The Case For Lousy Passwords 343

Posted by CmdrTaco
from the love-for-the-lousy dept.
itwbennett writes "Since the Gawker and McDonald's hack attacks, the web has been overrun with admonishments against using weak passwords. But weak passwords have their place too, says blogger Peter Smith. Like, for example, on Gawker, where he really doesn't care if it gets cracked. 'Life is too short to be worrying about 24 character passwords for trivial sites,' says Smith. And, to put things in perspective, your good passwords are pretty weak too. In a 2007 Coding Horror article, Jeff Atwood points out that the password "Fgpyyih804423" was cracked in 160 seconds by the Ophcrack cracker."
  • Bad usernames too (Score:5, Interesting)

    by alphatel (1450715) * on Thursday December 16, 2010 @10:39AM (#34573232)
    Anytime I visit a site that wants a signup, I use a garbage email account, with the same username and weak password. If someone hacks my identity, it's not even "me".
    It's not as if the right to post or read is such a valuable commodity that can't be replicated next time you visit the site.
    • by Anonymous Coward on Thursday December 16, 2010 @10:47AM (#34573330)

      Anytime I visit a site that wants a signup, I don't bother signing up.

      • But what if you want to participate on a discussion board? (And don't worry, I'll wait 10 minutes until you're allowed to post your response AC).
      • Personally, I keep an extra gmail account to sign up for websites that is only used for that purpose. My real email address is never entered into a signup form, only my spamtarget address.

        I don't share passwords between my spam target email or accounts and my real life email and accounts.

        But yes, the day I (sign up for and) am worried about a useless account like gawker getting cracked is the day I know that I truly have no life.
    • Re:Bad usernames too (Score:4, Informative)

      by zwei2stein (782480) on Thursday December 16, 2010 @10:48AM (#34573340) Homepage

      Ever heard of http://www.bugmenot.com/ [bugmenot.com] ?

      It's nifty, use that instead ...

      • IMHO bugmenot is pretty much useless since (a) it permits websites to opt themselves out and (b) webmasters got savvy and started banning accounts listed on bugmenot.

      • by sideslash (1865434) on Thursday December 16, 2010 @12:13PM (#34574568)
        Yeah, bugmenot is cool. I use it for my online banking.
    • There are several tools you can use to make the whole "required registration for everything" a little less annoying:

      http://www.bugmenot.com/ [bugmenot.com] has usernames and passwords that people have submitted for a bunch of sites. Very handy when you want to read something in a web forum (or other site, but I've found forums to be the worst) that has really obnoxious registration requirements.

      http://mytrashmail.com/ [mytrashmail.com] is an anonymous email service that lets you use a temporary email address, without requiring registrat

      • ...use a password manager... I don't have any idea what most of my passwords are.

        To me that's unacceptable. What happens when a bad update or a hardware failure renders your passwords inaccessible? But I guess most people are so dull they have no choice -- it's software or 123456, otherwise their pitiful little brains will be overwhelmed. No doubt this laziness and apathy is precisely why everyone will be chipped soon.

        • What happens when a bad update or a hardware failure renders your passwords inaccessible?

          That's what backups are for...

        • I have terrible memory, you insensitive clod. It has nothing to do with being lazy.

          But I don't use password managers, I use an algorithm based password generator. I can recreate any password with a SHA-1 hasher.

          Of course, I still have about 9 or 10 memorized passwords for important stuff (root accounts, bank, etc), but it would be completely impossible for me to remember the dozens of passwords for every random website that requires me to register.

        • by mjeffers (61490)

          It's not laziness, it's that the password system of authentication is fundamentally broken. You tell a person that they have to remember a long, unique, random string of characters that has no connection to anything they've done or anything about them in real life. They have to use a different one of these for each place they go to that requires a password and they have to change them frequently every few weeks/months. If you've got 10 sites you belong to and you change your password every month that's 120

      • by horatio (127595)

        Finally, if you use a password manager (I've been using KeePassX, it's pretty good and cross-platform), then you don't have to remember passwords anymore, so there's no reason to use a weak password for anything. I don't have any idea what most of my passwords are.

        Yep. I use 1Password and have the encrypted file synced through dropbox to my iPhone and other systems. I really don't know what most of my passwords are anymore.

    • by mcgrew (92797) *

      Yes, and it depends on the site as well. I use 111111 for newspaper sites, I have a strong password for slashdot simply because I like my user name and have excellent karma. I have an even stronger password for my computers.

  • by Joe The Dragon (967727) on Thursday December 16, 2010 @10:41AM (#34573248)

    Hard passwords just lead to Post-its, even more so if you need to change it all the time and can't reuse old ones or even parts of old ones.

    • by Tim C (15259)

      There's nothing wrong with writing down important passwords, as long as you protect the bit of paper.

      For example, if I write down my password for my domain account at work and put the piece of paper in my wallet, the password would be the least of my worries if my wallet went missing.

  • by alen (225700) on Thursday December 16, 2010 @10:44AM (#34573286)

    One time I worked at a place where every 6 months they would randomly change your password to a random 8 letter string of letters, numbers and a special character, and your username was some cryptic combination of initials, numbers and department. Needless to say most people would keep a copy under the keyboard. Meanwhile the admins thought they were James Bond with their cool security.

    • by hey! (33014) on Thursday December 16, 2010 @10:55AM (#34573436) Homepage Journal

      Actually having a hard password and writing it down is not such a bad idea. It's leaving the password under the keyboard that's a bad idea.

      Look at it this way. That guy driving a Ferrari around town unlocks it with a key that *anyone* can use. It's reasonably safe, however, because he keeps the key in his pocket.

      Of course, wallets get stolen. So what you do is this: you generate a strong eight character password, print it on a laminated card and keep it in your pocket. You choose a memorable six character password and keep it in your head. Then concatenate the two to form your working password. That's poor man's two factor security.

  • by fahlenkp (1939942) on Thursday December 16, 2010 @10:47AM (#34573336)
    Why on earth are they mentioning how fast rainbow tables can break an old windows hash? That has nothing to do with most pages running apache on linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP. Get it worth their salt? Lololol. Anyhow why is the windows example being used in this article at all?
    • by Culture20 (968837) on Thursday December 16, 2010 @10:57AM (#34573472)

      The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP.

      I'm sure you've noticed from your logs that brute force attempts are made from botnets now too? A lot harder to block.

      • by gparent (1242548)
        Yeah, they've been trying to bruteforce my RSA key for a while now. Oops.
      • by Z00L00K (682162)

        Sure, but many of the bots are running the same password list, and if you block an IP address after a certain number of connections you will make it harder to penetrate your server.

      • by fahlenkp (1939942)
        A little harder to block, yes I would agree, however even a botnet of 1 million computers all active on my pathetic site can only guess 5 million per hour. I would love to see your logs that are a clear show of botnet force. Doesn't happen to my company's webservers. (knock on wood) Still a long time until the example password gets cracked. So at the heart of this question- are strong passwords like "Fgpyyih804423" worthless because an old NTLM hash cracker with precalculated tables can hit it in 160 second
    • Why on earth are they mentioning how fast rainbow tables can break an old windows hash? That has nothing to do with most pages running apache on linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP. Get it worth their salt? Lololol. Anyhow why is the windows example being used in this article at all?

      You missed the point of using rainbow tables in the first place. It's not about brute force guessing a password - any system that's still vulnerable to that sort of attack should have the admin taken out and shot. It's in the case where an attacker gets hold of the file containing *hashed* passwords, and wants to work out what passwords correspond to those hashes (which is what happened in this case).

      Windows, Linux, whatever - if a file of hashed passwords can be obtained, and those hashes aren't salted, th

      • The problem is rainbow tables quickly get too large to be of practical use, and take too long to generate. This fast cracking is again people banging on about old LM passwords. The old 3com/MS LanMan OS used a really weak hashing system. Passwords were limited to 14 characters in length, and were case insensitive. Further, they were stored as two 7-character hashes. Windows versions prior to Vista stored these LM hashes by default unless you changed the security settings or used a password longer than 14 char

    • Why on earth are they mentioning how fast rainbow tables can break an old windows hash? That has nothing to do with most pages running apache on linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP. Get it worth their salt? Lololol. Anyhow why is the windows example being used in this article at all?

      Right, but the issue is, they weren't cracking over an IP. They made off with a hash file. This is why system-level security is more important than user-level security. The problem isn't that the users had weak passwords, it's that Gawker's servers were compromised. Now the hackers don't have to worry about IP auth denial.

      A hacker making off with a hash file is like a thief making off with your portable safe. Sure, it's fire proof and has a padlock, but he has all the time in the world now, in a safe envir

    • by jimicus (737525)

      Why on earth are they mentioning how fast rainbow tables can break an old windows hash? That has nothing to do with most pages running apache on linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP.

      Any attacker worth their salt won't carry out the attack directly themselves, they'll instruct a botnet of 20,000 PCs to make 3 attempts each and log any that come back as working.

  • by GreatBunzinni (642500) on Thursday December 16, 2010 @10:52AM (#34573394)

    The Coding Horror article claims that the given password was "cracked" in 160 seconds with a cracker kit but it fails to claim that it is a brute force attack where the attacker has physical access to the system (the cracker software is a bootable DVD, for fuck's sake). Meanwhile, in the real world, this sort of attack is practically impossible to pull off from any site which has any semblance of security. I mean, you only need to place a delay of a fraction of a second between login attempts to drive the time needed to "crack" the login/password combo to months, if not years. Adding to that the fact that it has become pretty much standard for sites to simply block any login attempt after N failed attempts then this reference to this so called cracking software goes from irrelevant to pathetic.

    • by Xenna (37238)

      That was a rainbow table attack. A way of cracking password hashes by having all possible character combinations and their corresponding hashes in a huge precomputed table. You need access to the password hashes for that and the security system needs to be badly designed. Rainbow tables are easily defeated by using large salt values that would require the rainbow tables to be not simply huge but impossibly huge.

      http://en.wikipedia.org/wiki/Rainbow_table [wikipedia.org]

    • In addition to salting the password, I design my systems to sleep for one second after each failed password attempt, and for 3 seconds before booting the guy off. That should take care of brute force attacks.

    • by anegg (1390659)

      Hash table-based password attacks depend on having access to the hashed password value; they are not used in a brute-force front-door attack. The article should have been clear about this, as it is essentially pointing out that passwords aren't safe from discovery if the password database itself has been taken, even though the password values are hashed.

      From a belt-and-suspenders security viewpoint, it is reasonable to want the database of hashed password values to be secure against "reversing" the hash t

    • Which is extremely weak. Now I'll grant you it could be an issue: If someone gets access to your system and your SAM file and if you are running XP or earlier and if your password is 14 characters or less then there will be an LM hash. Vista or 7? No LM hash by default. Longer password? No LM hash (as LM is limited to 14 characters).

      So let's say this password was on 7 instead. Ok so it is 13 characters and uses upper, lower and numeric. Surf over to Ophcrack's site and... no tables that could get it. Their

    • The recent Gawker hack where the entire username/password table was leaked is exactly the kind of "unrealistic attack" that you're calling "practically impossible to pull off". You don't need physical access to the system with the passwords, you just need a copy of the encrypted passwords from the system to be moved onto a system that you have physical access to.
  • by betterunixthanunix (980855) on Thursday December 16, 2010 @10:53AM (#34573400)
    Passwords are a very poorly designed security mechanism, yet no matter how many times this is pointed out, people still seem to think that the solution is to educate users about password security. Human brains just do not generate or remember random strings very well, and it is ludicrous to expect users to do so. Of course, passwords will always be around because password based systems are convenient.
    • And cheap.

    • Human brains just do not generate or remember random strings very well,

      If you keep your password in your brain by remembering a random string, you're either a genius or you're doing it wrong.

      The brain is bad at remembering random strings, but it's excellent at remembering sequences of movements, like the one necessary to type those random strings. If you wanted to know one of my passwords, I'd have to ask you for a keyboard first.

      • A sequence of movements is great until you're required to change your password every 30-60 days. At which point by the time I get the sequence down so I don't need to remember the password it's changed and I have to learn a new one.

        That method works well with some things, like phone numbers. I can't remember my wife's cell number so I have an excuse not to give it out to people, but I can still dial it when I have to call her.
        • by HappyHead (11389)

          I use a movement sequence, and change my starting key when I need to change my password on a "schedule". All I need to remember is what key to start on. I have six different movement sequences that I use depending on what account it is, and have never had trouble keeping them separate. Then again, I also remember all phone numbers as movement sequences, and need to look at a keypad to tell people what my own phone number is.

          Also, it makes using the ipod screen-keyboard to log into anything really annoyin

      • Likewise. Back before I started using a password generation/management tool, I produced and memorized my passwords by trying "1337" variations of misspelled words (ones that wouldn't be in a dictionary) with some special characters mixed in somewhat randomly until I found a sequence that was easy to type and "felt" right as I typed it. I'd then toss in camel-cased capitalization based on when it was natural for my hands to hit the Shift key, rather than picking them arbitrarily. There were a few legitimate
    • PIN numbers for debit cards are only 4 digits and they work pretty well. The problem doesn't seem to be the password but the system that allows too many automatic tries. There's a problem with denial of service, but there are solutions for that....

    • by MobyDisk (75490)

      Agreed. Passphrases solve these problems, and cost nothing to implement. Yet most systems still insist on passwords 10 characters or some other such nonsense.

    • by Haedrian (1676506)

      A good way of generating a random string...

      Is to think of a sentence that has letters and numbers - and then take the first letter of each word and all the numbers.

      Ex: My best friend Joseph was born on the 15th of December = MbfJwbot15oD. Mixed letters and numbers of different cases - and it's pretty easy to remember.
      -
      What you could also try I guess is to get some sort of hash+salt - type in your password, and use that hash of the password as your password (which will also get rehashed). Bit hard on computer

  • the password "Fgpyyih804423" was cracked in 160 seconds by the Ophcrack cracker

    I've noticed that some websites will lock you out for 5, 10 or 15 minutes if you get the password wrong too many times in a row. That might slightly deter the hacker.

    Although they might simply start hacking other accounts and simply cycle through them...

  • by RivenAleem (1590553) on Thursday December 16, 2010 @10:57AM (#34573466)

    12345 has always worked for me, on every site I've used. Some sites require a 6, and some even 7 and 8. I've never been hacked once!

    I'd also like to add that I'm a giant douche and a poopy-head!

  • by ron_ivi (607351) <.moc.secivedxelpmocpaehc. .ta. .ontods.> on Thursday December 16, 2010 @10:59AM (#34573486)

    This was one of the best password articles I've seen.

    I think the worst advice I've seen is when people recommend using some algorithm to make long painful "good" passwords that are variations of each other.

    Someone who uses:
          mysecr1tword4gawker.com
    for fun and
          mysecr1tword4mybank.com
    for their bank isn't that much safer than if they had just used the same password for both.

    Much better to use throwaway ones for sites like gawker; and truly random ones for banking.

    IMHO OpenID is the best idea. You only need to put your trust in 1 identity provider - where it's worth the effort to set up a good password and 2-factor auth (easy to do for $0 at myopenid.com, and for a few bucks at Verisign's openid provider); rather than needing to trust every site you come across.

    • by pnuema (523776)
      Why is that algorithm a bad idea? It is certainly safer than using the same password for both. Bonus points if you add other algorithmic goodness (capitalize the 2nd vowel in the site name, replace the third letter with a number, etc...). Look, I need a password to log into my bank. My newspaper. My email. My blog. My kid's school. I actively use dozens of passwords. Algorithms like this are certainly no worse than writing everything down, and are certainly better than using the same password for everythin
  • by junglebeast (1497399) on Thursday December 16, 2010 @10:59AM (#34573492)

    To quote the referenced article,

    "Why is Ophcrack so fast? Because it uses Rainbow Tables. ....If you've salted your password hashes, an attacker can't use a rainbow table attack against you-"

    In other words, any service with 1/10 of a brain will salt their passwords and be immune. They are also only vulnerable if they let their system get hacked and database stolen.

    In other words it's the same classic trade-off as ever: you have to trust the person who runs the service to know what they are doing with your password. But if they do know what they are doing, then you shouldn't have to worry.
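The salting point Xenna and junglebeast make (a precomputed table only pays off when the same password always yields the same stored hash), as an added Python example that is not from the article or from any poster here. The guess list, the SHA-256 scheme and the function names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a precomputed table. A real rainbow table is built
# over a whole keyspace once and then reused against every unsalted database;
# the short list keeps the example runnable while showing the same effect.
GUESS_LIST = ["123456", "password", "qwerty", "Fgpyyih804423", "letmein"]


def unsalted_hash(password):
    """The scheme the thread is criticising: identical input gives an
    identical hash, on every site and for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(guesses):
    """Precompute hash -> password once. The cost is paid a single time, ever."""
    return {unsalted_hash(g): g for g in guesses}


def recover_unsalted(stored_hash, table):
    """A table hit costs one lookup, however many users leaked."""
    return table.get(stored_hash)


def salted_hash(password, salt):
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store_salted(password):
    """Fresh random salt per user, stored in the clear next to the hash;
    its job is uniqueness, not secrecy."""
    salt = secrets.token_bytes(16)
    return salt, salted_hash(password, salt)


def verify_salted(password, salt, stored_hash):
    return hmac.compare_digest(salted_hash(password, salt), stored_hash)


def guess_work_salted(stored_hash, salt, guesses):
    """With a per-user salt no shared table applies: every guess must be
    rehashed for this one record. Returns (match or None, hashes computed)
    so the per-user cost is visible."""
    work = 0
    for g in guesses:
        work += 1
        if salted_hash(g, salt) == stored_hash:
            return g, work
    return None, work
```

Salting only removes the precomputation shortcut; a per-user guess run against a fast hash like SHA-256 is still cheap, which is why deployments also use a deliberately slow password hash.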

  • Ophcrack (Score:4, Insightful)

    by Kiaser Zohsay (20134) on Thursday December 16, 2010 @11:03AM (#34573528)

    If "Fgpyyih804423" had at least one non-alpha-numeric character in it, it would have survived at least the free download ophcrack.

  • Lastpass (Score:5, Informative)

    by defaria (741527) <Andrew@DeFaria.com> on Thursday December 16, 2010 @11:07AM (#34573600) Homepage
    In a word - Lastpass. 'Nuff said.
    • by gsmalleus (886346)
      Absolutely! A co-worker of mine has been using it and stated that it worked well for him. After these recent break-ins, I decided to sign up for LastPass. I went through all the websites I use on a regular basis and used LastPass' password generator to generate secure passwords for each. I feel much safer now knowing all my passwords are extremely strong. While the free service should suffice for most of your needs, I signed up for the premium service ($12/year) to get the mobile app for my phone.
    • I use Keepass to maintain all of my passwords. It's open-source and encrypted using AES 256. I save the password database on Dropbox, which keeps an updated copy available on all of my computers. The only problem is that I cannot login to the websites on public computers, but I think that's an added security bonus. I have my Blackberry with me to check my email, which is what I really need to check on the road.

    • by definate (876684)

      Best $12 a year service, and now they're doing Xmarks for $8 per year.

      Two of my favorite add-ons to any browser!

      Now I audit my passwords regularly, and maintain passwords WAY stronger than necessary, which are different per login.

    • by rsborg (111459)

      In a word - Lastpass. 'Nuff said.

      Similarly, I use 1password (Win/Mac). Main benefit with 1password over Lastpass that I can see is that my keychain lives locally (but can be shared amongst users/computers using dropbox).

      A password manager is absolutely essential, IMHO and a graceful happy medium between usability and security.

  • TFS Fail... (Score:5, Interesting)

    by fuzzyfuzzyfungus (1223518) on Thursday December 16, 2010 @11:23AM (#34573812) Journal
    The summary makes the incredibly naive and misleading mistake of conflating online trial-and-error attacks with offline hash attacks.

    Against a system you do not control, the system has total power over how frequently you may try a username/password combination, how informative it is about your success/failure (i.e. does it just say "no", does it say "wrong password", does it say "username not recognized"?), as well as being able to, if it wishes, just start ignoring all attempts from your IP/terminal or all attempts against a specific account (subject to the risk of denial of service techniques exploiting this). In this scenario, the difference between a terrible password and an OK password is enormous. The 12345 or 'password' are quite likely to be simple enough to crack by trial and error, even against a remote system. Modestly more complex ones will either be impossible or require days/weeks of low-speed guessing, or careful guessing from multiple hosts.

    With an offline hash attack, you have total control over the hashes, and the only limiting factor in how fast you can attack them is your computer (and hash attacks generally parallelize really well). Here, the difference between a terrible password and a merely mediocre one will likely be less than the refresh rate of the attacker's monitor, and the difference between an OK password and a superb one will still be fairly small. Only a password so good that it is basically a nonstandardized type of private key will be of any use. However, offline hash attacks only happen against compromised systems, you can't get the hash table otherwise. They are an excellent argument for not re-using passwords, since systems get cracked all the time; but they are of only limited relevance in discussing the importance of password complexity, or lack thereof, for online attack scenarios...
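The online-attack side of this distinction (the lockouts, failure delays, response wording and botnet points raised earlier in the thread), as an added Python example that is not code from any poster. The thresholds, the account store, the class and function names and the address values are constructed for the example.

```python
import hmac
import time
from collections import defaultdict

# Policy knobs (constructed values for this example).
LOCKOUT_THRESHOLD = 5        # consecutive failures before an account is locked
BASE_LOCKOUT_SECONDS = 300   # first lockout lasts 5 minutes; each later one doubles
IP_THRESHOLD = 20            # failures from one source address, across all accounts
IP_WINDOW_SECONDS = 3600     # sliding window for the per-address counter


class LoginThrottle:
    """Tracks failed logins per account and per source address.

    The clock is injectable so the policy can be tested without sleeping.
    The throttle never sleeps inside a request handler: it answers 'not now'
    and the caller returns at once, so slowly failing logins cannot tie up
    server workers the way a sleep-on-failure handler can.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)      # account -> consecutive failures
        self.lockouts = defaultdict(int)      # account -> lockouts so far (escalation)
        self.locked_until = {}                # account -> monotonic time
        self.ip_failures = defaultdict(list)  # address -> failure timestamps

    def _recent_ip_failures(self, ip):
        now = self.clock()
        recent = [t for t in self.ip_failures[ip] if now - t < IP_WINDOW_SECONDS]
        self.ip_failures[ip] = recent
        return len(recent)

    def check(self, account, ip):
        """Decide before touching the password store. Returns (allowed, reason)."""
        until = self.locked_until.get(account)
        if until is not None and self.clock() < until:
            return False, "account locked"
        # A botnet spreading guesses over many hosts evades this counter;
        # the per-account counter above is the one that still applies then.
        if self._recent_ip_failures(ip) >= IP_THRESHOLD:
            return False, "address blocked"
        return True, "ok"

    def record(self, account, ip, success):
        if success:
            self.failures[account] = 0   # lockout history is kept on purpose
            return
        self.failures[account] += 1
        self.ip_failures[ip].append(self.clock())
        if self.failures[account] >= LOCKOUT_THRESHOLD:
            # Temporary and escalating, never permanent: someone failing logins
            # against a victim's account on purpose cannot lock them out for good.
            self.lockouts[account] += 1
            duration = BASE_LOCKOUT_SECONDS * 2 ** (self.lockouts[account] - 1)
            self.locked_until[account] = self.clock() + duration
            self.failures[account] = 0


# Constructed stand-in for the real credential check; a real verifier
# compares against a salted hash, which is beside the point of this example.
DEMO_SECRETS = {"alice": "correct-password"}


def demo_verify(account, password):
    return hmac.compare_digest(password, DEMO_SECRETS.get(account, ""))


def attempt_login(throttle, account, ip, password, verify=demo_verify):
    """One login attempt. A wrong password and an unknown account get the same
    answer, so the response does not confirm which usernames exist; a throttled
    attempt gets a distinct answer because the user needs to know to wait."""
    allowed, _reason = throttle.check(account, ip)   # _reason is for server logs only
    if not allowed:
        return "try again later"
    ok = verify(account, password)
    throttle.record(account, ip, ok)
    return "ok" if ok else "invalid credentials"
```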
  • After Gawker got hacked I changed my duplicate passwords and made most of them unique or variants on a theme. So all of them stronger and over 10 chars in length. But I got to thinking that probably I should be bothering nearly as much about choosing password variants for throwaways because I'll never remember them all. I think for forums / chat boards it would suffice to just take the domain name (e.g. gawker) and append it to a fairly strong throwaway password shared everywhere. For example say my throwaw
  • by Plekto (1018050) on Thursday December 16, 2010 @12:58PM (#34575262)

    Having spent a few years working for a company that dealt with files from Asia on a daily basis, it strikes me as odd that more sites don't allow unicode characters. Adding a single Chinese or Arabic character to the password is enough to force most cracking utilities *even when you have the machine in your hands* to have to resort to brute-force measures that can take days. What's awful, though, is how sites restrict you to A-Z and 0-9 98% of the time, which defeats the entire reason for a password. I suspect that they want to be able to maybe crack it themselves in case they feel the need to do so. Because 10 characters max, with a simple 36 character ASCII limit is going to be cracked exactly as it was in the example.

    It's the old obscure OS trick. If you are using an operating system that the hackers' commands mean nothing to, you are secure. I know of a few people who run email servers (as an example) that use very obscure and old operating systems that no botnet or hacker is designed or has the knowledge any more to deal with. One friend a few years ago was using an old A/UX Macintosh as a router, precisely because the ability to remotely hack the code was essentially zero. (While there were easy ways ten years ago, everyone has forgotten them by now.) If you can find a book on how to program some of these obscure OSs, good luck to you. If you want to really go crazy, run OpenVMS on your mail server. And watch anyone who gets into the system have a fit trying to take over. (I suppose there are some people who can, but criminals are lazy and I suspect less than 1% of people here on slashdot even have used OpenVMS in their lifetime.)

    While that's not usually workable, though, for modern computers, it IS easy to do with Unicode, since the latest version covers 109.000 characters. Figuring out what characters you used would probably take a cracker just to figure out a simple 2 character combination. It's just not something that the botnets are (currently) equipped to deal with. (Though I suspect that they do check for simplified Chinese and Japanese and similar characters; the trick would be to pick something obscure like Sanskrit or another ancient language.)

  • by SanityInAnarchy (655584) <ninja@slaphack.com> on Thursday December 16, 2010 @01:42PM (#34575960) Journal

    This is what public-key cryptography is for. Someone insists on a password?

    makepasswd --minchars 8 --maxchars 64

    If that doesn't work, replace maxchars with whatever's relevant for the site. That's already fairly secure, but if a site insists you use non-alphanumeric characters,

    makepasswd --minchars 8 --maxchars 64 --string 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789!@#$%^&*(){}?+[]/=;,.:'

    And that's assuming they don't allow Unicode. Most websites will let my browser save the password, and a few others, I can copy it from a text file. On the very rare occasions a website insists I type the password every time, and I'm too lazy to work around it, I do this:

    gpw

    Then, just add some numbers that mean something to me, though after a week or so, I'll have memorized them -- so the next time I need one, there'll be other relevant numbers.

    At this point, I never sign up for a new service with the same password I use anywhere else. I don't want to make it easy for someone else to crack my Slashdot account, for instance, but that's no reason to trust Slashdot with my PayPal password, or vice versa. TFA is moronic -- it's not about "lousy" passwords, it's about limiting the scope of passwords, and this isn't new. This time, the site in question didn't use salt. What if they'd actually been malicious?

  • by GrumpySteen (1250194) on Thursday December 16, 2010 @03:25PM (#34577930)

    I have a post-it note labeled "passwords" with about a dozen random 12 character strings stuck to my monitor at work. None of them are actual passwords that are used anywhere.

    It's surprising how often I find my network login has been locked out.
