Too Many Passwords

LK3 writes "A survey of 1700 technology end users in the United States released today reveals some interesting findings about password management habits. 'The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques and creates a drain on productivity by taxing the resources of IT support centers.' Further, corporate requirements of frequent password replacement further exacerbates the toll on human memory. Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?"
  • by richdun ( 672214 ) on Tuesday September 27, 2005 @04:25PM (#13661306)
    Nothing for you to see here. Please move along.

    Crap, what was the password to view /. stories?
  • by nizo ( 81281 ) * on Tuesday September 27, 2005 @04:25PM (#13661307) Homepage Journal
    Becoming tired of remembering passwords, I wrote a little perl program to randomly generate a matrix like this:

    a-E9 b-?p c-&m
    d-6K e-aY f-eP
    g-!S h-gn i-D=
    j-Hd k-vw l-Cb
    m-W5 n-4$ o-R3
    p-x% q-7M r-NF
    s-+2 t-s* u-Ay
    v-fL w-zG x-Zu
    y-cX z-Qr

    I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw

    Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard then get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password :-) ).
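The card scheme in the comment above, as an added example written for this page (not nizo's Perl program, which is not shown). It transcribes the posted card as a constructed sample, generates fresh cards, derives a password from a memorised word, and also shows the scheme's limit: whoever holds the card turns any leaked password straight back into the dictionary word, so the strength of every password is the strength of that word. The cell alphabet and the distinct-cells rule are assumptions.

```python
import secrets
import string

# The card posted above, transcribed as a constructed sample: each lowercase
# letter maps to one two-character cell.
SAMPLE_CARD = {
    "a": "E9", "b": "?p", "c": "&m", "d": "6K", "e": "aY", "f": "eP",
    "g": "!S", "h": "gn", "i": "D=", "j": "Hd", "k": "vw", "l": "Cb",
    "m": "W5", "n": "4$", "o": "R3", "p": "x%", "q": "7M", "r": "NF",
    "s": "+2", "t": "s*", "u": "Ay", "v": "fL", "w": "zG", "x": "Zu",
    "y": "cX", "z": "Qr",
}

# Alphabet for freshly generated cells (an assumption; the original program is not shown).
CELL_ALPHABET = string.ascii_letters + string.digits + "!?&=$%*+@#"


def generate_card(cell_len=2, alphabet=CELL_ALPHABET):
    """Build a new card: one random cell of cell_len characters per lowercase letter.

    secrets (not random) is used so the cells are unpredictable; cells are kept
    distinct so the card can be inverted without ambiguity.
    """
    while True:
        card = {
            letter: "".join(secrets.choice(alphabet) for _ in range(cell_len))
            for letter in string.ascii_lowercase
        }
        if len(set(card.values())) == len(card):
            return card


def derive_password(card, word):
    """Look up each letter of the memorised word on the card and join the cells."""
    word = word.lower()
    if not word or any(ch not in card for ch in word):
        raise ValueError("word must contain only letters present on the card")
    return "".join(card[ch] for ch in word)


def format_card(card, columns=3):
    """Render the card in the 'a-E9 b-?p c-&m' layout used in the comment."""
    entries = [f"{letter}-{cell}" for letter, cell in sorted(card.items())]
    rows = [" ".join(entries[i:i + columns]) for i in range(0, len(entries), columns)]
    return "\n".join(rows)


def recover_word(card, password):
    """The scheme's limit: with the card in hand, a password maps back to the word.

    Returns None if the password is not a concatenation of cells from this card.
    """
    cell_len = len(next(iter(card.values())))
    inverse = {cell: letter for letter, cell in card.items()}
    if len(password) % cell_len:
        return None
    letters = []
    for i in range(0, len(password), cell_len):
        letter = inverse.get(password[i:i + cell_len])
        if letter is None:
            return None
        letters.append(letter)
    return "".join(letters)


if __name__ == "__main__":
    print(format_card(SAMPLE_CARD))
    print(derive_password(SAMPLE_CARD, "bank"))   # ?pE94$vw, as in the comment
    print(recover_word(SAMPLE_CARD, "?pE94$vw"))  # bank
```

The point of `recover_word` is the one shis-ka-bob raises further down: once the card is known, an attacker only has to guess dictionary words, so the word should be as unguessable as a password would have to be.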
  • kwallet (Score:5, Interesting)

    by DarkProphet ( 114727 ) <chadwick_nofx@h o t m a i l .com> on Tuesday September 27, 2005 @04:26PM (#13661329)
    I find that kwallet works well for this in KDE, but it's a feature sorely lacking in WinXP, though I am not sure I trust XP to store my passwords ;-)

    I just use the same 4 passwords for everything, but trying to figure out which one of the four a certain one is can be a problem, since in some cases you only get 3 login attempts...
  • Don't forget (Score:5, Interesting)

    by GWBasic ( 900357 ) <{moc.uaednorwerdna} {ta} {todhsals}> on Tuesday September 27, 2005 @04:28PM (#13661358) Homepage
    Don't forget to add that programs use inconsistent rules for passwords. Some programs are case-sensitive, others aren't. Some programs don't allow special characters, some require them. What's worse are programs that require a numerical password. For example, I refuse to use Verizon's online system because instead of using a username/password combination, I have to use an account number and a randomly-generated PIN.
  • by ChrisF79 ( 829953 ) on Tuesday September 27, 2005 @04:30PM (#13661380) Homepage
    I can definitely relate to what they're saying in the article. At the company where I work, we are required to change our Windows password every 8 weeks and the password to get into the financial software every 3 months. To make matters worse, we can't use a password we used in the past again. So, you have a bunch of folks here that aren't concerned at all about passwords creating anything they can think of every 2 months minimum, and forgetting it that same day. It's a huge drain on the IT department and it constantly happens. Also, after 3 unsuccessful attempts at getting in the financial software, you're locked out. You have to call a completely different person than the usual IT guys to get the specialist for PeopleSoft to fix the screw up. It really amazes me at how much time gets wasted in our IT department alone, just fixing passwords for people.
  • by Skadet ( 528657 ) on Tuesday September 27, 2005 @04:36PM (#13661473) Homepage
    In the (California-based!) tech support center. You might be shocked at the number of people who have no idea how security works.

    Prime example. When a customer wants to cancel their account, we direct them to an online form which asks for their registration # or domain name and their password to verify their identity. Invariably, the customer forgets their password and when we respond that we can't cancel their account without that information, they ALWAYS ask, "can you tell me my password?"

    I am not joking. People call in all the time wanting their login information without being able to verify a thing. By the way, when this happens, there are two options - the "forgot password" form which mails the info to the admin address on record, or providing the billing CC# (you pay the bill, you get the key)

    But I digress. Ultimately, the general public couldn't care less about passwords because they don't truly understand their function other than "it gets me where I need to be"
  • by 8127972 ( 73495 ) on Tuesday September 27, 2005 @04:38PM (#13661488)
    ..... Single Sign-On Manager by RSA. [rsasecurity.com] The IT manager then has the choice of using an RSA SecurID Authenticator, RSA Smart Card, RSA USB Authenticator, a biometric or (god forbid) a password.
  • App on my Palm Pilot (Score:2, Interesting)

    by f_g_goss ( 470787 ) on Tuesday September 27, 2005 @04:39PM (#13661506)
    I have two apps on my Palm: one generates passwords, another stores them in a "vault" with a master password. Works well especially the password generator. I just select upper/lower/mixed case, alpha characters and how long to make the password string. Copy-paste into the password vault. Done.
  • by TomorrowPlusX ( 571956 ) on Tuesday September 27, 2005 @04:40PM (#13661509)
    I made the argument, some time ago, that instead of forcing us to make new passwords every 45 days ( which is basically a solid way to guarantee weak, easily dictionary-attacked passwords stuck on the monitor ) they should allow us to keep our passwords longer the more complicated they are.

    Say, I choose an easily dictionary attacked password with just 5 lowercase letters. Whammo -- I'm told I can use that password for 3 days. So I make a 20 character, non-dictionary password with a mix of letters, numbers, random symbols, etc and I'm told I can keep it for a year.

    Seems to me that's a reasonable approach: reward people for better passwords.

    Suffice to say, I was told: "No way, we like it as it is"
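The "longer life for stronger passwords" policy proposed above, as an added example (not the commenter's or any employer's implementation). It estimates strength from length and character classes, treats anything on a wordlist as nearly worthless, and maps the estimate to an expiry between the 3 days and one year the comment mentions. The wordlist is a constructed stand-in, and the bit thresholds and the geometric ramp between them are assumptions.

```python
import math

# Constructed stand-in for a real dictionary; a deployment would load a large one.
WORDLIST = {"hello", "apple", "dragon", "monkey", "letmein", "password", "qwerty", "abcde"}


def estimate_bits(pw):
    """Rough strength estimate: length * log2(size of the character pool used).

    A password found on the wordlist is worth only log2(len(WORDLIST)) bits,
    because trying the list finds it in that many guesses.
    """
    if pw.lower() in WORDLIST:
        return math.log2(len(WORDLIST))
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33  # printable ASCII punctuation
    return len(pw) * math.log2(pool) if pool else 0.0


def allowed_lifetime_days(pw, min_days=3, max_days=365,
                          floor_bits=28.0, ceiling_bits=80.0):
    """Map the estimate to an expiry period.

    At or below floor_bits the password gets min_days; at or above ceiling_bits
    it gets max_days; in between the lifetime grows geometrically. The
    thresholds are assumptions, not the commenter's numbers.
    """
    bits = estimate_bits(pw)
    if bits <= floor_bits:
        return min_days
    if bits >= ceiling_bits:
        return max_days
    frac = (bits - floor_bits) / (ceiling_bits - floor_bits)
    return round(min_days * (max_days / min_days) ** frac)


if __name__ == "__main__":
    for pw in ("qzxwv", "password", "Tr0ub4dor&3", "Correct#Horse7Battery&Staple"):
        print(f"{pw!r}: {estimate_bits(pw):.1f} bits -> {allowed_lifetime_days(pw)} days")
```

A five-letter lowercase password lands on the 3-day floor; a 20-plus character mixed password clears the ceiling and gets the full year, matching the two cases in the comment. The estimator is deliberately crude (it credits "Password1!" with four classes); a real deployment would use a proper strength estimator rather than class counting.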
  • by millermj ( 762822 ) * on Tuesday September 27, 2005 @04:40PM (#13661515) Homepage
    There's a way to exploit just about anything. It's guaranteed someone is going to invent a way to fake a fingerprint or a retina to gain access. At least a password can be changed once guessed. I'd like to see you try changing your fingerprints.
  • by under_score ( 65824 ) <.mishkin. .at. .berteig.com.> on Tuesday September 27, 2005 @04:40PM (#13661519) Homepage
    I have three "good" passwords upon which I create variants. The three basic passwords all have a pseudo random combination of caps, lowercase, numbers, and punctuation. Then, when I have to change a password due to corporate policy, I simply change a single character so that my password gradually evolves... and stays very memorable. Admittedly, remembering the base passwords in the first place was a bit painful. But so far that I know of in over ten years of use, I have never had a password compromised, including passwords on servers that are publicly accessible. In my own experience, most tech users who are not technically inclined do indeed have very poor passwords: sometimes just their names even. I try to educate people on it but it is hard going. Most people just don't feel that it is worth the bother... and probably from their own perspective, a risk analysis would show they are correct.
  • by LionKimbro ( 200000 ) on Tuesday September 27, 2005 @04:42PM (#13661537) Homepage
    I write my passwords down in a special location in a special book.

    • You can't look at my password over the Internet.
    • You can't (for at least 30 years) make a robot that will find my passwords.
    • If a server that stores my password is compromised, then it is only that password that is compromised.


    I have offloaded Internet security into Material security.

    I use a separate password for every forum I care about. My passwords on my personal computers are changed regularly. I can do this, because of my password book. Without it, this would be implausible.

    It is conceivable that someone will get my password by taking my book from me, and snapping pictures of the password pages with their cell phone. Very well then, let someone make the $500 airplane trip over here, come into the office, find my book, and then start snapping pictures. Or maybe find me on the streets if it's lunch time, and rip the book out of my backpack. Conceivable.

    But I think this is prohibitively expensive for most people. It would be cheaper to hack a website, and get some other guy's password, and see where else the password might be usable.

    I think it is less risky to keep a watchful eye on my password book, than to use only a finite number of passwords.

    If someone thinks this is wrong, tell me what you do, and tell me why it is more secure. Not what you can imagine doing; Rather, tell me what you really do.
  • by alan_dershowitz ( 586542 ) on Tuesday September 27, 2005 @04:43PM (#13661546)
    Where I work (which shall remain nameless) people get around this password restriction by making their password "SOME STRING"1, then when they have to change it in a few weeks, "SOME STRING"2, and so on. I can't believe this is any sort of superior "security", badgering people into choosing terribly predictable passwords.
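The "SOME STRING"1, "SOME STRING"2 pattern above, and under_score's "change a single character" habit a few comments up, are exactly what a change-password handler can reject. The check below is an added example (not from either commenter or any product): it strips trailing or leading digits and punctuation, folds case and a few common substitutions, and also catches single-character edits. The substitution table is a constructed, deliberately short one.

```python
import re

# Common substitutions to fold before comparing (a constructed, deliberately short table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


def _core(pw):
    """Strip leading/trailing digits and punctuation, fold case and common substitutions."""
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw)
    return stripped.lower().translate(LEET)


def _edit_distance(a, b):
    """Levenshtein distance, used to catch single-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old, new, max_edits=1):
    """True if `new` is the old password with a counter bumped, case/leet changed,
    or at most max_edits characters altered."""
    old_core, new_core = _core(old), _core(new)
    if old_core and old_core == new_core:
        return True
    return _edit_distance(old.lower(), new.lower()) <= max_edits


def check_against_history(new, history):
    """Return the old passwords the candidate is a trivial variant of (empty list = accept)."""
    return [old for old in history if is_trivial_variant(old, new)]


if __name__ == "__main__":
    history = ["SomeString1", "SomeString2", "Unrelated!Pw9"]
    print(check_against_history("SomeString3", history))   # ['SomeString1', 'SomeString2']
    print(check_against_history("battery-staple", history))  # []
```

In practice only the current password is available in plaintext at change time (the user types it to authorise the change), so the plaintext comparison covers the immediate predecessor; older entries exist only as hashes, and checking against them means hashing the obvious variants of the candidate and comparing those.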
  • by pubjames ( 468013 ) on Tuesday September 27, 2005 @04:44PM (#13661558)
    I saw on a web site somewhere (sorry can't remember where) a simple, elegant solution to this problem, at least when it concerns logging on to web sites.

    You have a single password. This password is combined with the domain name and then processed with an appropriate mechanism (e.g. MD5) to produce a unique password for an individual site.

    I think that's a great solution and think it should be incorporated into all open source web browsers. The user doesn't even have to know it is happening. Much more practical than biometric solutions.
  • by m50d ( 797211 ) on Tuesday September 27, 2005 @04:46PM (#13661577) Homepage Journal
    If you try and force users to use stronger passwords than they can remember or change them too frequently you'll just get post-its and helpdesk. If their passwords aren't secure enough, get them to use etokens or something similar.
  • by shis-ka-bob ( 595298 ) on Tuesday September 27, 2005 @04:47PM (#13661587)
    The whole point is that you can be using 'hard' passwords that look like Jibberish(TM), but are easy to remember. You can even do things like build a separate cheat card for each month and then keep the same mnemonic but have the password change. (This has its own drawbacks - you need to keep 'last month's' card around long enough to change all of your passwords.) It isn't hard to remember 'a few' passwords, but it gets pretty hard when dozens of groups want you to have passwords and everybody warns you that it is bad form to use a single password more than once.

    One thing that I did find to be a significant drawback to this is that some companies are demanding an upper case letter, a lower case letter, a number and a funny character. It is quite possible that the transform of an easy to remember word will not happen to have all of these. One solution, that actually makes this less secure, would be to have all vowels contain a lowercase letter and a funny character and have each consonant contain an uppercase letter and a digit. This really reduces the number of potential passwords, but such is the cost of making the 'powers that be' happy.

  • by RingDev ( 879105 ) on Tuesday September 27, 2005 @04:47PM (#13661592) Homepage Journal
    And I had some app running in the background (something FF related?) that kept trying to auto apply my original password (yes I cleared password from inside FF). After the 6th lock out of the day, I got my network teks to let me reset my password.

    Total cost of the password change? Maybe a man-hour's worth of time (between myself and waiting on the teks, and the teks stopping their work to fix my account). So maybe a hundred dollars or so. But we have 800+ employees in 5 branches. That's a lot of password change headaches.

    -Rick
  • by fak3r ( 917687 ) on Tuesday September 27, 2005 @04:51PM (#13661626) Homepage
    This is a problem, however at my work (and a few other gigs) I've seen Password deficiency in the workplace [fak3r.com]. Too many projects headed up by non-technical people that don't understand the importance of passwords. Obviously a unified solution (NFS or the like) would help tremendously, but for things like servers, getting to a root account wouldn't be a good use, so I think it'd need to be a biometrics (fingerprints) solution, with a "sudo like" functionality on the server. i.e. the user with this fingerprint can do these things, etc.
  • by xiando ( 770382 ) on Tuesday September 27, 2005 @04:52PM (#13661637) Homepage Journal
    I use Another Password Generator for all my passwords. http://www.adel.nursat.kz/apg/ [nursat.kz]

    As a general security measure, I use different passwords for all the Internet services I use. I simply do not trust the random forum and service owners I use enough; not because I distrust any concrete service like say Slashdot, but because it only takes one dishonest service owner to look up my password in order to have them all if I were to use the same one everywhere. Instead, I have a very long, huge text file with all my passwords, which is stored on my bestcrypt http://www.jetico.com/ [jetico.com] partition. The system works great for me. Alright, I have to look up the service and password every time, but as I always have that file open in kate since I use it frequently it is not a big deal. This works fine for me and I recommend it. This way I only have to remember the actual sentence I use as a password for my bestcrypt drive, and nobody can use the password on one service to guess my password on another since they are all random garbage like we4kBoc3fis...

    So I think that a "a master password" IS the solution. Every employee can easily have their own personal master password where they keep a record of all their passwords, and this allows every employee to have a random password that only works for them assigned for each service they use.
  • Password expiring (Score:3, Interesting)

    by BrookHarty ( 9119 ) on Tuesday September 27, 2005 @04:58PM (#13661697) Journal
    I started using robotron, way too many passwords to type in daily. I have password safe with over 300 passwords, from sites, servers or applications. Crazy.

    Then IT thinks it's good to change passwords every 30 days on some sites, password management alone takes 1-2 hours a week, not counting the times I have to change passwords for other people.

    If anyone knows an open-source robotron replacement that works in both IE and Firefox, reply. As for password safe, been trying a new open-source one called Keepass [sourceforge.net] that looks pretty nice, and ported to multiple platforms.

  • by TheRaven64 ( 641858 ) on Tuesday September 27, 2005 @05:02PM (#13661746) Journal
    Rather than a PGP key, why not a personal SSL client certificate? Support is already integrated into most browsers, and organisations such as CACert issue them for free.
  • by darrylo ( 97569 ) on Tuesday September 27, 2005 @05:04PM (#13661771)
    You can't lose your finger NEARLY as easily as you can lose your physical token or forget your password.

    Biometrics is a bad idea, if for no other reason than thieves will chop off body parts: Malaysia car thieves steal finger [bbc.co.uk]

  • by shis-ka-bob ( 595298 ) on Tuesday September 27, 2005 @05:14PM (#13661854)
    It is certainly true that the vulnerability of this is that somebody that has your cheat sheet only has to guess 'dictionary' words (and start with common 3-5 letter ones first). The drawback of yours is that a 'bad guy' that convinces you to set up a password on his site will be able to look at your password and he might figure out what your rule is. ( e.g., if one were to use C@5tits on a porn site, a shady porn site operator could simply read the password and guess the rule.) He can then do the dictionary attack against anyone else that you have an account with.
  • by Anonymous Coward on Tuesday September 27, 2005 @05:15PM (#13661861)
    Evil sites *could* still cause harm. Think about a man in the middle attack:

    1. you go to evilsite.com, and enter your public key
    2. evilsite.com automatically connects to bank.com, and enters your public key
    3. bank.com encrypts some string, and sends it to evilsite.com
    4. evilsite.com sends the encrypted password to you
    5. you decrypt the data, and enter that info to evilsite.com
    6. evilsite.com forwards the data to bank.com

    Now, while you play on evilsite.com, evilsite.com empties your bank account. Not likely? What if you went to evilsite.com by following a link in an email that looks like it came from bank.com, and where you have a bank account? And don't think like someone who knows better. Think like your grandmother.
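The relay in the six steps above works because the user's answer is valid for whichever site forwards it. The usual defence is to bind the answer to the origin the client is actually talking to, so an answer computed for evilsite.com is worthless at bank.com. The simulation below is an added example, not code from the comment or from any bank: HMAC over a random nonce stands in for the public-key challenge-response (an assumption made so it runs with the standard library alone), and `run_relay` plays the six steps once without and once with origin binding.

```python
import hashlib
import hmac
import secrets

BANK_ORIGIN = "bank.example"     # constructed origins, not real sites
EVIL_ORIGIN = "evilsite.example"


def respond(key, nonce, origin=None):
    """Client side of the challenge-response.

    With origin=None this is the plain scheme from the comment: the answer depends
    only on the user's key and the challenge. With an origin, the client mixes in the
    site it is actually connected to, so a relayed answer no longer matches.
    (HMAC stands in for a signature with the user's private key.)
    """
    msg = nonce if origin is None else f"{origin}|{nonce}"
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


class Bank:
    """Verifier. `bound=True` means it expects answers bound to its own origin."""

    def __init__(self, bound):
        self.bound = bound
        self.keys = {}
        self.pending = {}

    def register(self, user, key):
        self.keys[user] = key

    def challenge(self, user):
        nonce = secrets.token_hex(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self.pending.pop(user, None)   # each challenge is usable once
        if nonce is None or user not in self.keys:
            return False
        expected = respond(self.keys[user], nonce, BANK_ORIGIN if self.bound else None)
        return hmac.compare_digest(expected, response)


def run_relay(bound):
    """Play the six steps from the comment. Returns True if the bank accepted the relayed login."""
    key = secrets.token_bytes(32)
    bank = Bank(bound)
    bank.register("alice", key)
    # Steps 1-3: the user lands on the evil site, which requests a challenge in her name.
    nonce = bank.challenge("alice")
    # Steps 4-5: the evil site shows her the challenge; her client answers for the site it sees.
    response = respond(key, nonce, EVIL_ORIGIN if bound else None)
    # Step 6: the evil site forwards the answer to the bank.
    return bank.verify("alice", response)


if __name__ == "__main__":
    print("unbound challenge-response, relay accepted:", run_relay(bound=False))  # True
    print("origin-bound challenge-response, relay accepted:", run_relay(bound=True))  # False
```

The binding only helps if the client, not the user, supplies the origin, which is why it belongs in the browser's TLS client-certificate handshake (TheRaven64's suggestion below) rather than in anything the user types.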
  • by pcraven ( 191172 ) <paul.cravenfamily@com> on Tuesday September 27, 2005 @05:20PM (#13661916) Homepage
    Too slow.

    Use a phrase, like: SlashDot Keeps Posting The Same Thing Over And Over
    Use the first letters: sdkptstoao
    Modify it a bit: SDkptst0a0

    You just remember the phrase and you are good to go!
  • by Usquebaugh ( 230216 ) on Tuesday September 27, 2005 @05:21PM (#13661930)
    Identity 2.0 it's nearly been blogged to death.

    Take a look at this really cool presentation, even if you find the subject matter boring the presentation is sharp, http://www.identity20.com/media/OSCON2005/ [identity20.com] /. news for the lazy and ignorant
  • by The Chaotician ( 64066 ) on Tuesday September 27, 2005 @05:36PM (#13662083)
    Here's my solution: I keep one good password in my head. On a piece of paper (or two - no need to keep it private, you can write it in the sky if you want), I write a "hint" for each password I need to remember. For instance, my yahoo hint is "yahoo". My ebay hint is "ebay".

    The actual password for each site is the first 8 chars of the SHA1 hash of my memorized password concatenated with the hint (sha1(passwordyahoo), sha1(passwordebay) etc).

    I keep a gdesklet applet open on my desktop to generate passwords when needed. The SHA1 algorithm is freely available and already implemented as libraries in many languages, so moving to a new computer or rebuilding the password generator is simple.
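The hashed-derivation scheme in this comment, and pubjames's "master password combined with the domain name, then MD5" version earlier in the thread, are the same idea; the block below is an added example (not the commenter's gdesklet applet or any browser's code) that implements the sha1(master + hint)[:8] rule as described, and makes two practical points visible: eight hex digits give only 32 bits and never satisfy the four-class rule shis-ka-bob complains about, and anyone who learns one derived password plus the rule can guess the master offline, so the master must be long. The HMAC/base64 variant at the end is my own assumption of a construction with a larger output alphabet, not something on the page.

```python
import base64
import hashlib
import hmac
import math

HEX_CHARS = set("0123456789abcdef")


def derive_site_password(master, hint, length=8):
    """The scheme from the comment: first `length` hex digits of sha1(master + hint)."""
    digest = hashlib.sha1((master + hint).encode("utf-8")).hexdigest()
    return digest[:length]


def derived_bits(length=8, alphabet_size=16):
    """Search space of the derived password for someone who knows the scheme:
    hex output is 4 bits per character, so the default is 32 bits."""
    return length * math.log2(alphabet_size)


def meets_four_class_policy(pw):
    """The 'upper, lower, digit, symbol' rule several commenters complain about.
    A hex string can never pass it."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def derive_site_password_hmac(master, site, length=16):
    """Assumed variant, not from the page: HMAC-SHA256 keyed by the master secret over the
    site name, base64url-encoded, so the output alphabet has 64 symbols and the hint is
    not simply concatenated. It is still a fast hash, so a short master can be guessed
    offline from one leaked site password just as with the SHA1 scheme."""
    mac = hmac.new(master.encode("utf-8"), site.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii")[:length]


if __name__ == "__main__":
    for hint in ("yahoo", "ebay"):
        pw = derive_site_password("correct horse battery staple", hint)
        print(hint, pw, "policy ok:", meets_four_class_policy(pw))
    print("bits in an 8-hex-digit password:", derived_bits())
```

Moving from hint strings to full domain names (as pubjames suggests, and as PwdHash does further down the thread) only changes the second argument; the trade-offs stay the same.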
  • by TheRaven64 ( 641858 ) on Tuesday September 27, 2005 @05:38PM (#13662104) Journal
    I think you are missing the point. This doesn't need a Firefox plugin. It is already present in IE, Firefox and Safari (maybe Opera - I've not checked). All you need to do is add a client certificate. Then, the first time you establish an SSL connection to a server which requests it, they will get a copy of the signed data, which they can log. Any further attempt to use that site can do the same authentication, completely transparently.
  • by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Tuesday September 27, 2005 @05:58PM (#13662282) Homepage
    There's always PwdHash [stanford.edu].. unfortunately:

    - It only works on certain sites - javascript confuses it completely
    - They keep changing the f***ing algorithm, so next time you install it none of your passwords work!
    - If you're working on another machine you can't log in anywhere.

    I gave up on it.. something like that shipped with the browser would probably work though.
  • by hacksoncode ( 239847 ) on Tuesday September 27, 2005 @06:23PM (#13662454)
    The notion of having some master password that unlocks a "password safe" that stores all of your crazy passwords for different sites is a powerful one, but it has one huge hole that has bitten me more than once.

    Windows (as would be any OS that attained broad use) and/or disk hardware are sufficiently unstable that I occasionally have to scrap my existing data and start over from scratch. Additionally, I use many different computers on different networks to access the same websites, etc. Backups are a pathetic workaround for this, and are themselves a vulnerability.

    In fact, any scheme that relies on a password safe resident on one machine will always be susceptible to catastrophic lossage, and is a pain to use on other machines. And any scheme that relies on 3rd party storage of the passwords is vulnerable to attacks on that storage and is inherently harder to maintain.

    Personally, I think the only thing that will eventually solve this problem is a single password plus a smartcard-like system (with automated backup to some other local storage). We're not going to get there easily, though. And it's not a panacea either, because smart cards can be lost, stolen or fried just as easily.

    Ironically, this problem is essentially another variant of the fundamental issue surrounding identity theft: in an information society, it's absolutely crucial that we be able to reliably uniquely identify every person, but anything we use to do that will end up being abused just like SSNs.

  • effective strategy (Score:1, Interesting)

    by Anonymous Coward on Tuesday September 27, 2005 @06:52PM (#13662659)
    I have a strategy that has worked out very well for me. Well worth implementing, if I do say so myself!

    (1) For any site or "thing" that makes you set up a password, first consider whether or not it needs to be secure in your own judgment. For example, I don't give a rat's ass if somebody figures out my NY Times login or my TitanTV login, but I'd rather they don't get my bank login!

    (2) For "unimportant" logins, choose an UNUSUAL login name (so that you don't find that it's already been claimed on more popular web sites), and a password of 6-8 characters, that you use for ALL of them.

    (3) For "important" logins, have one part that is a "master" password, maybe 5 characters. Then, for each site, choose a few additional characters that you tack on to the beginning or the end of it, which remind you (in some obscure way) of the service it's a password for. Personally, I have adopted a simple cipher. So, if the password is for Bob's Skate Shop, I might choose bss. Supposing my cipher is "1 letter later in the alphabet", that becomes ctt.

    In my opinion, this creates an ideal balance between usability and security. If somebody finds out my password to Bob's Skate Shop, they would still need to know my cipher, and figure out which part of the password is "standard", before they could log into my credit card account.
  • by SydShamino ( 547793 ) on Tuesday September 27, 2005 @07:49PM (#13663009)
    Yes, fake fingerprints or retina are a problem for biometrics.

    But, a bigger problem (for now) is someone cracking your database of biometric data, and being able to retrieve the information you store to identify people. This is why there is research into Replaceable Biometrics [computerworld.com].

    If the stored database cannot be related to the person, then again a criminal is forced to go directly to the source (you) to copy or steal the finger or retina. Ideally, they would then be stopped by not knowing your password, or not having your key. If a criminal has all three, such as by kidnapping your children and forcing you to retrieve the data yourself, then there is still a fourth identification option:

    * Something you do (i.e. something out of the ordinary that draws attention to yourself)

    If you walk in and say "Hello Bob" to the security guard every day, and today you say "Hello Jim", maybe he will know something is up and alert the police. Or, maybe the security guard simply notices that you are sweating or looking very nervous, and investigates without you intentionally alerting him at all.
  • by Martin Blank ( 154261 ) on Tuesday September 27, 2005 @07:50PM (#13663017) Homepage Journal
    Imagine if Google implemented GooglePass, though. Everyone would jump on it as the best thing ever!

    Of course, it would probably also be done a lot better, but it would still have the issues of a hidden method of implementation and central storage of credentials. The latter part of that sentence would be ignored by a lot of people, though.
  • Mobile phones? (Score:3, Interesting)

    by Trejkaz ( 615352 ) on Tuesday September 27, 2005 @07:52PM (#13663023) Homepage

    I don't work for Sun, but I think that the mobile phone makes a pretty good store for passwords encrypted by a master password.

    The PC is obviously out of the question if you use different operating systems... for instance, my home PC is primarily a KDE desktop, so its wallet app is used for storing all passwords. But I have no simple way to access that wallet from the Winblows machine I have to use at work.

    Phones, however, usually have this "code memo" feature these days, which lets you wrap any information you want in crypto, and seems to be quite useful for password storage.

    Of course, the same master password problems apply... if you lose that one password, you lose them all. And if someone steals that one password (and the phone) they steal all your passwords. But it's better than a simple text file on disk somewhere, and much better than the post-it notes.

  • by gdav ( 2540 ) on Tuesday September 27, 2005 @07:57PM (#13663047)
    Where I work (a university) we used to have a fairly fierce password regime. Change it every four weeks, no re-using of old passwords, minimum eight characters including mixed case, numerals and punctuation - that kind of thing.

    Later on, we learned better, and adopted a much more relaxed regime, in which we specifically didn't force expiry or insist on passwords like tH1s#0n£3&@ for most of the users (we were stricter with people who could order goods or edit the payroll!).

    The main reason was that we evaluated (for a range of typical users) the potential financial cost and likelihood of being prevented from working by our password regime, against the potential financial cost and likelihood of suffering a security breach. And in almost all cases, our security policy turned out to be much more damaging than any plausible security breach.
