Password Memorability and Securability

NonNullSet writes "Who would have thought that something new could be said about how best to select passwords? Ross Anderson of Cambridge University and some of his colleagues have performed new empirical studies and found some pretty non-intuitive results. For example:
1. The first folk belief is that users have difficulty remembering random passwords. This belief is confirmed.
2. The second folk belief is that passwords based on mnemonic phrases are harder for an attacker to guess than naively selected passwords. This belief is confirmed.
3. The third folk belief is that random passwords are better than those based on mnemonic phrases. However, each appeared to be just as strong as the other. So this belief is debunked.
4. The fourth folk belief is that passwords based on mnemonic phrases are harder to remember than naively selected passwords. However, each appeared to be just as easy to remember as the other. So this belief is debunked.
5. The fifth folk belief is that by educating users to use random passwords or mnemonic passwords, we can gain a significant improvement in security. However, both random passwords and mnemonic passwords suffered from a non-compliance rate of about 10% (including both too-short passwords and passwords not chosen according to the instructions). While this is better than the 35% or so of users who choose bad passwords with only cursory instruction, it is not really a huge improvement. The attacker may have to work three times harder, but in the absence of password policy enforcement mechanisms there seems no way to make the attacker work a thousand times harder. In fact, our experimental group may be about the most compliant a systems administrator can expect to get. So this belief appears to be debunked."
  • by Whitecloud ( 649593 ) on Monday May 24, 2004 @09:53AM (#9237240) Homepage
    How many passwords have you got? Turn on PC, open email, encrypted files, bank account logins, FTP logins, forum memberships, the list goes on. How many have you forgotten? We need a better authentication system than text passwords. Security agencies have developed stunning biometric identification technologies; perhaps these could be put out for the general public to use?
  • by crow ( 16139 ) on Monday May 24, 2004 @09:54AM (#9237249) Homepage Journal
    I'm confused as to why you would care how strong the passwords your users select are. As long as you control the authentication system, you can prevent repeated guessing--the days of globally-readable encrypted password files are gone. If you get more than a small number of failed guesses on a given account or from a given address, you cut off access, at least for a time.

    The key is to detect the attack.
  • Re:quepasa (Score:4, Insightful)

    by alexatrit ( 689331 ) on Monday May 24, 2004 @09:57AM (#9237270) Homepage
    Looking at the end result of this, how is it any different that typing up a list of randomly generated passwords in vim/notepad/whatever, and encrypting the list with gpg? You still have to run and check the program every time you want to login to a service. The passphrase supplied to quepasa could easily be that to decode your gpg-encrypted list of passwords.
  • Personally I think users should choose their own passwords and the system should limit them to >8 characters and a %age difference from their last 10 passwords. But I don't make up the policies.
    I agree, but you do that and then your security will be circumvented by Post-it notes on monitors. We lost that fight before it even began.
  • by arvindn ( 542080 ) on Monday May 24, 2004 @09:58AM (#9237289) Homepage Journal
    That will never be possible, considering this [slashdot.org].

    Seriously, even if you are using something other than passwords, say biometric authentication, security will remain as shabby as it is today unless users understand the importance of keeping the system secure. And that is a tall order.

  • by Stargoat ( 658863 ) <stargoat@gmail.com> on Monday May 24, 2004 @09:59AM (#9237302) Journal
    The problem isn't with passwords. The problem is with the 40 year old women in the office who use their kids names over and over with different numbers at the end of the password, and then write even that simple to remember password down at their desk. The problem is with an HR department that doesn't care if IT policies are enforced, and management that doesn't care if HR isn't doing their job.

    If IT keeps warning, they're told to stop worrying. If something happens, IT is blamed. These morons (leaders) need to figure out that IT isn't something that helps them do business. Their business runs on IT. Without it, they have no business.

  • Re:Size of Study (Score:5, Insightful)

    by Glonoinha ( 587375 ) on Monday May 24, 2004 @10:00AM (#9237312) Journal
    Statistically speaking, a 400 person focus group is going to so accurately represent the population from which they were selected it is almost overkill. Bear in mind, however, that they don't represent users in general, but computer users that are smart enough to get into college, aged roughly 18-19 years old, and open minded enough to participate in a college survey regarding passwords on computers.

    But yes, 400 people is way more than enough - heck you can usually predict the outcome of most elections using exit polls asking less people than that.
  • by Shimmer ( 3036 ) on Monday May 24, 2004 @10:00AM (#9237314) Journal
    Most of the time, people just don't care. And why should they?

    I probably have 200 passwords floating around in cyberspace, and 90% of them are "password". For example, I have to supply uid/pwd in order to read the Washington Post (my local newspaper). Is it important to keep this password secret? No, because I'm not very worried about someone reading the newspaper under my name.

    Unless I have confidential personal information at stake, I am not usually motivated to create a strong password.

    So, sysadmins, if the security of your overall network is more important than Joe User's individual data, you need to enforce strong password rules. Relying on users to create strong passwords voluntarily under such conditions is foolish.
  • by Frit Mock ( 708952 ) on Monday May 24, 2004 @10:01AM (#9237317)

    Nice try ... consonant-vowel is a nice pattern ... patterns are easier to break
  • by spidergoat2 ( 715962 ) on Monday May 24, 2004 @10:01AM (#9237320) Journal
    It just doesn't matter. It still going to be written on a yellow sticky and stuck on the screen.
  • by Plutor ( 2994 ) on Monday May 24, 2004 @10:02AM (#9237322) Homepage
    Another thing to remember is that rules like this just make brute-forcing simpler. There are 2.18*10^14 mixed-case alphanumeric 8-character passwords, but only 3.11*10^10 mixed-case consonant-vowel passwords (1/7000th as many possibilities), and only 1.2*10^8 single-case C-V passwords.

    Forcing 8-char passwords is just as inadvisable. There are 6.16*10^15 possibilities for 6-8 character passwords made up of all typeable characters (ASCII 33-126). That'll take 195 days to search the whole keyspace at 1M tests per second. And hopefully your password rotation is more often than that.
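The keyspace arithmetic in the two comments above, worked through as an added example (not code from the original discussion). It recomputes the quoted sizes (8-character mixed-case alphanumeric, 8-character consonant-vowel in mixed and single case, 6-8 characters over printable ASCII 33-126) and converts a keyspace into exhaustive-search time at a chosen guess rate. Reading "consonant-vowel" as a strictly alternating CVCVCVCV pattern is an assumption; so is the one-million-guesses-per-second rate used by the report.

```python
"""Keyspace arithmetic for the password families discussed above.

Added example, not from the original discussion.  It recomputes the
sizes quoted there and converts a keyspace into exhaustive-search time
at a given guess rate.  The alternating consonant/vowel pattern
(CVCVCVCV) is an assumption about what "consonant-vowel" means.
"""
import math

CONSONANTS = 21                  # b c d f g h j k l m n p q r s t v w x y z
VOWELS = 5                       # a e i o u
PRINTABLE_ASCII = 126 - 33 + 1   # 94 typeable characters


def keyspace_alphanumeric(length, mixed_case=True):
    """Strings of `length` characters over letters and digits."""
    letters = 52 if mixed_case else 26
    return (letters + 10) ** length


def keyspace_cv(length, mixed_case=True):
    """Strictly alternating consonant/vowel strings (C V C V ...).

    With mixed case every letter may independently be upper or lower,
    which doubles the choices at each position.
    """
    case = 2 if mixed_case else 1
    consonant_slots = (length + 1) // 2     # positions 0, 2, 4, ...
    vowel_slots = length // 2               # positions 1, 3, 5, ...
    return (CONSONANTS * case) ** consonant_slots * (VOWELS * case) ** vowel_slots


def keyspace_printable(min_len, max_len):
    """All strings of min_len..max_len characters over printable ASCII."""
    return sum(PRINTABLE_ASCII ** n for n in range(min_len, max_len + 1))


def entropy_bits(keyspace):
    """Bits of work an attacker faces against a uniformly chosen password."""
    return math.log2(keyspace)


def search_days(keyspace, guesses_per_second):
    """Days needed to try every candidate at the given rate (worst case)."""
    return keyspace / guesses_per_second / 86400


def report(rate=1_000_000):
    """Each family: (size, bits of entropy, days for a full search at `rate`/s)."""
    families = {
        "8-char mixed-case alphanumeric": keyspace_alphanumeric(8),
        "8-char mixed-case consonant/vowel": keyspace_cv(8),
        "8-char single-case consonant/vowel": keyspace_cv(8, mixed_case=False),
        "6-8 chars, printable ASCII": keyspace_printable(6, 8),
    }
    return {name: (size, round(entropy_bits(size), 1), round(search_days(size, rate), 1))
            for name, size in families.items()}


if __name__ == "__main__":
    for name, (size, bits, days) in report().items():
        print(f"{name:38s} {size:.3g} candidates  {bits:5.1f} bits  {days:>12,.1f} days at 1M/s")
```

The ratio of the first two families comes out at roughly 7000, matching the comment's "1/7000th"; `search_days` returns days so the reader can convert to whatever unit suits the rotation policy being compared.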
  • by Liselle ( 684663 ) * <slashdot@lisWELTYelle.net minus author> on Monday May 24, 2004 @10:03AM (#9237333) Journal
    The moment X method becomes popular, it is immediately less effective, because crackers will know what to poke at. If there is a world of unfriendly machines out there, one of your best bets is being a moving target. Password studies are interesting, but the results (of how hard they are to crack) can't be valid for long.
  • by Afty0r ( 263037 ) on Monday May 24, 2004 @10:03AM (#9237337) Homepage
    Perhaps I'm crazy but I've always felt an application which allows a brute force attack is flawed.

    Surely by this point in software development it should be regarded as standard for every program to LOCK access for a given account after X consecutive failed logon attempts?

    Even setting this to something arbitrarily high like, say 1000, is more than any user would ever try before asking for help, but much MUCH MUCH less than any dictionary attack would require. Combine this with the possibility of real time notification for admins (facilitated by email/inter application messaging, or a small add-on service for the OS) when more than Y accounts are locked for this reason in Z minutes, and as a community we'd effectively end all dictionary attacks - or at least turn them into DOS attacks, but at least we'd know it was going on...
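The two controls proposed in this thread, crow's "cut off access after a small number of failed guesses on an account or from an address" and the lockout-after-X plus alert-when-more-than-Y-accounts-lock-within-Z-minutes idea directly above, implemented together as an added example (not code from the original discussion). The log format (`epoch account address OK|FAIL`), the thresholds in `LockoutPolicy`, and the sample events are all constructed for the example; the addresses are private-range placeholders.

```python
"""Failed-login lockout with mass-lockout alerting.

Added example, not from the original discussion.  Locks an account (and
a source address) after too many consecutive failures, and raises an
alert for administrators when more than Y distinct accounts have been
locked within Z seconds.  Log format, thresholds and sample events are
constructed for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures_per_account: int = 5      # X: consecutive failures before an account locks
    max_failures_per_address: int = 20     # failures from one source address before it locks
    lock_seconds: int = 900                # how long a lock lasts
    alert_accounts: int = 3                # Y: more than this many accounts locked ...
    alert_window_seconds: int = 600        # ... within Z seconds raises an alert


class LoginGuard:
    def __init__(self, policy=LockoutPolicy()):
        self.policy = policy
        self.failures = defaultdict(int)   # ("account"|"address", name) -> failure count
        self.locked_until = {}             # same key -> epoch second the lock expires
        self.recent_locks = deque()        # (epoch, account) for the alert window
        self.alerts = []                   # (epoch, [accounts]) raised so far
        self.last_alert = None

    def _is_locked(self, key, now):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:                   # lock expired: release and reset the counter
            del self.locked_until[key]
            self.failures[key] = 0
            return False
        return True

    def _lock(self, key, now):
        self.locked_until[key] = now + self.policy.lock_seconds

    def _note_account_lock(self, now, account):
        """Record a lock and alert if too many distinct accounts locked recently."""
        self.recent_locks.append((now, account))
        cutoff = now - self.policy.alert_window_seconds
        while self.recent_locks and self.recent_locks[0][0] < cutoff:
            self.recent_locks.popleft()
        distinct = {acct for _, acct in self.recent_locks}
        quiet = self.last_alert is None or now - self.last_alert >= self.policy.alert_window_seconds
        if len(distinct) > self.policy.alert_accounts and quiet:
            self.alerts.append((now, sorted(distinct)))
            self.last_alert = now

    def attempt(self, now, account, address, success):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        acct, addr = ("account", account), ("address", address)
        if self._is_locked(acct, now) or self._is_locked(addr, now):
            return "locked"                # do not even evaluate the credential
        if success:
            self.failures[acct] = 0        # success resets the account counter only
            return "ok"
        self.failures[acct] += 1
        self.failures[addr] += 1
        if self.failures[acct] >= self.policy.max_failures_per_account:
            self._lock(acct, now)
            self._note_account_lock(now, account)
        if self.failures[addr] >= self.policy.max_failures_per_address:
            self._lock(addr, now)
        return "failed"


def replay(lines, policy=LockoutPolicy()):
    """Feed 'epoch account address OK|FAIL' lines through a guard."""
    guard = LoginGuard(policy)
    outcomes = []
    for line in lines:
        ts, account, address, result = line.split()
        outcomes.append(guard.attempt(int(ts), account, address, result == "OK"))
    return guard, outcomes


# Constructed sample: one legitimate user, then a guessing run against four
# accounts from a single address, then the same address trying a fifth account.
T0 = 1_700_000_000
SAMPLE_LOG = [f"{T0} erin 192.168.1.5 OK"]
for i, user in enumerate(["alice", "bob", "carol", "dave"]):
    base = T0 + 1 + 10 * i
    SAMPLE_LOG += [f"{base + k} {user} 10.0.0.9 FAIL" for k in range(5)]
    if user == "alice":
        SAMPLE_LOG.append(f"{base + 5} alice 10.0.0.9 FAIL")   # sixth try on a locked account
SAMPLE_LOG += [
    f"{T0 + 40} erin 10.0.0.9 OK",          # right credential, but the address is locked
    f"{T0 + 41} erin 192.168.1.5 OK",       # same user from a clean address
    f"{T0 + 1000} alice 192.168.1.5 OK",    # alice's lock has expired by now
]

if __name__ == "__main__":
    guard, outcomes = replay(SAMPLE_LOG)
    for line, outcome in zip(SAMPLE_LOG, outcomes):
        print(f"{outcome:7s} {line}")
    for when, accounts in guard.alerts:
        print(f"ALERT at {when}: {len(accounts)} accounts locked: {', '.join(accounts)}")
```

Two design points worth noting: a locked account returns `locked` before the credential is evaluated, so the response cannot leak whether the guess was right, and a success resets only the account counter, so a source address that sprays many accounts still reaches its own lockout even if one of its guesses happens to succeed.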
  • by CharAznable ( 702598 ) on Monday May 24, 2004 @10:04AM (#9237343)
    I find that a good way of generating passwords is to come up with a sentence or a phrase that makes sense to you, take the first letter of each word, and then 1337 it up. For instance, Windows XP loves the Sasser worm becomes: WxP175W It's cryptic enough and easy to remember
  • Re:No passwords... (Score:5, Insightful)

    by Glonoinha ( 587375 ) on Monday May 24, 2004 @10:05AM (#9237351) Journal
    Stay late one night. After they are all gone walk from desktop to desktop. Look for post-it notes on the side of the monitor and under the keyboard, and in their drawers. The results will scare you, if your users are anything like mine, and I bet after that you start letting them pick less cryptic passwords.

    Also, if you know their password there goes any semblance of Non-Repudiation. And if you can 'remind them' either you have a very short list of users and can remember them, or you have a written list somewhere - nifty, but a bad idea.
  • by somethinghollow ( 530478 ) on Monday May 24, 2004 @10:07AM (#9237369) Homepage Journal
    What does that make Kevin Mitnick [kevinmitnick.com]?

    Oh, yeah... I remember him. I forgot that guy existed after he was free and not a symbol of everything that was wrong with the legal system in the US.
  • Problem I always have with biometric identification is that it lacks something that passwords have: I can change my password, but I can't change my fingerprints. It's both more secure and less secure at the same time. Not better, just different, imo.
  • by Slick_Snake ( 693760 ) on Monday May 24, 2004 @10:09AM (#9237394) Journal
    Use of a physical token combined with an easy to remember pin is more secure than passwords. Since pin numbers tend to be short there is no problem with choosing them randomly. Furthermore with a limit on the number of failed attempts before disabling the token you make it nearly impossible for someone to break in.

    Looking at through cynical eyes it doesn't matter how secure your method is because, you are ultimately placing trust in the typical user who will most likely do something stupid when given the chance.

  • Re:Ha (Score:4, Insightful)

    by kpharmer ( 452893 ) * on Monday May 24, 2004 @10:11AM (#9237405)
    I used to do that back in the USMC - I converted my wall locker combination to base 7 and then put that on tape on the back of the lock. Everyone in the barracks tried it and failed. Meanwhile I had a nicely documented combination. Of course, I suppose I was fairly lucky that nobody simply removed the tape - but the same combination was also in my wallet along with all my PIN numbers. Again in base 7...
  • by Tim C ( 15259 ) on Monday May 24, 2004 @10:12AM (#9237421)
    The good thing about passwords is that they can be changed if forgotten or compromised. If a system that uses biometric information is compromised, you don't have that option - I can't change my retinal pattern or finger prints.
  • by Anonymous Coward on Monday May 24, 2004 @10:12AM (#9237424)
    . . . looks like users are still the weakest link in security

    Exactly, security through obscurity just does not work, passwords are not the answer.
  • by the_mad_poster ( 640772 ) <shattoc@adelphia.com> on Monday May 24, 2004 @10:13AM (#9237429) Homepage Journal

    I second the HTML version. Good old Adobe - popped up a nice little window in the background bugging me to update and stalled the IE process. Since the window went to the background, all I could see was the stalled process, and I killed IE, which, of course, closed all my windows. I hate pdf files...

    Anyway, here's a consideration: semi-disgruntled employees. For example, I'm not disloyal enough to actively seek to damage the company's systems or information, but with the way they treat employees, and the way my dysfunctional department operates, I'm not loyal enough to sit and try to think of strong passwords every month. So, I come up with creative ways to circumvent the draconian password policy instead. Ironically, some of my stronger passwords have been defeated by this overly strict ruleset and wound up with me simply appending a character to a weaker password to get around it.

    The lesson: draconian password policies hurt security and audit your password lists on a regular basis (at least randomly sample them regularly). Most of your users probably don't give a crap about their passwords because they don't give a crap about what happens to the company's systems and information.

  • by _bug_ ( 112702 ) on Monday May 24, 2004 @10:15AM (#9237449) Journal
    Length and randomness go together and it should never be an either/or decision.

    Plus it's difficult to factor in the domain of characters an attacker will use to brute force a password. Throwing in a punctuation mark on a relatively short password will be strong against any attackers who use only alphanumeric characters in their cracking scheme. But the first attacker who does include said punctuation will crack a short password relatively quickly.

    L0phtcrack probably has the best approach in which a basic dictionary attack, then a hybrid attack by attaching numerals and punctuation on to the end of a dictionary word. Etc..

    But really, if you're not using a dictionary word as your password, the chances of a brute force attack being successful are very low.

    An attacker is going to get your password through other means such as keylogging or packet sniffing.

    Passwords are really only one tiny piece to the whole security plan and I think it's too focused on. How about more on how to physically protect a machine, how to prevent keyloggers or packet sniffers. How about social engineering? That's one of the last topics (if at all) to be covered during discussions about security.

  • by ImTwoSlick ( 723185 ) on Monday May 24, 2004 @10:20AM (#9237513)
    The real problem is the forced password changes every 90 days (for me), and the half-dozen (at least) passwords I have to change every time. Thank God my IT doesn't check for reused passwords, or I'd have to resort to writing them all down, or picking insecure sequences.
  • by Gorbag ( 176668 ) on Monday May 24, 2004 @10:21AM (#9237521)
    Random passwords, password aging, etc. are indeed the problem. The human element is a constant, and humans aren't that good (these days) at memorization. So all you are doing by assigning a random password and/or aging, is making it more likely (bordering on certainty) the password is going to get written down and sticky taped to the monitor.

    Catchphrases are far easier to remember, and simple mapping of words to punctuation symbols and numbers can go a long way to personalizing even a catchphrase. IT should train appropriate passwords, and run crack to catch problems.

  • by hal2814 ( 725639 ) on Monday May 24, 2004 @10:23AM (#9237540)
    One of our computer systems requires changing passwords regularly. The people at our office have a tendency to write down a list of as few unique passwords as they must provide and "hide" this list either under their mouse pad or taped to their monitor. Some even have an arrow pointing to the current password. I feel much safer about the security of our other system that doesn't enforce changing passwords. At least then the hacker must look at a family album to determine the password instead of just looking under the mouse pad.
  • by Bronster ( 13157 ) <slashdot@brong.net> on Monday May 24, 2004 @10:25AM (#9237558) Homepage
    If IT keeps warning, they're told to stop worrying. If something happens, IT is blamed. These morons (leaders) need to figure out that IT isn't something that helps them do business. Their business runs on IT. Without it, they have no business.

    Actually, you're wrong. It's people that the business runs on in almost all cases. IT is a tool that makes people so much more efficient that processes now assume that it's available and most of those people don't know how to function without it (and more to the point the information they need to operate is stored in it rather than kept in folders on their desk where they could get at it).

    A design where authentication is centralised to a secure enough server and authentication attempts are throttled so that guessing attacks are restricted means that you don't _need_ such a draconian password policy. My work uses RSA SecurID for all logins from outside the corporate intranet. Within the intranet we're a little soft and squishy, but that's considered a lower cost than the cost of having to tell people their passwords all the time. And yes, we do have password policies, but they're not insanely complex.
  • by TheTXLibra ( 781128 ) on Monday May 24, 2004 @10:28AM (#9237590) Homepage Journal
    Well, having been a System Administrator, I can sympathize with this plight. Even a small non-compliance percentage is a bad thing, since there's only about 50-million cracker tools that will give the list of usernames for the network. Here's a few things I can recommend. Most are common sense, but just in case, I thought it might help:

    1. Educate your users in 1337-speak. - You know, 3's as E's, 7's as T's, etc. Point out that they can make nearly any normal, easy to remember password more secure by using 1337-speak. This will help prevent tools like L0phtCrack from breaking the code in minutes, but rather might change it to days. I did a bit of security consulting and found this to be the easiest way of ensuring compliance at the user level. For added security, have them make phrases using the special characters. For instance $4Bugs is a rather secure six-letter password (though really I'd prefer 8+).
    2. Fear Works Wonders - Divulge that if their account is hacked because of a non-compliant password, the entire office will know of it, and they will probably be lynched, but only after the cracker has stolen all their bank account info and ss#. This may or may not be the truth, but the people listening to you say this are the same people who are using their CD-ROM drive bay for a cup holder.
    3. Tools a la Sneakers - Of course, you can turn on password enforcements, that's the first one. Now try to crack your own network. Not a Cracker? All right, then just go download YAPS, LANGuard, and L0phtCrack and run those. Yeah, they're only scripts, but unless your network has somehow garnered the attention of a serious cracker, the only ones assaulting you will be script-kiddies. So fill in the blanks, and see how your network holds up.
    4. Given Time, Serious Hackers Will Get In - There's only so much security you can have without just simply yanking the network from any outside connections. If the network you are supporting is government, big-money, or anything of interest to a serious hacker, it is only a matter of time. Forced PW changes (every 14 days) or so, will help reduce this chance a lot, but will also anger your users. But if passwords are allowed to sit for 30 days, and a compliant admin-access password only takes 25 days to crack, then it will be cracked.
    5. Sure, let them keep their PWs on stickies... IN A LOCKED CABINET - Most offices will give you a drawer with a lock on it. These locks are almost never used. Find the Facilities person for this office and get those keys. Let the users write down their PWs in a notebook or stickies, but make it clear they need to lock those books up at night or take them home. Getting a custodial job to crack a network by writing down PWs from stickies on the monitor is the oldest trick in the book (and by god, it still works great). If you catch someone with password stickies on their monitor, punish them.
    6. Breed ph34r and paranoia - I printed out some old WWII propaganda posters and changed the lettering on them to refer to passwords and security. It was fun, livened up the walls a bit in the office, and served as a subtle reminder to the users that SAM the Cracker was always out there, trying to steal their (fill in the blank). Of course, in truth, we only had one serious hacking attempt, but it was a lot of fun scaring them, and it made them more attentive to possible security breaches. Sometimes annoyingly so, but hey, we never got cracked in the time I was there.


    -The Libra
    "You've got no kids, no wife, no job, and you're not in The Tigger Movie!!!"
    - my best friend's son, Gabe, at 5 years old. [everything2.com]
  • The problem isn't with passwords. The problem is with the 40 year old women in the office who use their kids names over and over with different numbers at the end of the password

    (Why the slam on 40 year olds?)

    Anyway. The problem is with passwords--the fact that you're forcing someone who really doesn't want to and shouldn't be made to into picking a password. You should just randomly assign one, give it to the person, and tell them that this is THEIR password until it gets compromised.

    The 40-year old woman remembers her PIN, her SSN, and her street address. She can remember a "Strong Password"--she just can't choose one.
  • by hackstraw ( 262471 ) * on Monday May 24, 2004 @10:36AM (#9237664)
    The problem isn't with passwords. The problem is with the 40 year old women in the office who use their kids names over and over with different numbers at the end of the password, and then write even that simple to remember password down at their desk. The problem is with an HR department that doesn't care if IT policies are enforced, and management that doesn't care if HR isn't doing their job.

    <sarcasm>
    Yeah, I'm a super for an apartment complex, and I have these problems all the time. These fucking 40 year old women use their kids' names as their passwords to get in their apartments, and then complain to me about how ghetto the apartment complex is because their apartments get broken into all the time. These dumbasses also have me call up tow trucks and passwordsmiths all the time because they cannot remember their password for their car. I keep telling them to make better, easier to remember passwords, but they are all just morons.

    A buddy of mine is a super at another apartment complex, and they still use "old school" technology like keys to get into their apartments and cars, and they rarely if ever have these problems.
    </sarcasm>

    The moral of the story is that there are such things as physical tokens, smartcards, etc. that can provide keys to authenticate people to access computer systems. I hate to break it to you, but username/password schemes only authenticate usernames and passwords.

    The only thing that has not been worked out cleanly with keys is revocation. Any ideas here?
  • by ericspinder ( 146776 ) on Monday May 24, 2004 @10:37AM (#9237685) Journal
    The real problem is 30 day password expiration. Short password expirations are (I believe) the largest security hole in IT. On the user side, most people cannot keep coming up with new complex passwords every few weeks; they know that they will forget, so they get into the habit of writing down the password, or trying to create a "moving password scheme" that is easier to remember. Also a problem is the lack of a consolidated logon, meaning that the current password will not be updated in multiple distributed systems. Many users who "follow policy" and fail to keep mental track of their password are heavy users of password reset, which creates "social engineering" problems.

    Password reset is the number one help desk issue. All you need is some basic information about the user and a cracker could get the password reset to whatever they want. It's tough for companies to make resets as tough as they really need to be, the cost would be too high.

    I believe that the best solution is to enforce complex passwords and allow those passwords to last 6 months or longer.

  • by Nick Harkin ( 589728 ) <slashdot@NOsPAm.cast-computers.co.uk> on Monday May 24, 2004 @10:47AM (#9237770)
    Actually, key logging can be gotten around, if you click around windows, or even within the actual password field, entering numbers in the wrong order....

    But other than that, your method works. I have a sequence of passwords I remember solely on how my fingers touch the keyboard; although I do still know what the password is, I don't even have to think about it to type it in.
  • by Aapje ( 237149 ) on Monday May 24, 2004 @10:48AM (#9237776) Journal
    The problem is with the 40 year old women in the office who use their kids names over and over with different numbers at the end of the password

    No, the problem is with the password police who require those women to change their password every month. While that theoretically improves security, in reality it makes it worse because people are prone to forget their changed passwords and thus write them down. That is not the user's fault. That those 40 year old women can't remember their passwords, especially when they change every month, is a fact of life. Ignoring that fact, changing the situation from bad to worse, means that you are stupid, not the users.

    </end rant about stupid sys admins>

    Anyway, if you really cared about security, you would use smartcards, fingerprints or whatever. Passwords for regular users are about as secure as locking your front door and putting the key under the mat*.

    *In a place I worked someone used 'secret' as a password and shouted it across the room. And yes, it was a 40 year old woman. ;)

    If IT keeps warning, they're told to stop worrying. If something happens, IT is blamed. These morons (leaders) need to figure out that IT isn't something that helps them do business. Their business runs on IT. Without it, they have no business.

    Sure, management is ultimately responsible for everything. But often, IT can also be blamed for not being informative enough. In the case of security, you should ideally have made a comparison between the security mechanisms and offer your boss a clear choice:
    - Passwords without enforcement/whining = little security + easy for users
    - Passwords with user enforcement = some security + hard on users
    - Chopping off a finger for every bad login attempt = good security + lawsuits
    - etc...

    Spell it out and get management to agree what your job is, what others should do and what things can still happen. Of course, then management can still be unfair, but you will be happy knowing that you are being professional.
  • Re:quepasa (Score:5, Insightful)

    by bcrowell ( 177657 ) on Monday May 24, 2004 @10:52AM (#9237807) Homepage
    Also

    4. Encryption software tends to be hard to use, and to use it, you have to understand quite a bit about encryption. (What's a keychain? What's a public key? A private key? What do I do if my private key is compromised?)

    Personally I use a GPG-encrypted file, but quepasa does sound like a neat idea. My only misgiving about it is that it still requires users to have a clue, and the point of the article seems to be that having a clue (or caring enough to make an effort) is the limiting factor.

  • by pedantic bore ( 740196 ) on Monday May 24, 2004 @10:54AM (#9237830)
    4. The fourth folk belief is that passwords based on mnemonic phrases are harder to remember than naively selected passwords.

    Is this a typo, or is there a new meaning of "mnemonic"? The whole point of mnemonic passwords is that they're easy to remember. That's what mnemonic means.

  • by tentimestwenty ( 693290 ) on Monday May 24, 2004 @10:59AM (#9237869)
    If you have a lot of passwords, use a program to store them in encrypted form and have one good rotating password to open them all up. Ultimately I guess one of these could be cracked but it's a distant chance and thus a good compromise for someone who's got a lot to keep track of.
  • by Anonymous Coward on Monday May 24, 2004 @11:01AM (#9237881)
    It's that fucking attitude that makes my life miserable. ALL computers are desirable. MOST attacks are automated. They have nothing against YOU personally.
  • by aphor ( 99965 ) on Monday May 24, 2004 @11:07AM (#9237921) Journal

    Making this kind of argument is valid only if it is practical for people to use passwords from a maximum-entropy pool of acceptable passwords. Think about this for a second: what you are talking about, strictly speaking, is a cryptographic key. However, we keep using the term password. The difference is subtle but significant, and it is the crux of the issue in the article (RTFA). Passwords are a kind of word, used as a cryptographic key in this case. So, they are the intersection of the set of things that can be words and the set of things that can be cryptographic keys. If you get too strict with the definition of either of the two sets, you risk shrinking the intersection to a cryptographically insignificant number of brute-force attempts.

    Rules like this do *not* make brute-forcing simpler. What we need is more like them. Instead of forcing people to use a selection of truly random numbers as passwords, we should have a cornucopia of different mnemonic password generation algorithms with different inputs that are likely to differ greatly (in two dimensions) from person to person and over time. The total brute force guesses would be the UNION of all of those sets, and they would also meet human factors requirements. The way to improve cryptographic security of passwords is to *increase* freedom, and to discourage conformity. Specifically ruling out different password mnemonics actually shrinks your pool of brute-force possibilities and thus weakens your scheme. It is acceptable for some people to use dictionary-weak passwords sometimes as long as there is a much greater likelihood at any one time that they will not.

    The bigger the dictionary, the closer the attack comes to brute-force keyspace searching. GROW the dictionary to obtuse proportions!

  • by Dark$ide ( 732508 ) on Monday May 24, 2004 @11:26AM (#9238129) Journal
    I've been citing that article as a good study of password quality for about six or seven years.

    This is hardly new research.

  • by Anonymous Coward on Monday May 24, 2004 @11:30AM (#9238174)
    Remember about password hashes - you steal them and break them (brute force on YOUR system). For example, on the web hashes may appear in URLs or cookies, SQL injection attacks may often get you these hashes (or even passwords at once, if script author is so clueless..) etc.
  • by damiam ( 409504 ) on Monday May 24, 2004 @11:36AM (#9238212)
    Any password system is inherently "security through obscurity". It only works if the cracker doesn't know the password. Security through obscurity is bad only if the obscurity is weak.
  • by the chao goes mu ( 700713 ) on Monday May 24, 2004 @11:55AM (#9238458)
    Worse, irregular password change schedule ( different cycles on different machines, some with longer or shorter periods) and different password policies on each machine. (No fewer than 8 chars, no more than 8 chars, must have a numeric, cannot begin with a numeric, can't contain certain characters... )
  • by droid_rage ( 535157 ) on Monday May 24, 2004 @12:07PM (#9238607) Journal
    I don't know how this got modded insightful.
    Response to #1: L0phtcrack and several other cracking tools have had character substitution methods for years. This method no longer works as a security measure.
    Response to #2 and #6: Breeding fear and paranoia through alarmist propaganda is a really bad idea, because there will always be enough people in that office who will know better, and it's better to have those people on your side rather than in contempt of you.
    Response to #3: These tools are not scripts, but rather auditing tools which still require some training to use correctly. For example, LANguard, just like Nessus and ISS Internet Scanner (which I've also used) can crash systems if you're not careful, and tends to return a substantial amount of false-positives, in my testing at least. BTW, 'cracking' the network with Yet Another Password Safe? Might be a little tough.
  • Re:NOT secure (Score:2, Insightful)

    by John Newman ( 444192 ) on Monday May 24, 2004 @12:56PM (#9239134)
    I dunno, this kind of simple encryption doesn't seem too bad. Aside from social engineering, your two main worries are remote brute-force attacks and local unauthorized logins, right? The simple encryption makes any kind of brute-force dictionary attack very unlikely to succeed. Meanwhile, even with the chart in front of them, no one can just walk up and log on to his terminal. It's unlikely an attacker will sit in his chair for an hour and work out possible passwords.

    The only potential problem is if someone walks up to his desk, swipes or photocopies the chart, then uses the code in a remote brute-force attempt (assuming he also knows the poster's log-in). Again, doesn't seem likely, and is anyway solved by the poster printing out a new chart once a month - much more painless for him than picking out a new password.
  • by some guy I know ( 229718 ) on Monday May 24, 2004 @01:21PM (#9239389) Homepage
    At work they make me change them every 30 days! There's no way I can memorize a good password that frequently.
    It's very simple.
    Take a song that you like, and use the first letters of each line as your password.
    If your password requires numbers or special characters, use the line number of the song, plus its shifted equivalent.
    If it requires both upper and lower case, use one upper-case letter, the same position each time.

    For example:
    A long long time ago,
    I can still remember
    How that music used to make me smile.

    Month 1: aLlta1!
    Month 2: iCsr2@
    Month 3: hTmutmms3#
    etc.

    Each year, pick a new song.
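    The song-lyric scheme described in the comment above, written out as an added example (not the commenter's own code). It assumes a US keyboard layout for the "shifted equivalent" of a digit, capitalises the second character as the three worked examples do, and adds a small helper that reports how much of each password is fixed by the month alone, which is the part a defender would want to notice: the trailing digit and symbol carry no secret at all.

```python
"""Song-lyric password generator from the comment above (added illustration).

Assumptions: US keyboard layout for shifted digits, upper-case letter at
position 2, and the three lyric lines quoted in the comment as sample input.
"""
import string

# Digit -> character on the same key with Shift held (US layout; assumption).
SHIFTED = dict(zip("1234567890", "!@#$%^&*()"))

# Constructed sample input: the three lyric lines quoted in the comment.
SONG = [
    "A long long time ago,",
    "I can still remember",
    "How that music used to make me smile.",
]


def first_letters(line: str) -> str:
    """Lower-cased first letter of each word; punctuation-only tokens are skipped."""
    letters = []
    for word in line.split():
        word = word.strip(string.punctuation)
        if word:
            letters.append(word[0].lower())
    return "".join(letters)


def lyric_password(song: list[str], month: int, upper_pos: int = 1) -> str:
    """Password for a month (1-based line number), following the comment's rules:
    first letters of the line, one fixed position upper-cased, then the line
    number and its shifted equivalent."""
    if not 1 <= month <= len(song):
        raise ValueError("month must index a line of the song")
    core = list(first_letters(song[month - 1]))
    if upper_pos < len(core):
        core[upper_pos] = core[upper_pos].upper()
    digits = str(month)
    return "".join(core) + digits + "".join(SHIFTED[d] for d in digits)


def predictable_suffix_length(month: int) -> int:
    """Number of trailing characters determined by the month alone (digit + symbol)."""
    return 2 * len(str(month))


if __name__ == "__main__":
    for m in range(1, len(SONG) + 1):
        pw = lyric_password(SONG, m)
        print(f"Month {m}: {pw}  ({predictable_suffix_length(m)} chars fixed by schedule)")
```

Running it reproduces the three passwords in the comment. Note that the only secret material is the string of initial letters; the case pattern, the digit and the symbol are all implied by the scheme and the calendar, so anyone who knows the scheme and the song gets the whole password.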
  • by Anonymous Coward on Monday May 24, 2004 @02:13PM (#9239843)

    It may sometimes = bad security but it isn't necessarily bad.

    The assumption of many many posters is that the chief threat is someone poking around a worker's desk and getting the password that way.

    RTFA

    The problem is not choosing a good password, and social engineering (and that is all in the summary).

    I had thought the results were entirely intuitive and the original poster didn't know what he was talking about, but so many miss the point that maybe I'm wrong.

    Or maybe there are a lot of 'post first, think never' people on Slashdot......Nahhhhh.

    Writing down passwords isn't bad in itself. I write mine down and keep them in a locked drawer. Security keeps out everyone who doesn't have business in the building, and you'd have to know a lot to be able to guess that I wrote down passwords and where they might be, and which it might be. And my work-group is 24x7. So it is no problem. Oh, and my coworkers all have the same access as I do. So is it bad I wrote down my passwords? Nope. Could it be bad in some circumstances? Yep, but to rail against a good password policy because someone might (horror of horrors!) write down a password is pretty stupid.
  • by krgallagher ( 743575 ) on Monday May 24, 2004 @02:58PM (#9240259) Homepage
    IMHO here is the most important part of the article:

    Compliance is the most critical issue. In systems where users can only put themselves at risk, it may be prudent to leave them to their own devices. In that case, it must be expected that about 10% will choose weak passwords despite the instruction given. In systems where a user's negligence can impact other users too (e.g., in systems where an intruder who gets a single user account can rapidly become root using well known and widely available techniques), consideration should be given to enforcing password quality by system mechanisms.

    Some people will never understand security. Don't let these people be a security hole. Let them be insecure, but keep them off critical systems. The receptionist's account should not be able to gain root access on your unix systems. It should not be a member of Domain Administrators on your Windows network. You should be able to withstand having an average user's account being completely compromised without any risk to the network.
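    The quoted passage recommends "enforcing password quality by system mechanisms" rather than relying on instruction. Below is an added example of such a check (not code from the paper or the commenter): the rules it applies (minimum length, three character classes, a blocklist of common choices, and a check that the user name is not embedded) are assumptions chosen to match that kind of mechanism, and the list of user choices it audits is constructed so that the non-compliance rate comes out at the 10% figure the summary quotes.

```python
"""Password-quality enforcement check (added example; rules are assumptions).

Demonstrates the "system mechanism" the quoted passage recommends: reject a
password at the point of choice instead of hoping the user followed advice.
"""
import string

MIN_LENGTH = 8

# Constructed blocklist; a deployment would load a large common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Constructed sample of (user name, chosen password) pairs; one of ten is weak.
SAMPLE_CHOICES = [
    ("alice", "Tr0ub4dor&3"),
    ("bob", "password"),
    ("carol", "Mj9#kLp2qZ"),
    ("dave", "xR7!vbNm4w"),
    ("erin", "Qw3rtyU!op"),
    ("frank", "Blu3-Sky$99"),
    ("grace", "Lamp?Post42"),
    ("heidi", "Zebra#7Cloud"),
    ("ivan", "n0rth-W1nd!"),
    ("judy", "Orange@Tree5"),
]


def password_problems(password: str, username: str = "") -> list[str]:
    """Return every policy violation found; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    return problems


def accept(password: str, username: str = "") -> bool:
    """Enforcement decision: True only when no rule is violated."""
    return not password_problems(password, username)


def noncompliance_rate(choices: list[tuple[str, str]]) -> float:
    """Fraction of submitted choices the policy would have rejected."""
    rejected = sum(1 for user, pw in choices if not accept(pw, user))
    return rejected / len(choices)


if __name__ == "__main__":
    for user, pw in SAMPLE_CHOICES:
        verdict = "ok" if accept(pw, user) else ", ".join(password_problems(pw, user))
        print(f"{user:6} {verdict}")
    print(f"non-compliance rate: {noncompliance_rate(SAMPLE_CHOICES):.0%}")
```

A check like this is coarse: it cannot tell a genuinely random string from a lyric-derived or keyboard-walk one that happens to satisfy the character-class rule, so it complements, rather than replaces, keeping low-trust accounts away from root and domain-admin rights as the comment argues.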

  • by Minna Kirai ( 624281 ) on Monday May 24, 2004 @03:15PM (#9240402)
    the real usefulness of PDFs is that they are portable. I have a document, I can email it or FTP it or network-share it to any user on any platform and it will look exactly the same.

    I would argue that you have just mentioned why PDFs are not portable.

    Because the document always looks "exactly the same", that means that in some viewing environments it will be much harder to read, or even flat-out illegible. If the recipient has a tiny PDA screen, or has impaired vision, then an HTML file (or even a Microsoft Word DOC) can be reformatted on the client-side to have 30-pt text or unified columns, or whatever else is needed (including speech synthesis for the totally blind)

    Why, PDFs aren't even portable between the USA and Europe! (because paper comes in different sizes across the Atlantic).
  • by julesh ( 229690 ) on Monday May 24, 2004 @03:49PM (#9240757)
    You're missing the reason "because passwords can be cracked by brute force, but this generally takes some time to achieve".
  • by harmlessdrudge ( 718066 ) on Monday May 24, 2004 @08:30PM (#9243245)
    The moral of the story is that there are such things as physical tokens, smartcards, etc. that can provide keys to authenticate people to access computer systems. I hate to break it to you, but username/password schemes only authenticate usernames and passwords.

    Hello? Physical tokens authenticate physical tokens--unless combined with something known only to the authorized user (two factor authentication).

  • by krinsh ( 94283 ) on Tuesday May 25, 2004 @10:10AM (#9247188)
    and everyone seems to have their own way of generating them. I know one person that uses license plate numbers he memorizes while on the highway. I use Cloak on my Palm to keep the 40 or so that I have to use to get my job done - yes, I said 40. I'm of the firm belief that none of these practices are secure at all. If it's a password, it will be broken eventually. Where I can use passphrases, I do. Even those can be broken given time. When they come up with reliable, inexpensive biometrics, and combine them with digital certificates or encryption keys (pick your flavor) - I think we'll be far more secure. I know that privacy can be an issue with biometrics but what if you encrypt the biometric data itself and don't make any of it personally identifiable except to its owner?
