Forgot your password?
typodupeerror
Security

Strong Passwords Not As Good As You Think 553

Posted by CmdrTaco
from the still-better-than-'password' dept.
Jamie noticed that Bruce Schneier wrote a piece on a paper on strong passwords that tells us that the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped. They make things hard on users, but are useless against phishing and keyloggers. Everyone can change their password back to 'trustno1' now.
This discussion has been archived. No new comments can be posted.

Strong Passwords Not As Good As You Think

Comments Filter:
  • News at 11 (Score:5, Insightful)

    by sweatyboatman (457800) <sweatyboatman AT hotmail DOT com> on Monday July 13, 2009 @10:45AM (#28676251) Homepage Journal

    If your computer is hacked than you're boned.

    Seems to me that the solution is to have a strong password and keep your computer free of malware.

    Is that really so hard?

    • Re:News at 11 (Score:5, Interesting)

      by DrLang21 (900992) on Monday July 13, 2009 @10:48AM (#28676293)
      There's another problem at the work place. I have to change my password every 4 months to a moderately strong password. It cannot be a password I have used in the last 6 months or any of my last 6 passwords. The result? My password is prominently tacked up on my cubical wall. Seriously I can only remember so many passwords before I just can't do it anymore. If I enter the wrong password 3 times, my account locks up.
      • Re:News at 11 (Score:5, Insightful)

        by Tridus (79566) on Monday July 13, 2009 @10:51AM (#28676325) Homepage

        Yeah, this.

        "Security" people who don't know anything about non-IT users like to make password rules that are so obtuse that normal users simply can't deal with them. The result is sticky noted passwords.

        Users have to be able to remember their passwords in order for this security to be of any use. Push them beyond that ability, and you're actively making the situation worse.

        • Re:News at 11 (Score:5, Insightful)

          by Allicorn (175921) on Monday July 13, 2009 @10:56AM (#28676409) Homepage

          So write it down and put it in your wallet with your credit card.

          Unless - of course - you routinely tack your credit card to your cubicle wall. No? Didn't think so.

          • Re:News at 11 (Score:5, Insightful)

            by Talennor (612270) on Monday July 13, 2009 @11:02AM (#28676555) Journal

            Do you have to enter your credit card number every time you want to access your computer? No? Well that's why it's in your wallet and not more easily accessible.

        • Re:News at 11 (Score:4, Insightful)

          by quangdog (1002624) <quangdog AT gmail DOT com> on Monday July 13, 2009 @10:58AM (#28676463)

          normal users simply can't deal with them. The result is sticky noted passwords.

          This gets especially problematic when the janitorial staff comes through one night and decides all those pesky post-its (and, indeed, most every paper/seeming clutter on every desk) needs to get cleaned up and thrown out.

          Really happened where I worked, once.

          But just once.

          • Even Better (Score:3, Funny)

            by Zygamorph (917923)
            Years ago one of my co-workers was asked by management to do a global password change on the systems (s)he supported. It was to be done late Friday afternoon for the "usual" reasons. The systems were such that you couldn't just expire them so they were individually reset to new ones. (S)He did this and then put post-its on everyone's monitor to let them know what their new password was when they came in on Monday. Shortly thereafter there was a new global password change.
        • Re:News at 11 (Score:5, Insightful)

          by ArhcAngel (247594) on Monday July 13, 2009 @11:06AM (#28676639)

          Agreed, but what I find even more mind numbing is the places that require you to have a password that is between 6 to 10 characters in length (6 for a "strong" password and 10 because their system can't handle passwords any bigger) and must have at least two numbers in them as well as one upper case or some such. If the person/group trying to crack your system know about these requirements (which isn't hard to find out if you plaster it on the logon screen) it greatly reduces the number of permutations they even have to try. You have basically handed them a filter and said Don't bother looking for anything that doesn't contain the following.....

          • Re:News at 11 (Score:5, Insightful)

            by the_one(2) (1117139) on Monday July 13, 2009 @11:45AM (#28677329)

            If one assumes that the users are lazy and will only do the bare minimum that would mean (in order): 1 upper case letter, 3 lower case letters and 2 numbers. This would translate to 26 ^ 4 * 10 ^ 2 = 45697600 permutations. That wouldn't be very hard to crack. And that is without using dictionaries!

