Please Do Not Change Your Password
cxbrx writes "Mark Pothier's Boston Globe article, 'Please do not change your password,' covers a paper by Microsoft Researcher Cormac Herley, 'So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users,' from the 2009 New Security Paradigms Workshop. Herley argues 'that user's rejection of the security advice they receive is entirely rational from an economic perspective.' Herley discusses 'password rules,' 'teaching users to recognize phishing sites by reading URLs,' and 'certificate errors.' Users obviously choose bad passwords, but does password aging actually help? There was some discussion on TechRepublic. I'm especially interested in hearing about studies about password aging."
Re:Please let me use the same password (Score:1, Informative)
Pretend it would take about two months of processing time for a computer or cluster of computers to crack your 16 character length password with symbols, uppercase, lowercase and numbers. Now imagine that if your password were to be changed every month that the two month duration attempt to crack the password is useless since the password has changed and another two month attempt would have to be initiated.
Re:Password aging isn't in touch with the real wor (Score:3, Informative)
Dupe! (Score:3, Informative)
Less than a month ago. http://news.slashdot.org/story/10/03/16/1931214/Users-Rejecting-Security-Advice-Considered-Rational [slashdot.org]
Kudos to the /. editors for cutting way down on the number of dupes and summary-contradicts-article stories over the past couple of years, but they're certainly not eradicated. Maybe dupe-checking should be part of slashcode--an automatic search for links and link titles that the editor (or submitter?) has to at least scroll past to post.
Re:Please let me use the same password (Score:2, Informative)
Find a scheme, like: if it is October 2010, make your password
11Nov2010Ber!!
If it is December:
12Dec2010Ber!! etc.
Passwords that have rationale behind them are very easy to remember, can be very complex and sometimes easy to type.
Re:Subject-verb agreement (Score:3, Informative)
It's called singular they [wikipedia.org], and its usage is debated. Shakespeare and Jane Austen can't be that wrong.
Re:The best password is: (Score:5, Informative)
Re:Benefits? (Score:1, Informative)
Well here, let me explain it to you.
If I steal a big password file full of hashes, it is going to take me quite a while to break them assuming some strong security measures are in place. In fact, you can calculate how long it will take to break a user's password. Most NTLM hashes of a reasonable length take at least several days, if not weeks, to crack. Now, if the password never changes, an attacker can wait as long as he needs until Cain or John breaks the password, and when it does, he's good to go. If you force a user to change his password before the attacker can crack it, it doesn't matter if he breaks the hash or not. The goal of the good guys is to make it so that the password expiration timer is short enough that an attacker has a small probability of cracking the password before it needs to be changed.
This policy is not in place for when a password is stolen, it is in place for when a hash is stolen. Letting a password persist forever isn't terribly bright.
Hope this cleared things up.
Re:Subject-verb agreement (Score:3, Informative)
Perhaps you should take your own advice, and find out what "subject-verb agreement" means? Neither "user" nor "they" is a verb or a subject, so I'm not sure how subject-verb agreement could be relevant here.
If you meant "pronoun agreement," you're still wrong. "They" agrees perfectly with a singular noun of indeterminate gender.
Re:Please let me use the same password (Score:5, Informative)
And don't forget the arbitrary rules put in place to ensure "strong" passwords - with each ruleset being different depending on the environment or portal being secured. My personal favourite: "No repeating characters allowed." Super idea! Let's force users to weaken their passwords by eliminating the possibility of duplicate characters in strategic locations.
Indeed. Similar to the Enigma: http://en.wikipedia.org/wiki/Enigma_machine [wikipedia.org]
Where a misguided decision was taken to never let a character be encoded to itself. This actually weakened the cypher: http://en.wikipedia.org/wiki/Cryptanalysis_of_the_Enigma [wikipedia.org]
Re:Please let me use the same password (Score:5, Informative)
Password aging and "Shared" accounts (Score:3, Informative)
One of my reporting users had direct SQL access to a replicated and sanitized (no sensitive data) copy of our Database. He is an advanced user with plenty of reporting knowledge and we required ad-hoc reporting that did not damage/slow production.
During a security audit, I was required to expire his password.
The next day we had 9 tickets from 9 different users: "My access was taken away."
Re:It's a design problem. (Score:1, Informative)
We used to at Sun. The employee badge was a smart card that you could use in any SunRay in any Sun office worldwide, as well as to enter said offices.
Re:Bad argument (Score:3, Informative)
Ah, but people inevitably give their password to a co-worker who then gets fired. The 2 month rule takes care of that situation.
Annoying 100% of your workforce with stupid rules that hurt security more than they help it is an excellent way to shore up failing internal procedures. I'm equally sure most people who get fired will wait a month on average before doing something rash in a fit of anger.
Actually, the reasoning behind most password aging rules is pretty sad. To quote http://rusecure.rutgers.edu/content/password-aging [rutgers.edu] (Rutgers uni) on password aging reasons:
"So why do people suggest aging passwords? Because they have nothing else they can suggest! Password aging is a feel-good response to threats you have no control over. Unfortunately it annoys the users and often makes them select passwords which are far easier to compromise. You are better off forcing your users to choose a very complex password (or better yet a pass phrase) of at least 12 characters which includes 3 character classes. That pretty much eliminates the guessing problem and makes voluntary sharing a little less convenient."
I wholeheartedly agree with that.
Re:Please let me use the same password (Score:3, Informative)
There are 22 printable symbols on a standard keyboard, not 12: `~!@#$%^&*()-_=+[{]}\|;:'",<.>/?
Also, there should be 74^16 (8.09 * 10^29) combinations with 12 symbols (not 76^16), or 84^16 (6.14 * 10^33) using all symbols. Still far more than anyone could expect to test, of course—though other weaknesses could save an attacker the trouble of brute-forcing every single combination. For example, many common systems use hashes much weaker than MD5.
Re:Post-it Note passwords (Score:3, Informative)
There is one thing worse than a bad password, and that is one that needs to be written down on a post-it note.
Bruce Schneier* disagrees with you. [schneier.com] (About writing down passwords in general, not post-it notes in particular.)
We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.
Re:Please let me use the same password (Score:3, Informative)
Even if it is a hash, the old UNIX crypt(3C) function only hashed the first 8 characters. So you could have what you thought was an arbitrarily-long password, but an attacker only needed to go after the first 8 characters.
If you were using the presumed length to use an English phrase (for example), you could wind up with a very weak password. "passwordisreallylongsoimsafe" would be unlocked with "password", which is fairly early in the dictionary attacks I've seen.
I normally think it's acceptable to trade entropy density for memorability: English is fairly low entropy, but I can remember a 12-word passphrase without too much trouble, so the total entropy is OK compared to a line-noise 8 character string. But that requires the hashing functions work with the complete input; so on systems which still use crypt(3C) or something like it, I go with the line-noise.
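The truncation failure mode described in this post, as an added example that is not part of the thread: a hasher that silently ignores everything after the eighth character accepts the dictionary word the passphrase starts with, and a policy check that wants to catch this has to audit the prefix that is actually hashed rather than the length the user typed. The truncating hasher here is a stand-in (SHA-256 over the 8-character prefix) that reproduces the truncation only, not the DES-based crypt(3C) algorithm itself; the wordlist is a constructed toy.

```python
"""
Added example, not from the thread: a model of the crypt(3C) failure mode
described above, in which only the first 8 characters of a password take part
in the hash.  The truncating hasher below is a stand-in (SHA-256 over the
8-character prefix) that reproduces the truncation, not the DES-based
algorithm crypt(3C) actually used.  The wordlist is a constructed toy.
"""
import hashlib
import hmac
from typing import Optional

TRUNCATE_AT = 8  # crypt(3C) only looked at the first 8 characters

# Constructed toy wordlist standing in for the front of a real dictionary file.
WORDLIST = {"password", "letmein", "welcome", "qwerty", "baseball", "football"}


def truncating_hash(password: str) -> str:
    """Model of a legacy hasher: everything after character 8 is silently ignored."""
    return hashlib.sha256(password[:TRUNCATE_AT].encode()).hexdigest()


def full_hash(password: str) -> str:
    """Hasher that consumes the whole input, as modern crypt algorithms do."""
    return hashlib.sha256(password.encode()).hexdigest()


def verify(stored: str, candidate: str, hasher) -> bool:
    """Constant-time comparison of a candidate against a stored digest."""
    return hmac.compare_digest(stored, hasher(candidate))


def effective_secret(password: str) -> str:
    """The part of the password an attacker actually has to recover on a truncating backend."""
    return password[:TRUNCATE_AT]


def audit_truncated_prefix(password: str, wordlist) -> Optional[str]:
    """Return the dictionary word the hashed prefix collapses to, if any.

    A policy check on a truncating backend must examine the prefix that is
    really hashed, not the full string the user typed.
    """
    prefix = effective_secret(password).strip().lower()
    return prefix if prefix in wordlist else None


def main() -> None:
    long_pw = "passwordisreallylongsoimsafe"  # the example from the post
    stored_legacy = truncating_hash(long_pw)
    stored_modern = full_hash(long_pw)
    print("legacy accepts 'password':", verify(stored_legacy, "password", truncating_hash))
    print("modern accepts 'password':", verify(stored_modern, "password", full_hash))
    for pw in (long_pw, "correct horse battery staple", "Tr0ub4d0r&3"):
        hit = audit_truncated_prefix(pw, WORDLIST)
        verdict = f"REJECT, prefix is dictionary word {hit!r}" if hit else "prefix not in wordlist"
        print(f"{pw!r:34} hashed as {effective_secret(pw)!r}: {verdict}")


if __name__ == "__main__":
    main()
```

Note that `audit_truncated_prefix` only catches the exact-word case the post describes; a prefix that is a truncated word ("correct " from "correct horse battery staple") passes this check but still has far less entropy than the full phrase, which is the poster's reason for falling back to a random 8-character string on such systems.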
Re:Please let me use the same password (Score:3, Informative)
So you are safe, unless the former coworker is quick enough to do his damage before the password expires. Fortunately, he wouldn't know when that is. Oh wait...he would.
The question should be asked: *How* did that former coworker get the password? From a sticky note on someone's computer because they kept forgetting their latest password, perhaps?
Re:Please let me use the same password (Score:5, Informative)
Amusingly enough, they learned quickly not to bother with rank and file employees. Most of those folks were aware that they would be out the door if they were stupid enough to hand over a login and password to a voice on the phone, but managers always seemed to think they were too important to be fired, so too important to have to pay attention to minor issues like security policies.