Please Do Not Change Your Password 497
cxbrx writes "Mark Pothier's Boston Globe article, 'Please do not change your password,' covers a paper by Microsoft Researcher Cormac Herley, 'So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users,' from the 2009 New Security Paradigms Workshop. Herley argues 'that user's rejection of the security advice they receive is entirely rational from an economic perspective.' Herley discusses 'password rules,' 'teaching users to recognize phishing sites by reading URLs,' and 'certificate errors.' Users obviously choose bad passwords, but does password aging actually help? There was some discussion on TechRepublic. I'm especially interested in hearing about studies about password aging."
The best password is: (Score:5, Funny)
hunter2
Re:The best password is: (Score:5, Funny)
Re:The best password is: (Score:5, Informative)
Re: (Score:3, Funny)
For those of you who didn't know where the hunter2 joke was from, get off mah interwebs.
Re: (Score:3, Funny)
I get tired of changing passwords because I tend to forget the new one. I'd rather just keep it. For crucial things like banking or stocks, then I'll use a separate unique PASS and then lock it in a safe for future referral.
I know.
Re: (Score:3, Funny)
Oh great. Now that you've revealed your password, anybody will be able to post as Anonymous Coward.
Please let me use the same password (Score:5, Insightful)
We have a password expiration policy at my work. Every time I change my password I have to memorize a new one. So I pick a password that's easy to remember, as such it's also easy to guess. If I could just memorize a password once, and keep it forever I'd be using a password that's essentially random. This policy is nonsense.
Re:Please let me use the same password (Score:5, Insightful)
Re: (Score:2, Funny)
Re:Please let me use the same password (Score:5, Insightful)
There are two sides to a risk analysis, the probabilities and the values being risked. People will play the lottery even when they don't have a reasonable chance, because the thing being risked is not that valuable. But they are not willing to risk their life savings when the odds are slightly in their favor, because they can't repeat the bet 100 times to try and come out ahead on average.
If I'm the owner of a business, and I'm paying my employees X time the minimum wage, and a breach costs me Y dollars, I can live with the math. But if there's even a small chance that a breach will cause the death of my business, then I'm willing to have my employees spend "more than it's worth".
Username: TheFonz (Score:5, Funny)
Re:Please let me use the same password (Score:5, Informative)
And don't forget the arbitrary rules put in place to ensure "strong" passwords - with each ruleset being different depending on the environment or portal being secured. My personal favourite: "No repeating characters allowed." Super idea! Let's force users to weaken their passwords by eliminating the possibility of duplicate characters in strategic locations.
Indeed. Similar to the Enigma: http://en.wikipedia.org/wiki/Enigma_machine [wikipedia.org]
Where a misguided decision was taken to never let a character be encoded to itself. This actually weakened the cypher: http://en.wikipedia.org/wiki/Cryptanalysis_of_the_Enigma [wikipedia.org]
Re:Please let me use the same password (Score:5, Interesting)
Actually the Enigma is a good example of how a system is weakened by its users. Yes the cipher had weaknesses such as never encoding a character to itself and that the rotors were in alphabetic order rather than randomized. But the main weakness was the users and the Allies exploited that.
The machine itself had a number of settings. With all these settings, the Enigma messages could have daily and message specific settings. For the Army and Luftwaffe, it was left up to the operator to set them. Unfortunately, some operators were lazy and re-used settings. Also the German military had a habit of re-sending the same messages again and again for propaganda, morale, etc.
The German Navy was much more disciplined. They issued code books that specified many of the settings per day. These settings were much more randomized. These code books were printed on specialized paper that would disintegrate in contact with water. This system was much more secure until the Allies captured some code books when they captured a German vessel. The procedure was the captain was to destroy the code books by tossing them into sea. The captain of a disabled vessel abandoned it only to return to retrieve his personal effects rather than destroy the books.