          • Re: (Score:3, Insightful)

            by Mr. DOS (1276020)

            Directly related item [thedailywtf.com] on The Daily WTF [thedailywtf.com].

            The more fine-grained the requirements you can punch into your brute forcer, the faster the hash goes down...

                  --- Mr. DOS

        • Re:News at 11 (Score:5, Interesting)

          by bbernard (930130) on Monday July 13, 2009 @11:09AM (#28676683)

          This kind of thinking is, well, disappointing. Yes, it would be "easier" for you the user to not need such a strong password. That would be one way of looking at it. I think it would be easier, too, if I didn't need to look both ways for pedestrians while backing out of my driveway every day. What are the chances that I'm going to hit a pedestrian? Pretty small, but I need to look for them anyway.

          There are just some things that we all have to do, even if they are "hard." So may I suggest that instead of complaining that passwords are too hard to remember, perhaps you could try using a couple of tools.

          1. Use something like password safe for all those "useless" passwords. You know, the ones for Yahoo, Google, Slashdot, etc.

          2. Teach yourself an easy way to create complex passwords. Use the first letter of each word in a silly phrase like "Snoopy Prefers @nchovies 0n his 8rick Oven pizza." (SP@0h8Op) Or pick some other way of remembering these things.

          3. Or, install a backup camera so you don't need to look around for those pedestrians.

          Just my 2 cents.

          • Re:News at 11 (Score:5, Insightful)

            by Mr. Underbridge (666784) on Monday July 13, 2009 @12:11PM (#28677787)

            There are just some things that we all have to do, even if they are "hard." So may I suggest that instead of complaining that passwords are too hard to remember, perhaps you could try using a couple of tools. 1. Use something like password safe for all those "useless" passwords. You know, the ones for Yahoo, Google, Slashdot, etc

            Spoken like an ivory-tower admin with people skills worse than an angry badger. Some problems with that attitude:

            1. While you think your system is special, it's not to us. Yours is one of many systems for which we have to remember passwords.

            2. Systems that require such moronically complex passwords also require them to be changed. They also use slightly different rules so that passwords can't be exactly re-used. End result is that I've got about 40 passwords or their variants in recent use. No way I'm remembering that, and I'm smart. You can forget about the secretary.

            3. Admins that set up such systems generally forbid the use of password keychains.

            End result? At work, I have to remember passwords for about 8-10 systems, all with different rules and password expiration schedules. Naturally, each will lock you out after 3 tries. So what I generally have to do is, each time I've gone more than a week without using a particular system, I get the IT guy to reset the password. Only because I'm one of the good guys, I don't write them down. But I've been sorely tempted.

            You can either learn to work with people, or you can keep making unusable edicts that make it impossible for people to follow them. Just know that once you cross the "sticky note" threshold - and you appear to be well over it - your system is far more easily compromised than if you had implemented a sensible security policy in the first place.

            What admins usually forget is that security is inherently practical, not theoretical. Hackers will always focus on the weakest part of any secure system, not the strongest. Making it take 100 days instead of 10 to crack a password file doesn't accomplish anything, because they'll move on to another exploit. All you'll do is piss off your users and make it a lot more likely that passwords get written down. As Mitnick showed, the weakest link is usually human, and your approach makes that link far weaker.

        • by grumpyman (849537) on Monday July 13, 2009 @11:09AM (#28676685)
          "Security" people who don't know anything about non-IT users like to make password rules that are so obtuse that normal users simply can't deal with them. The result is sticky noted passwords.

          .... while sys admin uses "admin" as password on servers/switches without the need to change, ever?

        • by vadim_t (324782)

          Users have to be able to remember their passwords in order for this security to be of any use. Push them beyond that ability, and you're actively making the situation worse.

          No, not really.

          If people at your office can be trusted, you don't really take a huge risk by having a postit with the password. The complicated password, however, makes it much harder to brute force from the outside, or to brute force a compromised hashed password DB.

          A few years back somebody managed to grab the Second Life password data

          • Re: (Score:3, Informative)

            by Bigjeff5 (1143585)

            If people at your office can be trusted, you don't really take a huge risk by having a postit with the password.

