Forgot your password?
typodupeerror
Security

Users feel Password Rage 388

Posted by CmdrTaco
from the hulk-no-can-log-in-hulk-smash-puny-pc dept.
Pcol writes "The Baltimore Sun is reporting on Password Rage, the frustration users have with the abundance of codes they are required to memorize. Some cope by remembering their passwords with the help of a tune or a phrase, some use three or four levels of passwords with the most complex protecting financial information, and others keep all their passwords in a database - protected by a password. Security experts say that with the increased use of biometrics, our reliance on passwords will lessen in the future. Until then, it's ok to cheat - but wisely."
This discussion has been archived. No new comments can be posted.

Users feel Password Rage

Comments Filter:
  • by Anonymous Coward
    yup. that's my password.
  • USB keys (Score:5, Interesting)

    by chrysalis (50680) on Sunday September 07, 2003 @09:52AM (#6892495) Homepage
    USB keys are really neat to store keys (PGP, SSH, etc) .

    This is definitely the handiest way to replace multiple passwords.
    • I agree they are great until you find yourself at a machine that won't accept it (e.g., web kiosk).

      Personally, I use 5 passwds, 8 chars long, alpha + numeric + non-alphanumeric. The more sensitive the information being protected, the less frequently a particular passwd gets used.

      I haven't been cracked yet.

      That I know of. :)

      • Re:USB keys (Score:4, Interesting)

        by gl4ss (559668) on Sunday September 07, 2003 @10:36AM (#6892689) Homepage Journal
        and you should trust the computer you stick that stick in anyways.

        one guy i used to know had a system (5-7years ago?) of cycling passwords on his computer, so that if somebody find out one of the passwords it didn't really help the thief shit, banks use this type of system frequently.
    • Re:USB keys (Score:4, Interesting)

      by neglige (641101) on Sunday September 07, 2003 @10:02AM (#6892543)
      If you have a PDA, use a software to store the (encrypted) passwords. And make damn sure your PDA won't get stolen :)
    • Re:USB keys (Score:5, Interesting)

      by TCM (130219) on Sunday September 07, 2003 @10:23AM (#6892632)
      How does this protect malware to read it off your USB stick _and_ use it? Right, you protect your private PGP key with.. a password!

      The only thing that comes to mind that's even remotely sophisticated is an "intelligent" USB stick, so to speak. It contains your private key and never gives that out to anything. Instead, it gets fed a challenge, encrypts it using the key and sends it back to the computer where the corresponding public key is stored.

      Is anyone using something like this on a regular basis (for his home server/desktop)?
      • Re:USB keys (Score:5, Informative)

        by curious.corn (167387) on Sunday September 07, 2003 @10:43AM (#6892715)
        those are smartcards you are talking about. They contain a small general purpouse microprocessor and special storage for OS and data. Once locked, data cannot be read out of the device but only used within the programs stored within. It appals me that those things aren't ubiquitous and/or used for POS C/C systems. Some cryptalalysts managed to weasel some data out of them only by physically interfering with the operating device to cause program execution failures (heating or EM interference). Still much safer than a crummy magnetic strip and a numeric code.
    • Re:USB keys (Score:3, Funny)

      by vidnet (580068)
      USB keys are really neat to store keys (PGP, SSH, etc)

      I not only store my PGP and SSH keys on them, I also store my USB keys, that way I don't have to drag them around. Of course it collapses on itself and leaves a little black hole, but I just use it to dump cans and candy wrappers.

  • Wallet (Score:5, Interesting)

    by spoonist (32012) on Sunday September 07, 2003 @09:53AM (#6892499) Journal

    Store then in your wallet like Bruce Schneier [counterpane.com] does.

    Note: I don't store mine in my wallet, so keep your hands to yourself!

    • Re:Wallet (Score:5, Interesting)

      by amcguinn (549297) on Sunday September 07, 2003 @10:40AM (#6892707) Homepage Journal

      And check his reasons for doing it: A wallet is a secure container for things you don't want to lose or have stolen. If I lost my wallet, the handful of medium-high importance passwords I would compromise would be among the least of my worries.

      Using the same passwords for multiple different services is much more dangerous, and no-one could possibly memorise unrelated secure passwords for everything needed. I need about 20 just to do my work, and I'm usually required to change one or two of them every week.

      The worst was my office voicemail. I rarely used it, and the required password change frequency was set so high that it demanded a new password every single time I tried to pick up a message. The end result was I turned the fscking thing off as it wasn't worth the effort to use.

  • by JessLeah (625838) on Sunday September 07, 2003 @09:54AM (#6892500)
    I had an ex-boss-- the CEO of a dot-com-- who simply hated passwords. Her solution? Set up all of our workstations without a password at all, or with the same password, which never changed. (The password was the name of the company.) This was in an office in New York City, which we shared with other companies.

    Apparently, this hatred of passwords had even spread so far as the techs-- when I joined the company, I almost immediately found that one of our three servers (running Windows (NT 4.0 Server), no less, had NO Administrator password whatsoever.

    Users simply do not understand why passwords are important. They are completely unaware of the concept of a bad password (say, "apple") being cracked by a dictionary attack, and then being used as a stepping stone to gain root (at which point it's all over). I run a Web host myself, and I constantly have to explain to users why good passwords are important. And this problem has gotten much worse with time (at present my company is 5 years old).

    People generally have the attitude of "Oh, who would try breaking into my account, I just have some photos of my cat there." Maybe so, but if your account has a one-word password, and you have shell or FTP access to the system, Bad Things could happen if your account was compromised...

