Forgot your password?
typodupeerror
Security IT

Password Security Not Easy 674

Posted by michael
from the duh dept.
mekkab writes "The Wall Street Journal reports (yet again) that despite knowing better, users do dumb things to compromise security. Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask? Do people need training on how to make well known phrase (to them) into a perfect password acronym, or other memory boosting techniques? Or is it that the entire business culture needs to change from within to take digital security seriously?" If you require unmemorizable passwords, you've effectively changed the security requirement from "something you know" to "something you have", and if the required dongle is a note under your keyboard...
This discussion has been archived. No new comments can be posted.

Password Security Not Easy

Comments Filter:
  • by stecoop (759508) * on Friday December 10, 2004 @02:45PM (#11053751) Journal
    required dongle is a note under your keyboard

    There are more advanced security schemas. I know some places I have worked use securids where if you get possession of the key chain and know their userid, then you can become them. This isn't any good.

    A little bit better solution is having a securid login with a pin code - still not quite there as I only have to get your login name, secuid key chain and guess what your 4 digit pin is.

    The best password schema I have seen so far is where the securid and pin are integrated so that the seed in the random number generator for synced securids is the pin - the securids are just random numbers where the next number is based on some fixed patter and the number is only good for 60 seconds. But this still this has a few holes, I could figure out the pattern in securid and brute force the pin then re-add the pin as the seed. But for nowadays, this is best I have.
    • by wfberg (24378) on Friday December 10, 2004 @02:54PM (#11053873)
      The best scheme is a smart device (such as a smart-card with standalone(!) cardreader), that lets you physically enter a PIN into it, which then unlocks a securid or challenge/response scheme.

      The (embedded) chip is tamper-resistant (quite possibly erases the secrets inside when opened) and only lets you try 3 pins. The challenge/response scheme can then be as convoluted as you like, perhaps based on public/private key.

      My bank uses the chip embedded on my regular ATM card, and a card reader with a keypad and integrated LCD readout. When logging on to e-banking, I enter a PIN, enter a challenge on-screen, and then enter the response from the LCD readout into my browser.
    • ... I only have to get your login name, secuid key chain and guess what your 4 digit pin is.

      SecurID's are not limited to a 4 digit PIN. I have to use them to log into various client machines and my PINs are always 7+ chars that are alpha/numeric. You type in the PIN - which is really a password at this point - and follow it with the 6 digit number on the SecurID.

    • Your example has to be the worst use of SecurID (if you're referring to the RSA product) imaginable. Whoever paid for that equipment and implemented it so poorly should be fired for spending money and achieving no benefit.

      The whole point to SecurIDs is that they provide you with easily manageable two-factor security, including for legacy applications without needing a hardware re-outfit of biometrics, smart cards, redesigning custom prompts, readers, etc. They have agents for most popular things you'll i
    • by jdfox (74524) on Friday December 10, 2004 @04:15PM (#11054790)
      I used to be on the networks team at a very large corporation, where we implemented SecurID and PIN for offsite dial-in.

      We did everything right, got the clock sync working, got all the managers to buy lots of pricey SecurID cards, found and forcibly removed insecure dial-in boxes scattered around, did all the right audit and test of firewalls, etc.

      But the sales group had a bunch of pooled laptops, which sales people used to take out to customer sites. So they would store a SecurID card in the bag, along with a yellow PostIt note showing the PIN code for that SecurID.

      That way, not only was the SecurID compromised, but since they were effectively using shared SecurIDs and PINs, we wouldn't even know which idjit sales droid had compromised it.
      Doooo, ya stupid idjit rabbit! [barbneal.com]

      State-of-the art tech is no match for the apparently limitless stupidity of users.

