
MS Employee Calls for No More Passwords

Zonk posted more than 9 years ago | from the wise-man-in-a-unique-position dept.

Security 614

BobPaul writes "On his blog, Robert Hensing of the Microsoft PSS Security Team makes a really convincing argument for the abolishment of complicated passwords. He argues that precomputed hash tables, network sniffing, and programs like L0phtCrack make passwords obsolete and dangerous in the Windows environment. What does he recommend in their place? Passphrases: sentences and quotes that are easy to remember but may be more than 30 or 40 characters in length. With many companies requiring frequent password changes, (and we know exactly where that leads) this is a simple idea I'm surprised more people haven't been doing this more often."


Biometrics (4, Interesting)

nuclear305 (674185) | more than 9 years ago | (#11655809)

What about biometrics? Passphrases are nothing more than longer passwords. I can see several things resulting from converting to all passphrases. First, the person will probably use the same passphrase for everything because it's too difficult to remember multiple passphrases. Second, it's difficult to remember passphrases! Phone numbers (in the US, at least) are limited to 10 digits because research shows the average person can only memorize 10 digits; as a result, we tend to write things down, or in the case of data, people are likely to store their passphrases in a central location that is still prone to theft/decryption.

Biometrics, on the other hand, requires that you only have your body present at the time! No special USB keys to lug around, no pieces of paper with important passwords/phrases. This won't solve the problem of possible data interception when talking about remote authentication--but every form of authentication is prone to such attacks when transmitted.

Re:Biometrics (4, Insightful)

jbridge21 (90597) | more than 9 years ago | (#11655844)

something you have, something you are, something you know

Re:Biometrics (4, Insightful)

lachlan76 (770870) | more than 9 years ago | (#11655845)

Biometric authentication can't be changed. I can change a password, but I can't change my fingerprints.

This won't solve the problem of possible data interception when talking about remote authentication--but every form of authentication is prone to such attacks when transmitted.

No it isn't, because if you use a salted hash (chosen by the server), you can't just replay the traffic.
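
The challenge-response scheme the comment above is pointing at (the "salt chosen by the server" is a fresh per-login challenge, i.e. a nonce, not the salt stored with the hash), written out as an added example. This is not code from the thread or from Hensing's post; it assumes an HMAC-SHA-256 response over a server-chosen random nonce, a constructed sample passphrase, and class and function names that are this example's own:

```python
import hashlib
import hmac
import secrets

# Constructed sample passphrase. The server would normally hold a verifier
# derived from it rather than the passphrase itself; the storage format is
# not the point here, the protocol is.
USER_SECRET = b"correct horse battery staple"


class Server:
    """Issues one random challenge per login attempt and checks the response."""

    def __init__(self, secret):
        self._secret = secret
        self._outstanding = set()  # challenges issued but not yet answered

    def challenge(self):
        nonce = secrets.token_bytes(16)  # CSPRNG, never reused
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce, response):
        # A challenge may be answered exactly once. A replayed (nonce, response)
        # pair is refused even though the MAC over it is still mathematically valid.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def client_response(secret, nonce):
    """What the client puts on the wire: a MAC over the nonce, never the secret."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def run_legitimate_login(server):
    """Normal exchange: challenge -> response -> accept."""
    nonce = server.challenge()
    response = client_response(USER_SECRET, nonce)
    return nonce, response, server.verify(nonce, response)


def run_replay(server, captured_nonce, captured_response):
    """A sniffer replays the exact bytes it saw."""
    return server.verify(captured_nonce, captured_response)


def run_replay_against_fresh_challenge(server, captured_response):
    """A sniffer starts a new login but only has the old response."""
    new_nonce = server.challenge()
    return server.verify(new_nonce, captured_response)


if __name__ == "__main__":
    srv = Server(USER_SECRET)
    nonce, response, ok = run_legitimate_login(srv)
    print("legitimate login accepted:", ok)
    print("verbatim replay accepted:", run_replay(srv, nonce, response))
    print("old response vs new nonce accepted:",
          run_replay_against_fresh_challenge(srv, response))
```

Replay is stopped, but the captured (nonce, response) pair is still an offline oracle: whoever sniffed it can hash candidate passphrases against that nonce as fast as their hardware allows, so the strength of the passphrase itself is what the rest of this thread is really arguing about.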

Re:Biometrics (3, Funny)

ScrewMaster (602015) | more than 9 years ago | (#11655979)

because if you use a salted hash (chosen by the server)

That's true ... when I stop by our local Denny's for breakfast I let the waitress decide whether I get corned or roast beef with my eggs.

Re:Biometrics (5, Insightful)

mboverload (657893) | more than 9 years ago | (#11655851)

Biometrics is the most over-rated security idea ever thought of.

Once someone gets a copy of your fingerprint or retina, your credit card is compromised for life. You can't change your biometrics, which is why they are a total joke.

Re:Biometrics (4, Interesting)

Blindman (36862) | more than 9 years ago | (#11655941)

The question is whether or not one can spoof biometrics. I can probably get a copy of a lot of fingerprints, and I could post them on my wall. That doesn't mean I could make gloves with them. Despite how it appears in movies, I don't know how easy it would be to fake someone else's fingerprints or retina for that matter.

I agree that biometrics can't be changed, but will you ever need to?

Re:Biometrics (4, Informative)

lachlan76 (770870) | more than 9 years ago | (#11655973)

Read this. [dansdata.com] There is no problem faking them.

Not to mention that fingerprints are left EVERYWHERE.

Re:Biometrics (5, Funny)

DrMrLordX (559371) | more than 9 years ago | (#11656007)

You don't need to make gloves with someone else's fingerprints. All you need are gummy bears.

Gummy Bears! Bouncing here and there and everywhere! Foiling security beyond compare! They are the Gummy Bearrrrrrrrrrrs.

Re:Biometrics (1)

Taladar (717494) | more than 9 years ago | (#11655956)

Wrong. Once copies of fingerprints or retinas in a quality good enough for the given authentication are possible, everyone's credit card is compromised until the banks get a new system.

Re:Biometrics (2, Funny)

Qzukk (229616) | more than 9 years ago | (#11655869)

Biometrics, on the other hand, requires that you only have your body present at the time!

Or that someone else has your body present. Or just search google for jelly fingerprint to see how to duplicate other people's prints for fun and profit.

Biometrics is bound to stick around for a while, but the fad will hopefully fade before all my bank and credit card accounts get tied to my fingerprint and I have to have new prints carved into my fingers to replace the ones that some identity thief lifted off the scanner.

One Question (2, Insightful)

Hal The Computer (674045) | more than 9 years ago | (#11655883)

Would you leave your passphrase written down on every nearby surface?

Because your fingerprints will be all over unless you wear gloves all the time.

Other body parts aren't quite this extreme but still have similar weaknesses.

Re:Biometrics (0)

Anonymous Coward | more than 9 years ago | (#11655909)

No, the average person can only easily remember seven arbitrary digits, give or take two. The area code usually isn't specified, and even if it is, it's a single piece of data that's mapped to a geographic location.

Re:Biometrics (1)

ScrewMaster (602015) | more than 9 years ago | (#11656012)

And that was the big objection when our local phone company (SBC, the Southern Boy's Club) decided to go to 10 digits. Nobody wanted to have to remember that many digits. I know it irritated the hell out of me. It still irritates me.

Re:Biometrics (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#11655954)

During a presentation I heard (I don't claim credit for any of this research myself), biometrics aren't enough by themselves. Researchers have pulled off attacks such as taking a high-res photo of an eyeball, or capturing someone's fingerprints from a surface the user just touched (such as the screen/plate used to authenticate the user!) on gelatin models and using those models to enter the system. In more extreme circumstances, many of them are still vulnerable to the "cadaver attack" (incidentally, in four years of Computer Science courses, this was by far my favorite phrase). Essentially, if I want to break into your system, I find a valid user, kill him (or at least chop off his arm), and authenticate myself that way. Basically, our tech isn't mature enough to foil all this in a cost-effective way.

With a password, if you lost it or someone guessed it, the administrator can easily replace it. On the other hand...well, that phrase gives it away, right there. It's much harder to give yourself a new hand/eyeball/whatever.

As for attacks during transmission, I recall there being concerns about man-in-the-middle attacks, but I don't recall any spectacular examples.

Re:Biometrics (4, Informative)

iocat (572367) | more than 9 years ago | (#11655975)

When you do a pass-phrase, each of the 10 "digits" you remember are words. Assuming you don't have dyslexia or other language-center-damaging brain issues, you don't have to remember the correct position of every letter of each word as though it was some random digit, because your brain encodes "Now is the time for all good men to come to their country's aid" much differently than "suh ob wjf nait fdn ap; qomf ..." -- you get the picture.

It's a lot easier to remember a series of words than a series of digits that have no obvious relationship to each other.

Offer Void on pre-2000 MS operating systems. (4, Informative)

LostCluster (625375) | more than 9 years ago | (#11655810)

One thing I just read in my MCSE study book... Windows 2000 and up support 127-character passwords, but Windows NT, Windows 9x and Windows ME only support 14 characters in a password. A user who has a Windows password greater than 14 characters simply cannot use the older operating systems even if they otherwise should be able to.

Therefore, if you have any legacy systems to support, these password tips don't apply to you, and that's got to be part of the reason there hasn't been much of a movement to suggest that users use longer passwords.

Re:Offer Void on pre-2000 MS operating systems. (1, Insightful)

kallisti777 (46059) | more than 9 years ago | (#11655838)


Yet another attempt by Microsoft to force people to upgrade to the latest version of Windows.

You know, even I'm not sure if I'm kidding.

Re:Offer Void on pre-2000 MS operating systems. (0)

Anonymous Coward | more than 9 years ago | (#11655935)


Yet another attempt by Microsoft to force people to upgrade to the latest version of Windows.

You know, even I'm not sure if I'm kidding.

So is Sun doing the same thing with Solaris 10?

Re:Offer Void on pre-2000 MS operating systems. (1, Informative)

Anonymous Coward | more than 9 years ago | (#11655849)

NTLM level 1 was the reason for this. NTLM2 has been retrofitted into all of those unsupported out of date OSes. If you're running 9x or NT kernel ... you have bigger problems.

Re:Offer Void on pre-2000 MS operating systems. (2, Interesting)

rickt (93968) | more than 9 years ago | (#11655974)

A variant of the "sentence as password" idea that I've been using for years, is to come up with a sentence (be it apropos to the system or not) and then use the first letter of each word in the sentence.

It combines the best of both worlds.

i) a 'complex' password because it can't be broken by a dictionary-based attack
ii) easy to remember (sentence-based)

Add to the mix some transposition of characters (use 1's instead of i's etc etc) and you've got yourself a fairly decent password, at least better than most.

Works just fine on password-size challenged systems.

The only problem with a passphrase (1)

JeffTL (667728) | more than 9 years ago | (#11655814)

is that it takes longer to type. But for a highly secure system, I doubt you could beat a phrase or sentence -- particularly in an obscure language or containing obscure words, to make dictionary cracking even more difficult.

Re:The only problem with a passphrase (1)

turnstyle (588788) | more than 9 years ago | (#11655828)

Plus, isn't it still basically just a longer password? A rose by any other name...

Auto-completion (1, Funny)

sammyo (166904) | more than 9 years ago | (#11655907)

ba ding :-)

Re:Auto-completion (2, Funny)

craXORjack (726120) | more than 9 years ago | (#11656009)

Or since it is Microsoft we are talking about:
[] Check this box to remember password

I've been doing this for ages (1)

ShieldW0lf (601553) | more than 9 years ago | (#11655912)

Just make a long strong password using the first letter from each word in a sentence.

iswtfmtosadgawd
I spend way too fucking much time on slashdot and don't get any work done

Give your users something funny and they won't forget it.

Re:The only problem with a passphrase (1)

Spy Hunter (317220) | more than 9 years ago | (#11655949)

Also, you are more prone to typing errors when typing a long passphrase. Though I suppose typing an English sentence could be easier than typing, for example, D84*#ijo).


I really wonder about the long-term viability of this solution as well. Sure, it makes brute-force attacks harder because the password is longer, but it also makes each character of the password much easier to guess because it makes up a coherent English sentence. Those crazy security wizards will probably come up with a way to defeat passphrases as well, by using an enhanced dictionary type attack that strings words together into semi-coherent sentences.


An eight-word password does have a lot more possibilities than an eight-character password, because there are a LOT more words than there are characters. However, in coherent English sentences, some words are WAY more common than others. Has the analysis been done to see if English sentence passphrases really are theoretically stronger than passwords?

Really? (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11655815)

Well I call for a pussy to eat, and it doesn't happen, so tough shit.

Re:Really? (1)

conteXXt (249905) | more than 9 years ago | (#11655915)

Add a made-up word and that would be a fairly good passphrase

(I think that's why you posted it, correct?)

fp bitches (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11655817)

windows sucks ass

Re:fp bitches (0)

Anonymous Coward | more than 9 years ago | (#11655937)

you failed it, but i will agree windoze is kludge :^P

People are lazy (4, Informative)

hedronist (233240) | more than 9 years ago | (#11655820)

One of the main obstacles to better security is that people are fundamentally lazy. Typing 30 or 40 characters is difficult to do, and it takes time, so people won't do it. Or if forced to do it, they will whine about it -- a lot.

I have convinced a majority of my friends & family to at least stop using dictionary words and names of pets. Instead, I have them pick some favorite line from a movie or book and then use the first letter of each word. It's easy to remember, so they don't stick it on the bottom of their keyboard. It also is not a word in the dictionary so at least Crack & friends can't be used to guess it.

For example, if one of my friends is a Dead Head, he might use "stlasom.oticbs" If you're a Dead Head you'll probably be able to guess the lyric. But you *won't* be able to find it in a dictionary.

Re:People are lazy (1)

Frosty Piss (770223) | more than 9 years ago | (#11655870)

I use strings of random chars, and then write it on a sticky, and stick it to my monitor.

Re:People are lazy (3, Insightful)

gcaseye6677 (694805) | more than 9 years ago | (#11655886)

Even the non-lazy wouldn't be happy about long passphrases. At work, I lock my screen whenever I leave the desk, and the password protected screen saver timeout is 5 minutes in case I forget. Would I be willing to do this if I had to type out 40 characters to get back into my machine? Hell no, I'd get a Homer-Simpson-like pecking bird to keep the keyboard active while I'm gone, resulting in less security. Although I understand what this guy is saying, the idea of super long pass phrases is a non-starter in any real world environment.

Re:People are lazy (0)

mboverload (657893) | more than 9 years ago | (#11655926)

It takes me around 2 seconds to type my 20+ character password for my PGP disks.

Wow, 4 seconds to type my 40 character password, boohoo! Cry me a river.

Re:People are lazy (1)

LocoMan (744414) | more than 9 years ago | (#11656001)

There's also the thing of getting people to type it correctly without looking at the letters. I can type a long password without problems, but I don't watch the keys when typing... but my mother (and lots of other people I know) do the watch keyboard, type, watch screen, watch keyboard again, repeat, and I know that at least my mother has to try a couple of times sometimes writing regular passwords. I bet she would try a couple of times with a longer one and then go back to regular short passwords.

Excellent! (5, Funny)

PedanticSpellingTrol (746300) | more than 9 years ago | (#11655821)

Now replacing my brute force wordlists with "He's dead, Jim", "In soviet russia, passphrases validate YOU" and "passwords are for old korean people" will allow root access to 90% of the internet.

Re:Excellent! (0)

Anonymous Coward | more than 9 years ago | (#11655971)


All your bases are belong to us.

Re:Excellent! (1)

Jeremiah Cornelius (137) | more than 9 years ago | (#11655986)

I like Mondegreens from obscure Donovan B-sides.

Re:Excellent! (0)

Anonymous Coward | more than 9 years ago | (#11656011)

The other 10%:

somebody set us up the bomb
All your base are belong to us
and...
Imagine a Beowulf cluster of those!

Time involved (1, Insightful)

blueadept1 (844312) | more than 9 years ago | (#11655824)

The amount of times I type in my passwords each day, it would be frustrating to take even more time out of my day to type these "pass phrases" in.

What we really need is more biometrics.

Re:Time involved (1, Insightful)

Anonymous Coward | more than 9 years ago | (#11655871)

Also, not everyone can type reliably.
As the letters are not displayed when typing a password, people are going to be making mistakes all over the place.

Re:Time involved (0)

Anonymous Coward | more than 9 years ago | (#11655899)

What we really need is more biometrics.

No we don't [zdnet.co.uk] .

Re:Time involved (0)

Anonymous Coward | more than 9 years ago | (#11656000)

The amount of times I type in my passwords each day...
Maybe you should re-think the way that you work so you don't have to type them so much.

Old news... (1)

LostCluster (625375) | more than 9 years ago | (#11655833)

Edited 10/18/2004:
This blog has gained far more attention than I could have ever imagined when I decided to create a small personal blog devoted to security incident response. I never imagined my first ever post would be as controversial or as widely published / linked as it has become!


If he thought his little blog had gained all of the attention it could back in October...

In other news Microsoft is waaayy ahead of him... (1, Funny)

rune2 (547599) | more than 9 years ago | (#11655841)

With all of the vulnerabilities and exploits in Windows who needs a password anyways? ;-)

password vs. passphrase (2, Funny)

CoolCash (528004) | more than 9 years ago | (#11655843)

So when the user creates their password it will be: "This is my passphrase" instead of "password"

Re:password vs. passphrase (1, Funny)

Anonymous Coward | more than 9 years ago | (#11655877)

No my passphrase is this:

Microsoft sux0rs really bad!

Which is just slightly harder to guess than "password".

Re:password vs. passphrase (0)

Anonymous Coward | more than 9 years ago | (#11655890)

at least it's more self-describing this way.

Why not a key? (1)

As Seen On TV (857673) | more than 9 years ago | (#11655848)

USB is ubiquitous now, and the technology to build USB keys has reached the commodity point. USB flash drives of a gigabyte or more are less than $200, and a security key wouldn't need to be anywhere near that big. One with just a few kilobytes of memory could contain an encrypted private key that's unlocked with a password.

This idea strikes me as being so obvious that I can't imagine I'm the only one to think of it. Where's the fatal flaw that I'm not seeing?

Re:Why not a key? (0)

Anonymous Coward | more than 9 years ago | (#11655908)

Honey did you wash my pants???

Re:Why not a key? (2, Insightful)

apparently (756613) | more than 9 years ago | (#11655947)

- the key could get lost? Can't say I like the idea of having to bring the user a new USB key each time he forgets it.
- the key could get stolen?
- the lazy users would keep the key in a drawer next to their PC?

Re:Why not a key? (0)

Anonymous Coward | more than 9 years ago | (#11656010)

Makes logging in remotely a bit trickier. Still, some companies do stuff with smartcards that is more-or-less the same, I think.

Lol... did he think of this himself? (0)

Ayanami Rei (621112) | more than 9 years ago | (#11655850)

Fact: Did you know that Windows 2000 based operating systems support pass-PHRASES of up to 127 characters including spaces...

Wow that's impressive.
Oh wait... no it isn't.

--- /etc/pam.d/system-auth ---
... snip ...
password required pam_unix.so md5 remember=5

--- /etc/security/policy.conf ---
... snip ...
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
... snip ...
CRYPT_DEFAULT=1 #Compatible with BSD/Linux MD5

Because you know, all those ancient Unix systems kept you from using passwords more than 8 letters long.

Re:Lol... did he think of this himself? (2, Insightful)

Otter (3800) | more than 9 years ago | (#11655914)

If you're going to completely misunderstand him, could you at least quote his whole sentence?

Anyway, believe it or not, "ancient Unix systems" didn't use the same password machinery as what's in your Linux distribution.

It's called sarcasm. (1)

Ayanami Rei (621112) | more than 9 years ago | (#11655993)

Modern unices broke away from crypt(1) a _long_ time ago and advocated the use of passphrases vs. passwords. Ever hear of Jack the Ripper?

Why is it that suddenly now when a microsoft employee "discovers" this last year it's news? I feel sorry for the guy.

Consistency (1)

backslashdot (95548) | more than 9 years ago | (#11655852)

Microsoft has been quite consistent with their position on passwords.

Hackers, worms, and trojans have long been able to get into Windows without passwords.

Lipsum (1)

mod_critical (699118) | more than 9 years ago | (#11655855)

I've actually used a Lipsum generator for passwords for a long time on sensitive machines. Because they consist of very pronounceable Latin roots, it's easy to remember them. One I don't use anymore, for example, was Etiam_Tristique_Turpis. Not easy to crack, I imagine, but easy for me to remember.

password/passphrase? (1)

nitio (825314) | more than 9 years ago | (#11655857)

isn't password just a common name? I mean, if you want, you could just use a phrase as your password, afaik blank space still counts as a character...

mod u4 (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#11655858)

and sold in the in jocks or 3haps

Only a few thousand years behind... (4, Funny)

physicsphairy (720718) | more than 9 years ago | (#11655860)

And I quote, "Open Sesame!"

Workaround (1)

shirai (42309) | more than 9 years ago | (#11655863)

An easy way to get stronger passwords is to make them consist of the first letter of every word in a phrase. For example:

I wish I had some nachos to eat at work

would become:

IwIhsnteaw

Okay, it can still be brute force attacked but it certainly can't be efficiently dictionary hacked. Furthermore, for most of our needs, this works just fine. Add a number into the phrase and even better.

As the article mentions, passwords get hard to brute force at about 10 characters.

Re:Workaround (1)

apparently (756613) | more than 9 years ago | (#11655982)

the l0phtcrack hash tables (or similar) mentioned in the article summary would find that password in a few minutes. iirc, l0phtcrack 5's hash table approach doesn't work if you include a special character in the password, i.e.: IwIhsnteaw!

Perhaps... (0)

Anonymous Coward | more than 9 years ago | (#11655866)

Perhaps we should just forget passwords all together and just trust one another...trust that when you walk away without locking your workstation that a mass email is going to be sent out from your workstation telling folks that you're coming out of the closet....no wait...you can't trust people.

My passphrase... (4, Funny)

Noryungi (70322) | more than 9 years ago | (#11655867)

In many companies where I worked, for some kind of reason, my passphrase always ended up as:

  • [name_of_boss]isabloodyidiot


or

  • whatabloodyidiot[name_of_boss]is


Make of that what you want, but:

  • it's always accepted by whatever program is in charge of checking password
  • it's easy to remember, yet hard to crack (unless you know me and the bloody^W... er... boss...
  • it always made me smile as this was the first thing I had to type in the morning


Of course, I changed the password to something more politically correct before leaving the companies....

Re:My passphrase... (1)

saskboy (600063) | more than 9 years ago | (#11655927)

That's all fine, until you go to log into a system, and accidentally type in the password where the user name goes, and the boss is looking over your shoulder.

I know what my first passphrase will be... (0)

Anonymous Coward | more than 9 years ago | (#11655872)

"If you play a Windows XP installation CDROM backwards, you hear a message from Satan. Even worse... if you play it forwards, it installs Windows XP."

That should be easy to remember.

I'm a sysadmin ... (1)

GNUALMAFUERTE (697061) | more than 9 years ago | (#11655875)

And I'm too paranoid to put my RSA key in the trusted hosts file of all the servers I administrate, so I type nearly 10 different passwords, and each of them is 10 characters in length, numbers + words, all with DIferENt CasES. I have to type them all the time; having such long passwords as sentences would be totally impractical.

ALMAFUERTE

yeah right (0)

Anonymous Coward | more than 9 years ago | (#11655880)

Whether a fingerprint or a longer password (passphrase) is used makes absolutely no difference.

As long as data can be sniffed between computers, nothing is secure. When are they going to pull their finger out and see that the real security lies within the communication protocols themselves and the OS you use? It's that simple.

If a secure connection can be established, everything else doesn't matter.

been doing it for years (0)

Anonymous Coward | more than 9 years ago | (#11655881)

the root password on all my Linux boxen is about the size of a paragraph, a small dirty poem i made up...

Irresponsible journalism (2, Informative)

flopsy mopsalon (635863) | more than 9 years ago | (#11655894)

The headline to this story is an example of the kind of journalistic sensationalism that is leading this country down the road to ruin and chaos. It gives the exciting implication that a Microsoft employee is proposing the abolition of the commonly-used password verification system and perhaps its replacement with some new and cutting edge technological method such as biometrics or one-way phrenosenticism.

Instead, the Microsoft employee is merely suggesting the use of longer passwords. I am shocked and appalled that a respectable forum such as Slashdot is stooping to "sexing up" its material in this manner.

Re:Irresponsible journalism (1)

Homology (639438) | more than 9 years ago | (#11655952)

Instead, the Microsoft employee is merely suggesting the use of longer passwords. I am shocked and appalled that a respectable forum such as Slashdot is stooping to "sexing up" its material in this manner.

Note to moderators : This is an example of irony [k12.ny.us]

No problem (0)

Anonymous Coward | more than 9 years ago | (#11655895)

I don't really have a problem with passwords since I keep them all stored at c:\pass.txt.

For generation of strong and easy to remember ... (2, Informative)

Homology (639438) | more than 9 years ago | (#11655896)

passphrases, just visit The Diceware Passphrase Home Page [diceware.com] :

This page offers a better way to create a strong, yet easy to remember passphrase for use with encryption and security programs. Weak passwords and passphrases are one of the most common flaws in computer security. Take a few minutes and learn how to do it right. The information presented here can be used by anyone. No background in cryptography or mathematics is required. Just follow the simple steps below.
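
An added example of the Diceware method the linked page describes; this is not code from diceware.com or from the thread. It assumes a constructed 36-word list keyed by two dice (the real list has 7776 words keyed by five) and uses Python's secrets module as the CSPRNG standing in for physical dice; the function names are this example's own:

```python
import itertools
import math
import secrets

# Constructed 36-word mini list standing in for the real 7776-word Diceware
# list (an assumption for this example). Real Diceware keys each word by five
# dice, e.g. "35142"; two dice suffice here because 6 ** 2 == 36.
MINI_WORDS = [
    "apple", "bead", "cold", "dusk", "echo", "fern", "gale", "hush", "iron",
    "jade", "kelp", "lamp", "moss", "nail", "oath", "pine", "quay", "reed",
    "sail", "tide", "urge", "vale", "wasp", "yarn", "zinc", "acre", "bolt",
    "clay", "drum", "flax", "grit", "hoop", "iris", "keel", "loom", "mint",
]
REAL_LIST_SIZE = 6 ** 5  # 7776 entries on the real list


def key_to_index(key):
    """Dice string such as '35' -> list index, reading faces 1..6 as base-6 digits 0..5."""
    index = 0
    for ch in key:
        face = int(ch)
        if not 1 <= face <= 6:
            raise ValueError("dice faces must be 1..6: %r" % key)
        index = index * 6 + (face - 1)
    return index


def build_table(words, dice_per_word):
    """Map every possible dice string to a word; the list must hold exactly 6**n words."""
    if len(words) != 6 ** dice_per_word:
        raise ValueError("need %d words for %d dice" % (6 ** dice_per_word, dice_per_word))
    table = {}
    for faces in itertools.product("123456", repeat=dice_per_word):
        key = "".join(faces)
        table[key] = words[key_to_index(key)]
    return table


def roll(dice_per_word):
    """One word's worth of dice, from the CSPRNG (never the random module for this)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice_per_word))


def generate(n_words, words=MINI_WORDS, dice_per_word=2):
    """Roll n_words words off the list; the words are chosen, never the user's favourites."""
    table = build_table(words, dice_per_word)
    return [table[roll(dice_per_word)] for _ in range(n_words)]


def entropy_bits(n_words, list_size):
    """Strength against an attacker who knows the list and the method: n * log2(list size)."""
    return n_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """How many words from a list of this size reach the target entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(" ".join(generate(6)))
    print("bits per real Diceware word: %.2f" % math.log2(REAL_LIST_SIZE))
    print("real words for 77 bits:", words_needed(77, REAL_LIST_SIZE))
```

Each real Diceware word is worth about 12.9 bits when the attacker knows the list, so six words give roughly 77 bits; the mini list above is worth only 5.2 bits per word. That figure is the one to compare against the 30-40 character quotes in the summary, whose strength depends on how guessable the sentence is rather than on its length.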

Heh.. (1)

hugo_pt (759790) | more than 9 years ago | (#11655897)

That blog is from 2004.. Anyway, I've been using pass-PHRASES for years, on BSD systems and Windows 2000. My Windows 2000 password used to have 63 characters. Nobody believed me, because nobody realized it wasn't any kind of random junk, but two mixed sentences I could easily remember.

good news, everybody (2, Interesting)

jonastullus (530101) | more than 9 years ago | (#11655900)

this is a simple idea I'm surprised more people haven't been doing this more often.

*yeah, right*
this "idea" is described in every single tutorial/howto/paper/note about password security. it's a good idea, i've been doing it for years, it has most likely been mentioned on slashdot countless times, but here we go again.

at times i forget why i am such an avid reader; it provides me with "stuff that matters" and makes me feel like i know more than all the others, from time to time ;-)))

jethr0

No one will ever break my password! (4, Funny)

Nova Express (100383) | more than 9 years ago | (#11655905)

It's the inscription on the One Ring, translated into Klingon, then rendered in l337! Three levels of Ubergeek encryption ensures maximum security!

Re:No one will ever break my password! (3, Funny)

Tenebrious1 (530949) | more than 9 years ago | (#11655942)

Crap... now I gotta go change all my passwords.

Re:No one will ever break my password! (0)

Anonymous Coward | more than 9 years ago | (#11655969)

But are you translating from original Quenya or Sindarin?

Needs a little fuzziness. (1)

shumacher (199043) | more than 9 years ago | (#11655906)

I like the passphrase idea. The only thing I see as an issue is the minor shift people tend to apply to things when memorized.

Read other people's messages before posting your own to avoid simply duplicating what has already been said.

Read other people's messages before posting yours to avoid simply duplicating what has been said already.

Read other peoples message before posting your own to avoid simply duplicating what's already been said. ...could all be the same passphrase.

In standard user applications, like hotmail and the like, how bad could it be?

Bible as the next crack dictionary? (2, Interesting)

hsoft (742011) | more than 9 years ago | (#11655916)

A Bible dictionary attack could work for a lot of passphrases if this kind of password were to become mainstream.

IMHO, passphrases would make it easier for a hacker to successfully hack a system. For example, myself:

- Make a Google search for my name
- See that The White Stripes is among my favourite groups
- Add The White Stripes lyrics to the crack dictionary
- Attack, and probably succeed (password = "Why can't you be nicer to me?").

The list of all quotes in imdb mustn't be THAT big. Thus "I will have my vengeance, in this life or the next" would be a bad password. (not to mention "whoa" :) )

Of course, IANASB (security blogger), I could be wrong.

Typos by Design (1)

StaticEngine (135635) | more than 9 years ago | (#11655999)

Anyone smart who uses passphrases, will sufficiently mangle them to defeat dictionary attacks. For example, why use "They were the best of times, they were the worst of times," when with a little forethought, you could as easily remember "They were the b3st of t1mes, they were the w0rst of tim3s." Those numbers could go anywhere, and switching out all the possibilities for every character of every phrase would take far longer than just a brute force dictionary attack.
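
The "enhanced dictionary attack" that several comments predict (quotes and lyrics as the wordlist, first-letter acronyms as in the nachos example, the l0phtcrack remark about a trailing special character, and the number-for-letter mangling in the comment above), written as an added example that is not from the thread or from Hensing's post. The quote corpus, the salt and the SHA-256 stand-in hash are all constructed for the example; real NT hashes are unsalted MD4, which is what makes the precomputed tables mentioned in the summary possible, but the candidate expansion is the same. It goes a little beyond the comments by also counting how small the leet search space actually is:

```python
import hashlib
import itertools
from math import comb

# Constructed mini "quote corpus": a real attacker would scrape lyric sites,
# IMDb quotes or the Bible, as commenters suggest. The sentences below are
# lifted from comments in this thread so the demo is self-contained.
QUOTES = [
    "Why can't you be nicer to me?",
    "I will have my vengeance, in this life or the next",
    "Now is the time for all good men to come to the aid of their country",
    "They were the best of times, they were the worst of times",
    "I wish I had some nachos to eat at work",
]

# The handful of substitutions people actually use.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
SALT = b"constructed-salt"  # assumption: salted SHA-256 stands in for the real hash


def acronym(sentence):
    """First letter of each word, the trick several commenters describe."""
    return "".join(word[0] for word in sentence.split())


def leet_variants(text, max_subs):
    """Yield text with up to max_subs of its substitutable letters swapped."""
    positions = [i for i, ch in enumerate(text) if ch.lower() in LEET]
    yield text
    for k in range(1, max_subs + 1):
        for combo in itertools.combinations(positions, k):
            chars = list(text)
            for i in combo:
                chars[i] = LEET[chars[i].lower()]
            yield "".join(chars)


def search_space(n_positions, max_subs):
    """Variants of one base string: sum of C(n, k) for k <= max_subs."""
    return sum(comb(n_positions, k) for k in range(max_subs + 1))


def candidates(quotes, max_subs):
    """Expand each quote into itself, its lowercase form and its acronym,
    each with leet variants, each with and without a trailing '!'."""
    seen = set()
    for quote in quotes:
        for base in (quote, quote.lower(), acronym(quote)):
            for variant in leet_variants(base, max_subs):
                for cand in (variant, variant + "!"):
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def hash_pw(password, salt=SALT):
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def crack(target_hash, quotes, max_subs=2, salt=SALT):
    """Return (recovered passphrase, guesses tried) or (None, guesses tried)."""
    tried = 0
    for cand in candidates(quotes, max_subs):
        tried += 1
        if hash_pw(cand, salt) == target_hash:
            return cand, tried
    return None, tried


if __name__ == "__main__":
    # The mangled Dickens line from the comment above: four substitutions.
    victim = "They were the b3st of t1mes, they were the w0rst of tim3s"
    found, tried = crack(hash_pw(victim), QUOTES, max_subs=4)
    print("recovered:", found, "after", tried, "guesses")
    # That sentence has 20 substitutable letters; up to four swapped is 6196 variants.
    print("leet variants of the base sentence:", search_space(20, 4))
```

The point the numbers make: once the base sentence is in the attacker's corpus, the mangling adds a few thousand guesses per quote, not the "far longer than brute force" the comment hopes for. What actually helps is a sentence no corpus contains, or a Diceware-style phrase whose words were chosen at random rather than remembered.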

hrm ...something he didn't mention: (0)

Anonymous Coward | more than 9 years ago | (#11655917)

...with your new long pass-phrase (decent idea there), pick some letters to substitute with numbers or punctuation. Yes, it'll look like 1337 scratch, but hey, all the more fucked up, all the better. And it's quite easy to remember what you substituted if you use it fairly often.

My solution: Creole words (1)

rsborg (111459) | more than 9 years ago | (#11655929)

I just make up long words that are a mix of several languages (English/French/Chinese/C++/Scheme/etc), and funny types of common misspellings I've made in the past (ie, a friend in grade school would always mispronounce "Basilisk" as "baalisk"... always stuck with me, so I remember this...)

Mix them together and you have a fairly secure password that can't be guessed unless the attacker knows you very well or has some keylogger.

However, the problem that remains is that people are lazy and a small mistake will still invalidate the password... and as you go to 30-40 characters, it's more and more likely that you make a simple speling mistake or spaceommision or s;omething. What is really needed for "passphrase" acceptance is a level of "fuzziness" so that you can make one or two minor mistakes but it still accepts your input... but then again, pass phrases are more accepted in voice input than typing.

Re:My solution: Creole words (1)

MythMoth (73648) | more than 9 years ago | (#11655964)

Suddenly a thousand people try to pinch your slashdot account.

The first rule of passwords is...? Anyone?

Bueller?

For anyone still looking for a Gmail account... (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11655936)

I have posted 500 of them at the site below. Yes, 500. Google is handing them out to the current users like crazy now. There's no reason everyone shouldn't have one now....enjoy.

http://www.jiggybyte.com/Gmail [jiggybyte.com]

just tell users to use passphrases (1)

t1nman33 (248342) | more than 9 years ago | (#11655944)

I ended up stumbling upon this concept, and wondered why it wasn't recommended more often.

I had to create a secure-shell passphrase. The program, when I created the private key, didn't ask me to name a "password." It said, please enter a "passphrase." As a result, I have a much longer, more secure password, and absolutely no difficulties in remembering it.

Think about it this way:

a) Please enter a password, made of letters, characters, numbers, etc, but no dictionary words, and keep it over 8 characters long, and remember that you're going to have to change it every week, and no fair writing it down. Examples: w%df#flw0234, 534##@slkfjkljluiui, ajajajoiejflkjd2341324.

or

b) Please enter a phrase, 3-10 words long. Examples: Ireallyenjoydrinkingbeer, runningintowallskindofhurts, touchmymonkeytouchit.

Which of the two would you rather do? So why don't we just tell people to enter a passphrase rather than a password?

two obvious problems with this idea (4, Insightful)

mattdm (1931) | more than 9 years ago | (#11655948)

1) it's just as easy (give or take the odd case where you're just able to sample a few bytes) to sniff a passphrase as a password

2) if most people's passphrases are made of dictionary words taken from their active vocabularies, dictionary attacks are still very possible. If we figure a typical vocabulary of 25000 words and a six-word phrase, hmmm, some quick math indicates we're in the range of a 14-character random alphanumeric+punctuation password -- not too bad. (Especially if you grant people bigger vocabularies [worldwidewords.org] ....) But, suddenly, we're open to language-based attacks -- there's probably a thesis project in here for someone to come up with good algorithms to narrow down the required attack dictionary.
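A worked version of the entropy comparison in this post, as an added example that is not part of the thread; the 94-symbol printable character set, the 2,000-word narrowed vocabulary for the language-based attack and the 10^9 guesses per second rate are assumptions:

```python
import math
import string

# Added example: size of the search space under the two models compared in the
# comment above. Vocabulary and guess-rate figures are constructed assumptions.
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)  # 94 symbols


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of `length` independent, uniform picks from `alphabet_size` symbols."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one pick")
    return length * math.log2(alphabet_size)


def equivalent_random_length(bits: float, alphabet_size: int = PRINTABLE) -> float:
    """How many uniformly random characters of `alphabet_size` carry `bits` of entropy."""
    return bits / math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_phrase_to_password(vocab_size: int, words: int,
                               charset: int = PRINTABLE, chars: int = 14,
                               guesses_per_second: float = 1e9) -> dict:
    """Side by side: a word-based phrase vs a random character password."""
    phrase_bits = bits_of_entropy(vocab_size, words)
    password_bits = bits_of_entropy(charset, chars)
    return {
        "phrase_bits": round(phrase_bits, 1),
        "password_bits": round(password_bits, 1),
        "phrase_as_random_chars": round(equivalent_random_length(phrase_bits, charset), 1),
        "phrase_years": years_to_exhaust(phrase_bits, guesses_per_second),
    }


if __name__ == "__main__":
    # Full 25,000-word active vocabulary, six words: the comment's own figures.
    print(compare_phrase_to_password(25000, 6))
    # The "language-based attack" case: the attacker's model narrows the
    # effective vocabulary to the 2,000 most likely words (assumed figure).
    print(compare_phrase_to_password(2000, 6))
```

The first call lands at roughly 88 bits, which is the comment's "about 14 random characters"; the second shows how much a narrowed dictionary costs the defender before any phrase is even typed.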

Some problems with the system. (1)

joseamuniz (790421) | more than 9 years ago | (#11655950)

"If we weren't all crazy we would go insane" (Jimmy Buffet rules)
"Send the pain below!" (I like Chevell too)
"Mean people suck!" (it's true)

These are 'sample passphrases' provided in the article. However, there are two main things that I consider make this a not-so-good idea:

a) Being that these are actual phrases, is it that easy to remember the exact punctuation, capitalization, and even grammar used? Hell, even for case-insensitive passwords, you still have to remember exactly how it is written. For instance, what if I wrote: "Mean people suck!" (It's true), or "Mean people suck!" (it is true)??

b) Most textboxes where one is to input one's password are actually shadowed, so that you can't actually see what you're typing. How fun would it be typing your passphrase and not knowing exactly where you were at once you have something like ********************?

It's rather simple... (1)

OneOfAKind (842855) | more than 9 years ago | (#11655955)

The password prompts just need to read "Pedo mellon a minno."

great password (1)

mboverload (657893) | more than 9 years ago | (#11655959)

"I see dead pe0ple in the middle of the night. Help!"

Simple, easy to remember, contains a number, has a period and comma, and is over 50 characters. I don't know about you, but these phrase passwords sound like a good idea.

It's not LoftCrack (2, Informative)

TheCabal (215908) | more than 9 years ago | (#11655963)

it's l0phtcrack

passwords? passphrases? (2, Interesting)

Gaima (174551) | more than 9 years ago | (#11655968)

Perhaps I'm too sleepy to think (I'm too sleepy to read the article), but precisely what is the difference?
A password is a string you know, a passphrase is a string you know.
One is probably longer than the other, big deal.

2, or 3, or 4 factor authorisation schemes are the only way forward. Like those used by some banks in, erm, Sweden ?

dictionary attack? (1)

lart2150 (724284) | more than 9 years ago | (#11655976)

Most/all users will use words in the dictionary, so a 20-character or so passphrase would not be as hard to hack as a 20-char password with "random" letters. Maybe add space . ? ! to your things before/after/between words and you're no longer trying to do something that can't be done with the current computers.

This guy obviously doesn't know his own customers. (1)

JessLeah (625838) | more than 9 years ago | (#11655980)

The average Windows end-user in America still "hunts and pecks". Typing 30 to 40 characters without mistakes would take them several minutes.

The very idea that someone who should know better could propose something this ludicrous is astonishing.

Asking the typical Joe Sixpack Windows user to type 30 to 40 characters is like asking them to cut their own nose off. I've once had someone tell me how "painful" it was to type my email address. Which has under a dozen characters in it.

Eh (0, Redundant)

Quiet_Desperation (858215) | more than 9 years ago | (#11655983)

This sounds really annoying.

Can't we just shoot the crackers?

summary (1)

mincognito (839071) | more than 9 years ago | (#11655990)

Excel can't compute big numbers.

Well, I've done that before ... (1)

Hektor_Troy (262592) | more than 9 years ago | (#11656002)

My password is a 79 character alphanumerical combination of numbers and words.

Of course it's rather hard to tell people what the password really is ...

Smartcards and other hardened tokens (1)

Cthefuture (665326) | more than 9 years ago | (#11656004)

The thing about a token is that you only have to remember a "simple" 4-8 character PIN, yet it can still provide high quality keys. It can be used to store very long, complex passwords, or it can do PKI type things on the token itself without ever exposing the private key(s).

The protection is in the fact that you can't use a brute force attack against most of these tokens because they lock or destroy themselves after a certain low number of incorrect PIN attempts.

As an IT admin I see the need for this. (1)

rune2 (547599) | more than 9 years ago | (#11656008)

If you make passwords too complex or hard to remember, then people forget them all the time or do things that negate the security aspects of passwords completely, such as writing them down, saving them inside an application, or making them incredibly easy to guess so that they can remember them. However, is replacing them with sentences or phrases really a better idea? While they are likely more difficult to crack, who wants to type in a sentence every time they want to log in? As an alternative, biometric options are finally starting to become more affordable. There are relatively inexpensive biometric mice now that will read a fingerprint. Perhaps these could be used as a password substitute.