Slashdot: News for Nerds

Spafford On Security Myths and Passwords

ScuttleMonkey posted more than 8 years ago | from the mostly-just-laziness dept.

An anonymous reader writes "In a recent blog post, Eugene Spafford examines password security along with related issues and myths. In particular, he discusses how policies that may not necessarily make much sense anymore end up being labeled 'best practices,' and then propagated based on their reputation as such."

356 comments

fp (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#15194800)

fp Fp FP!!!

Dupe (0, Offtopic)

dadragon (177695) | more than 8 years ago | (#15194808)

If I recall correctly, this has been posted before.

Re:Dupe (3, Funny)

Warg! The Orcs!! (957405) | more than 8 years ago | (#15195072)

If I recall correctly, posts pointing out duplicate posts have been posted before.

Don't believe a word he says (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#15194809)

He is lying through his teeth.

I'm not an activist, and I'm not a cynic. I'm just a person who wants to open students' eyes, minds, hearts, and souls to the world around them. For starters, inasmuch as I disagree with Mr. Eugene Spafford's accusations and find his ad hominem attacks offensive, I am happy to meet Eugene's speech with more speech and, if necessary, continue this discussion until the truth shines. I don't mean to throw fuel on an already considerable fire, but Eugene's apparatchiks believe that everything is happy and fine and good. I say to them, "Prove it" -- not that they'll be able to, of course, but because that fact is simply inescapable to any thinking man or woman. "Thinking" is the key word in the previous sentence. We find among narrow and uneducated minds the belief that Eugene can change his unsophisticated ways. This belief is due to a basic confusion, which can be cleared up simply by stating that teenagers who want to shock their parents sometimes maintain -- with a straight face -- that space gods arriving in flying saucers will save humanity from self-destruction. Fortunately, most parents don't fall for this fraud because they know that Eugene's goal is to pervert the course of justice. How scabrous is that? How pharisaical? How sullen? There are two related questions in this matter. The first is to what extent Eugene has tried to convert houses of worship into houses of fetishism. The other is whether or not if you think that the majority of deplorable, dour pipsqueaks are heroes, if not saints, then you're suffering from very serious nearsightedness. You're focusing too much on what Eugene wants you to see and failing to observe many other things of much greater importance, such as that if you're the type who dares to think for yourself, then you've probably already determined that he dreams of a time when he'll be free to paint people of different races and cultures as devious alien forces undermining the coherent national will. 
That's the way he's planned it, and that's the way it'll happen -- not may happen, but will happen -- if we don't interfere, if we don't punish him for his conceited complaints. Eugene asserts that his rodomontades are a breath of fresh air amid our modern culture's toxic cloud of chaos. That assertion is not only untrue, but a conscious lie.

I am not embarrassed to admit that I have neither the training, the experience, the license, nor the clinical setting necessary to properly provide you with vital information which Eugene has gone to great lengths to prevent you from discovering. Nevertheless, I unmistakably do have the will to view the realms of plagiarism and scapegoatism not as two opposing poles, but as two continua. That's why I claim that I deeply believe that it's within our grasp to offer true constructive criticism -- listening to the whole issue, recognizing the problems, recognizing what is being done right, and getting involved to help remedy the problem. Be grateful for this first and last tidbit of comforting news. The rest of this letter will center around the way that it's possible that he doesn't realize this because he has been ingrained with so much of clericalism's propaganda. If that's the case, I recommend that we bring fresh leadership and even-handed tolerance to the present controversy. Would Eugene like it if I were impetuous and ill-bred, too? I don't think so. If we contradict him, we are labelled effrontive sybarites. If we capitulate, however, we forfeit our freedoms. In case you have any doubts, a great many of us don't want him to make widespread accusations and insinuations without having the facts to back them up. But we feel a prodigious pressure to smile, to be nice, and not to object to his psychotic musings.

I'll let you in on a little secret: if Eugene can one day engage in an endless round of finger pointing, then the long descent into night is sure to follow. He keeps trying to deceive us into thinking that an open party with unlimited access to alcohol can't possibly outgrow the host's ability to manage the crowd. The purpose of this deception may be to withhold information and disseminate half truths and whole lies. Or maybe the purpose is to lash out at everyone and everything in sight. Oh what a tangled web Eugene weaves when first he practices to deceive. To end on a more positive note: The intent of this letter is certainly not hatred, but a probing look into an obviously significant issue.

Password changing (2, Insightful)

mikesd81 (518581) | more than 8 years ago | (#15194811)

I still think changing passwords periodically is a great idea. Even just to keep some cracker on his toes, or in case you accidentally wrote it down or divulged it or typed it in the wrong field and it is in clear text.

You have a more secure system if it's harder to use a password when unauthorized. Especially if the user is an Admin account.

Re:Password changing (5, Insightful)

Psychotria (953670) | more than 8 years ago | (#15194839)

I would expect that if passwords are required to be changed on a regular basis, then that would be more reason to write them down (if they're secure they're probably harder to remember). In this case it would seem that less-regular changing would be beneficial, resulting in fewer passwords being scribbled on pieces of paper and left around on the desk, or in the bin.

Re:Password changing (2, Informative)

mikesd81 (518581) | more than 8 years ago | (#15194849)

But if you can find a way to remember them (ex: 94FE5spd - 94 Ford Explorer 5spd) or if you must write them down, lock them in a desk drawer or lock box or hide them in that secret compartment in the bookshelf, then it's a little more acceptable.

No 94FE5spd is NOT my password for /. :)

Re:Password changing (1)

Psychotria (953670) | more than 8 years ago | (#15194855)

But if you can find a way to remember them (ex: 94FE5spd - 94 Ford Explorer 5spd) or if you must write them down

Yep, I couldn't agree with you more. I do this, and I am sure many others do this, just as I would hazard a guess that many more don't do this and choose a secure password and write it down somewhere. :-)

Re:Password changing (1)

hackwrench (573697) | more than 8 years ago | (#15194884)

I come up with an idea for a password and that idea changes a little bit, so at first I change it a few times until I settle on one remembered version.

Re:Password changing (2, Interesting)

mattkinabrewmindspri (538862) | more than 8 years ago | (#15194969)

"94 Ford Explorer 5-speed" would be a better password, and would be a lot stronger than "94FE5spd".

A sentence would be an even better password, because it's easier to remember, has spaces, capitals, and punctuation.

Re:Password changing (2, Interesting)

c_forq (924234) | more than 8 years ago | (#15194925)

resulting in less passwords being scribbled on pieces of paper and left around on the desk, or in the bin

I still don't see why this is a problem. To me if a person is able to get to where the password is written down that means they can have physical access to the machine (unless the computer is somehow locked inside a desk or something, which isn't very practical). With physical access it would be trivial to hook up a key-logger (I believe one of the OSTG sites, thinkgeek maybe, carries them). Or if you know what you're doing, set up a root-kit.

Re:Password changing (1)

Sique (173459) | more than 8 years ago | (#15195012)

Because there are environments, where physical access to your machine is no problem, and it still shouldn't compromise security (think: large office rooms with several desks). And if you have shared desks, then writing down passwords and keeping them near the computer is a quite bad idea.

Then there is another aspect in server environments: Password recovery always requires a reboot or at least a service disruption, so this is very likely to be noticed by people. Entering a password you just found on a sticky note might go without any notification.

Re:Password changing (3, Interesting)

LordLucless (582312) | more than 8 years ago | (#15195044)

I think the GP's point was that physical access to a machine compromises security by definition. If you have physical access to a machine, you can install a keylogger to find the password (as simple as an inline USB dongle on the keyboard), remove the hard drive and crack at your leisure (a bit more noticeable) or anything in between. Hell, you could just cart off the machine.

If you're in a place where security is sufficiently tight to have mechanisms to prevent this (i.e. security guards) then they're likely to be sufficient to cover the little password notes in the top drawer as well as the machine itself.

Re:Password changing (2, Funny)

MrLizardo (264289) | more than 8 years ago | (#15195062)

The biggest threat to security is often from within the corporation/organization itself. And there's a big difference between being able to walk by someone's desk and see the sticky note with the password on it versus climbing under their desk and putting a key-logger between the system and the keyboard. Think about the following two scenarios:

Scenario 1:
Worker: What were you doing going through the drawers in my desk for while I was away?
Cracker: Sorry. I was looking for a stapler.

Scenario 2:
Worker: What were you doing crawling around under my desk, screwing with my computer?
Cracker: Sorry. I was looking for a stapler.

See, one of these activities is a little more dubious than the other. Also, you don't have to be a 1337 hax0r to be a threat to security. All you have to do is have access to a file/account/system you shouldn't.

Re:Password changing (3, Interesting)

tazan (652775) | more than 8 years ago | (#15194899)

I disagree with his reasoning that the cracking method is obsolete. A couple of years ago I ran our password database through a cracker just out of curiosity. Of course 99% cracked immediately during the dictionary attack, but the ones with odd characters did in fact take over a month to crack. IIRC it took 6 weeks to get all of the users' passwords.

Re:Password changing (5, Insightful)

harborpirate (267124) | more than 8 years ago | (#15195036)

I agree with the article, and not the parent post. Constant changing of a frequently used password is a complete failure in the exploration of logic regarding passwords. It is laziness, plain and simple; the reliance on the folklore of old to tell us what we should do. "Frequent Password Changing Makes a System More Secure" is an old wives' tale.

Over time, even a hard password will be memorized by your average user. This password does not somehow become more insecure over time, because, as the article points out, the largest vulnerabilities are not due to the cracking of passwords, but rather human error, ignorance, and/or incompetence. These should decrease with time. The user should become better educated and better able to remember the password, thus less likely to give it out. Only the chance of human error increases slightly (typing the password in the login box and such). Of the three, this presents the least risk by far, and generally the user is aware of this occurrence and with proper education will know to immediately change their password.

Forcing a user to change a password frequently is likely to only cause them to alter one character (likely the last) in the password because committing another secure password to memory is difficult. This causes both usability and security to be compromised in the same fell swoop. The other option is that they will write the password down or otherwise record it, thus defeating its security. If you've got users with photographic memories who instantly memorize a new hard password every month, you must be the luckiest damn admin in the world.

As the article points out, modern computing and cracking techniques expose vulnerabilities much more quickly, so passwords would have to be changed so frequently as to make a changing password policy useless in many environments anyway.

Caveat:
The opposite is true of Administrator passwords or others which are rarely used. These are generally not committed to memory, and likely documented in some fashion (hopefully they are, or when the admin leaves you're screwed). If they're meant to protect a truly important system, a biometric and/or time sensitive method (such as a synchronized continuously changing key generator) should be used in addition to the password. Changing these passwords with some frequency is a good idea, as it forces someone to ensure the validity of the current password (the account is not locked or disabled) as well as providing the aforementioned small measure of protection against cracking.

Please, stop forcing password changes on user accounts. It's a stupid idea. It serves no purpose other than to ensure the latest user password is written down at every desk.

Rant complete.
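The "alter one character" rotation described in the post above can be caught at change time, because the user supplies both the old and the proposed new password in plaintext at that moment. The following is an added example written for this thread, not code from the post or from any particular system; the threshold MIN_EDIT_DISTANCE, the containment length and the function names are assumptions for illustration.

```python
"""Reject trivial rotations of the previous password at change time.

Added example, not code from the thread or from any particular product.
At change time the old password and the proposed new one are both available
in plaintext (the user types both), so they can be compared directly before
the new one is hashed and stored.
"""
import re

MIN_EDIT_DISTANCE = 3         # assumption: fewer edits than this is "the same password"
MIN_LEN_FOR_CONTAINMENT = 6   # assumption: only flag containment when both strings are this long


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def strip_counter(pw):
    """Remove a trailing run of digits: 'Winter2006' -> 'Winter'."""
    return re.sub(r"\d+$", "", pw)


def trivial_variant_reason(old, new):
    """Return why `new` is a trivial variant of `old`, or None if it is not."""
    o, n = old.lower(), new.lower()
    if o == n:
        return "same password (case-insensitive)"
    if o == n[::-1]:
        return "reversed old password"
    if levenshtein(o, n) < MIN_EDIT_DISTANCE:
        return "differs from old password by fewer than %d edits" % MIN_EDIT_DISTANCE
    # Same stem with a different trailing number, e.g. Winter2006 -> Winter20061
    if strip_counter(o) and strip_counter(o) == strip_counter(n):
        return "same stem with a different trailing number"
    # Old password embedded in the new one (or the other way round)
    if min(len(o), len(n)) >= MIN_LEN_FOR_CONTAINMENT and (o in n or n in o):
        return "old password contained in new (or vice versa)"
    return None


def check_password_change(old, new):
    """(accepted, reason) for a proposed change; call this before hashing `new`."""
    reason = trivial_variant_reason(old, new)
    if reason:
        return False, reason
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Winter2006", "Winter2007"), ("Secret1", "1terceS"),
                     ("Winter2006", "correct horse battery")]:
        print(old, "->", new, check_password_change(old, new))
```

The checks are deliberately cheap and run only on the two strings the user has just typed; they do not require storing old passwords reversibly, which a password-history feature done naively would.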

APG (5, Funny)

wuzzeb (216420) | more than 8 years ago | (#15194812)

I have found that using APG [nursat.kz] is a great way to generate passwords. They are easy to remember since you can pronounce them. For example, I just ran the generation and these are the passwords that popped out. I have found that most users can remember these kinds of passwords.

lewcyHirUx6 (lew-cy-Hir-Ux-SIX)
drywaWrop2 (dry-wa-Wrop-TWO)
ScekGul4 (Scek-Gul-FOUR)
lacWaup7 (lac-Waup-SEVEN)
IphIaft3 (Iph-Iaft-THREE)
glidTevPos8 (glid-Tev-Pos-EIGHT)

Re:APG (1)

MichaelSmith (789609) | more than 8 years ago | (#15194824)

I have found that using APG is a great way to generate passwords

In OpenVMS you can go set password/generate which combines the generation with normal passwd functionality. When I moved to unix I was surprised that you can't do this as standard.

Re:APG (1)

Nutria (679911) | more than 8 years ago | (#15195122)

In OpenVMS you can go set password/generate which combines the generation with normal passwd functionality.

I've been using VMS for 16 years, and never knew that... Now I must hate you forever.

CompuServe had the best password generation policy, which I still follow:
word digit word
Thus, I am able to use easily remembered words, but there is enough variation in combinations that guessing and dictionary cracking is well-nigh impossible.

Re:APG (0)

Anonymous Coward | more than 8 years ago | (#15195145)

CompuServe had the best password generation policy, which I still follow:
word digit word

Nope. This is a relatively weak password generation scheme. Many brute-force attack programs include this scheme in their dictionary attacks: shortword-digit-shortword. Some of them also include combinations with a second digit at the end (or beginning) of the password.

I would advise you to change your policy and add an extra non-alphanumeric character somewhere, or change one of the words to something that is not in a dictionary.

Re:APG (1)

dgatwood (11270) | more than 8 years ago | (#15194858)

Blech. There's no way in H*LL I would be able to remember any of those. They're completely random crap. It's hard enough to remember the twenty-plus passwords I have to keep track of that -I- created -without- somebody forcing me to use bloody line noise for one of them.

Re:APG (1)

ZeroExistenZ (721849) | more than 8 years ago | (#15195156)

There's no way in H*LL I would be able to remember any of those.
After typing a certain randomly generated password a few times, it's engraved in your memory, no?

I find myself unable to "pronounce" most of my passwords, but I remember them without much thinking. (It's more remembering how to move my hands over my keyboard as to actually remember what I'm actually typing.)

It's the same with my PIN codes. I just remember a figure and how to draw it in a certain order. Not the numbers themselves.

MOD PARENT +5 Funny! (2, Funny)

WoTG (610710) | more than 8 years ago | (#15194866)

Uh... yeah, those passwords look easy enough to remember.

Heck, I forgot my 4 digit alarm code about 6 months ago... and you want me to remember how to "spell" glid-Tev-Pos-EIGHT???

Re:APG (1)

woolio (927141) | more than 8 years ago | (#15194870)

Well, maybe YOU can pronounce them!!!!

And for the viewing audience, which one is your root password?

Easy for a Star Trek Fan Maybe... (5, Funny)

Qybylance (641665) | more than 8 years ago | (#15194976)

They do sound an awful lot like planet names... "Scotty, beam me down to Lac Waup 7!" "Can we recover the team on Sek Gul 4?" "The colony of Ip Laft 3 is under Romulan attack!"

Try phrases instead of gibberish (1, Interesting)

Anonymous Coward | more than 8 years ago | (#15195029)

While I like the idea of pronounceable gibberish passwords, an alternative is to use a pass-phrase and then abbreviate it - like so:

I don't trust password generators from Kazakhstan -> Id'tpgfKz
My Birth-Day is February 29th - MB-DiF29th
I like beagle puppies for dinner at 6pm - Ilbpfd@6pm
I like hotdogs for lunch at 12pm - Ilhfl@12pm

Using a phrase like that lets you assign some sort of meaning to the password which can help you recall it in the future. It also lets you use "themed" passwords like the last two, which helps at sites with rapid password expiration - you can remember that for a certain system your password is always about a certain theme, which makes it easier to remember when you have to change it frequently.

Re:Try phrases instead of gibberish (0)

Anonymous Coward | more than 8 years ago | (#15195107)

A problem with password sentences with a theme could be that you can remember the theme (i.e. I like eating some dog thingy sometime during the day) but that it is difficult to remember which variant you used most recently for that particular site.

But you're probably much better at remembering things than I am.

Diceware (3, Interesting)

krunk4ever (856261) | more than 8 years ago | (#15195106)

Another common one is Diceware: http://world.std.com/~reinhold/diceware.html [std.com]

Example

Suppose you want a five word passphrase, as we recommend for most users. You will need 5 times 5 or 25 dice rolls. Let's say they come out as:

            1, 6, 6, 6, 5, 1, 5, 6, 5, 3, 5, 6, 3, 2, 2, 3, 5, 6,
            1, 6, 6, 5, 2, 2, and 4

Write down the results on a scrap of paper in groups of five rolls:

            1 6 6 6 5
            1 5 6 5 3
            5 6 3 2 2
            3 5 6 1 6
            6 5 2 2 4

You then look up each group of five rolls in the Diceware word list by finding the number in the list and writing down the word next to the number:

            1 6 6 6 5 cleft
            1 5 6 5 3 cam
            5 6 3 2 2 synod
            3 5 6 1 6 lacy
            6 5 2 2 4 yr

Your passphrase would then be:

            cleftcamsynodlacyyr

There are also rules on top of that where you can find which character to capitalize and where to add symbols and spaces.
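The manual Diceware procedure quoted above, and the entropy comparison behind the "word digit word" objection a few posts earlier, both come down to a little arithmetic on uniform choices. The block below is an added example for this thread, not code from the Diceware page, from CompuServe, or from any poster; the word list is a constructed stand-in containing only the five entries the quoted rolls need, and the 7776-word dictionary size assumed for the word-digit-word scheme is an assumption for the comparison.

```python
"""Diceware lookup from dice rolls, plus entropy arithmetic for two schemes.

Added example, not code from the thread or from the Diceware project.
SAMPLE_WORDS is a constructed stand-in for the real 7776-word list and
only holds the keys needed for the rolls quoted in the post above.
"""
import math
import secrets

DICE_SIDES = 6
ROLLS_PER_WORD = 5
DICEWARE_LIST_SIZE = DICE_SIDES ** ROLLS_PER_WORD   # 7776 words, one per 5-roll index

# Constructed stand-in word list (real Diceware has all 7776 keys).
SAMPLE_WORDS = {
    "16665": "cleft",
    "15653": "cam",
    "56322": "synod",
    "35616": "lacy",
    "65224": "yr",
}


def secure_rolls(num_words):
    """Roll five dice per word using the OS CSPRNG (secrets), not random.random()."""
    return [secrets.randbelow(DICE_SIDES) + 1 for _ in range(num_words * ROLLS_PER_WORD)]


def rolls_to_key(rolls):
    """Five rolls -> lookup key, e.g. [1, 6, 6, 6, 5] -> '16665'."""
    if len(rolls) != ROLLS_PER_WORD or any(r < 1 or r > DICE_SIDES for r in rolls):
        raise ValueError("need exactly five rolls, each in 1..6")
    return "".join(str(r) for r in rolls)


def passphrase_from_rolls(rolls, wordlist, separator=""):
    """Reproduce the manual procedure: group the rolls in fives, look each group up."""
    if len(rolls) % ROLLS_PER_WORD:
        raise ValueError("number of rolls must be a multiple of five")
    words = []
    for i in range(0, len(rolls), ROLLS_PER_WORD):
        key = rolls_to_key(rolls[i:i + ROLLS_PER_WORD])
        if key not in wordlist:
            raise KeyError("no word for rolls %s in the word list" % key)
        words.append(wordlist[key])
    return separator.join(words)


def passphrase_entropy_bits(num_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of num_words uniform picks from list_size words (about 12.9 bits per Diceware word)."""
    return num_words * math.log2(list_size)


def word_digit_word_bits(dictionary_size, digits=1):
    """Entropy of a word-digit-word password once the attacker knows the scheme:
    two uniform dictionary picks plus the decimal digit(s) in between."""
    return 2 * math.log2(dictionary_size) + digits * math.log2(10)


def expected_guesses(bits):
    """Average number of guesses to hit a uniformly chosen secret of the given entropy."""
    return 2 ** bits / 2


if __name__ == "__main__":
    # The 25 rolls quoted in the post above.
    thread_rolls = [1, 6, 6, 6, 5, 1, 5, 6, 5, 3, 5, 6, 3, 2, 2,
                    3, 5, 6, 1, 6, 6, 5, 2, 2, 4]
    print(passphrase_from_rolls(thread_rolls, SAMPLE_WORDS))
    print("5 Diceware words: %.1f bits" % passphrase_entropy_bits(5))
    print("word-digit-word, 7776-word dictionary (assumed): %.1f bits"
          % word_digit_word_bits(7776))
```

With the same 7776-word dictionary, five Diceware words give about 64.6 bits while word-digit-word gives about 29.2, which is why the dictionary-attack objection in the earlier reply holds: the scheme's strength depends on the attacker not knowing the pattern, and password crackers do.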

Password change policy (4, Insightful)

MichaelSmith (789609) | more than 8 years ago | (#15194813)

We all know that it's stupid. People write it down on post-it notes etc. But when the luser gets hacked he is going to be gunning for the sysadmin, who needs to be able to prove that he is serious about security so that he can put the onus back where it belongs.

That's just how politics work in a corporate environment. People will cover their arses first, do the sensible thing second.

Re:Password change policy (2, Funny)

KiloByte (825081) | more than 8 years ago | (#15194915)

That's just how politics work in a corporate environment. People will cover their arses first, do the sensible thing second.

I'm afraid that you have never seen a corporate environment; otherwise you wouldn't mention "doing the sensible thing".

Re:Password change policy (1)

shawb (16347) | more than 8 years ago | (#15195035)

A lot of people eventually do the second thing... but it usually requires two weeks of notice.

Re:Password change policy (1)

einhverfr (238914) | more than 8 years ago | (#15194957)

Well.... I think the author misses one real reason to change passwords every so often (monthly is good): If a password is compromised, then it is a good idea to have a periodic change so that the compromise may be at least somewhat limited automatically after a period of time. I think that in many environments, a change of a month is reasonable.

This does *not* mean you are necessarily reducing the chance of a break-in. What it does mean is that a break-in is going to be more limited in its impact even if undiscovered, if it relies solely on passwords. In essence this has the effect of increasing the cost of an effective attack that will have an enduring impact.

Re:Password change policy (2, Interesting)

ehrichweiss (706417) | more than 8 years ago | (#15195067)

I only have one question. What if the cracker is the one who gets the "it's time to change your password" message, they change it to something they know and then back again to the original? Think anyone's gonna notice? Depending on the host OS, it could be trivial to exploit a man in the middle attack to acquire the password from that user when they log on, just have a script that checks for a value on a webpage (or a million other things) that you control... if it finds it then it puts the user right back in front of a legit looking logon screen... they re-enter and it emails the result to one of a large list of email addies you have set up. Better check those .*shrc's.

As always, this stuff is for educational purposes only. If you're thinking of doing it, it's probably for illegal purposes so don't blame me if you get caught.

Re:Password change policy (1)

urbanriot (924981) | more than 8 years ago | (#15194997)

... People write it down on post-it notes etc.

Agreed completely. In the "real world", the harder the password you supply a user with, the greater chance it will be recorded somewhere easily accessible by other employees.

In most of my environments, it's quite common to see post-it notes stickied to a monitor with both the login name and the associated password.

In a network environment where file security is paramount and the possibility of corporate espionage exists, then perhaps a strict password policy should be enforced. Otherwise, it's really just silly.

Re:Password change policy (0)

Anonymous Coward | more than 8 years ago | (#15195009)

Not only harder passwords, but *more* passwords. We've pared down the number of passwords lately, but we still have at least six passwords for each employee (not including passwords for accessing HR resources like Benefits, Retirement, etc..). If I had to re-memorize six "hard passwords" every month, they'd be written on a card in my wallet (or briefcase, desk drawer, etc.).

One attack he didn't mention... (5, Funny)

patio11 (857072) | more than 8 years ago | (#15194815)

... getting your server brute-forced by a Slashdotting.

Couldn't agree more on some points (3, Insightful)

tanveer1979 (530624) | more than 8 years ago | (#15194822)

Monthly change policies. They are simply stupid. If your password is inherently weak, such as your car number, date of birth etc., it will be easy to crack. If you throw a monthly change policy at such people they will change their passwords to simple things. The other option is to educate them to choose good passwords, but that works with half the people. Best solution: let the users not choose a password. Let the machine generate random passwords. Then the user can choose out of those random combinations. At a place where I used to work, the web login system on the internal network was set this way. You would click on a button saying "choose new password". Many options would appear and you choose one. If you don't like any of the options you could keep on generating new ones indefinitely. The change policy was that after 1 year you had to get a new password. Perfectly sane and secure. In those random 6-letter words, sometimes easy to remember combinations would appear, like y1pl3t. Remember it as yiplet!

If you don't have the benefit of a machine generator and want to specify something memorable, don't be too obvious. For example you have a poodle named fido (if you do I doubt you would be reading /.). So you can have a password which is easy to crack: fidopoodle. But if you go as pfoioddole or better pf010dd0l3 only you can remember it and guessing it will be almost impossible.

another trick (1)

tanveer1979 (530624) | more than 8 years ago | (#15194836)

Wish I had pressed preview! Anyway, this will work with non-English speakers or if you know a language other than English. Well, best are languages like Punjabi, Hindi, Arabic etc., which are not popular on the web. You can have a word from those languages. Like bh44gj4. This is pronounced as Bhaag Ja. Which means Run away. Long time back I had a password which was t0g4dh4. This means To gadha, or "you donkey".

Re:Couldn't agree more on some points (3, Insightful)

dgatwood (11270) | more than 8 years ago | (#15194873)

Using a generator to force secure passwords may be the most insecure thing I've ever heard suggested to improve security. No, seriously.

If a user has to generate a password, it is something they can at least possibly remember. If a machine generates it, there is a nearly 100% chance that anyone sneaking into 3 out of 4 offices will be able to access those people's accounts using the password reminder neatly affixed along the margin of the user's monitor.

Besides, 99% of security compromises aren't through guessed passwords anyway. They are through either social engineering (25% of people will give up a password when they receive a call that says "Hi, I'm Fred from the IT department, and I need to verify your account information"; try it if you don't believe me), buffer overflow attacks (l33t h4xx0Rz), or physical security compromises (while latency is terrible, it is difficult to overestimate the bandwidth of a pickup truck filled with backup tapes).

Seems to me that, generally speaking, admins are worried about entirely the wrong problems, and while this may help cover their a**es against being blamed for intrusion a bit, it does little to improve actual security.

Re:Couldn't agree more on some points (1)

tanveer1979 (530624) | more than 8 years ago | (#15194945)

It will be the most insecure thing if people are writing down their passwords. I suggested choosing an easy to remember combination which can be guessed by nobody but you. For example h4r4m1. In an office environment it's social engineering, but with the internet spreading you form a parallel identity. Somebody could hijack that identity and cause you a lot of grief. Case in point. http://news.google.com/news/url?sa=t&ct=:ePkh8BM9E2IFGm_AIgSzKgkkUGLAituezDwjgWL1DQKJ3Pxeu2LZfMLctqkCAEoGDEE/2-0&fp=444d618030161f0b&ei=5sVNRN-THb_uHPjSyegK&url=http%3A//timesofindia.indiatimes.com/articleshow/1495553.cms&cid=0 [google.com] http://news.google.com/news/url?sa=t&ct=:ePkh8BM9E2IFGm_AIgSzKgkkUGLAituezDwjgWL1DQKJ3Pxeu2LZfMLctqkCAEoGDEE/1-0&fp=444da6352b89004c&ei=CMZNRKrXHaqKHIOsif4K&url=http%3A//economictimes.indiatimes.com/articleshow/1495644.cms&cid=0 [google.com] Now he may have posted those messages himself, or his account may have been cracked. Now if it's the latter, his laxness with his computer security has led to events which may change his life permanently. More often than not such attacks take place due to weak passwords or security. Having a m/c generated password will save you against dictionary attacks at least!

Re:Couldn't agree more on some points (1)

iabervon (1971) | more than 8 years ago | (#15194967)

I think IT departments concerned about security should make it a stated policy that they will try to find out your password, and, if they succeed, they'll reset it and prevent you from ever using that one again, and you have to figure out yourself that it's been changed, and ask them to let you set it to something you know. That would quickly make people a lot more resistant to social engineering and less likely to write passwords down or choose obvious ones. It would also show that the IT department is doing something about password security, since they'd occasionally catch people revealing their passwords and enforce the policy.

(Obviously, they wouldn't use their special IT abilities, like being able to install keyloggers on people's computers, but anything that an arbitrary employee would be able to do without being too obvious or causing damage is fair game.)

Re:Couldn't agree more on some points (1)

gbobeck (926553) | more than 8 years ago | (#15195082)

Using a generator to force secure passwords may be the most insecure thing I've ever heard suggested to improve security.

I agree. I believe that trusting an algorithm to produce a "random" password is foolish because it is at best "pseudo random". The passwords generated aren't always good. In any case, all passwords can be brute forced given enough time and firepower.

Besides, 99% of security compromises aren't through guessed passwords anyway

I would also add escalation of privileges, backdoors, and of course, stupid administrator tricks (the "hey, no one would want to hack us... we aren't important enough" or "telnet, wtf uses telnet... we are safe!" kind of tricks).

Re:Couldn't agree more on some points (3, Funny)

cyborch (524661) | more than 8 years ago | (#15195102)

... there is a nearly 100% chance that anyone sneaking into 3 out of 4 offices ...

... 99% of security compromises ...

... 25% of people ...

In other news: 87.3% of all surveys are made up on the spot.

Absolutely true (5, Insightful)

Chairboy (88841) | more than 8 years ago | (#15194825)

I worked at a company that rolled out increasingly stringent password policies. It got to a point where the passwords required upper and lower case characters, numbers, non-alpha numeric characters, and (this is the kicker) were required to be changed every few weeks.

I asked around, and gradually discovered that most of the people I worked with had (after months of diligently trying to adhere to this policy properly) begun writing their passwords down at their desks.

Writing. Their. Passwords. Down.

It's like this well-intentioned security policy had short-circuited itself and put the company in a position far worse than it had been before the reforms. None of the people involved were bad; in fact, I worked with a fine bunch of people who really cared about security and individually had great ideas for making the company safer, but when they were all implemented simultaneously: Ka-BLAM.

A security policy cannot be a list of best practices, it has to be a designed holistic plan that takes into consideration the very human nature of the people it is protecting.

Re:Absolutely true (1)

crossmr (957846) | more than 8 years ago | (#15194864)

I've seen forums that try to implement ridiculous password requirements. Not anything fancy, your standard web forum for Joe User requires that you have upper and lower case letters, that you include numbers, but the password can neither begin nor end with the number, that the number has to be 8 characters long and prime, if it's a Tuesday it won't let you enter your password while wearing blue shorts, and other absolutely pathetic stuff. You're a web forum.. about cheese. Seriously you don't need security this tight.

Re:Absolutely true (1)

Vo0k (760020) | more than 8 years ago | (#15194901)

Login: bugmenot
Password: Bugm3n.+
Reminder: http://www.bugmenot.com/ [bugmenot.com]

Re:Absolutely true (1)

shmlco (594907) | more than 8 years ago | (#15195010)

FYI: A company I know of that relies on user registrations automatically flags email addresses, usernames, and passwords that contain anon, bugme, spam, asd, sdf, and other key words. Most such accounts are automatically closed.

Re:Absolutely true (0)

Anonymous Coward | more than 8 years ago | (#15195061)

I used to do business with that company untill the implemented that policy.

Sincerely,
Spamsdfbumeasdanon Smith

Re:Absolutely true (1)

shmlco (594907) | more than 8 years ago | (#15195114)

"... untill the [sic] implemented that policy..."

Yeah, it's obvious you're in their primary demographic.

Re:Absolutely true (1)

MichaelSmith (789609) | more than 8 years ago | (#15194872)

had begun writing their passwords down at their desks.

The ITS department where I used to work had a similar policy. One time I had to get a file or something from one of the civil engineering teams. The team leader was out but one of his staff knew the algorithm they had decided on for the password. It was something like initials+year+month.

I write passwords down... (3, Funny)

cirby (2599) | more than 8 years ago | (#15194881)

Well, they *look* like passwords.

They're not actually *to* the systems they're next to, but it's funny how long some baby cracker-d00d will just sit there and keep fiddling with them, trying to get them to work.

Re:I write passwords down... (2, Interesting)

MichaelSmith (789609) | more than 8 years ago | (#15194891)

it's funny how long some baby cracker-d00d will just sit there and keep fiddling with them, trying to get them to work.

Maybe honeypots will become a standard security thing. The password will always work but it won't get you anywhere useful.

Re:Absolutely true (2, Insightful)

Barnoid (263111) | more than 8 years ago | (#15194898)

I asked around, and gradually discovered that most of the people I worked with had ended up (after months of diligently trying to adhere to this policy properly) writing their passwords down at their desks.

Writing. Their. Passwords. Down.

It's like this well intentioned security policy had short-circuited itself and put the company in a position far worse than it had been before the reforms.


If the people able to see your password are trustworthy, this is not necessarily only a bad thing. Firstly, you can write your password down without posting it to the monitor, and even so, a remote attacker still can't see your post-it notes on the screen.

In my lab, I don't worry about co-workers knowing passwords of their colleagues. I'd rather have them write it down if it withstands a brute force attack on the SSH/webmail interface.

Re:Absolutely true (0)

Anonymous Coward | more than 8 years ago | (#15194908)

Posting as AC.

As an onsite tech admin who rotates through many companies (I'm a rentable IT guy) I just visited a client today who had diligently recorded every password for the network, his account, the admin account, and his wife's account all in a paper folder that he referenced along with the network diagram and configuration.....

And his biggest concern was about physical theft of his server / hard drives. Someone could walk in, photo copy a piece of paper, and walk out and then copy the files at leisure.

Re:Absolutely true (0)

Anonymous Coward | more than 8 years ago | (#15194975)

People where I work are starting to write password*s* down when corporate IT announced the new password policy:

* password has to be at least 12 characters

* has to contain upper and lower case letter, number, special character and no word

* must change every 3 months

* must not repeat or be similar to the previous 12 passwords you have used

* and we have another system that we also have to use, which takes at most 8 characters and does not allow special characters and is case-insensitive, the system also requires a different user ID from other systems, which happens to be case-insensitive but the user ID has to be at least 6 characters

* and there is yet another system that we also have to use at the same time, which takes case-sensitive letters, numbers as password, and depending on the version of that system, some of them limit the maximum length of passwords to 8.

And people have started writing down passwords.

Re:Absolutely true (3, Informative)

Beryllium Sphere(tm) (193358) | more than 8 years ago | (#15195016)

>Writing. Their. Passwords. Down.

The part which should horrify you is the At. Their. Desks. part. If the paper with their password is in their wallet, protected as well as their ~$100 in cash, and especially if it doesn't have other login details on it -- well, some places need more security than that but not all. At that point the paper with the password on it becomes a strange kind of hardware token.

Even the At. Their. Desks. part should be kept in perspective. You should close attack paths on general principles of course but remember that anyone standing at the person's desk has physical access. Physical access gives you a lot of other worries though all of them require more motivation than reading somebody's password does.

Advice on passwords (4, Insightful)

Brandee07 (964634) | more than 8 years ago | (#15194827)

Advice my dear mother gave me a long time ago:

Passwords are like toothbrushes; change them every three months and don't share them with your friends.

With that said, I'd like to argue the point made by the article about periodic changing of passwords. He gave the (not so) hypothetical situation of a password being typed in a login box where someone might see it. This actually happened in my high school, and then we had the admin password to every computer in the lab. And had that access until the last of us graduated. While periodic password changing won't protect you from a serious hacker, it will save you lots of grief from more petty mischief, especially if the person who has your password is clever enough to not let you know that he has it.

Re:Advice on passwords (4, Insightful)

dgatwood (11270) | more than 8 years ago | (#15194897)

Yeah, but when is the last time you saw ANY software that actually echoed passwords to the screen? Basic security says that this should never occur. Unless you're really good at reading keystrokes, that isn't a real concern.

Even if that's a real concern, the password shouldn't be typed in where someone can watch your fingers. In a lab, it might be of -slight- risk. In a private office, it basically is zero.

Thus, from this we can deduce that the #1 most serious security hole a company can have is the use of cubicle farms. :-)

No, seriously. It is.

Re:Advice on passwords (2, Funny)

raftpeople (844215) | more than 8 years ago | (#15194928)

It happened to me. I was logging onto some box after having passed through a few different operating systems on various boxes to get there, when I keyed in my password the damn thing got echoed back to the screen and the person behind me started laughing (it was one of those passwords you wouldn't tell your mom about!).

Re:Advice on passwords (1)

dgatwood (11270) | more than 8 years ago | (#15194947)

Heheheh. At least it was something so offensive that you'd know it if anybody found it out. :-)

Anyway, this is why I make it a point to only connect via ssh anymore. Telnet had lots of those issues (and was usually in the clear anyway).

Re:Advice on passwords (1)

loqi (754476) | more than 8 years ago | (#15194934)

No, seriously. He's talking about the cleartext username box.

Re:Advice on passwords (5, Insightful)

wfberg (24378) | more than 8 years ago | (#15194948)


Yeah, but when is the last time you saw ANY software that actually echoed passwords to the screen? Basic security says that this should never occur. Unless you're really good at reading keystrokes, that isn't a real concern.


The problem lies with badly designed operating system/windowing system software that allow windows to grab focus. No window should be allowed to programmatically, without user intervention, pop to the foreground and get focus (whether it's a pop-up ad or any sort of dialogue). Unfortunately, this happens all the time. Windows applications especially love to pop up messages, dialogues, windows, and all allow you to quickly (without noticing) press OK and continue typing your password in plain sight in the application that just hijacked your focus! XP's "prevent applications from stealing focus" doesn't always work, and never works if an application happens to be spawning in the background (like during startup, which might be a good time to enter a password into PuTTY's Pageant for example).. *sigh*

Re:Advice on passwords (1)

noidentity (188756) | more than 8 years ago | (#15194959)

"Passwords are like toothbrushes; change them every three months and don't share them with your friends."

I like to be thorough so I go even further by asking around to be sure my passwords aren't the same as anyone else's.

Re:Advice on passwords (4, Funny)

wildsurf (535389) | more than 8 years ago | (#15194987)

Passwords are like toothbrushes; change them every three months and don't share them with your friends.

Passwords are like toothbrushes. Don't get too enameled with yours, or it'll cause a dentin security and may even expose your root.

Re:Advice on passwords (1)

Zantetsuken (935350) | more than 8 years ago | (#15194995)

and that you don't share it with the dipshits that are going to visit half the porn sites on the net (who knows, maybe that would be fine if the system got so overloaded with spyware?)

Merits of the one password per site policy (4, Interesting)

Beryllium Sphere(tm) (193358) | more than 8 years ago | (#15195031)

Porn sites, in fact, were Bruce Schneier's idea for large-scale password theft. A crook could send out spam advertising a free porn site, simply requiring a no-cost signup. Umpteen suckers sign up, they choose umpteen passwords, some fraction f uses the same password for everything, and your "porn site" has just accumulated f*umpteen valid passwords and associated IP addresses.

Re:Advice on passwords (1)

LarsWestergren (9033) | more than 8 years ago | (#15195015)

Advice my dear mother gave me a long time ago:
Passwords are like toothbrushes; change them every three months and don't share them with your friends.


That is great advice! Your mother works with security I take it?

myth #1 (0)

Anonymous Coward | more than 8 years ago | (#15194834)

writing passwords down is not secure. This is untrue, Sticky Notes now has a special invisible ink mode.

I don't need to REMEMBER passwords on sticky notes (1, Informative)

crazyjeremy (857410) | more than 8 years ago | (#15194841)

An old company I was with found out how many users forgot their passwords & the stats for password resets with the Help Desk (passwords usually account for more tickets than anything). Upper management didn't like the number of tickets for passwords, so they told people to start using family names for their passwords and suggested they put all the passwords on a sticky note near their desk "in case they forgot".

My Rule of Thumb (4, Insightful)

QuantumG (50515) | more than 8 years ago | (#15194846)

I tell this to every sysadmin that turns on 100% of the annoying features of enforced password change policies:

      "You have to balance security with convenience."

Otherwise people will just circumvent your security by changing their password twice (or 10 times), resulting in the same password they started with, or just write their password down.

Re:My Rule of Thumb (1)

bhima (46039) | more than 8 years ago | (#15194924)

Years ago a new admin saddled us with ridiculous & onerous password requirements and when numerous people complained and wanted an explanation the official party line was that it was up for discussion. So more or less instantly they alienated anyone with any tenure and passwords have been on post-it notes on desks ever since. Because we have no input in these sorts of decisions most of us feel like it's not our problem. When the story broke about people giving their passwords to strangers who asked for them in the lobby (for a chocolate) the general consensus around here was despite the fact that we all knew what was going on, if our backups were up to date we'd give our passwords to anyone for the asking... again it's not our problem (once the data for your project is backed up).

And in a real sense, in our environment, passwords are nearly useless. In order to open the door to the building you either have to have a keycard or have the security man to let you in. To get into the lobby you have to have a keycard or an escort from security. To get to my department you have to pass through two more secured doors, the door to my lab requires a keycard and the door to my office requires a real key. By then if you are there and you shouldn't be you are starring in Mission Impossible and a small thing like me having a password with 12 alphanumerics (1 capitalized) and 1 symbol isn't going to slow you down much.

So like I said some person in the lobby asking for passwords is a stooge for the IT group and they better have good chocolate.

Re:My Rule of Thumb (1)

jonwil (467024) | more than 8 years ago | (#15195008)

In my workplace (which shall remain nameless), to get into the building during normal hours you need a photo badge passcard.
To get in after hours, you need a photo badge passcard and a PIN.
I also have an individual key to my desk to keep any confidential paper or other physical materials secure plus several different access passwords for different parts of the system (email, login, corporate intranet, other locations), all of which have to be changed periodically.

Without passwords, there would be nothing to stop cleaners (who all have the same photo badge passcard access as I do), repair guys or even other engineers (I work in software development) accessing your machine and pretending to be you to steal confidential information or cause other problems.

Re:My Rule of Thumb (1)

Beryllium Sphere(tm) (193358) | more than 8 years ago | (#15195057)

Your keycard should be your login token.

The technology is available.

The real myth about passwords is that they still make sense. Passwords are dead. Passwords that can hold up to a good cracking program are outside the memory capacity of normal people. (I memorized a 10-word Diceware [diceware.com] passphrase with 129 bits of entropy once, but that only proves I'm abnormal).

Your employer would improve both their security and your convenience by letting you have a hardware login.

Re:My Rule of Thumb (1)

jonwil (467024) | more than 8 years ago | (#15195000)

What about systems that remember every password you ever use (or remember so many that it's unfeasible to go to one you used before)?

pass PHRASE (3, Insightful)

Tumbleweed (3706) | more than 8 years ago | (#15194871)

Doesn't anyone remember the 'pass phrase' thing from awhile back? You know - less complex but much longer passwords, so they're secure but easy to remember? "The quick fox jumps over the lazy brown dog" type of thing (though that should probably not be allowed :)

Just please, NO biometrics.

Re:pass PHRASE (4, Interesting)

Vo0k (760020) | more than 8 years ago | (#15194883)

> Doesn't anyone remember the 'pass phrase' thing from awhile back?
> "The quick fox jumps over the lazy brown dog"

Way too long to type.

> D'tart'pp;tfawb?
> Tqfjotlbd

Passphrase-based passwords (take each first letter, caps and semigraphics retained) are a good option.

Thank you! (1)

Pfhor (40220) | more than 8 years ago | (#15194958)

Thank you!

I have been looking for ways at new password generation for system administration, and that is brilliant. Throw in some l33t speak for number / letter swaps and the suggestion you mentioned is golden.
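Vo0k's first-letter rule and Pfhor's number-for-letter swaps, worked through as an added example (this is not code from the thread): acronym() keeps the first letter of each word together with any punctuation attached to it, leetify() applies a substitution table that is my own assumption (any fixed table works as long as the user remembers it), and brute_force_bits() sizes the character-class keyspace of the result. The phrases are constructed for illustration.

```python
import math

# Assumed "l33t" substitution table; only lower-case letters are swapped so
# the capitalisation of the acronym still carries information.
LEET_TABLE = str.maketrans({"a": "4", "e": "3", "i": "1",
                            "o": "0", "s": "5", "t": "7"})


def acronym(phrase: str) -> str:
    """First alphanumeric character of every word, case preserved, plus every
    punctuation character of the word in place ("Don't" -> "D'", "dog?" -> "d?")."""
    out = []
    for word in phrase.split():
        kept_letter = False
        for ch in word:
            if ch.isalnum():
                if not kept_letter:
                    out.append(ch)
                    kept_letter = True
            else:
                out.append(ch)
    return "".join(out)


def leetify(password: str) -> str:
    """Swap selected lower-case letters for look-alike digits."""
    return password.translate(LEET_TABLE)


def brute_force_bits(password: str) -> float:
    """Keyspace, in bits, for an attacker who knows only the length and which
    character classes (lower/upper/digit/other) occur.  This is an upper
    bound: against acronyms of well-known phrases an attacker who enumerates
    quotations and lyrics does far better, so the phrase must be your own."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33          # printable ASCII punctuation
    return len(password) * math.log2(size)


if __name__ == "__main__":
    for phrase in ("The quick fox jumps over the lazy brown dog",
                   "Don't panic; it's only a test!"):
        pw = acronym(phrase)
        print(f"{phrase!r}\n  -> {pw} ({brute_force_bits(pw):.1f} bits)"
              f"\n  -> {leetify(pw)} ({brute_force_bits(leetify(pw)):.1f} bits)")
```

The digit swaps add only a couple of bits under the character-class model; keeping the punctuation of the phrase adds more, and neither helps if the source sentence is one an attacker would put in a phrase list.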

Re:Thank you! (1)

Vo0k (760020) | more than 8 years ago | (#15195055)

For better remembering effect and to help your imagination at 'inventing' the passphrases have it "written" somewhere around the workplace. Use a sentence from a cover of some user's manual, writing on some poster, "safety regulations notice" or such lying around. Just sit at given computer and look around for some text. If you feel especially rude, swipe the text right from the login screen, like from the standardised footer of the login page with a copyright notice and such :) Especially helpful if you give the password with explanation to the user. "You don't need to write it down, it's written RIGHT HERE already." Steganography rules ;)

He's wrong (1)

gvc (167165) | more than 8 years ago | (#15194877)

There was never any rational basis for rotating passwords. Spafford's 70's rationale is amusing but bogus.

Re:He's wrong (2, Interesting)

honkycat (249849) | more than 8 years ago | (#15194979)

I think you're right -- even if you assume it takes a month for the systematic password search on the mainframe to try every password combination, changing your password doesn't help much.

It does buy you a tiny bit, if they are actually trying every combination. Suppose it takes them two months to try every combo and after one month, your password is still unknown. They are now guaranteed to have it within the next month if you do not change it. If you do change it, then there's a 50% probability that you change it to something in the half they've already tried. It's not hard to work out the expected time to compromise, and you will find that there is some way to maximize it by changing your password at just the right rate.

However, it's a pretty minor benefit. Furthermore, if they are doing anything less than checking every single password, then I'd bet it actually buys you nothing at all. The difference is because in that case, they're not guaranteed to guess your password after a fixed time interval.
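The expected-time-to-compromise calculation from the post above, carried out as an added example (not code from the thread). The model is an assumption that matches the post: a sequential brute-forcer walks a keyspace of N candidates in a fixed order without restarting, and the user replaces the password with a fresh uniformly random one every k guesses. expected_guesses() gives the closed form and simulate() checks it guess by guess.

```python
import random


def expected_guesses(keyspace: int, rotate_every: int) -> float:
    """Expected number of guesses until the sequential attacker succeeds.

    Within one rotation window the attacker tries `rotate_every` distinct
    candidates, so the window succeeds with probability rotate_every/keyspace
    and the successful guess is uniform inside it.  Each window sees a fresh
    password, so windows are independent and their count is geometric.
    The sum simplifies to keyspace - rotate_every/2 + 1/2.
    """
    if not 1 <= rotate_every <= keyspace:
        raise ValueError("rotate_every must be between 1 and keyspace")
    n, k = keyspace, rotate_every
    expected_windows = n / k                    # mean of a geometric(k/n)
    return (expected_windows - 1) * k + (k + 1) / 2


def simulate(keyspace: int, rotate_every: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo estimate of the same quantity, one guess at a time."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        password = rng.randrange(keyspace)
        guesses = 0
        while True:
            candidate = guesses % keyspace      # attacker's next candidate
            guesses += 1
            if candidate == password:
                break
            if guesses % rotate_every == 0:     # user's scheduled rotation
                password = rng.randrange(keyspace)
        total += guesses
    return total / trials


if __name__ == "__main__":
    n = 1000                                    # toy keyspace
    print(f"never rotating (one full sweep): expect {(n + 1) / 2} of {n}")
    for k in (n, n // 2, n // 10, 1):
        print(f"rotate every {k:>5} guesses: expect {expected_guesses(n, k):7.1f}"
              f"  (simulated {simulate(n, k, 2000):7.1f})")
```

Under this model rotation removes the attacker's guarantee of finishing within one sweep, but the expected cost only climbs from (N+1)/2 towards N, and it reaches N only in the degenerate case of changing after every single guess. Against a dictionary attacker who tries likely passwords first, a rotation to another human-chosen password buys even less than this.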

Admin passwords, generating passwords, passphrases (1)

Acer500 (846698) | more than 8 years ago | (#15194885)

Several comments actually:

1- What's the usually accepted frequency of changing the admin password where you work? I work in a Microsoft shop, and there are way too many systems that have the password hard-coded (yes, I know that should not be), and every time we change it everything breaks down, bringing down the wrath of upper management (the very same upper management that pushes for more frequent changes and more stringent password policy).

2- Another company I know of forced so many frequent changes that users started generating short passwords with an incremental number (d00D$001, d00D$002, d00D$003), making them easy to guess once you learn one (but complying with the password policy otherwise). Is that acceptable? (no I did not read TFA)

3- There was a nice article on Microsoft on passphrases and how they are so much better than passwords. Has anyone had a good (or bad) experience with that?
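The incrementing-password pattern from point 2 (d00D$001, d00D$002, ...) is what a "must not be similar to previous passwords" rule is meant to catch. As an added example (not code from the thread or from any product), here is a similarity check that flags a candidate if it equals an earlier password after case-folding, shares its stem once digit runs are collapsed, or is within a couple of character edits of it. The sample passwords are constructed.

```python
import re


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute), standard two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def stem(password: str) -> str:
    """Collapse the parts people bump between rotations: digit runs and case.
    'd00D$001' and 'd00D$002' both become 'd#d$#'."""
    return re.sub(r"\d+", "#", password).lower()


def too_similar(candidate: str, history, max_edits: int = 2) -> bool:
    """True if the candidate is a trivial variation of any password in history."""
    for old in history:
        if candidate.lower() == old.lower():
            return True
        if stem(candidate) == stem(old):
            return True
        if levenshtein(candidate, old) <= max_edits:
            return True
    return False


if __name__ == "__main__":
    history = ["d00D$001", "d00D$002"]          # constructed sample history
    for candidate in ("d00D$003", "D00d$001", "Tqfj07lbd"):
        print(f"{candidate:>10} vs {history}: {'rejected' if too_similar(candidate, history) else 'accepted'}")
```

Two practical limits: a history stored as hashes cannot be compared this way, so the check is normally run only against the current password, which the user types in at change time; and seasonal patterns ("April", "Summer07") are not edits of each other and need a separate wordlist check.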

Re:Admin passwords, generating passwords, passphra (1, Insightful)

Anonymous Coward | more than 8 years ago | (#15194970)

Not reading TFA is like not bothering to unzip, not bothering to point at the porcelain, just letting go in your pants.

Sure, it saves time, but everyone gets to see the big old wet patch.

Picture Passwords (5, Interesting)

Metabolife (961249) | more than 8 years ago | (#15194887)

I always thought the picture based passwords shown here [bbc.co.uk] were a creative way of making passwords.

Basically you click a few spots on a random image, and next time you login, you have to pick those same spots again. Forget remembering your password.

Shoulder surfable. (3, Insightful)

loqi (754476) | more than 8 years ago | (#15194946)

You ever wonder why password fields don't echo the actual characters back to the screen?

Auto change? (0, Redundant)

posterlogo (943853) | more than 8 years ago | (#15194919)

Wouldn't it be simple to set the system to automatically request a password change from the user at manageable intervals? I know it's a "shove it down their throat" approach to security, but if it works...

Then again, changing passes too frequently causes people to forget them and they end up writing them down, which might be worse. I dunno, it's a tough nut to crack. Need something unique to the person... biometric, RFID, retinal scan, brain wave scan, etc.

Re:Auto change? (1)

mikesd81 (518581) | more than 8 years ago | (#15194939)

Biometric has gotten big lately, and personally I like it. Hell, I think I even saw a commercial where a car company incorporated it into their doors (Lexus?). You can't really get someone's DNA or whatever and crack with it..unless you're a clone I suppose.

I haven't seen too much biometric stuff for Linux though, other than servers/stations that come with it built in out-of-box.

Re:Auto change? (2, Interesting)

Zantetsuken (935350) | more than 8 years ago | (#15195007)

I think Lenovo is starting to sell a lot of finger-print-biometric-scanner notebooks now, it seems to be one of their big selling points for business buyers - not sure if it would work under Linux, but if its something where you have to scan your finger before it gets through with BIOS it oughta be something embedded into CMOS or some other part of the motherboard, in which case I would think it would still work whether you run Windows or Linux on it...

Re:Auto change? (1)

mikesd81 (518581) | more than 8 years ago | (#15195030)

Right, but how many people password a BIOS?


The bio read before the computer boots up is great, but what about timed logouts during ssh sessions?

Passwords? (5, Interesting)

bm_luethke (253362) | more than 8 years ago | (#15194923)

The last supposed "high security" place I worked (Oak Ridge National Labs) had a pretty sane password scheme - computer generated every 6 months or year (too long ago, I do not remember now). They generated a big list and you picked one so you could get one you could remember. It was good combination of stuff, not really something that was attackable by a dictionary and they watched external requests pretty hard (and most of the service providers did also).

But, the problem was that every single hack/intrusion we knew of (either on our machines or lab wide) had nothing to do with password and all to do with users desktops on SSH key management. Everyone wanted symmetric keys so they never needed to type a passphrase of password. No one wanted to mess with keeping their computer updated. So once one computer was violated nearly all in the lab were - even those of us who tried to patch and watch were brought down by what the users demanded. We were really damned when an offsite place (say a university) was weak and a user had symmetric keys installed.

That ended up being a VERY difficult issue to educate on - it's a fairly abstract idea. Very very very few of the people there were unintelligent but few were educated enough in that field to even really understand the issues (no reason why a chemist should understand key management any more than I should know how carbon rings react in some random environment). Password management is pretty obvious, heck many of us even had "secret" clubs in elementary school that did similar stuff. However strong encrypted keys tend to be something different, offering the ease of no password and the security of really strong ones (when done correctly). It takes some amount of knowledge to "get it" along with thinking about having the private keys stored in unsafe places.

*shrug* I think that password management (in secure business processes) is becoming much less important. Even hotel reservation systems are mostly moving over to SSH and key management. For logging into your credit card service? SSH key and passphrase is great. For much of business practice, as SSH and similar type things become the standard password management this is MUCH more important. Right now we are horrid in that area of education.

Fewer articles about password management, if it has not been beat into your head by now you are a lost cause. Let's spend some time on key management and other security issues that are becoming MUCH more useful.

I've (unfortunately) forced this on users before (3, Insightful)

Corbets (169101) | more than 8 years ago | (#15194954)

From a comment I just made on Spaf's blog....

I've mandated rotating passwords before. My thought was that I knew my users shared passwords over time (oh, I need to use your computer for a few minutes, but your screen is locked) so by forcing a change I was hoping that if a person left the company they wouldn't retain access to anyone's accounts. However, the better solution in that case would have been termination for people who shared passwords and/or forcing all users (only about 15-20 in the company) to change passwords every time someone left.

And of course, there are times in larger companies where I simply got told by those higher up that passwords would be rotated.

Re:I've (unfortunately) forced this on users befor (4, Insightful)

tbird81 (946205) | more than 8 years ago | (#15195013)

You'd fire people for sharing a password??

Seriously, what's more important to the company: people logging in as another employee, or actually having employees with morale!

Who cares if people use the same password. I've worked in a hospital where everyone shares passwords, and in a lab where everyone's password was the same. (Won't say where, but it happens everywhere)

There's nothing worse than a stupid nerdy geek telling people off for following some geekhole paranoid rule that has only minimal risk in real life. Like the telltale at school who takes all the rules literally, without trying to understand their purpose and the spirit behind them.

Re:I've (unfortunately) forced this on users befor (3, Insightful)

Corbets (169101) | more than 8 years ago | (#15195045)

Yes, I would fire people for that. I'd fire people for any intentional violation of corporate policy. It's one thing if you don't know, it's another if you choose to break the rules, especially after repeated warnings. I've often found that people who break little rules will occasionally break big ones - like those kids in school you mentioned, those who tell little lies will from time to time tell a whopper.

It's an issue of trust, not to mention security (why bother with multiple user accounts at all if people are going to have access to all accounts anyway?).

Being able to trust your employees leads to them being able to trust you (and yes, vice versa, I'm aware of that implication). This in turn creates an atmosphere with good employee morale.

There's nothing worse than a ./er trying to insult someone and having to pull from his own life example of being that poor little geeky kid that nobody liked....

Password "best practices" are counter-productive. (3, Informative)

Symphonix (901135) | more than 8 years ago | (#15194960)

The company I work for enforces a lot of these password "best practice" rules. Most of our systems require passwords to be exactly 8 characters long, containing one digit but not in the first or last position, and must be changed every month. I'm certain this only makes things less secure, as users have a tendency to use even dumber and less secure passwords under these rules. For instance, if you instruct ten thousand users to change their password every month, then at least 500 of them will have "APRIL" or "APR" in their password at this very moment - even if you expressly forbid them to do this. Having complicated rules like "You must use 8 characters, including a digit in the middle" means that helpdesk staff often need to explain to the user several times what their password can be, and what they might or might not be able to have. When the average luser is now spending 3 minutes asking helpdesk - quite loudly in a crowded office - whether "BENJIDOG4" is a good password or not - then you've instantly lost the security of the password. Would it be more secure to let the user set a password without any requirement for it to contain numbers, or is it more secure to include the requirement and have every second user holding a long and loud discussion with everyone around them about what they're putting in and why won't it frickin work?

Re:Password "best practices" are counter-productiv (1)

mark-t (151149) | more than 8 years ago | (#15194980)

There are two dangerous policies that they implement.

One, the requirement that passwords be exactly 8 characters long. A minimum length specification is fine, but it shouldn't be the same as the maximum.

Further, changing every month is too often. You end up with people having to write them down because they don't have time to get used to any one. I'm all for changing passwords regularly, but that's waaaaay too often. On average, I think the ideal number of times that you should change a password is maybe 4 times in one year.

Re:Password "best practices" are counter-productiv (0)

Anonymous Coward | more than 8 years ago | (#15195059)

I used to work for a banking institution, that had a similar policy.
8 characters, had to have a special character somewhere in the middle, change every month, last 20 passwords cannot be re-used.

The result: Post-It notes with password written on them on most monitors or at least under keyboards.

Re:Password "best practices" are counter-productiv (1)

rainman_104 (591178) | more than 8 years ago | (#15195112)

One, the requirement that passwords be exactly 8 characters long. An minimum length specification is fine, but it shouldn't be the same as the maximum.

To elaborate... 8 characters long reduces the number of permutations a password can have. Brute force attacks take less time because of this password policy. Minimum good, but forced length will take considerably less time.

Further, changing every month is too often.

No kidding, especially when the warning comes 15 days in advance. That means you have 15 days of nagging and 15 days of quiet time. I can't stand that 30 day password rule. I do what another poster said - cycle through passwords five times until I get my same password again.
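The keyspace arithmetic behind the last few posts, as an added example (not code from the thread): ranged_length_bits() shows what a fixed length costs compared with a length range, exact8_inner_digit_bits() counts the passwords that survive Symphonix's "exactly 8, one digit, not first or last" rule (assuming a case-insensitive 26-letter alphabet, which is my assumption), and diceware_bits() reproduces the 129-bit figure Beryllium Sphere quoted for a 10-word Diceware passphrase.

```python
import math


def ranged_length_bits(alphabet: int, min_len: int, max_len: int) -> float:
    """log2 of the number of passwords with length min_len..max_len over an
    alphabet of `alphabet` symbols; an attacker has to cover every length."""
    return math.log2(sum(alphabet ** n for n in range(min_len, max_len + 1)))


def exact8_inner_digit_bits(letters: int = 26, digits: int = 10) -> float:
    """Exactly 8 characters, at least one digit, no digit first or last.
    First and last positions are letters; the middle six may be anything
    except all letters."""
    middle_any = (letters + digits) ** 6
    middle_no_digit = letters ** 6
    return math.log2(letters * letters * (middle_any - middle_no_digit))


def diceware_bits(words: int, list_size: int = 7776) -> float:
    """Entropy of `words` words drawn uniformly from a Diceware list
    (7776 = 6**5 entries, one per five-dice roll)."""
    return words * math.log2(list_size)


if __name__ == "__main__":
    print(f"exactly 8 chars, 36-symbol alphabet, no rule : {ranged_length_bits(36, 8, 8):5.1f} bits")
    print(f"exactly 8 chars, digit-in-the-middle rule    : {exact8_inner_digit_bits():5.1f} bits")
    print(f"8 to 16 chars, 95 printable ASCII            : {ranged_length_bits(95, 8, 16):5.1f} bits")
    print(f"16 chars only, 95 printable ASCII            : {ranged_length_bits(95, 16, 16):5.1f} bits")
    print(f"10 Diceware words                            : {diceware_bits(10):5.1f} bits")
```

Allowing longer passwords adds far more than the digit rule takes away, and the digit rule costs about a bit while telling the attacker exactly where not to bother looking.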

Re:Password "best practices" are counter-productiv (1)

pryonic (938155) | more than 8 years ago | (#15195064)

Do you work for RWE Npower? We have exactly the same policy on the client site I'm working on at the moment and it drives me mad. Pretty much everyone I know writes their password down, and it's always a pain to think of a new one. Even though I try to be security conscious I only have about three passwords, and I rotate them myself, and occasionally change the upper/lower case or the number. The old policy of changing every 3 months worked much better.

Re:Password "best practices" are counter-productiv (0)

Anonymous Coward | more than 8 years ago | (#15195078)

As a sysadmin, it's always a red flag with me when the idea (password changes, use of 'root', etc) is being sold as a 'best practice'. I almost feel it's the equivalent of 'blah blah blah', used when a person can't be bothered to present meaningful dialogue.

If it's a best practice, it should be referenceable. I want page and source.

We knew this already. They don't. Won't change. (1)

jthill (303417) | more than 8 years ago | (#15195076)

TFA:
In summary, forcing periodic password changes given today's resources is unlikely to significantly reduce the overall threat -- unless the password is immediately changed after each use.
Security is one of those things that complete ignoramuses believe they understand without benefit of thought or experience. ~Just make it too hard~. Experience says there is simply no reaching these people. I can actually find some sympathy for them: the least whiff of an implication that their existing security policies were wrong is politically all but intolerable.

Requirements... (4, Funny)

Vo0k (760020) | more than 8 years ago | (#15195087)

A real error message from a real e-store registration, denying access for a customer who entered his actual, legit personal data:

"Your surname name is too short. Surname must be at least 4 characters long."