    And then, of course, the techs (us!) would get blamed.
    • by reachinmark (536719) on Sunday September 07, 2003 @10:07AM (#6892565) Homepage
      Banks in Sweden are currently running a new BankID system. You can use this to access several government facilities, including submiting claims for sick leave and possibly in (the future) voting, over the internet. The password protection? Your certificate must be unlocked with a password that is at least 12 but at most 16 characters, of which at least 3 must be digits, and 4 alphabetical characters. Oh, and you can't simply repeat a word two or three times - they check for that. The end result? A password so annoying difficult to remember that of course everyone has it written on a post-it note by their keyboard.

      Now THAT gives me password-rage.

      • Post-it notes by keyboards don't bother me so much, unless they are on mission-critical accounts, in situations where untrusted individuals (e.g. janitors, or the public, as in the case of someone who works at an Internet Cafe/public library/school) can get to them.

        What bothers me is when users use passwords like "sophia" or "pears" or "1952" and then expect ME to safeguard their accounts... AND to make matters worse they have zero clue about the risks they are placing OTHER accounts in by doing so.
      • by DNS-and-BIND (461968) on Sunday September 07, 2003 @10:37AM (#6892692) Homepage
        Hear, hear.

        Fascist password policies annoy the living fuck out of me for two reasons. First, they give petty power pushers an ever-so-delightful way of punishing their users. Second, they don't freaking work because nobody can remember the passwords and they simply write them down and post them to the monitor. I'm as security-aware as anyone here, and I've done that before with irritatingly difficult passwords, only I keep them in my wallet instead of on my monitor.

        I have a number of web-based email accounts and message board aliases, and for most of them I use the same password, easily guessable by Jack the Ripper or equivalent. It would give your average BSD admin a shitfit, but you know what? Fuck 'em. I have better things to do than pleasing anal-retentive system administrators. Been there, done that, didn't keep the trial issue or the free gift.

    • I just have some photos of my cat there.

      I've found that the best argument to this is to say that it does not matter what can be taken from you, but what can be done in your name by breaking the password. If the account is compromised anyone could send mail in your name or use your account to store illegal material.

      Trying to explain about root access and such things will be met by a blank stare, It's more effective to talk about the drawbacks of being discovered with someone else's child pornography in

    • Yes but the flip side of that is that if users have hard to remember passwords eg tyGDgh6y - then they can often forget them (and be forever ringing up). Web servers should have procedures in place to at least slow down dictionary attacks anyway....
    • Speaking of phobia, can anyone seriously explain the need to periodically change passwords?
      If your password is good and you haven't given it out to anyone, what is the point of changing it? I mean, if the password is non-crackable via dictionary attack why change it to a different non-crackable password?
      • by CommieOverlord (234015) on Sunday September 07, 2003 @10:37AM (#6892695)
        Because no password is uncrackable. One issue about cryptography is that things don't have to be uncrackable, so long as by the time they are cracked it is irrelevant.

        If it's possible to crack your password in 7 months but you change it every 6, then the cracked password is useless. If you never change your password it can always be cracked.
        • I agree, but in order to be cracked over time, the attacker must either have a copy of the encrypted password (ex: copy of passwd file) or allowed to attempt access indefinitely without detection (ex: login with no delay, no log of failures).

          In the first case, if the encrypted password can't be obtained in the first place, what does the attacker have to work with?

          In the second case the only way I see for the attack to be successful is if access to the software is given such that a brute force attack is

          • If it is possible brute force a a password crack (either because the cracker has a copy of the encrypted password or because they are allowed to repeatedly try passwords), then changing passwords frequently is required for security. Yes, it really does matter.

            Let's pretend you have a password for a system and a cracker gets ahold of the encrypted password. The cracker has to spend x time decrypting the password. If you change you password halfway through, then the password the cracker gets is now invalid.
      • "Speaking of phobia, can anyone seriously explain the need to periodically change passwords?"

        As time goes by, the probability the password has been compromised increases: The password was shared with a coworker who needed access, the storage location of the plaintext password (the place you wrote it down) was compromised, et cetera.

    • From "Outside the inner circle"
      The book gets into details of the 'bad things' that could happen.

      Some quick answers:
      "Why would anyone want my account I just post pictures of my cat"
      "Becouse some people are jerks, Some people hate cats, Some people hate FTP and some people can "make better use" of your account by distributing illegal or imortal matereal such as pirated software, MP3s, child porn or plans for bombs.
      Then you take the blame."

      "It's just an FTP account what could anyone possably do with that?"
      "B
    • by E_elven (600520)
      The problem most people have with passwords is that they try to *remember* them. That's alright for, oh, four to six passwords for a more technically oriented person, but unfortunately a lot of people are not technically oriented and/or have more than six passwords.

      Solution? As with computers, the human brain is an interesting device; and there are always ways around things. I, therefore, propose using a proxy for storing passwords: the motoric memory.

      I always use 10-16 character passwords, rule is at le
  • by LostCluster (625375) on Sunday September 07, 2003 @09:56AM (#6892514)
    Why not use a simple password manager program such as the popular Gator... uhm, er, uhm, maybe that's not such a wise idea!
    • While Gator is a very very very very bad idea, ordinary password managers installed on computers is a bit of a bad idea in itself.

      It only takes one keylogger that snaps your passphrase, and then a malicions person will have access to all your stored passwords.
      Password managers reduce the security of all your systems to one single point of failure, and if that point is a Windows machine, your passwords are not safe enough.

