Security

Users feel Password Rage

Pcol writes "The Baltimore Sun is reporting on Password Rage, the frustration users have with the abundance of codes they are required to memorize. Some cope by remembering their passwords with the help of a tune or a phrase, some use three or four levels of passwords with the most complex protecting financial information, and others keep all their passwords in a database - protected by a password. Security experts say that with the increased use of biometrics, our reliance on passwords will lessen in the future. Until then, it's ok to cheat - but wisely."
  • USB keys (Score:5, Interesting)

    by chrysalis ( 50680 ) on Sunday September 07, 2003 @09:52AM (#6892495) Homepage
    USB keys are really neat to store keys (PGP, SSH, etc) .

    This is definitely the handiest way to replace multiple passwords.
  • Wallet (Score:5, Interesting)

    by spoonist ( 32012 ) on Sunday September 07, 2003 @09:53AM (#6892499) Journal

    Store them in your wallet like Bruce Schneier [counterpane.com] does.

    Note: I don't store mine in my wallet, so keep your hands to yourself!

  • by JessLeah ( 625838 ) on Sunday September 07, 2003 @09:54AM (#6892500)
    I had an ex-boss-- the CEO of a dot-com-- who simply hated passwords. Her solution? Set up all of our workstations without a password at all, or with the same password, which never changed. (The password was the name of the company.) This was in an office in New York City, which we shared with other companies.

    Apparently, this hatred of passwords had even spread so far as the techs-- when I joined the company, I almost immediately found that one of our three servers (running Windows NT 4.0 Server, no less) had NO Administrator password whatsoever.

    Users simply do not understand why passwords are important. They are completely unaware of the concept of a bad password (say, "apple") being cracked by a dictionary attack, and then being used as a stepping stone to gain root (at which point it's all over). I run a Web host myself, and I constantly have to explain to users why good passwords are important. And this problem has gotten much worse with time (at present my company is 5 years old).

    People generally have the attitude of "Oh, who would try breaking into my account, I just have some photos of my cat there." Maybe so, but if your account has a one-word password, and you have shell or FTP access to the system, Bad Things could happen if your account was compromised...

    And then, of course, the techs (us!) would get blamed.
  • Old Problem (Score:4, Interesting)

    by R2.0 ( 532027 ) on Sunday September 07, 2003 @09:58AM (#6892522)
    Former job: had access to 3 different database systems and the LAN. Passwords had to be changed every month, and no repeats were allowed for 6 months.

    Result: ALL my systems used the same password, and it was of the form [lastname+sequential 2 digit number]

    I was in blatant violation of the password policies, but they were unworkable. Policy was: different passwords for each system, composed of a random string of letters, numbers, and symbols. Add in changing it every month, and you get the picture.

    And BTW - everyone on site, even the IT dept., did it the way I did.
  • use a token (Score:5, Interesting)

    by neglige ( 641101 ) on Sunday September 07, 2003 @09:59AM (#6892524)
    For those really secure passwords, I look around in my office, pick a token, and use something from it as a password. Could be the ISBN number from my favourite book. Could be a book title. Could be the favourite track on a CD (or the MD5 sum of your favourite MP3). The model of your monitor. Anything. It's unlikely you will forget which token you used and what from that token you took as a password. If you really forgot, just take a look around, and you'll remember.

    This assumes, of course, that there are passwords that you only need at work, and not at home (and vice versa). It's a start, though, and reduces the number of passwords you really need to memorize.
  • A few thoughts (Score:5, Interesting)

    by arvindn ( 542080 ) on Sunday September 07, 2003 @10:01AM (#6892536) Homepage Journal
    OnceUponATime, I used to have a password dictionary for download, here's the thoughts on passwords I'd written on that page:
    Humans are horrible at selecting and using passwords. We have to live with passwords, however, since no other authentication mechanism is good enough to find use outside niches. (Let's face it: when humans interact with computers, we still have to go more than halfway to meet them.) We keep forgetting passwords, because we aren't really good at remembering lexical/numerical data. There are three things people do about this: write passwords down, choose weak passwords and choose the same password for several unrelated accounts. All of these are bad. Very bad.

    Choosing the same password for different accounts is particularly bad. I imagine script kiddies have well-maintained databases of username:password pairs going around. (If they don't, at least the NSA has one.) I remember reading somewhere about how someone could easily acquire a sizeable list of username:password pairs. Set up a website offering free porn. No popups or other annoyances, but require users to create an account before being able to access much. Get word out about your site. Bingo. There you go.

    A lot of websites store their users' passwords as plaintext. If crackers were conscientious enough to update a centralized list every time a website got cracked, I suppose anyone who uses the same password everywhere can be more or less certain that the black hats have got it.

    I'm guilty of reusing passwords myself. I use one of only about 3 or 4 for accounts on random websites, but at least I use different ones for the machines on which I have any data that matters. The alternative of remembering all your account:password pairs is simply too much work. Browsers that fill in your password for you alleviate the problem somewhat, but if you browse from a lot of different accounts it's still a pain.

    As a sysadmin there is nothing much you can do about users writing down passwords or reusing them (except perhaps lecturing), but you can ensure that they don't choose weak passwords.
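arvindn closes with the one thing a sysadmin can actually enforce: rejecting weak choices at password-set time. The block below is an added example of such a check, not code from this thread or from any of the posters. It catches the cases named earlier in the discussion: a plain dictionary word such as "apple", the same word with digit-for-letter substitutions, a surname with a two-digit counter (R2.0's scheme), a bare four-digit year, and keyboard runs. The word list is a constructed stand-in for a real cracking dictionary, and the `user_names` argument is an assumed parameter carrying whatever the system already knows about the account holder (login, surname, company name).

```python
import re

# Constructed mini word list standing in for a real cracking dictionary.
WORDLIST = {"apple", "pears", "sophia", "password", "qwerty", "letmein"}

# Substitutions every cracking tool already tries, so they add no strength.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
             "abcdefghijklmnopqrstuvwxyz", "0123456789")


def normalize(pw):
    """Lower-case and undo digit/symbol substitutions: 'P@ssw0rd' -> 'password'."""
    return pw.lower().translate(LEET)


def weak_reasons(pw, user_names=()):
    """Return the reasons a candidate password would be rejected; an empty
    list means it passes.  user_names: strings an attacker would know about
    the account (login name, surname, company), assumed to be supplied by
    the caller."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    stripped = re.sub(r"\d+$", "", pw)          # 'smith01' -> 'smith'
    candidates = {normalize(pw), normalize(stripped)}
    if candidates & WORDLIST:
        reasons.append("dictionary word, possibly with substitutions or trailing digits")
    known = {n.lower() for n in user_names}
    if candidates & known:
        reasons.append("derived from a name an attacker would try first")
    if re.fullmatch(r"(19|20)\d\d", pw):
        reasons.append("a four-digit year")
    if re.fullmatch(r"(.)\1+", pw):
        reasons.append("one repeated character")
    core = pw.lower()
    if len(core) >= 4 and any(core in s or core in s[::-1] for s in SEQUENCES):
        reasons.append("keyboard or alphabet run")
    return reasons


def is_acceptable(pw, user_names=()):
    return not weak_reasons(pw, user_names)


if __name__ == "__main__":
    for pw in ("apple", "4pple", "P@ssw0rd", "smith01", "1952", "whntfbfi"):
        print(f"{pw!r:12} {weak_reasons(pw, ['Smith']) or 'ok'}")
```

Two things worth noticing when running it: the passphrase acronym "whntfbfi" from later in the thread passes, which only says it is not in this small list, not that it is strong; and "P@ssw0rd" fails, because undoing the substitutions is the first thing a cracking rule set does. Checks like this set a floor under user choice; they do not measure entropy.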

  • Biometrics (Score:3, Interesting)

    by rikun ( 704741 ) on Sunday September 07, 2003 @10:01AM (#6892538)
    Biometrics do seem to be the solution to this problem. The problem in itself is PATHETIC, people who put no password or easy ones deserve to be hacked, or deserve to be fired, or whatever happens. It's not THAT big of a hassle.

    Anywho, there is already some biometric hardware out for people to buy, if no one has seen it yet: http://www.thinkgeek.com/computing/input/keyboards/5f11/ [thinkgeek.com] plus ThinkGeek has an iris recognition camera, and a stand-alone fingerprint authenticator. The only real problem is that they're all $100+, and I'm not quite sure if all of those people are willing to pay that much money to rid themselves of a problem that can be so easily fixed for free.

    I can't say I'd mind biometrics getting cheaper and then doing that, though... heh.
  • by Herrieman ( 167396 ) on Sunday September 07, 2003 @10:02AM (#6892540) Homepage
    Biometrics on its own is still one-factor, and thus weak, authentication. To make it strong authentication, you still have to add:

    - something you have (such as a token) or
    - something you know (such as a password or pin :))

  • Re:USB keys (Score:4, Interesting)

    by neglige ( 641101 ) on Sunday September 07, 2003 @10:02AM (#6892543)
    If you have a PDA, use software to store the (encrypted) passwords. And make damn sure your PDA won't get stolen :)
  • Silly... (Score:5, Interesting)

    by mraymer ( 516227 ) <mraymer&centurytel,net> on Sunday September 07, 2003 @10:02AM (#6892544) Homepage Journal
    Memorization is one of the easiest skills that the human brain is capable of. I think a lot of the frustration with passwords (and computers in general) is simply due to users lacking confidence.

    Ever notice that the people who always forget passwords are the same ones that, when presented with one, will say "I'll never remember that!"

    Granted, some people have better memories than others, but a little more confidence couldn't hurt. When a person says "I'll never remember that" they're basically choosing not to.

  • by JessLeah ( 625838 ) on Sunday September 07, 2003 @10:10AM (#6892580)
    Post-it notes by keyboards don't bother me so much, unless they are on mission-critical accounts, in situations where untrusted individuals (e.g. janitors, or the public, as in the case of someone who works at an Internet Cafe/public library/school) can get to them.

    What bothers me is when users use passwords like "sophia" or "pears" or "1952" and then expect ME to safeguard their accounts... AND to make matters worse they have zero clue about the risks they are placing OTHER accounts in by doing so.
  • by Anonymous Coward on Sunday September 07, 2003 @10:14AM (#6892601)
    Pick a memorable phrase. Like "we have nothing to fear but fear itself".

    Use the first letter of each word in the phrase as your password at site #1. Use the second letter of each word at site #2. Using that phrase the passwords would be:

    whntfbfi
    eaooeuet

  • Re:USB keys (Score:5, Interesting)

    by TCM ( 130219 ) on Sunday September 07, 2003 @10:23AM (#6892632)
    How does this protect against malware reading it off your USB stick _and_ using it? Right, you protect your private PGP key with.. a password!

    The only thing that comes to mind that's even remotely sophisticated is an "intelligent" USB stick, so to speak. It contains your private key and never gives that out to anything. Instead, it gets fed a challenge, encrypts it using the key and sends it back to the computer where the corresponding public key is stored.

    Is anyone using something like this on a regular basis (for his home server/desktop)?
  • Re:Old Problem (Score:2, Interesting)

    by Anonymous Coward on Sunday September 07, 2003 @10:25AM (#6892645)
    I feel your pain, I've been there. When I took charge of our network, things changed quite a bit. I implemented the scheme recommended in the NSA guides [conxion.com], where you force a change every 90 days and disallow repeating of the last umpteen passwords (don't remember the exact number offhand). The theory is to encourage strong passwords by giving them enough time between changes so the users don't feel like they're having to remember a new password every other day. Our users are much happier, and they actually do use stronger passwords now.

    The biggest problem we have now is people being too quick to offer up their passwords. I've started randomly asking people what their password is, and if they tell me, they get a lecture on how I will *never* need their password, and to never tell anyone and why, then I make them change it immediately. It pisses them off (don't do this to the company president), but they get the point very clearly. Most people now roll their eyes and walk away when I ask, so it seems to be working.
  • Re:Silly... (Score:5, Interesting)

    by Zachary Kessin ( 1372 ) <zkessin@gmail.com> on Sunday September 07, 2003 @10:29AM (#6892665) Homepage Journal
    Problem is we are good at memorizing patterns. And patterns are easy to guess. When Richard Feynman tried to crack the safes at Los Alamos he found that a very large number of them were set to 31 41 59 or 27 18 28 (pi and e). We are good at memorizing things because we expect to find patterns, which makes it easy to attack the password.

    Now if you are clever you can change things just enough, or say put in letters of two languages. But most people just pick something stupid and go with it.

    I will admit to having a throw away password, that I use when I need a password for something I don't care about.
  • Re:USB keys (Score:4, Interesting)

    by gl4ss ( 559668 ) on Sunday September 07, 2003 @10:36AM (#6892689) Homepage Journal
    and you should trust the computer you stick that stick in anyways.

    one guy i used to know had a system (5-7years ago?) of cycling passwords on his computer, so that if somebody found out one of the passwords it didn't really help the thief shit; banks use this type of system frequently.
  • Re:Wallet (Score:5, Interesting)

    by amcguinn ( 549297 ) on Sunday September 07, 2003 @10:40AM (#6892707) Journal

    And check his reasons for doing it: A wallet is a secure container for things you don't want to lose or have stolen. If I lost my wallet, the handful of medium-high importance passwords I would compromise would be among the least of my worries.

    Using the same passwords for multiple different services is much more dangerous, and no-one could possibly memorise unrelated secure passwords for everything needed. I need about 20 just to do my work, and I'm usually required to change one or two of them every week.

    The worst was my office voicemail. I rarely used it, and the required password change frequency was set so high that it demanded a new password every single time I tried to pick up a message. The end result was I turned the fscking thing off as it wasn't worth the effort to use.

  • by Darth Fredd ( 663620 ) <DarthFredd.gmail@com> on Sunday September 07, 2003 @10:42AM (#6892714) Journal
    ..a password-keeper. Has a master entrance code, and a "self-destruct" sequence.

    http://www.thinkgeek.com/gadgets/security/5a60/

    Since it comes from thinkgeek, you'll be supporting OSDN, and besides, anything with a self destruct sequence is cool. Really, really cool.
  • I have to agree. It is the user that continually supports web sites, .zip files, system logons, voicemail systems, corporate intranets and so on all of which perpetuate the password issue.

    Perhaps a discussion of boycott will motivate web designers and other developers to consider picture matching and other forms of authentication and help do away with the over-passwording...

    Then the end user will stop supporting poor interface design, and cease to be the (second) weakest link.

  • My Pet Peeve (Score:2, Interesting)

    by jbrayton ( 589141 ) on Sunday September 07, 2003 @11:24AM (#6892986) Homepage

    I understand why most passwords are needed. I also understand why needed passwords need to be difficult to guess (and therefore difficult to remember).

    That said, I get very irritated when web sites require you to set up a user account, supply an email address, and remember the username and password for that account just to access some information.

    For example, to get to many of Oracle's technical documents on technet.oracle.com [oracle.com], one needs to have a password-protected user account. The account is free, but its only purpose appears to be to allow them to track users. I really wouldn't care if someone broke into my Oracle account, as all it lets them do is search Oracle technical documents. This is just one example.

    A few previous posters have noted that strict memorization of passwords is not that difficult. I don't dispute that fact. But my password database has, literally, about a hundred passwords. It grows regularly. I could certainly study the list, but who has time -- especially as the list grows and the passwords need to be frequently changed.

    I hope that SSL/SSH client authentication alleviates the need to memorize passwords to some extent. The difficulties are that users use multiple computers, and that the client software to manage this is more difficult to use than many are prepared to deal with.

  • by praedor ( 218403 ) on Sunday September 07, 2003 @11:32AM (#6893014) Homepage

    Three things that would be a nice replacement for passwords in every day life. Of the three, the easiest/nicest would probably have to be access card. We are beginning to use them in the military - our new IDs act as our access card. The biometric data on the card need not be intrusive (certainly less so than military ID cards) for common use. States could standardize on using a common driver's license with a chip on it with no more information stored in it than is on a normal driver's license. This and a single pin number would suffice.


    Quicker and/or easier...computers come with a card reader and you can just purchase or get a dedicated access card when you get a new computer/reader. Each card could simply contain some generic, unique data in it that combined with a pin is all you need. If using a standard card/data system then all corporations, schools, etc, could adopt it. One card, or just a few, no more onerous than carrying around several credit cards, insurance cards, etc. The only thing you need to memorize is one or two pins. Tied to public key (no M$ DRM server-type nonsense), best to use PGP/GPG to keep it open and universal, and you are set.


  • C D B (Score:2, Interesting)

    by Aetrix ( 258562 ) on Sunday September 07, 2003 @12:44PM (#6893646) Homepage
    Let me recommend a book for anyone having serious issues with inventing and memorizing secure passwords.

    William Steig wrote a wonderful series of books which were like cryptograms. When you read a seemingly random string of numbers and letters you would have a full sentence.

    For example:
    CDB! (See the bee!)
    D B S A B-Z B (The bee is a busy bee.)
    O, S N-D! (Oh, yes indeed!)

    The phrases become increasingly complicated and start adding numbers and symbols.

    CDB has been the definitive guide to helping me choose passwords that are secure and I will easily remember them. For example, on one machine that was sitting underneath a poster of Corn from around the world, the password WAS (And is no longer...) e10a3-rfrn. (eating an ear of corn).

    CDB! [amazon.com]
  • My approach (Score:2, Interesting)

    by kilf ( 135983 ) on Sunday September 07, 2003 @12:57PM (#6893745) Homepage

    I remember one password for all websites- BUT- I add a few characters from the website name to the password. So I've generated a unique password for each site, but only have to remember one.

    e.g. for Slashdot.org the password might be "Sdogn4meD" and for mybank.com it might be "Mdogn4meB", etc etc.
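kilf's scheme works until one of those sites leaks its password table, which arvindn noted earlier many sites store in plaintext: the fixed middle is then visible and the site-dependent letters follow an obvious rule. The block below is an added example, not kilf's code or anything from the original page. It reconstructs the scheme from the two sample passwords, shows how one leaked value yields the others with no cracking, and contrasts it with deriving per-site passwords from the master with PBKDF2. The `derived_password` function, its iteration count, its output length and its use of the site name as salt are all assumptions made for illustration.

```python
import base64
import hashlib


def kilf_style(base, site_words):
    """The per-site scheme from the comment above: one remembered secret
    wrapped in the initial letters of the site name.  ('Slash', 'Dot') with
    base 'dogn4me' gives 'Sdogn4meD'; ('my', 'bank') gives 'Mdogn4meB'."""
    first, second = site_words
    return first[0].upper() + base + second[0].upper()


def attacker_guess(leaked_password, target_site_words):
    """What an attacker holding one leaked password does once the pattern is
    obvious: strip the two site letters, keep the shared middle, and re-wrap
    it for the target site.  No cracking needed."""
    shared = leaked_password[1:-1]
    return kilf_style(shared, target_site_words)


def derived_password(master, site, length=16, iterations=100_000):
    """Per-site password derived from a master secret with PBKDF2-HMAC-SHA256
    using the site name as salt (assumed parameters for this example).  One
    leaked derived password exposes neither the master nor other sites'
    passwords without an offline brute-force attack on the master."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(), iterations)
    return base64.b64encode(key).decode()[:length]


def demo():
    """Returns (wrapper scheme falls to one leak, derived passwords differ,
    one derived password's middle appears in the other)."""
    leaked = kilf_style("dogn4me", ("Slash", "Dot"))      # stolen from one site
    bank_guess = attacker_guess(leaked, ("my", "bank"))
    bank_real = kilf_style("dogn4me", ("my", "bank"))
    a = derived_password("dogn4me", "slashdot.org")
    b = derived_password("dogn4me", "mybank.com")
    return bank_guess == bank_real, a != b, a[1:-1] in b


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The derivation still has a single secret. An attacker who obtains one derived password and knows the scheme can run an offline search for the master, so the master must be long, and PBKDF2 only slows that search rather than preventing it. Rotating one site's password also means either changing the master everywhere or adding a per-site counter to the salt.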

  • by Max Webster ( 210213 ) on Sunday September 07, 2003 @01:10PM (#6893847)
    I wonder if someone will come up with "reverse dictionary attacks". That is, generate random combinations of letters, numbers, and symbols, and then discard all the dictionary words, words with 1 digit, repeated letters, proper names, words with substituted digits, etc. Make the password policy strict enough, and at some point this might become faster than a dictionary attack on a system without so many rules.
  • Re:use a token (Score:1, Interesting)

    by Anonymous Coward on Sunday September 07, 2003 @01:23PM (#6893924)
    One of the oldest encryption techniques in the world was the "book technique". The encryption key was based on a line or page from a book that the sender and receiver both know. If you don't know what book, page, and line they used, it was extremely difficult to figure out the key.

    I use a similar technique to generate passwords. I use alphanumeric combinations based on lines from a book. I know what book, but I never write it down; the database I use for reference lists page number and line (in case I forget) and has new unused passwords prelisted, so I don't have to reference the book very often and always have new ones handy.

    It may not work for everyone, but it works for me.
  • Re:use a token (Score:4, Interesting)

    by PurpleFloyd ( 149812 ) <zeno20NO@SPAMattbi.com> on Sunday September 07, 2003 @02:28PM (#6894316) Homepage
    So someone would go through every item in your office, trying to find possible alphanumeric strings that might be a password, and type it in? Using a password like "CD" or "book" is a very bad idea, but using the password "0441328008-sand" (the ISBN of my copy of Heretics of Dune, which I just picked at random out of my 1000+ books, plus a random word relating to the book), isn't something that's easily guessable.

    Furthermore, until it gets firmly implanted in my tactile memory, I just have to remember "Heretics of Dune" rather than a long ugly string of numbers. Things aren't nearly as easy for an attacker, though. Any attacker looking to get my password would have to first know that it is a book they're looking for, then go through every single book I own, typing in likely numbers (not only the ISBN, but also the barcode, and any other likely numbers; for example, I might work the price in there somehow).

    Also, an attacker would have to have physical access to my home for a good long time to even know what books, CDs and other things I own. The set of all possible passwords, although restricted compared to a truly random string, is still incredibly massive and would take a long time to crack with a dictionary attack. Assuming I change the password every 2 to 3 months, the attacker would be better off looking for exploits to bypass the password mechanism entirely.

  • Re:USB keys (Score:3, Interesting)

    by iabervon ( 1971 ) on Sunday September 07, 2003 @03:13PM (#6894580) Homepage Journal
    Not quite true; with a challenge/response system instead of a fixed password, malware may take advantage of the authentication you performed through it, but does not get information which could be used to reproduce the authentication later.

    Using a device with computation power and storage can increase the security, because it can perform computations which a person either couldn't perform or couldn't remember the information for. Of course, a human could use a challenge/response system (challenge: page, paragraph, line, word; response: the word at that position from a book the two ends both have; used to be popular), and a device could use a password, in which case the device would be weaker against malware.
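TCM's "intelligent" USB stick and iabervon's reply describe a challenge-response protocol: the host sends a fresh challenge, the token answers with its never-exported key, the host checks the answer. The block below is an added example, not code from the thread or from any product, that models both ends of that exchange and then checks what malware on the host can and cannot do with it. It assumes an HMAC with a secret shared between token and host in place of the private-key signature the comment describes; the message flow and the replay property are the same.

```python
import hashlib
import hmac
import secrets


class Token:
    """Stand-in for the 'intelligent' USB stick: the secret is loaded once and
    the only operation offered is answering a challenge.  HMAC with a shared
    secret is an assumption for this example; a real token would sign with a
    private key that the host checks against the stored public key."""

    def __init__(self, secret: bytes):
        self._secret = secret          # no method ever returns this

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Host:
    """The machine being logged into.  It issues fresh random challenges and
    accepts each one at most once, which is what defeats replay."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self._outstanding.add(c)
        return c

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False               # never issued, or already consumed
        self._outstanding.discard(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(host: Host, token: Token):
    """One honest exchange.  Returns the result plus the bytes an
    eavesdropper on the USB bus would have seen."""
    c = host.new_challenge()
    r = token.respond(c)
    return host.verify(c, r), c, r


def demo():
    """Returns (honest login ok, replay of a captured exchange ok,
    malware using the plugged-in token ok)."""
    secret = b"constructed example secret, not a real key"
    host, token = Host(secret), Token(secret)
    ok, seen_c, seen_r = login(host, token)
    # Malware that recorded the exchange cannot log in later with it.
    replay = host.verify(seen_c, seen_r)
    # While the stick is plugged in, though, malware can ask it to answer a
    # fresh challenge itself (iabervon's point): the token cannot tell who asks.
    piggyback, _, _ = login(host, token)
    return ok, replay, piggyback


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The third result is why hardware tokens of this kind add a physical-presence button or a PIN entered on the device rather than on the host: it limits the malware to the moments the user actually touches the token. On the host side, forgetting issued challenges after one use (or binding them to a session) is what turns a captured response into dead data; a host that accepted any well-formed response would be back to a fixed password.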
  • Re:USB keys (Score:3, Interesting)

    by Tony-A ( 29931 ) on Sunday September 07, 2003 @05:10PM (#6895131)
    You laugh, but in certain contexts, that is the easiest way to go, and not that bad, security-wise.
    I don't see why it's so bad to have low-security when high-security is unwarranted.

    Personally, I think it's bad to have high-security where only low-security is warranted. I have systems where the computer name is the same as the user name is the same as the password, writ large on the keyboard. Part of effective security is limiting exposure as much as possible. For high-security, you want the minimum exposure possible, by the fewest people and for the shortest durations and for only very limited purposes. This has to mean that most everything is not that well secured.
    Your office has a certain level of security. Surely you've got a bunch of things that require better guards than say your slashdot password. You have an increased level of security in desk drawers that are closed.

    A secure password secures that one aspect only. It does nothing whatever to improve any other aspect of security, and to the extent that it gives a false sense of security, works strongly against overall security.

  • by E_elven ( 600520 ) on Sunday September 07, 2003 @05:46PM (#6895353) Journal
    The problem most people have with passwords is that they try to *remember* them. That's alright for, oh, four to six passwords for a more technically oriented person, but unfortunately a lot of people are not technically oriented and/or have more than six passwords.

    Solution? As with computers, the human brain is an interesting device; and there are always ways around things. I, therefore, propose using a proxy for storing passwords: the motoric memory.

    I always use 10-16 character passwords, rule is at least two numbers, two capitals, two lowercases and one special character. I have about 15 or 16 passwords I need to remember, a few of which I change monthly, and while I usually do actually remember all, the method I use for storing the information is in the beginning to actively only remember the first character of the password per each site, and let my fingers do the rest of the work on their own. I usually tap the password in a few times right after I set it (and usually jot it down on a piece of paper if I need a reference -I always destroy said piece of paper at the end of the day I set the password, and until that it's stored in the secret compartment of my change pocket.)

    Anyway, the point is: people can walk, run, swim, jump, write, play an instrument. All of those are subconscious motoric memories, and the capability can be easily used to store trivial things (compared to, say, walking, which requires hundreds of muscle movements) like a sequence of keys.

    For beginners (the 'cool, my new pc has a neat apple logo on it and it's got an integrated cupholder' folk you work with all day), actual keypress sequences can be devised -for example, left-index, right-ring, right-index, right-pinky, left-ring & right-pinky and so on; however, purely motoric (i.e. non-mnemonic) memory is better in the long run.

    Subconsciousness is the key. It works great for me until I can actually remember the password so I don't need a keyboard to write it -and I'd assert most people would never need to remember theirs at all. Of course, I've noticed slight problems since I started learning Dvorak :)

    --
    Most of us are just pseudonymous cowards.
  • by thisoneguy ( 684246 ) on Sunday September 07, 2003 @09:20PM (#6896478)
    I store a "password" list online. Instead of writing the password down, however, I put down something like "college addr##" against an entry and use some version of one of my many college addresses. Memorization is about tricks, and mnemonics are a common answer. I can't be bothered to remember the mnemonics so I write those down! It's odd, but so am I!
  • by JimBobJoe ( 2758 ) on Monday September 08, 2003 @12:26AM (#6897347)
    Why, then, do biometrics keep getting press?

    Yes, you're right in saying that it's partially because they are so sexy and that millions of development dollars are going into them...and there is quite a lot at stake. Biometric companies have to make sure that people trust their products for the job at hand, and they're putting their money to that task.

    People really do not understand security issues...they seem to think of security as a very basic transaction. If you click the link in my .sig, you'll find my security document theory whitepaper, which talks about photo ID cards. People think of the photo ID card concept in such simple terms, when it's really a very ugly, complex security model. (I have this theory that people are bedazzled by the photograph, and really don't think much about where that photograph came from. Honestly, you could probably do quite a lot of crimes if you had a laminated photo ID hanging around your neck. )

    With regards to biometrics, I believe the trust comes from the 1 to 1 correspondence idea. When an individual is professionally fingerprinted, and then later the same individual is professionally fingerprinted again, the likelihood that you would choose the wrong individual is very low, that's why fingerprints work so well in establishing identity of criminals. People assume that that can therefore be translated into some sorta security authentication system, which is simply not the case.

    A fingerprint is simply an image. Nothing more, nothing less. Yes, it's an unusual image, small and compact. Sometimes this image isn't scanned visually, but scanned 3 dimensionally (like with a small electrical current...that's how some of the more advanced fingerprint readers work.) But it's still a damn image. Same applies to retinal scans, facial recognition, palm prints (which then may combine heat with an image. Ooo. Temperature...how unusual.) Since a counterfeit photo ID card is really just a plastic card with...an image, how are biometrics any different?

    (Incidentally...how did photo ID cards become so popular? Cuz photo ID card manufacturing companies threw a lot of money at convincing us they're worthwhile. You didn't see the photo driver's licenses (in the US) until Polaroid came up with instant color photography.)