            Ahh, I see, so you hang out with the housekeeping staff and fully trust them too. You know, the ones who do the shitty job, are thoroughly underpaid but are easily smart enough to realize that somebody "out there" might find confidential information on your system very, very valuable? Same with the building owners your company leases to, right? You know, 16+ gig flash drives are very cheap and hold a lot of confidential information. Hell, if they're a little more technical than that they'll find a troja

        • Re: (Score:3, Insightful)

          by bitslinger_42 (598584)

          Do you remember your mother's birthday? Your anniversary? Who won the last 5 World Series? The name of the first girl you had a crush on? What I'd mean if I were to say "Ni!" to an old woman? While you might not know all of them (I have no clue who won the most recent World Series, nor do I care), I'm sure you know all sorts of similarly esoteric information.

          People can remember all sorts of information, if it is important enough to them. People look at passwords as inconveniences at best.

          If you can't m

          • Re:News at 11 (Score:4, Insightful)

            by eyrieowl (881195) on Monday July 13, 2009 @11:43AM (#28677303)

            Strawmen. Those data points don't change every six months to something relatively arbitrary. Even the last world series question (the only one of your questions which EVER changes) has a very finite set of possible correct answers. Even more problematic, the many different systems with passwords usually have different schedules on which passwords need to be changed, and different ways of defining "strong" passwords, so you can't use the same "strong" password across multiple systems. I don't have post-its for my passwords, but the only way I've been able to escape that is by coming up with a system for my passwords which allows me to make minor, memorable variations each time I have to change one of my passwords. If it were just one password, well, okay, but voicemail and multiple system logins each with different password requirements and change-schedules? Some of which I only use intermittently? I'm sorry, but at some point these requirements become completely counterproductive.

            • Re: (Score:3, Interesting)

              by bitslinger_42 (598584)

              Glad to see you read the first paragraph of my post. Did you happen to see the end, where I said that I agreed with the paper, increasing password complexity doesn't solve the problems that we face today, and that I'm engaging my management with an eye towards changing our password policy?

              But, since you brought it up, sure those don't change, but we have all sorts of information that we learn every day. If you're a programmer, you might have to learn a new technique, the parameters for a new method invoca

              • Re: (Score:3, Insightful)

                by AK Marc (707885)
                The password itself doesn't change for six months (in the parent's example), so while the first few days or so are a pain, it is possible to learn one new eight character "word" twice a year.

                For one, changing passwords do not improve security. At best, they limit the time when a system is compromised, but almost never improve the security (the only exception is if someone managed to get a hold of an encrypted password file and it takes 7 months to crack a 6 month rotation, but that takes an already compr
        • Re: (Score:3, Informative)

          by ShieldW0lf (601553)

          So, use an acronym for your password, but write down the full sentence.

          Use the password "Dftpu2jomaw!" and write yourself a note that says "Don't forget to pick up 2 jugs of milk after work!"

      • Re: (Score:3, Informative)

        There's another problem at the work place. I have to change my password every 4 months to a moderately strong password. It cannot be a password I have used in the last 6 months or any of my last 6 passwords. The result? My password is prominently tacked up on my cubical wall. Seriously I can only remember so many passwords before I just can't do it anymore. If I enter the wrong password 3 times, my account locks up.

        We have this policy on our timekeeping system. I re-use the same password with a number f

      • Re:News at 11 (Score:5, Insightful)

        by tie_guy_matt (176397) on Monday July 13, 2009 @11:05AM (#28676615)

        Another problem with password rules that rotate too fast and have too many rules is that you end up with many users who are locked out of their accounts. I imagine if the helpless desk gets 100 requests a day to reset account passwords then after a while they become less careful to ensure that the person requesting a password reset is actually the person that owns the account. Personally the more stupid password rules I encounter the more likely I am to try to come up with a password that is easy to guess (since I will be the one guessing the password in a little while.)

      • by wjh31 (1372867)
        What is the point in changing a password atall. If someone has discovered your password i imageing they would be unlikely to wait to use it. "oh damn i waited 3 months and now the password doesnt work". If your account has been compromised, you need a new password (and to figure how it happened to prevent it), if you account is safe, its safe.
      • by Zerth (26112)

        An example password for such situations

        [i1!][a@]m[l1!][e3][e3][t7]

        that gives you 144 combinations if your system just requires a mix of letters and not letters, not counting upper-vs-lower, or something like half if your password require letters, numbers, and symbols every time.