      This doesn't mean that password managers are bad in general, but they have to be a bi
  • by NetDanzr (619387) on Sunday September 07, 2003 @09:57AM (#6892519)
    I keep my passwords on small post-its, stuck to the edges of the monitor. Even though I must admit that recently I had to upgrade to a larger monitor because I ran out of space...
  • Keychain (Score:3, Informative)

    by Macgoon (608648) on Sunday September 07, 2003 @09:58AM (#6892520)
    Built into every Mac is a utility called Keychain that remembers all your passwords for you. Of course you can get add-ons for Windows that give the same functionality for a price...
    • Of course you can get add-ons for Windows that give the same functionality for a price...

      Or you can encrypt all your passwords with pgp for free. Works fin for me on at least 5 OSes: Linux, Windows, Mac, Unix and BSD.

    • by mnemonic_ (164550) <jamec AT umich DOT edu> on Sunday September 07, 2003 @12:16PM (#6893367) Homepage Journal
      I've never used Keychain so I'm not exactly sure what it's functionality is like. Many months ago an article in 2600 magazine informed me of "password bag" applications, software that stores multiple passwords in a file which is only accessible through a master password. Perhaps this is somewhat like Keychain?

      One such application for Windows is Password Safe [sourceforge.net]. It is free and open source. It stores all of a user's passwords in an encrypted database that is accessed with a "safe combination" (just another password). It then displays a table of all the stored accounts with accompanying usernames (it does not display the passwords by default). The user double clicks an entry and the corresponding password is copied to the clipboard. It can also generate passwords with some options to set their parameters (only uppercase letters, use symbols etc.).

      I've been using Password Safe for several months and have found it incredibly convenient and well designed. Since it never actually displays the passwords on the screen, I can use it in public environments, and the encrypted database file can be easily transferred using a floppy.

      P.S. I've found it unwise to use a different password for everything, relying of Password Safe for each one. I've now switched to using different passwords for things involving money, and for stuff like slashdot, gamespy and various messageboard accounts using a single password.
  • Old Problem (Score:4, Interesting)

    by R2.0 (532027) on Sunday September 07, 2003 @09:58AM (#6892522)
    Former job: had access to 3 different database systems and the Lan. Passwords had to be changed every month, and no repeats were allowed for 6 months.

    Result: ALL my systems used the same password, and it was of the form [lastname+sequential 2 digit number]

    I was in blatant violation of the password policies, but they were unworkable. Policy was: different passwords for each system, composed of a random string of letters, numbers, and sysmbols. Add in changing it every month, and you get the picture.

    And BTW - everyone on site, even the IT dept., did it the way I did.
    • Re:Old Problem (Score:4, Insightful)

      by LostCluster (625375) on Sunday September 07, 2003 @10:03AM (#6892550)
      Overly tight security rules lead to Type II security errors... the kind where the people who are supposed to get into the system can't. As a result, people start circumventing the rules, which ends up weakening that overly tight security... oops.

      People who make the rules need to think a little more sometimes.

    • Re:Old Problem (Score:2, Interesting)

      by Anonymous Coward
      I feel your pain, I've been there. When I took charge of our network, things changed quite a bit. I implemented the scheme recommended in the NSA guides [conxion.com], where you force a change every 90 days and disallow repeating of the last umpteen passwords (don't remember the exact number offhand). The theory is to encourage strong passwords by giving them enough time between changes so the users don't feel like they're having to remember a new password every other day. Our users are much happier, and they actuall
    • I've dealt with situations like this before.

      You weren't the only one who treated it like you describe. I think many people used their basic password, followed by a two-digit number - often the month of the year.

      The end result was that for many users a minimum password length of, say, 8 characters became a 6-character password, with a trivially-guessable two-digit suffix.

      So the IT rules being enforced actually made things less secure.
    • Former job: had access to 3 different database systems and the Lan. Passwords had to be changed every month, and no repeats were allowed for 6 months.

      Result: ALL my systems used the same password, and it was of the form [lastname+sequential 2 digit number]

      This is precisely why at one of my former clients, where security was really tight, sysadmins were forbidden from using password expiry options. The reasoning was that if people have to remember too many passwords and renew them every month, they're too

  • use a token (Score:5, Interesting)

    by neglige (641101) on Sunday September 07, 2003 @09:59AM (#6892524)
    For those really secure passwords, I look around in my office, pick a token, and use something from it as a password. Could be the ISBN number from my favourite book. Could be a book title. Could be the favourite track on a CD (or the MD5 sum of your favourite MP3). The model of your monitor. Anything. It's unlikely you will forget which token you used and what from that token you took as a password. If you really forgot, just take a look around, and you'll remember.

    This assumes, of course, that there are passwords that you only need at work, and not at home (and vice versa). It's a start, though, and reduces the number of password you really need to memorize.
    • Great idea! Until you lend out your CD....
    • Just to clarify, you're not reducing the number of passwords you need to remember, you're just using your environment around you to help you remember your passwords. It's just another memory trick to help you remember stuff, much like pneumonic devices.
  • by Blaine Hilton (626259) * on Sunday September 07, 2003 @09:59AM (#6892526) Homepage
    This article goes back to the never-ending argument about usability vs. security. I admit that I want my cake and eat it to, but there is no reason why we can't have both. Biometric devices are becoming more and more common. However, many of the systems I use are SGI Irix, and plain Linux systems that currently do not have any biometric support. Although Windows has many solutions, starting at only $99.

    Until biometrics become more mainstream people should check out those cheap USB key chain mini drives. They work okay, but I still find them a pain to use.

    • Until biometrics works flawlessly too.