Re:Please let me use the same password (Score:5, Insightful)
My favorite is "password may be no longer than X characters" - why arbitrarily limit the length of them? It's especially great when X is something small like 4 (pin #s) or 8.
Re: (Score:3, Insightful)
The thing that worries me most about that is that it seems to indicate that they're storing the passwords plain text rather than hashing them, so they're limited to whatever field width the DB designer pulled out of his ass that day.
Re: (Score:3, Informative)
Even if it is a hash, the old UNIX crypt(3C) function only hashed the first 8 characters. So you could have what you thought was an arbitrarily-long password, but an attacker only needed to go after the first 8 characters.
If you were using the presumed length to use an English phrase (for example), you could wind up with a very weak password. "passwordisreallylongsoimsafe" would be unlocked with "password", which is fairly early in the dictionary attacks I've seen.
I normally think it's acceptable to trade
Re:Please let me use the same password (Score:5, Insightful)
We have a password expiration policy at my work. Every time I change my password I have to memorize a new one. So I pick a password that's easy to remember, as such it's also easy to guess. If I could just memorize a password once, and keep it forever I'd be using a password that's essentially random. This policy is nonsense.
Password rotation doesn't help with hackers, but it helps when a coworker learns what your password is.
Re: (Score:3, Insightful)
Mod this up - this is especially relevant when it's a former coworker.
Re:Please let me use the same password (Score:5, Funny)
Or ex-wife.
Re: (Score:3, Informative)
So you are safe, unless the former coworker is quick enough to do his damage before the password expires. Fortunately, he wouldn't know when that is. Oh wait...he would.
The question should be asked: *How* did that former coworker get the password? From a sticky note on someone's computer because they kept forgetting their latest password, perhaps?
Re:Please let me use the same password (Score:5, Insightful)
What is might do is limit exposure. Suppose someone guesses a password. They are not a hacker and even having guess a password they perhaps lack priviliges to make any systemic changes given them a back door. Having a rotation policy ensures they are only reading your CEO's e-mail for 90 days rather than years undetected.
Re: (Score:2)
Agreed. Show me one user who will memorize even two strong passwords for you. The more often you force them to change it, the more simplistic they will change it to. Is this what you want?
If you're lucky, they'll just append something to the end of the old one, thus making the change pointless.
Re:Please let me use the same password (Score:5, Informative)
Re: (Score:3, Interesting)
Re: (Score:2)
It depends on where you are and what level of security you need.
Expiring passwords make sense - IF you are in a situation where you run a regular risk of passwords being exposed.
A worse problem is the fact that people use the same password for everything - bank account, hotmail, gmail, work, etc. One of them gets compromised by someone and all of a sudden their whole life is exposed.
Of course, the best way to get a user to be properly educated about securing their information is to have their identity stole
Re: (Score:2)
When a user changes their password, a post-it note goes on their monitor for weeks.
If a user picks only one password and keeps it forever, they will typically pick a stronger password, protecting against brute force dictionary attacks.
However, keeping the same password does not protect against malicious ex-employees. I know companies that do not change admin passwords, and although they are complex, previous administrators still have access to certain info if they wish.
Re: (Score:2, Informative)
find a scheme
like if it is October 2010 make your password
11Nov2010Ber!!
If it is December
12Dec2010Ber!! ect
Passwords that have rationale behind them are very easy to remember, can be very complex and sometimes easy to type.
Re:Please let me use the same password (Score:5, Insightful)
There is a flip-side to this. No matter how careful you think you are, you will one day expose your password in the clear. Once that happens you have no way of knowing if anyone was watching.
Typing a password in the wrong terminal, typing a password in the wrong web field and having it autosearch google for your password. Typing your password over a bluetooth wireless keyboard with unknown encryption. Using a telnet session, etc. Logging in using a friend or co-workers PC that may have been compromised, etc.
Because of all this, it's still a good policy to change passwords on an annual basis, with an immediate password change if you know it's been leaked.
