Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Encryption Security IT

Deloitte: Use a Longer Password In 2013. Seriously. 538

Posted by timothy
from the you're-gonna-need-a-bigger-post-it dept.
clustro writes "Deloitte predicts that 8-character passwords will become insecure in 2013. Humans have trouble remembering passwords with more than seven characters, and it is difficult to enter long, complex passwords into mobile devices. Users have not adapted to increased computing power available to crackers, and continue to use bad practices such as using common and short passwords, and re-using passwords across multiple websites. A recent study showed that using the 10000 most common passwords would have cracked >98% of 6 million user accounts. All of these problems have the potential for a huge security hazard. Password vaults are likely to become more widely used out of necessity. Multifactor authentication strategies, such as phone texts, iris scans, and dongles are also likely to become more widespread, especially by banks."
This discussion has been archived. No new comments can be posted.

Deloitte: Use a Longer Password In 2013. Seriously.

Comments Filter:
  • Re:I Got It! (Score:2, Insightful)

    by Anonymous Coward on Thursday February 07, 2013 @04:10PM (#42824463)

    awful password, only 4 symbols long

  • by eksith (2776419) on Thursday February 07, 2013 @04:10PM (#42824467) Homepage
    I used my online banking today and they limit to 8 characters EXACTLY... even though they demand a non alpha-numeric character and mixed case. I keep thinking, these idiots still don't get it. Also, obligatory [xkcd.com].
  • by pwnies (1034518) <j@jjcm.org> on Thursday February 07, 2013 @04:12PM (#42824505) Homepage Journal
    Don't use a longer password, just use two factor authentication.
  • by wiredlogic (135348) on Thursday February 07, 2013 @04:13PM (#42824523)

    We should have legislation prohibiting cleartext and unsalted password storage. At least for any site that handles money. That will help quite a bit to inhibit the sort of casual database cracking that goes on today.

  • I love old news. (Score:5, Insightful)

    by mcmonkey (96054) on Thursday February 07, 2013 @04:15PM (#42824561) Homepage

    The relationship between password length and password strength is old news.

    But don't tell users, tell the programmers and system admins. I regularly encounter systems where max password length is 12 or fewer characters. For some reason there are also systems that don't allow characters other than letters and numbers in passwords.

    Let us make longer, more secure passwords. Let us use special characters, unicode, tabs and spaces!

  • by Secret Agent Man (915574) on Thursday February 07, 2013 @04:16PM (#42824577) Homepage
    • Minimum lengths? Sounds good.
    • Require a non-alphanumeric symbol? Sounds good.
    • Must have at least one lowercase letter, capital letter, punctuation, number? Uh...
    • Max length of 12 characters. Wat?

    Some password requirements are perfectly acceptable, even encouraged. There exist plenty, however, that just make one scratch one's head. Why would a maximum length any lower than several hundred characters ever be necessary? More egregious limitations include requiring an insanely complex number of symbol/letter/number combinations (easy for AI, hard for humans, as XKCD eloquently points out) and, of course, passwords restricted to numbers only. Sadly financial institutions seem to be fond of this one, possibly under the mentality that a PIN is just as good as a password, and customers won't forget that!

  • by LordLucless (582312) on Thursday February 07, 2013 @04:20PM (#42824637)

    Probably not. I can type my mis-spelt Shakespeare quote of a passphrase faster than I can type an obtuse non-alphanumeric-laden password, because I'm far better at typing English sentences than I am weird symbol sequences.

  • by Wonko the Sane (25252) * on Thursday February 07, 2013 @04:20PM (#42824645) Journal

    Because a lot of websites, especially financial sites, have stupid limitations on password length and/or complexity.

  • by swilde23 (874551) on Thursday February 07, 2013 @04:21PM (#42824651) Journal

    As long as it's actual two-factor authentication. None of the fake crap that people call two-factor.

    For the record, asking me to pick a picture isn't a second form. Something you know, something you have, etc...

  • Re:I Got It! (Score:5, Insightful)

    by LoRdTAW (99712) on Thursday February 07, 2013 @04:23PM (#42824711)

    A better question would be, what system would allow 1000 password guesses per second to be authenticated? Most systems lock you out after 3 to 5 unsuccessful attempts. And I would hope that smart developers would put a time delay between how fast a user can reattempt to authenticate. So a computer sending authentication attempts in less than one second would be immediately blacklisted as a automated attack. Inserting a second or two delay between attempts would guarantee that. Assuming a computer could brute force a password by trying all possible strings, what system could that possibly be effective against? I can see that it could be useful against an encrypted file but an online banking site or other eCommerce site sounds impractical. anyone care to elaborate?

  • by Anonymous Coward on Thursday February 07, 2013 @04:25PM (#42824745)

    From the point of view of an remotely-accessible device, biometrics and passwords are identical. Any device can send a bit string and claim to have obtained it from a biometric scan, even if the bio in question is not present. As a result, they do not solve the problem of verifying the identity of a user.

    Even worse, you end up using essentially the same password for everything, it can never be changed, and you carry it around everywhere you go on your face or hands.

  • no solution (Score:5, Insightful)

    by Tom (822) on Thursday February 07, 2013 @04:25PM (#42824747) Homepage Journal

    Password length matters to brute force attacks - and if your application allows a brute force attack to happen, it is broken already, insecure by design.

    Enforcing longer passwords will not improve security for real-life cases. Enforcing more cryptic passwords will actually reduce security for real-life cases. Why? Because people will need to type slower, making shoulder-surfing easier. People will start to write passwords down, and they will re-use passwords more often.

