Please Do Not Change Your Password

cxbrx writes "Mark Pothier's Boston Globe article, 'Please do not change your password,' covers a paper by Microsoft Researcher Cormac Herley, 'So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users,' from the 2009 New Security Paradigms Workshop. Herley argues 'that user's rejection of the security advice they receive is entirely rational from an economic perspective.' Herley discusses 'password rules,' 'teaching users to recognize phishing sites by reading URLs,' and 'certificate errors.' Users obviously choose bad passwords, but does password aging actually help? There was some discussion on TechRepublic. I'm especially interested in hearing about studies about password aging."

The best password is:

[Anonymous Coward]

hunter2

Totally in time.

[Anonymous Coward]

"Change your passwords and be rooted." -- JIRA attackers.

Re:Please let me use the same password

[oldspewey]

What a waste of a perfectly good pretend. No thanks, I'm going to pretend I'm on a white sand beach in Thailand, gentle waves lapping at the nearby shoreline, while I sip gin tonics and a dainty masseuse massages my pale white calves.

Re:Please let me use the same password

[ColdWetDog]

Here's a nice argument to beat the Password Police over the head with (from TFA):

In the paper, Herley describes an admittedly crude economic analysis to determine the value of user time. He calculated that if the approximately 200 million US adults who go online earned twice the minimum wage, a minute of their time each day equals about $16 billion a year. Therefore, for any security measure to be justified, each minute users are asked to spend on it daily should reduce the harm they are exposed to by $16 billion annually. It's a high hurdle to clear.

Hey, I make more than double the minimum wage! Yeah, no more passwords for me!!!!

Oops. I'm salaried. Shit.

i need an example

[fattmatt]

Could someone post an actual stong password you have in use?

Re:The best password is:

[bluefoxlucid]

Yeah, when you type it you'll see 'hunter2', and when I copy/paste it you'll see 'hunter2', but all I see is *******

Re:Please let me use the same password

[Shakrai]

Am I mistaken?

Please provide me with your social security number, birthday and mailing address so that I may answer your question.

Re:Post-it Note passwords

[cheeks5965]

uhh... an exponential curve keeps going up. there's no maximum, no dropping down to zero. Perhaps you're thinking of a bell curve? Feel free to mod this comment down because it provides no useful content and is just kind of snarky. In fact, I should just hit the cancel button instead of the preview/submit buttons. oops...

Re:Password aging isn't in touch with the real wor

[Starteck81]

I often tell people at work I'll be adding a squirrel noise requirement to the password policy next month. I always expect them to laugh but they usually just have a horrified look on their face that reads something like 'you can do that?'. I then have to clam them down and tell them I'm only kidding.

Username: TheFonz

[poptones]

Password: Aaaaaayyy

Re:Password aging isn't in touch with the real wor

[NeoSkandranon]

Man, I just looked down at my kb thinking you had a good idea, then was REALLY confused for a minute.

Then I remembered I'd messed the keys around to fuck with people who looked over my shoulder.

Re:Please fix your systems!

[Benzido]

Better yet, change your password to "do you have a pen?" and then call your IT person to say that you've forgotten what your password is.

Re:Please let me use the same password

[FictionPimp]

Todd Davis 457-55-5462 .....

Re:Please let me use the same password

[Real1tyCzech]

"(dramatic voice)
Welcome to the world of tomorrow!"

You forgot:

"Brought to you Today!"

Re:Please let me use the same password

[PPH]

Or ex-wife.

Complex and expiring passwords are a GOOD thing

[_bug_]

The biggest problem with password security is user education.

USER. EDUCATION.

Forget the WHY password complexity and expiring passwords is important; end-users don't care about that.

Educate end-users on how to make passwords that are complex and easy to remember. Such a thing IS possible. For example teach users to pick a phrase or sentence and type that in, replacing all the instances of the letter E with the number 3 and to capitalize all vowels. All the user needs to remember is the phrase and the rules to make it complex. And the phrase can be something VERY easy to remember like "my daughter was born in march" which turns into "mydAught3rwAsbOrnInmArch". Maybe you leave the spaces in. Maybe you change A to 4 or L to 1. Whatever the user wants.

It produces a complex, easy to remember password.

Re:Password aging does *not* help

[Anonymous Coward]

OK, but if you wanted a really strong password you wouldn't truncate the decimals.

Re:The best password is:

[Anonymous Coward]

Oh great. Now that you've revealed your password, anybody will be able to post as Anonymous Coward.

On password aging...

[know1]

As somebody whose girlfriend recently changed her password, let me say it does have an effect.

Re:i need an example

[Cro Magnon]

My password is ********

Re:Post-it Note passwords

[UnknowingFool]

I used to work a government facility that had really steep requirements:

"Passwords must be at least 15 characters long and be a combination of lowercase, uppercase, numerals, special characters, and at least one hieroglyph from the following languages: Aztec, Egyptian, or Mayan."

I would have written down my passwords but I can't draw that well. "Is this a stork, Anubis, or a hippo?"

They also had armed security guards wandering the halls. You had 3 chances to get the password right or they would send in the guards to blindfold you and take you away to be "liberated."

Re:The best password is:

[billcopc]

For those of you who didn't know where the hunter2 joke was from, get off mah interwebs.

Hilarious

[richozer]

The very next story on Slashdot is "Apache Foundation Attacked, Passwords Stolen". I think the answer is "yes", password aging makes lots of sense.

Re:ROFL

[Anonymous Coward]

Depending on who you believe (in), the Pope might need the refresher.

Re:The best password is:

[dudpixel]

I get tired of changing passwords because I tend to forget the new one. I'd rather just keep it. For crucial things like banking or stocks, then I'll use a separate unique PASS and then lock it in a safe for future referral.

I know.