Users feel Password Rage

Pcol writes "The Baltimore Sun is reporting on Password Rage, the frustration users have with the abundance of codes they are required to memorize. Some cope by remembering their passwords with the help of a tune or a phrase, some use three or four levels of passwords with the most complex protecting financial information, and others keep all their passwords in a database - protected by a password. Security experts say that with the increased use of biometrics, our reliance on passwords will lessen in the future. Until then, it's ok to cheat - but wisely."
  • Keychain (Score:3, Informative)

    by Macgoon ( 608648 ) on Sunday September 07, 2003 @09:58AM (#6892520)
    Built into every Mac is a utility called Keychain that remembers all your passwords for you. Of course you can get add-ons for Windows that give the same functionality for a price...
  • by Blaine Hilton ( 626259 ) * on Sunday September 07, 2003 @09:59AM (#6892526) Homepage
    This article goes back to the never-ending argument about usability vs. security. I admit that I want my cake and eat it too, but there is no reason why we can't have both. Biometric devices are becoming more and more common. However, many of the systems I use are SGI Irix, and plain Linux systems that currently do not have any biometric support. Although Windows has many solutions, starting at only $99.

    Until biometrics become more mainstream people should check out those cheap USB key chain mini drives. They work okay, but I still find them a pain to use.

  • by kaden ( 535652 ) on Sunday September 07, 2003 @10:03AM (#6892548)
    Where I work, we (the IT department) realize the problems associated with overloading everyone with passwords, but our clients require us to do it. When you lose a multimillion dollar account if you don't make even the lowliest secretary have three different long, random passwords, there's not much you can do about it but just be understanding when employees forget their passwords.

    I imagine it's a long process of finger pointing all over the corporate world, though. The bottom line is that this just might be an inherent flaw of conventional passwords, and we either have to accept that, or develop a better system.

  • Have a Palm? (Score:2, Informative)

    by acceleriter ( 231439 ) on Sunday September 07, 2003 @10:06AM (#6892561)
    If so, your problem's solved [zetetic.net]!
  • by reachinmark ( 536719 ) on Sunday September 07, 2003 @10:07AM (#6892565) Homepage
    Banks in Sweden are currently running a new BankID system. You can use this to access several government facilities, including submitting claims for sick leave and possibly (in the future) voting, over the internet. The password protection? Your certificate must be unlocked with a password that is at least 12 but at most 16 characters, of which at least 3 must be digits, and 4 alphabetical characters. Oh, and you can't simply repeat a word two or three times - they check for that. The end result? A password so annoyingly difficult to remember that of course everyone has it written on a post-it note by their keyboard.

    Now THAT gives me password-rage.

  • Re:Spreadsheet (Score:2, Informative)

    by Lieutenant_Dan ( 583843 ) on Sunday September 07, 2003 @10:07AM (#6892568) Homepage Journal
    Maybe this [openwall.com] will help.

    Yeah, the password list can be handy sometimes ...
  • Two Words... (Score:2, Informative)

    by MesiahTaz ( 122415 ) on Sunday September 07, 2003 @10:09AM (#6892577)
    Apple Keychain

    Now I only have to remember 2 or 3 different passwords. Keychain does the rest of the thinking for me.
  • Diceware (Score:2, Informative)

    by kiltedtaco ( 213773 ) on Sunday September 07, 2003 @10:16AM (#6892611) Homepage
    Diceware [std.com] definitely provides the most secure but easily remembered passwords, and even lets you make pretty exact estimates of the entropy content of your passwords, which makes all sorts of calculations simple and fun.
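The entropy arithmetic the comment above alludes to, as an added example that is not part of the original thread or of the Diceware project: a dice roll such as "11111" is read as a base-6 number to index the word list, and because each word is an independent uniform choice the bits simply add up, k words from an N-word list giving k·log2(N) bits. The 36-word list below is a constructed stand-in (two dice) for the real 7776-word list (five dice); the dice are simulated with the OS CSPRNG, which is an assumption of this example rather than something the comment prescribes.

```python
import math
import secrets

# Constructed stand-in for a Diceware word list: 36 words addressed by two
# dice (6**2). The real list has 7776 words addressed by five dice.
SAMPLE_WORDS = [
    "acorn", "badge", "cabin", "dance", "eagle", "fable",
    "gavel", "hatch", "igloo", "jelly", "kayak", "lemon",
    "mango", "noble", "olive", "panda", "quilt", "raven",
    "salad", "tiger", "ultra", "vivid", "wagon", "xenon",
    "yacht", "zebra", "amber", "bison", "cider", "delta",
    "ember", "flute", "gecko", "honey", "ivory", "jumbo",
]


def dice_per_word(list_size):
    """Number of six-sided dice that address every word exactly once."""
    n = round(math.log(list_size, 6))
    if 6 ** n != list_size:
        raise ValueError("list size must be a power of 6 for an unbiased dice lookup")
    return n


def dice_to_index(roll):
    """Read a roll such as '11111' (first word) or '66666' (last) as a base-6 index."""
    index = 0
    for face in roll:
        if face not in "123456":
            raise ValueError("dice faces are 1-6")
        index = index * 6 + (int(face) - 1)
    return index


def index_to_dice(index, n_dice):
    """Inverse of dice_to_index: the roll printed next to a word in the list."""
    digits = []
    for _ in range(n_dice):
        digits.append(str(index % 6 + 1))
        index //= 6
    return "".join(reversed(digits))


def entropy_bits(n_words, list_size):
    """Each word is an independent uniform pick, so bits add: k * log2(N)."""
    return n_words * math.log2(list_size)


def words_for_bits(target_bits, list_size):
    """Smallest passphrase length that reaches a target strength."""
    return math.ceil(target_bits / math.log2(list_size))


def roll_passphrase(n_words, words=SAMPLE_WORDS, rng=secrets.SystemRandom()):
    """Simulate the dice with a CSPRNG (assumption); returns (words, rolls used)."""
    n = dice_per_word(len(words))
    rolls = ["".join(str(rng.randint(1, 6)) for _ in range(n)) for _ in range(n_words)]
    return [words[dice_to_index(r)] for r in rolls], rolls
```

With the real list, six words come to about 77.5 bits and seven are needed to clear 80, regardless of how long the individual words are; the strength lives entirely in the uniform random choice, which is why rolling physical dice (or a CSPRNG) rather than picking "random-looking" words matters.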
  • by CommieOverlord ( 234015 ) on Sunday September 07, 2003 @10:37AM (#6892695)
    Because no password is uncrackable. One issue about cryptography is that things don't have to be uncrackable, so long as by the time they are cracked it is irrelevant.

    If it's possible to crack your password in 7 months but you change it every 6, then the cracked password is useless. If you never change your password it can always be cracked.
  • Re:USB keys (Score:5, Informative)

    by curious.corn ( 167387 ) on Sunday September 07, 2003 @10:43AM (#6892715)
    those are smartcards you are talking about. They contain a small general purpose microprocessor and special storage for OS and data. Once locked, data cannot be read out of the device but only used within the programs stored within. It appalls me that those things aren't ubiquitous and/or used for POS C/C systems. Some cryptanalysts managed to weasel some data out of them only by physically interfering with the operating device to cause program execution failures (heating or EM interference). Still much safer than a crummy magnetic strip and a numeric code.
  • by Felinoid ( 16872 ) on Sunday September 07, 2003 @10:55AM (#6892820) Homepage Journal
    From "Outside the inner circle"
    The book gets into details of the 'bad things' that could happen.

    Some quick answers:
    "Why would anyone want my account I just post pictures of my cat"
    "Because some people are jerks, some people hate cats, some people hate FTP and some people can "make better use" of your account by distributing illegal or immoral material such as pirated software, MP3s, child porn or plans for bombs.
    Then you take the blame."

    "It's just an FTP account, what could anyone possibly do with that?"
    "Besides distributing illegal material (child porn, bomb instructions) FTP is very powerful and contains a number of powerful features that could be used by people who know how FTP works to gain more access to the system."

    "They couldn't access your root/admin from my account could they?"
    "There is a whole book on the subject"
  • by rjh ( 40933 ) <rjh@sixdemonbag.org> on Sunday September 07, 2003 @11:49AM (#6893136)
    I agree with you in part, but I think it's premature to dismiss biometric security entirely. There are instances and occasions where it makes good sense. For instance, let's say that you're a bank teller. Every day you deal with a steady stream of customers, the vast majority who don't know their account number.

    No problem. Do what Citibank's been doing for the last few years; put ATM keypads at each teller window. To authenticate yourself, swipe your ATM card and enter your PIN. Poof. While this isn't the best system around it's not too bad, especially since there's a teller standing right beside it to make sure you don't do anything obviously hinky with it.

    But then there are going to be lots of people who don't have their ATM card with them for whatever reason--let's say they accidentally left it at home. Okay, the system still works, but instead of swiping your ATM card and punching your PIN you show the teller your driver's license. The teller looks you up in their database, makes sure you match your photograph, etcetera.

    What happens if your wallet's been stolen and you have no identification? Let's say you're mugged and you lose your wallet, and you're forced at gunpoint to give up your PIN. As soon as you get away you run to your bank and talk to the teller. You have no ATM card. You have no driver's license. There's no way they can authenticate you.

    But you still have your thumbprint.

    So now you authenticate yourself via a thumbprint scanner. The teller takes the thumbprint scanner out of a locked drawer (where it's been stored precisely to limit the amount of access people can have to it, and thus, their opportunities for malfeasance with it) and sets it out in front of you.

    Presto, you're logged in, and the teller can have some degree of confidence that you're a customer and need to have your credit cards and ATM access cancelled.

    Yes, there are significant problems with biometrics over the Net. Most of these problems can be alleviated by adding a trusted human being to the equation, someone to stand by the biometric reader and make sure nobody does anything obviously hinky with it. (In this case, the teller serves that function.)

    I certainly agree that biometrics aren't a panacea and they aren't a replacement for a real security policy. But I think you go a little too far to say that security people think biometrics ought never be used for over-the-Net transactions.
  • Keyring for PalmOS (Score:5, Informative)

    by arth33 ( 551240 ) <misc33 AT hotmail DOT com> on Sunday September 07, 2003 @12:04PM (#6893259)
    Just protects the passwords so you don't have to lock down your whole PDA all the time (I don't really care if someone nabs my schedule/phone list). It works really well, and seems to be written with security in mind (as opposed to ease of use). According to the website, it uses "secure triple-DES encryption using a 112-bit key derived from the password". And the best part: it's open source. Pick it up here: http://gnukeyring.sourceforge.net/ [sourceforge.net]
  • by Anonymous Coward on Sunday September 07, 2003 @12:15PM (#6893358)
    I use it for most of my online accounts, because all I need to memorize is a single passphrase and one password. (look for "universal password" on their home page for info)

    This javascript utility generates a different password for any site I want. Much less hassle than managing pwds on my palm (fearing I might lose it, or not having it with me when I need it!)

    Also, I'm not worried about using this utility from an internet cafe where a keylogger might grab my passphrase, since you use a mouse to input the characters of your passphrase/password. (this is actually its primary function, the universal password thing seems to be a minor feature for them)

    And yes, I've actually looked at the javascript code to make sure it's not sending my passphrase to be recorded somewhere.

    Check it out at www.loginguardian.com [loginguardian.com] (click on the LoginGuardian icon under "see it in action", and then click the "More..." button on the virtual keyboard)
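The "universal password" idea in the comment above, as an added example that is not part of the original thread and not LoginGuardian's code: one memorised master passphrase, plus the site's name, is stretched through a key derivation function and the output is mapped onto a printable alphabet, so every site gets an unrelated password and nothing has to be stored. PBKDF2-HMAC-SHA256, the hostname canonicalisation, the character set and the per-site revision counter are all assumptions of this example; the counter is the one piece a practitioner usually wants, since without it a breached site's password cannot be rotated without changing the master everywhere.

```python
import hashlib
import string

# Constructed character set; kept conservative because many sites reject some symbols.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def canonical_site(url_or_host):
    """'https://WWW.Example.com:8443/login' -> 'example.com', so every page,
    port and capitalisation of a site derives the same password."""
    host = url_or_host.lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]
    if host.startswith("www."):
        host = host[4:]
    return host


def meets_policy(pw):
    """Lower, upper, digit and symbol present: the lowest common denominator of site rules."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def site_password(master, site, revision=1, length=16, iterations=100_000):
    """Derive a site-specific password from one master passphrase (assumed KDF: PBKDF2-HMAC-SHA256).

    The canonical site name and a revision number form the salt; bumping
    `revision` after a breach yields an unrelated password for that site only.
    The 512-bit derived key is converted to base len(ALPHABET); the leftover
    bias from truncating a 512-bit integer to ~100 bits of output is negligible.
    """
    salt = f"{canonical_site(site)}|{revision}".encode()
    for attempt in range(16):  # re-derive until the site's composition rules are met
        dk = hashlib.pbkdf2_hmac("sha256", master.encode(), salt + bytes([attempt]),
                                 iterations, dklen=64)
        n = int.from_bytes(dk, "big")
        chars = []
        for _ in range(length):
            n, r = divmod(n, len(ALPHABET))
            chars.append(ALPHABET[r])
        pw = "".join(chars)
        if meets_policy(pw):
            return pw
    raise RuntimeError("could not satisfy the composition policy")
```

The cost of the scheme is the cost of the master: whoever learns the passphrase (a keylogger, a phishing page that asks for "the master") gets every site at once, and the derived passwords cannot be changed individually except through the revision counter, which the user then has to remember per site.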
  • by mnemonic_ ( 164550 ) <jamec@umich. e d u> on Sunday September 07, 2003 @12:16PM (#6893367) Homepage Journal
    I've never used Keychain so I'm not exactly sure what its functionality is like. Many months ago an article in 2600 magazine informed me of "password bag" applications, software that stores multiple passwords in a file which is only accessible through a master password. Perhaps this is somewhat like Keychain?

    One such application for Windows is Password Safe [sourceforge.net]. It is free and open source. It stores all of a user's passwords in an encrypted database that is accessed with a "safe combination" (just another password). It then displays a table of all the stored accounts with accompanying usernames (it does not display the passwords by default). The user double clicks an entry and the corresponding password is copied to the clipboard. It can also generate passwords with some options to set their parameters (only uppercase letters, use symbols etc.).

    I've been using Password Safe for several months and have found it incredibly convenient and well designed. Since it never actually displays the passwords on the screen, I can use it in public environments, and the encrypted database file can be easily transferred using a floppy.

    P.S. I've found it unwise to use a different password for everything, relying on Password Safe for each one. I've now switched to using different passwords for things involving money, and for stuff like slashdot, gamespy and various messageboard accounts using a single password.
  • by Lodragandraoidh ( 639696 ) on Sunday September 07, 2003 @12:25PM (#6893479) Journal
    Okay guys and gals, I am going to share the methodology I use to create pseudo random passwords:

    1. Make up a phrase that you will remember - make it fairly long - at least 12 words, e.g:

    night of the living dead zombies eat flesh for fun and kicks

    2. Pick out key letters. A simple key to use is just the first letters of each word - you can get more complex by alternating the first and the last letters or some number of letters, like alternating 1st and 3rd letters (on words smaller than 3 letters just use the last letter) etc. We will just use the simple method:

    night of the living dead zombies eat flesh for fun and kicks

    so we end up with:

    notldzefffak

    3. Make it even more difficult to break by inserting numbers and special characters in the password. Many password systems are set up to require numbers within passwords - so you may not have a choice in the matter; also, some systems will not let you use special characters - adjust as needed for your local conditions:

    notl96dzefff%ak

    And there you have it, a password that a normal dictionary lookup will not break - and yet one you can easily remember by recalling the original phrase, and applying your letter picking rule. No need to keep stickies on your computer, or in your desk drawer, or under your desk, or in a book, or in your wallet etc... (you would be amazed where you can find people's passwords just by examining their work area...lol).

    Now, get out there and change your passwords!

    Good luck!
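The three-step procedure above, worked through in code as an added example that is not part of the original post: the letter-picking rules it describes (first letters; alternating first and last; alternating 1st and 3rd with the last letter as fallback for short words), the insertion of digits and symbols at chosen positions, and a check against the kind of local rules the post says you may have to adjust to. The phrase and the final password "notl96dzefff%ak" are the post's own; the rule names, the insertion positions and the policy thresholds are assumptions of this example.

```python
import re

# The post's example phrase (at least 12 words, easy to recall).
PHRASE = "night of the living dead zombies eat flesh for fun and kicks"


def pick_letters(phrase, rule="first"):
    """Apply a letter-picking rule to every word of the phrase.

    'first'       -> first letter of each word (the post's simple method)
    'first_last'  -> alternate first letter, last letter, first, ...
    'first_third' -> alternate 1st and 3rd letters; a word shorter than
                     3 letters contributes its last letter instead
    """
    words = re.findall(r"[A-Za-z0-9']+", phrase)
    out = []
    for i, w in enumerate(words):
        if rule == "first":
            out.append(w[0])
        elif rule == "first_last":
            out.append(w[0] if i % 2 == 0 else w[-1])
        elif rule == "first_third":
            out.append(w[0] if i % 2 == 0 else (w[2] if len(w) >= 3 else w[-1]))
        else:
            raise ValueError(f"unknown rule {rule!r}")
    return "".join(out)


def insert_tokens(base, insertions):
    """Insert (position, token) pairs; positions index the *base* string,
    so [(4, '96'), (10, '%')] on 'notldzefffak' gives 'notl96dzefff%ak'."""
    pieces, last = [], 0
    for pos, tok in sorted(insertions):
        pieces.append(base[last:pos])
        pieces.append(tok)
        last = pos
    pieces.append(base[last:])
    return "".join(pieces)


def check_policy(pw, min_len=12, need_digit=True, need_symbol=True, allowed_symbols="%!@#$"):
    """Return the list of local rules the password breaks (empty list = acceptable).
    Thresholds and the allowed symbol set are assumptions standing in for
    whatever the target system enforces."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len}")
    if need_digit and not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if need_symbol and not any(c in allowed_symbols for c in pw):
        problems.append("no allowed symbol")
    if any(not (c.isalnum() or c in allowed_symbols) for c in pw):
        problems.append("contains a character the system rejects")
    return problems


def derive(phrase, rule="first", insertions=()):
    """Steps 1-3 of the post in one call; the user remembers phrase, rule and insertions."""
    return insert_tokens(pick_letters(phrase, rule), insertions)
```

Two caveats a practitioner would add: the result is only as unpredictable as the phrase, so a well-known song lyric or film title gives an acrostic that password-cracking wordlists already contain, and the same phrase must not be reused across systems with different insertion rules, since one recovered password reveals the base string for all the others.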
  • Apple's Keychain (Score:5, Informative)

    by EelBait ( 529173 ) on Sunday September 07, 2003 @12:37PM (#6893589)

    Apple has a nice solution to the password problem in their Keychain. The Keychain was originally part of the Mac OS back in 1993 with System 7 Pro, part of the AOCE toolkit. Most of AOCE has been abandoned, but a few pieces survive.

    The keychain is basically a small, encrypted database with an accompanying API [apple.com] that software developers can use to store passwords. The keychain itself is locked with one's login password. Basically, when one logs in, the keychain is unlocked, and various applications can retrieve the credentials that were previously written into the keychain.

    Apple uses this for storing various passwords for email, file servers, as well as passwords for web sites accessed from Safari. The Camino web browser also uses it. The SSH Agent program stores my passphrase for unlocking my ssh private key.

    Using the Keychain application, users can use it to store secured notes. I use this feature for storing credit card PINs and other things that do not use the Keychain API.

    One thing that would be really nice would be if software developers would use the keychain to store their serial numbers. Since I make backups of my keychain, having all my software serial numbers stored in one place would make a system rebuild a lot easier since I would not need to track down and re-enter all my software serial numbers.

  • Re:use a token (Score:2, Informative)

    by annielaurie ( 257735 ) <annekmadison@nosPAm.hotmail.com> on Sunday September 07, 2003 @12:40PM (#6893611) Journal
    I don't use a token, but I pick a theme: ice cream flavors, car parts, old movies, whatever. The theme gets changed every three months or so, and the passwords all have to relate to it. They also have to conform to the administrative requirements of whatever system I'm using or my own standards.

    For some reason it's easier for me to think: "It's April, and the theme is Ice Cream." As long as a flavor is buried somewhere in all the letters and numbers of a password, I'll remember it.

    I haven't yet forgotten a theme, and I like to do this because the themes reside in my head rather than in the surrounding room as tokens would.

    Anne
  • Re:Have a Palm? (Score:1, Informative)

    by Anonymous Coward on Sunday September 07, 2003 @12:57PM (#6893753)
    umm, no. Try gpgkeys, instead. It's opensource, and it stores passwords as well as keys. It's also on sourceforge :)
  • Re:USB keys (Score:3, Informative)

    by nbvb ( 32836 ) on Sunday September 07, 2003 @01:47PM (#6894064) Journal
    Use STRIP. Best software going ...

    http://www.zetetic.net/
  • by BeerSlurpy ( 185482 ) on Sunday September 07, 2003 @02:58PM (#6894484)
    Kerberos or more generally, trusted 3rd party authentication was invented to solve this problem. You enter one password to gain access to the ticket granting service, and that service handles authenticating you for all the other ones you can use. This problem has been solved correctly for a long time, there is no need for fancy tricks like biometrics to solve it again.

    Passport is a great example of such a system (obviously lacking in implementation, but the idea is great).
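The ticket-granting flow the comment above describes, as an added example that is not part of the original thread and not Kerberos' or Passport's code: the password-derived key is used exactly once, to open the AS reply; from then on the client proves itself with session keys carried inside tickets that only the KDC and the target service can open, so the application server never sees the password. The message layout is a simplification of Kerberos (no realms across trust boundaries, no renewal, timestamps only as replay protection), and the authenticated encryption built from HMAC-SHA256 is a stand-in for the real enctypes; all of that, the realm name and the constructed principals are assumptions of this example.

```python
import hashlib
import hmac
import json
import os
import time


# Toy authenticated encryption from HMAC-SHA256 (assumption: stands in for the
# Kerberos enctypes). Keystream = HMAC(enc_key, nonce||counter); tag over nonce||ct.
def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _stream(enc_key, nonce, length):
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def _seal(key, obj):
    enc_key, mac_key = _subkeys(key)
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(enc_key, nonce, len(pt))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def _open(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(enc_key, nonce, len(ct)))))

def string_to_key(password, realm, principal):
    """Password -> long-term key, salted with realm+principal (assumed KDF: PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), f"{realm}{principal}".encode(), 4096)


class KDC:
    """Authentication server + ticket-granting server sharing one key database."""
    def __init__(self, realm, user_passwords, service_keys, ttl=8 * 3600):
        self.realm, self.ttl = realm, ttl
        self.keys = {u: string_to_key(p, realm, u) for u, p in user_passwords.items()}
        self.keys.update(service_keys)  # 'krbtgt' plus application services

    def as_exchange(self, user):
        """AS-REQ/AS-REP: the only step that involves the password-derived key."""
        session, expiry = os.urandom(32), time.time() + self.ttl
        tgt = _seal(self.keys["krbtgt"], {"user": user, "key": session.hex(), "expiry": expiry})
        return tgt, _seal(self.keys[user], {"key": session.hex(), "expiry": expiry})

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ/TGS-REP: prove possession of the TGT session key, get a service ticket."""
        t = _open(self.keys["krbtgt"], tgt)
        if t["expiry"] < time.time():
            raise ValueError("TGT expired")
        session = bytes.fromhex(t["key"])
        a = _open(session, authenticator)  # fails unless the client knows the session key
        if a["user"] != t["user"] or abs(time.time() - a["time"]) > 300:
            raise ValueError("authenticator mismatch or clock skew")
        svc_session = os.urandom(32)
        ticket = _seal(self.keys[service], {"user": t["user"], "key": svc_session.hex(), "expiry": t["expiry"]})
        return ticket, _seal(session, {"key": svc_session.hex(), "service": service})


class Client:
    def __init__(self, kdc, user, password):
        self.kdc, self.user = kdc, user
        self.tgt, rep = kdc.as_exchange(user)
        # A wrong password gives a wrong key, the MAC check fails, and no session key is obtained.
        self.tgt_key = bytes.fromhex(_open(string_to_key(password, kdc.realm, user), rep)["key"])

    def authenticator(self, key):
        return _seal(key, {"user": self.user, "time": time.time()})

    def ticket_for(self, service):
        ticket, rep = self.kdc.tgs_exchange(self.tgt, self.authenticator(self.tgt_key), service)
        return ticket, bytes.fromhex(_open(self.tgt_key, rep)["key"])


def service_accepts(service_key, ticket, authenticator):
    """AP-REQ check on the application server; it holds only its own key."""
    t = _open(service_key, ticket)
    a = _open(bytes.fromhex(t["key"]), authenticator)
    return a["user"] == t["user"] and t["expiry"] > time.time()


def demo():
    """Whole exchange for a constructed realm; returns what each check decided."""
    kdc = KDC("EXAMPLE.ORG", {"alice": "correct horse"},
              {"krbtgt": os.urandom(32), "imap": os.urandom(32), "smtp": os.urandom(32)})
    alice = Client(kdc, "alice", "correct horse")
    ticket, key = alice.ticket_for("imap")
    results = {"imap_accepts": service_accepts(kdc.keys["imap"], ticket, alice.authenticator(key))}
    try:  # the imap ticket is useless at smtp: wrong service key, MAC fails
        service_accepts(kdc.keys["smtp"], ticket, alice.authenticator(key))
        results["smtp_accepts"] = True
    except ValueError:
        results["smtp_accepts"] = False
    try:  # wrong password: the AS-REP cannot be opened, so there is no TGT session key
        Client(kdc, "alice", "wrong")
        results["wrong_password_logs_in"] = True
    except ValueError:
        results["wrong_password_logs_in"] = False
    return results
```

The property worth noticing is where the password goes: the client types it once, derives a key locally, and the KDC never receives it at all. What the comment calls "one password for the ticket granting service" is in practice one password-equivalent key, which is also why protecting the krbtgt key and the KDC database is the whole game.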