I encourage companies to move to single sign-on, since I consider having to memorize 17 passwords for one company to be more hassle than having to change a password frequently.
Or having to change a password on a system you only login to once every 6 months, every time you login. I hate that. :)
Unfortunately, it doesn't always work out because one centralized password means you trust one department of a company with access to everything (there are workarounds for this, but still company politics gets in the way)
Re:Please let me use the same password (Score:5, Insightful)
I encourage companies to move to single sign-on, since I consider having to memorize 17 passwords for one company to be more hassle than having to change a password frequently.
Single sign-on for a single company is a great idea.
Having your work password, gmail, hotmail, bank password all be the same? BAD idea.
Re:Please let me use the same password (Score:5, Insightful)
Yes, In 2008 AD you can do granular password policies, and yes this works VERY well. Not only do I have a pile of users with 15+ characters, I have users who WANT to use these passwords.
I find that when you give the users a choice and work with them, security goes much smoother. users will always take the easiest way out, every time.
Re: (Score:3, Funny)
"(dramatic voice)
Welcome to the world of tomorrow!"
You forgot:
"Brought to you Today!"
Re: (Score:2)
From TFA:
Security professionals have no scientific
Re: (Score:3, Insightful)
> It goes into the password expiration paradigm as well, pointing out that if
> someone steals your house key, they're not going to give you time to change
> the locks; they're breaking in immediately.
Not likely. Perhaps if they pick it out of my pocket as I am getting in the car to go to work they will walk straight up to the house and let themselves in (BTW it isn't breaking if they have a key). Far more likely, though, it will take days or weeks to figure out what the key fits, get it into the h
Re: (Score:2)
Depending on how its implemented... If it's using the default options built in to active directory for instance, then the password policy only really pays lip service to security while still being extremely weak...
You might be required to use mixed case letters and numbers, and change your password every month or so... But it still doesn't stop you having weak passwords, for instance "Password1" is perfectly valid under every implementation i've seen, and when it forces you to change your password "Password
Re: (Score:3)
How to guess someone's password, in three easy steps:
1. Find out the name of their youngest non-estranged child. If there is a tie, pick the one with the shorter name. (e.g. Cody)
2. Take today's date, and subtract from it the lesser of the employee's start date, or the implementation of the password expiration policy (Apr 13th 2010 - Apr 1st 2009 = 12 months)
3. Divide the result of step 2 by the password expiration window (say 3 months)
The password is cody4
Re:Please let me use the same password (Score:5, Funny)
Re: (Score:3, Insightful)
I was under the impression that the -vast- majority of compromised passwords were due to either social engineering (Hey, this is "Bill from IT", I need your password to fix that "performance issue" you're having) or sheer neglect on the part of the the user (password on a post-it on the monitor). Am I mistaken?
Re:Please let me use the same password (Score:5, Funny)
Am I mistaken?
Please provide me with your social security number, birthday and mailing address so that I may answer your question.
Re: (Score:3, Funny)
Re: (Score:3, Insightful)
I was under the impression that the -vast- majority of compromised passwords were due to either social engineering (Hey, this is "Bill from IT", I need your password to fix that "performance issue" you're having) or sheer neglect on the part of the the user (password on a post-it on the monitor). Am I mistaken?
Scenarios like stealing passwords from post-its are certainly possible, but I'd guess as a percentage of all stolen passwords it's insignificant to being at the point of near zero. Most people don't have access to the physical space of the person they're trying to hack. I'd argue most successful password stealing is done remotely, against victims the target doesn't even know.
The big ones are going to be things like dictionary attacks against a login page where it can guess stupendously stupid/common pass
Re:Please let me use the same password (Score:5, Informative)
Amusingly enough, they learned quickly not to bother with rank and file employees. Most of those folks were aware that they would be out the door if they were stupid enough to hand over a login and password to a voice on the phone, but managers always seemed to think they were too important to be fired, so too important to have to pay attention to minor issues like security policies.