      In the end, we did the only sensible thing, and revoked offsite dial-in for that group.
  • by xyeeyx (839193) on Friday December 10, 2004 @02:46PM (#11053757)
    2 passwords, none of them are words, easy to remember. anyone else have a few standard passwords?
    • I have 5, now. Each time I rotate passwords (once per year, usually), the highest security one moves down a notch, and everything below it gets bumped down by one.
    • by ifdef (450739) on Friday December 10, 2004 @02:51PM (#11053832)
      I have about 4, EXCEPT FOR WORK. At work, they require changing passwords every month or so. So now, having used up all my imaginative ones, I use fairly easy-to-remember (and so easy-to-guess) passwords at work. Somehow, they don't seem to realize that by forcing me into the situation where I *can't* have a password that is both obscure and easy for me to remember, they are making the system LESS secure, rather than nore secure.
      • by Anonymous Coward
        Tell me about it, just the other day I rooted some guy who used aaaaaaaa and goatse911 for everything. Poor sucker probably doesn't even realize he's been rooted yet.
      • We have a similar policy at work... and it is applied (with random expire times) on over 40 different server boxes.

        Since our dev environment is on a Windows platform, I use Password Safe [sourceforge.net] and have it generate/store new passwords for me for all of the production machines.

        Sure, it is a pain because I have to fire it up and put in my one secure password to get to the other passwords. But, at least it limits my security exposure to one bastion host (the shared drive on the LAN, so my encrypted password da
      • by Lumpy (12016)
        no kidding....

        the IT gurus that pide themselves at security at the HQ were bragging that most of our company users were using good passwords.

        I suggested they let me have a crack at it.

        I broke over 40% of the passwords by simply adding the YYMM as in last 2 digits of the year and the month as digits to the end of every password tried from the dictionary.

        they were suprised and I said, "your fault for forcing 30 day password expiration on the domain."

        this was 1 year ago.

        they still have not changed their
      • I once worked for a company where the insane CEO (dotcom era) decided to get serious about security by requiring daily password changes.
        The cool thing was that they never implemented any restriction on what the passwords could be.
        I think the most common passwords that resulted were Monday, Tuesday, Wednesday etc.
    • Yes. :)

      I have two different sets. One specifically for online site like PayPal, my bank, etc. The other is for generic internet thing.

      The important stuff set is then further split into one of two passwords, chosen depending upon how "important" the site is. So my Amazon account won't use the same as my bank, and such.

      The generic set is split into three, or occassionally four, also based on importance.

      The rare fourth is my root password, the third my normal login, second for general web usage, and las
    • My luggage is 1, 2, 3, 4, 5. Probably your luggage too.

      Actually, I have my luggage combination written in sharpie on the outsize, right next to the lock. It's 0-0-0-0. That's so the TSA can open it up if the numbers happen to get bumped away from 0-0-0-0.

      Online I have an easy password, which is used everywhere unimportant; a medium password, which is used on sites that I would not want to lose the account for; a hard password used on sites with sensitive and personal information; and a secure password whi
    • by 99BottlesOfBeerInMyF (813746) on Friday December 10, 2004 @02:59PM (#11053953)

      anyone else have a few standard passwords?

      For low security operations, like your online accounts, using a standard password is not too unreasonable. With just a hair more effort, however, you can use a standard password scheme. For example, instead of using "8dogs8food" as your password for all of the random online accounts you have, prepend or append the first letter of the web site you are accessing. For Amazon.com you can have "a8dogs8food" and for slashdot you can have "s8dogs8food." This gives you a better idea if your password is leaked, and keeps insiders from using your userid/passwd on other consumer sites. I think that a password scheme like this strikes a good balance of security and ease of use.

    • I have about 10-20 wierd "words" I munge and cycle through for passwords. Policy is now 90 day passwords. Yeesh. Too burdensome as far as I'm concerned but you gotta do what you gotta do. I am waiting with bated breath for the day when computers are smart enough to recognise you by sight, sound and scent. "I'm sorry Bob, please run around the building twice and then attempt to log in again, your scent levels are too low for a positive id."
  • by danielrm26 (567852) * on Friday December 10, 2004 @02:46PM (#11053762) Homepage
    Asking users to learn to create and manage complex passwords is not realistic; user education and/or "awareness" just isn't all that viable. The way the password problem is going to be solved is very simple - they aren't going to be used anymore.

    Using SecureID or another similar solution is the "no-brainer" solution that todays users need. This way they don't have to remember anything other than a simple pin - which, luckily, is just about the limit of most peoples' powers in this arena.
    • Jane: 1111
      John: 0000

      If there is a easy way they will take it.
    • Using SecureID or another similar solution is the "no-brainer" solution that todays users need. This way they don't have to remember anything other than a simple pin - which, luckily, is just about the limit of most peoples' powers in this arena.

