with consonants) they become much easier to attack.

My applications rarely force complexity (sometimes they require numbers or other non-alpha characters). The instructions are always there, but users rarely ever follow them.

One of my not-so-critical applications (a web messageboard!) from a while back stored the passwords as plaintext in the DB (I now use hashing, thank you very much). I once looked at the password list just to see how complex people chose their passwords:

~60% had one word passwords of about 5 or 6 letters, no numbers
10% used their username (which has since been prohibited)
10% had complex passwords - stuff that made no sense to me and used numbers, non-alphanumeric characters, etc.
The rest (a little more than 20%) had a word + a number, or something around those lines.

I did ask them all about password security, and I got two basic responses: My password is secure, or What does it matter?

Message Boards (4, Interesting)

Allen Zadr (767458) | more than 10 years ago | (#9237443)

On a message board, I always use a fairly simple password, simply because it doesn't matter to me...
If someone gets to post as Allen Zadr to slashdot, the worst that would happen is my karma would be burned. No big deal. I drop the account, start a new one, give Slashdot another 5 bucks.

The passwords I use on anything important, are far more secure.

For this reason, I would be far more suspicious of the 10% that use extremely complex passwords. Likelihood is that those passwords will match their online banking account and work passwords.

Re:Consonant-Vowel Method (5, Informative)

joelhayhurst (655022) | more than 10 years ago | (#9237414)

There is also a unix utility called APG [nursat.kz] (Automated Password Generator) which will create pronounceable gibberish passwords to your specifications. I usually use that, find one I like, then replace a few letters with l33t-speak numbers (to think, it has a use...).

Re:Consonant-Vowel Method (0)

Anonymous Coward | more than 10 years ago | (#9237420)

There is a publication which takes this to the next stage:

FIPS PUB 181 (Federal Information Processing Standards Publication)

It generates "pronounceable" but random "words" of a given length, and avoids the pattern problem in this "method" from Mitnick.

Unfortunately, it's also not as portable, but there is example c-code. I've seen it work in a couple places.

The other thing is that with a nonsensical word it's easy to remember ( ookdealiezago or something ), even if it's quite long ( say 12-14 characters ). Easier than mnemonics, too, I've found.

Sys admin and internal support (2, Interesting)

matthew.thompson (44814) | more than 10 years ago | (#9237221)

Sometimes even the most vigilant sys admin is not able to halt these problems.

Where I work the passwords are changed by internal support and logged into a database as well as entered into the system.

Despite requests to use strong passwords, the internal support view is to get as quiet a life as possible and just accept whatever password a user chooses.

The number of times I've seen summer1 is ridiculous.

Personally I think users should choose their own passwords and the system should limit them to >8 characters and a %age difference from their last 10 passwords. But I don't make up the policies.

Re:Sys admin and internal support (4, Insightful)

Liselle (684663) | more than 10 years ago | (#9237275)

Personally I think users should choose their own passwords and the system should limit them to >8 characters and a %age difference from their last 10 passwords. But I don't make up the policies.
I agree, but you do that and then your security will be circumvented by Post-it notes on monitors. We lost that fight before it even began.

Re:Sys admin and internal support (2, Funny)

anon*127.0.0.1 (637224) | more than 10 years ago | (#9237375)

No, the post-it on the monitor is way too obvious.

Clever users put the post-it on the bottom of their keyboard, where no one will ever think to look.

Re:Sys admin and internal support (2, Funny)

Liselle (684663) | more than 10 years ago | (#9237419)

Hmm, bottom of the keyboard, I'll have to try that. I'm still trying to figure out how he guessed that my password was "summer1", though.

Re:Sys admin and internal support (0)

Anonymous Coward | more than 10 years ago | (#9237287)

passwords are changed by internal support and logged into a database

That doesn't sound like a great idea... what if the database was compromised? Every current password and a history showing what type of password the user prefers in an attacker's hands.

Now keep them away from chocolate (5, Funny)

enkafan (604078) | more than 10 years ago | (#9237223)

Yeah, passwords and standards are fine as long as you keep snickers out of the office [bbc.co.uk]

Ha (0)

nycsubway (79012) | more than 10 years ago | (#9237225)

I've fooled them all... My password is so simple, yet so complex, no one will be able to figure it out! It also doesn't hurt to throw the hackers off track with a hint in the wrong direction by writing false passwords on sheets of paper near your computer. Or putting the real passwords there, then no one would try them.

Re:Ha (0)

Anonymous Coward | more than 10 years ago | (#9237274)

So, your password is blank. Thanks for the clues!

Oh, and when your ISP tells you you're sending SPAM out, just ignore them.

Re:Ha (3, Insightful)

kpharmer (452893) | more than 10 years ago | (#9237405)

I used to do that back in the USMC - I converted my wall locker combination to base 7 and then put that on tape on the back of the lock. Everyone in the barracks tried it and failed. Meanwhile I had a nicely documented combination. Of course, I suppose I was fairly lucky that nobody simply removed the tape - but the same combination was also in my wallet along with all my PIN numbers. Again in base 7...

Size of Study (1)

gambit3 (463693) | more than 10 years ago | (#9237226)

In order to investigate these trade-off factors in a real context of use, we have conducted an experiment involving 400 first-year students at our university.

While the size was larger than I initially expected it to be, I don't know if you can definitely "debunk" myths (as the poster definitively states) using a 400 person focus group to simulate several dozen millions of varied abilities.

Re:Size of Study (4, Insightful)

Glonoinha (587375) | more than 10 years ago | (#9237312)

Statistically speaking, a 400 person focus group is going to so accurately represent the population from which they were selected it is almost overkill. Bear in mind, however, that they don't represent users in general, but computer users that are smart enough to get into college, aged roughly 18-19 years old, and open minded enough to participate in a college survey regarding passwords on computers.

But yes, 400 people is way more than enough - heck you can usually predict the outcome of most elections using exit polls asking less people than that.

Re:Size of Study (1)

gambit3 (463693) | more than 10 years ago | (#9237398)

I guess I should've rephrased my initial post.

I meant, 400 of the same classification (in this case, as you stated, first-year college students who are probably computer savvy) leads me to believe that you can't make generalized conclusions for millions of different classifications of people.

Just my $0.02

Re:Size of Study (-1, Flamebait)

mumblestheclown (569987) | more than 10 years ago | (#9237330)

Note to gambit3: go learn something about statistics before contributing to the noise/signal ratio on slashdot again.

Length vs randomness (5, Interesting)

SWroclawski (95770) | more than 10 years ago | (#9237229)

One area I'd like to see would be strength of a password in terms of randomness, requiring use of characters, etc. vs length. Is an 8 character password with a punctuation mark better than a 10 character password with all lower case characters? If so, by how much?

Then we can determine a good password policy that fits with the security model at the facility.

Re:Length vs randomness (3, Insightful)

Liselle (684663) | more than 10 years ago | (#9237333)

The moment X method becomes popular, it is immediately less effective, because crackers will know what to poke at. If there is a world of unfriendly machines out there, one of your best bets is being a moving target. Password studies are interesting, but the results (of how hard they are to crack) can't be valid for long.

Re:Length vs randomness (4, Insightful)

_bug_ (112702) | more than 10 years ago | (#9237449)

Length and randomness go together and it should never be an either/or decision.

Plus it's difficult to factor in the domain of characters an attacker will use to brute force a password. Throwing in a punctuation mark on a relatively short password will be strong against any attackers who use only alphanumeric characters in their cracking scheme. But the first attacker who does include said punctuation will crack a short password relatively quickly.

L0phtcrack probably has the best approach, in which a basic dictionary attack is run first, then a hybrid attack that attaches numerals and punctuation to the end of a dictionary word, etc.

But really, if you're not using a dictionary word as your password, the chances of a brute force attack being successful are very low.

An attacker is going to get your password through other means such as keylogging or packet sniffing.

Passwords are really only one tiny piece to the whole security plan and I think it's too focused on. How about more on how to physically protect a machine, how to prevent keyloggers or packet sniffers. How about social engineering? That's one of the last topics (if at all) to be covered during discussions about security.

No passwords... (2, Interesting)

Allen Zadr (767458) | more than 10 years ago | (#9237236)

That's why I assign passwords to my users. I know that they are random, cryptic, long enough, and if my user can't remember it, I can remind them.

On the other hand, I don't have a password retention policy either, so really if someone is in my employ for more than six months, there's a good chance of a password getting lost into the wrong hands. Yes, I know this is a bad idea.

Re:No passwords... (5, Insightful)

Glonoinha (587375) | more than 10 years ago | (#9237351)

Stay late one night. After they are all gone walk from desktop to desktop. Look for post-it notes on the side of the monitor and under the keyboard, and in their drawers. The results will scare you, if your users are anything like mine, and I bet after that you start letting them pick less cryptic passwords.

Also, if you know their password there goes any semblance of Non-Repudiation. And if you can 'remind them' either you have a very short list of users and can remember them, or you have a written list somewhere - nifty, but a bad idea.

entering passwords is the biggest problem (5, Insightful)

Whitecloud (649593) | more than 10 years ago | (#9237240)

How many passwords have you got? Turn on PC, open email, encrypted files, bank account logins, FTP logins, forum memberships, the list goes on. How many have you forgotten? We need a better authentication system than text passwords. Security agencies have developed stunning biometric identification technologies; perhaps these could be put out for the general public to use?

Re:entering passwords is the biggest problem (3, Insightful)

Liselle (684663) | more than 10 years ago | (#9237383)

Problem I always have with biometric identification is that it lacks something that passwords have: I can change my password, but I can't change my fingerprints. It's both more secure and less secure at the same time. Not better, just different, imo.

Re:entering passwords is the biggest problem (2, Insightful)

Tim C (15259) | more than 10 years ago | (#9237421)

The good thing about passwords is that they can be changed if forgotten or compromised. If a system that uses biometric information is compromised, you don't have that option - I can't change my retinal pattern or fingerprints.

Easy solution: (1, Funny)

Anonymous Coward | more than 10 years ago | (#9237241)

Just patent [happyworker.com] password cracking as a business method, and sue everybody for patent infringement who attempts to guess your passwords!

Mnemonic passwords.... (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9237247)

http://www.hot4download.com/utilities/Mnemonic_Passwords_20.htm

Downloads : 2
Publisher : Click this to go
[b]Date added : 09/30/2002[/b]
File Size : 402K
License : Free to try, $20 to buy
Requirements : Windows (all)

Publisher's Description
From the developer: "Mnemonic Passwords allows you to create -Safe- -Strong- passwords without having to commit them to memory. Mnemonic Passwords takes a phrase or set of easy to remember information and produces a password. Passwords can be customized, Passwords are individualized by computer, Gives an estimate of the strength of the password in seconds, minutes, days, years. Yet is easy to use: Run, Enter a Challenge Phrase, Click 'Generate' and you're done, there's the password."

Offtopic? (-1)

Anonymous Coward | more than 10 years ago | (#9237327)

"Prior art" seems to be one of /.'s most highly sought commodities. Here's one from almost 2 years ago.

-1 for BBCode use, but not offtopic. ;)

Why should passwords be difficult to guess? (4, Insightful)

crow (16139) | more than 10 years ago | (#9237249)

I'm confused as to why you would care how strong the passwords your users select are. As long as you control the authentication system, you can prevent repeated guessing--the days of globally-readable encrypted password files are gone. If you get more than a small number of failed guesses on a given account or from a given address, you cut off access, at least for a time.

The key is to detect the attack.

Re:Why should passwords be difficult to guess? (1)

spellraiser (764337) | more than 10 years ago | (#9237356)

The key is to detect the attack.

Ah, you are referring to something like this [bash.org] ?

Re:Why should passwords be difficult to guess? (1)

a55mnky (602203) | more than 10 years ago | (#9237423)

Depending upon what is at stake - attackers can be very patient. If you allow users to create their own passwords and don't enforce some complexity requirements, most will choose their name, kid's name, spouse, pet, etc. Give me a few days even with your authentication systems in place and I will guess the password.

Re:Why should passwords be difficult to guess? (1)

ArsenneLupin (766289) | more than 10 years ago | (#9237444)

If you get more than a small number of failed guesses on a given account or from a given address, you cut off access, at least for a time.

Well, this is fine as long as passwords are not so easy to guess that the attacker gets it on the first attempt (and believe me, with some of our users, it would be this bad, if we didn't enforce a minimal password choice policy...)

Moreover, if you only cut off access to the offending IP address, be careful: with most ISPs today, you just need to log off and on again, and you get a different IP (not to mention open proxies and other niceties)
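The lockout after X consecutive failures, the alert when more than Y accounts lock within Z minutes, and the rotating-address caveat raised in the posts above (Afty0r, crow and ArsenneLupin), as an added example that is not code from the thread, replayed over constructed auth log lines; the log format, the thresholds and the account names are my assumptions.

```python
"""Account lockout with an operator alert, replayed over constructed auth logs.

Added example (not from the thread). Locks an account after X consecutive
failed logons, alerts when more than Y accounts lock within Z minutes, and
counts failures per source address to show why a per-address cutoff alone
does not catch an attacker who changes IP between guesses.
"""
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

LOCK_AFTER = 5                         # X consecutive failures locks the account
ALERT_OVER = 2                         # more than Y accounts locked ...
ALERT_WINDOW = timedelta(minutes=10)   # ... within Z minutes raises an alert

# Constructed log format: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

Summary = namedtuple("Summary", "locked alerts failures_by_src")


def process(lines):
    """Replay log lines in order; return locked accounts, alerts raised,
    and the number of failed attempts seen from each source address."""
    consecutive = defaultdict(int)      # account -> consecutive failures so far
    failures_by_src = defaultdict(int)  # source address -> failed attempts
    locked = {}                         # account -> time it was locked
    recent_locks = deque()              # lock times inside the alert window
    alerts = []                         # (time, accounts locked within window)

    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # unparseable line; a real deployment logs it
        ts, result, user, src = m.groups()
        when = datetime.fromisoformat(ts)
        if user in locked:
            continue                    # a locked account accepts no more attempts
        if result == "OK":
            consecutive[user] = 0       # a success resets the counter
            continue
        failures_by_src[src] += 1
        consecutive[user] += 1
        if consecutive[user] < LOCK_AFTER:
            continue
        # Lock (for simplicity permanent here; a deployment would expire it or
        # have the helpdesk clear it) and check the Y-accounts-in-Z-minutes rule.
        locked[user] = when
        recent_locks.append(when)
        while recent_locks and when - recent_locks[0] > ALERT_WINDOW:
            recent_locks.popleft()      # forget locks older than the window
        if len(recent_locks) > ALERT_OVER:
            alerts.append((when, len(recent_locks)))
    return Summary(locked, alerts, dict(failures_by_src))


def _attack(user, minute, n=LOCK_AFTER):
    """Constructed: n failures against one account, each from a new source address."""
    return [f"2004-05-24T09:{minute:02d}:{i * 10:02d} FAIL user={user} src=10.0.{minute}.{i + 1}"
            for i in range(n)]


# Constructed sample: three accounts guessed from rotating addresses, plus one
# legitimate user (dave) who mistypes once and then logs in.
LOG = (
    _attack("alice", 30)
    + ["2004-05-24T09:31:00 FAIL user=dave src=192.168.1.20",
       "2004-05-24T09:31:30 OK user=dave src=192.168.1.20"]
    + _attack("bob", 32)
    + _attack("carol", 34)
)

if __name__ == "__main__":
    s = process(LOG)
    for user, when in s.locked.items():
        print(f"locked {user} at {when.time()}")
    for when, count in s.alerts:
        print(f"ALERT {when.time()}: {count} accounts locked within {ALERT_WINDOW}")
    print("most failures seen from any single source:", max(s.failures_by_src.values()))
```

Per-account counting locks all three targets and raises one alert although no source address ever shows more than one failure, which is the situation a per-address cutoff on its own would miss.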

Use these... (5, Funny)

mcgroarty (633843) | more than 10 years ago | (#9237262)

These are the best passwords ever:
jieph9Ee eik4zahW que8aiQu wahK6pee nie1eCho aNg2raew

exeif0Ta ooqu9Aye Eid7iici eiZ6boin Waeg5kah Mi9vegoh
eelae9Oo Ua7yojie Jiquaud5 Vohw7iwi Eit7laax Aesae2ax
They are relatively random, easy to remember (you can kind of pronounce all of them), and best of all, nobody has guessed a single one of them yet. I've been using these for years, and you should too!

Re:Use these... (0)

Anonymous Coward | more than 10 years ago | (#9237342)

... How wonderful pwgen is ...

DESCRIPTION
pwgen generates passwords which are designed to be easily memorized by humans, while being as secure as possible.

I sense a good social engineering technique here (5, Funny)

Spatula Sam (770957) | more than 10 years ago | (#9237268)

"Hello, I'm doing a study for the Cambridge University Computer Laboratory on passwords..."

Revolutionary... (2, Funny)

danielrm26 (567852) | more than 10 years ago | (#9237277)

What's next? Long passwords better than short ones?

mynuts won: most memorabull score? (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9237284)

user name: eyecon0meter

pword: pateNTdead

real creators suggest using newclear power vs. (Score:mynuts won, pairannoyed)
by Anonymous Coward on Monday May 24, @09:39AM (#9237105)
unprecedented evile, whilst participating in the increasingly popular planet/population rescue initiative.

no contest. this stuff is unbreakable, & wwworks on several (more than 3) dimensions.

it's probably just a suggestion.

consult with/trust in yOUR creators.... with power to spare.

eye gas va lairIE/robbIE's pateNTdead corepirate nazi sponsored PostBlock(bm) devise, is STILL not working?

Due to excessive bad posting from this IP or Subnet, anonymous comment posting has temporarily (forever, if we had some ept) been disabled. You can still login to post. However, if bad posting continues from your IP or Subnet that privilege could be revoked as well. If it's you, consider this a chance to sit in the timeout corner or login and improve your posting . If it's someone else, this is a chance to hunt them down (like with fuddles' phonIE bouNTy hunter scam). If you think this is unfair, we just don't care.

a couple things i do (4, Interesting)

millahtime (710421) | more than 10 years ago | (#9237288)

There are a couple things i do....

1) On my servers the password changer forces them to not use dictionary words, has to have numbers, letters and nonnumeric characters, and they can't use their previous so many passwords
2) For my password I use a few things from my childhood that no one will ever come up with.
3) There is nothing like keeping up on your security patches.

Make the attacker work a thousand times harder? (2, Insightful)

arvindn (542080) | more than 10 years ago | (#9237289)

That will never be possible, considering this [slashdot.org] .

Seriously, even if you are using something other than passwords, say biometric authentication, security will remain as shabby as it is today unless users understand the importance of keeping the system secure. And that is a tall order.

Possible Solution? (1)

adamvjackson (607836) | more than 10 years ago | (#9237296)

How about using a smartcard for system logon and decryption of an AES database with your passwords?

http://keepass.sourceforge.net looks like it has potential.

Re:Possible Solution? (1)

porcorosso (178451) | more than 10 years ago | (#9237350)

keep ass? sounds naughty ...

Remembering "random" passwords (0)

Anonymous Coward | more than 10 years ago | (#9237307)

I don't think it's that hard to remember random passwords of a size like 8-9 chars.. It depends on how often you need to log in, when you logged in 3 times you can mostly remember them

Use passphrases instead (2, Informative)

Anonymous Coward | more than 10 years ago | (#9237309)

Back in the days of limited capacity, 8 or 10 character passwords made sense. Today, there's no reason why we shouldn't be moving towards pass phrases of 20-50 characters. How difficult would it be for someone to remember "It was the best of times, it was the worst of times." as their password, and yet, how difficult would it be to crack a 52 character password?

It's really just a matter of changing mindset to use passphrases instead of passwords.

The #1 cause of poor passwords (5, Insightful)

Shimmer (3036) | more than 10 years ago | (#9237314)

Most of the time, people just don't care. And why should they?

I probably have 200 passwords floating around in cyberspace, and 90% of them are "password". For example, I have to supply uid/pwd in order to read the Washington Post (my local newspaper). Is it important to keep this password secret? No, because I'm not very worried about someone reading the newspaper under my name.

Unless I have confidential personal information at stake, I am not usually motivated to create a strong password.

So, sysadmins, if the security of your overall network is more important than Joe User's individual data, you need to enforce strong password rules. Relying on users to create strong passwords voluntarily under such conditions is foolish.

Random or mnemonic? (4, Insightful)

spidergoat2 (715962) | more than 10 years ago | (#9237320)

It just doesn't matter. It's still going to be written on a yellow sticky and stuck on the screen.

Phonetic Passwords (4, Interesting)

N8F8 (4562) | more than 10 years ago | (#9237326)

I used to work on a military installation with really elaborate guidelines for choosing passwords. It would usually take me at least a dozen times to choose a valid, unused password. My buddy had a trick that would get him a good password every time. Being fluent in Korean, he would come up with a phrase in Korean and spell it out phonetically to produce a new password. I wonder how many foreign language workers in the US do the same thing?

Re:Phonetic Passwords (1)

Mz6 (741941) | more than 10 years ago | (#9237451)

I wouldn't be surprised....

I also work on a military installation and it takes forever to be able to choose a password. Not only do you have to use the basic methods already described here, but it also cannot be similar to used passwords or dictionary passwords in any way. Therefore, it checks for a password such as keyboard23 or 2clock10. Add that with all the other password tricks (alphanumeric, etc..) and it takes a good 5 minutes to pick a password before the system takes it.

pretty non-intuitive results? (1)

Monofilament (512421) | more than 10 years ago | (#9237331)

I'm confused.... all those answers that were listed in the front page version of the article (yes, in true Slashdot style, I don't even wanna read the actual link, and have no time otherwise)

are pretty much what I would think of passwords. I think I lost some knowledge by reading the results of that study. It amazes me how people can study things to come up with a non-scientific proof answer to things we already know. I mean it's a survey.. it's not exact... we all knew the answers anyways.. so why even survey.. not like it's a real proof or anything.

I think the real problem with passwords is nobody ever teaches anybody how to make a strong password that is easy to remember. You're just told the parameters and left to fend for yourself. I myself personally have always come up with combinations of letters and numbers and special characters that have a seemingly random look and in fact have a correlation to some phrase I have in my head, and usually it's a phrase I would only think of and not necessarily say in real conversation to people.

good password generation (2, Insightful)

CharAznable (702598) | more than 10 years ago | (#9237343)

I find that a good way of generating passwords is to come up with a sentence or a phrase that makes sense to you, take the first letter of each word, and then 1337 it up. For instance, Windows XP loves the Sasser worm becomes: WxP175W It's cryptic enough and easy to remember

My password method (4, Informative)

gosand (234100) | more than 10 years ago | (#9237344)

I have been able to successfully remember randomly generated passwords, but once they slip your mind - you are screwed. My password method is this:

1. generate a password using some word algorithm: I was born on a Monday = "IwboaM"
2. come up with some kind of replacement strategy: w=m, a=1. IwboaM = Imbo1M
3. bookend it with the year you were born: Imbo1M = 19Imbo1M69.

It looks totally random, but there is a method to the madness. If you need to change it, you can just inc the year, or use some other rule on it. The strength is that you completely make up the rules, and they don't have to make any sense. All you have to do is remember the original phrase (easy) and your rules (easy to complex).

(and the example I gave is completely arbitrary)
You could also do one where your password is the answer to the question. Remember the question "What month was I born?" Answer: October
Password starting point = HalloweenMonth. Then apply crazy rules to it. In this way, you can write down your reminder phrase "Month born?" and it is nowhere near what your password is.

Better than Nothing (1, Interesting)

Anonymous Coward | more than 10 years ago | (#9237345)

For users who claim they can't remember passwords, I recommend that they use the names of two of the favorite pets they have had in their lifetime, with one or more numeric or symbolic characters in between and/or at the beginning or end.

i.e. Rover8Kitty!

It's not great, but better than Mary2.

Keyboard patterns? (4, Interesting)

Amoeba (55277) | more than 10 years ago | (#9237364)

I'm sure I'm not the only one who occasionally uses keyboard patterns for passwords. I'm not talking qwertyuiop or asdfg (obvious) but things like !@()ZX>? Hell, half the time I remember friends' phone numbers by the way you punch in the numbers. Sometimes when asked what a number is I'll even do the "phantom phone dial finger wiggle" so I can recite the damned thing.

Looking at the above example it appears to be a password which follows the "strong password" methodology but have there been any studies on the effectiveness of using such a method? I know there are dictionary-based attacks which have some of the obvious patterns (qwerty, poiuy etc) but is such a method random *enough* to be feasible?

It seems to me that it would be much easier to train users to use a muscle-memory-like password than picking some word out of their ass. The human brain has one seriously developed pattern recognition/matching capability... why not use it?

Amoeba

Mnemonics and shared passwords. (1)

oneiros27 (46144) | more than 10 years ago | (#9237377)

Mnemonics can be annoying when you have different people creating them -- if people use slightly different rules when creating the passwords, it can cause all sorts of problems --
  • do you perform any subsequent modifications (a -> @; s-> $; e-> 3), once you have the password?
  • are you consistent in your capitalization rules?
  • Are you consistent in your punctuation rules?

I find it particularly annoying when people use what I call the 'license plate' passwords -- if you know what the mnemonic is, the password makes sense, but it's difficult to consistently go from the mnemonic to the password --
  • !4m32s@y -> Not for me to say -> !4me2say
  • !4us2d0 -> Not for us to do -> !4us2do
(yes, I worked with some people who were rather negative) ... but it'd get annoying when you're told what root's been changed to, and they don't have consistent rules for the passwords.

Personally, I was working on a program for generation of passwords from fortune, so that things are handled consistently, but I've stalled the idea until I get it to use a significantly larger basis for the mnemonics (as if you knew the source of the mnemonics, and the rules for generating passwords, it's just as easy to brute force as a dictionary attack)
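The three steps in gosand's method above, and the consistency problem oneiros27 describes, written out as an added example (this is not code from the thread, from the paper, or from any commenter's program). The substitution table, the word table and the bookend values are constructed here only to reproduce the commenters' own examples; the point is that once the rules are data rather than habit, the same phrase always yields the same password.

```python
"""Deterministic mnemonic-to-password rules (added example, not from the thread).
The rule tables below are constructed to match the examples given by the
commenters: 'I was born on a Monday' -> '19Imbo1M69' and
'Not for us to do' -> '!4us2do'."""


def first_letters(phrase):
    """Step 1: keep the first character of each word, case preserved.
    'I was born on a Monday' -> 'IwboaM'."""
    return "".join(w[0] for w in phrase.split())


def substitute(text, subs):
    """Step 2: apply a fixed character replacement table such as
    {'w': 'm', 'a': '1'}.  Done character by character, so a replacement
    can never be re-replaced by a later rule and rule order is irrelevant."""
    return "".join(subs.get(c, c) for c in text)


def bookend(text, prefix, suffix):
    """Step 3: wrap the result in fixed strings, e.g. a year split in two."""
    return f"{prefix}{text}{suffix}"


def mnemonic_password(phrase, subs, prefix="", suffix=""):
    """Run the three steps in a fixed order."""
    return bookend(substitute(first_letters(phrase), subs), prefix, suffix)


# 'License plate' style: whole-word replacements.  One shared table means
# 'Not for me to say' comes out as '!4me2say' for everyone, never '!4m32s@y'.
PLATE_WORDS = {"not": "!", "for": "4", "to": "2", "two": "2", "too": "2",
               "you": "u", "are": "r", "and": "&", "at": "@"}


def license_plate(phrase, words=PLATE_WORDS):
    """Replace whole words from the table; other words are kept lower-case."""
    return "".join(words.get(w.lower(), w.lower()) for w in phrase.split())


if __name__ == "__main__":
    print(mnemonic_password("I was born on a Monday", {"w": "m", "a": "1"}, "19", "69"))
    print(license_plate("Not for me to say"))
    print(license_plate("Not for us to do"))
```

Because `substitute` works per character, a table like `{"m": "a", "a": "1"}` turns `m` into `a`, not into `1`; with chained `str.replace` calls the outcome would depend on the order the rules were listed, which is exactly the inconsistency oneiros27 complains about.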

passphrase passwords (2, Informative)

thogard (43403) | more than 10 years ago | (#9237380)

Some people have been claiming that using things like "fsa7ya" or "4sa7ya" as the 1st letters of "four score and 7 years ago" is a good way to make up passwords. I've got a friend who has a dictionary of about 20,000 such phrases and it took a few of us about a half hour to find a common quote that wasn't in his list. He also happens to have a 50 word list that is very effective at brute force attacks.

It doesn't matter... (1)

italiannavigator (769943) | more than 10 years ago | (#9237385)

...how good the password is if the users keep taping them to their monitors. Incredible, to say the least.

a password policy I've been dying to implement... (2, Funny)

rivaldufus (634820) | more than 10 years ago | (#9237389)

1. password must be at least 64 characters long, with no dictionary words, and at least 8 special characters
2. Passwords expire in 24 hours
3. Account is locked out after two mistakes
4. A given character may be used only once in a particular password (No repeated characters)
5. Account locks out on second attempt

I'd love to see someone implement this policy at some corporation - just so long as I'm not the administrator there.

Physical tokens are better (3, Insightful)

Slick_Snake (693760) | more than 10 years ago | (#9237394)

Use of a physical token combined with an easy to remember pin is more secure than passwords. Since pin numbers tend to be short there is no problem with choosing them randomly. Furthermore with a limit on the number of failed attempts before disabling the token you make it nearly impossible for someone to break in.

Looking at it through cynical eyes it doesn't matter how secure your method is because you are ultimately placing trust in the typical user who will most likely do something stupid when given the chance.

Read Lots Of HP Lovecraft For Password Ideas (3, Funny)

pandrijeczko (588093) | more than 10 years ago | (#9237397)

After all, with creatures like Cthulhu, Nyalarthotep, Tsathoggua, Hounds Of Tindalos, the Wendigo, etc., there's plenty of scope for non-dictionary passwords and I've never seen a Cthulhu mythos word file for password crackers...

...having said that, with having uttered these names so frequently in the past, I now have a large black tentacle growing from the back of my neck and keep seeing strange shapes lurking in the shadows...

Gibber...

Mnemonics questionable (5, Funny)

Anixamander (448308) | more than 10 years ago | (#9237399)

My mnemonic, which should have been hard for people to guess, was "Please ask sister sally where's our rottweiler dog"

And the thing is, we didn't even have a rottweiler, it was a shepherd. But people still guessed it, so I don't use mnemonics anymore.

my password.... (1)

pickledick (782404) | more than 10 years ago | (#9237412)

I use "socket2me" for a password. Is this random enough not to be guessed?

6. The sixth folk belief... (5, Funny)

cedmond (515813) | more than 10 years ago | (#9237433)

Using the term "folk belief" more than once in a paragraph can become very annoying. This belief is confirmed.

Observations on random passwords (1)

clone22 (252516) | more than 10 years ago | (#9237447)

In my consulting practice I will often set up a new server at a client site and assign a password, which is always a random string of letters and numbers. I usually get a shocked look when I tell them the password, but they do commit it to memory (I've never had a client write it on a post-it). I repeat the password with a cadence that makes it easy to remember.

One thing I have noticed is that clients will often be reluctant to change a random password they have memorized, as if their brain can only memorize one random string. I'll go back months later to find they are still using that same password. In fact, it often becomes the "standard password" on numerous systems.

The one practice that really makes my skin crawl is the system of using words with numbers replacing letters, like "5ecur1ty" and "pa55w0rd". No one would ever think of adding those to a dictionary attack, would they?
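clone22's point that "5ecur1ty" and "pa55w0rd" are trivial for a dictionary attack, and the policy millahtime describes (no dictionary words, letters plus digits plus other characters, no reuse of recent passwords), as an added example of the checking side: this is not code from the thread or from any commenter's system. The word list is a constructed stand-in for a real dictionary, and the leet table is an assumption about which symbols people commonly swap for which letters. The checker undoes those swaps before it looks for dictionary words, which is what a password changer must do for the "no dictionary words" rule to mean anything.

```python
"""Password policy checker that de-leets candidates before the dictionary
test.  Added example, not from the Slashdot thread; DICTIONARY and LEET are
constructed for illustration."""
import itertools
import re

# Constructed mini dictionary; a real deployment loads a full word list.
DICTIONARY = {"security", "password", "keyboard", "clock", "monday",
              "rover", "kitty", "sally", "october", "halloween"}

# Assumed digit/symbol stand-ins for letters.  A value lists every letter
# the symbol is commonly used for, so "1" is tried as both "i" and "l".
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
        "8": "b", "@": "a", "$": "s", "!": "i", "(": "c", "+": "t"}

MAX_VARIANTS = 4096  # bound the expansion for very long inputs


def deleet_variants(pw):
    """Every plain-letter spelling the password could stand for."""
    choices = [LEET.get(c, c) for c in pw.lower()]
    combos = itertools.islice(itertools.product(*choices), MAX_VARIANTS)
    return {"".join(combo) for combo in combos}


def dictionary_hits(pw, min_len=4):
    """Dictionary words hidden in the password once leet swaps and
    surrounding digits/punctuation are removed ('keyboard23' -> keyboard)."""
    hits = set()
    for variant in deleet_variants(pw):
        letters = re.sub(r"[^a-z]", "", variant)
        for word in DICTIONARY:
            if len(word) >= min_len and word in letters:
                hits.add(word)
    return hits


def check_password(pw, min_len=8, history=()):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letters")
    if not re.search(r"\d", pw):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol characters")
    hits = dictionary_hits(pw)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(sorted(hits)))
    if pw in history:
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    for candidate in ("5ecur1ty", "pa55w0rd", "keyboard23", "Rover8Kitty!", "Xk9#qL2!v"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

The substring test is deliberately loose: "Rover8Kitty!" from the "Better than Nothing" comment is rejected for both pet names, and "2clock10" from Mz6's comment is caught through "clock". Trading that looseness for precision (whole-word matches only) is what lets "keyboard23" through, which is the case Mz6's system was built to stop.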

My password technique (3, Interesting)

ID_Roamer (725238) | more than 10 years ago | (#9237454)

I read a story about a book method for developing crypto keys. It was a fairly common method in the past before computers. I thought about it and have used it for years for choosing my passwords. They tend to be mnemonics, but I can write down a hint sheet that is pretty safe.

It works like this. I choose a book at random from my work area, choose a page at random and then pick a line. I develop a mnemonic password from that line. If I need a hint, I write down the page and line number on a piece of paper; I can even stick it to my monitor if I need to. My average library of reference books at work is over 50 books. How big a hint to an attacker is 347 12? All I have to remember is what book I chose.

My last job, my boss couldn't remember any password that wasn't part of his name until I introduced him to mnemonic passwords.

Monthly password changes (1, Interesting)

Anonymous Coward | more than 10 years ago | (#9237457)

I have to change several passwords every month or 3 months. The systems have all the integrity checks for the passwords, checks for dictionary words, numbers in the middle, special characters, all that stuff. It used to take me several tries to come up with a password that met criteria and that I could remember.

So finally I figured out a pattern of keyboard taps that would meet the rules no matter which key on the keyboard you started with. So now I memorize 1 pattern and effectively have a 1 character password for every system I deal with.

Is it secure? no clue. Since I type it 1 fingered, it is probably vulnerable to shoulder surfers, but other than that I don't see a problem with it. I only know one other person that uses this technique, so there are probably not any specific attacks for it.

But if someone makes me use a Dvorak Keyboard, I am SOL.