Users feel Password Rage
Pcol writes "The Baltimore Sun is reporting on Password Rage, the frustration users have with the abundance of codes they are required to memorize. Some cope by remembering their passwords with the help of a tune or a phrase, some use three or four levels of passwords with the most complex protecting financial information, and others keep all their passwords in a database - protected by a password. Security experts say that with the increased use of biometrics, our reliance on passwords will lessen in the future. Until then, it's ok to cheat - but wisely."
Keychain (Score:3, Informative)
Why are biometrics taking so long? (Score:3, Informative)
Until biometrics become more mainstream people should check out those cheap USB key chain mini drives. They work okay, but I still find them a pain to use.
Sometimes your hands are tied (Score:2, Informative)
I imagine it's a long process of finger pointing all over the corporate world, though. The bottom line is that this just might be an inherent flaw of conventional passwords, and we either have to accept that, or develop a better system.
Have a Palm? (Score:2, Informative)
But where do you draw the line? (Score:5, Informative)
Now THAT gives me password-rage.
Re:Spreadsheet (Score:2, Informative)
Yeah, the password list can be handy sometimes
Two Words... (Score:2, Informative)
Now I only have to remember 2 or 3 different passwords. Keychain does the rest of the thinking for me.
Diceware (Score:2, Informative)
Re:Password rage? Try password-phobia. (Score:5, Informative)
If it's possible to crack your password in 7 months but you change it every 6, then the cracked password is useless. If you never change your password it can always be cracked.
Re:USB keys (Score:5, Informative)
Re:Password rage? Try password-phobia. (Score:3, Informative)
The book gets into details of the 'bad things' that could happen.
Some quick answers:
"Why would anyone want my account? I just post pictures of my cat."
"Because some people are jerks, some people hate cats, some people hate FTP and some people can "make better use" of your account by distributing illegal or immoral material such as pirated software, MP3s, child porn or plans for bombs.
Then you take the blame."
"It's just an FTP account, what could anyone possibly do with that?"
"Besides distributing illegal material (child porn, bomb instructions), FTP is very powerful and contains a number of powerful features that could be used by people who know how FTP works to gain more access to the system."
"They couldn't access your root/admin from my account could they?"
"There is a whole book on the subject"
Another professional security geek: I disagree. (Score:3, Informative)
No problem. Do what Citibank's been doing for the last few years; put ATM keypads at each teller window. To authenticate yourself, swipe your ATM card and enter your PIN. Poof. While this isn't the best system around it's not too bad, especially since there's a teller standing right beside it to make sure you don't do anything obviously hinky with it.
But then there are going to be lots of people who don't have their ATM card with them for whatever reason--let's say they accidentally left it at home. Okay, the system still works, but instead of swiping your ATM card and punching your PIN you show the teller your driver's license. The teller looks you up in their database, makes sure you match your photograph, etcetera.
What happens if your wallet's been stolen and you have no identification? Let's say you're mugged and you lose your wallet, and you're forced at gunpoint to give up your PIN. As soon as you get away you run to your bank and talk to the teller. You have no ATM card. You have no driver's license. There's no way they can authenticate you.
But you still have your thumbprint.
So now you authenticate yourself via a thumbprint scanner. The teller takes the thumbprint scanner out of a locked drawer (where it's been stored precisely to limit the amount of access people can have to it, and thus, their opportunities for malfeasance with it) and sets it out in front of you.
Presto, you're logged in, and the teller can have some degree of confidence that you're a customer and need to have your credit cards and ATM access cancelled.
Yes, there are significant problems with biometrics over the Net. Most of these problems can be alleviated by adding a trusted human being to the equation, someone to stand by the biometric reader and make sure nobody does anything obviously hinky with it. (In this case, the teller serves that function.)
I certainly agree that biometrics aren't a panacea and they aren't a replacement for a real security policy. But I think you go a little too far to say that security people think biometrics ought never be used for over-the-Net transactions.
Keyring for PalmOS (Score:5, Informative)
Try using LoginGuardian.com...very neat! (Score:1, Informative)
This javascript utility generates a different password for any site I want. Much less hassle than managing pwds on my palm (fearing I might lose it, or not having it with me when I need it!)
Also, I'm not worried about using this utility from an internet cafe where a keylogger might grab my passphrase, since you use a mouse to input the characters of your passphrase/password. (This is actually its primary function; the universal password thing seems to be a minor feature for them.)
And yes, I've actually looked at the javascript code to make sure it's not sending my passphrase to be recorded somewhere.
Check it out at www.loginguardian.com [loginguardian.com] (click on the LoginGuardian icon under "see it in action", and then click the "More..." button on the virtual keyboard)
Password Safe is free (Score:4, Informative)
One such application for Windows is Password Safe [sourceforge.net]. It is free and open source. It stores all of a user's passwords in an encrypted database that is accessed with a "safe combination" (just another password). It then displays a table of all the stored accounts with accompanying usernames (it does not display the passwords by default). The user double clicks an entry and the corresponding password is copied to the clipboard. It can also generate passwords with some options to set their parameters (only uppercase letters, use symbols etc.).
I've been using Password Safe for several months and have found it incredibly convenient and well designed. Since it never actually displays the passwords on the screen, I can use it in public environments, and the encrypted database file can be easily transferred using a floppy.
P.S. I've found it unwise to use a different password for everything, relying on Password Safe for each one. I've now switched to using different passwords for things involving money, and for stuff like slashdot, gamespy and various messageboard accounts using a single password.
Password Creation Panacea (not really) (Score:3, Informative)
1. Make up a phrase that you will remember - make it fairly long - at least 12 words, e.g:
night of the living dead zombies eat flesh for fun and kicks
2. Pick out key letters. A simple key to use is just the first letters of each word - you can get more complex by alternating the first and the last letters or some number of letters, like alternating 1st and 3rd letters (on words smaller than 3 letters just use the last letter) etc. We will just use the simple method:
night of the living dead zombies eat flesh for fun and kicks
so we end up with:
notldzefffak
3. Make it even more difficult to break by inserting numbers and special characters in the password. Many password systems are set up to require numbers within passwords - so you may not have a choice in the matter; also, some systems will not let you use special characters - adjust as needed for your local conditions:
notl96dzefff%ak
And there you have it, a password that a normal dictionary lookup will not break - and yet one you can easily remember by recalling the original phrase, and applying your letter picking rule. No need to keep stickies on your computer, or in your desk drawer, or under your desk, or in a book, or in your wallet etc... (you would be amazed where you can find people's passwords just by examining their work area...lol).
Now, get out there and change your passwords!
Good luck!
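The three-step recipe above, worked through as an added example that is not part of the original post. The phrase and the final "notl96dzefff%ak" come from the post; the 0-based insert positions, the alternating-rule parity and the policy thresholds are assumptions, and the block also implements the "1st and 3rd letter" variant the post only mentions.

```python
# Added example: the passphrase-to-password recipe from the post above.
# PHRASE and the expected results are the post's; insert positions and the
# policy check are assumptions chosen to reproduce its "notl96dzefff%ak".

PHRASE = "night of the living dead zombies eat flesh for fun and kicks"


def first_letters(phrase: str) -> str:
    """Step 2, simple rule: the first letter of every word."""
    return "".join(word[0] for word in phrase.split())


def alternating_1st_3rd(phrase: str) -> str:
    """Step 2, harder rule: alternate 1st and 3rd letter across words
    (assumed: even-indexed words give the 1st letter, odd-indexed the 3rd);
    a word shorter than 3 letters contributes its last letter instead."""
    out = []
    for i, word in enumerate(phrase.split()):
        if i % 2 == 0:
            out.append(word[0])
        elif len(word) >= 3:
            out.append(word[2])
        else:
            out.append(word[-1])
    return "".join(out)


def insert_fragments(base: str, fragments: dict) -> str:
    """Step 3: splice digits/symbols in before the given 0-based positions
    of the letter string; a key equal to len(base) appends at the end."""
    result = []
    for idx, ch in enumerate(base):
        result.append(fragments.get(idx, ""))
        result.append(ch)
    result.append(fragments.get(len(base), ""))
    return "".join(result)


def meets_policy(pw: str, min_len: int = 12) -> bool:
    """Assumed local policy: minimum length plus at least one digit and
    one non-alphanumeric character, as the post says many systems demand."""
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    return len(pw) >= min_len and has_digit and has_symbol


if __name__ == "__main__":
    letters = first_letters(PHRASE)                        # notldzefffak
    final = insert_fragments(letters, {4: "96", 10: "%"})  # notl96dzefff%ak
    print(letters, alternating_1st_3rd(PHRASE), final, meets_policy(final))
```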
Apple's Keychain (Score:5, Informative)
Apple has a nice solution to the password problem in their Keychain. The Keychain was originally part of the Mac OS back in 1993 with System 7 Pro, part of the AOCE toolkit. Most of AOCE has been abandoned, but a few pieces survive.
The keychain is basically a small, encrypted database with an accompanying API [apple.com] that software developers can use to store passwords. The keychain itself is locked with one's login password. Basically, when one logs in, the keychain is unlocked, and various applications can retrieve the credentials that were previously written into the keychain.
Apple uses this for storing various passwords for email, file servers, as well as passwords for web sites accessed from Safari. The Camino web browser also uses it. The SSH Agent program stores my passphrase for unlocking my ssh private key.
Using the Keychain application, users can also store secure notes. I use this feature for storing credit card PINs and other things that do not use the Keychain API.
One thing that would be really nice would be if software developers would use the keychain to store their serial numbers. Since I make backups of my keychain, having all my software serial numbers stored in one place would make a system rebuild a lot easier since I would not need to track down and re-enter all my software serial numbers.
Re:use a token (Score:2, Informative)
For some reason it's easier for me to think: "It's April, and the theme is Ice Cream." As long as a flavor is buried somewhere in all the letters and numbers of a password, I'll remember it.
I haven't yet forgotten a theme, and I like to do this because the themes reside in my head rather than in the surrounding room as tokens would.
Anne
Re:Have a Palm? (Score:1, Informative)
Re:USB keys (Score:3, Informative)
http://www.zetetic.net/
Ever hear of kerberos? (Score:3, Informative)
Passport is a great example of such a system (obviously lacking in implementation, but the idea is great).