Password Memorability and Securability 436
NonNullSet writes "Who would have thought that that something new could be said about how best to select passwords? Ross Andreson of Cambridge University and some of his colleages have performed new empirical studies and found some pretty non-intuitive results. For example:
1. The first folk belief is that users have difficulty remembering random passwords. This belief is confirmed.
2. The second folk belief is that passwords based on mnemonic prases are harder for an attacker to guess than naively selected passwords. This belief is confirmed.
3. The third folk belief is that random passwords are better than those based on mnemonic phrases. However, each appeared to be just as strong as the
other. So this belief is debunked.
4. The fourth folk belief is that passwords based on mnemonic phrases are harder to remember than naively selected passwords. However, each ap-
peared to be just as easy to remember as the other. So this belief is debunked.
5. The fifth folk belief is that by educating users to use random passwords or mnemonic passwords, we can gain a significant improvement in security. However, both random passwords and mnemonic passwords suffered from a
non-compliance rate of about 10% (including both too-short passwords and passwords not chosen according to the instructions). While this is better than the 35% or so of users who choose bad passwords with only cursory instruction, it is not really a huge improvement. The attacker may have to work three times harder, but in the absence of password policy enforcement mechanisms there seems no way to make the attacker work a thousand times
harder. In fact, our experimental group may be about the most compliant a systems administrator can expect to get. So this belief appears to be debunked."
Freaking PDF files. (Score:5, Informative)
I suppose I should make a comment. Okay, here it is: looks like users are still the weakest link in security. Whoever said that social engineering was the ultimate hack is a genius.
Google (Score:5, Informative)
Use passphrases instead (Score:2, Informative)
It's really just a matter of changing mindset to use passphrases instead of passwords.
My password method (Score:5, Informative)
1. generate a password using some word algorithm: I was born on a Monday = "IwboaM"
2. come up with some kind of replacement strategy: w=m, a=1. IwboaM = Imbo1M
3. bookend it with the year you were born: Imbo1M = 19Imbo1M69.
It looks totally random, but there is a method to the madness. If you need to change it, you can just inc the year, or use some other rule on it. The strength is that you completely make up the rules, and they don't have to make any sense. All you have to do is remember the original phrase (easy) and your rules (easy to complex).
(and the example I gave is completely arbitrary)
You could also do one where your password is the answer to the question. Remember the question "What month was I born?" Answer: October
Password starting point = HalloweenMonth. Then apply crazy rules to it. In this way, you can write down your reminder phrase "Month born?" and it is nowhere near what your password is.
Re:Freaking PDF files. (Score:3, Informative)
I don't think that will ever change, unless we use the bio scanning methods (iris scans and whatnot)
I heard about DNA scan, but I can't see that working, it could be falseified. Even a finger print could be carried (cut off their finger if they wanted access enough).
The strongest way to do it is with multiple methods (text password, then voice password, the finger print scan, and then iris scan).
passphrase passwords (Score:3, Informative)
Re:Consonant-Vowel Method (Score:5, Informative)
Re:Freaking PDF files. (Score:1, Informative)
pwgen (Score:5, Informative)
It's definitely easy to remember mnemonic passwords. I've been able to not log into a machine for months, come back to it and remember the mnemonic password unique to that machine.
Passwords And Dice (Score:1, Informative)
Alternative to memnonics -- pronounceables (Score:5, Informative)
FIPS-181 [nist.gov] describes a NIST-endorsed system for producing pronounceable passwords. There is a GPLed FIPS-181 implementation here [nursat.kz].
Sample run:
$ apg
dyijenuloa
bifliecar
yishjied&
IfHydrovia
yutsOlg/
DipUkcat
APG is a lot more sophisticated than this, and allows you to do a lot of tweaking of the types of passwords it outputs, print pronunciation guides. It's a good tool, IMHO, for security-conscious types to have around.
For Fedora Core 2 users, Red Hat does not package apg in the base distribution, but it is available from freshrpms.
Re:Brute Force Attacks (Score:5, Informative)
> han Y accounts are locked for this reason in Z minutes, and as a community we'd
> effectively end all dictionary attacks
The problem with this solution is that so-called "dictionary attacks" are virtually never carried out using the target's manual authentication mechanism, or even their enrcyption library functions (which are usually deliberately performance-crippled). Any brute-forcer worth its salt (heh) is run on a fast, private computer with an optimized hashing function on hash data that is pulled off of the target wholesale.