      Biometric identification is the way to go. No passwords. The only time you need administrative support is if you've been in a horrible accident and lost your eyes/fingers/vocal cords/etc.

  • by 0racle (667029) on Friday December 10, 2004 @02:46PM (#11053765)
    I hate people that put their password under their keyboard. Like damn people, on the underside of the desk, is that so much to ask.
  • by Omniscientist (806841) <matt AT badecho DOT com> on Friday December 10, 2004 @02:47PM (#11053768) Homepage
    No matter how complex our security systems get, no matter how secure we can encrypt passwords to prevent brute force cracking of them, there will always be that human element of weakness. There will always be that one person who can be easily tricked over the phone to give out a password. There will always be that one person who will use their first name and last initial (ahem...half life 2 forum admin) as their password. So we really can't get top notch security without excellent education to these people on what to do in these situations.
  • by Anonymous Coward on Friday December 10, 2004 @02:47PM (#11053769)
    I can't remember how may IT admins thought by requiring a password with special characters and numbers would make the system more secure. Sure it will add an extra 12 hours on a brute force attack, but if you don't notice a 8 hour running brute force attack you really are not a good admin.
    • Note that not all brute force attacks take place against the online system. Through a bug in some service, a poorly configured database, or a single compromised username (plus a privalege escalation) an attacker may be able to send the passwd (hopefully shadow) file to another machine where they can brute force at their leisure. Much smaller chance of detection this way.

      Also note that requiring special characters does far more than add "an extra 12 hours". In most cases the brute force attack would be m
  • by FreeUser (11483) on Friday December 10, 2004 @02:47PM (#11053774)
    ... then at least a person has to gain physical access to the machine before they can compromise your account. Of course, we all know that once a person has physical access to the machine, all bets are off anyway.

    It isn't as good as memorizing the password, but it's a hell of a lot better than having a weak password that is trivial to guess and compromise via the Internet.
    • by nizo (81281) on Friday December 10, 2004 @03:19PM (#11054199) Homepage Journal
      Becoming tired of remembering passwords, I wrote a little perl program to randomly generate a matrix like this:
      a E9 b ?p c &m
      d 6K e aY f eP
      g !S h gn i D=
      j Hd k vw l Cb
      m W5 n 4$ o R3
      p x% q 7M r NF
      s +2 t s* u Ay
      v fL w zG x Zu
      y cX z Qr
      I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw
      Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard then get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password :-) ).
  • Yes. (Score:2, Insightful)

    by captnitro (160231)
    Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask?

    Absolutely it is. This is one of those examples of culture clash: the tech-inclined, and not. Absolutely it's too much to ask, just like asking mom or dad to "just open the command line.. it's so easy!" Yeah, it is too much.
    • I was going to moderate this post but I think I'd rather respond. SARCASM YOU FOOL! The sentence you quote obviosly implies that this is absolutely too much to ask.
      • Yah, I know. :) But I've actually heard it before, and even the different password mnemonics (memorize a sentence, use first letter from each) are too much. When entire pages can be written on "password strategy", it's gotten out of control.

        Computing's biggest hurdle in the coming years is going to be disappearing entirely. By which I mean, if computers really are a magical black box that makes our lives easier, then things like security shouldn't be taking up chunks of my life. They should take care of th
      • I thought it was sarcasm at first too. But when it was part of a link on how to create a good 8 digit password, I wasn't sure.
    • Re:Yes. (Score:3, Insightful)

      by Spudley (171066)
      Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask?

      Absolutely it is. Just like asking mom or dad to "just open the command line.."

      I've got to agree with you there. It is the non-techies that have the most problems with this, but how old is the internet culture among non-techies? Five years? Maybe less? The point is that until the internet made everything accessible from a single computer, you didn't need a dozen different passwords. Before that, the only peop
  • by Anonymous Coward
    ... to 'passphrase'.

    Then tell your users to think of a phrase like 'my son's name is Jim', and get them to use it as their password.

    Putting in pucntuation makes it harder to crack too. Although it still won't stop social engineering.
  • My Password (Score:4, Funny)

    by Greenisus (262784) <michael@@@mayotech...com> on Friday December 10, 2004 @02:48PM (#11053793) Homepage
    My password is weu@$9JKcpw34.

