Forgot your password?
typodupeerror
Security

Applying Pavlovian Psychology to Password Management 288

Posted by timothy
from the risk-versus-reward-baby dept.
Ars Technica reports on an interesting and sensible-sounding approach to password policy that I'd like to see adopted just about everywhere I have a password (which, these days, is quite a few). An excerpt: "For instance, a user who picks "test123@#" might be required to change the password in three days under the system proposed by Lance James, the head of the cyber intelligence group at Deloitte & Touche. The three-day limit is based on calculations showing it would take about 4.5 days to find the password using offline cracking techniques. Had the same user chosen "t3st123@##$x" (all passwords in this post don't include the beginning and ending quotation marks), the system wouldn't require a change for three months."
This discussion has been archived. No new comments can be posted.

Applying Pavlovian Psychology to Password Management

Comments Filter:
  • ObXKCD: Passphrases (Score:5, Interesting)

    by tepples (727027) <tepples AT gmail DOT com> on Sunday May 04, 2014 @10:36PM (#46916403) Homepage Journal
    From the article: "Passcodes that have a length of 20 or more can contain any character type an end user wants, including all lower case letters." And sites like Phil's Hobby Shop [philshobbyshop.com] have lowered "complexity" requirements for sufficiently long passwords. I'm glad the passphrase concept is catching on. To what extent can xkcd be credited [xkcd.com] with awareness of passphrases?
    • Re: (Score:3, Insightful)

      by Anonymous Coward
      Not a great extent. Most of us knew the math already, but it only works well when you really select randomly from a dictionary instead of making grammatically correct sentences or even personally chosen set of "random" words (from a limited vocabulary). Mixing passphrases and complex passwords works best. battery horse correct staJ&%v1ple
      • As illustrated in the comic, your mind can end up constructing a "story" around whatever four words your Diceware spits out. So long as you can remember the story, it doesn't need to be grammatical.
        • by Mashiki (184564) <mashiki&gmail,com> on Monday May 05, 2014 @12:14AM (#46916801) Homepage

          As illustrated in the comic, your mind can end up constructing a "story" around whatever four words your Diceware spits out. So long as you can remember the story, it doesn't need to be grammatical.

          Bingo. Funny enough, I just finished doing a security job out in western canada(provincial government office) and moved them to passphrases. Funny how the number of "passes written on post-it-notes" dropped from "everywhere" to nowhere except the firebox safe. The safe of course is in it's own room, and requires two keys to open besides the combination. This of course also cut down on the intrusions into the network, because people simply "walking in" couldn't glean passwords that were posted in the open anymore.

        • by pjt33 (739471)

          I think you're in violent agreement with the post you're replying to. If you tell someone "Use a phrase rather than a word", they will come up with a grammatically correct sentence, which probably even makes sense at a semantic level. Tell them to use Diceware, and they're selecting randomly from a dictionary.

          • by geekmux (1040042)

            I think you're in violent agreement with the post you're replying to. If you tell someone "Use a phrase rather than a word", they will come up with a grammatically correct sentence, which probably even makes sense at a semantic level. Tell them to use Diceware, and they're selecting randomly from a dictionary.

            If you tell 95% of people "Use a phrase rather than a word", they will come up with a grammatically incorrect sentence, which probably doesn't even makes sense at an elementary level.

            There we go, FTFY...we seem to have a strong assumption about spelling and grammar skills here. Sadly, it has probably helped, since "passwerd wun" is probably more secure than "password one".

        • by AmiMoJo (196126) * <mojo@NOspAm.world3.net> on Monday May 05, 2014 @05:15AM (#46917551) Homepage

          The problem is that password crackers can now crack strings of words [arstechnica.com] relatively easily. On page three of the article it even mentions that comic specifically as an example of what crackers can now break.

          Two factor authentication is the solution. If you can't use that then a long, random password stored in a password safe app is the best bet. Anything you can remember is crackable.