Bad argument (Score:5, Insightful)
Pretend it would take about two months of processing time for a computer or cluster of computers to crack your 16 character length password with symbols, uppercase, lowercase and numbers. Now imagine that if your password were to be changed every month that the two month duration attempt to crack the password is useless since the password has changed and another two month attempt would have to be initiated.
That is an incorrect argument made by somebody who knows nothing about statistics.
First, if the time taken to crack a password is two months, and you change your passwords every two months, then there's a 50% chance of cracking the password in the first attempt, and a 100% chance of cracking the password the second attempt. So your example doesn't work.
Now, suppose a cracker has a, say 1% chance of guessing a password per month of attempts, and is attacking, say, 10,000 accounts. On the average, the cracker will have a ten hits every month, but he will only break your account, on the average, once every 8 years. Still, that's a 12 percent chance of you getting compromised in a year, and a 6 percent chance you'll get hit in six months. So, can you reduce that 6 percent chance by changing your password every 2 months? NO. The chance that your change password moves into the window of passwords that the cracker is going to try next month is exactly equal to the chance that the password change moves the password out of the window the cracker is trying. The odds of the cracking succeeding does not change at all by password changing.
The number of passwords that the cracker guesses per month does not change.
Re: (Score:3, Insightful)
Re: (Score:3, Informative)
Ah, but people inevitably give their password to a co-worker who then gets fired. The 2 month rule takes care of that situation.
Annoying 100% of your workforce with stupid rules that hurt security more than they help it, is an excellent way to shore up failing internal procedures. I'm equally sure most people who get fired will wait a month on average before doing something rash in a fit of anger.
Actually, the reasoning behind most password aging rules is pretty sad. To quote http://rusecure.rutgers.edu/content/password-aging [rutgers.edu] (Rutgers uni) on password aging reasons:
"So why do people suggest aging passwords? Because they have nothing
Re:Please let me use the same password (Score:5, Insightful)
Pretend that if an attempt to log into his account fails three times, his account is locked and requires a new password.
Or pretend that your security system notes what IP address such failures comes from, and disables all access from that IP. Or it scores various IP connections, giving more trust to IP addresses that are successful.
Whenever I see the onus forced on users, I see people who haven't learned the wisdom of the following quote:
"I object to doing things that computers can do." - Olin Shivers
Re:Please let me use the same password (Score:4, Insightful)
A 16 character password with symbols (12), numbers (10), lowercase letters (26) and uppercase letters (26) would have 76^16 combinations. This is approximately 1.24 * 10^30th.
An MD5 hash takes 256 clock cycles in the best-case scenario (search for 256) [freepatentsonline.com], assuming no overhead. That means that we have 3.17*10^32 number of clock cycles that must be ran through in order to compute/crack every possible password in that range.
Two months is approximately (365.242199 days/year)(2/12)(24hours/day)(3600seconds/hour) = 5259488 = 5.26*10^6 seconds.
In that time, a "computer or cluster" would have to run at (3.17*10^32 cycles)/(5.26*10^6 seconds) = 6.03 * 10^25 Hz. That's 6.03 * 10^16 GHz, or 60.3 yottahertz.
Currently, the world's fastest supercomputer is the Cray Jaguar. It has 224256 opteron cores clocked at 3.2Ghz. That means it's total processing speed (again, assuming no overhead here) is 7.18*10^14 Hz. Your pretend "computer or cluster" is 84027852100 times as fast as the worlds fastest supercomputer. 84 billion times as fast.
Using the same architecture as the Cray Jaguar, the world GDP couldn't afford to buy that computer. The world's power grids couldn't power it. This is
Re: (Score:3, Informative)
There are 22 printable symbols on a standard keyboard, not 12: `~!@#$%^&*()-_=+[{]}\|;:'",<.>/?