      If your password is LSKdfSLJ, if you get it wrong, it's human error until you type it right. If you use a fingerprint scan, it has to do more work to figure out that your finger isn't perfectly aligned with the picture. Just like OCR.

      Yeah, most people have many fingers and toes, but until it becomes infalable, getting locked out of your work machine on a daily basis, or 10% of the time, would make your workday a lot longer. Think of the time you waste on slashdot d
  • by Lieutenant_Dan (583843) on Sunday September 07, 2003 @09:59AM (#6892530) Homepage Journal
    I think the enraged users would benefit from the years of experience contained within the Open Source developer community. Their impartial review of all password would facilitate the password creation password. By providing a publicly-available password list and the application of such password, users would be able to leverage off the peer-review methodology with is quite popular in Ukraine.

    The Open Source developers would also be granted much quicker access and approval to systems that they deemed important to their project work. This would improve fund generation and IP (Intellectual Property) sharing which are some of the stumbling blocks in current academic circles.

    Only when we improve the texture-layer vortex shading in the Matrox drivers can be unleash the full potential of quad-monitor Parphelia configuration.

    Which is nice.
  • A few thoughts (Score:5, Interesting)

    by arvindn (542080) on Sunday September 07, 2003 @10:01AM (#6892536) Homepage Journal
    OnceUponATime, I used to have a password dictionary for download, here's the thoughts on passwords I'd written on that page:
    Humans are horrible at selecting and using passwords. We have to live with passwords, however, since no other authencation mechanism is good enough to find use outside niches. (Let's face it: when humans interact with computers, we still have to go more than halfway to meet them.) We keep forgetting passwords, because we aren't really good at remembering lexical/numerical data. There are three things people to about this: write passwords down, choose weak passwords and choose the same password for several unrelated accounts. All of these are bad. Very bad.

    Choosing the same password for different accounts is particularly bad. I imagine script kiddies have well-maintained databases of username:password pairs going around. (If they don't, at least the NSA has one.) I remember reading somewhere about how someone could easily acquire a sizeable list of username:password pairs. Set up a website offering free porn. No popups or other annoyances, but require users to create an account before being able to access much. Get word out about your site. Bingo. There you go.

    A lot of websites store their users' passwords as plaintext. If crackers were consceintious enough to update a centralized list every time a website got cracked, I suppose anyone who uses the same password everywhere can be more or less certain that the black hats have got it.

    I'm guilty of reusing passwords myself. I use one of only about 3 or 4 for accounts on random websites, but at least I use different ones for the machines on which I have any data that matters. The alternative of remembering all your account:password pairs is simply too much work. Browsers that fill in your password for you alleviate the problem somewhat, but if you browse from a lot of different accounts its still a pain.

    As a sysadmin there is nothing much you can do about users writing down passwords or reusing them (except perhaps lecturing), but you can ensure that they don't choose weak passwords.

  • Biometrics (Score:3, Interesting)

    by rikun (704741) on Sunday September 07, 2003 @10:01AM (#6892538)
    Biometrics do seem to be the solution to this problem. The problem in itself is PATHETIC, people who put no password or easy ones deserve to be hacked, or deserve to be fired, or whatever happens. It's not THAT big of a hassle.

    Anywho, there are already some biometrics hardware out for people to buy, if no one has seen it yet: http://www.thinkgeek.com/computing/input/keyboards /5f11/ [thinkgeek.com] plus ThinkGeek has an iris recognition camera, and a stand-alone fingerprint authenticator. The only real problem is that they're all $100+, and I'm not quite sure if all of those people are willing to pay that much money to rid themselves of a problem that can be so easily fixed for free.

    I can't say I'd mind biometrics getting cheaper and then doing that, though... heh.
  • by Herrieman (167396) on Sunday September 07, 2003 @10:02AM (#6892540) Homepage
    Biometrics on it's own is still one-factor, and thus weak, authentication. To make it strong authentication, you still have to add:

    - something you have (such as a token) or
    - something you know (such as a password or pin :))

    • Biometrics still have a lot of basic advantages over passwords.

      Today:

      [Informed cracker dials front desk]

      Cracker: Hi, this is John in Support. We're having a problem with your account, could you just confirm the ID and password you use to log in so I can fix it up?

      Clueless front desker: Sure, I type johndoe and the password is "reindeer flotilla".

      Cracker: Great, thanks. I'll fix your account up right now, and you shouldn't see any difference from usual once it's done.

      Next year:

      [Informed cracker

  • Silly... (Score:5, Interesting)

    by mraymer (516227) <.mraymer. .at. .centurytel.net.> on Sunday September 07, 2003 @10:02AM (#6892544) Homepage Journal
    Memorization is one of the easiest skills that the human brain is capable of. I think a lot of the frustration with passwords (and computers in general) is simply due to users lacking confidence.

    Ever notice that the people who always forget passwords are the same ones that, when presented with one, will say "I'll never remember that!"

    Granted, some people have better memories than others, but a little more confidence couldn't hurt. When a person says "I'll never remember that" they're basically choosing not to.

    • Re:Silly... (Score:5, Interesting)

      by Zachary Kessin (1372) <zkessin@gmail.com> on Sunday September 07, 2003 @10:29AM (#6892665) Homepage Journal
      Problem is we are good at memorizing paterns. And patterns are easy to guess. When Richard Feynman tried to crack the safes at Las Almos he found that a very large number of them were set to 31 41 59 or 27 18 28 (pi and e). We are good at memorizing things because we expect to find paterns, which is makes it easy to attach the password.