In addition to, and more important than, the methods you describe, users must use better passphrases, policies must be enforced, and the authentication schemes used must become more robust (larger key size, multi-layer security, OTP, etc).
Re:quepasa (Score:5, Informative)
1. There's no file stored anywhere containing the passwords so you can't lose them, or have the file in order to get the password.
2. You don't have to do the random creation of passwords in the first place.
3. When it comes time to change passwords, just change the passphrase.
John.
Too lazy to come up with a good password? (Score:1, Informative)
As with a large number of problems... (Score:3, Informative)
...you can solve this one by throwing money at it.
Buy one of these [usahero.com] and relax. You'll never have to worry about passwords again.
Re:Length vs randomness (Score:5, Informative)
An 8 character password using unique upper case, lower case, digits and punctuation has about 94 different characters. If we picked a random 8 character password from this we would have:
94_P_8 = 94! / (94 - 8)! = 94! / 86! = 94 * 93 * 92 * 91 * 90 * 89 * 88 * 87 = 4.4x10^15 permutations
A 10 character password using only unique 26 lower case characters has:
26_P_10 = 26! / (26-10)! = 26! / 16! = 1.9x10^13 permutations.
So, the 8 character password using all characters is about 200 times more difficult to brute force than the 10 character password only using lower case characters.
Peter
Re:Random Passwords aren't the problem (Score:3, Informative)
It's more likely they'll take care of it, then.
Programmatic Enforcement (Score:2, Informative)
Re:quepasa (Score:2, Informative)
A local list of the public keys you keep on your own computer (as opposed to remotely on a keyserver). It's like an address book, except that it contains the public keys of your correspondents.
What's a public key?
A key you make public so that others can send messages to you. Likewise, others make their own public key known to you (or to the public in general) so you can encrypt messages to them.
A private key?
The key you need in order to decode the messages others have encrypted using your public key.
What do I do if my private key is compromised?
Generate a new private and public key. Send a revocation notice to the public keys server(s) you use and notify all your correspondents of your public key change.
I use an older version of a free program called Password Safe [schneier.com] and keep lots of backup copies of it's data file on floppies, etc. With the (ugly) newer version [sourceforge.net] you can also print out a hardcopy.
Re:a couple things i do (Score:3, Informative)
Re:Longest... summary... ever... (Score:3, Informative)
Re:Freaking PDF files. (Score:1, Informative)
Re:Random Passwords aren't the problem (Score:3, Informative)
*It is idealistic to think that a single authentication system will be shoehorned in to every system used in many enterprises. More than likely at least some application will not be able to use the networked authentication for one reason or another.
NOT secure (Score:3, Informative)
The table itself isn't a terrible idea, but where you really go wrong is printing it out. If anyone gets a look at your "alphabet," and you've used a simple dictionary password, then it's as simple as doing a dictionary attack -- just with your modified alphabet instead of the standard one.
This is why, as the article states, user-devised password schemes aren't very good (although yours is probably somewhat better than many), as they only give the illusion of security.
Cheers,
IT
Mitnick today (Score:5, Informative)
He was briefly in Chile for a US$420 a seat conference, and the head of the Computer Science Dept. asked him if he could give the students a little talk.
A representative answered exactly this:
Thank you for your inquiry. Kevin is indeed in Chile next week-- and would love to address your students. He does, however, charge a fee for his presentations (it's how he earns his livelihood)--- A standard presentation is 45 min. long plus 15 min. Q&A and covers the information presented in his book, The Art of Deception. The cost for a presentation like that is typically $15,000 US; however, due to the fact that you are an educational institution and Kevin will already be in the area delivering his other presentation, I could offer you a discounted price of $9,000 US (a savings of 40%)plus any related travel costs to/from your organization to his hotel.
Re:Teach People the Drums (Score:4, Informative)
Re:A note on hashing (Score:2, Informative)
Old way:
I wonder if anyone's password is just 'password'.
forall(user){test(user.hashedpasswor
New way:
I wonder if anyone's password is just 'password'.
forall(user){test(hash(user.login + 'password') = hash('password')}
2nd way requires more hashing to be done through the loop, but isn't really much harder.
PasswordSafe (Score:3, Informative)
PasswordSafe has random password generation that can be customized rather nicely.
Of course, the PasswordSafe database itself needs to protected by a passphrase...
[Disclaimer: I'm currently the project admin for PasswordSafe.]