        Can't remember which you've used recently? Write down past choices using just the letter A for letters, S for numbers, and D for symbols in place of the actual character.

        E.g. ADASSSA for i@m133t

        That way someone won't mistake it for

      • by Deadstick (535032) on Monday July 13, 2009 @11:26AM (#28677025)
        on my cubical wall

        Most of mine are planar...

        rj

      • Re: (Score:3, Insightful)

        by Inda (580031)
        Same as that! Me too! OK, OK!

        This month's password is: July2009. It has numbers and capitals. Great!

        Next month's password will be: August2009. It has numbers and capitals. Great!

        Don't be scared of the rules man. They are there to help you ;p
    • If your computer is hacked than you're boned.

      So am I if my computer is boned?

  • Woo hoo! (Score:2, Funny)

    by BobSixtyFour (967533)

    Yes! Now i can change my password back to password!

  • c'mon (Score:4, Funny)

    by greebowarrior (961561) on Monday July 13, 2009 @10:46AM (#28676265) Homepage
    surely we should all be changing our passwords back to "Joshua"?
    • surely we should all be changing our passwords back to "Joshua"?

      Yeah? You want to play a game, mothafucka???

      Hang up your punk-ass modem and step down. She-it.

      (Okay, I probably need to stop watching The Wire before I go to work.)

  • by damn_registrars (1103043) <damn.registrars@gmail.com> on Monday July 13, 2009 @10:48AM (#28676287) Homepage Journal
    I wouldn't expect that anyone smart enough to come up with a strong password would be dense enough to somehow expect it to be immune to keylogging. However with the number of brute force methods out there for cracking weak passwords, I don't see how this in any way reduces the value of strong passwords on systems where passwords are critical.
  • by kinabrew (1053930) on Monday July 13, 2009 @10:48AM (#28676289) Journal

    I advise people to use unusual sentences as passwords.

    For example, look at the previous sentence.

    I advise people to use unusual sentences as passwords.

    It contains uppercase letters, lowercase letters, spaces and punctuation.

    It's easy to remember, and hard to guess, so users are unlikely to forget it/write it down.

    And even if you did write down your sentence/password near your computer, people might not even guess that it was your password.

    • by damn_registrars (1103043) <damn.registrars@gmail.com> on Monday July 13, 2009 @10:55AM (#28676387) Homepage Journal
      Sentences as passwords are only applicable in environments that allow such things. Sure, they are very strong for hacker-resistance but you should realize how many systems don't allow:
      • spaces
      • passwords longer than 16 characters

      In particular many *NIX environments still don't natively allow spaces in passwords, so that approach would fail there.

      • by MrMr (219533) on Monday July 13, 2009 @11:07AM (#28676643)
        In particular many *NIX environments
        I have used passwords with spaces since the 1990's on AIX,IRIX,HPUX, Solaris and Linux and have only seen that happen on poorly written sql code (deliberatily put there by some ignorant web-developer).
        Which environment would that be?
      • I tend to use sentences, but instead of using a sentence like: "This sentence would make a crappy password."

        I'd reduce it as follows: "Tswmacp." Capital letters where capital letters would be in the sentence, include punctuation, and there you go.

        The biggest problem with it is that, in the english language, certain letters are unlikely to ever start a word, so it reduces the frequency a bit, and also, there aren't many numbers, even if you transliterate words like "to" to "2".

        So I pull out quotations from b

      • Re: (Score:3, Informative)

        by Rob Riggs (6418)
        The biggest problem of all is that there is no standard to what should be allowed in a password. I have had banks tell me that punctuation is not allowed in passwords.

        Some require uppercase, lowercase and numbers.
        Some require specific complexity; most do not
        Some require a symbol.
        Some don't allow a symbol.
        Some require at least 8 characters.
        Some allow at most 8 characters.

        Really, it's just stupid. Until some standards body issues requirements in internet password practices that financial institutions

    • by s7uar7 (746699)
      At least read the summary, if to TFA! How will that help against phishing and keyloggers?
    • by Nerdfest (867930) on Monday July 13, 2009 @10:55AM (#28676403)
      Slashdot is an excellent source of many of these sentences, as with spelling mistakes they're even harder to brute-force.
    • by Looce (1062620) *

      So, uh... passphrases?

