Password Memorability and Securability
NonNullSet writes "Who would have thought that something new could be said about how best to select passwords? Ross Anderson of Cambridge University and some of his colleagues have performed new empirical studies and found some pretty non-intuitive results. For example:
1. The first folk belief is that users have difficulty remembering random passwords. This belief is confirmed.
2. The second folk belief is that passwords based on mnemonic phrases are harder for an attacker to guess than naively selected passwords. This belief is confirmed.
3. The third folk belief is that random passwords are better than those based on mnemonic phrases. However, each appeared to be just as strong as the other. So this belief is debunked.
4. The fourth folk belief is that passwords based on mnemonic phrases are harder to remember than naively selected passwords. However, each appeared to be just as easy to remember as the other. So this belief is debunked.
5. The fifth folk belief is that by educating users to use random passwords or mnemonic passwords, we can gain a significant improvement in security. However, both random passwords and mnemonic passwords suffered from a non-compliance rate of about 10% (including both too-short passwords and passwords not chosen according to the instructions). While this is better than the 35% or so of users who choose bad passwords with only cursory instruction, it is not really a huge improvement. The attacker may have to work three times harder, but in the absence of password policy enforcement mechanisms there seems no way to make the attacker work a thousand times harder. In fact, our experimental group may be about the most compliant a systems administrator can expect to get. So this belief appears to be debunked."
quepasa (Score:5, Interesting)
The combination means that I can always "recall" the password for any of my accounts using the quepasa application (all I remember is a single passphrase), and the passwords are not stored anywhere.
John.
Consonant-Vowel Method (Score:5, Interesting)
Sys admin and internal support (Score:3, Interesting)
Where I work the passwords are changed by internal support and logged into a database as well as entered into the system.
Despite requests to use strong passwords, the internal support view is to get as quiet a life as possible and just accept whatever password a user chooses.
The number of times I've seen summer1 is ridiculous.
Personally I think users should choose their own passwords and the system should limit them to >8 characters and a %age difference from their last 10 passwords. But I don't make up the policies.
Length vs randomness (Score:5, Interesting)
Then we can determine a good password policy that fits with the security model at the facility.
No passwords... (Score:3, Interesting)
On the other hand, I don't have a password retention policy either, so really if someone is in my employ for more than six months, there's a good chance of a password getting lost into the wrong hands. Yes, I know this is a bad idea.
a couple things i do (Score:5, Interesting)
1) On my servers the password changer forces them to not use dictionary words, has to have numbers, letters and nonnumeric characters, and they can't use their previous so many passwords
2) For my password I use a few things from my childhood that no one will ever come up with.
3) There is nothing like keeping up on your security patches.
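The rules described in this post and in the "Sys admin and internal support" post above (more than 8 characters, a mix of letters, digits and other characters, no reuse of recent passwords, a minimum difference from the previous one), as an added Python example that is not either poster's code. The history depth of 10, the 9-character minimum and the 60% similarity threshold are assumed values. Only the current password is available in plaintext at change time (the user types it to authorize the change), so similarity is measured against that one; older passwords are kept only as salted hashes, which allows exact-reuse checks without storing a list of old passwords.

```python
import hashlib
import os
from difflib import SequenceMatcher

HISTORY_DEPTH = 10      # assumed: remember the last 10 passwords, as hashes only
MIN_LENGTH = 9          # assumed: the post asks for ">8 characters"
MAX_SIMILARITY = 0.6    # assumed: reject if more than 60% similar to the current password


def history_hash(password: str, salt: bytes) -> bytes:
    """Salted slow hash used only for exact-reuse checks against old passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def record_password(history: list, password: str) -> None:
    """Append a (salt, hash) pair and keep only the last HISTORY_DEPTH entries."""
    salt = os.urandom(16)
    history.append((salt, history_hash(password, salt)))
    del history[:-HISTORY_DEPTH]   # no-op while the list is still short


def was_used_before(history: list, candidate: str) -> bool:
    """Exact match against any remembered password (case-sensitive, like a login)."""
    return any(history_hash(candidate, salt) == digest for salt, digest in history)


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 1.0 means identical. Case-insensitive so 'Summer1' vs 'summer2' is caught."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_new_password(candidate: str, current: str, history: list) -> list:
    """Return the list of rule violations; an empty list means the candidate is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c.isalpha() for c in candidate):
        problems.append("no letter")
    if not any(not c.isalnum() for c in candidate):
        problems.append("no non-alphanumeric character")
    if similarity(candidate, current) > MAX_SIMILARITY:
        problems.append("too similar to the current password")
    if was_used_before(history, candidate):
        problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed walk-through: a user changing from an old password to a new one.
    history = []
    record_password(history, "Winter2003!x")
    print(check_new_password("summer1", "Winter2003!x", history))
    print(check_new_password("Autumn-2004-leaf", "Winter2003!x", history))
```

Dictionary-word rejection is deliberately left out of this block; it needs a wordlist and is a separate check. Note that a similarity check against anything older than the current password would require keeping old passwords recoverable, which is exactly the risk raised later in the thread about systems that hold a list of previous passwords.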
like this? (Score:2, Interesting)
declare @consonants char(20), -- declaration added: the post as quoted started mid-statement
@vowels char(5),
@password varchar(255),
@length tinyint -- passed to sp
select @consonants = 'bcdfghjklmnpqrstvwyz',
@vowels = 'aeiou',
@password = '', -- start empty: concatenating onto NULL yields NULL
@length = 8 -- maximum of 254. any more will overflow
while (@length > 0)
begin
-- floor(rand()*20) is 0..19, so adding 1 gives a valid 1-based index into all 20 consonants
select @password = @password + substring(@consonants, 1 + convert(int, floor(rand() * 20)), 1)
if (@length > 1)
begin
-- same idea for the 5 vowels: index 1..5
select @password = @password + substring(@vowels, 1 + convert(int, floor(rand() * 5)), 1)
end
-- clamp at 0 so an odd @length does not underflow the tinyint
select @length = case when @length > 1 then @length - 2 else 0 end
end
select @password
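The same consonant-vowel scheme in Python, as an added example rather than the poster's code. It draws each character with secrets.choice, which is a cryptographic generator (the T-SQL rand() is not), and works out how much entropy the pattern actually gives: each consonant position has 20 possibilities and each vowel position 5, so an 8-character CV password has about 26.6 bits, far less than the roughly 47.6 bits of 8 characters drawn from a 62-character alphabet. The 62-character comparison alphabet is an assumption.

```python
import math
import secrets

CONSONANTS = "bcdfghjklmnpqrstvwyz"   # 20 characters, the same set as the T-SQL above
VOWELS = "aeiou"                      # 5 characters


def cv_password(length: int = 8) -> str:
    """Alternate consonant, vowel, consonant, ... drawing each uniformly and securely."""
    if not 1 <= length <= 254:
        raise ValueError("length must be between 1 and 254")
    out = []
    while len(out) < length:
        out.append(secrets.choice(CONSONANTS))
        if len(out) < length:          # odd lengths end on a consonant
            out.append(secrets.choice(VOWELS))
    return "".join(out)


def cv_entropy_bits(length: int) -> float:
    """Entropy of a CV password: log2(20) per consonant slot plus log2(5) per vowel slot."""
    consonant_slots = (length + 1) // 2
    vowel_slots = length // 2
    return consonant_slots * math.log2(len(CONSONANTS)) + vowel_slots * math.log2(len(VOWELS))


def random_entropy_bits(length: int, alphabet_size: int = 62) -> float:
    """Entropy of a fully random password over an alphabet (assumed 62: a-z, A-Z, 0-9)."""
    return length * math.log2(alphabet_size)


def is_cv_pattern(pw: str) -> bool:
    """True if even positions are consonants and odd positions are vowels."""
    return all((c in CONSONANTS) if i % 2 == 0 else (c in VOWELS)
               for i, c in enumerate(pw))


if __name__ == "__main__":
    pw = cv_password(8)
    print(pw, f"{cv_entropy_bits(8):.1f} bits vs {random_entropy_bits(8):.1f} bits random")
```

The entropy figures are the practical caveat: pronounceable output is easy to remember and type, but an attacker who knows the generator only has to search the CV space, so a CV password needs to be considerably longer than a random one to offer the same resistance.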
Re:The best security (Score:3, Interesting)
All your i286 are belong to us.
Phonetic Passwords (Score:5, Interesting)
Better than Nothing (Score:1, Interesting)
i.e. Rover8Kitty!
It's not great, but better than Mary2.
Re:Consonant-Vowel Method (Score:5, Interesting)
My applications rarely force complexity (sometimes they require numbers or other non-alpha characters). The instructions are always there, but users rarely ever follow them.
One of my not-so-critical applications (a web messageboard!) from a while back stored the passwords as plaintext in the DB (I now use hashing, thank you very much). I once looked at the password list just to see how complex people chose their passwords:
~60% had one word passwords of about 5 or 6 letters, no numbers
10% used their username (which has since been prohibited)
10% had complex passwords - stuff that made no sense to me and used numbers, non-alphanumeric characters, etc.
The rest (a little more than 20%) had a word + a number, or something around those lines.
I did ask them all about password security, and I got two basic responses: My password is secure, or What does it matter?
Keyboard patterns? (Score:5, Interesting)
Looking at the above example it appears to be a password which follows the "strong password" methodology but have there been any studies on the effectiveness of using such a method? I know there are dictionary-based attacks which have some of the obvious patterns (qwerty, poiuy etc) but is such a method random *enough* to be feasible?
It seems to me that it would be much easier to train users to use a muscle-memory-like password than picking some word out of their ass. The human brain has one seriously developed pattern recognition/matching capability... why not use it?
Amoeba
Teach People the Drums (Score:5, Interesting)
1) Put both hands on our friend, QWERTY
2) Move fingers into a natural, systematic position
3) Bang out a pattern using all fingers
4) Randomly include the shift key and those keys at the top, including the Back Space
5) Keep hitting some keys even after you've hit Enter; Then hold the Back Space key (optional)
6) "Practice, practice, practice!" so it can be typed very fast
Results?
* I rarely mistype a password
* I don't know my own password
* I couldn't share my password with security unless a keyboard was around
* I type it in so fast, it would take a video recording to spy-capture it (me thinks)
Of course, nothing can help you with key logging
Message Boards (Score:5, Interesting)
If someone gets to post as Allen Zadr to slashdot, the worst that would happen is my karma would be burned. No big deal. I drop the account, start a new one, give Slashdot another 5 bucks.
The passwords I use on anything important, are far more secure.
For this reason, I would be far more suspicious of the 10% that use extremely complex passwords. Likelihood is that those passwords will match their online banking account and work passwords.
My password technique (Score:3, Interesting)
It works like this. I choose a book at random from my work area, choose a page at random and then pick a line. I develop a mnemonic password from that line. If I need a hint, I write down the page and line number on a piece of paper, I can even stick it to my monitor if I need to. My average library of reference books at work is over 50 books. How big a hint to an attacker is 347 12? All I have to remember is what book I chose.
My last job, my boss couldn't remember any password that wasn't part of his name until I introduced him to mnemonic passwords.
Monthly password changes (Score:1, Interesting)
So finally I figured out a pattern of keyboard taps that would meet the rules no matter which key on the keyboard you started with. So now I memorize 1 pattern and effectively have a 1 character password for every system I deal with.
Is it secure? no clue. Since I type it 1 fingered, it is probably vulnerable to shoulder surfers, but other than that I don't see a problem with it. I only know one other person that uses this technique, so there are probably not any specific attacks for it.
But if someone makes me use a Dvorak Keyboard, I am SOL.
Why should _you_ get to choose? (Score:2, Interesting)
The problem here is giving the users the ability to choose their password.
ugh. Don't give users a choice. When their password expires, give them a new one. Let them hit the "re-generate" button until they are happy or tired.
What really bugs me is that most ERP vendors don't recognize this as a problem. Most use screens/forms that have to be significantly customized to remove the "enter bad password here" choice.
Passwords? More like words. (Score:5, Interesting)
Or use SHA2. Cause I don't have rainbow tables to crack that. Yet. For those of you who don't or cannot follow security, the new buzz is creating your own crack tables in a couple of weeks or months. There is more info at the project rainbowcrack [antsight.com] page.
The misconception that everyone has about passwords now (because we as sysadmins pushed it so hard in the late 90s, early 00s) is that alphanumeric is the way to go. With the advent of generating your own cracking tables, that is no longer the case anymore.
An alphanumeric md5 set of rainbow tables can be generated in about a weeks time with a 2.4 ghz processor. That's my rough estimate based on the couple days it took me to make the alphanumeric one for LM hashes.
I would highly suggest that if you want your users to come up with good passwords you have them make a "one-time" password, seed with a 20-character salt that looks like someone pounded the keyboard, and store it inside a SHA2 hash.
A good administrator is going to salt their passwords with a string of characters that already satisfies the "alpha-numeric-symbol" requirement. If there is any reason to do something other than the first name of your child it is to stop coworkers or friends or people that already know about you.
When using brute-force/guess method this is what I try first and my guess is that at least 1% of Slashdot fathers use this or a form of it as their pass. It's okay to be proud of your kid, but don't think you're honoring them by including them in your password.
passflt.dll (Score:3, Interesting)
Password Security from the other end. (Score:2, Interesting)
There are so many places online where i am required to use a password, and there are so many ways for those different accounts to be linked together with some form of datamining on the other end. What I am concerned about is malicious intent from the other end. How can i trust that insiders with access to these password databases don't use my password info to sign into other account i may have on the net (i.e. financial accounts)?
I try to used different passwords depending on the level of trust i have for a certain company. For example, all of my banking passwords are different than say a password i would use to log into /. or hotmail. The problem with this is trying to remember which passwords are for which sites.
Of course, i then run into the problem of accounts where i must change my password monthly or quarterly, and i can't use previous passwords. This seems to be another huge security risk (unless a strong form of hashing is used) as the system now has a list of all my previously used passwords, and once again i have more passwords to remember as i can no longer stick with the few i would like to.
I feel that my passwords are relatively random and reasonably strong, and wish i could keep them. Does anyone what to test this theory and post AS ME from this /. account?
Re:Physical tokens are better (Score:3, Interesting)
Re:Consonant-Vowel Method (Score:3, Interesting)
Re:quepasa (Score:5, Interesting)
Basically it assigns random chars/numbers/symbols to each letter of the alphabet. It tosses things like zero, one, and eight and letters O, H, I, J, L, B (upper or lower, depending on confusion with the aforementioned numbers). Now I print this nice little table and use it for passwords all over the place. For example I could just remember "slash" which maps to the password Z?+JTLZ?4&
Also, if someone gets that little piece of paper or shoulder-surfs they don't get my passwords without at least a little effort. Oh and laminating it is a good idea, and an extra copy in a safe place wouldn't hurt too.
Combine random rubbish with memorable words. (Score:2, Interesting)
The password for a particular login is then the random rubbish for that login plus the memorable word. The memorable word can be the same for every login.
A brute force attack remains unfeasible without obtaining the piece of card; not perfect but it makes it a good deal harder as it requires the physical presence of the attacker. At the same time the user is more likely to obey your instruction not to write their word down as there is only one, easy to remember word to remember.
Stealing the password then requires both physical access to the bit of card and a brute force attack. That raises the bar quite a bit from needing only one of those two.
reusing old passwords (Score:3, Interesting)
I'll give you an example, a place I used to work required all the standard things: caps, non-alpha, 90 day expiration, etc. but what bugs me is that your new password can't be the same as any of your previous 6. Now, I have three or four good solid passwords that meet (or can be made to meet) all those requirements, but when I have to come up with 7 different ones, they start getting weaker and weaker near the end. I know that in most systems you can just run through half a dozen passwords in about two minutes and get your old one back, but they also instituted a minimum age so you couldn't do that.
All these things are generally considered good network security, at what point do you start doing more damage than good though? How many passwords does your system require, and does anyone else find themselves in the same situation I'm in?
Re:Random Passwords aren't the problem (Score:2, Interesting)
Great tactic for encouraging good passwords (Score:5, Interesting)
It works well because many people (myself included) just didn't get how easy it is to crack simple passwords until someone does it. If it's your friendly sysadmin, a normal desire to appear less idiotic is a sufficient motivator to choose a strong password.
Re:Multiword Passwords? (Score:3, Interesting)
I've seen [dictionary word][non-alphanumeric character][dictionary word] (e.g. chrome=turnip) or even [dictionary word][dictionary word] (e.g. purplegearbox), where the concatenated words do not form a dictionary word. Googlewhackers could have fun generating (in)secure passwords along these lines.
Re:The #1 cause of poor passwords (Score:3, Interesting)
a
1
12
123
1234
12345
123456
1234567
12
123456789
1234567890
A few others use the name of the site and the word "password".
They don't care. That is true.
Re:Consonant-Vowel Method (Score:4, Interesting)
At least you aren't l33tifying plain dictionary words,
I recommend any sysadmins to download software like 'crack' or 'john the ripper' just to get an idea of the techniques used to break passwords. e.g. the fact that 'dictionaries' in the case of password cracking also include things like lists of anime and cartoon characters, actors, actresses, scientists, etc. And, of course, the aforementioned leet pattern replacements like s/ate/8/ and s/e/3/.
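A password-filter check that undoes the leet rewrites and wordlist categories this post describes before deciding whether a password is dictionary-based, as an added Python example; it is not the poster's code and not part of crack or John the Ripper. The substitution table and the tiny wordlist (ordinary words plus a character name and a scientist, standing in for the lists mentioned above) are constructed for the example; a real deployment would load full wordlists. It generalizes slightly beyond the post by also stripping leading and trailing digits and punctuation, the "word + number" shape reported elsewhere in the thread.

```python
import re

# Constructed stand-in for real wordlists: dictionary words, a cartoon character, a scientist.
WORDLIST = {"summer", "password", "turnip", "chrome", "pikachu", "einstein", "winter", "dragon"}

# Reverse "leet" substitutions: the mirror image of rewrite rules such as s/ate/8/ and s/e/3/.
# Constructed table; real crackers use longer ones.
LEET_MAP = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
            "8": "ate", "@": "a", "$": "s", "!": "i", "+": "t"}


def deleet(text: str) -> str:
    """Map each leet character back to letters: 'P@ssw0rd' -> 'password'."""
    return "".join(LEET_MAP.get(c, c) for c in text.lower())


def base_word(password: str) -> str:
    """Strip leading and trailing non-letters: 'Summer1!' -> 'summer'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def candidate_words(password: str) -> set:
    """Every normalization worth looking up: raw, edge-stripped, de-leeted, and combinations."""
    lower = password.lower()
    forms = {lower, base_word(lower)}
    forms |= {deleet(f) for f in list(forms)}
    forms |= {base_word(f) for f in list(forms)}
    return {f for f in forms if f}


def is_dictionary_based(password: str, wordlist=WORDLIST) -> bool:
    """True if any normalization of the password is a wordlist entry."""
    return any(word in wordlist for word in candidate_words(password))


if __name__ == "__main__":
    # Constructed samples in the shapes reported in this thread.
    for sample in ["summer1", "P@ssw0rd", "p1k4chu!", "E1nst31n", "Autumn-2004-leaf"]:
        print(sample, is_dictionary_based(sample))
```

Concatenated words like the "purplegearbox" shape mentioned later in the thread are not caught by whole-string lookup; handling those means checking whether the normalized string splits into two wordlist entries, which is a straightforward extension of candidate_words.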
my scheme (Score:2, Interesting)
grab a simple equation:
4+6=10
spell out one or two words
4+six=ten
bingo. easy to remember, hard to guess.
Re:Random Passwords aren't the problem (Score:3, Interesting)
Reading this article I remember a time -when I was still an application-manager for a large hospital- when I went to a small department to instruct a group in using the application.
It went something like this:
- Me: "What are your usernumbers? "
- Women of the group: "xxxx, yyyy, zzzz, dddd, ffff"
- Women: "Do you want our passwords too?"
- Me: "No, I just need your login-info so I can fill in the necessary forms."
- Women: "It's okay, we all share the same password, you can have it."
- Me [frowns]: "You shouldn't do that, and I don't want to know what your password is. If I don't know your passwords I cannot be blamed for anything that goes wrong when one of your accounts is used"
- Woman: "No, it's okay, the password is 'fill-in-a-simple-4-letter-word"
- Me: flabbergasted. Surrenders. Gets on with instruction.
Before I left that place I should have written a simple script that processed through all accounts trying just a few (not more than 10) passwords like diskette, floppy, computer, etc. etc. It would have probably hit 25% of users. It wasn't part of my job though and would have probably led to me being suspected of cracking-activity.
luckily there were also other security-measures in place....
Siggy.
Re:Teach People the Drums (Score:3, Interesting)
Ooh! Hack login.c to do a random keyboard remap just before the password gets typed, then reverse-map the result before hashing it. A software keylogger that looks at characters after scancode conversion will be hopelessly confused. A hardware keylogger will still work, but you'd have to do some work to put one in my laptop.
I'd advise against that... (Score:1, Interesting)
The problem is, that you're sometimes too tired and hurried to log in, that you don't notice that the cursor is still in the login field when you type your password. This happens especially when your login failed, because then you're out of your usual "login
In those cases, it is very important that your password is NOT pronounceable. I've regularly seen glimpses of the passwords of people sitting next to me in front of the computer. When the passwords were not pronounceable, like "i4H62qBr", you couldn't possibly remember them in the second or two you're given, because users get a shock reaction when they see their own password on the screen, and backspace it frenetically.
But, of course, if your password is "IfHydrovia", people are able to read and memorise it instantly, whether they want to or not.
I can give another useful tip though, especially for Europeans: if you have to use both QWERTY and AZERTY keyboards, pick a password that is entered the same way on both. This will mean that you won't enter your password incorrectly because of the different keyboard layout. And in most cases, it's when you have to log in again that people accidentally use the wrong field to type their password.
Re:my scheme (Score:3, Interesting)
I used to use e=mc2!! but it's easy to see that even a simple equation could be written in many different ways: e=mc^2, $e=mc^{2}$, etc etc with caps and all, or rot(13) or whatever.
Of course, long variants of astrophysical fluid dynamics are advised for length...
Re:Keyboard patterns? (Score:2, Interesting)
I used to use a little Tcl/Tk script that I hacked up to "train" myself on them until the muscle memory for the password kicked in. The script is available here [oakden.org] in case anyone is interested.
Nowadays I switched to using PasswordSafe [sf.net] to store a whole bunch of passwords, and now rely on its random generation instead (I keep meaning to modify my pwdrill.tcl script to allow me to enter the "random" password to train on manually, to minimise the number of times I have to look the PW up in passwordsafe before the muscle memory kicks in.)
forced password changes (Score:3, Interesting)
When it comes to forced password changes, it's "Because the password may be compromised".
So the next question is, if it 'may' be compromised, then how long are you willing to live with it compromised?
And that is your password change rate. So, if you force password changes every 90 days, it means you're willing to live with passwords being compromised for 89 days.
So what, force them every day?
The real answer is that if you think your users' passwords are being compromised, then you need some other form of security. Forced password changes are changes for no reason.
Make it a game! (Score:1, Interesting)
Set up a dedicated machine like this and use it for your security awareness training. Dare users to come forward and try their best passwords.
Cubicle rats will do ANYTHING for that big chunk of swiss cheese!
Re: Remembering frequently-changing passwords (Score:3, Interesting)
Re:Freaking PDF files. (Score:3, Interesting)
Untrue. Adobe has intentionally omitted certain "security" data from their specification, and has directed the arrest of people who publish reverse-engineered descriptions.
In practice, this means that there are many PDFs on public websites that Free Software (like xpdf and ghostview) cannot view at all, because the author decided to set a "No Clipboard" flag when exporting from Acrobat.
I haven't seen any "Free" PDF viewer that's earned "high quality". "Serviceable for most uses", but not "high quality".
PDF versions should be considered supplementary to the HTML ones.
Correct, but it's really sad that there is no intermediate format. HTML has no ability to describe pagination at all, while PDF encodes layout so explicitly it may as well be a scanned PNG of the document.
Word processing software allows smart, dynamic pagination, by storing entities like hard/soft page breaks, headers/footers, column connections, etc. That knowledge allows the document to be reformatted reasonably for whatever paper/font size the reader wants.
But unfortunately, there is effectively only 1 Word Processing file format today, and it's too proprietary to use as a web document standard. I wish the assorted "Free" word processors could step back from chasing "Word Document" all the time and come up with a good, common format that web browsers can (eventually) view directly.
Re:Keyboard patterns? (Score:2, Interesting)
mnbvcx (look at keyboard)
I'm not sure why the dictionary had it in there, but it did. Turned out, he also used it for his email as well. We had some fun. I checked recently, and apparently he still hasn't changed his password.
Moral of the story? Maybe enforcing a 90+ day password switch isn't all that bad, and if you're admin'ing a server with many users that you need to keep secure, run regular audits on your
Re:quepasa (Score:3, Interesting)
No good security software will accept a password passed on the command line. If they did, it would open more holes than just shell history; consider that most Linux systems allow all users to see every command line that any user is currently running.
ssh, for example, will only let you type a password in a separate interactive prompt. So
However, there is a file that might hold the passwords: the virtual memory "swap file". It's unlikely but not impossible that the just-typed password could be swapped from RAM to disk, and then left on disk a long while.
Re:pretty non-intuitive results? (Score:4, Interesting)
Yeah, but there's something that makes it worse: Every time you have to make up a password, your first try is rejected because it violates the rules of that software. So you keep trying until you stumble across something that is acceptable.
As a result, my file of passwords now has 68 entries, and that doesn't even include the half dozen logins that I use often enough to remember. I don't keep them on paper, of course. I keep them on my web site, so I can find them from anywhere.
Of course, the file has a misleading name, is hidden behind a number of index.html files, and has a name that starts with a dot so that the server doesn't give it out even during server changes when the index.html files are sometimes ignored for a short time. I know I should still be worried about the URL being intercepted in transit. But so far, this is the best solution I've found to what is a rather intractable problem.
The real problem is security dummies that impose such complex password rules on users that we are forced to resort to schemes like this to "remember" our passwords.
about damned time (Score:3, Interesting)
It's always confounded me as to why people have insisted on this folk belief. I, for one, have always insisted that mnemonic phrases are no less secure than random numbers. (Likewise for the memorability vs. single-phrase passwords.) I'm glad there's finally some proof so that I can get people to use sane passwords (neither easy to guess, nor difficult to remember).
Ok, real world time! (Score:3, Interesting)
The password police are constantly tightening the password rules. It used to be 90 days till a password expired. Now it's 60 days. It used to be 6 characters now it's 8 characters. You used to be able to re-use an old password, now you end up having to wait until it's 15 passwords old before you can re-use it. All passwords must contain 8 characters and include at least one number. You cannot set a password that is too similar to the old one. Many words have been outright banned from use as a password.
As an IT person with access to a lot of things, I have 28 different passwords just for work alone! There's about 8 mainframe ones, 4 PeopleSoft ones, 2 Windows Domain, etc., etc., etc. I actually set up an encrypted file on a USB pen drive that I unlock and reference when I need to see my password list. I have a couple of Macs at home and I love the KeyChain solution!
The average user has about 5-10 passwords they have to worry about. Users write them down, come up with elaborate rotation schemes, etc. Mostly they just call the Help Desk repeatedly because they lock themselves out in the process of changing their password.
I am all for a smart-card or USB keychain along with a single sign-on system to everything. It would cut 600 calls to the help desk every month and it would make thousands of employees very very happy.