    No one has ever guessed it.
  • Passwords are always going to be flawed. Biometrics are the wave of the near future/present.
    • Re:Biometrics (Score:4, Insightful)

      by wfberg (24378) on Friday December 10, 2004 @02:57PM (#11053931)
      Passwords are always going to be flawed. Biometrics are the wave of the near future/present.

      Yeah. Unlike password biometrics are resistant to, what, 10 replay attacks? Unless you're using iris-scans, then you've got 2 passwords, maximum.

      You are aware that most fingerprinting gear is resistant to the dreaded Gummy Bear attack? (That's where they us a copy of your prints - lifted off of a glass you used for example - mad out of Gummy Bear candies).

      Biometrics are useless unless the biometric-taking hardware is physically secured by human guards checking to make sure you're not palming any Gummy Bears.

      (As a cost-cutting measure, notice how human guards are much better at facial recognition than computers, and just issue photo-IDs..)
    • Re:Biometrics (Score:5, Insightful)

      by Jucius Maximus (229128) <zyrbmf5j4x@snRED ... com minus distro> on Friday December 10, 2004 @03:00PM (#11053963) Homepage Journal
      "Passwords are always going to be flawed. Biometrics are the wave of the near future/present."

      There should be some feature in slashcode to remind people who inevitably try to post this that as soon as someone can fake your fingerprint or retinal scan, you are forked for life because you can never change those things.

    • Re:Biometrics (Score:3, Insightful)

      by Haydn Fenton (752330)
      We will still need passwords even if we have biometrics.
      Fingers can be cut off (ok, new ones are supposed to detect if there's blood circulating), or you could leave your fingerprint on something, then someone comes along and takes it, wouldn't be too hard to make fake fingertips which you could use. Your retina 'metrics' would be harder to steal, maybe contact lenses, I dunno. But whatever technology we can come up with, crackers can find a way to break or exploit it. Biometrics by themselves are probably
  • Here are some good techniques for picking a strong password. It helped me out. http://www.macosxhints.com/article.php?story=20040 920120520528/ [macosxhints.com]
  • by vivin (671928) <vivin.paliath@gmaiLIONl.com minus cat> on Friday December 10, 2004 @02:49PM (#11053816) Homepage Journal
    Best password/pin ever:

    [King Roland has given in to Dark Helmet's threats, and is telling him the combination to the "air shield"]
    King Roland: One.
    Dark Helmet: One.
    Colonel Sandurz: One.
    King Roland: Two.
    Dark Helmet: Two.
    Colonel Sandurz: Two.
    King Roland: Three.
    Dark Helmet: Three.
    Colonel Sandurz: Three.
    King Roland: Four.
    Dark Helmet: Four.
    Colonel Sandurz: Four.
    King Roland: Five.
    Dark Helmet: Five.
    Colonel Sandurz: Five.
    Dark Helmet: So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard! That's the kind of combination an idiot would put on his luggage!
  • by oexeo (816786) on Friday December 10, 2004 @02:49PM (#11053817)
    (Disclaimer: Please don't play this game!)

    1) Take the following five passwords:

    - password
    - slashdot
    - 123456
    - password123
    - [Username]

    2) Attempt to login to as many slashdotters accounts as possible.

    3) Post incriminating/stupid/slanderous/troll comments on behalf of users you now 0wn.

    4) While the FBI are busy smashing down your door: Take a hammer to your hard-drive's plateaus, and run like a screaming idiot while you think about how stupid you where to follow my instructions.

    (Disclaimer: Please don't play this game!)

    P.S. If your password was listed above: Change it!
  • ...the Sarbanes-Oxley act. Many financial institutions required to follow these regulations also are liable for the FFIEC regs. I believe that the FFIEC regs. DO require alphanumeric, 8 digit passwords.

    Whether they do or not, the FDIC auditors emphasize this policy strongly. If it's not written in stone yet, it will be.

    To be honest, I approve such a measure. It disturbs me to think that our local bank's security policy might be more lax than Yahoo's.