      Now if you are cleaver you can change things just enough, or say put in letters of two langages. But most people just pick something stupid and go with it.

      I will admit to having a throw away password, that I use when I need a password for something I don't care about.
  • Experts (Score:2, Funny)

    by Muttonhead (109583)
    Security experts say...

    I never thought I'd hear that on Slashdot.

  • Where I work, we (the IT department) realize the problems associated with overloading everyone with passwords, but our clients require us to do it. When you lose a multimillion dollar account if you don't make even the lowliest secretary have three different long, random passwords, there's not much you can do about it but just be understanding when employees forget their passwords.

    I imagine it's a long process of finger pointing all over the corporate world, though. The bottom line is that this just mi

  • Spreadsheet (Score:4, Funny)

    by sms (130675) on Sunday September 07, 2003 @10:04AM (#6892553)
    I keep all my passwords in a spreadsheet. The spreadsheet is passworded. That password is the concatenation of all my passwords so it's hard to break into and if I forget a password, all I have to do is.....hmmmm, wait.....
  • Have a Palm? (Score:2, Informative)

    by acceleriter (231439)
    If so, your problem's solved [zetetic.net]!
  • by Serapth (643581) on Sunday September 07, 2003 @10:06AM (#6892563)
    I dont so much mind managing the dozen or so passwords I have to memorize... namingly because I get to pick them. What I cant get over is our damned voicemail system!!!

    First off... the damned thing expires every 3 weeks, secondly, it remembers your last 10 or so entries and wont allow you to repeat them. Also, the damned thing does pattern recognition... Ironically, the most secure thing I have is my phone at work right now! ;)

    Its gotten so bad, probrably half the phones at work have their voicemail password sticky noted to the phone. Weakest link is always the user, eh?
    • I have to agree. It is the user that contimually supports web sites, .zip files, system logons, voicemail systems, corporate intranets and so on all of which perpetuate the password issue.

      Perhaps a discussion of boycott will motivate web designers and other developers to consider picture matching and other forms of authentication and help do away with the over-passwording...

      Then the end user will stop supporting poor interface design, and cease to be the (second) weakest link.

  • by yeti-graf (218334) on Sunday September 07, 2003 @10:07AM (#6892569)
    One guy I worked with set his password to "Viewsonic" so that whenever he forgot it he could just look at his monitor.
  • Two Words... (Score:2, Informative)

    by MesiahTaz (122415)
    Apple Keychain

    Now I only have to remember 2 or 3 different passwords. Keychain does the rest of the thinking for me.
  • by iapetus (24050) on Sunday September 07, 2003 @10:11AM (#6892583) Homepage
    Build a system for generating passwords from other information that's easier to remember. Books and their authors. Songs. Quotes from your favourite movies. American Football players. It's easy enough to build a quick and easy set of rules for which letters should be capitalised, where numbers should appear and so on. And it's a hell of a lot easier for me to remember that my root password is American Pie than it is to remember that it's dm7aO2Eg, or that my password for the database server at work is One Week rather than bl31eOWs. There's a huge range of subject matter to pick from, and although the passwords aren't random and do have patterns that make them slightly weaker than genuinely random , they're a damn sight better than the ones most people use, they won't succumb to a dictionary attack, they're easy to remember, and they meet the requirements set down by any password security checker.
  • by RayBender (525745) on Sunday September 07, 2003 @10:12AM (#6892594) Homepage

    Part of the problem is that by putting passwords on too many things you are requiring people to do something that most people simply can't do. Think about it, a good password has to be essentially random, at least eight characters long, and only used once. And then the passwords should be changed monthly. Seriously, how many of you can remeber %Fhe#jhx*, $%SDh!@l, (*^GKk32vc and sd)hdf@m? Studies done by various phone companies show that people tend to only be able to memorize about seven numbers at a time..

    And think how many passwords you end up using: your account password on 3-4 computers, various root passwords, passwords to hotmail, your Amazon.com and eBay accounts, your ATM PINs, your credit card PINs, the access to your wireless router at home, and all the access codes to various subscription websites (hot asian teens and whatnot :) )?

    Faced with this deluge of things to remember (which most people simply do not have the neurons to do), what do we do? Either use only one password, use something easy to remember, or write it down on a piece of paper kept in ones wallet. All of which are security no-nos. But security people have to face reality - passwords are only good security when used judiciously!

  • Biometric Encryption Thingamajigs (BET) cards, pins, chips, ... would be great, but dang there ain't no frick'en standards. Guess how many BETs would be on your key-ring and/or in your wallet/purse .... Yep, that's right maybe as many as your passwords.
    Each credit card company will require you use theirs, each business/agency/... and maybe departments will require that only theirs be used for this da-dumb location/job, you banks do not want to use the same BETs as your brokerages, the city/county
  • Diceware (Score:2, Informative)

    by kiltedtaco (213773)
    Diceware [std.com] definitly provides the most secure but easily remembered passwords, and even lets you make pretty exact estimates of the entropy content of your passwords, which makes all sorts of calculations simple and fun.
    • Diceware is definitely the best passphrase solution that I've ever seen.

      Unfortunately, a lot of systems require passwords. A strong Diceware passphrase is about 5 words long, with maybe four to six characters per word (including spaces). So what do you do when you're at a Novell-enabled Windows 2000 machine (which limits you to 14 characters)?

      Generate a weak (~3 word) Diceware passphrase, generate a cryptic and hard-to-remember password, or just use "password" itself.
  • I Don't Get It (Score:3, Insightful)

    by tedrlord (95173) on Sunday September 07, 2003 @10:18AM (#6892614)
    What's wrong with passwords? I love passwords! They're so fun to memorize. Especially when they belong to other people.