Also, there should be 74^16 (8.09 * 10^29) combinations with 12 symbols (not 76^16), or 84^16 (6.14 * 10^33) using all symbols. Still far more than anyone could expect to test, of course—though other weaknesses could save an attacker the trouble of brute-forcing every single combination. For example, many common systems use hashes much weaker than MD5.
Re:and meanwhile in the Real World (Score:4, Interesting)
it would be a matter of a simple lookup since all the "grunt" work has been done already.
Not quite. There are no tables that exist, nor can they exist, that have 16 character passwords with the given qualifications. Assuming you could generate the tables, which as my comment above [slashdot.org] shows as being not possible, let's find out just how much space that table would require to store.
MD5 hashes are 128 bits. The corresponding password, assuming 8 bits per character, is also 16*8=128bits. Assuming no overhead, that means we have 256 bits, or 32 bytes per password. Using the calculation in my previous post, 16 character passwords with those qualifications have 1.24*10^30 combinations. That means 3.96*10^31 bytes would be required to store this. How much is that? Let's put it this way - SI prefixes don't go up that high. Why? Because it's such an astronomically large number that there is no reason (yet) to have naming conventions that high. The entire internet is estimated to have 5*10^20 bytes [guardian.co.uk]. The amount of hard drive storage in every computer ever made by man combined doesn't have the necessary storage to hold that rainbow table.
Re: (Score:3, Insightful)
If you're doing something very secure with passwords, you're doing it wrong anyway.
Totally in time. (Score:4, Funny)
"Change your passwords and be rooted." -- JIRA attackers.
Ironic Juxtaposition (Score:5, Interesting)
1. Apache Foundation Attacked, Passwords Stolen
2. Please Do Not Change Your Password
Slashdot is awesome today!
Re: (Score:2)
It must be teh alienz [slashdot.org]
Password aging isn't in touch with the real world (Score:5, Insightful)
Password aging is one of those policies that sounds like it makes some degree of sense only if you don't have any understanding of human nature.
Here in reality, forcing people to change their password every 30 or 60 or 90 days only has a few possible results:
(1) A lot more people writing down passwords and sticking them to their monitors. Who the hell can remember a new eight-digit string of nonsense every month?
(2) A lot more easy-to-guess passwords
(3) Incremented passwords (FuckTheSecurityGuys14)
This is why I consider password policies a great indicator of where your IT department is on the "keepin' it real" scale: No restrictions, you IT people are idiots and don't care or understand security. Reasonable restrictions (min 8 characters, letters and numbers) and you're in the sweet spot. Passwords that expire every 15 minutes, your IT people are idiots and don't care or understand security.
Re: (Score:2)
Passwords that expire every 15 minutes, your IT people are idiots and don't care or understand security.
You neglected one possibility: Your IT people are sadists who are sick of dealing with lusers ;)
Re: (Score:3, Insightful)
You neglected another possibility: your security restrictions were set by some dumbass in a state legislature who read some paper or book regarding "IT Security" and passed laws and regulations for government agencies...
Re: (Score:2)
Re: (Score:2)
I'm a little confused, "if" they deserve it???
Re: (Score:3, Informative)
Re:Password aging isn't in touch with the real wor (Score:5, Insightful)
And this points to a huge problem in IT departments, companies in general and our whole society. So much effort needs to be put into CYA activities, not because you're not doing your job right, but because you are liable to be subject to the whimsical judgement of stupid or ignorant people. Appearing to do the right thing is perceived as much more important that actually doing the right thing because failures of appearance tend to have much worse consequences. Look at Congress, 90% of what they do is so they appear to taking positive action on some issue, regardless of the effects it will have. And for them, it clearly works because they keep getting re-elected despite being the most consistently incompetent group of people drawing a salary in the U.S..
Re: (Score:2)
(4) Users who actually come up with relatively easy-to-remember passwords that make sense to them and are difficult to guess.