    • The company I work for had to put in a new password policy in order to comply with Sarbanes-Oxley. They even pushed a global policy to the desktop making all workstations lock after 5 minutes of inactivity. 'Bout time.
    • Sarbanes-Oxley is not banking legislation. It is reform of Corporate Governance and SEC reporting reqirements, fraud, etc...and appliens to any corporation. Gramm/Leech/Bailey was the banking/insurance/brokerage bill.

      That being said, as the article pointed out, the password requirements are not legislated, they are merely developed by consultants as a "show of controls". In other words, they are there so a company can say, "See - we try and protect our data from fraud."

      Also, the FDIC does not audit ban
  • Yes.

    It is hard.

    When you work in an organization when you have 5-10 passwords for different applications such as the network domain (email), web apps, etc; each requiring complexe passwords that expire every 3 months it become VERY hard to keep track of all these passwords and think of something else to replace them all with.
    • The harder part is when you make a nice algorithm for generating complex and random passwords and gets as result one that coincides with your born date plus your nephew name, or take a easy to remember by you but no for anyone else phrase, i,e, "promise an aniversary so we own real dollars", take the initials of the words and realize that that was a very bad example. A safe way for generating passwords don't mean that it could be trivial to brute force attack it for that particular generated password.
  • Are seven different 8 character passwords (with numbers and mixed cases) really too much to ask?

    yes. when you're forced to change them every 30 days, and you can't repeat any of the last five, you quickly run out of things you can easily remember early in the morning.
  • Seriously most uses see computer secuity an IT problem not thears. They just want to get there work done. All the education in the world and all the bickering will not stop them from making stupid easy to guess passwords. Now if IT had the power to fire people who account compimised the corprate system because some hacker guessed there passord and got in. Then maybe it would be different. But IT raily has that power. if 1234 logs them in then they will use it because it is easy to type. If it was up to
  • Password expiration (Score:3, Interesting)

    by crow (16139) on Friday December 10, 2004 @02:51PM (#11053841) Homepage Journal
    This goes along with my other pet peeve--password expiration. Here at work, the Windows passwords must be at least 8 characters, with mixed case and numerals. They expire after 90 days, but can't be changed for at least 10 days when new.

    My password is written on my whiteboard.

    For serious security, passwords shouldn't expire. They shouldn't even have to be that obscure. The security effort should go into making a brute force attempt impractical.

    And the IT department needs to recognize that once someone has physicall access to the network, there's not much left to secure, anyway.
    • A password that never expires means that the intruder has access for as long as that account exists, if the intrusion was never detected. That is not serious security. Password expiration IS for serious security, and passwords should expire very frequently. However, that is not very friendly to your users, so the admin has to weigh usability with security A 30-60 day policy seems resonable to me, but it might not to the next guy.

      Every organization other then the absolute smallest places should be expiring
  • (with numbers and mixed cases) really too much to ask?

    Yes. It is. I'm supposed to remember which password goes with which account/username on which one of 4 systems I may have to access at work, plus root and regular user on the home box? Then there are the user/pass combos for here, k5, husi, tnr, the atlantic, wash post, ny times, salon.com, and a couple of other ones.

    That's something like 16-20 user/password combos. Fortunately I can use the same username across multiple sites. But I use differ

  • PasswordSafe, from Bruce Schneier's outfit Conterpane Security, is a great help. I can have multiple passwords to different things stored in it; I can even have "secure" machine-generated ones, and I don't have to remember any of them. All I have to remember is one good, solid password - the password to PasswordSafe. (If you will, it's my "root" password.)
  • by Ars-Fartsica (166957) on Friday December 10, 2004 @02:53PM (#11053861)
    My approach is to separate passwords into three zones: low, medium, high security. I always use an eight char passphrase with numbers and letters mixed. My zones work as follows:

    Low: content sites like slashdot. I don't care if you get this passphrase, I will never change it.

    Medium: logins for machine accounts, email and online shopping sites. I care somewhat if this is known, and I will change it yearly.

    High: financial sites - bank and brokerage. I care deeply that this phrase is secure, and it is changed once a month no matter what.

    • I have a similar system... But I generate random passwords and keep them in an encrypted file on my Palm.

      I don't really understand the noise with memorizable passwords. A random 8 characters password with mixed cased and numbers takes me about 4-5 times (number of time I have to enter it) to memorize it.