    Seriously, though, not everyone thinks like your average computer geek. For most of us, passwords and other alphanumeric sequences are simple to memorize. For many other people, even phone numbers can be very difficult. Not that geeks are necessarily better (okay, we are, but that's beside the point), we're just skilled at soaking up random information. Other people have skills in other areas. We shouldn't really expect everyone to think like us.
  • what i do (Score:3, Insightful)

    by digitalsushi (137809) * <slashdot@digitalsushi.com> on Sunday September 07, 2003 @10:18AM (#6892618) Journal
    here's what i do... feel free to tear it apart if its actually a bad idea...

    lets say i have 10 machines. for each of them, i just memorize an easy to remember 8 letter password. there's also one nasty long password stub that i have thats like 12 characters. i remember just one of those, and after i do the first 8 of the machine specific, simple password, i append the big nasty one, and that's the password for the machine. if someone gets one of them, i know i have however long it takes to brute force crack an 8 letter password to get the other machines.

    not that i see what the big deal is -- isnt a password of "i like to eat pumpkin pie" just as strong a password as "sj34##@dj3"? (roughly; dont do the actual math as i know they are different. all i mean is that they're both good enough most of the time)
  • by Alioth (221270) <no@spam> on Sunday September 07, 2003 @10:21AM (#6892625) Journal
    The worst is the password policy that not only requires you to have a password that resembles line noise and is a minimum of 9 characters long, but also requires a change every 28 days.

    The unintended consequence of this policy is instead of users bothering to choose a good quality password and making the effort to remember it, they either write it down and stick it on a post-it to their monitor (!) or they use something as a password that's on a book by their desk (such as a book name + part of its ISBN). The result is that the password is orders of magnitude easier to crack than if they weren't forced to change it as often or faced with a bizarrely complex password policy. And of course, when they change it, all they do is increment or decrement the trailing digit or character anyway.

    Then there's password synchronization. On one network at $ORK, the password has to be synced in (a) a Novell netware tree (b) M Sexchange server, (c) web proxy (d) Windows domain. There are frequent failures with this synchronization (usually (a) (c) and (d) synchronize fine, but the M Sexchange server doesn't. The only solution is to reset the password which will resync it on all. It would be much nicer to have a passphrased public/private key pair, and use those to authenticate with everything.
    • Someone needs to do a real world study to compare the achieved security between:

      1) Tight password rules and users get instructions on how to ceate good passwords but only need to change say every 6 months.

      vs.

      2) Real world where passwords must be changed every 30 days but there is little or no emphasis on quality of the password, how they're kept by users, etc.

      At the moment someone at work has decided to start reminding people that their password needs to be changed 15 days before it expires on a 30 day
  • We recently put an openBSD machine on the network as our "admin login server". Previously, we were just logging into our main server directly via ssh, which wasn't really extremely safe, but, i mean, it was IP restricted to a /22 of IP's that we all had at home (lack of ISP's in the area lends to all of us using the same one).

    So anyway, we locked down the main server and set up an admin-only login server, running OpenBSD. Previously, my password had been (backwords name of a person + two numerals), which
  • I would have had first post but I forgot my Slashdot password. :-(
  • I simply make up random passwords for web forms or entry boxes and a program I use automatically captures the information, encrypts it, and stores it in a database. Each time I need a password again, it automatically fills it in for me. This system can be configured to require a master password every time it is used, to be on a timer, or to stay unlocked for as long as I am logged in. I can configure it based on application depending on how much I "trust" the program to use my passwords. I can always re
  • by d0n quix0te (304783) on Sunday September 07, 2003 @10:35AM (#6892688)
    ...those crackers/hackers from the movies will usually guess it on the third try... while mouthing inanities like " "It's a UNIX system, I know this..."

    ---
    A woman is helping her computer-illiterate husband set up his computer, and tells him that he will now need to choose and enter a password that he wants to use when logging on. The husband, thinking he'll be oh-so-manly, types in the following letters when prompted for his desired password by the computer... m - y - p - e - n - i - s His wife rolls her eyes. Then she nearly falls off her chair howling with laughter when the computer replies: PASSWORD REJECTED. NOT LONG ENOUGH
  • The concept of single is good. but i hate the idea of using commercial/proprietary/closed-source technology like netegrity's siteminder to implement authentication on my application/servers. What happen if siteminder goes belly-up or they triple the siteminder's licenses???? Nothing is stopping them from doing that. Then my application will secured by a technology that i can NOT afford to license......
  • by Darth Fredd (663620) <DarthFredd@g[ ]l.com ['mai' in gap]> on Sunday September 07, 2003 @10:42AM (#6892714) Journal
    ..a password-keeper. Has a master entrance code, and a "self-destruct" sequence.

    http://www.thinkgeek.com/gadgets/security/5a60/

    Since it comes from thinkgeek, you'll be supporting OSDN, and besides, anything with a self destruct sequence is cool. Really, really cool.
  • It would make a lot more sense if websites allowed you to identify yourself by your PGP or SSH public key. At the very least this could provide a secure way of doing the 'I've forgotten my password, please reset it' thing.
  • Imagine this: Creating account for Yahoo:

    Sharpfang
    Sharpfng
    shrpfng
    sharp_fang
    sharp . fang
    sharp-fang
    shrpfang
    sfang
    sharpf
    sharpy
    sharp

    Yahoo claims all of the above are already in use.
    Do you believe them?