But I guess, to make a point, one has to ignore the possible good outcome ;)
In general though, I agree that your #s 1-3 are going to be a lot more prevalent.
Re: (Score:3, Insightful)
Password aging is one of those policies that sounds like it makes some degree of sense only if you don't have any understanding of human nature.
The stereotype is that computer geeks can't get a date or fit into social situations. Why? Because they don't understand human nature. And who is in charge of setting the password policy? The geekiest guy in the organization. I see a major issue.
Re:Password aging isn't in touch with the real wor (Score:4, Insightful)
Password aging made sense, once upon a time. When the biggest issue was resource theft, changing passwords every few months cleaned out the unintended access some people had, either nefariously or through chance (old unclosed account and what have you).
Now with the speed of automated hacking tools password rotation is less than useless as a defense.
Re: (Score:3, Interesting)
I've been doing columns of keys on they keyboard, It's going to be a long time before I run out, and meets most requirements. (Sometimes I hit a caps lock for the second set), Plus logging in takes almost no time at all.
1qaz2wsx
1qaz3edc
2wsx3edc
1qaz4rfv
2wsx4rfv
3edc4rfv
1qaz5tgb
Re:Password aging isn't in touch with the real wor (Score:4, Funny)
Then I remembered I'd messed the keys around to fuck with people who looked over my shoulder.
Re:Password aging isn't in touch with the real wor (Score:4, Funny)
Password aging and "Shared" accounts (Score:3, Informative)
One of my reporting users had direct SQL access to a replicated and sanitized (no sensitive data) copy of our Database. He is an advanced user with plenty of reporting knowledge and we required ad-hoc reporting that did not damage/slow production.
during a security audit, I was required to expire his password.
the next day we had 9 tickets from 9 different users: "My access was taken away"
Password aging does *not* help (Score:5, Insightful)
Re: (Score:3, Interesting)
Password aging and complexity = lists (Score:2, Interesting)
It makes strong passwords and lots and lots of password lists under keyboards, in text files, and on post-it notes.
I gave a little talk [gorrie.org] at a Toorcon [toorcon.org] event a couple years ago where I included some pictures of password lists found in the wild.
I think everyone competent knows about these things, they just choose not to say anything about it becaus
Re: (Score:3, Insightful)
Please cite some incidents traceable to the writing down of passwords.
IMHO users should be instructed to write their passwords down in a little black book and to keep that book in their wallets with their money and credit cards. The company should issue the book and teach the employees how to record passwords in it, how to keep it secure, and what to do if it is stolen or lost.
Dupe! (Score:3, Informative)
Less than a month ago. http://news.slashdot.org/story/10/03/16/1931214/Users-Rejecting-Security-Advice-Considered-Rational [slashdot.org]
Kudos to the /. editors for cutting way down on the number of dupes and summary-contradicts-article stories over the past couple of years, but they're certainly not eradicated. Maybe dupe-checking should be part of slashcode--an automatic search for links and link titles that the editor (or submitter?) has to at least scroll past to post.
Insane restrictions (Score:2)
I understand the whole point behind having a secure, random password with a limited life. At the same time, I also have a piss-poor memory for random strings of ASCII characters. I don't work for a government agency, or a company with classified or even proprietary works, yet, even my mindlessly boring personal email account requires an 8 character random string with alpha and numerical characters, no runs, no common words, and no repeats. I don't use that account for ANYTHING secure or private, and if it w
i need an example (Score:3, Funny)
Re: (Score:3, Interesting)
Could someone post an actual stong password you have in use?
I'll volunteer: 11111. I figure it's such a terrible password that brute-force software, giving humanity the benefit of the doubt, will have removed it as an option for the purposes of optimization. Thus it is the strongest password.
Re: (Score:2)
1...2...3...4...5.
Re: (Score:2)
Compl1ant
Re: (Score:2)
Re: (Score:3, Funny)
My password is ********
Benefits? (Score:2)
The real problem with password expiration is that the benefit is not clearly understood.
