Please Do Not Change Your Password

Posted by CmdrTaco
from the my-password-is-trustno1 dept.
cxbrx writes "Mark Pothier's Boston Globe article, 'Please do not change your password,' covers a paper by Microsoft Researcher Cormac Herley, 'So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users,' from the 2009 New Security Paradigms Workshop. Herley argues 'that user's rejection of the security advice they receive is entirely rational from an economic perspective.' Herley discusses 'password rules,' 'teaching users to recognize phishing sites by reading URLs,' and 'certificate errors.' Users obviously choose bad passwords, but does password aging actually help? There was some discussion on TechRepublic. I'm especially interested in hearing about studies about password aging."
  • by Hatta (162192) on Tuesday April 13, 2010 @12:13PM (#31834548) Journal

    We have a password expiration policy at my work. Every time I change my password I have to memorize a new one. So I pick a password that's easy to remember, as such it's also easy to guess. If I could just memorize a password once, and keep it forever I'd be using a password that's essentially random. This policy is nonsense.

  • by oldspewey (1303305) on Tuesday April 13, 2010 @12:18PM (#31834630)
    And don't forget the arbitrary rules put in place to ensure "strong" passwords - with each ruleset being different depending on the environment or portal being secured. My personal favourite: "No repeating characters allowed." Super idea! Let's force users to weaken their passwords by eliminating the possibility of duplicate characters in strategic locations.
  • by Skyshadow (508) * on Tuesday April 13, 2010 @12:20PM (#31834666) Homepage

    Password aging is one of those policies that sounds like it makes some degree of sense only if you don't have any understanding of human nature.

    Here in reality, forcing people to change their password every 30 or 60 or 90 days only has a few possible results:

    (1) A lot more people writing down passwords and sticking them to their monitors. Who the hell can remember a new eight-digit string of nonsense every month?
    (2) A lot more easy-to-guess passwords
    (3) Incremented passwords (FuckTheSecurityGuys14)

    This is why I consider password policies a great indicator of where your IT department is on the "keepin' it real" scale: No restrictions, you IT people are idiots and don't care or understand security. Reasonable restrictions (min 8 characters, letters and numbers) and you're in the sweet spot. Passwords that expire every 15 minutes, your IT people are idiots and don't care or understand security.

  • by bradley13 (1118935) on Tuesday April 13, 2010 @12:20PM (#31834682) Homepage
    Password aging is not only irritating for users, it causes them to choose even worse passwords, or to write their passwords down. If you are lucky, and they do neither of these, then it is very likely that they will use "strong-password-1", "strong-password-2".
  • by r_jensen11 (598210) on Tuesday April 13, 2010 @12:21PM (#31834698)

    We have a password expiration policy at my work. Every time I change my password I have to memorize a new one. So I pick a password that's easy to remember, as such it's also easy to guess. If I could just memorize a password once, and keep it forever I'd be using a password that's essentially random. This policy is nonsense.

    Password rotation doesn't help with hackers, but it helps when a coworker learns what your password is.

  • by Skarecrow77 (1714214) on Tuesday April 13, 2010 @12:22PM (#31834714)

    I was under the impression that the -vast- majority of compromised passwords were due to either social engineering (Hey, this is "Bill from IT", I need your password to fix that "performance issue" you're having) or sheer neglect on the part of the user (password on a post-it on the monitor). Am I mistaken?

  • by Moryath (553296) on Tuesday April 13, 2010 @12:28PM (#31834856)

    You neglected another possibility: your security restrictions were set by some dumbass in a state legislature who read some paper or book regarding "IT Security" and passed laws and regulations for government agencies...

  • by Shotgun (30919) on Tuesday April 13, 2010 @12:29PM (#31834872)

    Password aging is one of those policies that sounds like it makes some degree of sense only if you don't have any understanding of human nature.

    The stereotype is that computer geeks can't get a date or fit into social situations. Why? Because they don't understand human nature. And who is in charge of setting the password policy? The geekiest guy in the organization. I see a major issue.

  • by tsalmark (1265778) on Tuesday April 13, 2010 @12:30PM (#31834914) Homepage
    Password aging does not prevent the cracking of passwords; it prevents leaving a compromised account around forever.

    Password aging made sense, once upon a time. When the biggest issue was resource theft, changing passwords every few months cleaned out the unintended access some people had, either nefariously or through chance (old unclosed account and what have you).

    Now with the speed of automated hacking tools password rotation is less than useless as a defense.

  • by whois (27479) on Tuesday April 13, 2010 @12:31PM (#31834928) Homepage

    There is a flip-side to this. No matter how careful you think you are, you will one day expose your password in the clear. Once that happens you have no way of knowing if anyone was watching.

    Typing a password in the wrong terminal, typing a password in the wrong web field and having it autosearch Google for your password. Typing your password over a Bluetooth wireless keyboard with unknown encryption. Using a telnet session, etc. Logging in using a friend's or co-worker's PC that may have been compromised, etc.

    Because of all this, it's still a good policy to change passwords on an annual basis, with an immediate password change if you know it's been leaked.

    I encourage companies to move to single sign-on, since I consider having to memorize 17 passwords for one company to be more hassle than having to change a password frequently.

    Or having to change a password on a system you only login to once every 6 months, every time you login. I hate that. :)

    Unfortunately, it doesn't always work out, because one centralized password means you trust one department of a company with access to everything (there are workarounds for this, but company politics still gets in the way).

  • by Moryath (553296) on Tuesday April 13, 2010 @12:34PM (#31834974)

    I encourage companies to move to single sign-on, since I consider having to memorize 17 passwords for one company to be more hassle than having to change a password frequently.

    Single sign-on for a single company is a great idea.

    Having your work password, gmail, hotmail, bank password all be the same? BAD idea.

  • by b0bby (201198) on Tuesday April 13, 2010 @12:34PM (#31834986) Homepage

    Mod this up - this is especially relevant when it's a former coworker.

  • by COMON$ (806135) on Tuesday April 13, 2010 @12:34PM (#31834988) Journal
    On our LAN I put rational policies in place. Essentially I look at the threat of an event and what it will take to mitigate it. If I am worried about a brute force attack I can solve that by password rotation or increasing complexity. I let the user choose which they are comfortable with. Some users don't want to use a passphrase, so they have to change their password more often. Other people have realized that "I love my dog fluffy." is really easy to remember, and since it meets my complexity and length requirements I make the password rotation much, much longer.

    Yes, In 2008 AD you can do granular password policies, and yes this works VERY well. Not only do I have a pile of users with 15+ characters, I have users who WANT to use these passwords.

    I find that when you give the users a choice and work with them, security goes much smoother. Users will always take the easiest way out, every time.

  • by ConceptJunkie (24823) on Tuesday April 13, 2010 @12:35PM (#31834990) Homepage Journal

    And this points to a huge problem in IT departments, companies in general and our whole society. So much effort needs to be put into CYA activities, not because you're not doing your job right, but because you are liable to be subject to the whimsical judgement of stupid or ignorant people. Appearing to do the right thing is perceived as much more important than actually doing the right thing, because failures of appearance tend to have much worse consequences. Look at Congress: 90% of what they do is so they appear to be taking positive action on some issue, regardless of the effects it will have. And for them, it clearly works, because they keep getting re-elected despite being the most consistently incompetent group of people drawing a salary in the U.S.

  • by Shakrai (717556) on Tuesday April 13, 2010 @12:36PM (#31835042) Journal

    Don't feed the trolls.

  • by John Hasler (414242) on Tuesday April 13, 2010 @12:39PM (#31835108) Homepage

    Please cite some incidents traceable to the writing down of passwords.

    IMHO users should be instructed to write their passwords down in a little black book and to keep that book in their wallets with their money and credit cards. The company should issue the book and teach the employees how to record passwords in it, how to keep it secure, and what to do if it is stolen or lost.

  • by DarkOx (621550) on Tuesday April 13, 2010 @12:41PM (#31835146) Journal

    What it might do is limit exposure. Suppose someone guesses a password. They are not a hacker, and even having guessed a password they perhaps lack privileges to make any systemic changes giving them a back door. Having a rotation policy ensures they are only reading your CEO's e-mail for 90 days rather than years undetected.

  • by MrCrassic (994046) <deprecated@ema . i l> on Tuesday April 13, 2010 @12:45PM (#31835240) Journal

    Increased security always decreases usability. Though now that I think about it, I'm wondering: why aren't smart cards used more in corporations? Wouldn't it be convenient for people to log in with the same ID they use to get into their workplace building or floor?

    Just a thought...

  • by MobyDisk (75490) on Tuesday April 13, 2010 @12:48PM (#31835290) Homepage

    My favorite is "password may be no longer than X characters" - why arbitrarily limit the length of them? It's especially great when X is something small like 4 (pin #s) or 8.

  • by John Hasler (414242) on Tuesday April 13, 2010 @12:49PM (#31835342) Homepage

    > It goes into the password expiration paradigm as well, pointing out that if
    > someone steals your house key, they're not going to give you time to change
    > the locks; they're breaking in immediately.

    Not likely. Perhaps if they pick it out of my pocket as I am getting in the car to go to work they will walk straight up to the house and let themselves in (BTW it isn't breaking if they have a key). Far more likely, though, it will take days or weeks to figure out what the key fits, get it into the hands of someone able (and willing) to try using it, and for me to be away from the house at night so that they have a safe opportunity.

    If your password is written down in a little black book in your wallet, your wallet is stolen, and you go to IT the next day, report it, and get a new password, it is very unlikely that it will have been used in the interim. In fact, it is very unlikely that the thief will ever attempt to use it or even figure out what it is.

  • by MobyDisk (75490) on Tuesday April 13, 2010 @12:49PM (#31835354) Homepage

    Amen! The concept of "password" is obsolete. Just never use it. Say "passphrase" and watch the light bulb go off as people realize it is easier to remember *and* more secure.

  • by ColdWetDog (752185) on Tuesday April 13, 2010 @12:58PM (#31835514) Homepage
    Yeah, and if they beat you over the head with a rubber hose, you will tell them what your password is anyway. The rotating character / shifted field approach may not be the best policy for nuclear weapons unlock codes but it's probably OK for 'generic' level stuff.

    If you're doing something very secure with passwords, you're doing it wrong anyway.
  • Define the problem (Score:2, Insightful)

    by minstrelmike (1602771) on Tuesday April 13, 2010 @01:26PM (#31836158)
    The problem with password rules, unlike rules passed by city councils or congress, is that we can use computers to completely enforce them.

    That immediately points out exactly how useful real-life rulez are, too but I won't get into that except to say that civilization creates laws, laws do not create civilization. As proof, look at any political revolution.

    Getting back to passwords, the rules have very little to do with desired goals--no break-ins.
    Seriously, how many accounts are hacked by guessing passwords? Brute force guessing is stopped by a 3 and out system rule for bad pwds. Continued access from a compromised pwd is a serious issue but 1) the account first has to be hacked and 2) continual access from different machines can be monitored by the sys admins without user involvement.

    Just a modicum of analysis shows that if you implement no reuse and a 45-day timeout, then each user has to come up with 8-10 hard-to-remember passwords each year. FOR EACH ACCOUNT.

    The rule is as silly as Citibank's warning on the envelope they send me that a paper trail is an identity thief's best friend. How many of those crimes occur via paper and how many occur electronically? They just want to make their jobs easier and more cost-effective.
  • Bad argument (Score:5, Insightful)

    by Geoffrey.landis (926948) on Tuesday April 13, 2010 @01:29PM (#31836222) Homepage

    Pretend it would take about two months of processing time for a computer or cluster of computers to crack your 16 character length password with symbols, uppercase, lowercase and numbers. Now imagine that if your password were to be changed every month that the two month duration attempt to crack the password is useless since the password has changed and another two month attempt would have to be initiated.

    That is an incorrect argument made by somebody who knows nothing about statistics.

    First, if the time taken to crack a password is two months, and you change your passwords every two months, then there's a 50% chance of cracking the password in the first attempt, and a 100% chance of cracking the password the second attempt. So your example doesn't work.

    Now, suppose a cracker has a, say, 1% chance of guessing a password per month of attempts, and is attacking, say, 10,000 accounts. On average, the cracker will have ten hits every month, but he will only break your account, on average, once every 8 years. Still, that's a 12 percent chance of you getting compromised in a year, and a 6 percent chance you'll get hit in six months. So, can you reduce that 6 percent chance by changing your password every 2 months? NO. The chance that your changed password moves into the window of passwords that the cracker is going to try next month is exactly equal to the chance that the password change moves the password out of the window the cracker is trying. The odds of the cracking succeeding do not change at all by password changing.

    The number of passwords that the cracker guesses per month does not change.
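    The argument in this post, and the exposure-window point tsalmark and DarkOx make earlier in the thread, can be checked with a toy model. This is an added illustration, not code from the article or from Herley's paper: it assumes an online guesser who tries k distinct candidates a month out of N equally likely passwords (the 1%-per-month case is N=1000, k=10), and reports both the chance of ever being hit and how long a successful guess stays usable.

```python
import random

# Added illustration of the "rotation does not change the odds" argument.
# Model assumption (not from the article): an online guesser tries k distinct
# candidates per month from a keyspace of N equally likely passwords; the
# 1%-per-month case in the post above is N=1000, k=10.


def p_compromised(N: int, k: int, months: int) -> float:
    """Exact chance of at least one hit within `months`.

    Each month is an independent trial with success probability k/N, so the
    rotation interval does not appear at all: a freshly chosen password is
    exactly as likely to land in next month's guess window as the old one.
    """
    return 1.0 - (1.0 - k / N) ** months


def simulate(N: int, k: int, rotate_every, months: int,
             trials: int, seed: int = 1):
    """Monte Carlo check of the same model.

    Returns (fraction of trials compromised at least once, mean number of
    months the attacker kept working access per compromised trial).
    rotate_every=None means the password is never changed.
    """
    rng = random.Random(seed)
    compromised = 0
    owned_months_total = 0
    for _ in range(trials):
        pw = rng.randrange(N)          # user's password, uniform in keyspace
        owned = False                  # attacker currently holds a valid password
        ever_owned = False
        owned_months = 0
        for m in range(months):
            if rotate_every and m > 0 and m % rotate_every == 0:
                pw = rng.randrange(N)  # forced change: fresh uniform password
                owned = False          # the stolen credential stops working
            if not owned:
                window = rng.sample(range(N), k)  # this month's k guesses
                if pw in window:
                    owned = ever_owned = True
            if owned:
                owned_months += 1
        if ever_owned:
            compromised += 1
            owned_months_total += owned_months
    frac = compromised / trials
    mean_access = owned_months_total / compromised if compromised else 0.0
    return frac, mean_access


if __name__ == "__main__":
    print("exact P(compromise in 12 months):",
          round(p_compromised(1000, 10, 12), 3))
    for r in (None, 2):
        frac, access = simulate(1000, 10, r, months=12, trials=4000)
        print(f"rotate_every={r}: compromised={frac:.3f}, "
              f"mean months of attacker access={access:.2f}")
```

    The compromise fraction comes out the same with or without rotation, while the mean access duration drops from roughly half the horizon to under the rotation interval, which is the only thing rotation buys in this model.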

  • by blair1q (305137) on Tuesday April 13, 2010 @01:32PM (#31836276) Journal

    So what you're saying is, you hamstrung 100% of employees to still leave 10% of your employees vulnerable, when no doubt it only takes one opening for anyone to get to any information that matters on your network...

  • Re:Bad argument (Score:3, Insightful)

    by PRMan (959735) on Tuesday April 13, 2010 @01:46PM (#31836526)
    Ah, but people inevitably give their password to a co-worker who then gets fired. The 2 month rule takes care of that situation.
  • by eth1 (94901) on Tuesday April 13, 2010 @01:47PM (#31836566)

    The thing that worries me most about that is that it seems to indicate that they're storing the passwords plain text rather than hashing them, so they're limited to whatever field width the DB designer pulled out of his ass that day.

  • ROFL (Score:0, Insightful)

    by Anonymous Coward on Tuesday April 13, 2010 @01:50PM (#31836618)

    Explaining that joke on /. is like explaining who Jesus was to the Pope.

    You should be ashamed.

  • by Tomy (34647) on Tuesday April 13, 2010 @02:00PM (#31836826)

    Pretend that if an attempt to log into his account fails three times, his account is locked and requires a new password.

    Or pretend that your security system notes what IP address such failures comes from, and disables all access from that IP. Or it scores various IP connections, giving more trust to IP addresses that are successful.

    Whenever I see the onus forced on users, I see people who haven't learned the wisdom of the following quote:

    "I object to doing things that computers can do." - Olin Shivers

  • by jbengt (874751) on Tuesday April 13, 2010 @02:02PM (#31836880)
    Sounds like a bad application of math to me. (I admit, though that I only skimmed through the report, so I could be wrong)
    There are two sides to a risk analysis, the probabilities and the values being risked. People will play the lottery even when they don't have a reasonable chance, because the thing being risked is not that valuable. But they are not willing to risk their life savings when the odds are slightly in their favor, because they can't repeat the bet 100 times to try and come out ahead on average.
    If I'm the owner of a business, and I'm paying my employees X time the minimum wage, and a breach costs me Y dollars, I can live with the math. But if there's even a small chance that a breach will cause the death of my business, then I'm willing to have my employees spend "more than it's worth".
  • by commodore64_love (1445365) on Tuesday April 13, 2010 @02:05PM (#31836930) Journal

    hunter2 is "very good" according to my password strength meter. Add a "$" and then it will be strong. (Supposedly)

    I get tired of changing passwords because I tend to forget the new one. I'd rather just keep it. For crucial things like banking or stocks, then I'll use a separate unique PASS and then lock it in a safe for future referral.

  • by Quirkz (1206400) on Tuesday April 13, 2010 @02:42PM (#31837606) Homepage

    I was under the impression that the -vast- majority of compromised passwords were due to either social engineering (Hey, this is "Bill from IT", I need your password to fix that "performance issue" you're having) or sheer neglect on the part of the user (password on a post-it on the monitor). Am I mistaken?

    Scenarios like stealing passwords from post-its are certainly possible, but I'd guess as a percentage of all stolen passwords it's insignificant to being at the point of near zero. Most people don't have access to the physical space of the person they're trying to hack. I'd argue most successful password stealing is done remotely, against victims the target doesn't even know.

    The big ones are going to be things like dictionary attacks against a login page where it can guess stupendously stupid/common passwords, or by exploiting a weakness in the system, or a virus/spyware with keylogger--all of these techniques bypassing the user entirely. If you count phishing as social engineering then that may be up there, but not the way you describe it.

    Now, if you have a specific account you want to break into, the things you suggest may be among your best bets to get into that one account. But if you want to steal a few million accounts, you're going to be doing something a lot more automated. For every guy out there breaking into a co-worker's account because of a monitor stickie, there's a virus capturing thousands of usernames and passwords at once.

  • by pwnies (1034518) <j@jjcm.org> on Tuesday April 13, 2010 @02:47PM (#31837694) Homepage Journal
    Since we're pretending, let's pretend your imaginary computer cluster actually exists. Now let's find us the speed that said computer would have to run at to crack that password in 2 months.
    A 16 character password with symbols (12), numbers (10), lowercase letters (26) and uppercase letters (26) would have 76^16 combinations. This is approximately 1.24 * 10^30th.
    An MD5 hash takes 256 clock cycles in the best-case scenario (search for 256) [freepatentsonline.com], assuming no overhead. That means that we have 3.17*10^32 clock cycles that must be run through in order to compute/crack every possible password in that range.
    Two months is approximately (365.242199 days/year)(2/12)(24hours/day)(3600seconds/hour) = 5259488 = 5.26*10^6 seconds.
    In that time, a "computer or cluster" would have to run at (3.17*10^32 cycles)/(5.26*10^6 seconds) = 6.03 * 10^25 Hz. That's 6.03 * 10^16 GHz, or 60.3 yottahertz.
    Currently, the world's fastest supercomputer is the Cray Jaguar. It has 224256 Opteron cores clocked at 3.2 GHz. That means its total processing speed (again, assuming no overhead here) is 7.18*10^14 Hz. Your pretend "computer or cluster" is 84027852100 times as fast as the world's fastest supercomputer. 84 billion times as fast.
    Using the same architecture as the Cray Jaguar, the world GDP couldn't afford to buy that computer. The world's power grids couldn't power it. This is /., know the math behind your arguments before you post.
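    The arithmetic in this post, redone as an added example (not the poster's own code) that also generalises it to other character-set sizes, lengths and time budgets; the constants (76 symbols, 256 cycles per MD5, 224256 cores at 3.2 GHz) are the post's own and are not re-verified here.

```python
# Added recomputation of the post's brute-force estimate, generalised to any
# character-set size, password length, cycles per hash and time budget.
# Constants are the post's own (76 symbols, 256 cycles per MD5, a Jaguar of
# 224256 cores at 3.2 GHz); they are taken from the post, not verified here.

SECONDS_PER_YEAR = 365.242199 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def required_hz(charset_size, length, cycles_per_hash, deadline_seconds):
    """Clock rate needed to hash the whole keyspace within the deadline
    (worst case: the right password is the last one tried)."""
    return keyspace(charset_size, length) * cycles_per_hash / deadline_seconds


def jaguar_hz(cores: int = 224256, ghz: float = 3.2) -> float:
    """Aggregate clock rate of the Cray Jaguar as the post counts it
    (cores times clock, no overhead)."""
    return cores * ghz * 1e9


def years_to_exhaust(charset_size, length, cycles_per_hash, hz):
    """Years for a machine running at `hz` to try every candidate."""
    cycles = keyspace(charset_size, length) * cycles_per_hash
    return cycles / hz / SECONDS_PER_YEAR


def min_length_for_horizon(charset_size, cycles_per_hash, hz, years):
    """Smallest length whose exhaustive search at `hz` takes at least `years`."""
    length = 1
    while years_to_exhaust(charset_size, length, cycles_per_hash, hz) < years:
        length += 1
    return length


if __name__ == "__main__":
    two_months = SECONDS_PER_YEAR / 6
    need = required_hz(76, 16, 256, two_months)
    print(f"keyspace 76^16 = {keyspace(76, 16):.3e}")
    print(f"required rate for 2 months: {need:.3e} Hz")
    print(f"ratio to Jaguar: {need / jaguar_hz():.3e}")
    print(f"Jaguar would need {years_to_exhaust(76, 16, 256, jaguar_hz()):.3e} years")
    print("min length so Jaguar needs >= 100 years:",
          min_length_for_horizon(76, 256, jaguar_hz(), 100))
```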
  • by timnbron (1166139) on Tuesday April 13, 2010 @07:50PM (#31840784)

    Correct. For special effect, if someone was watching, I would type my password, randomly hit a few keys, and then thump the keyboard four times. Then press Enter, and get logged in. It usually got quite a stunned expression from anybody nearby.
