
Password Security Not Easy

michael posted more than 9 years ago | from the duh dept.

Security 674

mekkab writes "The Wall Street Journal reports (yet again) that despite knowing better, users do dumb things to compromise security. Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask? Do people need training on how to make well known phrase (to them) into a perfect password acronym, or other memory boosting techniques? Or is it that the entire business culture needs to change from within to take digital security seriously?" If you require unmemorizable passwords, you've effectively changed the security requirement from "something you know" to "something you have", and if the required dongle is a note under your keyboard...


674 comments

Integrate the pin with securid (4, Interesting)

stecoop (759508) | more than 9 years ago | (#11053751)

required dongle is a note under your keyboard

There are more advanced security schemas. I know some places I have worked use securids where if you get possession of the key chain and know their userid, then you can become them. This isn't any good.

A little bit better solution is having a securid login with a pin code - still not quite there as I only have to get your login name, securid key chain and guess what your 4 digit pin is.

The best password schema I have seen so far is where the securid and pin are integrated so that the seed in the random number generator for synced securids is the pin - the securids are just random numbers where the next number is based on some fixed pattern and the number is only good for 60 seconds. But this still has a few holes, I could figure out the pattern in securid and brute force the pin then re-add the pin as the seed. But for nowadays, this is the best I have.

Re:Integrate the pin with securid (5, Interesting)

wfberg (24378) | more than 9 years ago | (#11053873)

The best scheme is a smart device (such as a smart-card with standalone(!) cardreader), that lets you physically enter a PIN into it, which then unlocks a securid or challenge/response scheme.

The (embedded) chip is tamper-resistant (quite possibly erases the secrets inside when opened) and only lets you try 3 pins. The challenge/response scheme can then be as convoluted as you like, perhaps based on public/private key.

My bank uses the chip embedded on my regular ATM card, and a card reader with a keypad and integrated LCD readout. When logging on to e-banking, I enter a PIN, enter a challenge on-screen, and then enter the response from the LCD readout into my browser.
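The two posts above describe a time-synchronised token (a new code every 60 seconds) combined with a PIN, and a server that locks after a few bad tries. The following is an added example, not code from the original thread or from any token vendor: a standard HOTP/TOTP implementation (RFC 4226 / RFC 6238, HMAC-SHA1 with 6 digits) and a hypothetical `TokenVerifier` class that checks PIN and code together, tolerates one step of clock skew, and locks the account after three failures. The seed, PIN, salt and timestamps are constructed values; in a real deployment the seed would live in the token's tamper-resistant chip and a per-user random salt would protect the PIN hash.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduced to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock.
    A 60-second step matches the token described in the thread."""
    return hotp(secret, int(at_time) // step, digits)


class TokenVerifier:
    """Hypothetical server-side check (added example): one shared seed per
    token, a salted PIN hash, a clock-skew window and a lockout counter, so a
    4-digit PIN cannot simply be enumerated online."""

    def __init__(self, seed: bytes, pin: str, step: int = 60,
                 window: int = 1, max_failures: int = 3):
        self.seed = seed
        self.step = step
        self.window = window
        self.max_failures = max_failures
        self.failures = 0
        self.salt = b"constructed-salt"  # constructed; use a random per-user salt
        self.pin_hash = self._hash_pin(pin)

    def _hash_pin(self, pin: str) -> bytes:
        # A 4-digit PIN has no useful entropy against an offline attack on this
        # hash; the lockout below (and the tamper-resistant chip) is what
        # actually protects it.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def verify(self, pin: str, code: str, at_time: int) -> bool:
        """Return True only if both the PIN and the current code are right."""
        if self.locked:
            return False
        pin_ok = hmac.compare_digest(self._hash_pin(pin), self.pin_hash)
        counter = int(at_time) // self.step
        code_ok = False
        # Check every step in the window without short-circuiting, so timing
        # does not reveal which step (if any) matched.
        for k in range(-self.window, self.window + 1):
            if hmac.compare_digest(hotp(self.seed, counter + k), code):
                code_ok = True
        # Both factors are evaluated before the decision, so a rejection does
        # not tell the caller whether the PIN or the code was wrong.
        if pin_ok and code_ok:
            self.failures = 0
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    # Constructed demo values: RFC 4226 test seed, a made-up PIN and clock.
    seed = b"12345678901234567890"
    now = 1000
    verifier = TokenVerifier(seed, pin="1234")
    print("current code:", totp(seed, now))
    print("good login:", verifier.verify("1234", totp(seed, now), now))
    for _ in range(3):
        verifier.verify("0000", totp(seed, now), now)
    print("locked after 3 bad PINs:", verifier.locked)
```

The `hotp` function reproduces the RFC 4226 reference vectors (seed `12345678901234567890`, counter 0 gives `755224`), which is a quick way to confirm an implementation before trusting it. The design choice worth noting is that the PIN and the code are accepted or rejected as one credential: an attacker who has the key fob (stecoop's first scenario) still has to guess the PIN, and the lockout turns a 10,000-guess search into three attempts.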

Re:Integrate the pin with securid (0)

Anonymous Coward | more than 9 years ago | (#11053982)

The required dongle is in my pants.

Re:Integrate the pin with securid (0)

Anonymous Coward | more than 9 years ago | (#11054005)

I'd venture that's pretty damn safe then...don't think anyone is going *there*

I only have 2 passwords (3, Interesting)

xyeeyx (839193) | more than 9 years ago | (#11053757)

2 passwords, none of them are words, easy to remember. anyone else have a few standard passwords?

Re:I only have 2 passwords (2, Insightful)

Kiryat Malachi (177258) | more than 9 years ago | (#11053796)

I have 5, now. Each time I rotate passwords (once per year, usually), the highest security one moves down a notch, and everything below it gets bumped down by one.

Re:I only have 2 passwords (5, Insightful)

ifdef (450739) | more than 9 years ago | (#11053832)

I have about 4, EXCEPT FOR WORK. At work, they require changing passwords every month or so. So now, having used up all my imaginative ones, I use fairly easy-to-remember (and so easy-to-guess) passwords at work. Somehow, they don't seem to realize that by forcing me into the situation where I *can't* have a password that is both obscure and easy for me to remember, they are making the system LESS secure, rather than more secure.

Re:I only have 2 passwords (1, Funny)

Anonymous Coward | more than 9 years ago | (#11053902)

I use aaaaaaaa and goatse911 for everything. Haven't been rooted yet...

Re:I only have 2 passwords (2, Funny)

Anonymous Coward | more than 9 years ago | (#11053988)

Tell me about it, just the other day I rooted some guy who used aaaaaaaa and goatse911 for everything. Poor sucker probably doesn't even realize he's been rooted yet.

Re:I only have 2 passwords (2, Interesting)

maskedbishounen (772174) | more than 9 years ago | (#11053942)

Yes. :)

I have two different sets. One specifically for online sites like PayPal, my bank, etc. The other is for generic internet things.

The important stuff set is then further split into one of two passwords, chosen depending upon how "important" the site is. So my Amazon account won't use the same as my bank, and such.

The generic set is split into three, or occasionally four, also based on importance.

The rare fourth is my root password, the third my normal login, second for general web usage, and last for throw away usage.

I tend to use the throwaway one a lot. /., IRC, Gmail. In fact, all my friends know it, and I've yet to have them play around with my stuff. YMMV, and you should still rotate passwords every so often . . . or so I'm told.

Re:I only have 2 passwords (2, Funny)

Profane MuthaFucka (574406) | more than 9 years ago | (#11053950)

My luggage is 1, 2, 3, 4, 5. Probably your luggage too.

Actually, I have my luggage combination written in sharpie on the outside, right next to the lock. It's 0-0-0-0. That's so the TSA can open it up if the numbers happen to get bumped away from 0-0-0-0.

Online I have an easy password, which is used everywhere unimportant; a medium password, which is used on sites that I would not want to lose the account for; a hard password used on sites with sensitive and personal information; and a secure password which is used on sites with direct access into my bank account, such as bill pay sites.

At work they require us to have those unmemorizable passwords, so I just tattooed it on my cock where it's always 'handy'. Had a bit of trouble when they increased the length from 6 to 8 letters. Those last two letters hurt quite a lot.

Re:I only have 2 passwords (3, Interesting)

99BottlesOfBeerInMyF (813746) | more than 9 years ago | (#11053953)

anyone else have a few standard passwords?

For low security operations, like your online accounts, using a standard password is not too unreasonable. With just a hair more effort, however, you can use a standard password scheme. For example, instead of using "8dogs8food" as your password for all of the random online accounts you have, prepend or append the first letter of the web site you are accessing. For Amazon.com you can have "a8dogs8food" and for slashdot you can have "s8dogs8food." This gives you a better idea if your password is leaked, and keeps insiders from using your userid/passwd on other consumer sites. I think that a password scheme like this strikes a good balance of security and ease of use.

Just get rid of them... (3, Insightful)

danielrm26 (567852) | more than 9 years ago | (#11053762)

Asking users to learn to create and manage complex passwords is not realistic; user education and/or "awareness" just isn't all that viable. The way the password problem is going to be solved is very simple - they aren't going to be used anymore.

Using SecureID or another similar solution is the "no-brainer" solution that today's users need. This way they don't have to remember anything other than a simple pin - which, luckily, is just about the limit of most people's powers in this arena.

As an admin... (5, Funny)

0racle (667029) | more than 9 years ago | (#11053765)

I hate people that put their password under their keyboard. Like damn people, on the underside of the desk, is that so much to ask.

Re:As an admin... (0)

Anonymous Coward | more than 9 years ago | (#11053847)

Those are the same people who put their housekey under the welcome mat. There's no hope for them.

Re:As an admin... (2, Funny)

maskedbishounen (772174) | more than 9 years ago | (#11053972)

Pfft.

We all know "real" men just kick down the door after they lock themselves outside.

And real geeks lock themselves inside. ;)

Gadget (1)

John Girouard (716057) | more than 9 years ago | (#11053766)

Didn't ThinkGeek used to sell a little keychain device that was built to keep track of these things? I was looking for this a couple days ago, and couldn't find it for the life of me.

Known for quite some time... (3, Insightful)

Omniscientist (806841) | more than 9 years ago | (#11053768)

No matter how complex our security systems get, no matter how secure we can encrypt passwords to prevent brute force cracking of them, there will always be that human element of weakness. There will always be that one person who can be easily tricked over the phone to give out a password. There will always be that one person who will use their first name and last initial (ahem...half life 2 forum admin) as their password. So we really can't get top notch security without excellent education to these people on what to do in these situations.

Re:Known for quite some time... (2, Funny)

savagedome (742194) | more than 9 years ago | (#11053906)

There will always be that one person who will use their first name and last initial

Yeah. Bunch of idiots. That's why I drop the last initial.

Special Characters != More Secure (3, Insightful)

Anonymous Coward | more than 9 years ago | (#11053769)

I can't remember how many IT admins thought that requiring a password with special characters and numbers would make the system more secure. Sure it will add an extra 12 hours on a brute force attack, but if you don't notice an 8 hour running brute force attack you really are not a good admin.

Re:Special Characters != More Secure (2, Insightful)

jdunn14 (455930) | more than 9 years ago | (#11053885)

Note that not all brute force attacks take place against the online system. Through a bug in some service, a poorly configured database, or a single compromised username (plus a privilege escalation) an attacker may be able to send the passwd (hopefully shadow) file to another machine where they can brute force at their leisure. Much smaller chance of detection this way.

Also note that requiring special characters does far more than add "an extra 12 hours". In most cases the brute force attack would be many *times* longer when you increase the possible characters by 1, let alone a bunch of special characters. Of course, users tend to just append the characters, so brute forcing may take advantage of that, but at that point you're getting away from what a "brute force" attack implies.

If the required dongle is a note under your kb... (4, Insightful)

FreeUser (11483) | more than 9 years ago | (#11053774)

... then at least a person has to gain physical access to the machine before they can compromise your account. Of course, we all know that once a person has physical access to the machine, all bets are off anyway.

It isn't as good as memorizing the password, but it's a hell of a lot better than having a weak password that is trivial to guess and compromise via the Internet.

Yes. (2, Insightful)

captnitro (160231) | more than 9 years ago | (#11053776)

Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask?

Absolutely it is. This is one of those examples of culture clash: the tech-inclined, and not. Absolutely it's too much to ask, just like asking mom or dad to "just open the command line.. it's so easy!" Yeah, it is too much.

Re:Yes. (1)

mphase (644838) | more than 9 years ago | (#11053843)

I was going to moderate this post but I think I'd rather respond. SARCASM YOU FOOL! The sentence you quote obviously implies that this is absolutely too much to ask.

Re:Yes. (0)

Omniscientist (806841) | more than 9 years ago | (#11053881)

It contains some sarcasm perhaps, but I think it's being serious. To protect the integrity and security of the company that you are working for, it is really not that much to ask for. And with proper training and time put in to make people do this, I think it can be done.

Re:Yes. (1)

captnitro (160231) | more than 9 years ago | (#11053920)

Yah, I know. :) But I've actually heard it before, and even the different password mnemonics (memorize a sentence, use first letter from each) are too much. When entire pages can be written on "password strategy", it's gotten out of control.

Computing's biggest hurdle in the coming years is going to be disappearing entirely. By which I mean, if computers really are a magical black box that makes our lives easier, then things like security shouldn't be taking up chunks of my life. They should take care of themselves. Just, nobody's sure how to do it yet.

Re:Yes. (0)

Anonymous Coward | more than 9 years ago | (#11053898)

If only it were just seven different passwords. For most people it's more like 20 or 25 different ones.

Re:Yes. (1)

Telastyn (206146) | more than 9 years ago | (#11053961)

Hell, most tech savvy [and security savvy] people I know won't deal with 7 separate passwords. If they do, it's because they've generated the passwords somehow, meaning that all of the passwords are compromised if someone figures out the pattern.

Change 'password'..... (2, Informative)

Anonymous Coward | more than 9 years ago | (#11053790)

... to 'passphrase'.

Then tell your users to think of a phrase like 'my son's name is Jim', and get them to use it as their password.

Putting in punctuation makes it harder to crack too. Although it still won't stop social engineering.

My Password (3, Funny)

Greenisus (262784) | more than 9 years ago | (#11053793)

My password is weu@$9JKcpw34.

No one has ever guessed it.

Re:My Password (4, Funny)

Spudley (171066) | more than 9 years ago | (#11053860)

I use my dog's name as my password.

My dog is called Pchg65Lb, but he changes his name every few weeks. :-D

No it's not... (0)

Anonymous Coward | more than 9 years ago | (#11053919)

nice try

the way they do it at IU... (1)

AxemRed (755470) | more than 9 years ago | (#11053798)

The password has to be 8 characters, letter and number combo, not in the dictionary, and no repeating patterns. On the plus side, it doesn't expire.

Sticky Notes? (1)

Mamoth (89191) | more than 9 years ago | (#11053799)

What? Sticky notes with passwords on them aren't secure? Who would have guessed!

Re:Sticky Notes? (0)

Anonymous Coward | more than 9 years ago | (#11053865)

I encrypt my stickies by crumpling them up first.

Biometrics (1)

nightsweat (604367) | more than 9 years ago | (#11053805)

Passwords are always going to be flawed. Biometrics are the wave of the near future/present.

Re:Biometrics (1)

scoser (780371) | more than 9 years ago | (#11053875)

Yeah, it is the wave of the future, but biometric scanners need to be worked on a lot more before they come into common/important use. Most commercial scanners tend to have a significant amount of false positives/negatives and some of them can be easily tricked using simple means.

Re:Biometrics (3, Insightful)

wfberg (24378) | more than 9 years ago | (#11053931)

Passwords are always going to be flawed. Biometrics are the wave of the near future/present.

Yeah. Unlike password biometrics are resistant to, what, 10 replay attacks? Unless you're using iris-scans, then you've got 2 passwords, maximum.

You are aware that most fingerprinting gear is resistant to the dreaded Gummy Bear attack? (That's where they use a copy of your prints - lifted off of a glass you used for example - made out of Gummy Bear candies).

Biometrics are useless unless the biometric-taking hardware is physically secured by human guards checking to make sure you're not palming any Gummy Bears.

(As a cost-cutting measure, notice how human guards are much better at facial recognition than computers, and just issue photo-IDs..)

Re:Biometrics (4, Insightful)

Jucius Maximus (229128) | more than 9 years ago | (#11053963)

"Passwords are always going to be flawed. Biometrics are the wave of the near future/present."

There should be some feature in slashcode to remind people who inevitably try to post this that as soon as someone can fake your fingerprint or retinal scan, you are forked for life because you can never change those things.

Re:Biometrics (1)

Ced_Ex (789138) | more than 9 years ago | (#11053974)

How is biometrics any better? Fingerprint recognition can be messed up if you cut your hand. Retinal scanning is messed up if you happen to develop a retinal tear or a bruised eye. Voice recognition is bungled up when you have laryngitis.

Any security has a flaw because it has a hole in it. Even if you have only one hole which happens to be the authenticated user, who's to say that user is the authentic person?

Re:Biometrics (1)

bitslinger_42 (598584) | more than 9 years ago | (#11053984)

In addition to the points of the previous poster, biometrics also introduce new risks. For example, while it is fairly easy to revoke a compromised password, revoking a finger is much more, how shall I say, painful. It also means that a determined attacker will now have to consider physical damage to the user (i.e. the eyeball from Minority Report).

It's time... (1)

Twisted64 (837490) | more than 9 years ago | (#11053813)

...for biometrics to spread out a bit more. I want a retinal scanner! It protects data, and with any luck, saves my eyesight into the bargain!

Stupid rules == stupider passwords (0)

Anonymous Coward | more than 9 years ago | (#11053814)

The problem with stupid rules like chars+numbers is that people will still pick something easy to remember.... what movie is out now? "8 characters, needs numbers" oceans11 "8 characters, needs punctuation and numbers" oceans11

Oceans 11 Password (1)

totallygeek (263191) | more than 9 years ago | (#11053959)

what movie is out now? "8 characters, needs numbers" oceans11 "8 characters, needs punctuation and numbers" oceans11

That's pretty damn secure! I have been trying to own root on your box all morning with "oceans12"....

Spaceballs Password (3, Funny)

vivin (671928) | more than 9 years ago | (#11053816)

Best password/pin ever:

[King Roland has given in to Dark Helmet's threats, and is telling him the combination to the "air shield"]
King Roland: One.
Dark Helmet: One.
Colonel Sandurz: One.
King Roland: Two.
Dark Helmet: Two.
Colonel Sandurz: Two.
King Roland: Three.
Dark Helmet: Three.
Colonel Sandurz: Three.
King Roland: Four.
Dark Helmet: Four.
Colonel Sandurz: Four.
King Roland: Five.
Dark Helmet: Five.
Colonel Sandurz: Five.
Dark Helmet: So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard! That's the kind of combination an idiot would put on his luggage!

Re:Spaceballs Password (1)

root2 (265347) | more than 9 years ago | (#11053859)

Plus, of course, there's the scene moments later, when Dark Helmet tells President Skroob the password ....

"Good heavens! That's the password I put on my luggage!"

The SlashDot Password Guessin' Game (2, Funny)

oexeo (816786) | more than 9 years ago | (#11053817)

(Disclaimer: Please don't play this game!)

1) Take the following five passwords:

- password
- slashdot
- 123456
- password123
- [Username]

2) Attempt to login to as many slashdotters accounts as possible.

3) Post incriminating/stupid/slanderous/troll comments on behalf of users you now 0wn.

4) While the FBI are busy smashing down your door: Take a hammer to your hard-drive's platters, and run like a screaming idiot while you think about how stupid you were to follow my instructions.

(Disclaimer: Please don't play this game!)

P.S. If your password was listed above: Change it!

even no password at all (1, Funny)

Anonymous Coward | more than 9 years ago | (#11053889)

incredible, some slashdot users don't even use a password

see this anonymous coward, shame on him

I noticed that the article mentions... (2, Insightful)

gandell (827178) | more than 9 years ago | (#11053820)

...the Sarbanes-Oxley act. Many financial institutions required to follow these regulations also are liable for the FFIEC regs. I believe that the FFIEC regs. DO require alphanumeric, 8 digit passwords.

Whether they do or not, the FDIC auditors emphasize this policy strongly. If it's not written in stone yet, it will be.

To be honest, I approve such a measure. It disturbs me to think that our local bank's security policy might be more lax than Yahoo's.

Re:I noticed that the article mentions... (1)

VE3ECM (818278) | more than 9 years ago | (#11053907)

The company I work for had to put in a new password policy in order to comply with Sarbanes-Oxley. They even pushed a global policy to the desktop making all workstations lock after 5 minutes of inactivity. 'Bout time.

Is it hard to make complex passwords? (1)

Morgahastu (522162) | more than 9 years ago | (#11053821)

Yes.

It is hard.

When you work in an organization where you have 5-10 passwords for different applications such as the network domain (email), web apps, etc; each requiring complex passwords that expire every 3 months, it becomes VERY hard to keep track of all these passwords and think of something else to replace them all with.

Re:Is it hard to make complex passwords? (0)

Anonymous Coward | more than 9 years ago | (#11053928)

Is it hard to make complex passwords? -- Yes.

Actually, no. It's actually very easy to make complex, unguessable passwords - just mash a bunch of keys on your keyboard. Or use a random number generator.

It's just that it's just as easy to *forget* complex, unguessable passwords, especially if you don't use them every day.

Password Expired (1)

Smallest (26153) | more than 9 years ago | (#11053827)

Are seven different 8 character passwords (with numbers and mixed cases) really too much to ask?

yes. when you're forced to change them every 30 days, and you can't repeat any of the last five, you quickly run out of things you can easily remember early in the morning.

What about biometric systems? (0)

Anonymous Coward | more than 9 years ago | (#11053838)

If a company is going to invest in a hardware solution like secureid, what about using a biometric solution like fingerprint scanners instead? I know it probably isn't worthwhile if a lot of people are remote, but are the systems secure enough these days for local security?

stick me (0)

Anonymous Coward | more than 9 years ago | (#11053839)

from the article:

[...] Mr. Darby says. "I'm thinking that tattoos are the way to go."

nope, but try it and you could become a password piece of art!

Why should the users be concerned about security. (1)

jellomizer (103300) | more than 9 years ago | (#11053840)

Seriously, most users see computer security as an IT problem, not theirs. They just want to get their work done. All the education in the world and all the bickering will not stop them from making stupid, easy to guess passwords. Now if IT had the power to fire people whose account compromised the corporate system because some hacker guessed their password and got in, then maybe it would be different. But IT rarely has that power. If 1234 logs them in then they will use it because it is easy to type. If it was up to them they wouldn't even want their login IDs, and many forget theirs because they just don't log off their system.

Password expiration (2, Interesting)

crow (16139) | more than 9 years ago | (#11053841)

This goes along with my other pet peeve--password expiration. Here at work, the Windows passwords must be at least 8 characters, with mixed case and numerals. They expire after 90 days, but can't be changed for at least 10 days when new.

My password is written on my whiteboard.

For serious security, passwords shouldn't expire. They shouldn't even have to be that obscure. The security effort should go into making a brute force attempt impractical.

And the IT department needs to recognize that once someone has physical access to the network, there's not much left to secure, anyway.

Re:Password expiration (1)

digid (259751) | more than 9 years ago | (#11053964)

Yah, I hate it too... I just keep the same password but change the last character in the password, say from 2 to 3, and in 90 days or whatever back from 3 to 2.

Another problem (1)

rackhamh (217889) | more than 9 years ago | (#11053844)

The problem isn't just with remembering a strong password that you use on a daily basis. What about those one-time sign-ups that you have to do from time to time, for example to request a secure email certificate?

Two years down the road, you've changed all your other passwords a dozen times, you get a new laptop, and now you can't remember the password to unlock your certificate -- which means you won't be able to read any encrypted emails people send you anymore, until you get a new certificate and they all accept it.

Asking people to remember a few regularly used passwords may or may not be too much... but asking them to remember infrequently used passwords certainly is.

Re:Another problem (1)

maximilln (654768) | more than 9 years ago | (#11053960)

What about those one-time sign-ups that you have to do from time to time

INDEED.

I don't worry about spam e-mail. The e-mail boxes are all cluttered with kazillions of forgotten password request forms. I even have multiple instances of requests for the same password. Maybe the rest of the world likes to let their web browser remember all of their passwords--I'm not convinced that those mechanisms are secure enough that they can't be mined. Heck. Malware can install itself. What prevents it from mining passwords?

It's really silly the way the corporatization of the internet has made it nearly unusable. You can't even read today's news headlines without some corporate office asking for your complete CV and a 128-bit PGP encrypted .wav file with your vocal signature and a 15 character password with a mandatory inclusion of at least 3 extended ASCII characters.

seven different 8 character passwords (1)

wiredog (43288) | more than 9 years ago | (#11053845)

(with numbers and mixed cases) really too much to ask?

Yes. It is. I'm supposed to remember which password goes with which account/username on which one of 4 systems I may have to access at work, plus root and regular user on the home box? Then there are the user/pass combos for here, k5, husi, tnr, the atlantic, wash post, ny times, salon.com, and a couple of other ones.

That's something like 16-20 user/password combos. Fortunately I can use the same username across multiple sites. But I use different passwords.

Oh, and those passwords are all on different change cycles. Some 3 months, some 6, some never. So not only do I have to remember the old passwords, I have to remember the new ones as well.

Hell yes, I keep a cheat sheet in the wallet.

unique (1)

digid (259751) | more than 9 years ago | (#11053856)

my ten unique passwords are on my finger tips...you can even make combinations of fingerprint identification for added security (user specified combination of fingerprints, ex. left index finger + right pinky)

PasswordSafe (1)

rewt66 (738525) | more than 9 years ago | (#11053858)

PasswordSafe, from Bruce Schneier's outfit Counterpane Security, is a great help. I can have multiple passwords to different things stored in it; I can even have "secure" machine-generated ones, and I don't have to remember any of them. All I have to remember is one good, solid password - the password to PasswordSafe. (If you will, it's my "root" password.)

My take : three zones (4, Interesting)

Ars-Fartsica (166957) | more than 9 years ago | (#11053861)

My approach is to separate passwords into three zones: low, medium, high security. I always use an eight char passphrase with numbers and letters mixed. My zones work as follows:

Low: content sites like slashdot. I don't care if you get this passphrase, I will never change it.

Medium: logins for machine accounts, email and online shopping sites. I care somewhat if this is known, and I will change it yearly.

High: financial sites - bank and brokerage. I care deeply that this phrase is secure, and it is changed once a month no matter what.

Re:My take : three zones (1)

fdicostanzo (14394) | more than 9 years ago | (#11053990)

Yeah yeah, same here.

But then you can always forget the password on those sites and it will ask you a simple question before letting you in like your mother's maiden name or the last 4 digits of your SSN (your universal, can't-be-changed password). I would bet a lot of that information is obtainable rendering the whole password scheme meaningless.

Various passwords (1)

TheMadRedHatter (716344) | more than 9 years ago | (#11053867)

I have about 6 different passwords. My longest, 20 chars, is for root on one of the boxes.

All of them are alpha numeric.

I created a random password generator, wrote them down.... memorized them..... then burned the paper.

-- TheMadRedHatter

Well, from the WSJ article it wasn't stupid users (1)

MerlynEmrys67 (583469) | more than 9 years ago | (#11053884)

From the article (read yesterday in the dead tree edition), one poor woman was required to type 8 passwords to log into the things that she needed to log into. Each password a combination of letters and numbers, and each having to change every 3 months. So that is 32 passwords a year.

Frankly if my work was so dumb - I'd write them down too - or come up with a script that would do all of the logging in after the initial password. This is an IT staff problem, not a user problem... Please, one password is enough

Failings of Two-Factor Authentication (1)

totallygeek (263191) | more than 9 years ago | (#11053890)

So, we get issued key fobs for RSA authentication via Cisco VPN and guess what happens: three users have already taped their PIN to the back of the fob so they won't need to remember it. One wrote it with a metallic silver Sharpie!

Math nuts are the worst... (1)

physicsphairy (720718) | more than 9 years ago | (#11053894)

I have a lot of friends who are math people, and they infallibly choose mathematical constants for their passwords. Granted, they know these constants to insane decimal places and so, against a brute force crack, their passwords are of the most secure. But if you happen to know them, guessing their password is often as trivial as looking up pi, e, and gamma.

Just something I thought was interesting. . . .

Passwords are hard to remember... (1)

EspressoMachine (815675) | more than 9 years ago | (#11053901)

That's why we only have one account for everyone where I work. Username: admin Password: admin That way, people never forget!

In case you forget them.... (2, Funny)

lukewarmfusion (726141) | more than 9 years ago | (#11053903)

...just put them all in an Excel spreadsheet, keep a copy printed out and stored in your filing cabinet under a folder labeled "Passwords" and don't lock the cabinet.

I gave my two weeks' notice and this was the first thing my bosses wanted me to do: write down all the passwords for them so they could keep everything on file.

Fantastic.

Keepass (1)

Greenspan (245650) | more than 9 years ago | (#11053909)

I recently started using Keepass, an open source, encrypted database for storing all your login/password information. Keepass uses AES and Twofish for encryption, and also gives you the ability to generate passwords, based on several criteria (upper/lowercase, special characters, extended ascii characters, etc.) All you need to remember is a "master" key that unlocks the DB.

http://keepass.sourceforge.net/features.php/ [sourceforge.net]

My Slashdot password (as if it needed much security), is 101 bits, and I couldn't tell you what it was if I wanted to. I just open up keepass, select "copy to clipboard", and paste the password when prompted for login info. Keepass clears the clipboard after 10 seconds, and stops functioning if you haven't used the program in 30 (?) seconds.

I think it's great. Up until now, I had four fairly insecure passwords that I rotated among dozens of accounts/sites. This is much easier, and MUCH more secure.

Re:Keepass (1)

xyeeyx (839193) | more than 9 years ago | (#11053967)

Keepass uses AES and Twofish for encryption

but ./ doesn't encrypt your pass when you log in.

Security (1)

SteroidMan (782859) | more than 9 years ago | (#11053910)

Breaks down into 3 realms

Something you have, something you know, something you are.

The best systems incorporate a little of each.
For a phone banking application:
A unique transaction number out of a booklet your bank sent you. (something you have)
A voice sample of you saying the numbers (something you are)
Your birthday (something you know)

Even though each of these individually is 95-97% secure at best, the combination is highly secure.

Easy trick... (4, Funny)

GillBates0 (664202) | more than 9 years ago | (#11053912)

Get someone to kick you in the nuts everytime you forget your password.

You'll be surprised by how dramatically your capacity to remember passwords will improve once this becomes a regular feature of your workday.

For added effect, construct horribly complex and impossible to remember passwords a few times every day. Over time, basic survival instincts and the urge to avoid the inevitable kick in the balls will overcome the limitations posed by your poor memory.

Acronym passwords? (1)

Desco (46185) | more than 9 years ago | (#11053915)

How long before people making brute-force dictionary searchers use the internet to find popular phrases and make acronym brute-force guesses?

Single Sign On (1, Informative)

Anonymous Coward | more than 9 years ago | (#11053916)

Ideally, you have a centralized authentication system like Kerberos, and one password is good for all the network services you need. Also, password storage utilities like Bruce Schneier's Password Safe [schneier.com] or Apple's Keychain help a lot, since you can use a single master password to store (in crypted form) all those other passwords you don't want to remember.

Strong Password Algorithms are a Myth (1)

tjstork (137384) | more than 9 years ago | (#11053923)

Telling people not to use whole words as passwords because they might be included in dictionary searches seems like it might be a good idea, but the problem is that you usually wind up giving people an algorithm for password generation that might actually yield an even worse password. Where I work, for example, the suggested practice is to use acronyms followed by numbers. You remember a pet phrase and extract the acronym. "Eagles Will Beat the Cowboys on Sunday" might become ewbtcos42, with some random number after that. Sounds good, but what's to stop an attacker from including acronyms based on common English phrases in an attack dictionary?

The problem isn't so simple (2, Insightful)

Slick_Snake (693760) | more than 9 years ago | (#11053925)

Current security models require passwords to be changed every three months or so. On top of that the password cannot be one of the last 5 or so used. On top of that it must be different from the last password by x number of characters. On top of that the user must remember x number of passwords, of which he/she only uses one on a regular basis. To complicate matters the passwords must contain numbers, letters (upper and lower case), and sometimes special characters (but only certain ones). The expectations placed on the worker are unrealistic and that is what leads to poor password management. A simple password with a dongle (smart card, USB device, RFID chip, etc...) is a better solution.

Even "good" passwords are bad (3, Interesting)

bitslinger_42 (598584) | more than 9 years ago | (#11053929)

Between Moore's Law and modern cracking techniques (dictionary attacks, hybrid attacks using both dictionary and brute force, and hash precalculation), nearly any 7-8 character password that will be easy for Joe User to remember is crackable in a very short period of time. Rather than blaming the users for security failure, we should be looking to improving the overall system.

There are a number of things that can be done. First, and most importantly, eliminate the use of protocols that pass usable credentials (passwords, reversible password hashes, etc.) across the network in the clear. This means no longer using telnet and FTP (except for kerberized versions), doing something with/about Microsoft's NTLM/LanMan hashes, and probably using client certificates as well as server certs for encrypted web traffic.

Beyond that, there are proven techniques that aren't too hard for users to understand. Time sequence tokens (i.e. RSA's SecurID) have been around for a long time and have yet to be broken except for when the attacker has access to the critical seed records. There was an article a while back (sorry, can't remember where) about a bank using a short list of PINs that they mail to the customers. Each time the customer logs in, they use one and cross it off. The system keeps track of it and automatically sends a new list before the old one is exhausted.

The point here is that unless we get rid of the users, we will never be able to educate all users all the time. The best way to get the security levels that appear to be needed is to take the human element out of the process as much as possible.
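The mailed one-time PIN list described above, written out as the bank's side might track it: this is an added example, not code from the article or from any bank, and the list size, reissue threshold, PIN length and failure lockout are assumed values.

```python
import secrets
from dataclasses import dataclass, field

LIST_SIZE = 10     # PINs per mailed list (assumed value)
REISSUE_AT = 3     # mail a fresh list when this many unused PINs remain (assumed)
MAX_FAILURES = 5   # lock the list after this many wrong PINs (assumed)


@dataclass
class PinList:
    """Server-side state for one customer's mailed lists of single-use PINs."""
    unused: set[str] = field(default_factory=set)
    used: set[str] = field(default_factory=set)
    failures: int = 0
    lists_issued: int = 0


def issue_list(account: PinList) -> list[str]:
    """Generate LIST_SIZE fresh 6-digit PINs that collide with nothing already
    issued to this customer, add them to the valid set, and return what gets mailed.
    Remaining PINs from the previous list stay valid until they are used."""
    fresh: set[str] = set()
    while len(fresh) < LIST_SIZE:
        pin = f"{secrets.randbelow(10**6):06d}"
        if pin not in account.unused and pin not in account.used:
            fresh.add(pin)
    account.unused |= fresh
    account.lists_issued += 1
    return sorted(fresh)


def consume_pin(account: PinList, submitted: str) -> bool:
    """Accept a PIN only if it is unused; a used PIN (replay) or an unknown one
    counts as a failure. When the pile runs low, a new list is issued so the
    customer is never left without PINs."""
    if account.failures >= MAX_FAILURES:
        return False                     # locked until the bank intervenes
    if submitted not in account.unused:
        account.failures += 1
        return False
    account.unused.remove(submitted)     # "cross it off": this PIN never works again
    account.used.add(submitted)
    account.failures = 0
    if len(account.unused) <= REISSUE_AT:
        issue_list(account)              # in practice: queue the letter to the customer
    return True
```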

17 passwords and counting... (0)

Anonymous Coward | more than 9 years ago | (#11053933)

I believe people are lazy or can't be bothered. After reading through I've realized that I have more passwords memorized than I care to recognize. All are alphanumeric, some consist of alternate case and a few require the shift + numbers.

1 - domain
2 - email addresses
12 - workstation logins at work
1 - instant messaging
1 - online banking
1 - home pc login

I really see no reason why anyone, through simple repetition of logging in can't remember a password no matter how complex.

Spaceballs (1)

krygny (473134) | more than 9 years ago | (#11053940)

I always keep with the same convention; what's so hard?!

1 2 3 4 ...

Q W E R T Y ...

A S D F G ...

Passwords are passe (1)

ikewillis (586793) | more than 9 years ago | (#11053947)

For a workplace, there's no better solution than single-sign-on (Kerberos or the like) using a SmartCard. People understand how to keep something like a key safe, but keeping a bit of information safe, especially when it's something they have to keep in their head, is considerably more difficult.

I think the best approach is something like a Sun Microsystems Sunray environment where you can stick your SmartCard into any Sunray and instantly pull up your session from the server. Instead of having to "log out" you simply pull your SmartCard out of the Sunray, and that's the end of your session (even though it stays going on the server).

Seven different passwords? (1)

vaporakula (674048) | more than 9 years ago | (#11053949)

Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask?

I hope this is rhetorical. Seriously.

I'm the sort of person who does this; I have many levels of password for different occasions and situations. But that's not the case for most people, especially in business. They don't want to have to jump through hoops to be able to use their machines. It should just work!

It's not about business culture needing to change to understand the importance of digital security; it's about people implementing digital security systems understanding a little bit about people and how they want to use their machines.

Use stuff that everyone is already familiar with, and that doesn't take brainpower to implement! Build one system for the masses who turn up to work, sit at a terminal all day and then leave, and build another system for people who actually need to access their data from off-site. Make the simple system very, very simple - not insecure, just simple - and 80% of this problem goes away.

It really, honestly shouldn't be a requirement for the vast majority of office workers to remember 7 different passwords. That *is* too much to ask.

Automatic human pronounceable password generators. (1)

gokulpod (558749) | more than 9 years ago | (#11053971)

Good human pronounceable (thus easy to remember) passwords can be generated using tools like these [net-security.org]; it is even a part of Debian (apt-get install apg). Try it out; the generated passwords are generally very good, with a mix of cases, numbers, etc.

ASCII Characters (0)

Anonymous Coward | more than 9 years ago | (#11053989)

Back in the day, my understanding was that an ASCII-based password could not be broken, and I believe that I applied l0phtcrack (and other programs) to test that out. Anyone know if brute force crackers are able to break ASCII-based passwords?

All passwords should be strong (0)

Anonymous Coward | more than 9 years ago | (#11053992)

The necessity for the strength of the password is not necessarily relative to the importance of the data you are protecting which the user has access to.

In many cases any account can be used to run an exploit which can "root" the user. Once that's done, the attacker can use this as a jumping off point to get into other systems, get a copy of the registry (which may have domain admin password hashes in it) etc.

Unless you use your computer strictly for gaming, and there are no other computers on your network, a strong password is important.

I'd venture to say that if they don't need to write it down and put it in their wallet, it isn't strong enough, unless they have Rain Man's memory and calculation abilities.

difficult to remember with a wide variety of characters arranged in ways that do not spell or sound like an existing word combination = hard to crack

Too Many Passwords! (1)

shamowfski (808477) | more than 9 years ago | (#11053993)

I work for a health conglomerate. Each one of the specialized programs run at the hospitals requires a separate username/password. While the initial thought was greater security, it has actually backfired in that with a simple perusal of a user's office you can generally find all of their user names and passwords. That is why single sign-on with a single password is far superior, because chances are they can handle the one username/password.

Passwords under keyboard .... (0)

Anonymous Coward | more than 9 years ago | (#11053996)

...of course not. I keep mine under my phone.

Picture Passwords (4, Interesting)

spun (1352) | more than 9 years ago | (#11054007)

One method I like is to pick a simple figure: a wavy line, a j shape, a box, a star or whatever. Then pick a starting character and 'draw' the password on the keyboard. For example, let's use a wavy line and start on e. Our 8 character password would be e4rft6yj. Or a box starting on f: fr456yhg. These passwords are hard to guess, easy to remember, easy to make memorable variants of, and quick to type.

It's a no win scenario (1)

JudgeFurious (455868) | more than 9 years ago | (#11054010)

Here we just let users pluck a password out of their asses and keep it forever when I started. It had been that way since the dawn of time at this company and nobody wanted to change it. Admittedly we don't have much in the way of truly sensitive information, but it was pretty lax.

Finally we said ok, this is going to have to change in some way, and we instituted some basic requirements. Minimum number of characters, must contain at least one capital letter and at least one lower case letter. Very simple, right? Not much more effective than what we had before either. Say a user's password had been "austin" before the change. That user simply changed it to "Austin1". I swear I think sometimes every knucklehead working here did that. At one time the support people here (all two of us) knew everyone's password by heart. Now when we aren't sure we try the old one with a capital letter at the beginning and the number "1" on the end and it works most of the time. When we get to the point where they have to change it again I'm betting it's going to change to "2".

We've talked about forcing them to get complex, but all that's going to do is generate a couple hundred post-its with passwords written on them at the various desks.
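A password-change check of the kind the comments above describe (the "cannot be one of the last 5", "must differ from the last password by x characters" and upper/lower/digit rules, aimed at the "austin" to "Austin1" to "Austin2" habit). This is an added example, not any product's or PAM module's code; the thresholds are assumed, and "differs by x characters" is taken as an edit distance measured after case and the digits users tack onto either end are stripped, in the spirit of pam_cracklib's difok.

```python
import re

HISTORY_DEPTH = 5    # compare against this many previous passwords (assumed)
MIN_LENGTH = 8       # assumed minimum length
MIN_NEW_CHARS = 3    # edit distance the new password must reach (assumed "x")


def normalize(pw: str) -> str:
    """Undo the cosmetic edits people use to recycle a password: drop case and
    any run of digits at the start or end, so "Austin1" and "austin" compare equal."""
    return re.sub(r"^\d+|\d+$", "", pw).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_new_password(new: str, history: list[str]) -> list[str]:
    """Return the policy violations for a proposed password (empty list = accepted).
    history[0] is the current password, followed by older ones, newest first."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Z]", new) and re.search(r"[a-z]", new) and re.search(r"\d", new)):
        problems.append("needs an upper case letter, a lower case letter and a digit")
    recent = history[:HISTORY_DEPTH]
    if recent:
        closest = min(edit_distance(normalize(new), normalize(old)) for old in recent)
        if closest < MIN_NEW_CHARS:
            problems.append("too close to a recent password")
    return problems
```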