What does it combat?
Once someone HAS the password, you are faced with closing the barn door scenario. Anything that could have been taken or accessed, likely already was. Granted you may prevent them from acquiring additional information or access, but you can't be sure that they haven't made any backdoors, even if those backdoors aren't even related to your system. With your email, I could easily construct a spear ph
Post-it Note passwords (Score:5, Interesting)
There is one thing worse than a bad password, and that is one that needs to be written down on a post-it note.
I see password security as an exponential curve, on a graph, reaching a certain peak and then dropping to zero. That dropping point is where the password rules become so complicated that most people would rather write the password down than try to remember it. That piece of paper suddenly became your weak point in the security model. For this reason you password policies need to focus on something that is sufficiently secure, but not so secure that it is in effect insecure.
Re: (Score:2, Funny)
Re: (Score:3, Interesting)
Re:Post-it Note passwords (Score:4, Funny)
I used to work a government facility that had really steep requirements:
"Passwords must be at least 15 characters long and be a combination of lowercase, uppercase, numerals, special characters, and at least one hieroglyph from the following languages: Aztec, Egyptian, or Mayan."
I would have written down my passwords but I can't draw that well. "Is this a stork, Anubis, or a hippo?"
They also had armed security guards wandering the halls. You had 3 chances to get the password right or they would send in the guards to blindfold you and take you away to be "liberated."
Re: (Score:3, Informative)
There is one thing worse than a bad password, and that is one that needs to be written down on a post-it note.
Bruce Schneier* disagrees with you. [schneier.com] (About writing down passwords in general, not post-it notes in particular.)
We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.
Rational Behavior (Score:2)
The author makes a good point- users see the time cost of missing assignments as more damaging to their career than the benefits of following security protocol to the letter. They're probably right.
What's interesting, I believe, is that the security employee is being fairly rational by implementing every possible security mechanism, eg CYA-type behavior. Security people tend to get a lot of stick-motivation when there's a problem but very little carrot-motivation for minimizing the intrusiveness/timewasti
Please fix your systems! (Score:5, Interesting)
How many times have you seen "the password must be between x and y characters in length and must contain blah blah"?
I want to enter a full sentence. Like "this is my password and you won't be able to guess it, you idiot". You aren't making this possible, because you're thinking like geek programmers who use randomly-generated strings of 8-12 characters by the dozens.
I write code and do inter-office support for my apps. Do you know how many times someone told me "I forgotz my password, halp!!11" after they were instructed to use a full sentence with a minimum of twenty-five characters? Zero. Nobody ever forgot it.
Re:Please fix your systems! (Score:5, Insightful)
Amen! The concept of "password" is obsolete. Just never use it. Say "passphrase" and watch the light bulb go off as people realize it is easier to remember *and* more secure.
Re:Please fix your systems! (Score:5, Funny)
Better yet, change your password to "do you have a pen?" and then call your IT person to say that you've forgotten what your password is.
Free advice, bargain at twice the price - {G} (Score:2)
Password aging should automatically take into account the security of the password someone creates, via some algorithm that estimates 'guessability'
If it's a dictionary word and number, give it three months. If it's a dictionary word, number, and two symbols, give it six months. If it's a passphrase, all regular dictionary words but not a 'standard' phrase like 'lorem Ipsum" or "The quick brown fox' leave it alone for a couple years.
In other words - if someone is using a secure password, fuckin' reward them
It's a design problem. (Score:4, Insightful)
Increased security always decreases usability. Though now that I think about it, I'm wondering: why aren't smart cards used more in corporations? Wouldn't it be convenient for people to log in with the same ID they use to get into their workplace building or floor?
Just a thought...
Re: (Score:3, Interesting)
This is not true. How useable would Facebook be without requiring a password to log in? Yes it would be easier to get in, but you would lose any trust in the application as anyone could be posting as anyone else. A system should be as secure as the data you are trying to protect within it.