    That's one of the reasons why I stopped using Netscape Mail, my original account name was deleted (supposedly it conflicted with someone when Netscape joined its all services. I really doubt so), and I couldn't come up with anything nearly decent. More and more our usernames start to resemble really good passw
  • When users have password rage, look out! They might start throwing all those letters and numbers at you!
  • by perry (7046) on Sunday September 07, 2003 @10:49AM (#6892766)
    I don't understand this "security experts say biometrics will fix the password problem", since I'm a professional security geek and I don't think that and I know of no fellow security geeks who think that. Indeed, most of us make fun of biometrics when they are mentioned as a solution to such problems.

    Biometrics are essentially useless for over-the-net identity verification because you have no way of knowing whether the equipment on the other end has been tampered with. There might be no retinal scanner there at all -- just software that pretends there is one and feeds you faked up scans. There is also no way to change your retinal scan if it is compromised, so if someone finds a way to get information on your retina, they can thereafter fake your scan over the net with impunity. It isn't like your retina can engage in a public key authentication protocol with the equipment -- the equipment just makes a measurement, which once stolen can be replicated and by definition cannot be easily changed. Ditto for fingerprint scanners or any other biometric measuring instrument.

    Also, the quality of biometric authentication, even when the scanners are known good and untampered with, is very questionable. The false positive and negative rates are unacceptably high -- measured in percent, not in hundredths or thousandths of a percent. That might be fine for unlocking the weather report, but is completely unacceptable for authorizing a purchase. Worse still, those false identification rates are unlikely to change.

    In short, biometrics are not of any use for over the net authentication. They are only useful in very limited applications, like verifying identity at a door with a guard who makes sure you don't tamper with the equipment, and even then only if the system is verifying your identity based on another mechanism of conveying identity (like an ID badge) rather than attempting to determine who you are based on the scan.

    Determining who you are based on the scan has an amazing error rate -- put a fingerprint scanner up on a door to identify rather than to verify an ID card and one in ten people will just walk in by putting their thumb up to it after being falsely identified as a user of the system. If you actually need security, such rates are unacceptable.

    Anyway, as I said, serious security people rarely mention biometrics in any context, and never for over the net transactions.

    Why, then, do biometrics keep getting press? I'm guessing because if you don't know anything about security, biometrics seem like a sexy idea, and because there are so many startups that have millions of dollars gambled on biometrics and would like people to think that they are going to be of some use in the security world.
    • I agree with you in part, but I think it's premature to dismiss biometric security entirely. There are instances and occasions where it makes good sense. For instance, let's say that you're a bank teller. Every day you deal with a steady stream of customers, the vast majority who don't know their account number.

      No problem. Do what Citibank's been doing for the last few years; put ATM keypads at each teller window. To authenticate yourself, swipe your ATM card and enter your PIN. Poof. While this isn
    • Biometrics are essentially useless for over-the-net identity verification because you have no way of knowing whether the equipment on the other end has been tampered with.

      That's why biometrics should only be used in an environment with physical security of the client-side hardware (airports, factories, etc. And maybe even ATMs).

      However, another critical failure of biometric IDs is that they are yet another form of "security through obscurity". With a good security system, you could recover from a tota
    • Why, then, do biometrics keep getting press?

      Yes, you're right in saying that it's partially because they are so sexy and that millions of development dollars are going into them...and there is quite a lot at stake. Biometric companies have to make sure that people trust their products for the job at hand, and they're putting their money to that task.

      People really do not understand security issues...they seem to think of security as a very basic transaction. If you click the link in my .sig, you'll find m
  • "Security experts say that with the increased use of biometrics, our reliance on passwords will lessen in the future"

    What kind of "security expert" would reccomend fixed, unchangable biometric "passwords" in place of text passwords? They have their place in some situations, but for general use they're as bad as putting the same password on every account and never changing it even if you know that it's been compromised.
  • Mac Keychain (Score:3, Insightful)

    by pudge (3605) * <.slashdot. .at. .pudge.net.> on Sunday September 07, 2003 @10:57AM (#6892829) Homepage Journal
    It's perhaps bad because it's a single point of failure, but all of my passwords are, one way or another, stored using the Mac Keychain. Safari stores its passwords in there, as do some other browsers. I use PasswordWallet [selznick.com] (for Mac and Palm) to store passwords (and more) in an encrypted file, which is accessed via a passphrase stored in the Keychain. Even my SSH passphrases are stored in there (accessed via SSHPassKey [versiontracker.com]).

    Anyway, what prompted this was Schneier saying, "Don't let Web browsers store passwords for you." [counterpane.com] Sometimes, the browser is as secure as anything else on your computer, as in the case with Safari + Keychain.
  • by praedor (218403) on Sunday September 07, 2003 @11:32AM (#6893014) Homepage

    Three things that would be a nice replacement for passwords in every day life. Of the three, the easiest/nicest would probably have to be access card. We are beginning to use them in the military - our new IDs act as our access card. The biometric data on the card need not be intrusive (certainly less so than military ID cards) for common use. States could standardize on using a common driver's license with a chip on it with no more information stored in it than is on a normal driver's license. This and a single pin number would suffice.


    Quicker and/or easier...computers come with a card reader and you can just purchase or get a dedicated access card when you get a new computer/reader. Each card could simply contain some generic, unique data in it that combined with a pin is all you need. If using a standard card/data system then all corporations, schools, etc, could adopt it. One card, or just a few, no more onerous than carrying around several credit cards, insurance cards, etc. The only thing you need to memorize is one or two pins. Tied to public key (no M$ DRM server-type nonsense), best to use PGP/GPG to keep it open and universal, and you are set.