    • They'd also have to be a pretty good typist, since they can't see what they've typed. Plus, the password box doesn't visibly change to reflect the extra keystrokes after it's full, so you can't tell if you hit an extra letter. If you only get 3 tries before your account locks out, this might not be a very good idea.

      Then of course most passwords can't be longer than a certain length, which the other reply already mentioned.

    • by goombah99 (560566)

      I agree, except to improve upon this, you can just use the first few letters of each word, or even just the first letter.

      this keeps the passwords reasonably short which is good both for typing quickly (and from just finger muscle memory) as well as being better in cases where passwords are truncated by the system inuse.

      moreover, beyond the first few letters the entropy added by the remaining letters is dropping swiftly so they add less protection if someone know you are using whole words.

      Additionally if you

    • by furby076 (1461805)
      1) The application can only handle X amount of characters where X is less then the sentence
      2) You need to have symbols in there (e.g. '*')
      3) You need to change this once per month
      4) You have multiple systems which require passwords
      5) Passwords may not be repeated

      All of this = reasons why your password method may not be the best.

      There is a reason why ma-bell made phone numbers seven digits long and it's not because ma-bell anticipated the need to use every 10 million number combinations...it's beca
    • You should set your password to,

      I am a pedophile and this encrypted partition contains my child pornography.

      That way, if a court orders you to reveal your password, you can plead the 5th Amendment.

        -- 77IM

      PS. I am not a pedophile, and my encrypted partition no child pornography, just pirated movies and TV shows.

  • Simple solution (Score:4, Insightful)

    by L4t3r4lu5 (1216702) on Monday July 13, 2009 @10:49AM (#28676301)
    Biometric authentication.

    No problems there! [bbc.co.uk]
    • by HogGeek (456673)

      I've often thought about this, and my only concern would be:

      If one works with, or has access to "truly useful" (read highly "valuable") data, then one is subjecting ones self to losing a digit (or eye, or something) :-)

    • Re:Simple solution (Score:4, Insightful)

      by Itninja (937614) on Monday July 13, 2009 @11:13AM (#28676763) Homepage
      Biometrics are not as bullet-proof as many people think. With many fingerprint scanners, for example, one can fool them with little more than a xerox copy of the needed fingerprint. I am more of an advocate of three factor security, instead of just trading one single-factor method for another.

      We should have biometrics, passwords, and proximity smartcards.
    • Re: (Score:3, Informative)

      by caseih (160668)

      In a word, no. Biometrics is only a part of identifying someone and controlling access. In essence, classic security thought says that there are three things to authorizing and authenticating a principal:
      1. Something you are
      2. Something you have
      3. Something you know

      So if biometrics provided #1, a smart card could be #2, and a password could be #3.

      I've known of several high-security installations that required all three things. A thumb print, the smart card, and a passphrase (or passcode) to go through a

  • by Anonymous Coward on Monday July 13, 2009 @10:49AM (#28676303)

    So because something that's good against brute-force attacks, but isn't against phishing and keyloggers, we should stop doing that? Phishing and keylogging are a result of strong passwords. So you need to implement adequate measures against those instead of saying strong passwords are useless.

    If users have a hard time remembering their passwords, train them in it. Using phrases from which you take letters of which some are substituted with letters are very easy to remember for a user, yet very hard to bruteforce because you can make them quite long easily.

    • by Anonymous Coward on Monday July 13, 2009 @10:52AM (#28676341)

      Exactly.

      the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped. They make things hard on users, but are useless against phishing and keyloggers.

      It's like saying that the locks on our doors aren't good enough anymore because people are breaking into our windows -- so we should stop locking our doors? Doesn't make sense either.

      • by maxume (22995) on Monday July 13, 2009 @10:58AM (#28676479)

        It's more like pointing out that a $25 lock is probably sufficient for a house with 25 glass windows (as opposed to a $100 lock).

      • by nelsonal (549144)
        I knew a guy with an old convertible soft top who generally left the top down, since if a thief wanted the radio/valuables in the glovebox etc, he was going to get it anyway and that saved him a slashed soft top (which aren't cheap to replace). You might want to leave your doors unlocked if you're regularly replacing windows that get broken.
      • by itsdapead (734413) on Monday July 13, 2009 @12:05PM (#28677663)

        It's like saying that the locks on our doors aren't good enough anymore because people are breaking into our windows -- so we should stop locking our doors?