      For those I don't use very often... then my little Palm app will help me remember them.
  • From the article (read yesterday in the dead tree edition), one poor woman was required to type 8 passwords to log into the things that she needed to log into. Each password a combination of letters and numbers, and each having to change every 3 months. So that is 32 passwords a year.

    Frankly if my work was so dumb - I'd write them down too - or come up with a script that would do all of the logging in after the initial password. This is an IT staff problem, not a user problem... Please, one password is

  • So, we get issued key fobs for RSA authentication via Cisco VPN and guess what happens: three users have already taped their PIN to the back of the fob so they won't need to remember it. One wrote it with a metallic silver Sharpie!

  • by lukewarmfusion (726141) on Friday December 10, 2004 @02:55PM (#11053903) Homepage Journal
    ...just put them all in an Excel spreadsheet, keep a copy printed out and stored in your filing cabinet under a folder labeled "Passwords" and don't lock the cabinet.

    I gave my two weeks' notice and this was the first thing my bosses wanted me to do: write down all the passwords for them so they could keep everything on file.

    Fantastic.
  • Breaks down into 3 realms

    Something you have, something you know, something you are.

    The best systems incorporate a little of each.
    For a phone banking application:
    A unique transaction number out of a booklet your bank sent you. (something you have)
    A voice sample of you saying the numbers (something you are)
    Your birthday (something you know)

    Even though each of these individually is 95-97% secure at best, the combination is highly secure.
  • by GillBates0 (664202) on Friday December 10, 2004 @02:56PM (#11053912) Homepage Journal
    Get someone to kick you in the nuts everytime you forget your password.

    You'll be surprised by how dramatically your capacity to remember passwords will improve once this becomes a regular feature of your workday.

    For added effect, construct horribly complex and impossible to remember passwords a few times every day. Over time, basic survival instincts and the urge to avoid the inevitable kick in the balls will overcome the limitations posed by your poor memory.

    • You'll be surprised by how dramatically your capacity to remember passwords will improve once this becomes a regular feature of your workday.

      It sounds like you have personal knowledge of this? Hope you've had all the kids you want!

    • I thought our help-desk guy might have been the original BOFH, but I was wrong. Even he wouldn't have thought of that. Man, you are harsh.

      [Suddenly the phone rings, disturbing the BOFH's game of Half-Life]

      [random_user]Hello Help Desk? I forgot my password. I have to print a powerpoint document for a briefing I am giving in 5 minutes so I need my password reset right now!

      [BOFH] Oh....let me check...we can only reset passwords once a day between 6AM & 7AM because it affects the user settings and w
  • Telling people to not use whole words as passwords because they might be included in dictionary searches seems like it might be a good idea, but the problem is that you usually wind up giving people an algorithm for password generation that might actually yield an even worse password. Where I work at, for example, the suggested practice is to use acronyms followed by numbers. You remember a pet phrase and extract out the acronym. "Eagles Will Beat the Cowboys on Sunday" might become ewbtcos42, some rando
    • Expand the policy a little further and tell people not to use common sayings to form an acronym. For example, instead of using something common like Thank God It's Friday, use something that nobody would think of, like I Drive A Porsche (especially effective if you don't drive a Porsche). Add some numbers and punctuation after that, and there's no way anybody is guessing it without a brute force character-by-character attack.
  • by Slick_Snake (693760) on Friday December 10, 2004 @02:57PM (#11053925) Journal
    Current security models require passwords to be changed every three months or so. On top of that the password cannot be one last 5 or so used. On top of that it must be different than the last password by x number of characters. On top of that the user must remember x number of passwords of which he/she only uses one on a regular basis. To complicate matters the passwords must contain numbers, letters (upper and lower case), and sometimes special characters (but only certain ones). The expectations placed on the worker are unrealistic and that is what leads to poor password management. Simple password with dongle (smart card, usb device, RFID chip, etc...) is a better solution.
  • by bitslinger_42 (598584) on Friday December 10, 2004 @02:57PM (#11053929)

    Between Moore's Law and modern cracking techniques (dictionary attacks, hybrid attacks using both dictionary and brute force, and hash precalculation), nearly any 7-8 character password that will be easy for Joe User to remember is crackable in a very short period of time. Rather than blaming the users for security failure, we should be looking to improving the overall system.