See the following:
Balancing usability and security is one of the toughest parts of designing a secure system; anyone that's had to even remotely consider security as a factor knows this. It still holds, however, that usability always suffers as security improves.
Facebook is a great example. Their authentication scheme was originally only passwords. However, they've had problems t
Complex and expiring passwords are a GOOD thing (Score:5, Funny)
The biggest problem with password security is user education.
USER. EDUCATION.
Forget the WHY password complexity and expiring passwords is important; end-users don't care about that.
Educate end-users on how to make passwords that are complex and easy to remember. Such a thing IS possible. For example teach users to pick a phrase or sentence and type that in, replacing all the instances of the letter E with the number 3 and to capitalize all vowels. All the user needs to remember is the phrase and the rules to make it complex. And the phrase can be something VERY easy to remember like "my daughter was born in march" which turns into "mydAught3rwAsbOrnInmArch". Maybe you leave the spaces in. Maybe you change A to 4 or L to 1. Whatever the user wants.
It produces a complex, easy to remember password.
This may not be the best political move (Score:4, Interesting)
but we just ran a cracker program on the passwd file )on Solaris at the time) and exposed about 50% of the passwords. Then we went to the affected users and said, "This is your password, right?" After the first shock passed we would say, "It's too easy. You need to change it. Next week we'll run the cracker program again." We also sent around a little tutorial on how to create good passwords by using initials of a memorized sentence (as some have suggested here) After about four runs we were down to less than 10%, and we called it good.
Re:This may not be the best political move (Score:4, Insightful)
So what you're saying is, you hamstrung 100% of employees to still leave 10% of your employees vulnerable, when no doubt it only takes one opening for anyone to get to any information that matters on your network...
Missing the point (Score:3, Interesting)
TechRepublic [com.com] covered this almost a month ago, though it still gets sidetracked (like the Boston article) in a way that exemplifies the bigger issue.
Particularly, the point is not about password ageing, which is merely one example of how controls are often ineffective at achieving the security objectives. The bigger problem is that the usual IT security industry mantra has total disregard for all the other IT objectives. The goal (the ultimate, parent objective) of IT is to assist the organisation in achieving its objectives. IT security is just one objective for achieving that goal, but all of them are important.
When evaluating implementing security controls do not simply consider security. You also have to consider things like productivity, expense, risk, or how it might make it harder for the company to respond to customer requirements. Failing to do this is why users’ rejection of the security advice they receive is entirely rational from an economic perspective: they are pursuing objectives and IT security appears little more than an obstacle.
password aging doesn't work (Score:5, Interesting)
As a long time sysadmin, my experience has been, the more onerous the password aging algorithm, the more likely that passwords will be on yellow stickies under the keyboard.
For instance, if your password expires monthly and you're required to pick a password with upper case, lower case, numbers and symbols, I guarantee that the majority of your users will write it down and stick it to something easily accessible.
If you get really draconian about keeping passwords on stickies on the monitor or under the keyboard, they'll keep it in their pocketbook or stuck to the back of their cell phone, which is difficult to track and actually a worse security hole (because the building at least has physical security).
My opinion is that password aging and password complexity rules are a managerial line item, not really a security strategy. A true security strategy is a combination of good logging, regular analysis, and tools like password breakers.
Hacker frustration (Score:3, Interesting)
Re: (Score:3, Informative)
It's called singular they [wikipedia.org], and its usage is debated. Shakespeare and Jane Austin can't be that wrong.
Re: (Score:3, Informative)
Perhaps you should take your own advice, and find out what "subject-verb agreement" means? Neither "user" nor "they" is a verb or a subject, so I'm not sure how subject-verb agreement could be relevant here.
If you meant "pronoun agreement," you're still wrong. "They" agrees perfectly with a singular noun of indeterminate gender.
Re: (Score:3, Insightful)
Don't feed the trolls.