        More along the lines of: there ain't no sense in fitting a steel door if you live in a tent.

        The main purpose of most door locks is not to stop determined people getting in at all, but to ensure that they have to break something in order to do so and can't claim some innocent excuse.

        Its probably better to regard most user-level, non-banking passwords in much the same way, and concentrate on protecting the really sensitive stuff.

        Also, apart from the "long passwords encourage writing down" issue, long passwords + frequent forced changes = more forgotten passwords = more demands on support staff to reset passwords = less scrutiny of reset requests.

      • Re: (Score:3, Insightful)

        by tehdaemon (753808)

        If you have to break your own windows to get in about once a month - because your ridiculously complicated lock keeps locking you out - and it takes a week to replace those windows - then you probably need a simpler/less 'secure' lock. You might even be better off without a lock....

        T

  • News for who? (Score:2, Redundant)

    by wcrowe (94389)

    ...but are useless against phishing and keyloggers....

    No kidding. Here's another news flash for you, computers do not run on magic crystals.

  • Sounds dumb to me (Score:3, Insightful)

    by drinkypoo (153816) <martin.espinoza@gmail.com> on Monday July 13, 2009 @10:52AM (#28676343) Homepage Journal

    But maybe it's just the summary? I'll go RTFA right after this, or at least skim it. But since phishing and keyloggers are only two threats, and people can still guess passwords (or brute-force them) I think I'll keep using randomly generated passwords.

    "Wrote a piece" apparently means "wrote a sentence" because all Bruce said about the paper is that it was "Interesting", then he C&P'd the abstract. Why not link directly?

    Okay, I read the first page of the paper and they say you only need about 20 bits of password so long as there is a three strikes policy in place. However, this ignores the type of attack where a remote hole allows retrieval of a file, and that hole is used to retrieve the password list. There are also other attacks which would allow one to get ahold of your encrypted password, not least by sniffing, which can then be brute-forced without having to worry about three-strikes policies.

    In other words, keep your complicated passwords, they are still necessary to defeat dictionary attacks. Security is not something you can buy in the store, it is a mindset that you must adopt. The more factors of security, the better. If you can't memorize a complex password after using it twenty or thirty times, you should start playing memory games or something. Even I can do that and my memory is poor enough to be a liability (and always has been since childhood.) We're all different and excel in different ways, but you owe it to yourself to sharpen certain skills.

    I guess the bottom line is that I'd be concerned about employing someone who can't remember a password. You write it down until you memorize it, you treat that piece of paper as precious and secret, you burn it and scatter the ashes (or eat it, or whatever) when you no longer need it. It shouldn't be that difficult for a modern human who can understand how to operate a computer.

  • My password (Score:5, Funny)

    by Rik Sweeney (471717) on Monday July 13, 2009 @10:56AM (#28676421) Homepage

    I sometimes set my password to ******** It sounds stupid but it has two advantages:

    1. I know that I've typed in a * because I can see it

    and, most importantly

    2. When I have to repeat my password to confirm it, I can just copy and paste the previous field, saving me literally seconds of typing

  • The summary is missing an important point. The article suggests that weak passwords can be made secure by limiting the number of guesses allowed using a three strikes rule.

    However, this solution has some problems. If any old password is allowed, there are 10-20 passwords which are most commonly chosen by all users. These are still likely to be guessed by an automated guessing system.

    Also, the three strikes rule can be circumvented by using a botnet based attack. A botnet of 50,000 nodes would be allowed 150

  • by Lendrick (314723) on Monday July 13, 2009 @10:57AM (#28676439) Homepage Journal

    I signed up for a forum a couple of weeks ago. I used the same generic password that I use for every other throw-away site out there, so it's easy to remember the damn thing. When I clicked submit, I got an error message telling me that my password needs a number in it. So I append a '1' on the end to satisfy the filter, and click submit again. I get *another* error message telling me that it needs to be mixed case, so I capitalized the first letter. Now I'll forget the password and never be able to guess the damn thing again, so the next time I want to log in to whatever forum this was, I'll need it to send me an email with a reminder.