    There are a number of things that can be done. First, and most importantly, eliminate the use of protocols that pass usable credentials (password, reversable password hashes, etc.) across the network in the clear. This means no longer using telnet and FTP (except for kerberized versions), doing something with/about Microsoft's NTLM/LanMan hashes, and probably using client certificates as well as server certs for encrypted web traffic.

    Beyond that, there are proven techniques that aren't too hard for users to understand. Time sequence tokens (i.e. RSA's SecurID) have been around for a long time and have yet to be broken except for when the attacker has access to the critical seed records. There was an article a while back (sorry, can't remember where) about a bank using a short list of PINs that they mail to the customers. Each time the customer logs in, they use one and cross it off. The system keeps track of it and automatically send a new list before the old one is exhausted.

    The point here is that unless we get rid of the users, we will never be able to educate all users all the time. The best way to get the security levels that appear to be needed is to take the human element out of the process as much as possible.

  • I always keep with the same convention; what's so hard?!

    1 2 3 4 ...

    Q W E R T Y ...

    A S D F G ...
  • For a workplace, there's no better solution than single-sign-on (Kerberos or the like) using a SmartCard. People understand how to keep something like a key safe, but keeping a bit of information safe, especially when it's something they have to keep in their head, is considerably more difficult.

    I think the best approach is something like a Sun Microsystems Sunray environment where you can stick your SmartCard into any Sunray and instantly pull up your session from the server. Instead of having to "log


  • Obligatory Spaceballs [imdb.com] reference goes here...
  • Good human pronouncable (thus easy to remember) passwords can be generated using tools like these [net-security.org] it is even a part of debian (apt-get install apg). try it out, the generated password are generally very good, mix of cases, numbers etc.
  • Picture Passwords (Score:5, Interesting)

    by spun (1352) <loverevolutionary@@@yahoo...com> on Friday December 10, 2004 @03:03PM (#11054007) Journal
    One method I like is to pick a simple figure: a wavy line, a j shape, a box, a star or whatever. Then pick a starting character and 'draw' the password on the keyboard. For example, lets use a wavy line and start on e. Our 8 character pasword would be e4rft6yj. Or a box starting on f: fr456yhg. These passwords are hard to guess, easy to remember, easy to make memorable variants of, and quick to type.
  • Here we just let users pluck a password out their asses and keep it forever when I started. It had been that way since the dawn of time at this company and nobody wanted to change it. Admittedly we don't have much in the way of truly sensitive information but it was pretty lax.

    Finally we said ok, this is going to have to change in some way and we instituted some basic requirements. Minimum number of characters, must contain at least one capital letter and at least one lower case letter. Very simple righ
  • The whole idea of computer and network security in today's world is fundamentally flawed. Everyone on Slashdot knows that the Internet was not designed to be secure. It was designed to collaborate, share data and to share computing resources.

    One cannot turn something into something it was never designed to be. One can only bend and twist the system so far... and the Internet, with all of its on-line commerece and banking, has been bent and twisted to the breaking point. Perhaps a total redesign is in orde
  • Don't forget that onerous password policies actually make your productivity and security go down. Scenario: New password policy requiring a new password every month and a password with 1 special character, 1 capital letter, 1 lower case letter, 1 number, at least 8 characters no duplicated characters, and not more than 75 percent similar to any of your last 10 passwords. Your salesman is out of the office on a regular basis and needs to download the new data sheet before a customer pitch and can't remembe
  • The fundamental maxim of security:

    Security is a process, not a product.
  • There was an interesting blog article by a Microsoft PSS employee [msdn.com] about his recommendation for choosing passphrases as opposed to passwords. Worth a read. The main problem is a number of online sites don't allow spaces in passwords or limit the password to a short number of characters. For example, I tried to create an iTunes account with a phrase from a Pavement [mtv.com] song but it wouldn't let me go over 32 characters or have any spaces in my password.
  • by BurritoJ (75275) on Friday December 10, 2004 @03:10PM (#11054080)
    My solution to secure passwords is to look around my office, at my bookshelf, at the documents/notes/references on my desk and pick an unusual set of words, hAx0r the spelling, and mix in some special chars *$&% as appropriate and out comes a secure password, with locational mnemonics if I forget it. If someone manages to brute force 3tt3r_4Tran77 then I have got lots of other problems. Fortran77 w/ Numerical Methods by Etter if you're curious, and no... it's not actually a password in use.
  • I implement database security for a large company, and work closely with the system adminstrators. We have, per corporate policy, implemented the usual stuff: regular password changes, alphabet-soup requirements, no shared passwords. Highly secure systems also use two or even three factor authentication. We also do password-cracking semi-continously, looking for weak passwords. It was nazi-land.

