
Password Memorability and Securability

Posted by Hemos
from the what-about-portability dept.
NonNullSet writes "Who would have thought that something new could be said about how best to select passwords? Ross Anderson of Cambridge University and some of his colleagues have performed new empirical studies and found some pretty non-intuitive results. For example:

1. The first folk belief is that users have difficulty remembering random passwords. This belief is confirmed.
2. The second folk belief is that passwords based on mnemonic phrases are harder for an attacker to guess than naively selected passwords. This belief is confirmed.
3. The third folk belief is that random passwords are better than those based on mnemonic phrases. However, each appeared to be just as strong as the other. So this belief is debunked.
4. The fourth folk belief is that passwords based on mnemonic phrases are harder to remember than naively selected passwords. However, each appeared to be just as easy to remember as the other. So this belief is debunked.
5. The fifth folk belief is that by educating users to use random passwords or mnemonic passwords, we can gain a significant improvement in security. However, both random passwords and mnemonic passwords suffered from a non-compliance rate of about 10% (including both too-short passwords and passwords not chosen according to the instructions). While this is better than the 35% or so of users who choose bad passwords with only cursory instruction, it is not really a huge improvement. The attacker may have to work three times harder, but in the absence of password policy enforcement mechanisms there seems no way to make the attacker work a thousand times harder. In fact, our experimental group may be about the most compliant a systems administrator can expect to get. So this belief appears to be debunked."
  • Freaking PDF files. (Score:5, Informative)

    by Anonymous Coward on Monday May 24, 2004 @09:48AM (#9237186)
    Freaking PDF files. Link [216.239.39.104] to a version translated into HTML. By the time this goes live, maybe the FTP will be slashdotted, too. Thanks, Google.

    I suppose I should make a comment. Okay, here it is: looks like users are still the weakest link in security. Whoever said that social engineering was the ultimate hack is a genius.
    • by QBasicer (781745)

      I don't think that will ever change, unless we use the bio scanning methods (iris scans and whatnot).

      I heard about DNA scans, but I can't see that working; it could be falsified. Even a fingerprint could be carried (cut off their finger if they wanted access enough).

      The strongest way to do it is with multiple methods (text password, then voice password, then the fingerprint scan, and then iris scan).

    • What does that make Kevin Mitnick [kevinmitnick.com]?

      Oh, yeah... I remember him. I forgot that guy existed after he was free and not a symbol of everything that was wrong with the legal system in the US.
      • Mitnick today (Score:5, Informative)

        by SoTuA (683507) on Monday May 24, 2004 @12:42PM (#9239023)
        is milking the conference circuit as hard as he can (it's how he makes his living now)

        He was briefly in Chile for a US$420 a seat conference, and the head of the Computer Science Dept. asked him if he could give the students a little talk.

        A representative answered exactly this:

        Thank you for your inquiry. Kevin is indeed in Chile next week, and would love to address your students. He does, however, charge a fee for his presentations (it's how he earns his livelihood). A standard presentation is 45 min. long plus 15 min. Q&A and covers the information presented in his book, The Art of Deception. The cost for a presentation like that is typically $15,000 US; however, due to the fact that you are an educational institution and Kevin will already be in the area delivering his other presentation, I could offer you a discounted price of $9,000 US (a savings of 40%) plus any related travel costs to/from your organization to his hotel.

    • by the_mad_poster (640772) <shattoc@adelphia.com> on Monday May 24, 2004 @10:13AM (#9237429) Homepage Journal

      I second the HTML version. Good old Adobe - popped up a nice little window in the background bugging me to update and stalled the IE process. Since the window went to the background, all I could see was the stalled process, and I killed IE, which, of course, closed all my windows. I hate pdf files...

      Anyway, here's a consideration: semi-disgruntled employees. For example, I'm not disloyal enough to actively seek to damage the company's systems or information, but with the way they treat employees, and the way my dysfunctional department operates, I'm not loyal enough to sit and try to think of strong passwords every month. So, I come up with creative ways to circumvent the draconian password policy instead. Ironically, some of my stronger passwords have been defeated by this overly strict ruleset and wound up with me simply appending a character to a weaker password to get around it.

      The lesson: draconian password policies hurt security and audit your password lists on a regular basis (at least randomly sample them regularly). Most of your users probably don't give a crap about their passwords because they don't give a crap about what happens to the company's systems and information.

  • Google (Score:5, Informative)

    by Mz6 (741941) * on Monday May 24, 2004 @09:49AM (#9237194) Journal
  • by MrIrwin (761231) on Monday May 24, 2004 @09:49AM (#9237199) Journal
    oops!
  • by Da Fokka (94074) on Monday May 24, 2004 @09:49AM (#9237202) Homepage
    Not RTFA has never been so easy! How am I supposed to have an uninformed opinion like this?!
  • quepasa (Score:5, Interesting)

    by JohnGrahamCumming (684871) * <slashdot AT jgc DOT org> on Monday May 24, 2004 @09:50AM (#9237214) Homepage Journal
    So take a look at quepasa [sf.net]. It combines remembering a passphrase with cryptographically generated passwords (SHA-256 hashing of the passphrase and account name followed by mapping of the hash to typeable characters).

    The combination means that I can always "recall" the password for any of my accounts using the quepasa application (all I remember is a single passphrase), and the passwords are not stored anywhere.

    John.
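The scheme John describes above, as an added example that is not quepasa's own code: one master passphrase, SHA-256 over passphrase and account name, digest bytes mapped onto typeable characters. The 64-symbol output alphabet, the length-prefixed input framing and the default length are assumptions of this example; the post does not say which characters quepasa emits. A second function shows the same derivation through PBKDF2, which is not part of the posted scheme: with a single fast SHA-256, anyone who obtains one derived password and knows the construction can test master-passphrase guesses offline at full hashing speed.

```python
import hashlib
import string

# 64 output symbols: every 6-bit value selects exactly one, so reducing a
# digest byte modulo 64 is unbiased.  The alphabet itself is an assumption
# of this example, not quepasa's.
ALPHABET = string.ascii_letters + string.digits + "!?"
assert len(ALPHABET) == 64


def _to_typeable(raw: bytes, length: int) -> str:
    """Map the first `length` bytes of key material onto ALPHABET."""
    return "".join(ALPHABET[b % 64] for b in raw[:length])


def derive_password(passphrase: str, account: str, length: int = 12) -> str:
    """Per-account password from one master passphrase, as the post describes.

    SHA-256 over passphrase and account name, then a mapping to typeable
    characters.  The account name is length-prefixed so the boundary
    between account and passphrase is unambiguous ("ab"+"c" vs "a"+"bc").
    """
    if not 1 <= length <= 32:
        raise ValueError("length must be 1..32 (one digest byte per character)")
    material = f"{len(account)}:{account}:{passphrase}".encode("utf-8")
    return _to_typeable(hashlib.sha256(material).digest(), length)


def derive_password_slow(passphrase: str, account: str, length: int = 12,
                         iterations: int = 200_000) -> str:
    """Same idea with a deliberately slow derivation (added hardening, not
    the posted scheme): PBKDF2-HMAC-SHA256 keyed by the passphrase, with the
    account name as salt, so each guess at the master passphrase costs
    `iterations` hash computations instead of one."""
    if not 1 <= length <= 32:
        raise ValueError("length must be 1..32")
    salt = f"{len(account)}:{account}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                              iterations, dklen=32)
    return _to_typeable(key, length)


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample passphrase
    for site in ("mail.example.com", "bank.example.org"):
        print(site, derive_password(master, site), derive_password_slow(master, site))
```

Changing the master passphrase changes every derived password at once, which is the "just change the passphrase" property claimed in the thread; the flip side is that every site password must then be changed the same day.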
    • Re:quepasa (Score:4, Insightful)

      by alexatrit (689331) on Monday May 24, 2004 @09:57AM (#9237270) Homepage
      Looking at the end result of this, how is it any different than typing up a list of randomly generated passwords in vim/notepad/whatever, and encrypting the list with gpg? You still have to run and check the program every time you want to login to a service. The passphrase supplied to quepasa could easily be that to decode your gpg-encrypted list of passwords.
      • Re:quepasa (Score:5, Informative)

        by JohnGrahamCumming (684871) * <slashdot AT jgc DOT org> on Monday May 24, 2004 @10:32AM (#9237625) Homepage Journal
        The differences are:

        1. There's no file stored anywhere containing the passwords, so you can't lose them, or have the file taken in order to get the passwords.

        2. You don't have to do the random creation of passwords in the first place.

        3. When it comes time to change passwords, just change the passphrase.

        John.

        • Re:quepasa (Score:5, Insightful)

          by bcrowell (177657) on Monday May 24, 2004 @10:52AM (#9237807) Homepage
          Also

          4. Encryption software tends to be hard to use, and to use it, you have to understand quite a bit about encryption. (What's a keychain? What's a public key? A private key? What do I do if my private key is compromised?)

          Personally I use a GPG-encrypted file, but quepasa does sound like a neat idea. My only misgiving about it is that it still requires users to have a clue, and the point of the article seems to be that having a clue (or caring enough to make an effort) is the limiting factor.

    • by Stargoat (658863) <stargoat@gmail.com> on Monday May 24, 2004 @09:59AM (#9237302) Journal
      The problem isn't with passwords. The problem is with the 40 year old women in the office who use their kids names over and over with different numbers at the end of the password, and then write even that simple to remember password down at their desk. The problem is with an HR department that doesn't care if IT policies are enforced, and management that doesn't care if HR isn't doing their job.

      If IT keeps warning, they're told to stop worrying. If something happens, IT is blamed. These morons (leaders) need to figure out that IT isn't something that helps them do business. Their business runs on IT. Without it, they have no business.

      • by ImTwoSlick (723185) on Monday May 24, 2004 @10:20AM (#9237513)
        The real problem is the forced password changes every 90 days (for me), and the half-dozen (at least) passwords I have to change every time. Thank God my IT doesn't check for reused passwords, or I'd have to resort to writing them all down, or picking insecure sequences.
      • by Gorbag (176668) on Monday May 24, 2004 @10:21AM (#9237521)
        Random passwords, password aging, etc. are indeed the problem. The human element is a constant, and humans aren't that good (these days) at memorization. So all you are doing by assigning a random password and/or aging, is making it more likely (bordering on certainty) the password is going to get written down and sticky taped to the monitor.

        Catchphrases are far easier to remember, and simple mapping of words to punctuation symbols and numbers can go a long way to personalizing even a catchphrase. IT should train appropriate passwords, and run crack to catch problems.

      • by hal2814 (725639) on Monday May 24, 2004 @10:23AM (#9237540)
        One of our computer systems requires changing passwords regularly. The people at our office have a tendency to write down a list of as few unique passwords as they must provide and "hide" this list either under their mouse pad or taped to their monitor. Some even have an arrow pointing to the current password. I feel much safer about the security of our other system that doesn't enforce changing passwords. At least then the hacker must look at a family album to determine the password instead of just looking under the mouse pad.
      • by Bronster (13157) <slashdot@brong.net> on Monday May 24, 2004 @10:25AM (#9237558) Homepage
        If IT keeps warning, they're told to stop worrying. If something happens, IT is blamed. These morons (leaders) need to figure out that IT isn't something that helps them do business. Their business runs on IT. Without it, they have no business.

        Actually, you're wrong. It's people that the business runs on in almost all cases. IT is a tool that makes people so much more efficient that processes now assume that it's available and most of those people don't know how to function without it (and more to the point the information they need to operate is stored in it rather than kept in folders on their desk where they could get at it).

        A design where authentication is centralised to a secure enough server and authentication attempts are throttled so that guessing attacks are restricted means that you don't _need_ such a draconian password policy. My work uses RSA SecurID for all logins from outside the corporate intranet. Within the intranet we're a little soft and squishy, but that's considered a lower cost than the cost of having to tell people their passwords all the time. And yes, we do have password policies, but they're not insanely complex.
      • The problem isn't with passwords. The problem is with the 40 year old women in the office who use their kids names over and over with different numbers at the end of the password

        (Why the slam on 40 year olds?)

        Anyway. The problem is with passwords--the fact that you're forcing someone who really doesn't want to and shouldn't be made to into picking a password. You should just randomly assign one, give it to the person, and tell them that this is THEIR password until it gets compromised.

        The 40-year old woman remembers her PIN, her SSN, and her street address. She can remember a "Strong Password"--she just can't choose one.
      • by hackstraw (262471) * on Monday May 24, 2004 @10:36AM (#9237664)
        The problem isn't with passwords. The problem is with the 40 year old women in the office who use their kids names over and over with different numbers at the end of the password, and then write even that simple to remember password down at their desk. The problem is with an HR department that doesn't care if IT policies are enforced, and management that doesn't care if HR isn't doing their job.

        <sarcasm>
        Yeah, I'm a super for an apartment complex, and I have these problems all the time. These fucking 40 year old women use their kids' names as their passwords to get in their apartments, and then complain to me about how ghetto the apartment complex is because their apartments get broken into all the time. These dumbasses also have me call up tow trucks and passwordsmiths all the time because they cannot remember their password for their car. I keep telling them to make better, easier to remember passwords, but they are all just morons.

        A buddy of mine is a super at another apartment complex, and they still use "old school" technology like keys to get into their apartments and cars, and they rarely if ever have these problems.
        </sarcasm>

        The moral of the story is that there are such things as physical tokens, smartcards, etc. that can provide keys to authenticate people to access computer systems. I hate to break it to you, but username/password schemes only authenticate usernames and passwords.

        The only thing that has not been worked out cleanly with keys is revocation. Any ideas here?
      • by ericspinder (146776) on Monday May 24, 2004 @10:37AM (#9237685) Journal
        The real problem is 30 day password expiration. Short password expirations are (I believe) the largest security hole in IT. On the user side, most people cannot keep coming up with new complex passwords every few weeks; they know that they will forget, so they get into the habit of writing down the password, or trying to create a "moving password scheme" that is easier to remember. Also a problem is the lack of a consolidated logon, meaning that the current password will not be updated in multiple distributed systems. Many users who "follow policy" and fail to keep mental track of their password are heavy users of password reset, which creates "social engineering" problems.

        Password reset is the number one help desk issue. All you need is some basic information about the user and a cracker could get the password reset to whatever they want. It's tough for companies to make resets as tough as they really need to be, the cost would be too high.

        I believe that the best solution is to enforce complex passwords and allow those passwords to last 6 months or longer.

      • by Aapje (237149) on Monday May 24, 2004 @10:48AM (#9237776) Journal
        The problem is with the 40 year old women in the office who use their kids names over and over with different numbers at the end of the password

        No, the problem is with the password police who require those women to change their password every month. While that theoretically improves security, in reality it makes it worse because people are prone to forget their changed passwords and thus write them down. That is not the user's fault. That those 40 year old women can't remember their passwords, especially when they change every month, is a fact of life. Ignoring that fact, changing the situation from bad to worse, means that you are stupid, not the users.

        </end rant about stupid sys admins>

        Anyway, if you really cared about security, you would use smartcards, fingerprints or whatever. Passwords for regular users are about as secure as locking your front door and putting the key under the mat*.

        *In a place I worked someone used 'secret' as a password and shouted it across the room. And yes, it was a 40 year old woman. ;)

        If IT keeps warning, they're told to stop worrying. If something happens, IT is blamed. These morons (leaders) need to figure out that IT isn't something that helps them do business. Their business runs on IT. Without it, they have no business.

        Sure, management is ultimately responsible for everything. But often, IT can also be blamed for not being informative enough. In the case of security, you should ideally have made a comparison between the security mechanisms and offer your boss a clear choice:
        - Passwords without enforcement/whining = little security + easy for users
        - Passwords with user enforcement = some security + hard on users
        - Chopping off a finger for every bad login attempt = good security + lawsuits
        - etc...

        Spell it out and get management to agree what your job is, what others should do and what things can still happen. Of course, then management can still be unfair, but you will be happy knowing that you are being professional.
      • Reading this article I remember a time -when I was still an application-manager for a large hospital- when I went to a small department to instruct a group in using the application.

        It went something like this:
        - Me: "What are your usernumbers? "
        - Women of the group: "xxxx, yyyy, zzzz, dddd, ffff"
        - Women: "Do you want our passwords too?"
        - Me: "No, I just need your login-info so I can fill in the necessary forms."
        - Women: "It's okay, we all share the same password, you can have it."
        - Me [frowns]: "You

    • Re:quepasa (Score:5, Interesting)

      by nizo (81281) on Monday May 24, 2004 @10:41AM (#9237722) Homepage Journal
      For anyone who cares, an easy solution I use is a quickie perl program I wrote that generates something like:
      a TL b CP c t5
      d GR e KW f Nu
      g zM h 4& i pH
      j qk k sb l +J
      m %$ n dU o rm
      p 7D q 6F r ne
      s Z? t gQ u Ay
      v =Y w 2x x c!
      y vX z VS

      Basically it assigns random chars/numbers/symbols to each letter of the alphabet. It tosses things like zero, one, and eight and letters O, H, I, J, L, B (upper or lower, depending on confusion with the aforementioned numbers). Now I print this nice little table and use it for passwords all over the place. For example I could just remember "slash" which maps to the password Z?+JTLZ?4&

      Also, if someone gets that little piece of paper or shoulder-surfs they don't get my passwords without at least a little effort. Oh and laminating it is a good idea, and an extra copy in a safe place wouldn't hurt too.
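nizo's substitution table, as an added example that is not the perl program from the post: build a random two-symbol mapping for each letter (drawing from a pool that leaves out the confusable characters the post names; which case of each letter to drop is an assumption here), print it in the same three-column layout, and turn a memorable word into the password. The table printed in the post is copied in verbatim so the "slash" example can be checked against it.

```python
import secrets
import string

# Symbols left out of the pool so the printed table can be read back without
# confusing 0/O, 1/I/l, 8/B and friends.  The post names 0, 1, 8, O, H, I, J,
# L and B; dropping both cases of each letter is this example's choice.
CONFUSABLE = set("018OoHhIiJjLlBb")
POOL = [c for c in string.ascii_letters + string.digits + string.punctuation
        if c not in CONFUSABLE]


def make_table(width=2):
    """Assign `width` random symbols from POOL to each lowercase letter.

    secrets.choice is used rather than random.choice: the table *is* the
    secret, so it has to come from a CSPRNG."""
    return {letter: "".join(secrets.choice(POOL) for _ in range(width))
            for letter in string.ascii_lowercase}


def encode(word, table):
    """Look each letter of an easy word up in the table; the result is the password."""
    word = word.lower()
    missing = [ch for ch in word if ch not in table]
    if missing:
        raise ValueError(f"no table entry for {missing!r}")
    return "".join(table[ch] for ch in word)


def format_table(table, columns=3):
    """Render the table in the same 'a TL b CP c t5' layout as the post."""
    cells = [f"{k} {v}" for k, v in sorted(table.items())]
    rows = [cells[i:i + columns] for i in range(0, len(cells), columns)]
    return "\n".join(" ".join(row) for row in rows)


# The table printed in the post, copied as data so the example can be checked.
POSTED_TABLE = {
    "a": "TL", "b": "CP", "c": "t5", "d": "GR", "e": "KW", "f": "Nu",
    "g": "zM", "h": "4&", "i": "pH", "j": "qk", "k": "sb", "l": "+J",
    "m": "%$", "n": "dU", "o": "rm", "p": "7D", "q": "6F", "r": "ne",
    "s": "Z?", "t": "gQ", "u": "Ay", "v": "=Y", "w": "2x", "x": "c!",
    "y": "vX", "z": "VS",
}


if __name__ == "__main__":
    fresh = make_table()
    print(format_table(fresh))
    print("slash ->", encode("slash", fresh))
```

Note what the table does and does not give you: the password is twice as long as the word and drawn from a large symbol set, but the letters of the word still map one-to-one, so a repeated letter (the two s's in "slash") produces a repeated pair, and anyone holding the paper needs only the memorable word.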

  • by Chess_the_cat (653159) on Monday May 24, 2004 @09:50AM (#9237215) Homepage
    Mitnick had a neat suggestion in the Art of Deception. The Consonant-Vowel Method. It provides an easy to remember password because it is pronounceable. You take the following template and swap in consonants and vowels: CVCVCVCV. The examples he gave are MIXOCASO and CUSOJENA. The point is they won't be in the dictionary but you can remember these nonsense words.

    • Nice try ... consonant-vowel is a nice pattern ... patterns are easier to break
    • by Plutor (2994) on Monday May 24, 2004 @10:02AM (#9237322) Homepage
      Another thing to remember is that rules like this just make brute-forcing simpler. There are 2.18*10^14 mixed-case alphanumeric 8-character passwords, but only 3.11*10^10 mixed-case consonant-vowel passwords (1/7000th as many possibilities), and only 1.2*10^8 single-case C-V passwords.

      Forcing 8-char passwords is just as inadvisable. There are 6.16*10^15 possibilities for 6-8 character passwords made up of all typeable characters (ASCII 33-126). That'll take 195 days to search the whole keyspace at 1M tests per second. And hopefully your password rotation is more often than that.
      • Allow non-standard ascii into the password. What cracker is gonna check for '®æÝ'?
      • by aphor (99965) on Monday May 24, 2004 @11:07AM (#9237921) Journal

        Making this kind of argument is valid only if it is practical for people to use passwords from a maximum-entropy pool of acceptable passwords. Think about this for a second: what you are talking about, strictly speaking, is a cryptographic key. However, we keep using the term password. The difference is subtle but significant, and it is the crux of the issue in the article (RTFA). Passwords are a kind of word, used as a cryptographic key in this case. So, they are the intersection of the set of things that can be words and the set of things that can be cryptographic keys. If you get too strict with the definition of either of the two sets, you risk shrinking the intersection to a cryptographically insignificant number of brute-force attempts.

        Rules like this do *not* make brute-forcing simpler. What we need is more like them. Instead of forcing people to use a selection of truly random numbers as passwords, we should have a cornucopia of different mnemonic password generation algorithms with different inputs that are likely to differ greatly (in two dimensions) from person to person and over time. The total brute force guesses would be the UNION of all of those sets, and they would also meet human factors requirements. The way to improve cryptographic security of passwords is to *increase* freedom, and to discourage conformity. Specifically ruling out different password mnemonics actually shrinks your pool of brute-force possibilities and thus weakens your scheme. It is acceptable for some people to use dictionary-weak passwords sometimes as long as there is a much greater likelihood at any one time that they will not.

        The bigger the dictionary, the closer the attack comes to brute-force keyspace searching. GROW the dictionary to obtuse proportions!

    • by lukewarmfusion (726141) on Monday May 24, 2004 @10:05AM (#9237352) Homepage Journal
      True, but if the attacker knew that your passwords followed a certain template (those two are 8 characters, all caps, and alternate consonant vowel starting with consonants) they become much easier to attack.

      My applications rarely force complexity (sometimes they require numbers or other non-alpha characters). The instructions are always there, but users rarely ever follow them.

      One of my not-so-critical applications (a web messageboard!) from a while back stored the passwords as plaintext in the DB (I now use hashing, thank you very much). I once looked at the password list just to see how complex people chose their passwords:

      ~60% had one word passwords of about 5 or 6 letters, no numbers
      10% used their username (which has since been prohibited)
      10% had complex passwords - stuff that made no sense to me and used numbers, non-alphanumeric characters, etc.
      The rest (a little more than 20%) had a word + a number, or something around those lines.

      I did ask them all about password security, and I got two basic responses: My password is secure, or What does it matter?
      • Message Boards (Score:5, Interesting)

        by Allen Zadr (767458) * <<moc.liamg> <ta> <rdaZ.nellA>> on Monday May 24, 2004 @10:14AM (#9237443) Journal
        On a message board, I always use a fairly simple password, simply because it doesn't matter to me...
        If someone gets to post as Allen Zadr to slashdot, the worst that would happen is my karma would be burned. No big deal. I drop the account, start a new one, give Slashdot another 5 bucks.

        The passwords I use on anything important, are far more secure.

        For this reason, I would be far more suspicious of the 10% that use extremely complex passwords. Likelihood is that those passwords will match their online banking account and work passwords.

    • by joelhayhurst (655022) on Monday May 24, 2004 @10:11AM (#9237414)
      There is also a unix utility called APG [nursat.kz] (Automated Password Generator) which will create pronounceable gibberish passwords to your specifications. I usually use that, find one I like, then replace a few letters with l33t-speak numbers (to think, it has a use...).
      • by Danny Rathjens (8471) <slashdot2@@@rathjens...org> on Monday May 24, 2004 @11:41AM (#9238267)
        Replacing letters with l33t-speak numbers is not wise. That is one of the first variations that password cracking software will attempt after appending numbers.
        At least you aren't l33tifying plain dictionary words. ;) When I ran 'crack' on our university shadow files (during my job as sysadmin) the cracked passwords were usually stuff like 'termin8'.
        I recommend any sysadmins download software like 'crack' or 'john the ripper' just to get an idea of the techniques used to break passwords, e.g. the fact that 'dictionaries' in the case of password cracking also include things like lists of anime and cartoon characters, actors, actresses, scientists, etc. And, of course, the aforementioned leet pattern replacements like s/ate/8/ and s/e/3/.
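The mangling rules Danny describes, as an added example that is not crack or john the ripper: each dictionary word is expanded into case variants, leet substitutions (ate->8, e->3 and a few more) and digit suffixes, and every candidate is hashed and compared against a set of leaked hashes. The rule list, the wordlist and the "leaked" hashes are constructed for this example, and unsalted SHA-256 stands in for the crypt-style hashes a real shadow file holds; the point is only how cheaply "termin8" and "Password1" fall out of "terminate" and "password".

```python
import hashlib
import itertools
import string

# Mangling rules modelled on the ones named in the post.  Constructed for this
# example; real rule files are hundreds of entries long.
LEET = [("ate", "8"), ("a", "4"), ("e", "3"), ("i", "1"),
        ("o", "0"), ("s", "5"), ("t", "7")]


def leet_variants(word):
    """All combinations of the LEET rules, each applied or not, in list order.

    Rules are applied to every variant produced so far, so 'terminate'
    yields 'termin8', 't3rmin8', 'termin4te', 'T...' and so on."""
    variants = {word}
    for src, dst in LEET:
        variants |= {v.replace(src, dst) for v in variants}
    return variants


def candidates(word, max_digits=2):
    """Case variants x leet variants x digit suffixes for one dictionary word."""
    out = set()
    for v in leet_variants(word):
        for cased in (v, v.capitalize(), v.upper()):
            out.add(cased)
            for n in range(1, max_digits + 1):
                for digits in itertools.product(string.digits, repeat=n):
                    out.add(cased + "".join(digits))
    return out


def sha256_hex(text):
    """Unsalted SHA-256, standing in for a real password hash."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hashes, wordlist, max_digits=2):
    """Dictionary-plus-rules attack; returns {hash: plaintext} for every hit."""
    remaining = set(target_hashes)
    found = {}
    for word in wordlist:
        for cand in candidates(word, max_digits):
            h = sha256_hex(cand)
            if h in remaining:
                found[h] = cand
                remaining.discard(h)
                if not remaining:
                    return found
    return found


if __name__ == "__main__":
    # Constructed "leaked" hashes and a tiny wordlist.
    leaked = {sha256_hex(p) for p in ("termin8", "Password1", "summer1")}
    words = ["terminate", "password", "summer", "dragon"]
    hits = crack(leaked, words)
    print(f"{len(hits)} of {len(leaked)} cracked:", sorted(hits.values()))
    print("candidates per word:", {w: len(candidates(w)) for w in words})
```

Each word here expands to a few thousand candidates, which is why a leet substitution or a trailing digit buys almost nothing against an offline attack: the rule set multiplies the dictionary by a constant, and a constant is cheap.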
  • Sometimes even the most vigilant sys admin is not able to halt these problems.

    Where I work the passwords are changed by internal support and logged into a database as well as entered into the system.

    Despite requests to use strong passwords, the internal support view is to get as quiet a life as possible and just accept whatever password a user chooses.

    The number of times I've seen summer1 is ridiculous.

    Personally I think users should choose their own passwords and the system should limit them to >8 characters and a %age difference from their last 10 passwords. But I don't make up the policies.
  • by enkafan (604078) on Monday May 24, 2004 @09:51AM (#9237223)
    Yeah, passwords and standards are fine as long as you keep snickers out of the office [bbc.co.uk]
  • Length vs randomness (Score:5, Interesting)

    by SWroclawski (95770) <serge.wroclawski@org> on Monday May 24, 2004 @09:52AM (#9237229) Homepage
    One area I'd like to see would be strength of a password in terms of randomness, requiring use of characters, etc. vs length. Is an 8 character password with a punctuation mark better than a 10 character password with all lower case characters? If so, by how much?

    Then we can determine a good password policy that fits with the security model at the facility.
    • by Liselle (684663) * <(ten.ellesil) (ta) (todhsals)> on Monday May 24, 2004 @10:03AM (#9237333) Journal
      The moment X method becomes popular, it is immediately less effective, because crackers will know what to poke at. If there is a world of unfriendly machines out there, one of your best bets is being a moving target. Password studies are interesting, but the results (of how hard they are to crack) can't be valid for long.
    • by _bug_ (112702) on Monday May 24, 2004 @10:15AM (#9237449) Journal
      Length and randomness go together and it should never be an either/or decision.

      Plus it's difficult to factor in the domain of characters an attacker will use to brute force a password. Throwing in a punctuation mark on a relatively short password will be strong against any attackers who use only alphanumeric characters in their cracking scheme. But the first attacker who does include said punctuation will crack a short password relatively quickly.

      L0phtcrack probably has the best approach in which a basic dictionary attack, then a hybrid attack by attaching numerals and punctuation on to the end of a dictionary word. Etc..

      But really, if you're not using a dictionary word as your password, the chances of a brute force attack being successful are very low.

      An attacker is going to get your password through other means such as keylogging or packet sniffing.

      Passwords are really only one tiny piece to the whole security plan and I think it's too focused on. How about more on how to physically protect a machine, how to prevent keyloggers or packet sniffers. How about social engineering? That's one of the last topics (if at all) to be covered during discussions about security.

    • by pyro_peter_911 (447333) on Monday May 24, 2004 @11:28AM (#9238148) Homepage Journal
      One area I'd like to see would be strength of a password in terms of randomness, requiring use of characters, etc. vs length. Is an 8 character password with a punctuation mark better than a 10 character password with all lower case characters? If so, by how much?

      An 8 character password using unique upper case, lower case, digits and punctuation has about 94 different characters. If we picked a random 8 character password from this we would have:

      94_P_8 = 94! / (94 - 8)! = 94! / 86! = 94 * 93 * 92 * 91 * 90 * 89 * 88 * 87 = 4.4x10^15 permutations

      A 10 character password using only unique 26 lower case characters has:

      26_P_10 = 26! / (26-10)! = 26! / 16! = 1.9x10^13 permutations.

      So, the 8 character password using all characters is about 200 times more difficult to brute force than the 10 character password only using lower case characters.

      Peter
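The keyspace arithmetic in Plutor's post (62^8 alphanumerics, the consonant-vowel template, 6 to 8 characters over 94 symbols) and in Peter's post (94P8 and 26P10 with no repeated characters), as one added example that belongs to neither poster. The helpers reproduce each quoted figure, report the size in bits, and convert a guess rate into time to exhaust the space; the consonant and vowel counts (21 and 5) are the assumption behind the 3.11x10^10 figure. Note the unit of the search-time helper: at 10^6 guesses per second the 6.16x10^15 keyspace takes about 195 years, not days, to exhaust.

```python
import math

CONSONANTS, VOWELS = 21, 5   # assumed split of the 26 letters


def keyspace(alphabet_size, length, repeats_allowed=True):
    """Passwords of exactly `length` symbols.

    With repeats allowed this is alphabet_size**length (Plutor's 62^8).
    Without repeats it is the permutation count nPk (Peter's 94P8, 26P10)."""
    if repeats_allowed:
        return alphabet_size ** length
    return math.perm(alphabet_size, length)


def keyspace_range(alphabet_size, min_len, max_len):
    """All lengths from min_len to max_len inclusive, e.g. 94^6 + 94^7 + 94^8."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def cv_keyspace(length, mixed_case=False):
    """Passwords on the CVCV... template: consonant in even positions, vowel in odd.

    Doubling both pools models mixed case, which is how 3.11x10^10 is reached."""
    c, v = (2 * CONSONANTS, 2 * VOWELS) if mixed_case else (CONSONANTS, VOWELS)
    return math.prod(c if i % 2 == 0 else v for i in range(length))


def bits(space):
    """Entropy in bits for a password chosen uniformly from `space`."""
    return math.log2(space)


def years_to_exhaust(space, guesses_per_second):
    """Wall-clock years to try every password in `space` at the given rate."""
    return space / guesses_per_second / (365.25 * 86400)


if __name__ == "__main__":
    rows = [
        ("62^8 mixed-case alphanumeric", keyspace(62, 8)),
        ("CVCVCVCV mixed case", cv_keyspace(8, mixed_case=True)),
        ("CVCVCVCV single case", cv_keyspace(8)),
        ("6-8 chars over 94 symbols", keyspace_range(94, 6, 8)),
        ("94P8, no repeated symbol", keyspace(94, 8, repeats_allowed=False)),
        ("26P10, no repeated symbol", keyspace(26, 10, repeats_allowed=False)),
    ]
    for name, n in rows:
        print(f"{name:30} {n:.3g}  {bits(n):5.1f} bits "
              f"{years_to_exhaust(n, 1e6):12.1f} years at 1M/s")
```

Two things the table makes obvious: forbidding repeated characters (Peter's permutation figures) shrinks the space slightly rather than enlarging it, and a fixed template like CVCV costs about 13 bits against free mixed-case alphanumerics of the same length.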

  • No passwords... (Score:3, Interesting)

    by Allen Zadr (767458) * <<moc.liamg> <ta> <rdaZ.nellA>> on Monday May 24, 2004 @09:53AM (#9237236) Journal
    That's why I assign passwords to my users. I know that they are random, cryptic, long enough, and if my user can't remember it, I can remind them.

    On the other hand, I don't have a password retention policy either, so really if someone is in my employ for more than six months, there's a good chance of a password getting lost into the wrong hands. Yes, I know this is a bad idea.

    • Re:No passwords... (Score:5, Insightful)

      by Glonoinha (587375) on Monday May 24, 2004 @10:05AM (#9237351) Journal
      Stay late one night. After they are all gone walk from desktop to desktop. Look for post-it notes on the side of the monitor and under the keyboard, and in their drawers. The results will scare you, if your users are anything like mine, and I bet after that you start letting them pick less cryptic passwords.

      Also, if you know their password there goes any semblance of Non-Repudiation. And if you can 'remind them' either you have a very short list of users and can remember them, or you have a written list somewhere - nifty, but a bad idea.
  • by Whitecloud (649593) on Monday May 24, 2004 @09:53AM (#9237240) Homepage
    How many passwords have you got? turn on pc, open email, encrypted files, bank account logins, ftp logins, forum memberships, the list goes on. How many have you forgotten? We need a better authentication system than text passwords. Security agencies have developed stunning biometric identification technologies, perhaps these could be put out for the general public to use?
  • by crow (16139) on Monday May 24, 2004 @09:54AM (#9237249) Homepage Journal
    I'm confused as to why you would care how strong the passwords your users select are. As long as you control the authentication system, you can prevent repeated guessing--the days of globally-readable encrypted password files are gone. If you get more than a small number of failed guesses on a given account or from a given address, you cut off access, at least for a time.

    The key is to detect the attack.
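The control crow describes (and that Bronster's post leans on): cut off an account, and separately a source address, after a small number of failed guesses, for a while. This is an added example and not anyone's production code. It keeps failure timestamps in a sliding window, returns a distinct reason for each kind of lockout so the event can be logged and alerted on, and takes an injectable clock so the behaviour can be checked without sleeping. The window, threshold and lockout durations are arbitrary defaults.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Lock out an account, and a source address, after repeated failures.

    Failures are counted per key inside a sliding `window`; reaching
    `max_failures` locks that key for `lockout` seconds.  The password is
    never verified while a lock is in force, so a guess made during lockout
    yields no information about whether it was right.
    """

    def __init__(self, max_failures=5, window=300.0, lockout=900.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> failure timestamps
        self._locked_until = {}               # key -> unlock time

    def _recent_failures(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def _is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                      # lock expired: start clean
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def _record_failure(self, key, now):
        q = self._recent_failures(key, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout

    def attempt(self, account, address, verify):
        """Run one login attempt.

        `verify` is a zero-argument callable that checks the credentials;
        it is only called when neither the account nor the address is locked.
        Returns "ok", "denied", "locked-account" or "locked-address"."""
        now = self.clock()
        akey, nkey = ("acct", account), ("addr", address)
        if self._is_locked(akey, now):
            return "locked-account"
        if self._is_locked(nkey, now):
            return "locked-address"
        if verify():
            self._failures[akey].clear()      # success resets the account,
            return "ok"                       # not the address
        self._record_failure(akey, now)
        self._record_failure(nkey, now)
        return "denied"


class ManualClock:
    """Test clock: time advances only when .t is set."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clk = ManualClock()
    th = LoginThrottle(max_failures=3, window=60, lockout=120, clock=clk)
    for _ in range(3):
        print(th.attempt("alice", "10.0.0.1", lambda: False))   # constructed attempts
    print(th.attempt("alice", "10.0.0.1", lambda: True))        # locked-account
    clk.t = 121
    print(th.attempt("alice", "10.0.0.1", lambda: True))        # ok
```

The per-address counter is what catches the other shape of attack, one guess each against many accounts from one source; the per-account counter alone would never trip on it. Both counters are what you feed the detection side: a burst of "locked-address" results is the signal.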
  • by mcgroarty (633843) <brian,mcgroarty&gmail,com> on Monday May 24, 2004 @09:56AM (#9237262) Homepage
    These are the best passwords ever:
    jieph9Ee eik4zahW que8aiQu wahK6pee nie1eCho aNg2raew
    exeif0Ta ooqu9Aye Eid7iici eiZ6boin Waeg5kah Mi9vegoh
    eelae9Oo Ua7yojie Jiquaud5 Vohw7iwi Eit7laax Aesae2ax
    They are relatively random, easy to remember (you can kind of pronounce all of them), and best of all, nobody has guessed a single one of them yet. I've been using these for years, and you should too!
  • by Spatula Sam (770957) * on Monday May 24, 2004 @09:57AM (#9237268)
    "Hello, I'm doing a study for the Cambridge University Computer Laboratory on passwords..."
  • by danielrm26 (567852) * on Monday May 24, 2004 @09:57AM (#9237277) Homepage
    What's next? Long passwords better than short ones?
  • a couple things i do (Score:5, Interesting)

    by millahtime (710421) on Monday May 24, 2004 @09:58AM (#9237288) Homepage Journal
    There are a couple things i do....

    1) On my servers the password changer forces them to not use dictionary words, has to have numbers, letters and nonnumeric characters, and they can't use their previous so many passwords
    2) For my password I use a few things from my childhood that no one will ever come up with.
    3) There is nothing like keeping up on your security patches.
    • by jhkoh (588461)
      and they can't use their previous so many passwords
      I have a friend who worked on a system with a similar restriction in their password-changing policy. So, when the system forced him to change his password, he just changed it "so many" times until it let him go back to his old one...
  • by arvindn (542080) on Monday May 24, 2004 @09:58AM (#9237289) Homepage Journal
    That will never be possible, considering this [slashdot.org].

    Seriously, even if you are using something other than passwords, say biometric authentication, security will remain as shabby as it is today unless users understand the importance of keeping the system secure. And that is a tall order.

  • by Shimmer (3036) <brianberns@gmail.com> on Monday May 24, 2004 @10:00AM (#9237314) Homepage Journal
    Most of the time, people just don't care. And why should they?

    I probably have 200 passwords floating around in cyberspace, and 90% of them are "password". For example, I have to supply uid/pwd in order to read the Washington Post (my local newspaper). Is it important to keep this password secret? No, because I'm not very worried about someone reading the newspaper under my name.

    Unless I have confidential personal information at stake, I am not usually motivated to create a strong password.

    So, sysadmins, if the security of your overall network is more important than Joe User's individual data, you need to enforce strong password rules. Relying on users to create strong passwords voluntarily under such conditions is foolish.
    • We have a vBulletin board with 2,500 members. 5% of those members have passwords hashes that match:

      a
      1
      12
      123
      1234
      12345
      123456
      1234567
      12345678
      123456789
      1234567890

      A few others use the name of the site and the word "password".

      They don't care. That is true.
  • by spidergoat2 (715962) on Monday May 24, 2004 @10:01AM (#9237320) Journal
    It just doesn't matter. It's still going to be written on a yellow sticky and stuck on the screen.
  • Phonetic Passwords (Score:5, Interesting)

    by N8F8 (4562) on Monday May 24, 2004 @10:02AM (#9237326)
    I used to work on a military installation with really elaborate guidelines for choosing passwords. It would usually take me at least a dozen times to choose a valid, unused password. My buddy had a trick that would get him a good password every time. Being fluent in Korean, he would come up with a phrase in Korean and spell it out phonetically to produce a new password. I wonder how many foreign language workers in the US do the same thing?
  • My password method (Score:5, Informative)

    by gosand (234100) on Monday May 24, 2004 @10:05AM (#9237344)
    I have been able to successfully remember randomly generated passwords, but once they slip your mind - you are screwed. My password method is this:

    1. generate a password using some word algorithm: I was born on a Monday = "IwboaM"
    2. come up with some kind of replacement strategy: w=m, a=1. IwboaM = Imbo1M
    3. bookend it with the year you were born: Imbo1M = 19Imbo1M69.

    It looks totally random, but there is a method to the madness. If you need to change it, you can just inc the year, or use some other rule on it. The strength is that you completely make up the rules, and they don't have to make any sense. All you have to do is remember the original phrase (easy) and your rules (easy to complex).

    (and the example I gave is completely arbitrary)
    You could also do one where your password is the answer to the question. Remember the question "What month was I born?" Answer: October
    Password starting point = HalloweenMonth. Then apply crazy rules to it. In this way, you can write down your reminder phrase "Month born?" and it is nowhere near what your password is.

    • Writing random passwords has always been my personal policy. The password must be a mix of upper and lower case letters with at least 2 numeric digits and a length of at least 6. I try never to have the numbers next to each other but this happens on occasion.

      The trick is then to remember the passwords. My own personal systems at home have root and at least two users with login, ftp, and samba passwords for each. There are also e-mail passwords, /. password, various internet service passwords, and passw
    • 1. generate a password using some word algorithm: I was born on a Monday = "IwboaM"

      That's what I do with all my passwords, for example:

      People Always Suspect Secret Words Or Random Dates
      Wait a minute, D'oh!
  • Keyboard patterns? (Score:5, Interesting)

    by Amoeba (55277) on Monday May 24, 2004 @10:06AM (#9237364)
    I'm sure I'm not the only one who occasionally uses keyboard patterns for passwords. I'm not talking qwertyuiop or asdfg (obvious) but things like !@()ZX>? Hell, half the time I remember friends' phone numbers by the way you punch in the numbers. Sometimes when asked what a number is I'll even do the "phantom phone dial finger wiggle" so I can recite the damned thing.

    Looking at the above example it appears to be a password which follows the "strong password" methodology but have there been any studies on the effectiveness of using such a method? I know there are dictionary-based attacks which have some of the obvious patterns (qwerty, poiuy etc) but is such a method random *enough* to be feasible?

    It seems to me that it would be much easier to train users to use a muscle-memory-like password than picking some word out of their ass. The human brain has one seriously developed pattern recognition/matching capability... why not use it?

    Amoeba
  • passphrase passwords (Score:3, Informative)

    by thogard (43403) on Monday May 24, 2004 @10:08AM (#9237380) Homepage
    Some people have been claiming that using things like "fsa7ya" or "4sa7ya" as the 1st letters of "four score and 7 years ago" is a good way to make up passwords. I've got a friend who has a dictionary of about 20,000 such phrases and it took a few of us about a half hour to find a common quote that wasn't in his list. He also happens to have a 50-word list that is very effective at brute force attacks.

  • by Slick_Snake (693760) on Monday May 24, 2004 @10:09AM (#9237394) Journal
    Use of a physical token combined with an easy to remember pin is more secure than passwords. Since pin numbers tend to be short there is no problem with choosing them randomly. Furthermore with a limit on the number of failed attempts before disabling the token you make it nearly impossible for someone to break in.

    Looking at it through cynical eyes it doesn't matter how secure your method is because, you are ultimately placing trust in the typical user who will most likely do something stupid when given the chance.

  • by pandrijeczko (588093) on Monday May 24, 2004 @10:10AM (#9237397)
    After all, with creatures like Cthulhu, Nyalarthotep, Tsathoggua, Hounds Of Tindalos, the Wendigo, etc., there's plenty of scope for non-dictionary passwords and I've never seen a Cthulhu mythos word file for password crackers...

    ...having said that, with having uttered these names so frequently in the past, I now have a large black tentacle growing from the back of my neck and keep seeing strange shapes lurking in the shadows...

    Gibber...

  • by Anixamander (448308) on Monday May 24, 2004 @10:10AM (#9237399) Journal
    My mnemonic, which should have been hard for people to guess, was "Please ask sister sally where's our rottweiler dog"

    And the thing is, we didn't even have a rottweiler, it was a shepherd. But people still guessed it, so I don't use mnemonics anymore.
  • by cedmond (515813) <cedmond AT snet DOT net> on Monday May 24, 2004 @10:13AM (#9237433)
    Using the term "folk belief" more than once in a paragraph can become very annoying. This belief is confirmed.
  • by ID_Roamer (725238) on Monday May 24, 2004 @10:15AM (#9237454)
    I read a story about a book method for developing crypto keys. It was a fairly common method in the past before computers. I thought about it and have used it for years for choosing my passwords. They tend to be mnemonics, but I can write down a hint sheet that is pretty safe.

    It works like this. I choose a book at random from my work area, choose a page at random and then pick a line. I develop a mnemonic password from that line. If I need a hint, I write down the page and line number on a piece of paper, I can even stick it to my monitor if I need to. My average library of reference books at work is over 50 books. How big a hint to an attacker is 347 12? All I have to remember is what book I chose.

    My last job, my boss couldn't remember any password that wasn't part of his name until I introduced him to mnemonic passwords.
  • by Sheepdot (211478) on Monday May 24, 2004 @10:18AM (#9237493) Journal
    Let me give you some insight into how a 'cracker' looks at this since I just cracked an alpha-symbol-numeric Windows NT LM hash about an hour ago in about 5 minutes time. Your password isn't enough. You, as an administrator, have to get in there and modify the authentication scheme.

    Or use SHA2. Cause I don't have rainbow tables to crack that. Yet. For those of you who don't or cannot follow security, the new buzz is creating your own crack tables in a couple of weeks or months. There is more info at the project rainbowcrack [antsight.com] page.

    The misconception that everyone has about passwords now (because we as sysadmins pushed it so hard in the late 90s, early 00s) is that alphanumeric is the way to go. With the advent of generating your own cracking tables, that is no longer the case anymore.

    An alphanumeric md5 set of rainbow tables can be generated in about a weeks time with a 2.4 ghz processor. That's my rough estimate based on the couple days it took me to make the alphanumeric one for LM hashes.

    I would highly suggest that if you want your users to come up with good passwords you have them make a "one-time" password, seed with a 20-character salt that looks like someone pounded the keyboard, and store it inside a SHA2 hash.

    A good administrator is going to salt their passwords with a string of characters that already satisfies the "alpha-numeric-symbol" requirement. If there is any reason to do something other than the first name of your child it is to stop coworkers or friends or people that already know about you.

    When using brute-force/guess method this is what I try first and my guess is that at least 1% of Slashdot fathers use this or a form of it as their pass. It's okay to be proud of your kid, but don't think you're honoring them by including them in your password.
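The storage scheme Sheepdot argues for above (a long random salt per password, SHA-2 as the hash), as an added example that is not the poster's code. It uses PBKDF2 over SHA-256 from the Python standard library; the 20-byte salt follows the post, while the iteration count, the record format and the function names are my own choices. A per-password random salt is exactly what makes a precomputed table for the bare hash function useless, because the table would have to be rebuilt for every salt value.

```python
import base64
import hashlib
import hmac
import os

# The post asks for a ~20-character random salt and a SHA-2 hash. The
# iteration count is an added choice: it slows down every guess, which a
# plain single SHA-256 would not.
SALT_BYTES = 20
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return a self-describing record: scheme$iterations$salt$digest (salt and
    digest base64). A fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # unpredictable and different for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        "pbkdf2-sha256",
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time, so timing does not leak how many leading bytes matched."""
    scheme, iterations, salt_b64, digest_b64 = record.split("$")
    if scheme != "pbkdf2-sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    first = hash_password("correct horse")
    second = hash_password("correct horse")
    print(first)
    print(second)                                   # same password, different record
    print(verify_password("correct horse", first))  # True
    print(verify_password("Correct horse", first))  # False
```

Storing the iteration count inside the record lets an administrator raise it later for new passwords without breaking verification of the old ones.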

  • pwgen (Score:5, Informative)

    by jsebrech (525647) on Monday May 24, 2004 @10:19AM (#9237499)
    You can easily generate mnemonic passwords using pwgen [sourceforge.net].

    It's definitely easy to remember mnemonic passwords. I've been able to not log into a machine for months, come back to it and remember the mnemonic password unique to that machine.
  • by MajorDick (735308) on Monday May 24, 2004 @10:19AM (#9237504)
    Well when going through a really rough divorce (I had an easy one too) I was in serious fear , and justifiably so of my Ex hacking accounts using some of my known Passwords , I like many others have a cycle of about 10 that are used interchangeably. All these were , with the exception of 1 personal passwords. I found she was accessing my work mail and personal mail almost immediately , Soooo I decided to have some fun with it, passing all kinds of bogus information into forged emails to myself. Then came court, she was ACTUALLY Stupid enough to bring up several points in court, my Attorney was aware and asked where she found this information out, "Around, friends, etc" Bwwwahhaaaa talk about someone looking stupid she bought it hook line and sinker.

    Sometimes easy to crack passwords are a GOOD thing :)

    On another note, after I took her to the cleaners at court I decided to TIE one One, well....NEVER....and I mean NEVER....change your passwords while really drunk..it took me 2 days to reconfigure redit and reset all my passwords I changed on that drunken celebration. I still have NO idea what some of them were or how I came to decide on their usage
  • passflt.dll (Score:3, Interesting)

    by Zog The Undeniable (632031) on Monday May 24, 2004 @10:23AM (#9237536)
    I'd be interested in a password cracking study comparing passwords where this DLL was turned on (for Windoze domains) and where users are given a free choice. The DLL enforces stronger passwords, but IME few companies use it.
  • by TheTXLibra (781128) on Monday May 24, 2004 @10:28AM (#9237590) Homepage Journal
    Well, having been a System Administrator, I can sympathize with this plight. Even a small non-compliance percentage is a bad thing, since there's only about 50-million cracker tools that will give the list of usernames for the network. Here's a few things I can recommend. Most are common sense, but just in case, I thought it might help:

    1. Educate your users in 1337-speak. - You know, 3's as E's, 7's as T's, etc. Point out that they can make nearly any normal, easy to remember password more secure by using 1337-speak. This will help prevent tools like L0phtCrack from breaking the code in minutes, but rather might change it to days. I did a bit of security consulting and found this to be the easiest way of ensuring compliance at the user level. For added security, have them make phrases using the special characters. For instance $4Bugs is a rather secure six-letter password (though really I'd prefer 8+).
    2. Fear Works Wonders - Divulge that if their account is hacked because of a non-compliant password, the entire office will know of it, and they will probably be lynched, but only after the cracker has stolen all their bank account info and ss#. This may or may not be the truth, but the people listening to you say this are the same people who are using their CD-ROM drive bay for a cup holder.
    3. Tools a la Sneakers - Of course, you can turn on password enforcements, that's the first one. Now try to crack your own network. Not a Cracker? All right, then just go download YAPS, LANGuard, and L0phtCrack and run those. Yeah, they're only scripts, but unless your network has somehow garnered the attention of a serious cracker, the only ones assaulting you will be script-kiddies. So fill in the blanks, and see how your network holds up.
    4. Given Time, Serious Hackers Will Get In - There's only so much security you can have without just simply yanking the network from any outside connections. If the network you are supporting is government, big-money, or anything of interest to a serious hacker, it is only a matter of time. Forced PW changes (every 14 days) or so, will help reduce this chance a lot, but will also anger your users. But if passwords are allowed to sit for 30 days, and a compliant admin-access password only takes 25 days to crack, then it will be cracked.
    5. Sure, let them keep their PWs on stickies... IN A LOCKED CABINET - Most offices will give you a drawer with a lock on it. These locks are almost never used. Find the Facilities person for this office and get those keys. Let the users write down their PWs in a notebook or stickies, but make it clear they need to lock those books up at night or take them home. Getting a custodial job to crack a network by writing down PWs from stickies on the monitor is the oldest trick in the book (and by god, it still works great). If you catch someone with password stickies on their monitor, punish them.
    6. Breed ph34r and paranoia - I printed out some old WWII propaganda posters and changed the lettering on them to refer to passwords and security. It was fun, livened up the walls a bit in the office, and served as a subtle reminder to the users that SAM the Cracker was always out there, trying to steal their (fill in the blank). Of course, in truth, we only had one serious hacking attempt, but it was a lot of fun scaring them, and it made them more attentive to possible security breaches. Sometimes annoyingly so, but hey, we never got cracked in the time I was there.


    -The Libra
    "You've got no kids, no wife, no job, and you're not in The Tigger Movie!!!"
    - my best friend's son, Gabe, at 5 years old. [everything2.com]
    • I don't know how this got modded insightful.
      Response to #1: L0phtcrack and several other cracking tools have had character substitution methods for years. This method no longer works as a security measure.
      Response to #2 and #6: Breeding fear and paranoia through alarmist propaganda is a really bad idea, because there will always be enough people in that office who will know better, and it's better to have those people on your side rather than in contempt of you.
      Response to #3: These tools are not scripts
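A policy check of the kind millahtime's first point describes (no dictionary words, letters plus digits plus symbols, history aside), written so that it also reflects the reply above: character substitutions are undone before the dictionary lookup, so "$4Bugs" and "P@55w0rd!" are still recognised as dictionary words. This is an added example, not code from either post or from any of the tools named; the substitution map, the tiny word list and the minimum length are constructed for the example.

```python
import string

# Reversal of the usual "1337" substitutions. Constructed for this example;
# a real checker would carry a larger map and a real dictionary.
LEET_TO_PLAIN = {
    "4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "|": "i",
    "0": "o", "5": "s", "$": "s", "7": "t", "+": "t",
}

# Tiny constructed word list standing in for a full dictionary.
WORDLIST = {"bugs", "password", "secret", "monday", "summer", "welcome"}

MIN_LENGTH = 8


def undo_leet(password):
    """Map every substituted character back to the letter it stands for."""
    return "".join(LEET_TO_PLAIN.get(ch, ch) for ch in password.lower())


def dictionary_hits(password):
    """Dictionary words still present once substitutions are undone. Substring
    matching is what catches '$4Bugs' (-> 'sabugs'); a whole-string comparison
    would miss it."""
    plain = undo_leet(password)
    return sorted(w for w in WORDLIST if len(w) >= 4 and w in plain)


def check_password(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    hits = dictionary_hits(password)
    if hits:
        problems.append("dictionary word(s) after undoing substitutions: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for candidate in ["$4Bugs", "P@55w0rd!", "Zq9!mvXp2"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

The point of normalising before the lookup is that a substitution only multiplies the guessing work by a small constant per substituted letter, so a checker that treats "P@55w0rd" as unrelated to "password" is measuring the wrong thing.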
  • by 0x0d0a (568518) on Monday May 24, 2004 @10:28AM (#9237592) Journal
    I occasionally like mnemonic passwords, but another good alternative is a randomly-generated but pronounceable password. It turns out that we're much better at remembering passwords that we can pronounce. (Where "Voolakun5" is pronounceable and "zqx17yvy" is not).

    FIPS-181 [nist.gov] describes a NIST-endorsed system for producing pronounceable passwords. There is a GPLed FIPS-181 implementation here [nursat.kz].

    Sample run:

    $ apg
    dyijenuloa
    bifliecar
    yishjied&
    IfHydrovia
    yutsOlg/
    DipUkcat


    APG is a lot more sophisticated than this, and allows you to do a lot of tweaking of the types of passwords it outputs, print pronunciation guides. It's a good tool, IMHO, for security-conscious types to have around.

    For Fedora Core 2 users, Red Hat does not package apg in the base distribution, but it is available from freshrpms.
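A small pronounceable-password generator in the spirit of the apg output shown above and of the pwgen samples earlier in the thread, added here as an example. It is not FIPS-181 and not code from apg or pwgen: it simply strings together consonant-vowel and consonant-vowel-consonant syllables, capitalises one letter and appends a digit or symbol so the result satisfies the usual character-class rules, drawing randomness from the operating system. The alphabets and the syllable shape probability are constructed choices.

```python
import secrets
import string

CONSONANTS = "bcdfghjklmnprstvz"   # constructed: letters that read clearly in syllables
VOWELS = "aeiou"
TAIL_CHARS = "!&/%+" + string.digits   # one trailing non-letter, like apg's '&' and '/'


def pronounceable(length=10, rng=None):
    """Build a password of `length` characters: alternating CV / CVC syllables,
    one capital letter, and a trailing digit or symbol. `rng` must offer
    choice(), random() and randrange(); the default is the OS entropy source."""
    rng = rng or secrets.SystemRandom()
    letters_needed = length - 1
    word = ""
    while len(word) < letters_needed:
        syllable = rng.choice(CONSONANTS) + rng.choice(VOWELS)
        if rng.random() < 0.4:             # sometimes close the syllable: "tak" rather than "ta"
            syllable += rng.choice(CONSONANTS)
        word += syllable
    word = word[:letters_needed]           # truncation keeps the C/V pattern intact
    i = rng.randrange(len(word))
    word = word[:i] + word[i].upper() + word[i + 1:]
    return word + rng.choice(TAIL_CHARS)


def looks_pronounceable(word):
    """True when the letters never put two vowels or three consonants together,
    which is the property the generator guarantees for its letter part."""
    w = word.lower()
    if not w or any(c not in CONSONANTS + VOWELS for c in w):
        return False
    run = 0
    for i, c in enumerate(w):
        if c in VOWELS:
            if i and w[i - 1] in VOWELS:
                return False
            run = 0
        else:
            run += 1
            if run > 2:
                return False
    return True


if __name__ == "__main__":
    for _ in range(6):
        print(pronounceable())
```

Pronounceability is bought with entropy: each position is drawn from 5 or 17 letters instead of the 60-odd characters of a fully random password, so a pronounceable password needs to be noticeably longer than a random one to offer the same resistance to guessing. That trade is the reason this style of password is worth using only when it is also long.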
  • by jhagler (102984) on Monday May 24, 2004 @10:44AM (#9237744)
    The question I would like looked into is how many "old" passwords should a system remember and not allow a person to reuse.

    I'll give you an example, a place I used to work required all the standard things: caps, non-alpha, 90 day expiration, etc. but what bugs me is that your new password can't be the same as any of your previous 6. Now, I have three or four good solid passwords that meet (or can be made to meet) all those requirements, but when I have to come up with 7 different ones, they start getting weaker and weaker near the end. I know that in most systems you can just run through half a dozen passwords in about two minutes and get your old one back, but they also instituted a minimum age so you couldn't do that.

    All these things are generally considered good network security, at what point do you start doing more damage than good though? How many passwords does your system require, and does anyone else find themselves in the same situation I'm in?
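The history rule the post above asks about, together with the minimum age that closes the "change it six times in two minutes" loophole jhkoh describes earlier in the thread, as an added example that is from neither poster. It remembers the last six password hashes per user (the post's figure), refuses a change inside the minimum age, and reports whether the current password has passed the 90-day expiry. The one-day minimum age, the salt length and the iteration count are constructed for the example; each remembered entry keeps its own salt so the history itself is not a precomputation target.

```python
import hashlib
import os

HISTORY_DEPTH = 6                 # previous passwords that may not be reused (the post's figure)
MIN_AGE_SECONDS = 86_400          # constructed: at least one day between changes
MAX_AGE_SECONDS = 90 * 86_400     # the post's 90-day expiry
ITERATIONS = 20_000               # constructed; kept low so the example runs quickly


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordHistory:
    """Per-user record of recent password hashes with minimum and maximum age rules."""

    def __init__(self):
        self.records = {}   # user -> list of (salt, digest, set_at), oldest first

    def _reused(self, user, password):
        recent = self.records.get(user, [])[-HISTORY_DEPTH:]
        return any(_digest(password, salt) == digest for salt, digest, _ in recent)

    def change(self, user, new_password, now):
        """Return 'ok', 'too-soon' (inside the minimum age) or 'reused'."""
        recs = self.records.setdefault(user, [])
        if recs and now - recs[-1][2] < MIN_AGE_SECONDS:
            return "too-soon"
        if self._reused(user, new_password):
            return "reused"
        salt = os.urandom(16)
        recs.append((salt, _digest(new_password, salt), now))
        del recs[:-HISTORY_DEPTH]          # keep only the entries the policy needs
        return "ok"

    def expired(self, user, now):
        """True when the user has no password or the current one is past the maximum age."""
        recs = self.records.get(user)
        return not recs or now - recs[-1][2] >= MAX_AGE_SECONDS


if __name__ == "__main__":
    DAY = 86_400
    h = PasswordHistory()
    print(h.change("bob", "first", 0))            # ok
    print(h.change("bob", "second", 3600))        # too-soon
    print(h.change("bob", "first", DAY))          # reused
    for n in range(2, 8):                         # six fresh passwords, one per day
        h.change("bob", f"pw{n}", n * DAY)
    print(h.change("bob", "first", 8 * DAY))      # ok: cycled out, but a week later
    print(h.expired("bob", 8 * DAY + 90 * DAY))   # True
```

With the minimum age in place the cycling trick still works in principle, but it costs one day per remembered password rather than two minutes, which is the difference the post is asking about between a rule that changes behaviour and one users simply route around.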

  • by 26199 (577806) on Monday May 24, 2004 @11:11AM (#9237962) Homepage

    ...you can solve this one by throwing money at it.

    Buy one of these [usahero.com] and relax. You'll never have to worry about passwords again.

  • by Avumede (111087) on Monday May 24, 2004 @11:19AM (#9238045) Homepage
    When I was working at NASA, I was still using a very simple password consisting of a very unusual word plus a number. One day the sys admin sends me a mail and says "Hey, I cracked your password. You must be a fan of [band name who had a song by this title]". I was embarrassed enough that I immediately changed my password to something much stronger, and use a strong password to this day.

    It works well because many people (myself included) just didn't get how easy it is to crack simple passwords until someone does it. If it's your friendly sysadmin, a normal desire to appear less idiotic is a sufficient motivator to choose a strong password.
  • by MoreDruid (584251) <moredruid@gma i l .com> on Monday May 24, 2004 @11:20AM (#9238055) Homepage Journal

    IANAL&IneverRTFA

    Oh wait... did I just give away John Katz's password?

"A mind is a terrible thing to have leaking out your ears." -- The League of Sadistic Telepaths

Working...