
Are Often-Changed Long Passwords Really Secure?

Cliff posted more than 9 years ago | from the as-long-as-you-don't-write-the-on-stickies dept.

Security 233

Zweistein_42 asks: "I work at a large, navy-coloured IT corporation. A new, more secured password policy has just taken effect and will be strictly enforced: 8 characters alphanumeric, changed *every 90 days*, with standard checks for non-repetitiveness, dictionary, uniqueness, etc. Is there any research to support whether such requirements actually increase security?"

"I have almost a dozen applications I use daily (e-mail, VPN, Windows login, intranet, FTP, etc), plus 20-30 I access 'occasionally', and their passwords have to be unique - and change at different times. I usually take the trouble to memorize random alphanumeric, un-guessable combinations; but even I won't bother memorizing an average of 2 random strings a week. Eventually, won't most people use their pets' names (fuzzy1cat, fuzzy2cat, etc) and start writing passwords on a note on their screen?

Every time I see such a policy, I strongly believe it makes *my* passwords less secure. What is the average user's reaction? What about lost & support time trying to regain forgotten passwords?"

233 comments

Um my password is.. (2, Funny)

strikehosting (798386) | more than 9 years ago | (#11538749)

My password is password. (keep it quiet!)

Re:Um my password is.. (1)

unitron (5733) | more than 9 years ago | (#11539345)

That does meet the 8 character requirement but not the alphanumeric one so you should change it to p455w0rd to be totally secure.

Re:Um my password is.. (1)

biryokumaru (822262) | more than 9 years ago | (#11540294)

no it isn't! i just tried that! you lie! =p

This is the reason (4, Interesting)

popeyethesailor (325796) | more than 9 years ago | (#11538756)

things like SecurID [rsasecurity.com] were invented.. 2-factor authentication eliminates most of these special requirements.

Re:This is the reason (1)

Deekin_Scalesinger (755062) | more than 9 years ago | (#11538785)

I went googling for thumb scanners and the like but didn't come up with anything concrete (besides people's blogs where they relate their SF dreams of bypassing a thumb scanner and breaking into the Pentagon). Does anyone have a link to a body part scanner (thumb or finger is HIGHLY preferable to um, other things) that they have used successfully and is available on the open market?

Re:This is the reason (2, Informative)

Westley (99238) | more than 9 years ago | (#11538799)

The Microsoft keyboard I'm typing at now has a thumb scanner. Admittedly I don't use it, because it won't let me log into domains, but the recognition stuff does seem to work. How security it is is another matter.

Re:This is the reason (0)

Anonymous Coward | more than 9 years ago | (#11538822)

You were looking for the word "secure".

Re:This is the reason (4, Informative)

Atrax (249401) | more than 9 years ago | (#11538835)

the thumb scanner on the MS keyboard isn't marketed as a security product - actually it's for convenience only - remembering usernames and passwords which are retrieved on presentation of a thumb

it's trivial to defeat - see here [ep.liu.se]

Re:This is the reason (2, Informative)

malcomvetter (851474) | more than 9 years ago | (#11539212)


Read the packaging, there's a disclaimer: Do not use to protect anything you really care about.

Also, you should always remember that any use of biometrics without additional factors is for convenience-- never about security.

Re:This is the reason (3, Funny)

Anonymous Coward | more than 9 years ago | (#11538815)

Try googling for "bum scanner". Bum scanners are much more accurate than thumb scanners, because of the larger size of the inspected area.

NEW! Now it comes with extra sneak-peek functions to record female employees, erm, significantly identifiable parts!


It's a joke, laugh.

Re:This is the reason (0)

Anonymous Coward | more than 9 years ago | (#11538939)

It wasn't a funny joke.

Re:This is the reason (1, Funny)

ArsonSmith (13997) | more than 9 years ago | (#11539841)

because of the larger size of the inspected area.

Only useful in the US

Re:This is the reason (1)

j-turkey (187775) | more than 9 years ago | (#11539879)

Only useful in the US

Because the rest of the world's people have butts that are smaller than their thumbs.

Re:This is the reason (0)

Anonymous Coward | more than 9 years ago | (#11541499)

Thanks for telling us the obvious that some people are just assholes and some are bigger assholes than others.

Re:This is the reason (1)

xouumalperxe (815707) | more than 9 years ago | (#11540204)

U.are.U Pro by www.digitalpersona.com. It's my dad's, but I have it right next to me (went to get the box to check the name). I think this is on the open market.

Re:This is the reason (1)

Fatchap (752787) | more than 9 years ago | (#11538830)

Not if you have to have a token and pin for each application! I have managed to keep mine down to two so far.

Re:This is the reason (0)

Anonymous Coward | more than 9 years ago | (#11538988)

How does this actually work? Can't we make a FOSS version of this? Not with hardware but only software based?

Re:This is the reason (4, Informative)

hey! (33014) | more than 9 years ago | (#11539671)

They seem to work great, at least in the few places where I've seen them in use. The users, who don't understand security, think that these devices are a bit weird of course, but it doesn't matter. They get along fine, treating them like the keys to the office, which they are, in effect.

WRT to F/OSS, these are hardware devices. What you really need is a free reference design.

You could sorta fake it, but it wouldn't be the same. For example, suppose you kept GnuPG keys stored on a USB key fob. Then you encrypt the keyring with a simple password. Voila -- two factor security.

The only problem is that the key fob has to trust the computer it is connected to, because it is going to hand over the secret key to it. If the computer is compromised -- that's it.

What you really need is a device with its own computing power, such as an iButton. You then have software which sends a challenge from the server to the iButton, calculates a hash, then calculates another hash on that hash using standard password techniques. [maxim-ic.com]

The password of course would be very little additional protection, but very little is needed. What you want is to buy a few hours of protection after you lose your device to notify the network administrators and get your account locked out.
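The challenge-response flow described in the comment above, as an added example (not part of the original post, and not the iButton's actual protocol): the device answers a one-time challenge with a keyed hash, the host hashes that answer again under a password-derived key, and the server checks the result and can revoke a lost device. HMAC-SHA256, PBKDF2, the class and function names, the serial number and the sample password are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets


def password_key(password: str, salt: bytes) -> bytes:
    """Stretch the short password into a MAC key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Token:
    """Stand-in for the hardware device: the key is used inside, never exported."""

    def __init__(self, serial: str, key: bytes):
        self.serial = serial
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def client_response(token: Token, password: str, salt: bytes, challenge: bytes) -> bytes:
    """Host side: take the device's hash, then hash it again under the password key."""
    device_mac = token.respond(challenge)   # the host only ever sees this MAC
    return hmac.new(password_key(password, salt), device_mac, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self._accounts = {}   # serial -> {"key", "salt", "pw_key", "revoked"}
        self._pending = {}    # serial -> outstanding one-time challenge

    def enroll(self, serial: str, password: str) -> Token:
        key, salt = secrets.token_bytes(32), secrets.token_bytes(16)
        self._accounts[serial] = {"key": key, "salt": salt,
                                  "pw_key": password_key(password, salt),
                                  "revoked": False}
        return Token(serial, key)

    def revoke(self, serial: str) -> None:
        """What the administrator does when the owner reports the device lost."""
        self._accounts[serial]["revoked"] = True

    def begin(self, serial: str) -> tuple:
        """Issue a fresh random challenge; returns (challenge, salt)."""
        challenge = secrets.token_bytes(16)
        self._pending[serial] = challenge
        return challenge, self._accounts[serial]["salt"]

    def verify(self, serial: str, response: bytes) -> bool:
        challenge = self._pending.pop(serial, None)   # single use: a replay finds nothing
        acct = self._accounts.get(serial)
        if challenge is None or acct is None or acct["revoked"]:
            return False
        device_mac = hmac.new(acct["key"], challenge, hashlib.sha256).digest()
        expected = hmac.new(acct["pw_key"], device_mac, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


def demo() -> dict:
    server = Server()
    token = server.enroll("TOKEN-0001", "tulip7")   # constructed serial and password
    results = {}

    challenge, salt = server.begin("TOKEN-0001")
    good = client_response(token, "tulip7", salt, challenge)
    results["valid"] = server.verify("TOKEN-0001", good)
    results["replay"] = server.verify("TOKEN-0001", good)          # challenge already spent

    server.begin("TOKEN-0001")
    results["stale_response"] = server.verify("TOKEN-0001", good)  # old answer, new challenge

    challenge, salt = server.begin("TOKEN-0001")
    wrong = client_response(token, "tulip8", salt, challenge)
    results["wrong_password"] = server.verify("TOKEN-0001", wrong)

    server.revoke("TOKEN-0001")
    challenge, salt = server.begin("TOKEN-0001")
    late = client_response(token, "tulip7", salt, challenge)
    results["revoked"] = server.verify("TOKEN-0001", late)
    return results


if __name__ == "__main__":
    print(demo())
```

In this sketch the server keeps a copy of the device key, so its account store has to be protected like the keys themselves; a device that signs with a private key would remove that copy.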

Re:This is the reason (1)

raffe (28595) | more than 9 years ago | (#11539878)

Very interesting. Thanks!!!

Re:This is the reason (1)

Nos. (179609) | more than 9 years ago | (#11540037)

That was the first thing that jumped to my mind as well. The iButton seems built for this type of situation. I'm building my own home alarm and I was trying to think of the best way to do an arm/disarm control panel, and I've pretty much decided to use iButton for it. Nobody has to remember a password, yet if someone loses their iButton, I can update the database to no longer allow that one access to the system.

Re:This is the reason (1)

TheLink (130905) | more than 9 years ago | (#11541282)

"What you really need is a device with its own computing power, such as an iButton. You then have software which sends a challenge from the server to the iButton, calculates a hash, then calculates another hash on that hash using standard password techniques."

Sounds a bit like a smartcard [howstuffworks.com] .

Re:This is the reason (4, Insightful)

hey! (33014) | more than 9 years ago | (#11539558)

Amen.

This whole password thing has got to the point where it's ridiculous. It was Ok when you were on a mini computer with a few hundred users, but it is so inadequate and there is so much at stake, it's absurd that we're still using this dark ages technology.

Two factor security with strong cryptographic keys on devices that don't have to give up their secrets to any host -- that's the way to go.

Re:This is the reason (5, Interesting)

Bastian (66383) | more than 9 years ago | (#11541561)

I hacked my own together with a USB key containing an encrypted keychain and encrypted copies of my SSH key files. (Granted, I have no idea if a PC equivalent exists - my office lives in Mac-and-Unix-Land.) The keychain is backed up to another secure location every time I add or change a password, because the passwords I use look like what you get when you fall asleep on the keyboard. The USB key comes with me when I leave the computer, and the keychain gets locked automatically after 10 minutes in case I forget.

Not perfect, but it's better than post-it notes, and it does implement its own version of the "something you have and something you know" philosophy.

Desk (5, Insightful)

maeka (518272) | more than 9 years ago | (#11538769)

As long as they don't check the post-it note under your desk - the password is secure!

But seriously, does a policy like this do anything but encourace people to write down their passwords?

Re:Desk (0)

Anonymous Coward | more than 9 years ago | (#11538779)

Darn it, I can't spell 'tis morning.

Re:Desk (1)

Erik Hensema (12898) | more than 9 years ago | (#11538789)

But seriously, does a policy like this do anything but encourace people to write down their passwords?

Yes. Plain and simple: Yes.

People simply can't/won't remember difficult passwords.

Re:Desk (1)

Atrax (249401) | more than 9 years ago | (#11538793)

I don't have mine written down, but it IS visible, in print, somewhere in my house (in a non-L33t-ised form). Find it if you come round for a beer one day.

it's 16-22 characters dependent on how I vary it and gets changed (strictly speaking varied by 1-5 characters) once every 60 days. So far no problem remembering it or typing it. I'd have trouble telling it to someone, but that's not what it's for anyway....

Re:Desk (1)

Kosi (589267) | more than 9 years ago | (#11538821)

Yes, it encourages them to change it like this:

MyPetsName1
MyPetsName2
MyPetsName3
MyPetsName4

I must admit that I've come to a similar method, I have several base passwords like t/E2.p?aFhBO that I alter in one or two positions when forced to change.

Re:Desk (3, Insightful)

Mr.Ned (79679) | more than 9 years ago | (#11538868)

"But seriously, does a policy like this do anything but encourace people to write down their passwords?"

It depends where you write it down. If you write it down in some sort of password safe that's encrypted, and keep that only on your hard disk and PDA, that's a heck of a lot safer than the post-it note, and I'd go so far as to call that secure - provided you make sure to keep the encrypted copies in your possession and keyed with a "good" password (longer than 8 characters, who is the story poster kidding).

Seriously, if you're in IT, don't you already have a bunch of passwords you need to keep track of? Do you really expect to keep those in memory? Why *don't* you have some sort of password vault by now?

Re:Desk (1)

Riddlefox (798679) | more than 9 years ago | (#11541246)

Do you have any suggestions for a password vault?

At the moment, I only have a PGP-encrypted text file on my hard drive that I have to decrypt every time I want to remember one of my less-often used passwords. It works, but it's a pain.

Re:Desk (1)

therblig (543426) | more than 9 years ago | (#11541335)

I have used the password vault in Firefox, but if someone thinks that is a bad one to use, I would appreciate hearing about it. I use a strong password to protect that vault.

Re:Desk (1)

gadget junkie (618542) | more than 9 years ago | (#11539468)

The company I work for has such a policy. Besides proliferating bad habits (writing down passwords, "trading" passwords between colleagues, etc), it is in a way nonsensical. Why not leave it at "passwords must be over 10 and under 255 characters"? That way, easily remembered phrases can replace unwieldy 8 chars things.

Re:Desk (1)

clesters (793568) | more than 9 years ago | (#11540462)

http://www.schneier.com/passsafe.html

it encourages writing down passwords (0)

Anonymous Coward | more than 9 years ago | (#11541069)

My company has a password policy like that, and it requires longer than 8 characters, checks similarity, forces changes every 90 days, etc. There are a bunch of systems that require passwords, and they started to unify them, but in the process made it harder--we're left with a number of passwords that have similar names, plus random other systems with passwords that aren't unified.

You're not supposed to use any keychain type thing like what's found in macs or various browsers.

I checked recently on the IT web page (because I had forgotten my password) and there was a little note in the corner that said it was now "acceptable to write down your password as long as you keep it hidden in a file cabinet" or something to that effect.

The net effect is much lower security. It would be much better to enforce selection of strong passwords (and teach people how to choose strong passwords with mnemonics so they don't forget) and not require such frequent changes.

(posted anon to avoid any chance of identifying the employer)

Re:Desk (1)

Bastian (66383) | more than 9 years ago | (#11541212)

I see someone has been playing Blue Chairs recently.

Re:Desk (1)

usernotfound (831691) | more than 9 years ago | (#11541731)

my bank makes me change my password every so often, and they keep tightening the requirements (use letter, number, symbols, AND capital letters) and you can't repeat previous passwords to a certain degree (4567yydlso is the "same" as YYdlso4567, etc.) I have a password "scheme" that i have always used, and forever will use, on every one of my 50+ random places i need passwords...EXCEPT my bank password, because i've used every combination it will let me in my scheme. i've resorted to using such things as "13illGate$" and random shit that firefox stores, but i can NEVER remember, because it is stored.

As for double verification being the way to go, i already practically do that on my bank account, too. I forget my password that nobody including myself could be expected to remember, so i call the bank, verify personal information, they reset my password to something, and i put it in and am forced to change it again to something i won't remember.

Most likely i would lose the piece of paper in the 2 months between needing it :\

You don't have to remember them all (1, Informative)

Anonymous Coward | more than 9 years ago | (#11538777)

In case you don't know, your "navy-colored corp." sells a fingerprint reader that automatically puts the correct password in whichever field you need it..
You just set it, make the program learn it, and you're done. You don't _HAVE_ to remember them all.
Passwords can be saved on crypted files (not word please, as we all know that they can be cracked open in milliseconds), and your access to your corporate thinkpad can be granted at the BIOS level with the embedded fingerprint reader.

Go T42! GO! ;)
cheers

Re:You don't have to remember them all (2, Funny)

varuul (663954) | more than 9 years ago | (#11540321)

I use a ROT-26 encrypted text file for that transparent security.

Password Safe (5, Interesting)

MaccaUK (761566) | more than 9 years ago | (#11538781)

Funnily enough, the use of a password safe - an app that keeps track of multiple passwords, similar to Apple's Keychain - is available (even encouraged) in that blue company :-)

Of course, it's kind of a single point of failure in terms of security, if you don't take into account the need to use a boot password and Windows login. Also, if your laptop dies... and you haven't backed up the password file...

Re:Password Safe (3, Informative)

malcomvetter (851474) | more than 9 years ago | (#11539243)


For the Windows folks [sourceforge.net]

For the *nix folks [sourceforge.net]

Re:Password Safe (1)

malcomvetter (851474) | more than 9 years ago | (#11539321)


Don't mean to reply to my own, but I thought I might add that the windows version [sourceforge.net] also provides "auto-typing" the "user -tab- pass" keystrokes for you in the last app that had focus. It's not perfect, but designed for coping in a less than ideal situation.

Re:Password Safe (1)

afabbro (33948) | more than 9 years ago | (#11539972)

An alternative is some kind of PDA-based system with a desktop companion. I'm not going to shill for them - PalmGear lists several. That way your Palm and your PC would both have to die.

Re:Password Safe (1)

diamondsw (685967) | more than 9 years ago | (#11541585)

Mind posting the name of the recommended program? I work for said navy company, and I haven't seen any mention of it.

My voice is my passport.... (5, Funny)

MikeyToo (527303) | more than 9 years ago | (#11538790)

verify me.

And the answer is... (5, Informative)

It doesn't come easy (695416) | more than 9 years ago | (#11538803)

No, the requirement does not make for more security.

I, like everyone else on the planet, work to make things easier for me and to hell with security. A new password every 90 days means people will design a password that passes the requirements but is easy to remember when you have to change it. For example, my last job required at least an 8 character password with at least two numbers and one case change, and you could not reuse passwords for at least 5 changes. So my first password was Th1s1smE. Anyone want to guess what my next password was after the first 90 days?

Anybody with half a mind (and you KNOW who you are) would run through the likely possibilities quickly enough.

My opinion: It would be better to provide a tool that would allow a user to rate a password which would let them come up with a password that passes a minimum quality requirement, a password that they could remember without writing it down, and then require it to be changed less frequently (like once per year). And, equally important, provide a second, different authentication mechanism to support the password security (a hardware token system would be one example, biometrics would be another, a prearranged "callback" mechanism would be a third, there are many others).

Besides, my experience with gaming a requirement like this is that users tend to mess up their password frequently and end up with their password set back to a known default (assuming the admins provide such a default, which in and of itself is a very bad security decision). And so sometimes a policy like this will actually provide less security, because at any given time there will be a relatively high percentage of user accounts which are set to a known password. Years ago, I personally demonstrated this situation with one of the VP's of the company I worked for by going through the ID's of the senior managers until we found one using the default password.

So, long story short, changing passwords frequently does not automatically mean better security. But we all knew that, right?
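A change-time check in the spirit of the rating tool suggested in the comment above, as an added example (not part of the original post): it rejects a new password that is one lazy edit away from the current one, or from any entry in a history kept only as salted hashes. The function names, the similarity threshold, the iteration count and the sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import re
from difflib import SequenceMatcher

ITERATIONS = 50_000        # demo value (assumption); size it for your hardware
SIMILARITY_LIMIT = 0.8     # assumed threshold for "same password, small edit"

TOO_SIMILAR = "too similar to current password"
HISTORY_HIT = "reuses or trivially alters an earlier password"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> tuple:
    """History entry as a system would store it: random salt plus slow hash."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def matches(password: str, record: tuple) -> bool:
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt), digest)


def near_variants(candidate: str) -> set:
    """Earlier passwords from which `candidate` would be a counter bump away."""
    variants = set()
    for m in re.finditer(r"\d+", candidate):
        run, n = m.group(), int(m.group())
        for step in (-3, -2, -1, 1, 2, 3):        # fuzzy2cat <- fuzzy1cat
            if n + step < 0:
                continue
            for text in (str(n + step), str(n + step).zfill(len(run))):
                variants.add(candidate[:m.start()] + text + candidate[m.end():])
    variants.add(candidate.rstrip("0123456789!@#$%.*"))   # password1 <- password
    variants.discard(candidate)
    variants.discard("")
    return variants


def check_change(current: str, candidate: str, history: list) -> str:
    """Return 'ok' or the reason the change is rejected.

    `current` is available in clear because the user types it to authorise
    the change; older passwords exist only as salted hashes, so they are
    probed with a small set of guessed variants instead.
    """
    ratio = SequenceMatcher(None, current.lower(), candidate.lower()).ratio()
    if ratio >= SIMILARITY_LIMIT:
        return TOO_SIMILAR
    for guess in {candidate} | near_variants(candidate):
        if any(matches(guess, record) for record in history):
            return HISTORY_HIT
    return "ok"


def demo() -> dict:
    # Constructed history, modelled on the fuzzy1cat/fuzzy2cat pattern in the story.
    history = [make_record("fuzzy1cat"), make_record("fuzzy2cat")]
    return {
        "increment_current": check_change("fuzzy2cat", "fuzzy3cat", history),
        "revive_old_series": check_change("blue-Kettle-41", "fuzzy4cat", history),
        "exact_reuse": check_change("blue-Kettle-41", "fuzzy1cat", history),
        "unrelated": check_change("fuzzy2cat", "lantern-Quartz-82", history),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Each variant costs one slow hash per history entry, which is why the check models a handful of lazy edits rather than general edit distance against the stored history.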

Re:And the answer is... (1)

zeath (624023) | more than 9 years ago | (#11539114)

It's easy to create a program that pounds through the first few stages of a brute force algorithm to see which passwords might be susceptible; however, it's difficult to create a program that will rate the human guessability of a user's password, such as incorporating information like maiden names, birthdates, or anniversaries. Though difficult to brute force, guessable passwords like those are a security risk to the individual sitting down at a terminal and making guesses, especially if they have a calendar nearby with the date in question marked. I doubt end-users would ever make the connection, or care if they did, that they have their password in plain sight on their desk.

Re:And the answer is... (1)

hbackert (45117) | more than 9 years ago | (#11539140)

And, equally important, provide a second, different authentication mechanism to support the password security (a hardware token system would be one example, biometrics would be another, a prearranged "callback" mechanism would be a third, there are many others).

I wholeheartedly second this. I've been long enough in the computer business to see lots of good and bad password (or equivalent) schemes. From the standard "lower/upper case, one digit, one special char, at least 6 chars long, non-repeating, checking with dictionary" to hardware tokens a la RSA (in fact only RSA tokens). The more restrictive the password part gets, the more likely users write it down somewhere. It's natural and whoever is ignorant of the laziness of people is doomed. Of course people told colleagues their password so they could receive their mails. Passwords printed on post-it notes attached on the monitor or below the keyboard. You know it.

This all is impossible with a hardware token. The only exception is when someone gives their token to a colleague. Company policy must forbid this, or the token is used when entering/leaving the company building. Besides the need to have a small electronic device (with yearly charges), a much easier password needs to be used in conjunction with the number displayed on the token. And there you go: simple, easy to remember password, always unique, impossible to write down and share. Even when stolen it's not that useful as it's easily deactivatable on the authentication server side, and without the (simple) password, it's useless.

Now use this in a single sign-on system (LDAP comes into mind as almost everything which looks like a computer can handle LDAP, especially since MS Active Directory), and all problems (except the yearly bill) go away. But compared to the costs of a potential security leak/data theft, they are not that expensive.

I wonder why this is not in use in about every company which is concerned about security and especially password security...anyone knows why? It can't be the costs, can it be? For a 5 people company it's expensive, but for anything more than 100 people the additional costs are next to nothing, right?

Re:And the answer is... (1)

earlgrey (15039) | more than 9 years ago | (#11539673)


I wonder why this is not in use in about every company which is concerned about security and especially password security...anyone knows why? It can't be the costs, can it be? For a 5 people company it's expensive, but for anything more than 100 people the additional costs are next to nothing, right?


It is expensive and not so simple. Is every one of your applications LDAP aware? If not, you have to write custom code that fills in every login mask. The largest problem however is setting up the infrastructure and keeping it running - you have to issue hardware tokens, renew them, usually build a PKI around it (which is either very expensive, doesn't work as well as advertised or doesn't scale). Which will be a problem especially in orgs with >> 100 people.

Re:And the answer is... (1)

earlgrey (15039) | more than 9 years ago | (#11539176)

I completely agree. Having several accounts leads to using the same password for every account (in the worst case for that super secret accounting application and your telnet access); forced changes with a policy of not reusing the last n passwords makes most of the people cycle through n+1 passwords. That cycle is either highly predictable or written down. Having to use 20 applications with different passwords means you are always carrying a huge password sheet with you and leave it at the cafeteria. And one can estimate the price for supporting password reset: divide the number of people in your org by how often they call the servicedesk because they are locked out (this sample will give you quite stable predictions; maybe 5% will call any given day), multiply with some cost estimate that you get from a Ouija Board and compare this to some single sign on solution (Smartcard). The lowest end would probably be a mandatory password keeper (like on a PDA) with one _really_ _good_ _enforced_ Masterpassword that is rarely changed.

Re:And the answer is... (0)

Anonymous Coward | more than 9 years ago | (#11540027)

You just violated your employer's security policy by publishing one of your passwords on Slashdot. Now you can never use that password again. I'd never do that, passwords that meet the rules and are easy to remember are just too hard to come by.

You should at least have posted anonymously.

Re:And the answer is... (1)

unitron (5733) | more than 9 years ago | (#11540123)

"Anybody with half a mind (and you KNOW who you are) would run through the likely possibilities quickly enough."

How would those of us with the other half do?

Complexity or Quantity (5, Insightful)

Fatchap (752787) | more than 9 years ago | (#11538825)

Is the problem not that your password has very strict complexity requirements but that there are too many of them?

I did read a paper (I think from Microsoft, not sure) about how passwords were essentially redundant as you could precompute the hashes of all alphanumeric combinations and then run a dictionary attack against a file pretty quickly. They suggested a pass phrase as the way forward. Perhaps something along the lines of "I love /. last month I posted 10 times" this fulfils all requirements for complexity and is changeable and easy to remember.
The other solution I often tell people is make your passwords a personal acronym, who would guess "Il/mIp10t" as a password, yet it is easy for me to remember.

Re:Complexity or Quantity (1)

It doesn't come easy (695416) | more than 9 years ago | (#11538841)

Assuming you have access and the system will allow it, computers are fast enough these days to try every possible combination of an 8 character password, regardless of its difficulty for a human to guess. An 8 character password is NOT secure anymore. It takes a minimum of 20 characters these days to be reasonably secure.

Re:Complexity or Quantity (3, Insightful)

Fatchap (752787) | more than 9 years ago | (#11538885)

Surely that depends on what you are securing and what you are securing it against?

Is my house secure? Sure I have never been burgled.

Should we shut down Fort Knox and store all the bullion in my spare room? Probably not.

If I want to protect my information against my flatmate or a friend from opening it then an 8 character password is probably ok. If I want to protect my bank's central records or the ID's of my intelligence agents in North Korea 20 characters will not cut the mustard either.

Perhaps I did not make my point very well, the poster's problem was not that they had to keep changing their password frequently and could not alternate between "password1" and "password2" but that they had to have several different passwords for several different systems. I was saying that by using personalised passphrases or passphrase acronyms this could be accomplished quite easily until SSO is implemented properly.

SSO working fully fits in somewhere between a totally secure Windows, a working manageable PKI and a viable method of stopping spam, pop-ups, 419 fraud and link spamming!! ;)

Re:Complexity or Quantity (0)

Anonymous Coward | more than 9 years ago | (#11541514)

I did read a paper (I think from Microsoft, not sure) about how passwords were essentially redundant as you could precompute the hashes of all alphanumeric combinations and then run a dictionary attack against a file pretty quickly.

I also read a paper, which I can't find either. I think it was from the 60's or 70's. Anyway salt is used to protect against dictionary attacks. It has been used as long as I can remember in UNIX, but Microsoft didn't use them in early versions of Windows over a decade after UNIX started using salt. I guess they thought they knew better. They use salt now. I take this as a sign of Microsoft's "not designed here" culture.

Don't know what salt is? Just search for password and salt on google.

Long passwords (4, Interesting)

Masa (74401) | more than 9 years ago | (#11538843)

"A new, more secured password policy has just taken effect and will be strictly enforced: 8 characters alphanumeric, changed *every 90 days*"

So? In the company I'm working for, we have a policy that the password has to be at least 10 characters long, alphanumeric mixed case and it will change *every 30 days*. And the new password can't be the same as 10 last ones.

I have solved the problem of memorizing these passwords by using source code as a password. For example: "printf("Hello, World!");" should be complex enough and it is relatively easy to remember.

To your question: No, I don't know if the longer, more complex passwords are actually more secure / cost efficient than shorter ones, because of the side effects caused by difficult to remember passwords. But at least this kind of policy prevents the most trivial dictionary attacks. It's a completely different story, how else the security is taken care of (ie. educating the personnel, so there will not be any post-it notes laying around and other forms of security, because it's all about layers).

Re:Long passwords (1)

tmbg37 (694325) | more than 9 years ago | (#11538873)

So? In the company I'm working for, we have a policy that the password has to be at least 10 characters long, alphanumeric mixed case and it will change *every 30 days*. And the new password can't be the same as 10 last ones. Well, in *my* company, our passwords have to be 20 characters long, alphanumeric mixed case with punctuation and it changes every day! *And* we have to walk 50 miles through the snow uphill both ways!

Re:Long passwords (1)

MarkGriz (520778) | more than 9 years ago | (#11539610)

For the want of a </i>, the joke was lost.

Re:Long passwords (3, Funny)

zcat_NZ (267672) | more than 9 years ago | (#11540430)

Q276304 - Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your Previous 30689 Passwords

A Microsoft Windows error message as reported by comp.risks 21.37

Re:Long passwords (1)

catch23 (97972) | more than 9 years ago | (#11541556)

I don't think this is actually more secure. They also have that same 30-day change-over and can't be same as the last 10 ones password policy at my company. But do you know what happens? People just append an incrementing numeric at the end of their password because they have to change it so often. So "password" becomes "password1" then "password2" ad infinitum. I don't think this is any more secure than having a single long password.

Not happy about it either (1)

John Harrison (223649) | more than 9 years ago | (#11538858)

I saw the same memo. I am not looking forward to this. What we really need to do is implement a secure single sign on solution like ActivCard that utilizes a smart card and/or biometrics.

There was an internal badging initiative about a year ago that was looking at moving away from mag stripes for door access. If we bought the right cards for physical access we could leverage that investment for logical.

Re:Not happy about it either (3, Insightful)

maxume (22995) | more than 9 years ago | (#11540987)

Do you really want to attach value to things like your thumbs, fingers and eyes? I mean the kind of value that makes someone else want them; I like and value mine quite a bit. Also, if your fingerprint happens to get compromised (i.e. somebody manages a working fake), how do you plan on obtaining a new one?

Terrified of biometrics until somebody gives me compelling reasons not to be...

Re:Not happy about it either (4, Insightful)

John Harrison (223649) | more than 9 years ago | (#11541066)

Many readers have pretty good live finger detection. If somebody wants something badly enough to cut off my finger, I will simply give it to them.

It's because of Italian law (I work for the same.. (1, Interesting)

Anonymous Coward | more than 9 years ago | (#11538881)

Navy-colored company, but I'm staying cloaked.)

The Italians enacted some sort of privacy-oriented legislation which required these password rules. Because the Navy-colored company does business in Italy, and wants uniform rules throughout the company, they propagated this change throughout the company.

Like it or not, secure or not, that's where it came from.

Don't focus on this as the single point of security stupidity - there are far worse. We won't mention them, however.

Less secure (4, Insightful)

tod_miller (792541) | more than 9 years ago | (#11538889)

Longer harder to remember passwords require more human intervention (IT helpdesk reset passwords to 'monday' when you forget it).

You also are tempted to write them down, or use consecutive patterns as passwords:

qwer789456123
0ok9ij8uh

Things like that. A simple phrase password, with a one time algorithm (give me the 4th, 5th, 7th and 10th letters) takes longer to work out in your head, but eavesdroppers (video, shoulder surfing, finger prints (national treasure) and electronic) have a harder time.

Of course, if you store all your new 8 digit alpha numeric passwords in an access file which is shared in a public folder, that would make any attempt of l33t passwords a bit redundant. :-)

Re:Less secure (1)

Otter (3800) | more than 9 years ago | (#11539453)

You also are tempted to write them down, or use consecutive patterns as passwords:

At the IT orientation at my current job, we were told to use consecutive passwords! The genius "security head" explained the rules (long, complex passwords, 60 day life), everyone groaned and he said "Don't worry -- you can do something like..." and described a trivially guessable series of passwords.

Changing passwords (3, Funny)

tod_miller (792541) | more than 9 years ago | (#11538930)

Is silly, if you stop brute force... with intrusion detection systems, if a password does get lost, why give yourself a 45 day (average) allowance? so it is ok for someone to have a password for 45 days, but not longer.

Also, the root password for my laptop is 'swordfish' (oh halle... I love your baps, but when the line 'it isn't just a multi-monitor system' comes up, I really have to kill nearby carbon based lifeforms.) but no one has hacked it yet for 3 reasons:

1: It is linux, therefore unhackable, even with r00t password
2: It has no networking capability
3: It no longer actually works, and after the drop I gave it, I suspect even the parked heads might not have stopped platter axle damage...

So have some auditing and heuristic behaviour analysis. Use one time passwords, rigorously check all intrusions based on internal/external. Follow up a failed password attempt with a human call (SOMETIMES computers can be the weak link in security) ;-)

Re:Changing passwords (1)

Otter (3800) | more than 9 years ago | (#11539464)

It no longer actually works, and after the drop I gave it, I suspect even the parked heads might not have stopped platter axle damage...

Good thing you don't have one of those new Powerbooks!

A few points (5, Informative)

v1z (126905) | more than 9 years ago | (#11538932)

1.
Changing passwords is of course to reduce impact when a password is stolen/cracked. 90 days sounds a bit long -- is this policy based on evaluating what's *needed* or just based on vague assumptions?

If it is expected that keyloggers, bruteforcing or some other form of password-theft is likely, 30 days might be more appropriate.

2.
According to various textbooks on computer security, forming a password from 1st (or some'th) letter in a sentence forms passwords which in general terms are as hard to brute-force as "truly" random passwords:

madly typing at keyboard: 32nfia.-!

I once saw four naked girls dancing in the moonlight: I1s4ngditm!

The latter form *may* be slightly more open to guessing the frequency of letters -- but bruteforcing a password with 12 alpha-numeric characters takes a *lot* of effort.

The main point is that passwords "generated" like that are *much* easier to remember. They may also be more "random" than just typing at the keyboard...

Some punctuation and variations in capitalization should be encouraged/enforced.

3.
If you are authenticating against Active Directory -- just use pass phrases. Harder to bruteforce -- and prevents the ntlm-hash (16 chars, one case) being accepted by some braindead system.

4.
I personally think single sign-on is an important part of a good security strategy because it allows for more frequent changing of passwords -- admins would typically still need 2-3 accounts (normal user, admin role, testing role), but more manageable than 10+

5.
Just because a password is written down does *not* mean it's compromised! If security really is so important that everyone needs 5 or more 8 letter "random" and unique passwords, I would *strongly* recommend that arrangements be made for all passwords to be kept in escrow in a safe.

That way employees won't have an excuse to keep the password somewhere insecure. Everyone should be able to get their password during work-hours easily (for instance the receptionist that either knows everyone, or is instructed to _demand_ id, could have access to the safe).

The downside with any kind of escrow is, of course, that one is forced to trust the few people with access to all passwords completely. This is a tradeoff -- but so are all security decisions.

6.
You mention BIOS boot passwords. Is that truly necessary? A BIOS configuration password sounds more reasonable to me. But either one is of rather limited use, unless you are using some form of fortified PC case.

If you do mean configuration passwords, that is a primary candidate for writing down, and locking in a safe IMHO. Normally all admins would have access to this, so that seems reasonable.

Kerberos (2, Interesting)

Trevelyan (535381) | more than 9 years ago | (#11539013)

Isn't this the point of things like Kerberos, i.e. to provide single sign-on in your network, so you don't have to remember lists of passwords?

Integrate it with PAM, and then you'll get a ticket when you log in, that will be used to authenticate you when you access things like an FTP or mail server.

Of course this won't help with off-site login, but at the point you use them you have access to the already mentioned password safes or security managers (e.g. Mozilla's PSM or KDE's wallet).

As to the original point, the more checks you can do for good password the better, but a 3 month life undermines any effort made to generate a good password.

I don't see the point of changing passwords, unless you can't keep it to yourself. Most methods of gaining your password are not affected by its age (e.g. sniff the wire, brute force, social engineering (is a subsequent password going to be any less dependent on your frame of mind than the last?)). Then, once 'they' have it, they're likely to install another method of access ASAP and are then no longer dependent on knowing your password.

Re:Kerberos (1)

man_ls (248470) | more than 9 years ago | (#11541184)

Kerberos is half-heartedly implemented where I am currently. Everything and every service, portal, and daemon is Kerberized but not a single one of them actually talks to, or communicates information with, any other one.

i.e. there is no "single sign on", there's repeated typing of the same account credentials over and over again to access various distribution nodes, services, accounts, machine resources, etc.

Having to type the same "single sign on" password 4-5 times in any given session to get anything done gets really old.

This can make things worse (4, Informative)

Kris_J (10111) | more than 9 years ago | (#11539050)

Policies like this typically result in more people breaking the rules and writing down their passwords, which in turn reduces security.

Security D'ohLTs (4, Interesting)

paol (461811) | more than 9 years ago | (#11539057)

Bruce Tognazzini has covered this kind of stupidity before.

"I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.
(...)
My wife, the Doctor, was working over the summer at a local hospital. They are fiercely into security, requiring no fewer than four sets of passwords to navigate their system. And why not? There are confidential patient records on those systems! By golly, they ought to have eight sets of passwords, and really make things secure!"

Read it: http://asktog.com/columns/058SecurityD'ohlts.html [asktog.com] . Better yet, have the people who are implementing this policy read it. Point out it's by one of the leading usability experts in the world. Odds are it won't change anything, but hey at least you tried...

Its just common sense longer PSWD is safer (2, Interesting)

museumpeace (735109) | more than 9 years ago | (#11539097)

My company just upped the ante for anyone trying to guess one of our passwords... min of 10 characters of which at least one each of UPPER CASE, special, numeric and lowercase are required... It's hard to produce a memorable password under these conditions. I have about a dozen passwords to remember between the various OSes, LAN security, Mail, and then there is my firewall and systems at home.
One way to handle it all is to write a script that can deterministically convert some string that you can remember into a password conforming to a parametrically selected rule [e.g. 12 chars, mixed case and numerics, no specials]. I wrote one of these generators in AWK since I have unix boxes at work and run a cygnus shell at home... it even takes account of the date [per GMT] so that I get a fresh PSWD every 3 months but can always reconstruct past passwords in a pinch with override date. I only have to remember my "open sesame" and nothing is ever written down or stored.
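A sketch of the kind of deterministic generator described in the comment above, added here as an example; it is not the commenter's AWK script. The PBKDF2/HMAC construction, the function names and the special-character set are assumptions of this example.

```python
import hashlib
import hmac
import string
from datetime import date

# Character classes a policy can require (the special set is an assumption).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!#$%&*+-=?@_",
}


def quarter_label(day):
    """'2005Q1'-style label; the derived password changes when it changes."""
    return f"{day.year}Q{(day.month - 1) // 3 + 1}"


def _byte_stream(key, context):
    """Endless deterministic bytes: HMAC-SHA256(key, context || counter)."""
    counter = 0
    while True:
        msg = context + counter.to_bytes(4, "big")
        yield from hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1


def _pick(stream, n):
    """Uniform index in range(n); rejection sampling avoids modulo bias."""
    limit = 256 - (256 % n)
    for b in stream:
        if b < limit:
            return b % n


def derive_password(master, system, day, length=12,
                    classes=("lower", "upper", "digit")):
    """Rebuild the password for one system and quarter from a memorised phrase."""
    if length < len(classes):
        raise ValueError("length is too short for the required classes")
    # Stretch the memorised phrase; the system name acts as the salt, so
    # every system gets an unrelated key.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), system.encode(), 200_000)
    stream = _byte_stream(key, quarter_label(day).encode())
    alphabet = "".join(CLASSES[c] for c in classes)
    # One character from each required class, then fill from the full alphabet.
    chars = [CLASSES[c][_pick(stream, len(CLASSES[c]))] for c in classes]
    chars += [alphabet[_pick(stream, len(alphabet))]
              for _ in range(length - len(classes))]
    # Fisher-Yates shuffle from the same stream, so the required characters
    # do not always sit in the first positions.
    for i in range(len(chars) - 1, 0, -1):
        j = _pick(stream, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample values; pass an earlier date to rebuild an old password.
    for system in ("vpn", "mail"):
        print(system, derive_password("open sesame", system, date.today()))
```

Nothing is stored, but the scheme has a single point of failure: anyone who learns the memorised phrase can rebuild every past and future password, so the quarterly rotation protects only against the loss of an individual derived password.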

Translation (4, Funny)

skinfitz (564041) | more than 9 years ago | (#11539098)

Is there any research to support whether such requirements actually increase security?

Translation: I can't be bothered changing my password and am too dumb to come up with arguments against this policy to give to my boss on my own.

We've been doing that forever (1)

Curien (267780) | more than 9 years ago | (#11539107)

Where I work, that's been the requirement for years. Users are used to it, so it's not a big deal. You don't find stickies lying on the desk either (well, you do, but only passwords for additional systems -- we don't have SSO yet). Actually, our requirements are harsher because you can't reuse a password that's less than two years old. Also, they run a password cracker against everyone's passwords every once in a while, just to make sure people really are making good passwords.

I like to use mathematical formulae. I memorized them years ago -- might as well make use of them now.

Mathematical Formulae (1)

malcomvetter (851474) | more than 9 years ago | (#11539392)


Try using a different subset of characters of pi [slashdot.org] encoded in hex.

Absolutely (2, Interesting)

bryanp (160522) | more than 9 years ago | (#11539165)

Every 90 days has been the standard everywhere I've worked. For us Sysadmin types it's every 30 days. I can keep up with it, but many end users with the 90 day restriction do exactly as you describe. They write them down, they use the same repetitive patterns, whatever. One user I used to support had a page of passwords in a little notepad he kept in his desk.

All I can really do is tell them the truth: If anyone gets on the network with their credentials they will be held responsible for what happens. It's hard enough just getting people to lock their screens when they go to lunch. One user got reamed out pretty badly when someone used her email account to send a scathing note to the CEO. The only reason she didn't get fired is that she was at lunch with several people who could vouch for her whereabouts at the moment the email was sent.

or you comply and store all passwords encrypted... (4, Interesting)

hankwang (413283) | more than 9 years ago | (#11539167)

I have stored all my passwords encrypted, with a script to easily access them... The essential part is:
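# $pwf (set earlier in the script, not shown) is the path of the encrypted file minus ".gpg".
# $1 inside the double quotes is the script's first argument: the start of the entry to show.
# The perl substitution wraps each [password] in black-on-black colour codes (its own $1 is the capture).
stty -echo
IFS= read -r pw
stty echo
printf '%s\n' "$pw" |
gpg --no-secmem-warning --decrypt --passphrase-fd 0 "$pwf.gpg" |
perl -ne "if (/^$1/)"' { s|\[([^ ]+)\]|[\033[40;30m$1\033[0m]|; print; }' |
less -r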
The passwords are enclosed in [] and the script displays the password in "black-on-black", so that you can copy-paste it without anybody looking over your shoulders seeing it, or you remembering it.

And the master password to this file hasn't ever changed... heh

Changing passwords frequently does not help (4, Insightful)

smahesh (845383) | more than 9 years ago | (#11539202)

Never underestimate the power of human ingenuity. We had the same problem at one of my ex-employers - there was a policy to change passwords every month. Initially, you could not 'recycle' a used password until ten entirely new passwords were used. Later on this was increased to 24 unique passwords before you could reuse the original password. People started forgetting passwords (3 failed login attempts and you are locked out) and started to write them down on post-it notes, etc. Some folks came up with an easy to use "formula" to generate unique passwords - crack the "formula" and you can easily find out the password.

The whole exercise of frequently changing passwords for security got compromised because it became cumbersome and annoying for people to keep remembering unique passwords. The policy looks good on paper - but as long as the human element is not factored in, it will not be effective.
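An added example, not part of any comment in this thread: why a "not one of the last N passwords" rule lets the incrementing-suffix and "formula" habits described above (and in catch23's comment earlier) straight through, next to a change-time similarity check that does not. Function names and thresholds are assumptions of this example; the sample passwords are constructed from patterns quoted on this page.

```python
import hashlib
import hmac
import os
import re


def hash_password(pw, salt=None):
    """Salted PBKDF2 digest, the only form in which old passwords are kept."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def in_history(new, history):
    """History rule: exact-reuse check against stored (salt, digest) pairs."""
    return any(
        hmac.compare_digest(hash_password(new, salt)[1], digest)
        for salt, digest in history
    )


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(pw):
    """Letters only, case-folded: what is left once the counter is removed."""
    return re.sub(r"[^a-z]", "", pw.lower())


def check_change(old, new, min_distance=4):
    """Reasons to reject `new` as a trivial variant of `old` (empty = accept)."""
    o, n = old.lower(), new.lower()
    reasons = []
    if skeleton(old) and skeleton(old) == skeleton(new):
        reasons.append("same letters; only digits, punctuation or case changed")
    if n == o[::-1]:
        reasons.append("old password reversed")
    if len(o) == len(n) and n != o and n in o + o:
        reasons.append("old password rotated")
    if edit_distance(o, n) < min_distance:
        reasons.append(f"fewer than {min_distance} edits from the old password")
    return reasons


if __name__ == "__main__":
    # Constructed history: the hashes of two earlier passwords.
    history = [hash_password(p) for p in ("password1", "password2")]
    print("password3 blocked by history rule:", in_history("password3", history))
    samples = [("password2", "password3"), ("fuzzy1cat", "fuzzy2cat"),
               ("A1A1A1A1", "A2A2A2A2"), ("Tr4ctor-Lamp9", "vq7Mw2!kzPd3")]
    for old, new in samples:
        print(f"{old} -> {new}:", check_change(old, new) or "accepted")
```

The similarity checks need the old password in clear, so they can run only at change time, when the user types both; a history of salted hashes can never detect anything but exact reuse.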

Re:Changing passwords frequently does not help (1)

ivan256 (17499) | more than 9 years ago | (#11540305)

Later on this was increased to 24 unique passwords before you could reuse the original password.

Sounds like you need a script to change your password 25 times in a row so you can always have the same password.

Diceware (1)

Anonymous Cowherd X (850136) | more than 9 years ago | (#11539248)

Just use the Diceware method [diceware.com] and stop whining.

Make the user responsible (2, Funny)

Dammital (220641) | more than 9 years ago | (#11539425)

Expirations and complex rules for passwords are lame and work at cross-purposes. So here's what you do: allow your employees to assign any password they like, with the understanding that you are going to try to crack 'em. If you are successful, then they're fired.

Just. Like. That.

Re:Make the user responsible (1)

dtfinch (661405) | more than 9 years ago | (#11539690)

Can you do that? Fire your own boss or another tenured employee for choosing a weak password?

Re:Make the user responsible (1)

Dammital (220641) | more than 9 years ago | (#11540093)

Sure, if they understood the rules to begin with. Make them sign at the same time that they sign your Acceptable Use Policy. (You do have an AUP, right?)
"Your job REQUIRES access to our computer systems. If you are unable to select passwords that are resistant to automated attacks, then you are unable to fulfill the requirements of your job and are subject to immediate dismissal."

I take your point that the Boss or his Son is hard to fire, whatever their levels of stupidity.

Convenience vs Security (1)

4of12 (97621) | more than 9 years ago | (#11539441)

At MyCorp we tend to move haltingly and staggeringly towards greater security and inconvenience. [No, we're not quite up to military standards where no security policy, no matter how stupid and ineffective, would ever be rejected on the grounds that it caused inconvenience:)]

There's a well-known tradeoff between security and convenience, but it's possible to not be on the maximum locus of that curve: i.e., it's possible to have incredibly inconvenient security policies that provide very little actual security.

Anyway, given that 8 character gobbledygook passwords can be brute-forced in increasingly shorter time intervals which, at some point, make it tough on users to remember new passwords, we're moving towards SecureID.

"Help me!" (3, Funny)

dtfinch (661405) | more than 9 years ago | (#11539625)

"I forgot my password! It changes too often."

You've gotta do what everyone else does and write it down. Stick a copy in your wallet, under your keyboard, on the side of your monitor, etc. Now I'll just use my admin login to reset your password and you'll be on your way.

why not just.... (1)

ted1488 (832376) | more than 9 years ago | (#11539732)

change your os to linux and not have to worry that much about security in the first place?

Alternating alphanumerics (3, Funny)

RoboRay (735839) | more than 9 years ago | (#11539789)

I'm actually not allowed to use two consecutive letters in my password to one government system. Every letter must be followed by a number. It also must be 8 characters, no more, no less, and can't contain any punctuation or special symbols. It changes every 90 days. And you can't reuse old passwords, either. Ever.

So, my first password was A1A1A1A1. Guess what my next one was?

Ultimately (4, Insightful)

dtfinch (661405) | more than 9 years ago | (#11539995)

There is always a bigger risk. 8 character random alphanumeric is around 40-48 bits of protection, depending on if you mix upper and lowercase (harder to remember). I've written a strong password generator here [mytsoftware.com] . While 8 character alphanumeric is breakable, especially at 40 bits, it's unlikely you'll encounter such perseverance. A 90 day rotation will ensure that password crackers need to re-sniff your network for login hashes every 90 days, and limit their time to take advantage of a broken password, but beyond that it's just going to ensure that more users will write down their passwords. There is no set amount of time needed to break a random password. They could break it in a day or never. A rotation isn't going to have the effect of making them start over or anything.

There are plenty of bigger risks to worry about than someone bruteforcing a password. They could get passwords by other means. They could walk up to a pc that's already logged in, and either use it immediately or install a trojan for later use. They could sniff your network. File sharing and email are usually unencrypted. They could hack your dns server so that requests go through them. An employee with privileges could steal or alter data.

Stop being a big pussy (0)

Anonymous Coward | more than 9 years ago | (#11540127)

And just change your damn password. In fact, I'm calling your admins right now and telling them it should be 16 chars and changed every 2 weeks, just because your password right now is "pussy13".

Security is irrelevant (3, Insightful)

Mozai (3547) | more than 9 years ago | (#11540170)

I work at a medium, mango-hued company and we had to implement the same policy for "security reasons." I get about three calls a week asking for passwords to be reset.

The 90-day, eight character line-noise password policy has nothing to do with security: it's required for our security certification by a security company who has a good reputation. Either we comply with whatever such a company tells us to do, or banks and merchants and credit companies will refuse to do business with us. Oh, and we have to pick the right company so that we don't have to pay another >$10,000 to get re-certified by another expensive name.

Sucks, but c'est l'entreprise.

Company handed me passwords..accidentally (4, Funny)

dmorin (25609) | more than 9 years ago | (#11540284)

The bank I worked for implemented a "change your password every 60 days" rule the same year they handed us one of those motivational desktop calendars that had a word of the month like "teamwork", "integrity", and so on. The password checker would not let you repeat your previous passwords, but it did NOT check for dictionary words! So whenever it nagged me to change words I would just reach up to the desk calendar, flip over to the next month, and type in the word of the month. Certainly solved the "where can I write it down" problem. Anybody walking into my office would just think that I did not keep the calendar up to date.

stealth one time pad (2, Interesting)

zogger (617870) | more than 9 years ago | (#11540380)

Just use a paperback book, change the book occasionally. All you have to remember is the page number, paragraph number and line number, those are your random digits that preface or follow the letters. They refer to the phrase or sentence in that location, where you get your letters. Interposing can be your choice of course, straight ahead or rotating backwards to forwards, etc. Example page *237(insert first word)*, paragraph *5(insert first word)*, line *4(insert first word)*. Ton of variations on that theme, and in this example you only need to remember *23754* in case you forget the entire passphrase sequence. The book can be an ebook for that matter on your PDA or any other stealthy/innocent written thing you have handy. Throw in some special characters and it gets even more difficult of course, or instead of inserting a word, do several words that you find there within the number and special characters. You can add an additional wildcard to help stop a dictionary attack on the word, add a 4th digit, that reminds you to remove every 4th letter from every word for example, or add a special character at that place. So then you would only have to remember in this example *237544(insert special character to remember this cycle)* for your hint. One more number added to the initial memorized number is an additional hint as to where to look if you forget the whole thing, example, 2375448 would be a hint to look at book 8 for the other hints on your shelf of tech books perhaps.

One time pads especially when it's only you using them and not two or more people are a good thing. Of course it won't beat a boss injected keylogger someplace in the mix. In this example, even if joe bad guy has your book,and knows you are using it, those sorts of combinations are immense, especially with the special characters on the keyboard to use. And if it's gotten that far you are most likely cooked anyway, so time for plan B to avoid the rubber hoses, heh. I recommend a .45, a bag of cash in well used bills, several gold pieces, and a really fast motorcycle. Might as well have fun during your escape I always say;) Oh and don't forget the self destruct key for your cubicle....

Don't want to use a book, you can use something like the playlist and metadata for the song on your music player gadget. Example song 909, beatles, heyjude, something minutes and seconds or something KB in song length, etc. You only need to remember one song title per 90 day period then, along with the original placement number in the menu.

Ton of ways to do a one time pad variant easily, you just want it stealthy so no one realises that's where your passphrase hint is stored. Do you get any quarterly journals of the dead trees variety? You can use that, fits the 90 day rule too, and an excuse to have that journal kicking around already. You could do it optically with random "things" that are around your office. Look up, you might have a calendar, some houseplant, a picture in a frame, the color of the wall, how many tiles on the ceiling between x place and y place in the office, etc. Just rotate your junk around, then all you have to do is look at the placements, along with that quarters number sequence you remember. Example number 48910(wildcard character), this quarters passphrase might be january4*spiderplant8*mom9*cream10*

have fun

8 characters is not long (1)

jhoffoss (73895) | more than 9 years ago | (#11540449)

My password currently is about 35 characters; it's a sentence with punctuation and all, but not ordered correctly. It's easy to remember and easier to type. And I'd give you a year with a handful of systems and you wouldn't brute-force it.

IMO, 8 chars, complex, changed every 90 days is the absolute minimum for password strength for any system beyond generic webmail or /. accounts.

Same thing here (1)

hrieke (126185) | more than 9 years ago | (#11540856)

DOD mandate.
And I work in the HMO world, but one of our customers does work for the DOD and thus we have to comply with the standard.

Carry a frickin' notebook... (1)

firebeaker (52242) | more than 9 years ago | (#11541228)

... a small, spiral bound notebook, and write 'em down. At least that's what I did...

The paper's also good for keeping you warm when you get sick of working there & quit. So's the navy blue sweatshirt I got 2 days after I left.

Yes it sucks, suck it up and write them down. Lock it in your drawer. Bring your key home with you, and you're secure. (At least that was the company policy when I was there. God, I hated those workstation security audits.... if it wasn't labeled 'Non-Confidential', you failed.)

PDA password keepers (2, Informative)

Weasel Boy (13855) | more than 9 years ago | (#11541597)

are very handy. I have about 45 passwords stored in mine.

My password app includes a utility to generate random but pronounceable passwords (which I don't generally use). My coworker told me one of these a year ago. I haven't used it in 9 months, and I still remember it. Oh $%^*, the system probably expired it. ;-)

Gnu Keyring (3, Insightful)

kentborg (12732) | more than 9 years ago | (#11541801)

I get *SO* pissed at these password fascists, particularly when their
rules reduce my password security.

I use secure, easy to type, and easy to remember passwords (see
http://ask.slashdot.org/comments.pl?sid=132327&cid=11054456 for
details on that).

I never reuse passwords except in a few rare circumstances (on
different Linux computers I personally control I reuse some
passwords).

To keep track of all those passwords I bought a (relatively
inexpensive) Palm Zire 31. On it I run Gnu Keyring
(gnukeyring.sourceforge.net). I have one significantly secure
password that I then use to encrypt all my other passwords. I back up
this Palm using an SD card. I also back up via IR to my Linux
notebook where there is a client that can decrypt the data.

I also have a Palm-based phone (Samsung i330) that can run Gnu
Keyring--but I don't trust it. It makes mysterious 10-second data
calls that bother a paranoid such as me. Yes, I don't have any good
reason to trust the Zire 31 either, but I keep it nearly incommunicado, I
don't need to trust it so much.

I recommend Gnu Keyring.

-kb