    Predictably, passwords were scrawled on post-it's and under keyboards. It had become a mess, and the users we

  • I use the open source PasswordSafe [sourceforge.net] The original was written by Bruce Schneier who worked on an AES finalist and runs CounterPane Security [counterpane.com] and writes the CryptoGram Newsletter [schneier.com]

    The program saves all your passwords in an encrypted file, which you then keep on your USB keychain. You only have to remember one password to open the safe, and then you can copy/paste your different username/passwords to the site that needs them. As long as you keep the data file on your keychain (and keep that with you) then yo
  • by Hank Reardon (534417) on Friday December 10, 2004 @03:21PM (#11054227) Homepage Journal

    What I've noticed lately is that it's stupid policies rather than stupid users that cause the problems.

    For example, my current employer requires a monthly password change, minimum of 8 characters, one must be in caps, at least one number and one punctuation mark. 13 months worth of history is also kept.

    I have 4 strong passwords that I use regularly (and I come up with new ones every year or so), each consisting of 16-25 random characters, numbers and punctuation (think pound the keyboard and select a bunch of characters from the result). I can't use them because they repeat too often.

    The policies also prohibit using the same password multiple services like email, NT Domain logins, *nix servers, web applications and the like. The result is that I have to generate some 20 passwords per month.

    What this does is force me to use stuff like "WebApp-01!", "NTLogin-01!" just to be able to remember everything.

    I wish we'd switch to RADIUS.

    • Amen to that. Now, admittedly, having one password for all your services is kind of bad, since it's a single point of failure. But what's worse is the obscure requirements some websites have. Here's a list of the password requirements for all sites I use ona daily basis:
      • 6-8 characters, containing at least 1 number and 1 letter, the number must not be the first or last character. No special characters. Password cannot be the old one if you change it.
      • 4 character maximum, only letters and numbers.
      • 6 ch
    • No shit! (Score:3, Interesting)

      by lorcha (464930)
      I know the feeling. I just started a new job and I needed to come up with a login password. The password I wanted to choose was a pretty-much unguessable 'wkxudf1'.

      But nooooooo that was not acceptable. It needed a capital letter and a special character. By the time I was done fighting with the password change program, my password was 'Abcdef-1'. Take a wild guess what my password will be when I have to change it next month?

      Totally insecure, but at least I can fucking remember it. And if I ever for

  • by Chemisor (97276) on Friday December 10, 2004 @03:24PM (#11054262)
    Is it even possible to crack passwords any more? With shadow passwords, you simply can't get the password string to crack, and you can't just brute force at the login prompt, since it waits five seconds between tries. To get /etc/shadow you have to be root anyway, so what's the big deal with creating "non-guessable" passwords? It's not like any hacker would actually try more than a dozen at the login prompt. If he does, he'll just be locked out and reported. If you look at the descriptions of how computers are hacked these days, it's never by guessing passwords. It's usually done through a poorly written web page, where a buffer overflow can get you in (why don't they run the webserver on a chroot?).
  • My password is Pi (Score:3, Interesting)

    by Archangel Michael (180766) on Friday December 10, 2004 @05:47PM (#11055886) Journal
    I just won't tell you the starting offset. :D

    I always imagined that Pi or one of the other irrational numbers would be a great encryption hash. Easy to gererate, remember etc, but hard to hack, since we don't know the starting offset.

    It could be a nonrepeating hash or even a repeating one. All you would need to know is the starting offset, you could encrypt a very long document, with a singular and easy to remember hash point, ie Pi x 259313 r1024 would mean Pi hash starting at 259313 repeating 1024 numbers.

    I am sure that some pointy head math wizard will explain why this will not work.

A failure will not appear until a unit has passed final inspection.

Working...