
Too Many Passwords

Zonk posted more than 8 years ago | from the setec-astronomy dept.

Security 516

LK3 writes "A survey of 1700 technology end users in the United States released today reveals some interesting findings about password management habits. 'The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques and creates a drain on productivity by taxing the resources of IT support centers.' Further, corporate requirements of frequent password replacement further exacerbate the toll on human memory. Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?"


516 comments


I know how it feels... (5, Funny)

XXIstCenturyBoy (617054) | more than 8 years ago | (#13661303)

I have a very very clever comment to add to that thread, but I forgot my password :(

Re:I know how it feels... (3, Insightful)

AKAImBatman (238306) | more than 8 years ago | (#13661363)

No kidding. Someone should invent a special "web token" of sorts that would keep you logged in. You know, it would be transmitted every time you access the site. It wouldn't have to be very big, maybe a maximum of 4KB.

You know, I better go patent this idea before someone else thinks of it! :-P

Re:I know how it feels... (5, Insightful)

Fulcrum of Evil (560260) | more than 8 years ago | (#13661387)

Someone should invent a special "web token" of sorts that would keep you logged in.

Tried that. Turns out, nobody wants all their online identities to merge together.

... MSN Passport? (4, Informative)

everphilski (877346) | more than 8 years ago | (#13661407)

... nobody seems to be a big fan ...

-everphilski-

Re:I know how it feels... (2, Funny)

19thNervousBreakdown (768619) | more than 8 years ago | (#13661465)

He's talking about cookies, dumbasses.

Can't remember already... (2, Interesting)

richdun (672214) | more than 8 years ago | (#13661306)

Nothing for you to see here. Please move along.

Crap, what was the password to view /. stories?

Better than post-it notes (5, Interesting)

nizo (81281) | more than 8 years ago | (#13661307)

Becoming tired of remembering passwords, I wrote a little perl program to randomly generate a matrix like this:

a-E9 b-?p c-&m
d-6K e-aY f-eP
g-!S h-gn i-D=
j-Hd k-vw l-Cb
m-W5 n-4$ o-R3
p-x% q-7M r-NF
s-+2 t-s* u-Ay
v-fL w-zG x-Zu
y-cX z-Qr

I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw

Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard than get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password :-) ).
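
The card scheme above, as an added example that is not nizo's Perl program: it reproduces the posted card as a lookup table, builds fresh cards with unique two-character groups, encodes a keyword the way "bank" becomes ?pE94$vw, and also decodes a password back to its keyword, which is the property later replies point out (anyone holding the card can reverse it, so the card is a secret, not just a memory aid). The character set used for new cards is an assumption of this example.

```python
import secrets
import string

# The card nizo posted, as a Python dict (copied from the post above).
CARD = {
    "a": "E9", "b": "?p", "c": "&m", "d": "6K", "e": "aY", "f": "eP",
    "g": "!S", "h": "gn", "i": "D=", "j": "Hd", "k": "vw", "l": "Cb",
    "m": "W5", "n": "4$", "o": "R3", "p": "x%", "q": "7M", "r": "NF",
    "s": "+2", "t": "s*", "u": "Ay", "v": "fL", "w": "zG", "x": "Zu",
    "y": "cX", "z": "Qr",
}

# Assumed character set for freshly generated cards: letters, digits and the
# symbols that appear on nizo's card.
ALPHABET = string.ascii_letters + string.digits + "!$%&*+=?"


def generate_card(rng=None):
    """Build a new 26-entry card with a random two-character group per letter.

    Groups are kept unique so that every password decodes to exactly one
    keyword. Uses the OS CSPRNG unless a seeded rng is supplied (for tests).
    """
    rng = rng or secrets.SystemRandom()
    card, used = {}, set()
    for letter in string.ascii_lowercase:
        pair = rng.choice(ALPHABET) + rng.choice(ALPHABET)
        while pair in used:
            pair = rng.choice(ALPHABET) + rng.choice(ALPHABET)
        used.add(pair)
        card[letter] = pair
    return card


def encode(keyword, card=CARD):
    """Replace each letter of the keyword with its two-character group."""
    return "".join(card[c] for c in keyword.lower())


def decode(password, card=CARD):
    """Recover the keyword from a password produced by encode().

    This is the weakness of a fixed substitution: the card alone is enough
    to turn any observed password back into the memorised word.
    """
    inverse = {}
    for letter, pair in card.items():
        if pair in inverse:
            raise ValueError(f"duplicate group {pair!r}; card is not uniquely decodable")
        inverse[pair] = letter
    if len(password) % 2:
        raise ValueError("password length must be even for a two-character card")
    return "".join(inverse[password[i:i + 2]] for i in range(0, len(password), 2))


def render_card(card):
    """Lay the card out three entries per line, like the printed wallet card."""
    items = [f"{letter}-{card[letter]}" for letter in sorted(card)]
    return "\n".join(" ".join(items[i:i + 3]) for i in range(0, len(items), 3))


if __name__ == "__main__":
    print(render_card(CARD))
    print("bank ->", encode("bank"))            # ?pE94$vw
    print("?pE94$vw ->", decode("?pE94$vw"))    # bank
    print(render_card(generate_card()))
```

Because decode() needs only the card, losing the wallet means every keyword-derived password is recoverable by whoever finds it; the card should be treated with the same care as a written password list.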

Re:Better than post-it notes (4, Funny)

richdun (672214) | more than 8 years ago | (#13661344)

(maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw

So could you please elaborate on this and also tell us how you remember other pieces of information, say, like, I don't know, just for example, your PIN, account number, and which bank you use? Just curious...

Re:Better than post-it notes (0)

Anonymous Coward | more than 8 years ago | (#13661360)

I'd be interested to see how you get that password from that matrix for the word bank...

seems like an interesting system.

Re:Better than post-it notes (3, Informative)

AKAImBatman (238306) | more than 8 years ago | (#13661432)

It took me a moment, but I figured out the system. The letters before the dash are the key, the letters to the right are the parts that are used in the password. So for "bank" you have:

b-?p
a-E9
n-4$
k-vw

He actually did make it a bit easier to read, but he forgot to use the ecode tags. Try this version:
a-E9 b-?p c-&m
d-6K e-aY f-eP
g-!S h-gn i-D=
j-Hd k-vw l-Cb
m-W5 n-4$ o-R3
p-x% q-7M r-NF
s-+2 t-s* u-Ay
v-fL w-zG x-Zu
y-cX z-Qr

Re:Better than post-it notes (1)

interiot (50685) | more than 8 years ago | (#13661556)

So what do you do for all the stupid places that:

a) require you to use numbers only for your ATM PIN

b) require you to use no special symbols (I wince in pain every time I see this one)

c) REQUIRE you to have at least one number, or one upper + one lower case, or one symbol (not every string in the table above has a number, or a symbol, etc)

I have four basic passwords, but then I have multiple variants of them for various password requirements that various entities force upon me.

Re:Better than post-it notes (1)

tajmorton (806296) | more than 8 years ago | (#13661434)

Look at the first line:
a-E9 b-?p c-&m

That tells you substitute b with ?p, a with E9, etc etc.

So, b (?p) a (E9) n (4$) k (vw) equals a password of ?pE94$vw. Make sense?

Taj

Re:Better than post-it notes (0)

Anonymous Coward | more than 8 years ago | (#13661451)

From the matrix...
b=?p
a=E9
n=4$
k=vw
so bank = ?pE94$vw
It is simple substitution, 2 chars for every letter of the alphabet

Re:Better than post-it notes (0)

Anonymous Coward | more than 8 years ago | (#13661467)

There's 26 groupings - one for each letter of the alphabet. The first letter group (for "a") is "E9". "b" = "?p", "c" = "&m", and so on. His keyword is "bank". So simply take the character pair for b, a, n, and k and concatenate them.

Re:Better than post-it notes (2, Insightful)

cavemanf16 (303184) | more than 8 years ago | (#13661406)

Damn, that's way too much work! (And what about me and my 30-40 passwords... that's a BIG piece of paper!) Just GPG one file full of passwords, and remember your GPG key.

Re:Better than post-it notes (4, Informative)

AKAImBatman (238306) | more than 8 years ago | (#13661482)

Just GPG one file full of passwords, and remember your GPG key.

That's more or less what he did. Look again. The table isn't a list of passwords, rather, it's a standard substitution cipher. For each of the letters, he simply looks up the value to produce the password. The scheme is reversible as well, so you can retrieve the keyword from the password.

Here's an article [wikipedia.org] on substitution ciphers.

Re:Better than post-it notes (1)

Canadian_Daemon (642176) | more than 8 years ago | (#13661520)

You really don't understand how his system works, it isn't that each password is 'coded' onto the paper, but each letter gets replaced by a value. So all the paper has to have is 26 fields with 26 values.

Re:Better than post-it notes (5, Funny)

Anonymous Coward | more than 8 years ago | (#13661415)

To steal an old post to an old comment -- that's a very interesting perl program...could you post the output instead of the well-written perl code, though?

Re:Better than post-it notes (0)

Anonymous Coward | more than 8 years ago | (#13661437)

> I then print this, laminate it, and put it in my wallet

With all my passwords, that would hurt my butt.

Re:Better than post-it notes (1)

RDFozz (73761) | more than 8 years ago | (#13661444)

On those occasions where I had to write down a password, I would use a trivial ciphering mechanism: for example, move the first character to the end of the password (obviously, this works far better with random passwords than human-readable ones).

Re:Better than post-it notes (0, Flamebait)

Anonymous Coward | more than 8 years ago | (#13661458)

ePAy&mvw cXR3Ay

Frustration (2, Insightful)

mysqlrocks (783488) | more than 8 years ago | (#13661323)

This frustration is leading to behaviors that could jeopardize IT security, as well as compliance initiatives.

Any good sysadmin knows that if you make the password policy too strict you could actually be worsening your security situation. People will start sticking their passwords under their keyboards or on their monitors.

Re:Frustration (1)

L0C0loco (320848) | more than 8 years ago | (#13661540)

Ooh! Under the keyboard - cool, I'll have to try that. Really, I gave up long ago with trying to keep track of my passwords at work since they change every 90 days. Now I just keep a file named PassWords.txt on my computer virtual desktop and remember my login password. Of course that is just for work. At home I get to manage my own password policies and do not have this problem.

Re:Frustration (1)

porkThreeWays (895269) | more than 8 years ago | (#13661575)

This is going to happen regardless...

Another admin and I were trying to figure out good passwords for 4 users for sensitive data. We spent a good 20 minutes figuring out memorable passwords that were secure and had meaning. They were very easy to remember because they all had meaning to that individual person.
Well... a few weeks later I'm in that dept. helping pull cable. Sure enough on a monitor is a yellow post-it with site address, username, and password. Right there on the monitor. We could have just as well made it gobbly-goo because they are gonna stick it on the monitor regardless.

as usual, blame the users for trying (5, Insightful)

yagu (721525) | more than 8 years ago | (#13661324)

(BTW, this is basically a dupe from about four or five years ago...)

From the article (and the post):

The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques such as listing passwords on post-it notes (you know who you are)...

First, I can't let this pass. I was on the IT team for a large company that had the described oodles of systems and oodles of passwords dilemma. And I'd been out on the floor where our users had to use these systems. The last thing in the world someone should be saying to them is, "You know how you are", as if these people are doing something wrong. Their jobs of dealing with the consumer public are hard enough without having to genuflect to the "security" (inconsistent, obfuscated, inane, ineffective, and myriad) measures of the systems from which they are supposed to serve the consumers. I never had to deal with as many passwords as they did, but had I had to, I'd have been tempted to do the same thing.

As for the dilemma of too many passwords... yeah, there are too many passwords. And the funny thing about that is, they (in my opinion) provide little to no security and may even subtract from the overall security of the network. Especially in a closed access building (which these users were), passwords were and are a hindrance, not an enabler. I'd submit the entire organization would function more effectively were they all allowed access to the various systems sans passwords once they'd entered the building. Most stolen and broken passwords are via social engineering, and half the social engineering is just gaining access.

In the personal computing arena, I'd be awfully surprised if even 10% of the problems occur because of too many passwords. More likely it's because of incorrectly configured access levels for general users.

I'm guessing the world of passwords will never go away, but in settings where users have to deal with many (in the case described above, literally hundreds) of systems and their various password paradigms, passwords SHOULD go away (NOTE: the use of the plural... I'd be okay with somehow consolidating total access down to ONE password). Somehow it must be comforting to PHB's to know their universe is multiply protected by multiple schema, whether or not it affords any protection.

Re:as usual, blame the users for trying (2, Insightful)

thc69 (98798) | more than 8 years ago | (#13661469)

Heheh..."too many" passwords. I've found that the username/password pair concept is so alien and nonunderstandable by so many users that it's entirely pointless. My more savvy clients understand how it works, but use a single insecure password (including one who uses "password") everywhere.

I hate to say it, because the whole concept is so incredibly simple to me, but it's just not going to happen with users.

Further, they want to be _told_ that they're secure, they want to make somebody else suffer when their security is breached, but they do NOT want to work in any way to remain secure, even the ones who understand the concept.

Re:as usual, blame the users for trying (1)

WindBourne (631190) | more than 8 years ago | (#13661518)

Funny thing about this, is that a bad password is one of the top problems in *nix world. In the MS world, it is very low on the totem pole. Much more could be accomplished by updating Windows and all its anti-viral software on an everyday basis or by simply upgrading to a superior OS.

Re:as usual, blame the users for trying (1)

Otter (3800) | more than 8 years ago | (#13661522)

(BTW, this is basically a dupe from about four or five years ago...)

Huh? The study came out today! Poor Zonk catches enough flak already, without hassling him over this.

Unless you're saying that we've heard this before, which is certainly true (we get a story like this every week or two), but until the lesson starts to sink in to admins' heads, I say keep 'em coming!

kwallet (4, Interesting)

DarkProphet (114727) | more than 8 years ago | (#13661329)

I find that kwallet works well for this in KDE, but it's a feature sorely lacking in WinXP, though I am not sure I trust XP to store my passwords ;-)

I just use the same 4 passwords for everything, but trying to figure out which one of the four a certain one is can be a problem, since in some cases you only get 3 login attempts...

Re:kwallet (1)

tktk (540564) | more than 8 years ago | (#13661403)

What about logins? Don't you ever encounter sites where the login you want has already been taken? Then you have to get the right combination of login and passwords.

Re:kwallet (0)

Anonymous Coward | more than 8 years ago | (#13661568)

I more often run into the case where they insist on giving you one login, or use your email as a login (which email did I give these idiots this time?). I usually end up going through the "forgot your password" routine to find out that my login was my hotmail address.

Re:kwallet (1)

TheViffer (128272) | more than 8 years ago | (#13661536)

AnyPassword - http://www.romanlab.com/apw/ [romanlab.com] is just another Windows Program. Pretty nice. Load it up on a thumb drive and away you go.

Just use your Social Security number. (0, Flamebait)

team99parody (880782) | more than 8 years ago | (#13661330)

It's a number that's supposed to be kept secret with whomever you share it with (because society would collapse if they didn't) --- and it's a number that just about every organization seems to want anyway (so you don't have to fear revealing it to them since they have it anyway)

Good idea?

Re:Just use your Social Security number. (1)

AutopsyReport (856852) | more than 8 years ago | (#13661375)

And if the encryption scheme being used was later broken, not only would someone have all the passwords, but all the corresponding social security numbers as well. I'd say that's not too good :)

Re:Just use your Social Security number. (1)

AutopsyReport (856852) | more than 8 years ago | (#13661410)

Wow... Hook, line and sinker. What a bitch!

Re:Just use your Social Security number. (1)

everphilski (877346) | more than 8 years ago | (#13661446)

No letters. Won't pass on some password systems.

-everphilski-

Re:Just use your Social Security number. (0)

Anonymous Coward | more than 8 years ago | (#13661414)

I'm pretty sure the parent was shooting for "funny"....

But interestingly enough, the analogy seems sound because so many stupid companies (banks, brokerages) will happily reset your password if you give them your SS# and mother's maiden name (which is a common "i forgot my password" code).

Somehow we trust them with the Social Security numbers; but get all paranoid about sharing the much less valuable "password". This makes no sense. Rather than worrying about encrypting passwords; we should be worrying about encrypting the SS#s when we submit them to companies.

Re:Just use your Social Security number. (1)

team99parody (880782) | more than 8 years ago | (#13661495)

encrypting the SS#s when we submit them to companies.

Hmm.... For all these guys worrying about using a different password for each website - would it be legal to "make up" fake SS#s when dealing with stupid organizations who shouldn't really have access to it anyway. Personally, I think I'd feel quite a bit safer if my school (where I know the guys running IT) didn't have access to the same SS# for me as etrade.

And for that matter, I'd feel even safer if flakey companies like Visa who use even flakier companies like ChoicePoint [schneier.com] didn't have access to the same social security number that ETrade has.

Seems the real answer to me is what the parent poster suggested --- Visa should only have an encrypted version of my SS#, and ETrade should only have a version encrypted by a different key.

Re:Just use your Social Security number. (1)

AnonymousJackass (849899) | more than 8 years ago | (#13661442)

Good idea?

No!! That would give your boss and your Significant Other (assuming you give your S.O. such privileges) access to your email/bank/whatever accounts! They're the last people you want accessing them!

Re:Just use your Social Security number. (2, Informative)

merreborn (853723) | more than 8 years ago | (#13661487)

Just use your Social Security number... Good idea?

No.

That's about as secure as your mother's maiden name, or your dog's name.

Which is to say, it's the worst password imaginable.

Do you want your father/mother to have access to all your accounts?

Hell, for wellsfargo.com, your SSN is your username!

Not to mention there are under 10^9 possible SSNs, and the first 3 (5?) digits can be calculated based on your place and date of birth! That reduces your number space to 10^6 or less, which, at one request/second, could be cracked in 11 days -- And 1/second is a very slow rate!

Re:Just use your Social Security number. (1)

elocutio (567729) | more than 8 years ago | (#13661583)

Just use your Social Security number. Good idea?

Well, considering that it's a NUMBER, and there are obvious and public rules [ssa.gov] that determine its composition, this is a very trivial brute-force crack waiting to happen.

The key reason why alphanumeric passwords are conventional (often a network password policy requires a certain combination of numbers and letters), aside from over-the-shoulder obfuscation, is that they are harder to crack with a dictionary or brute-force approach.

Most private investigators could tell you a person's social security number for a fee; in fact, many internet sites offer this same service.

In general, pairing obvious personal information with your identity/alias/etc is a bad, bad, bad idea. I remember from my technical support years, seeing passwords that were obviously bank card pin numbers, or SSN serials, or daughter's name. If your password stores more information than a keyed access to your private/proprietary systems, it's a bad password.

My Voice.. (2, Funny)

Blade80 (416070) | more than 8 years ago | (#13661331)

My voice is my passport.

SSH keys (0)

Anonymous Coward | more than 8 years ago | (#13661337)

SSH keys are all you need, entering passwords is so 20th century.

One Solution (0)

Anonymous Coward | more than 8 years ago | (#13661347)

SplashID [splashdata.com] or similar products give you a strongly encrypted database that you can sync with portable devices; in my case, a Palm OS based phone. I've been keeping my passwords and other sensitive information in there for years now. Works great.

You want to make the password protecting that database a good one, though...

Don't forget (5, Interesting)

GWBasic (900357) | more than 8 years ago | (#13661358)

Don't forget to add that programs use inconsistent rules for passwords. Some programs are case-sensitive, others aren't. Some programs don't allow special characters, some require them. What's worse are programs that require a numerical password. For example, I refuse to use Verizon's online system because instead of using a username/password combination, I have to use an account number and a randomly-generated PIN.

I won't answer that! (2, Funny)

game kid (805301) | more than 8 years ago | (#13661370)

Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?

I'd answer, but then it'll give insight into my password preferences, and then I'll get c00tz0rs from t3h l33t h4x0r2!!1!eleventyone etc.

My password (1)

anonicon (215837) | more than 8 years ago | (#13661372)

Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?

I just use the rotating password of IAmGodsGiftToWomen01, 02, 03... No geek will ever come up with that one!

Re:My password (1)

game kid (805301) | more than 8 years ago | (#13661408)

Somehow I feel that post just invalidated those passwords. ;)

Re:My password (1)

RDFozz (73761) | more than 8 years ago | (#13661565)

Unfortunately, this is a common way to generate "unique" but memorable passwords, when passwords change frequently (say once a month).

IT requiring password changes (5, Interesting)

ChrisF79 (829953) | more than 8 years ago | (#13661380)

I can definitely relate to what they're saying in the article. At the company where I work, we are required to change our Windows password every 8 weeks and the password to get into the financial software every 3 months. To make matters worse, we can't use a password we used in the past again. So, you have a bunch of folks here that aren't concerned at all about passwords creating anything they can think of every 2 months minimum, and forgetting it that same day. It's a huge drain on the IT department and it constantly happens. Also, after 3 unsuccessful attempts at getting in the financial software, you're locked out. You have to call a completely different person than the usual IT guys to get the specialist for PeopleSoft to fix the screw up. It really amazes me at how much time gets wasted in our IT department alone, just fixing passwords for people.

Re:IT requiring password changes (1)

Ziviyr (95582) | more than 8 years ago | (#13661532)

I suppose they locked out incremental passwords too?

Re:IT requiring password changes (2, Interesting)

alan_dershowitz (586542) | more than 8 years ago | (#13661546)

Where I work (which shall remain nameless) people get around this password restriction by making their password "SOME STRING"1, then when they have to change it in a few weeks, "SOME STRING"2, and so on. I can't believe this is any sort of superior "security", badgering people into choosing terribly predictable passwords.

Unite the password... (1)

PHanT0 (148738) | more than 8 years ago | (#13661381)


All it takes is a fingerprint scanner, USB ID Key, good NIS setup, or my personal favorite - tiny RFID tags under the skin... ohh nelly... now I've got to cut off a chunk of johnny's hip to commit identity theft!

Re:Unite the password... (1)

Skadet (528657) | more than 8 years ago | (#13661501)

tiny RFID tags under the skin

THE MARK OF THE BEAST!! AHHHHH!!!!! *points and jumps up and down*

Given up (1)

mikejz84 (771717) | more than 8 years ago | (#13661389)

I have given up with passwords and just switched to 'asdfasdf1234' never cracked yet.

Clever storage is the secret (1)

NotFamous (827147) | more than 8 years ago | (#13661391)

45Ty34#

I store mine on Slashdot!

Too many systems (1)

airjrdn (681898) | more than 8 years ago | (#13661392)

Companies want products "now". That means using a new product written specifically for a given task, often times a purchased product. That in turn means no connectivity with existing systems, which leads to yet more logins & passwords. Keeping them in sync can be a nightmare. Even knowing this is the cycle, many companies will continue with their historical way of doing things, yet wonder why their staff need to remember 20 different login/password combinations.

Information Security (3, Informative)

Divide By Zero (70303) | more than 8 years ago | (#13661397)

Something you have (physical key)
Something you know (password)
Something you are (biometrics)

One is good, two is better. Give your users an RFID card, smartcard, RSA SecurID (or similar) or fingerprint reader. Tie in your gift(s) to your authentication scheme.

You can't lose your finger NEARLY as easily as you can lose your physical token or forget your password.

Re:Information Security (1)

John Harrison (223649) | more than 8 years ago | (#13661497)

There are products out there from companies such as ActivCard and Protocomm that will securely store your passwords and also enter them via a script. Generally the user has to remember one password (called a PIN) to open up their smart card and then they don't need to remember anything else. Having a token and a single complex password (and/or a biometric) is generally more secure than trying to juggle dozens of individual passwords.

Disclaimer: I install such systems for a living, so I might be a bit biased.

Password manager (1)

Neil Watson (60859) | more than 8 years ago | (#13661399)

I encrypt my passwords in a text file. Many passwords I can remember but, some are used infrequently. Keeping them encrypted yet easy for me to access has made my life easier. I wrote about it Here [watson-wilson.ca]

For everyday users I don't think constantly rotating passwords is a good idea. It's too inconvenient for them. Once that happens they start to write them down. I think a combination of a hardware key and a passphrase offer better security. As the saying goes, something you know, something you have or something you are.

And for the contrary opinion (2, Informative)

joeflies (529536) | more than 8 years ago | (#13661401)

CNET commentator mentions that you should take the results with a grain of salt [com.com] . A company that sells tokens wouldn't publish a report saying that most people are ok with passwords. And also note at the end - the actual survey data is not available to you unless you're a member of the media.

Then there's also the fact that Lloyds performed a survey [lloydstsb.com] that contradicts the findings - passwords are fine as long as there's proper education.

Get rid of them (1)

Otter (3800) | more than 8 years ago | (#13661405)

At least part of the problem in my workplace is that there are dozens of different webapps (which is a problem in and of itself), each of which has a different login/pass combination. It is simply impossible to not write them down.

A simple solution would be to just eliminate password protection on most of them. They're only available on the intranet -- is there really a serious threat of people hax0ring other workers' accounts and taking their online sexual harassment training for them?

Re:Get rid of them (3, Funny)

Kainaw (676073) | more than 8 years ago | (#13661512)

is there really a serious threat of people hax0ring other workers' accounts and taking their online sexual harassment training for them?

Funny you should ask... I found the web-based Sexual Harassment training a stupid waste of time and energy. I tried to get it stopped, but management wouldn't listen. So, I wrote a script that pulled everyone's username from LDAP and completed the training for them on the first day it was available. Everyone got a "thank you" email and nobody wasted any time (except me - but then I spend my day reading slashdot).

The right tool for the job (1)

El Cubano (631386) | more than 8 years ago | (#13661412)

Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?

Just use the right tool: MyPasswordSafe [semanticgap.com]

There is also a GNOME or GTK tool that is similar, but I didn't like the features nearly as well. This thing will store your passwords in an AES encrypted file protected with (I believe) an arbitrary length passphrase (mine is about 100 characters). I believe that it is similar to the password safe (or something like that) that comes with Mac OS X, but it has been a long time since I even had a look at it.

Re:The right tool for the job (1)

Drubber (60345) | more than 8 years ago | (#13661480)

There is also Password Safe [schneier.com] , from Bruce Schneier, author of the venerable Applied Cryptography tome. It's an open source project and very good, IMO.

Compromise (1)

Daveznet (789744) | more than 8 years ago | (#13661424)

It's about compromise. Having a crazy password policy implemented is going to force the end users to write down their passwords underneath their keyboards etc, and having a simplistic policy is no good for obvious reasons. What needs to be done is have a policy that is usable and secure. Not only do policies regarding password generation need to be put in place but policies about writing them down and leaving them on your desk need to be an issue as well. Computer security has to be both on the computer and the user end.

One solution... (1)

jd (1658) | more than 8 years ago | (#13661433)

...would be to use one password you can remember, for everything. Almost. The key is in that "almost". You have a password calculator, on which you enter your password and the name of the facility you want to access as one long string. The calculator uses a hash function to turn that into a meaningless string. You now have one unique password per machine you want to use, but only one password to actually remember. Nothing is written down and if anyone examines the calculator, all they'll see is a device that does MD5 or SHA1 hashes - they won't be able to actually get any passwords from it.


Furthermore, unless someone DOES obtain the calculator AND knows how you identify the machine, you can tell who you like what the password you remember is. They'd still have to guess the hash function and the salt you're using. And if the user doesn't know how the calculator works (only that it does), social engineering won't help in getting the function, even if the cracker got all the other data. A cracker would need to actually try different hashing functions to be able to crack passwords for other sites, which increases the odds of them being detected.
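
The "password calculator" jd describes, as an added example that is not jd's device or code: one memorised master secret plus the name of the site goes through a one-way function and out comes a distinct per-site password. Where jd mentions MD5 or SHA1, this example deliberately substitutes PBKDF2-HMAC-SHA256 with the site name as the salt, so that someone who learns one derived password cannot cheaply brute-force the master secret from it; the iteration count, output length and base64 character set are assumptions of this example.

```python
import base64
import hashlib


def site_password(master, site, length=16, iterations=200_000):
    """Derive a per-site password from a single memorised master secret.

    - master:     the one password the user remembers (never stored).
    - site:       the facility name typed alongside it; lower-cased so that
                  "Example.com" and "example.com" give the same result.
    - iterations: PBKDF2 work factor (assumed value), so that recovering the
                  master from a leaked site password costs this many hashes
                  per guess rather than one MD5 call.
    Returns a base64 string cut to `length` characters.
    """
    if not master or not site:
        raise ValueError("master secret and site name are both required")
    key = hashlib.pbkdf2_hmac(
        "sha256",
        master.encode("utf-8"),
        site.strip().lower().encode("utf-8"),  # site name acts as the salt
        iterations,
        dklen=32,
    )
    return base64.b64encode(key).decode("ascii")[:length]


def passwords_for(master, sites):
    """Show that one master secret yields an unrelated password per site."""
    return {site: site_password(master, site) for site in sites}


if __name__ == "__main__":
    # Constructed sample input, not real credentials.
    demo_master = "correct horse battery staple"
    for site, pw in passwords_for(demo_master, ["bank", "webmail", "intranet"]).items():
        print(f"{site:10s} {pw}")
```

Two limits worth knowing before relying on such a calculator: the output alphabet is fixed, so a site that forbids "+" or "/" or demands a specific mix of classes (the complaint raised earlier in the thread) needs an extra mapping step, and a forced periodic change means adding a counter to the site name, which is no harder to guess than the "SOME STRING"1, "SOME STRING"2 pattern if the counter is the only thing that changes.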

Keep it simple (1)

$RANDOMLUSER (804576) | more than 8 years ago | (#13661436)

I use MYCROFTXXX.

tired of remembering all my PINs and passwords (1)

kalla (254222) | more than 8 years ago | (#13661443)

I have to remember at least two PIN numbers for my job, then at least four safe combinations, and then countless computer passwords. It's ridiculous. This sort of thing actually encourages worse security, because there is NO way I am going to be using a different password on every account, so I use the same one on every box. Whenever I am forced to "change the password" I switch to password B. Then the next time, it's back to password "A". And don't get me started on the "must be at least ten characters, use random numbers, letters, at least one capital letter and special character" crap.

I use Password Safe (4, Informative)

alan_dershowitz (586542) | more than 8 years ago | (#13661455)

I use Password Safe [sourceforge.net] on a USB pen drive. It has a master password that it uses to encrypt all my other passwords in a tidy MFC application. In x86 Linux I access it using Wine [winehq.org], which works fine. For my OS X machine, I use pwsafe [dyndns.org], a console app that lets you access Password Safe databases, and dumps the password directly into the X clipboard buffer. (Use the CVS version, the latest regular build can't access the latest Password Safe database format.) I found other Unix Password Safe compatible workalikes to be extremely poor.

This solution works well for me. Just make sure you back up your pen drive.

Simple Method (1)

abscondment (672321) | more than 8 years ago | (#13661456)

I never seem to run into this problem. I have one password, with roughly four levels of complexity. Each version has the same meaning, and as such they're all easy to remember. Which one I use depends on the criticality of the resource it protects, but no matter which one it is, I'm never more than 3 tries away.

Now, when there are policies in effect that enforce password changing and prohibit reuse of old passwords, this presents a problem: it's hard to continue generating new obfuscations of the same phrase.

What about passphrases? (1)

jotok (728554) | more than 8 years ago | (#13661457)

It's a lot easier for me to remember "It was the best of times, it was the worst of times" or "Iwtbot,iwtwot" than some "strong" password (say, 10 characters, case-sensitive, with special characters and numbers thrown in).

Although we'd still have to deal with most of my co-workers using "Git r dun!" as a passphrase...le sigh.

Password Database, Encrypted (1)

Atlantic Wall (847508) | more than 8 years ago | (#13661472)

The best password database storage app I have used is Password Manager by Cp-Lab. It encrypts your passwords with 8 different types of encryption in a small db. Well developed, cheap, allows for custom printing and custom fields. For IT admins this is a must. NOT A SLASHVERTISEMENT: http://www.cp-lab.com/ [cp-lab.com]

I work in web hosting... (2, Interesting)

Skadet (528657) | more than 8 years ago | (#13661473)

In the (California-based!) tech support center. You might be shocked at the number of people who have no idea how security works.

Prime example. When a customer wants to cancel their account, we direct them to an online form which asks for their registration # or domain name and their password to verify their identity. Invariably, the customer forgets their password and when we respond that we can't cancel their account without that information, they ALWAYS ask, "can you tell me my password?"

I am not joking. People call in all the time wanting their login information without being able to verify a thing. By the way, when this happens, there are two options - the "forgot password" form which mails the info to the admin address on record, or providing the billing CC# (you pay the bill, you get the key)

But I digress. Ultimately, the general public couldn't care less about passwords because they don't truly understand their function other than "it gets me where I need to be"

Microsoft Passport (1)

Evil Butters (772669) | more than 8 years ago | (#13661474)

What? You mean you all don't just use Microsoft Passport?

HA! HA!

Re:Microsoft Passport (1)

Skadet (528657) | more than 8 years ago | (#13661554)

I was completely expecting the HA! HA! guy from fark. /don't mod if you don't know what I'm talking about //where'd the ha ha guy go?

johnny mnemonics (1)

Uzik2 (679490) | more than 8 years ago | (#13661483)

Mnemonics make it simpler. Think of a phrase that's important to you personally, such as "now is the time for all good men to come to the aid of their country". For site #1 use the first letter of each word as your password: "nittfagmtcttaotc". For site #2 use the second letter, etc. If the word is short substitute the site number. It can be easily remembered without any paper to prompt you and generates long passwords not findable by dictionary attacks.

I hope they didn't waste taxpayer money on that study.
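The letter-per-site scheme in the post above, written out as an added example (this is not the poster's code, just one way to make the rule mechanical). The phrase and the site numbering are whatever the user chooses; the only assumption here is that "short" means a word that has no letter at the requested position, in which case the site number is substituted, as the post says.

```python
# Added example: deterministic mnemonic passwords from a memorised phrase.
# Site 1 takes the first letter of every word, site 2 the second letter,
# and so on; a word too short for that position contributes the site number.


def mnemonic_password(phrase: str, site_number: int) -> str:
    """Return the password for `site_number` derived from `phrase`."""
    if site_number < 1:
        raise ValueError("site numbers start at 1")
    idx = site_number - 1
    out = []
    for word in phrase.split():
        # drop punctuation so "country." and "country" give the same letter
        letters = "".join(ch for ch in word if ch.isalpha())
        if not letters:
            continue
        out.append(letters[idx] if idx < len(letters) else str(site_number))
    return "".join(out)


def passwords_for_sites(phrase: str, sites: list) -> dict:
    """Number the sites in the order given and derive a password for each.

    The numbering itself is the one thing the user still has to remember.
    """
    return {site: mnemonic_password(phrase, n) for n, site in enumerate(sites, 1)}


if __name__ == "__main__":
    PHRASE = "now is the time for all good men to come to the aid of their country"
    for site, pw in passwords_for_sites(PHRASE, ["slashdot", "bank", "work"]).items():
        print(f"{site:10s} {pw}")
```

Note that the password for site 1 is the only one free of digits: from site 2 onward the short words ("is", "to", "of") start turning into repeated copies of the site number, which shortens the effective alphabet and makes the later passwords easier to guess than the first.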

I'm surprised that nobody has mentioned..... (2, Interesting)

8127972 (73495) | more than 8 years ago | (#13661488)

..... Single Sign-On Manager by RSA. [rsasecurity.com] The IT manager then has the choice of using an RSA SecurID Authenticator, RSA Smart Card, RSA USB Authenticator, a biometric or (god forbid) a password.

Security (4, Informative)

Widowwolf (779548) | more than 8 years ago | (#13661489)

This is why I use a free program called Password Safe (http://www.schneier.com/passsafe.html [schneier.com]). You remember 1 password to login to your safe and then you can see all your entries from there..and as far as I know there is no limit on #1 the entries in each list, #2 the amount of lists you can have..you just have to remember that one password..a definitely good utility for Windows..all you Apple and Linux heads..don't know if it will work for you. It only takes a second to login and you are ready to go.. and when the file that stores them auto encrypts your data..as far as I know no one has broken it..From their front page:

With Password Safe, a free Windows utility designed by Bruce Schneier, users can keep their passwords securely encrypted on their computers. A single Safe Combination--just one thing to remember--unlocks them all. Password Safe protects passwords with the Blowfish encryption algorithm, a fast, free alternative to DES. The program's security has been thoroughly verified by Counterpane Labs under the supervision of Bruce Schneier, author of Applied Cryptography and creator of the Blowfish algorithm. Password Safe features a simple, intuitive interface that lets users set up their password database in minutes. You can copy a password just by double-clicking, and paste it directly into your application. Best of all, Password Safe is completely free: no license requirements, shareware fees, or other strings attached.

Text file with automatic encryption/decription (1)

Gzip Christ (683175) | more than 8 years ago | (#13661490)

Here's my solution... I have emacs set up to automatically encrypt and decrypt files that end in .gpg when I open/save them. It's very handy for safely keeping all my passwords. I use crypt++ [freshmeat.net] and this snippet for my .emacs file:
    ;; make sure gpg on /usr/local/bin is found by Emacs
    (setq exec-path
          (nconc exec-path
                 '("/usr/local/bin")))
    (load-library "mailcrypt")
    ;; transparently gpg-encrypt/decrypt files on save/open
    (setq crypt-encryption-type 'gpg)
    (require 'crypt++)

There's some decent password managers (4, Informative)

Nik13 (837926) | more than 8 years ago | (#13661494)

Too many passwords? Definitely, especially if you work in IT, I have dozens of them to remember... Even for home stuff I got dozens: different forums (web related, IT related, AV related, etc), news sites like /., dozens of online stores, email, etc... It's just too much for my memory, so instead of using the same password everywhere or writing them down or such, I resorted to using a decent password manager. I've picked KeyPass (worth every penny they ask IMHO), but there's lots of others - including some F/OSS ones like KeePass or Oubliette, you can even find a bunch on SourceForge, and they're usually quite simple programs to "tweak or enhance" if they're not exactly like you wish they were (add new cryptos, GUI changes, new features, etc). I've looked at the code of a couple and it was nicely done, good quality code, pretty secure stuff. It would be quite simple to make a basic one from scratch too (using some of the high level languages with very complete libraries and frameworks like we have nowadays), the DPAPI could be useful too.

Ideally it should run without being installed (and without too many dependencies), off a memory stick or PDA for portability. Some browsers have password managers, but it's a partial solution (only good for websites, and only work in this specific browser on this very PC), and I have problems trusting some of them (IE) to keep passwords secure at all.

Not sure what's out there for linux though...
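Several posts above recommend a master-password vault (Password Safe, KeePass, FlexWallet), and the post just above says a basic one is simple to write from scratch. Here is an added example of the minimum such a program has to get right; it is not code from Password Safe, KeePass or any other tool named in this thread. It uses only the Python standard library so it runs offline: PBKDF2 stretches the master password into separate encryption and MAC keys, HMAC-SHA256 in counter mode supplies the keystream, and an encrypt-then-MAC tag is checked in constant time before anything is decrypted, so a wrong master password and a tampered file are rejected the same way. A real tool should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 through a library like `cryptography` instead of the hand-rolled stream construction; the iteration count and file layout here are assumptions.

```python
# Added example: a minimal master-password vault from the standard library.
# Layout of the sealed blob: salt(16) || nonce(16) || ciphertext || tag(32)
import hashlib
import hmac
import json
import os
import secrets
import string

KDF_ITERATIONS = 200_000  # assumption: tune so one unlock costs ~0.5 s
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(master: str, salt: bytes) -> tuple:
    """Stretch the master password into independent encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                             KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """PRF counter mode: block i of the keystream is HMAC(key, nonce || i)."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), "sha256").digest()
        chunk = data[i * 32:(i + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal_vault(entries: dict, master: str) -> bytes:
    """Serialise the entries and return the sealed, authenticated blob."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)  # fresh per seal: never reuse with one key
    enc_key, mac_key = _derive_keys(master, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    header = salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, "sha256").digest()
    return header + ciphertext + tag


def open_vault(blob: bytes, master: str) -> dict:
    """Verify the tag first; a wrong master or any tampering raises ValueError."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault file truncated")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("bad master password or corrupted vault")
    plaintext = _keystream_xor(enc_key, nonce, ciphertext)
    return json.loads(plaintext.decode("utf-8"))


def generate_password(length: int = 20) -> str:
    """What the 'generator' apps in the thread do: draw from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # constructed sample entries, not real credentials
    vault = {"slashdot.org": {"user": "lk3", "password": generate_password()}}
    blob = seal_vault(vault, "correct horse battery staple")
    print(open_vault(blob, "correct horse battery staple"))
```

Two details matter more than the cipher choice. The salt is stored with the file and is random per vault, so a precomputed table for common master passwords does not transfer between users; and the tag covers the salt and nonce as well as the ciphertext, so an attacker cannot swap in a weaker salt without the check failing.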

App on my Palm Pilot (2, Interesting)

f_g_goss (470787) | more than 8 years ago | (#13661506)

I have two apps on my Palm: one generates passwords, another stores them in a "vault" with a master password. Works well especially the password generator. I just select upper/lower/mixed case, alpha characters and how long to make the password string. Copy-paste into the password vault. Done.

I tried reasoning with the IT people (2, Interesting)

TomorrowPlusX (571956) | more than 8 years ago | (#13661509)

I made the argument, some time ago, that instead of forcing us to make new passwords every 45 days ( which is basically a solid way to guarantee weak, easily dictionary-attacked passwords stuck on the monitor ) they should allow us to keep our passwords longer the more complicated they are.

Say, I choose an easily dictionary attacked password with just 5 lowercase letters. Whammo -- I'm told I can use that password for 3 days. So I make a 20 character, non-dictionary password with a mix of letters, numbers, random symbols, etc and I'm told I can keep it for a year.

Seems to me that's a reasonable approach: reward people for better passwords.

Suffice to say, I was told: "No way, we like it as it is"
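The policy argued for in the post above (longer lifetime for stronger passwords) is easy to state but a policy engine needs a number to act on. As an added example, not anything the poster's IT department ran, here is one way to do it: estimate the search space from the character classes and length, reject anything whose letters reduce to a dictionary word even with digit-for-letter substitutions, and map the resulting bit count onto a maximum age. The tier boundaries, the 45-day current policy and the tiny word list are all assumptions; a real deployment would load /usr/share/dict/words or a breached-password list.

```python
# Added example: password lifetime proportional to estimated strength.
import math
import string

# Constructed stand-in for a real dictionary or breached-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon", "slashdot"}

# Undo the usual digit-for-letter substitutions before the dictionary check.
LEET = str.maketrans("0134578", "oieastb")

# (bits below this, days allowed); anything stronger gets the final default.
# Assumption: 45 days is the existing blanket policy the poster complains about.
AGE_TIERS = [(28, 3), (40, 45), (64, 120), (96, 180)]
MAX_AGE_DEFAULT = 365


def estimate_bits(password: str) -> float:
    """Naive search-space estimate: length * log2(size of alphabet used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def is_dictionary_based(password: str) -> bool:
    """True if the letters, raw or de-leeted, form a listed word."""
    lowered = password.lower()
    candidates = {
        "".join(c for c in lowered if c.isalpha()),
        "".join(c for c in lowered.translate(LEET) if c.isalpha()),
    }
    return bool(candidates & COMMON_WORDS)


def max_age_days(password: str) -> int:
    """Days the password may be kept; 0 means it is rejected outright."""
    if is_dictionary_based(password):
        return 0
    bits = estimate_bits(password)
    for threshold, days in AGE_TIERS:
        if bits < threshold:
            return days
    return MAX_AGE_DEFAULT


if __name__ == "__main__":
    for pw in ["abcde", "p4ssw0rd!", "Tr0ub4dor&3", "N7$qL2#vX9!wR4%zB8&m"]:
        print(f"{pw:24s} {estimate_bits(pw):6.1f} bits -> {max_age_days(pw):3d} days")
```

The estimate is deliberately crude: it credits a 20-character string with full entropy even when a human picked it, and it knows nothing about keyboard walks or names. It is enough to make the poster's point concrete, though: five lowercase letters come out at about 23 bits and 3 days, while a 20-character mixed string scores over 130 bits and gets the full year.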

Biometrics not the solution (4, Interesting)

millermj (762822) | more than 8 years ago | (#13661515)

There's a way to exploit just about anything. It's guaranteed someone is going to invent a way to fake a fingerprint or a retina to gain access. At least a password can be changed once guessed. I'd like to see you try changing your fingerprints.

It's easy.. (2, Informative)

slashmojo (818930) | more than 8 years ago | (#13661516)

There's loads of handy password management apps around for all platforms such as..

Revelation [gnomefiles.org] for linux/gnome.

Lots more you can find on http://tucows.com/ [tucows.com] or your favourite software download site..

I have close to a hundred logins stored (encrypted) and gave up trying to remember them all a long time ago.. it's really not an issue with such a program. Just make sure to keep a backup somewhere or you are screwed when your PC dies.. ;)

Password Management Software (1)

binaryspiral (784263) | more than 8 years ago | (#13661517)

FlexWallet or eWallet.

I prefer FlexWallet for all of my passwords. I use more than 30 passwords just for systems I am responsible for accessing. It has a desktop app and a pocketpc version that syncs when docked.

Triple encrypted goodness on the database it uses. Now I just have to remember the password for that.

My System for Passwords (2, Interesting)

under_score (65824) | more than 8 years ago | (#13661519)

I have three "good" passwords upon which I create variants. The three basic passwords all have a pseudo random combination of caps, lowercase, numbers, and punctuation. Then, when I have to change a password due to corporate policy, I simply change a single character so that my password gradually evolves... and stays very memorable. Admittedly, remembering the base passwords in the first place was a bit painful. But so far that I know of in over ten years of use, I have never had a password compromised, including passwords on servers that are publicly accessible. In my own experience, most tech users who are not technically inclined do indeed have very poor passwords: sometimes just their names even. I try to educate people on it but it is hard going. Most people just don't feel that it is worth the bother... and probably from their own perspective, a risk analysis would show they are correct.

My girlfriend does this (1)

AutopsyReport (856852) | more than 8 years ago | (#13661521)

If my girlfriend needs a new password, she doesn't think of something personal to turn into a password, but instead finds objects around the computer (that will usually never stray from it) and uses that as her password. So for example, a Dell Trinitron monitor, her password becomes trinitron. She picks up brand names from things associated with her work area or things around the house, and uses it once. At least the password isn't carried over to different accounts she has, and the password is easy to remember when it's right in front of you. Eventually she memorizes it by constantly having to look for it. Though I wouldn't recommend this technique for the Slashdot crowd -- Playboy is such an obvious password.

Didn't there used to be a keychain fob for this? (1)

mckwant (65143) | more than 8 years ago | (#13661525)

I seem to recall something on thinkgeek or something that had five buttons, and required 5+ keystrokes to validate that you could get into the password file. Then, on the attached LCD display, you'd see your passwords.

Seems like exactly the sort of thing that would be useful in this sort of situation. Anybody else had experience with this gadget, or similar?

What's news? (1)

Tony (765) | more than 8 years ago | (#13661531)

Every few months somebody makes the "discovery" that users can't remember all their various passwords, and that help-desks are swamped changing passwords, usually for the same dozen users that can't remember how to do their own job on the computer, and are always asking for help with some program called "Microsoft," as in, "Oh, I'm using Microsoft, and I need to know how to find out how many departments have gone over budget."

This is the same damned thing that's been going on for almost twenty years. And yes, corporate password policies add to the problem, rather than fixing it. As a superuser, I've been using "God as their password" as my password for years, since I heard that most 1337 h4ck3r6 use "God as their password." I've never been hacked. Or cracked. Or sniffed. Or snuffed. Go figure.

So, this is exactly the same thing they'll find out next year, too.

Can we say "duh"? (1)

phlegmofdiscontent (459470) | more than 8 years ago | (#13661534)

Seriously, I've got maybe 9 email addresses, 3 or 4 different logins at work and dozens of websites with passwords. With the websites, I can have the password manager do its trick, but I'm screwed if I use someone else's PC or if someone uses mine, for that matter. So, I've had to resort to using the same couple passwords for the majority of things and I have to write down my work passwords. Who the hell can remember all of those passwords, especially if they rotate on a monthly (or whatever) basis and have to conform to rigorous password requirements?

I write my passwords down. (3, Interesting)

LionKimbro (200000) | more than 8 years ago | (#13661537)

I write my passwords down in a special location in a special book.

  • You can't look at my password over the Internet.
  • You can't (for at least 30 years) make a robot that will find my passwords.
  • If a server that stores my password is compromised, then it is only that password that is compromised.


I have offloaded Internet security into Material security.

I use a separate password for every forum I care about. My passwords on my personal computers are changed regularly. I can do this, because of my password book. Without it, this would be implausible.

It is conceivable that someone will get my password by taking my book from me, and snapping pictures of the password pages with their cell phone. Very well then, let someone make the $500 airplane trip over here, come into the office, find my book, and then start snapping pictures. Or maybe find me on the streets if it's lunch time, and rip the book out of my backpack. Conceivable.

But I think this is prohibitively expensive for most people. It would be cheaper to hack a website, and get some other guy's password, and see where else the password might be usable.

I think it is less risky to keep a watchful eye on my password book, than to use only a finite number of passwords.

If someone thinks this is wrong, tell me what you do, and tell me why it is more secure. Not what you can imagine doing; Rather, tell me what you really do.

Simple, elegant solution (2, Interesting)

pubjames (468013) | more than 8 years ago | (#13661558)

I saw on a web site somewhere (sorry can't remember where) a simple, elegant solution to this problem, at least when it concerns logging on to web sites.

You have a single password. This password is combined with the domain name and then processed with an appropriate mechanism (e.g. MD5) to produce a unique password for an individual site.

I think that's a great solution and think it should be incorporated into all open source web browsers. The user doesn't even have to know it is happening. Much more practical than biometric solutions.
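The "password calculator" described by jd earlier in the thread and the hash-of-password-plus-domain idea in the post above are the same scheme. This added example (my own code, not the poster's, and not what any particular browser or calculator does) shows it two ways. `naive_site_password` is the scheme exactly as described: MD5 over the master password concatenated with the site name. `derive_site_password` keeps the same user experience but changes three things a practitioner would want: the site label is normalised so capitalisation of the domain does not silently produce a different password, a generation counter allows one site's password to be rotated without touching the master, and PBKDF2 with a high iteration count replaces a single MD5 call. That last point matters because the threat model here is not the calculator being examined but one site leaking its derived password: the attacker then knows the site name and has a fast hash to guess the master against offline. The iteration count, output length and base64 alphabet are assumptions.

```python
# Added example: one memorised master secret, one derived password per site.
import base64
import hashlib


def naive_site_password(master: str, site: str) -> str:
    """The scheme as posted: MD5 over master||site, truncated to 16 hex chars.

    Deterministic and unique per site, but a single fast hash: anyone who
    learns one derived password can test master-password guesses at MD5 speed.
    """
    return hashlib.md5((master + site).encode("utf-8")).hexdigest()[:16]


def derive_site_password(master: str, site: str, generation: int = 1,
                         length: int = 20, iterations: int = 200_000) -> str:
    """Same idea with an iterated KDF, a normalised label and a rotation counter.

    iterations is an assumption; pick it so one derivation costs a fraction of
    a second on the user's own machine and thousands of times that for a
    guessing attacker.
    """
    if length < 1 or length > 40:
        raise ValueError("length must be between 1 and 40")
    # "Slashdot.ORG " and "slashdot.org" must yield the same password.
    label = f"{site.strip().lower()}|{generation}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), label,
                              iterations, dklen=30)  # 30 bytes -> 40 base64 chars
    return base64.b64encode(raw).decode("ascii")[:length]


if __name__ == "__main__":
    MASTER = "one thing to remember"  # constructed, not a real secret
    for site in ["slashdot.org", "example.com"]:
        print(site, naive_site_password(MASTER, site),
              derive_site_password(MASTER, site))
    print("after rotation:", derive_site_password(MASTER, "slashdot.org", generation=2))
```

The remaining weakness is shared by both functions and by every scheme in this thread that derives everything from one secret: a compromised master compromises every site at once, and the user has no way to revoke it except by re-deriving and changing every password by hand. The generation counter helps with one leaked site; it does nothing for a leaked master.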

I hate passwords (0)

null etc. (524767) | more than 8 years ago | (#13661560)

Passwords are too complicated to remember. So are username, account details, etc. That's why I just hack into other people's accounts. Their passwords are much easier.

It was a joke, people.

Some of my pswds (old ones..really) (1)

mayhemt (915489) | more than 8 years ago | (#13661569)

Gx2700 - impossible to guess (the model number of the Dell machine I log on to..)
7940 - imp to guess again..well it's a PIN for our corporate VoIP number...7940 happens to be my Cisco phone model number too..
Fedoracore4 - imp to guess again..(That I'm not telling what it is for...)

Kerberos (1)

PureCreditor (300490) | more than 8 years ago | (#13661573)

Why can't all companies simplify and streamline their system access by using single sign-on systems like Kerberos?

Then they can enforce frequent password change policies (45/90 days) without requiring the user to keep track of a dozen system accesses.

I used to work in a bank that has 2 passwords for the intranet, one for Novell/Windows, 1 for Oracle, 1 for DB2, and about 4 separate Unix servers. gaaaaaaaaaaaaaaaaaaa

Use tokens, and let users pick their passwords (2, Interesting)

m50d (797211) | more than 8 years ago | (#13661577)

If you try and force users to use stronger passwords than they can remember or change them too frequently you'll just get post-its and helpdesk. If their passwords aren't secure enough, get them to use etokens or something similar.