    You can't solve this issue with simple solutions like "use longer passwords". The only thing that will do is make "password1234" the new standard instead of just "password".

  • by swillden (191260) <shawn-ds@willden.org> on Thursday February 07, 2013 @04:37PM (#42824929) Homepage Journal

    As long as it's actual two-factor authentication. None of the fake crap that people call two-factor.

    No kidding. My bank (I really need to change) uses two factor authentication. To log in you have to know both the username and the password! In order to make this more secure, they apply password quality requirements to both. Yes, that's right, your username must be mixed case and contain alphabetic and numeric characters, and must be at least 8 characters in length. Symbols are not allowed, however, since that would just be weird.

    For the record, asking me to pick a picture isn't a second form.

    Most places that use a picture aren't using it as a second authentication factor. It's an anti-phishing countermeasure. The idea is that you pick a picture when you set up your account and then every time you log in you should see your picture. If you don't see your picture, then you know you aren't really looking at your bank's (or whatever) web site, but an attack site. Of course it's not an effective countermeasure against attack sites that use your credentials to connect to the real bank site in the background, get the picture from the bank and then show you what you expected to see. But it does prevent some phishing.

  • Re:I Got It! (Score:4, Insightful)

    by kiddygrinder (605598) on Thursday February 07, 2013 @04:55PM (#42825249)
    4 symbols, about 180k common words in the english language = 1,049,760,000,000,000,000,000 unique passwords. this thing [arstechnica.com] can do 350 billion password attempts a second, and unless my math is wrong (which it most likely is) it would take 95 years to try all of those combinations.
  • Re:I Got It! (Score:5, Insightful)

    by dgatwood (11270) on Thursday February 07, 2013 @05:10PM (#42825521) Journal

    Your definition of "common words" is off by about an order of magnitude from reality, though. A typical person only uses about 10,000–25,000 words on a regular basis, depending on their level of education.

    Even assuming the upper end of that, nearly all people would typically choose from about 3 * 10^17 possibilities, which at 350 billion attempts per second, would take only around ten days to crack. On the lower end, a sizable percentage of people would choose from about 1 * 10^16, which would take about eight hours to crack.

  • Re:I Got It! (Score:5, Insightful)

    by Anonymous Coward on Thursday February 07, 2013 @05:32PM (#42825923)

    Password too long, please enter 8-12 characters.

  • by AmiMoJo (196126) * <[ten.3dlrow] [ta] [ojom]> on Thursday February 07, 2013 @05:41PM (#42826081) Homepage

    Apologies for picking on you, but I'm getting fed up with deliberately unverifiable anecdotes on Slashdot. You could easily say which bank with no risk to yourself or the bank, simultaneously allowing us to confirm what you say and avoid said bank ourselves. But no, you deliberately keep it vague and avoid mentioning the name.

    I'm willing to give you the benefit of the doubt here. You probably aren't karma whoring with a make-up anecdote that is sure to please the Slashdot masses. A lot of posters clearly are being deliberately non-specific to make their made-up story impossible to disprove though.

  • Re:I Got It! (Score:5, Insightful)

    by SethJohnson (112166) on Thursday February 07, 2013 @05:57PM (#42826313) Homepage Journal
    Beardo, This is a great mechanism for me to abuse to lock all your users out of the system.

    Great thinking, there.

    Seth
  • Re:I Got It! (Score:5, Insightful)

    by vux984 (928602) on Thursday February 07, 2013 @06:22PM (#42826649)

    An NFC enabled phone would be ideal. Store passwords on the phone.

    Meanwhile police around the country are facing an epidemic of cell phone thefts.

    everything is stored in one place that you always have access to.

    Well, you have access to it unless it was stolen.

    Or you dropped and it now its broken.
    Or the battery is dead.
    Or ...

  • Re:I Got It! (Score:5, Insightful)

    by Luckyo (1726890) on Thursday February 07, 2013 @06:41PM (#42826867)

    No. But it makes good headlines and sells whatever "security expert of the day" happens to be peddling.

    On most of the web, a good secure 8 random character password that you don't reuse on other sites is about a few orders of magnitude too secure for hackers to even bother thinking about cracking. The "account hacks" are usually about people managing to steal a list of user names and passwords from some shitty forum that has old version of BBS software, and then trying those combinations of user names and passwords on other sites. Pretty much all brute force methods require direct access to database that is badly encrypted (perhaps behind a weak password that they intend to crack?).

    Other then these scenarios, vast majority of "your password is too short and as a result not secure" is scaremongering bullshit.

    Full disclosure: I have several battle.net accounts, a LoL account and countless other similar game accounts that are very much wanted in hack and sell world, all under the same email. I get absolutely hammered by "your account is being closed for hacking, click here to fix" phishing emails and other similar bullshit on that email address. My WoW account was very valuable for a couple of years (very good server, easily within top 0.1% of people in terms of wealth and in top 1% in terms of rare items and progression, legendary and so on). Didn't get hacked a single time. Several guildies and countless people I know had their accounts hacked during this time, some more then once. I used, and still use a short UNIQUE password for each account. Not a single account breach.

    Why? Because no one sane brute forces remote passwords when doing actual hacking for profit. It's bloody stupid to even bother trying. There are far more profitable and easier methods, that actually work.

There must be more to life than having everything. -- Maurice Sendak

Working...