    It would be really nice if they'd just turn those damn filters off. This forum site isn't a bank. I couldn't give two shits if someone hacks my account there, not that my regular password is particularly guessable anyway. Seriously, I my password to your dipshit forum shouldn't have to contain mixed case, three numbers, nine punctuation marks, Egyptian fucking hieroglyphs, and that goddamn symbol the artist formerly known as Prince uses. Failing that, it would be nice if they at least provided some instructions with the password box that say something to the point of "Capitalize the first letter of your generic password and append a 1."

    [/rant]

    • Re: (Score:3, Insightful)

      by tehdaemon (753808)
      You may not care if you account is compromised, but the forum may not want the flood of spam/crap that could result. I can't say for sure - but I wouldn't be surprised if this was the logic behind it.

      T

  • Like the paper says userids aren't secrets but non-secret userids make spam easier. Many companies use initial + last name as the user id: eg jsmith. If they also added a random 4 digit number: eg jsmith1234. It would make guessing userids harder for spam. And make unauthorized login attempts harder.

  • When a company makes the requirements so difficult. For example: Symbol, plus one caps, plus one lowercase, plus one number, and at least 8 characters, changed every month and never being able to repeat. Then this policy is applied to every system, which if they are not all AD (active directory) controlled means someone has to remember multiple passwords each month.

    What happens? People WILL use post-it-notes with their passwords. Security can bitch and moan all they want about this but the alternative
  • Defense-in-depth (Score:3, Interesting)

    by Rennt (582550) on Monday July 13, 2009 @11:00AM (#28676519)
    From the article:

    Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place.

    This may be statistically true, but isn't it missing the point of defense-in-depth? Why rely on three-strikes to catch brute force attempts, when you can also have a password that resists brute force in the first place.

  • Really, your password has to be two things: unguessable and unique. Unguessable in that no one can read a quick bio of you and start hammering out children's names or birthplaces and unique in that you're not sharing the same password across multiple hosts. That being said, I use the PC Tools Password [pctools.com] tool to generate my passwords. However, this introduces a whole new problem as I now have to maintain and secure a file containing all of these impossible-to-remember passwords that represents the keys to m
  • Best Practices (Score:5, Insightful)

    by Rob the Bold (788862) on Monday July 13, 2009 @11:03AM (#28676565)

    According to the article (cited by the citation):"Users are frequently reminded of the risks: the popular press often reports on the dangers of ïnancial fraud and identity theft, and most ïnancial institutions have security sections on their web-sites which oïer advice on detecting fraud and good password practices. As to password practices traditionally users have been advised to . . . "

    -Choose strong passwords

    -Change their passwords frequently

    -Never write their passwords down

    I would suggest that this is a case for the popular quip: "Pick two".

  • Well, if I'm signing up for a forum or some free email account somewhere, I don't need industrial-grade uncrackable password. Actually, if my password gets cracked, big deal. It's just come crappy account somewhere. I just love signing up for something because I want to ask a question, and the system refuses my password because it doesn't have two symbols, a mix of uppercase and lowercase, and two different numbers. Oh, Jip*4&nv4X isn't a good password, nix on that! And by the way, here's a brand-n
  • A strong password is a good thing to protect your front door. Of course it is useless if you tell it everybody (phishing) or if you install password logging tools to tell the password a special group of people. But that has nothing to do with the password, it has to do with human behavior. A strong password is good, but it is useless without other security measures. This is no surprise. I hear the loud noise of a rice sack falling over. If I am not mistaken, it comes form China.

  • by Opportunist (166417) on Monday July 13, 2009 @11:25AM (#28676999)

    Nobody brute forces anymore. Nobody. Any sensible password challenge/response system (I doubt there is such a thing if it relies only on that, but I ramble...) will lock you out and disable the account after so many tries, and usually the amount of tries is far lower than the threshold where guessing yields a meaningful chance to succeed. If it doesn't, steer clear of such a system altogether, if it doesn't come up with one of the simplest security "features", it probably is hellish insecure altogether.

    Take, just for example, various game account or freemail system that let you retry infinitly, because their support would be flooded if they locked you out after 3 tries. Yes, you could keep guessing. And probably it is done. So a "strong" password means more security. Usually, no. Because they invariably also feature some braindead password recovery feature (ya know, the supersecret questions like "what was the name of your pet dog", again with infinite tries) that is usually even easier to defeat than the password guessing game.

    You can, essentially, really go back to "12345" style passwords. There are way more than three possible easy to remember passwords, from birthdays to loved ones' names to even your CC pin number, and three being the usual number of retries before lockout. And without lockouts, the average "guess-hacker" won't go for your password. They go for the other venues that are usually far easier to break.

