Too Many Passwords
LK3 writes "A survey of 1700 technology end users in the United States released today reveals some interesting findings about password management habits. 'The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques and creates a drain on productivity by taxing the resources of IT support centers.' Further, corporate requirements of frequent password replacement further exacerbates the toll on human memory. Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?"
Can't remember already... (Score:3, Interesting)
Crap, what was the password to view
Better than post-it notes (Score:5, Interesting)
a-E9 b-?p c-&m
d-6K e-aY f-eP
g-!S h-gn i-D=
j-Hd k-vw l-Cb
m-W5 n-4$ o-R3
p-x% q-7M r-NF
s-+2 t-s* u-Ay
v-fL w-zG x-Zu
y-cX z-Qr
I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw
Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard than get it off the paper). Luckily I type fast and get annoyed when people stand over me while I type a password.
kwallet (Score:5, Interesting)
I just use the same 4 passwords for everything, but trying to figure out which one of the four a certain one is can be a problem, since in some cases you only get 3 login attempts...
Don't forget (Score:5, Interesting)
IT requiring password changes (Score:5, Interesting)
I work in web hosting... (Score:2, Interesting)
Prime example. When a customer wants to cancel their account, we direct them to an online form which asks for their registration # or domain name and their password to verify their identity. Invariably, the customer forgets their password and when we respond that we can't cancel their account without that information, they ALWAYS ask, "can you tell me my password?"
I am not joking. People call in all the time wanting their login information without being able to verify a thing. By the way, when this happens, there are two options - the "forgot password" form which mails the info to the admin address on record, or providing the billing CC# (you pay the bill, you get the key)
But I digress. Ultimately, the general public couldn't care less about passwords because they don't truly understand their function other than "it gets me where I need to be"
I'm surprised that nobody has mentioned..... (Score:3, Interesting)
App on my Palm Pilot (Score:2, Interesting)
I tried reasoning with the IT people (Score:3, Interesting)
Say, I choose an easily dictionary attacked password with just 5 lowercase letters. Whammo -- I'm told I can use that password for 3 days. So I make a 20 character, non-dictionary password with a mix of letters, numbers, random symbols, etc and I'm told I can keep it for a year.
Seems to me that's a reasonable approach: reward people for better passwords.
Suffice to say, I was told: "No way, we like it as it is."
Biometrics not the solution (Score:4, Interesting)
My System for Passwords (Score:3, Interesting)
I write my passwords down. (Score:4, Interesting)
I have offloaded Internet security into Material security.
I use a separate password for every forum I care about. My passwords on my personal computers are changed regularly. I can do this, because of my password book. Without it, this would be implausible.
It is conceivable that someone will get my password by taking my book from me, and snapping pictures of the password pages with their cell phone. Very well then, let someone make the $500 airplane trip over here, come into the office, find my book, and then start snapping pictures. Or maybe find me on the streets if it's lunch time, and rip the book out of my backpack. Conceivable.
But I think this is prohibitively expensive for most people. It would be cheaper to hack a website, and get some other guy's password, and see where else the password might be usable.
I think it is less risky to keep a watchful eye on my password book, than to use only a finite number of passwords.
If someone thinks this is wrong, tell me what you do, and tell me why it is more secure. Not what you can imagine doing; Rather, tell me what you really do.
Re:IT requiring password changes (Score:3, Interesting)
Simple, elegant solution (Score:3, Interesting)
You have a single password. This password is combined with the domain name and then processed with an appropriate mechanism (e.g. MD5) to produce a unique password for an individual site.
I think that's a great solution and think it should be incorporated into all open source web browsers. The user doesn't even have to know it is happening. Much more practical than biometric solutions.
Use tokens, and let users pick their passwords (Score:3, Interesting)
Re:Better than post-it notes (Score:5, Interesting)
One thing that I did find to be a significant drawback to this is that some companies are demanding an upper case letter, a lower case letter, a number and a funny character. It is quite possible that the transform of an easy to remember word will not happen to have all of these. One solution, that actually makes this less secure, would be to have all vowels contain a lowercase letter and a funny character and have each consonant contain an uppercase letter and a digit. This really reduces the number of potential passwords, but such is the cost of making the 'powers that be' happy.
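As an added example (not code from either poster), the card scheme from the parent post and the policy problem raised in this reply, in Python. The card is a constructed copy of the one printed above; the policy checker assumes the common "one upper, one lower, one digit, one symbol" rule, and build_policy_card() is an assumed implementation of the vowel/consonant split suggested here.

```python
import random
import string

# Constructed copy of the substitution card posted above (letter -> two-character chunk).
CARD = {
    "a": "E9", "b": "?p", "c": "&m", "d": "6K", "e": "aY", "f": "eP",
    "g": "!S", "h": "gn", "i": "D=", "j": "Hd", "k": "vw", "l": "Cb",
    "m": "W5", "n": "4$", "o": "R3", "p": "x%", "q": "7M", "r": "NF",
    "s": "+2", "t": "s*", "u": "Ay", "v": "fL", "w": "zG", "x": "Zu",
    "y": "cX", "z": "Qr",
}


def card_password(word: str, card: dict = CARD) -> str:
    """Translate a memorable word through the card, two characters per letter."""
    return "".join(card[ch] for ch in word.lower())


def meets_policy(pw: str) -> bool:
    """Assumed corporate rule: at least one upper, one lower, one digit, one symbol."""
    return all([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def build_policy_card(seed: int) -> dict:
    """Assumed implementation of the reply's workaround: vowels map to a lowercase
    letter plus a symbol, consonants to an uppercase letter plus a digit, so any word
    with at least one vowel and one consonant satisfies meets_policy()."""
    rng = random.Random(seed)
    vowels = set("aeiou")
    card = {}
    for ch in string.ascii_lowercase:
        if ch in vowels:
            card[ch] = rng.choice(string.ascii_lowercase) + rng.choice(string.punctuation)
        else:
            card[ch] = rng.choice(string.ascii_uppercase) + rng.choice(string.digits)
    return card


if __name__ == "__main__":
    print(card_password("bank"), meets_policy(card_password("bank")))   # ?pE94$vw True
    print(card_password("hour"), meets_policy(card_password("hour")))   # gnR3AyNF False
    alt = build_policy_card(7)
    print(card_password("hour", alt), meets_policy(card_password("hour", alt)))
```

With the posted card, "bank" passes the policy but "hour" does not (no symbol lands in it), which is exactly the drawback described; the constrained card guarantees a pass at the cost of telling anyone who learns the layout which chunks are vowels and which are consonants.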
I changed my password this morning (Score:4, Interesting)
Total cost of the password change? Maybe a man-hour's worth of time (between myself and waiting on the techs, and the techs stopping their work to fix my account). So maybe a hundred dollars or so. But we have 800+ employees in 5 branches. That's a lot of password change headaches.
-Rick
Opposite problem at my work (Score:2, Interesting)
The password for the passwords (Score:2, Interesting)
As a general security measure, I use different passwords for all the Internet services I use. I simply do not trust the random forum and service owners I use enough; not because I distrust any concrete service like say Slashdot, but because it only takes one dishonest service owner to look up my password in order to have them all if I were to use the same one everywhere. Instead, I have a very long, huge text file with all my passwords which is stored on my bestcrypt http://www.jetico.com/ [jetico.com] partition. The system works great for me. Alright, I have to look up the service and password every time, but as I always have that file open in kate since I use it frequently it is not a big deal. This works fine for me and I recommend it. This way I only have to remember the actual sentence I use as a password for my bestcrypt drive, and nobody can use the password on one service to guess my password on another since they are all random garbage like we4kBoc3fis...
So I think that a "master password" IS the solution. Every employee can easily have their own personal master password where they keep a record of all their passwords, and this allows every employee to have a random password that only works for them assigned for each service they use.
Password expiring (Score:3, Interesting)
Then IT thinks it's good to change passwords every 30 days on some sites; password management alone takes 1-2 hours a week, not counting the times I have to change passwords for other people.
If anyone knows an open-source robotron replacement that works in both IE and Firefox, reply. As for password safes, I've been trying a new open-source one called Keepass [sourceforge.net] that looks pretty nice, and is ported to multiple platforms.
Re:Better than post-it notes (Score:4, Interesting)
Re:Information Security (Score:5, Interesting)
Biometrics is a bad idea, if for no other reason than thieves will chop off body parts: Malaysia car thieves steal finger [bbc.co.uk]
Re:Better than post-it notes (Score:3, Interesting)
Re:Better than post-it notes (Score:3, Interesting)
1. you go to evilsite.com, and enter your public key
2. evilsite.com automatically connects to bank.com, and enters your public key
3. bank.com encrypts some string, and sends it to evilsite.com
4. evilsite.com sends the encrypted password to you
5. you decrypt the data, and enter that info to evilsite.com
6. evilsite.com forwards the data to bank.com
Now, while you play on evilsite.com, evilsite.com empties your bank account. Not likely? What if you went to evilsite.com by following a link in an email that looks like it came from bank.com, and where you have a bank account? And don't think like someone who knows better. Think like your grandmother.
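As an added example (not code from the poster), a toy simulation of the six steps above and of the check that defeats them: binding the name of the site the user is actually talking to into the response. This is a constructed model, not a real protocol: the user's private key is stood in for by a secret HMAC key, and "decrypting the bank's string" by computing an HMAC over the challenge; the bank holds the same key here only so the toy can verify.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for the user's private key (assumption: HMAC replaces the
# public-key decrypt described in the post; the relay logic is what matters).
USER_SECRET = b"constructed-user-secret"


def prove(secret: bytes, challenge: bytes, origin: Optional[str]) -> bytes:
    """The user's answer to a challenge. With origin binding, the site the user
    believes they are talking to is mixed into the proof, so an answer produced
    for evilsite.com cannot be replayed at bank.com."""
    msg = challenge if origin is None else challenge + b"|" + origin.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Bank:
    """bank.com: issues a fresh challenge and accepts a proof over it."""

    def __init__(self, domain: str, user_secret: bytes, bind_origin: bool):
        self.domain = domain
        self.user_secret = user_secret
        self.bind_origin = bind_origin
        self.pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, proof: bytes) -> bool:
        expected = prove(self.user_secret, self.pending,
                         self.domain if self.bind_origin else None)
        return hmac.compare_digest(expected, proof)


def honest_login(bind_origin: bool) -> bool:
    """The user talks to bank.com directly."""
    bank = Bank("bank.com", USER_SECRET, bind_origin)
    chal = bank.challenge()
    return bank.verify(prove(USER_SECRET, chal, "bank.com" if bind_origin else None))


def relayed_login(bind_origin: bool) -> bool:
    """Steps 1-6 from the post: evilsite.com passes bank.com's challenge to the
    user and the user's answer back. Returns True if bank.com accepts it."""
    bank = Bank("bank.com", USER_SECRET, bind_origin)
    chal = bank.challenge()                      # steps 2-4: relayed to the user
    # step 5: the user answers, believing they are logging in to evilsite.com
    proof = prove(USER_SECRET, chal, "evilsite.com" if bind_origin else None)
    return bank.verify(proof)                    # step 6: forwarded to bank.com


if __name__ == "__main__":
    print("unbound: honest", honest_login(False), "relayed", relayed_login(False))  # True True
    print("bound:   honest", honest_login(True), "relayed", relayed_login(True))    # True False
```

Without binding, the bank has no way to tell a relayed answer from a direct one; with the origin folded into the proof, the honest login still works and the relayed one fails because the user signed "evilsite.com", not "bank.com". The user's software has to supply that origin from the connection it actually made, not from anything the page claims.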
Re:Better than post-it notes (Score:4, Interesting)
Use a phrase, like: SlashDot Keeps Posting The Same Thing Over And Over
Use the first letters: sdkptstoao
Modify it a bit: SDkptst0a0
You just remember the phrase and you are good to go!
Argghhh, fer crisakes (Score:3, Interesting)
Take a look at this really cool presentation, even if you find the subject matter boring the presentation is sharp, http://www.identity20.com/media/OSCON2005/ [identity20.com]
SHA1 and a piece of paper (Score:2, Interesting)
The actual password for each site is the first 8 chars of the SHA1 hash of my memorized password concatenated with the hint (sha1(passwordyahoo), sha1(passwordebay) etc).
I keep a gdesklet applet open on my desktop to generate passwords when needed. The SHA1 algorithm is freely available and already implemented as libraries in many languages, so moving to a new computer or rebuilding the password generator is simple.
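As an added example (not the poster's applet, nor code from the "Simple, elegant solution" post above), both hash-derived schemes in this thread in Python: the first 8 hex characters of SHA1(master || hint) from this post, and the master combined with the domain and run through MD5 from the earlier one. The MD5 variant assumes the full hex digest is used, since that post does not say; hex_entropy_bits() is an added helper.

```python
import hashlib


def sha1_site_password(master: str, hint: str, length: int = 8) -> str:
    """This post's scheme: first `length` hex characters of SHA1(master + hint),
    e.g. sha1("password" + "yahoo")."""
    return hashlib.sha1((master + hint).encode("utf-8")).hexdigest()[:length]


def md5_site_password(master: str, domain: str) -> str:
    """The earlier post's scheme: master combined with the domain name and run
    through MD5. Assumption: the whole 32-character hex digest is the password."""
    return hashlib.md5((master + domain).encode("utf-8")).hexdigest()


def hex_entropy_bits(length: int) -> int:
    """Hex output carries 4 bits per character, so truncating to `length`
    characters caps the result at 4*length bits whatever the master's strength."""
    return 4 * length


if __name__ == "__main__":
    master = "constructed-master"   # constructed sample, not a real secret
    for hint in ("yahoo", "ebay"):
        print(hint, sha1_site_password(master, hint))
    print("bank.com", md5_site_password(master, "bank.com"))
    print("bits in an 8-hex-char password:", hex_entropy_bits(8))
```

Two properties worth knowing before adopting either: the output alphabet is lowercase hex only, so a site that insists on an uppercase letter or a symbol (the complaint in the "Better than post-it notes" reply) will reject it, and an 8-character truncation is 32 bits of keyspace. Both hashes are also unkeyed and unsalted, so a password leaked from one site together with its hint gives an attacker a fast offline test for guesses at the master.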
Re:Better than post-it notes (Score:3, Interesting)
Re:I know how it feels... (Score:3, Interesting)
- It only works on certain sites - javascript confuses it completely
- They keep changing the f***ing algorithm, so next time you install it none of your passwords work!
- If you're working on another machine you can't log in anywhere.
I gave up on it.. something like that shipped with the browser would probably work though.
Password safes considered unsafe (Score:3, Interesting)
Windows (as would be any OS that attained broad use) and/or disk hardware are sufficiently unstable that I occasionally have to scrap my existing data and start over from scratch. Additionally, I use many different computers on different networks to access the same websites, etc. Backups are a pathetic workaround for this, and are themselves a vulnerability.
In fact, any scheme that relies on a password safe resident on one machine will always be susceptible to catastrophic lossage, and is a pain to use on other machines. And any scheme that relies on 3rd party storage of the passwords is vulnerable to attacks on that storage and is inherently harder to maintain.
Personally, I think the only thing that will eventually solve this problem is a single password plus a smartcard-like system (with automated backup to some other local storage). We're not going to get there easily, though. And it's not a panacea either, because smart cards can be lost, stolen or fried just as easily.
Ironically, this problem is essentially another variant of the fundamental issue surrounding identity theft: in an information society, it's absolutely crucial that we be able to reliably uniquely identify every person, but anything we use to do that will end up being abused just like SSNs.
effective strategy (Score:1, Interesting)
(1) For any site or "thing" that makes you set up a password, first consider whether or not it needs to be secure in your own judgment. For example, I don't give a rat's ass if somebody figures out my NY Times login or my TitanTV login, but I'd rather they don't get my bank login!
(2) For "unimportant" logins, choose an UNUSUAL login name (so that you don't find that it's already been claimed on more popular web sites), and a password of 6-8 characters, that you use for ALL of them.
(3) For "important" logins, have one part that is a "master" password, maybe 5 characters. Then, for each site, choose a few additional characters that you tack on to the beginning or the end of it, which remind you (in some obscure way) of the service it's a password for. Personally, I have adopted a simple cipher. So, if the password is for Bob's Skate Shop, I might choose bss. Supposing my cipher is "1 letter later in the alphabet", that becomes ctt.
In my opinion, this creates an ideal balance between usability and security. If somebody finds out my password to Bob's Skate Shop, they would still need to know my cipher, and figure out which part of the password is "standard", before they could log into my credit card account.
Re:Biometrics not the solution (Score:3, Interesting)
But, a bigger problem (for now) is someone cracking your database of biometric data, and being able to retrieve the information you store to identify people. This is why there is research into Replaceable Biometrics [computerworld.com].
If the stored database cannot be related to the person, then again a criminal is forced to go directly to the source (you) to copy or steal the finger or retina. Ideally, they would then be stopped by not knowing your password, or not having your key. If a criminal has all three, such as by kidnapping your children and forcing you to retrieve the data yourself, then there is still a fourth identification option:
* Something you do (i.e. something out of the ordinary that draws attention to yourself)
If you walk in and say "Hello Bob" to the security guard every day, and today you say "Hello Jim", maybe he will know something is up and alert the police. Or, maybe the security guard simply notices that you are sweating or looking very nervous, and investigates without you intentionally alerting him at all.
Re:I know how it feels... (Score:3, Interesting)
Of course, it would probably also be done a lot better, but it would still have the issues of a hidden method of implementation and central storage of credentials. The latter part of that sentence would be ignored by a lot of people, though.
Mobile phones? (Score:3, Interesting)
I don't work for sun, but I think that the mobile phone makes a pretty good store for passwords encrypted by a master password.
The PC is obviously out of the question if you use different operating systems... for instance, my home PC is primarily a KDE desktop, so its wallet app is used for storing all passwords. But I have no simple way to access that wallet from the Winblows machine I have to use at work.
Phones, however, usually have this "code memo" feature these days, which lets you wrap any information you want in crypto, and seems to be quite useful for password storage.
Of course, the same master password problems apply... if you lose that one password, you lose them all. And if someone steals that one password (and the phone) they steal all your passwords. But it's better than a simple text file on disk somewhere, and much better than the post-it notes.
Security versus the ability to work (Score:5, Interesting)
Later on, we learned better, and adopted a much more relaxed regime, in which we specifically didn't force expiry or insist on passwords like tH1s#0n£3&@ for most of the users (we were stricter with people who could order goods or edit the payroll!).
The main reason was that we evaluated (for a range of typical users) the potential financial cost and likelihood of being prevented from working by our password regime, against the potential financial cost and likelihood of suffering a security breach. And in almost all cases, our security policy turned out to be much more damaging than any plausible security breach.