Security

Users feel Password Rage

Pcol writes "The Baltimore Sun is reporting on Password Rage, the frustration users have with the abundance of codes they are required to memorize. Some cope by remembering their passwords with the help of a tune or a phrase, some use three or four levels of passwords with the most complex protecting financial information, and others keep all their passwords in a database - protected by a password. Security experts say that with the increased use of biometrics, our reliance on passwords will lessen in the future. Until then, it's ok to cheat - but wisely."
  • Re:Old Problem (Score:4, Insightful)

    by LostCluster ( 625375 ) on Sunday September 07, 2003 @10:03AM (#6892550)
    Overly tight security rules lead to Type II security errors... the kind where the people who are supposed to get into the system can't. As a result, people start circumventing the rules, which ends up weakening that overly tight security... oops.

    People who make the rules need to think a little more sometimes.

  • by trikberg ( 621893 ) <trikberg.hotmail@com> on Sunday September 07, 2003 @10:09AM (#6892578)

    I just have some photos of my cat there.

    I've found that the best argument to this is to say that it does not matter what can be taken from you, but what can be done in your name by breaking the password. If the account is compromised anyone could send mail in your name or use your account to store illegal material.

    Trying to explain about root access and such things will be met by a blank stare. It's more effective to talk about the drawbacks of being discovered with someone else's child pornography in your account.

  • by iapetus ( 24050 ) on Sunday September 07, 2003 @10:11AM (#6892583) Homepage
    Build a system for generating passwords from other information that's easier to remember. Books and their authors. Songs. Quotes from your favourite movies. American Football players. It's easy enough to build a quick and easy set of rules for which letters should be capitalised, where numbers should appear and so on. And it's a hell of a lot easier for me to remember that my root password is American Pie than it is to remember that it's dm7aO2Eg, or that my password for the database server at work is One Week rather than bl31eOWs. There's a huge range of subject matter to pick from, and although the passwords aren't random and do have patterns that make them slightly weaker than genuinely random ones, they're a damn sight better than the ones most people use, they won't succumb to a dictionary attack, they're easy to remember, and they meet the requirements set down by any password security checker.
  • by RayBender ( 525745 ) on Sunday September 07, 2003 @10:12AM (#6892594) Homepage

    Part of the problem is that by putting passwords on too many things you are requiring people to do something that most people simply can't do. Think about it, a good password has to be essentially random, at least eight characters long, and only used once. And then the passwords should be changed monthly. Seriously, how many of you can remember %Fhe#jhx*, $%SDh!@l, (*^GKk32vc and sd)hdf@m? Studies done by various phone companies show that people tend to only be able to memorize about seven numbers at a time.

    And think how many passwords you end up using: your account password on 3-4 computers, various root passwords, passwords to hotmail, your Amazon.com and eBay accounts, your ATM PINs, your credit card PINs, the access to your wireless router at home, and all the access codes to various subscription websites (hot asian teens and whatnot :) )?

    Faced with this deluge of things to remember (which most people simply do not have the neurons to do), what do we do? Either use only one password, use something easy to remember, or write it down on a piece of paper kept in one's wallet. All of which are security no-nos. But security people have to face reality - passwords are only good security when used judiciously!

  • I Don't Get It (Score:3, Insightful)

    by tedrlord ( 95173 ) on Sunday September 07, 2003 @10:18AM (#6892614)
    What's wrong with passwords? I love passwords! They're so fun to memorize. Especially when they belong to other people.

    Seriously, though, not everyone thinks like your average computer geek. For most of us, passwords and other alphanumeric sequences are simple to memorize. For many other people, even phone numbers can be very difficult. Not that geeks are necessarily better (okay, we are, but that's beside the point), we're just skilled at soaking up random information. Other people have skills in other areas. We shouldn't really expect everyone to think like us.
  • what i do (Score:3, Insightful)

    by digitalsushi ( 137809 ) * <slashdot@digitalsushi.com> on Sunday September 07, 2003 @10:18AM (#6892618) Journal
    here's what i do... feel free to tear it apart if its actually a bad idea...

    lets say i have 10 machines. for each of them, i just memorize an easy to remember 8 letter password. there's also one nasty long password stub that i have thats like 12 characters. i remember just one of those, and after i do the first 8 of the machine specific, simple password, i append the big nasty one, and that's the password for the machine. if someone gets one of them, i know i have however long it takes to brute force crack an 8 letter password to get the other machines.

    not that i see what the big deal is -- isnt a password of "i like to eat pumpkin pie" just as strong a password as "sj34##@dj3"? (roughly; dont do the actual math as i know they are different. all i mean is that they're both good enough most of the time)
  • by Alioth ( 221270 ) <no@spam> on Sunday September 07, 2003 @10:21AM (#6892625) Journal
    The worst is the password policy that not only requires you to have a password that resembles line noise and is a minimum of 9 characters long, but also requires a change every 28 days.

    The unintended consequence of this policy is instead of users bothering to choose a good quality password and making the effort to remember it, they either write it down and stick it on a post-it to their monitor (!) or they use something as a password that's on a book by their desk (such as a book name + part of its ISBN). The result is that the password is orders of magnitude easier to crack than if they weren't forced to change it as often or faced with a bizarrely complex password policy. And of course, when they change it, all they do is increment or decrement the trailing digit or character anyway.

    Then there's password synchronization. On one network at $ORK, the password has to be synced in (a) a Novell netware tree (b) M Sexchange server, (c) web proxy (d) Windows domain. There are frequent failures with this synchronization (usually (a) (c) and (d) synchronize fine, but the M Sexchange server doesn't). The only solution is to reset the password which will resync it on all. It would be much nicer to have a passphrased public/private key pair, and use those to authenticate with everything.
  • by Anonymous Brave Guy ( 457657 ) on Sunday September 07, 2003 @10:21AM (#6892626)

    Biometrics still have a lot of basic advantages over passwords.


    Today:

    [Informed cracker dials front desk]

    Cracker: Hi, this is John in Support. We're having a problem with your account, could you just confirm the ID and password you use to log in so I can fix it up?

    Clueless front desker: Sure, I type johndoe and the password is "reindeer flotilla".

    Cracker: Great, thanks. I'll fix your account up right now, and you shouldn't see any difference from usual once it's done.


    Next year:

    [Informed cracker dials front desk]

    Cracker: Hi, this is John in Support. We're having a problem with your account, could you just send me your fingerprint so we can fix it?

    Clueless front-desker: Um...


    Remember, the two biggest problems with passwords are (a) choosing dumb ones allowing brute-force attacks on a system, and (b) their vulnerability to social engineering attacks. Even simple biometrics would go a long way to fixing those, and thus restricting cracking to those who actually have a clue and not s'kiddies with nothing better to occupy their time.

  • Re:USB keys (Score:3, Insightful)

    by axxackall ( 579006 ) on Sunday September 07, 2003 @10:23AM (#6892636) Homepage Journal
    And even moreover keep the backup of your Palm in your bank. Just for a case if your PDA is stolen or broken.
  • by Sphere1952 ( 231666 ) on Sunday September 07, 2003 @10:26AM (#6892648) Journal
    Now...Was this site 15 or 16?
  • by SpaceLifeForm ( 228190 ) on Sunday September 07, 2003 @10:28AM (#6892659)
    Speaking of phobia, can anyone seriously explain the need to periodically change passwords?
    If your password is good and you haven't given it out to anyone, what is the point of changing it? I mean, if the password is non-crackable via dictionary attack why change it to a different non-crackable password?
  • by edp ( 171151 ) on Sunday September 07, 2003 @10:47AM (#6892751) Homepage
    "Speaking of phobia, can anyone seriously explain the need to periodically change passwords?"

    As time goes by, the probability the password has been compromised increases: The password was shared with a coworker who needed access, the storage location of the plaintext password (the place you wrote it down) was compromised, et cetera.

  • by perry ( 7046 ) on Sunday September 07, 2003 @10:49AM (#6892766)
    I don't understand this "security experts say biometrics will fix the password problem", since I'm a professional security geek and I don't think that and I know of no fellow security geeks who think that. Indeed, most of us make fun of biometrics when they are mentioned as a solution to such problems.

    Biometrics are essentially useless for over-the-net identity verification because you have no way of knowing whether the equipment on the other end has been tampered with. There might be no retinal scanner there at all -- just software that pretends there is one and feeds you faked up scans. There is also no way to change your retinal scan if it is compromised, so if someone finds a way to get information on your retina, they can thereafter fake your scan over the net with impunity. It isn't like your retina can engage in a public key authentication protocol with the equipment -- the equipment just makes a measurement, which once stolen can be replicated and by definition cannot be easily changed. Ditto for fingerprint scanners or any other biometric measuring instrument.

    Also, the quality of biometric authentication, even when the scanners are known good and untampered with, is very questionable. The false positive and negative rates are unacceptably high -- measured in percent, not in hundredths or thousandths of a percent. That might be fine for unlocking the weather report, but is completely unacceptable for authorizing a purchase. Worse still, those false identification rates are unlikely to change.

    In short, biometrics are not of any use for over the net authentication. They are only useful in very limited applications, like verifying identity at a door with a guard who makes sure you don't tamper with the equipment, and even then only if the system is verifying your identity based on another mechanism of conveying identity (like an ID badge) rather than attempting to determine who you are based on the scan.

    Determining who you are based on the scan has an amazing error rate -- put a fingerprint scanner up on a door to identify rather than to verify an ID card and one in ten people will just walk in by putting their thumb up to it after being falsely identified as a user of the system. If you actually need security, such rates are unacceptable.

    Anyway, as I said, serious security people rarely mention biometrics in any context, and never for over the net transactions.

    Why, then, do biometrics keep getting press? I'm guessing because if you don't know anything about security, biometrics seem like a sexy idea, and because there are so many startups that have millions of dollars gambled on biometrics and would like people to think that they are going to be of some use in the security world.
  • Mac Keychain (Score:3, Insightful)

    by pudge ( 3605 ) * <slashdot.pudge@net> on Sunday September 07, 2003 @10:57AM (#6892829) Homepage Journal
    It's perhaps bad because it's a single point of failure, but all of my passwords are, one way or another, stored using the Mac Keychain. Safari stores its passwords in there, as do some other browsers. I use PasswordWallet [selznick.com] (for Mac and Palm) to store passwords (and more) in an encrypted file, which is accessed via a passphrase stored in the Keychain. Even my SSH passphrases are stored in there (accessed via SSHPassKey [versiontracker.com]).

    Anyway, what prompted this was Schneier saying, "Don't let Web browsers store passwords for you." [counterpane.com] Sometimes, the browser is as secure as anything else on your computer, as in the case with Safari + Keychain.
  • by the uNF cola ( 657200 ) on Sunday September 07, 2003 @11:13AM (#6892918)
    Until biometrics works flawlessly too.

    If your password is LSKdfSLJ, if you get it wrong, it's human error until you type it right. If you use a fingerprint scan, it has to do more work to figure out that your finger isn't perfectly aligned with the picture. Just like OCR.

    Yeah, most people have many fingers and toes, but until it becomes infallible, getting locked out of your work machine on a daily basis, or 10% of the time, would make your workday a lot longer. Think of the time you waste on slashdot daily!

    For something that is either, "allowed in" or "locked out", I'd rather a password, RSA SecureID or some sorta smart card any day. For a tool to help find information, sorta the Bayesian filter for people, it makes sense. Think about it. You can walk freely through your office, no key card or whatever, but you are restricted by a face scan. If you fail that, go to your good ol' backup of a secureid, where you need a password AND token.
  • by DaveAtFraud ( 460127 ) on Sunday September 07, 2003 @11:24AM (#6892985) Homepage Journal
    Someone needs to do a real world study to compare the achieved security between:

    1) Tight password rules and users get instructions on how to create good passwords but only need to change say every 6 months.

    vs.

    2) Real world where passwords must be changed every 30 days but there is little or no emphasis on quality of the password, how they're kept by users, etc.

    At the moment someone at work has decided to start reminding people that their password needs to be changed 15 days before it expires on a 30 day expiration schedule. I think I'll change mine to P455w0rd.53pt.
  • by SpaceLifeForm ( 228190 ) on Sunday September 07, 2003 @11:39AM (#6893047)
    I agree, but in order to be cracked over time, the attacker must either have a copy of the encrypted password (ex: copy of passwd file) or allowed to attempt access indefinitely without detection (ex: login with no delay, no log of failures).

    In the first case, if the encrypted password can't be obtained in the first place, what does the attacker have to work with?

    In the second case the only way I see for the attack to be successful is if access to the software is given such that a brute force attack is allowed to continue indefinitely. And in the second case, it doesn't really matter how recently you changed your password.

  • Re:USB keys (Score:5, Insightful)

    by Carmody ( 128723 ) <slashdot.dougshaw@com> on Sunday September 07, 2003 @12:01PM (#6893236) Homepage Journal
    Most of the users in my environment simply write all their passwords on a piece of paper and stick them to their computer.

    Problem solved!


    You laugh, but in certain contexts, that is the easiest way to go, and not that bad, security-wise.

    For example, I post on slashdot. I need a password, so pranky kids don't post under my name, saying rude things. Fine. Now let's say I wrote the password on a piece of paper, taped to my monitor.

    Who sees my monitor? The custodian. I know Bernadette - she is a nice lady and isn't going to hack my slashdot account. My colleagues? They haven't the slightest interest in doing such a thing, nor do they have the time.

    There are also low-stakes passwords. If my net-flix password got out, you all could ADD AND DELETE MOVIES FROM MY QUEUE! Oh the horror! If someone wanted my net-flix password, they could break into my office and find it in a .txt file on my computer desktop. But once I noticed my queue had been changed, I would alter the password.

    Obviously, I am careful with my bank password, etc. But otherwise, I don't see why it's so bad to have low-security when high-security is unwarranted.
  • Re:use a token (Score:2, Insightful)

    by Pendersempai ( 625351 ) on Sunday September 07, 2003 @12:20PM (#6893405)
    For those really secure passwords, I look around in my office, pick a token, and use something from it as a password

    This is a terrible, terrible way to pick a password that needs to be secure. It's the first thing anyone will mimic after they've tried your name, your birthday, your pet's name, etc.

    It's one of the classic examples of what NOT to do.

  • Re:USB keys (Score:2, Insightful)

    by zootread ( 569199 ) <zootread@nOspam.yahoo.com> on Sunday September 07, 2003 @12:28PM (#6893502)
    I haven't been cracked yet.

    The problem is not that you're going to get cracked. The problem is that one of your passwords may be sniffed out, and since you've used that password in more than one place, all those other places can be compromised. Every one of your accounts with sensitive information should all have unique passwords that you use nowhere else.
  • by Minna Kirai ( 624281 ) on Sunday September 07, 2003 @02:25PM (#6894302)
    Biometrics are essentially useless for over-the-net identity verification because you have no way of knowing whether the equipment on the other end has been tampered with.

    That's why biometrics should only be used in an environment with physical security of the client-side hardware (airports, factories, etc. And maybe even ATMs).

    However, another critical failure of biometric IDs is that they are yet another form of "security through obscurity". With a good security system, you could recover from a total theft of the password file as soon as all users select new keys.

    Biometrics makes changing your password impossible- once compromised, it's compromised FOREVER. (Painful & dangerous surgical intervention aside). If your network relies on iris-scanning for authentication, what do you do if 2-3 users have their ophthalmologist's records stolen? (Replace the whole thing with a fingerprint scanning system, which will be almost secure until an employee dines in a public restaurant)

    This is especially important because users don't just stay at one job forever. They move around over the course of a career, often working for competitors in the same industry. With a sense of healthy paranoia, one should assume that all prior employers of a potential recruit will have her biometric descriptions still buffered in THEIR OWN security files.

    Sure, there will probably be a law forcing biometric identifiers to be purged once the user ends affiliation with your group, but a diligent security designer shouldn't rely on everyone else deleting those files with no trace.
  • by Anonymous Coward on Sunday September 07, 2003 @02:43PM (#6894386)
    Biometrics is a dumb idea, it does take a rocket scientist or a hacker to figure out the flaw.

    Using biometrics would mean you have a single password for your entire lifetime. No matter how long the digital code is, someone will figure it out. Whether from a trojan in an internet cafe or from a bank ATM that printed out your account and password and dumped it into the trash.

    You can never change your biometric password. Think about that!

  • by Daniel_Staal ( 609844 ) <DStaal@usa.net> on Sunday September 07, 2003 @02:44PM (#6894392)
    It can't start with numbers, have duplicates, and more stupid conditions. Even a password like w4Pl3w2abn would be rejected because it contains "w" twice and a and b in order.

    At some point that's going to be counter productive: they are narrowing the password space so much that a brute force attack will become effective, if it knows the rules. (Quite simply there are so many passwords not allowed that the 'available' list is small enough to search.)

    Personally, most of my passwords are quite easy to guess, but I don't consider the accounts secure. On the few 'secure' accounts I have the passwords are much stronger, and all unique.

  • by tiggles ( 301532 ) on Sunday September 07, 2003 @03:01PM (#6894511) Homepage
    I doubt anyone will get down to reading this but too much of this discussion is being approached from the wrong side. A password of 2 simple English words (i.e. treecat) would be enough to require a dictionary attack of 500 000 tries (1000 common words squared or better yet, 3 words for 500 000 000). Enough time that a dictionary attack could be detected because regular users always give up after 12 or so failed tries.

    If 12 failed attempts in an hour required you to call IT to reset the counter then 500 000 attempts now takes 40 000 hours or 40 000 calls to IT; either of these makes it unusable as a hacking route. Even a distributed attack would only get 12 tries an hour on jdoe's account. The worst side effect would be jdoe getting locked out while his account was being hacked (rather a DoS attack that way... which is a different problem and not my forte)

    Why is attack detection not given more attention than making users remember noisy passwords?
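The lockout scheme the comment above sketches (about 12 failed tries per account per hour, then a call to IT to reset the counter), as an added example that is not part of the original thread: a per-account sliding-window failure counter replayed over constructed log lines, plus the arithmetic for how many hours a given guess budget takes at the permitted rate. The log format, account names and addresses are all made up for the example.

```python
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 12            # failures tolerated per account inside one window
WINDOW = timedelta(hours=1)  # sliding window length


class LockoutTracker:
    """Per-account sliding-window failure counter.

    An account that accumulates MAX_FAILURES failures within WINDOW is locked
    and stays locked until reset() is called (the 'call IT' step); a successful
    login clears the account's pending failures.
    """

    def __init__(self):
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked = set()

    def attempt(self, account, ts, success):
        """Record one login attempt and return 'ok', 'fail' or 'locked'."""
        if account in self.locked:
            return "locked"
        recent = self.failures[account]
        while recent and ts - recent[0] > WINDOW:   # age out failures older than WINDOW
            recent.popleft()
        if success:
            recent.clear()
            return "ok"
        recent.append(ts)
        if len(recent) >= MAX_FAILURES:
            self.locked.add(account)
            return "locked"
        return "fail"

    def reset(self, account):
        """Administrative reset, e.g. after the user phones the help desk."""
        self.locked.discard(account)
        self.failures[account].clear()


def parse_line(line):
    """Parse a constructed log line: '<ISO timestamp> <account> <source ip> <OK|FAIL>'."""
    ts, account, ip, result = line.split()
    return datetime.fromisoformat(ts), account, ip, result == "OK"


def replay(lines):
    """Feed log lines through a fresh tracker; return it and the per-line outcomes."""
    tracker = LockoutTracker()
    outcomes = [(acct, tracker.attempt(acct, ts, ok))
                for ts, acct, _ip, ok in map(parse_line, lines)]
    return tracker, outcomes


def hours_to_exhaust(guesses, per_hour=MAX_FAILURES):
    """Hours an online guessing run needs when the lockout permits per_hour tries."""
    return math.ceil(guesses / per_hour)


# Constructed sample log (not from the article): a distributed guessing run
# against jdoe from many addresses, a user who mistypes twice, and a slow
# trickle against bob whose early failures age out of the window.
SAMPLE_LOG = sorted(
    [f"2003-09-07T10:{m:02d}:00 jdoe 198.51.100.{m + 1} FAIL" for m in range(13)]
    + ["2003-09-07T10:13:00 jdoe 192.0.2.10 OK",       # the real jdoe, now locked out
       "2003-09-07T12:00:00 jdoe 198.51.100.99 FAIL",  # still locked until IT resets it
       "2003-09-07T10:05:30 alice 192.0.2.20 FAIL",
       "2003-09-07T10:06:00 alice 192.0.2.20 FAIL",
       "2003-09-07T10:07:00 alice 192.0.2.20 OK"]
    + [f"2003-09-07T08:{m:02d}:00 bob 203.0.113.7 FAIL" for m in range(11)]
    + ["2003-09-07T09:30:00 bob 203.0.113.7 FAIL"]     # older than WINDOW: never locks
)

if __name__ == "__main__":
    tracker, outcomes = replay(SAMPLE_LOG)
    for acct, result in outcomes:
        print(acct, result)
    print("locked accounts:", sorted(tracker.locked))
    print("hours for 500 000 guesses at 12/hour:", hours_to_exhaust(500_000))
```

The replay also shows the side effect the comment mentions: the legitimate jdoe login at 10:13 is refused because the attacker's failures, not the user's, filled the window.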
  • by stickb0y ( 260670 ) on Sunday September 07, 2003 @04:04PM (#6894805)
    (Part of a rant I originally posted to Ars Technica's forums. [infopop.net])

    I admit that I know nothing about business, but it seems clear to me one of the primary goals should be to to make it as easy as possible to separate willing customers from their money. If people want to give you money, don't make them jump through hoops.

    For example, an alarming number of sites I've visited require me to create an account to buy something. This is a turn-off.

    • For a first-time shopper who may never visit your site again, it's an extra, unnecessary step.

    • An account implies that my name, address, telephone number, email address, and credit card number are stored on file. No thanks.

    • Creating an account means I have to supply a password. This means that I either make up a new password (which I will need to remember but won't should I ever return), or I re-use a password I've used elsewhere. In other words, that's either one more password I need to remember or one more place where someone can steal it.

      I have no evidence of this, but I suspect at least 90% of people re-use passwords. As a consequence, I must ask myself: do I trust your site with my password? (It suddenly strikes me as odd that I would trust a site with my credit card number but not my password, but I do.) Even if the answer is yes, that's one more decision the customer who has already decided to buy something from you has to make; that's one more point where the customer can change his/her mind.

    Please, don't require accounts. Provide them as a convenience to repeat customers, but don't make them a barrier to first-timers. Make the first- timers happy, build up trust, and they'll be more likely to come back.

    (If you do use accounts, it would be reassuring to know if your site hashes or encrypts passwords before storing them.)

  • by CommieOverlord ( 234015 ) on Sunday September 07, 2003 @04:41PM (#6894988)
    If it is possible to brute force a password (either because the cracker has a copy of the encrypted password or because they are allowed to repeatedly try passwords), then changing passwords frequently is required for security. Yes, it really does matter.

    Let's pretend you have a password for a system and a cracker gets ahold of the encrypted password. The cracker has to spend x time decrypting the password. If you change your password halfway through, then the password the cracker gets is now invalid. They have to start all over again with the new password.
  • by k8to ( 9046 ) on Sunday September 07, 2003 @04:49PM (#6895030) Homepage
    There are other issues.

    For example, if someone manages (as a lucky break) to snarf your password running across the internet logging into a financial site, they could simply have access to private data indefinitely until you change the password. At this point the password would have to be re-acquired for monitoring to continue, which is overall unlikely.

    Depending upon the situation, password change can greatly shrink the window of exposure.

    As for the continued brute forcing, sometimes there is a latency between the changing of the access requirements and the access to that change by the crack-attempter.