    • Re: (Score:3, Insightful)

      But then if you allow trivially simple passwords, but have thousands of login names in your system, then you pick a single common password and try it with a dictionary attack against every user instead...
  • Multiple Systems (Score:3, Insightful)

    by woodchip (611770) on Monday July 13, 2009 @11:37AM (#28677227)
    An other hurdle to usability is when you have multiple systems at work place that require a rotating complex password where you can't remember what password belongs to what system. Where I use to work we would have a password for the NT/domain PC login, and a password for the UNIX terminal thing everyone had to log into do anything. And withing the software on the UNIX terminal they used, for certain subsystems there was "shared" passwords that never changed, while remembered, they was still semi-complex, e.g. real word that substitutes a couple numbers for letters. I counted once, I had to know 25 different passwords, two-personal, and two "shared" to do my job, and I wasn't even working in a IT or IT-like postion.
  • yup (Score:3, Interesting)

    by Thaelon (250687) on Monday July 13, 2009 @11:47AM (#28677367)

    They make things hard on users, but are useless against phishing and keyloggers.

    Forcing users to change passwords does nothing against keyloggers either. But it definitely makes it easier to tell when a user has changed their password.

    They'll type the current known password, then tab or click, then type some new cryptic garbage, then tab or click, then the same cryptic garbage.

    But the worst possible password constraint I can think of is limiting the maximum number of allowed characters. I can think of absolutely no good reason for this restriction, yet large companies, such as Cedar Point's online reservation system posses this restriction.

  • threat model (Score:4, Insightful)

    by Tom (822) on Monday July 13, 2009 @11:48AM (#28677381) Homepage Journal

    As all things in security, it's not black and white.

    What exactly does "strong" mean? That's the important password.

    In most circumstances, your threat model why you need a "strong" password is password guessing. It is rarely an actual brute-force attack, because most systems these days prevent a brute-force attack (e.g. they lock you out or reset your password to a random one that they send you per mail if you try it more than X times).

    If your threat model does not include brute-force attacks, what you need is a "difficult to guess" password. That means you don't use "password" or "secret" and you don't use your own name, the name of your significant other or dog, your birthday and so on.

    And that's all there is to it, really. All the bullshit about using numbers, special characters, etc. is just that - bullshit. It's defense against a threat that's not important anymore.

    IANAL, but I am a security professional. Most of my passwords contain no numbers, and where the systems enforce them, there's usually a single number at the end or beginning. But I can type all my passwords in about a second on a standard keyboard. That makes shoulder-surfing a lot more difficult. In fact, I can make fairly good guesses at most "hunt and peck" people's passwords when I watch them type it in from across a small room. And the more difficult it is, the longer it takes them to type it in, and the easier it is for me to spot it.

    So it all depends on your threat model, as always. Know what you need to defend against, and you'll have a pretty good idea of how you need to defend.

  • by Todd Knarr (15451) on Monday July 13, 2009 @11:53AM (#28677469) Homepage

    Conventional "strong" passwords protect against someone trying to guess or brute-force the password. They're really good at this.

    The problem is, few attackers try to guess or brute-force passwords anymore. It's too time-consuming and too readily detected. Most of them will try to get you to tell them the password by one means or another. Phishing e-mails, keyloggers, traffic sniffing, man-in-the-middle attacks, the whole point of all of them's to get your password directly without having to figure out what it is. And against that sort of attack, "secret" is precisely, exactly as secure as "wkL3jfo*Zle". To guard against those attacks you need to strengthen things other than the password itself. And part of what you have to harden against attack is the user themselves, which makes it unlikely you'll succeed.

  • you know (Score:3, Insightful)

    by nomadic (141991) <nomadicworld&gmail,com> on Monday July 13, 2009 @12:14PM (#28677847) Homepage
    What annoys me is when the security people demand passwords that are, in terms of strength, way out of proportion to the data they protect.

    My bank password? Yes, that should be strong. The forum where I go for auto repair advice? No, I shouldn't have to memorize an 8 character password with at least one upper case, one number, and one symbol character.

If a subordinate asks you a pertinent question, look at him as if he had lost his senses. When he looks down, paraphrase the question back at him.

Working...