  • by Lodragandraoidh (639696) on Sunday September 07, 2003 @12:25PM (#6893479) Journal
    Okay guys and gals, I am going to share the methodology I use to create pseudo random passwords:

    1. Make up a phrase that you will remember - make it fairly long - at least 12 words, e.g:

    night of the living dead zombies eat flesh for fun and kicks

    2. Pick out key letters. A simple key is to use is just the first letters of each word - you can get more complex by alternating the first and the last letters or some number of letters, like alternating 1st and 3rd letters (on words smaller than 3 letters just use the last letter) etc. We will just use the simple method:

    night of the living dead zombies eat flesh for fun and kicks

    so we end up with:

    notldzefffak

    3. Make it even more difficult to break by inserting numbers and special characters in the password. Many password systems are set up to require numbers within passwords - so you may not have a choice in the matter; also, some systems will not let you use special characters - adjust as needed for your local conditions:

    notl96dzefff%ak

    And there you have it, a password that a normal dicationary lookup will not break - and yet one you can easily remember by recalling the original phrase, and applying your letter picking rule. No need to keep stickies on your computer, or in your desk drawer, or under your desk, or in a book, or in your wallet etc... (you would be amazed where you can find people's passwords just by examining their work area...lol).

    Now, get out there and change your passwords!

    Good luck!
  • Apple's Keychain (Score:5, Informative)

    by EelBait (529173) on Sunday September 07, 2003 @12:37PM (#6893589)

    Apple has a nice solution to the password problem in their Keychain. The Keychain was originally part of the Mac OS back in 1993 with System 7 Pro, part of the AOCE toolkit. Most of AOCE has been abandoned, but a few pieces survive.

    The keychain is basically a small, encrypted database with an accompanying API [apple.com] that software developers can use to store passwords. The keychain itself is locked with one's login password. Basically, when one logs in, the keychain is unlocked, and various applications can retrieve the credentials that were previous written into the keychain.

    Apple uses this for storing various passwords for email, file servers, as well as passwords for web sites accessed from Safari. The Camino web browser also uses it. The SSH Agent program stores my passphrase for unlocking my ssh private key.

    Using the Keychain application, users can use it to store secured notes. I use this feature for storing credit card PINs and other things that do not use the Keychain API.

    One thing that would be really nice would be if software developers would use the keychain to store their serial numbers. Since I make backups of my keychain, having all my software serial numbers stored in one place would make a system rebuild a lot easier since I would not need to track down and re-enter all my software serial numbers.

  • by Max Webster (210213) on Sunday September 07, 2003 @01:10PM (#6893847)
    I wonder if someone will come up with "reverse dictionary attacks". That is, generate random combinations of letters, numbers, and symbols, and then discard all the dictionary words, words with 1 digits, repeated letters, proper names, words with substituted digits, etc. Make the password policy strict enough, and at some point this might become faster than a dictionary attack on a system without so many rules.
  • by BeerSlurpy (185482) on Sunday September 07, 2003 @02:58PM (#6894484)
    Kerberos or more generally, trusted 3rd party authentication was invented to solve this problem. You enter one password to gain access to the ticket granting service, and that service handles authenticating you for all the other ones you can use. This problem has been solved correctly for a long time, there is no need for fancy tricks like biometrics to solve it again.

    Passport is a great example of such a system (obviously lacking in implementation, but the idea is great).
  • RAGE-mania (Score:3, Funny)

    by mabu (178417) on Sunday September 07, 2003 @03:00PM (#6894504)
    What is it now with this "Rage"-mania? Why do we have to give even the most trivial behavior some pathological nomenclature?

    There was a story in the local paper here about a guy who woke up and fired his shotgun at a bunch of bass fishermen who zoomed by his camp in their speedboats. He was labeled the guy with "wake rage". I guess in a few months Pfizer will have some pill for this, accompanied by the "It's not your fault - it's a disease and it's treatable" drivel.

    Excuse me, I think I may be getting Rage-Rage. Is there a pill for that?
  • by stickb0y (260670) on Sunday September 07, 2003 @04:04PM (#6894805)
    (Part of a rant I originally posted to Ars Technica's forums. [infopop.net])

    I admit that I know nothing about business, but it seems clear to me one of the primary goals should be to to make it as easy as possible to separate willing customers from their money. If people want to give you money, don't make them jump through hoops.

    For example, an alarming number of sites I've visited require me to create an account to buy something. This is a turn-off.

    • For a first-time shopper who may never visit your site again, it's an extra, unnecessary step.

    • An account implies that my name, address, telephone number, email address, and credit card number are stored on file. No thanks.

    • Creating an account means I have to supply a password. This means that I either make up a new password (which I will need to remember but won't should I ever return), or I re-use a password I've used elsewhere. In other words, that's either one more password I need to remember or one more place where someone can steal it.

      I have no evidence of this, but I suspect at least 90% of people re-use passwords. As a consequence, I must ask myself: do I trust your site with my password? (It suddenly strikes me as odd that I would trust a site with my credit card number but not my password, but I do.) Even if the answer is yes, that's one more decision the customer who has already decided to buy something from you has to make; that's one more point where the customer can change his/her mind.

    Please, don't require accounts. Provide them as a convenience to repeat customers, but don't make them a barrier to first-timers. Make the first- timers happy, build up trust, and they'll be more likely to come back.

    (If you do use accounts, it would be reassuring to know if your site hashes or encrypts passwords before storing them.)

"Well hello there Charlie Brown, you blockhead." -- Lucy Van Pelt

Working...