      • by sFurbo (1361249)

        "To what extent can xkcd be credited?" Not a great extent. Most of us knew the math already

        There is a difference between knowing the math and applying it. A nice, easy to remember story can make that difference.

        but it only works well when you really select randomly from a dictionary instead of making grammatically correct sentences

        Grammatically correct is not that much of a reduction in key space. I would imagine that "Adjective" "Noun" "Transitive verb" "Adjective" "Noun" yields a larger keyphrase than four random words, and it is probably easier to remember than "Noun" "Noun" "Adjective" "Noun", even for rare words.

    • I have wondered if the best way to measure password complexity is with an arithmetic compressor. Train it with a good dictionary, including words in various languages and any cracked passwords from hacked servers. The compressed size is the complexity measurement.
  • Why not? (Score:5, Funny)

    by msauve (701917) on Sunday May 04, 2014 @10:37PM (#46916407)

    all passwords in this post don't include the beginning and ending quotation marks

    Include the quotes, and be even more secure!

    • Unless the developers have taken a belt-and-suspenders approach to guarding against cross-site scripting and Bobby Tables attacks [explainxkcd.com] by not only using parameterized statements but also stripping any punctuation characters that may have special meaning in HTML or in SQL. Angle brackets, ampersands, and quotation marks become an underscore, which is a more common (that is, less entropy) character in passwords.
  • by sinij (911942) on Sunday May 04, 2014 @10:45PM (#46916451) Journal
    Sure, implement this and watch most of your userbase write passwords down and keep them on the side of the monitor or under the keyboard.
    • Bruce Schneier considers writing down passwords to be acceptably secure [schneier.com]. Carrying around a card with your passwords on it isn't really any less secure than carrying around a piece of plastic with your credit card number embossed on it.
      • It is one of the few things where I simply don't agree with Bruce. While it is no less secure than your CC, I consider the CC already a horrible security problem.

        What you do when you write down your password is that you turn "something you know" into "something you know OR something you have". And while security improves if you make it dependent on "something you know AND something you have" (as in ATM card+code), the OR there lowers your security.

        • You may have missed his point. Writing down the passwords means you can use stronger passwords that you don't have to struggle to remember. The threat from brute forcing stolen hashes is much greater than the threat of having your wallet stolen by someone who is going to know what to do with the passwords.
    • Having a hint or reminder to your password is OK, I'd think, as long as it's clear to you, but obscure to anybody else. As an example, my laptop is named after a planet used in an SF series I like. Even if somebody guessed that, there are enough places, people and things in that series to keep the hint from being any help to anybody except me.
  • by wisnoskij (1206448) on Sunday May 04, 2014 @10:50PM (#46916469) Homepage

    Because all you are going to get is users deciding that they they cannot come up with a 10th password that year and just going picking "123456".

    "I'd like to see adopted just about everywhere I have a password (which, these days, is quite a few)"
    What a joke. If every site used this method I, and many other people, would need to change multiple passwords every single day of the year. The entire system would break down and become completely unmanageable

    • I think the idea is you'd let the user know. "This password would take approximately 4.5 days to crack. For your security, you will be required to change this password after 3 days. Alternatively, you may pick a longer, more secure password to lengthen this interval (for example, a 16 character password will only require a change after XX years)." Or something.
      • Re: (Score:3, Insightful)

        by Mr. Slippery (47854)

        I think the idea is you'd let the user know. "This password would take approximately 4.5 days to crack....

        ..."if we are incompetent enough to divulge your encrypted password." So, how about you don't divulge my encrypted password, then?

      • by AmiMoJo (196126) *

        That will just make people use the same password for everything, or need to use the password reminder function a lot.

        When most people need 20+ passwords (email, multiple PCs, forums, subscription sites, NetFlix, dozens of shopping sites, bank sites etc.) in their life the only conclusion is that passwords are not a good system. If we could get everyone to use a password safe it might help, but despite having been available for free for decades hardly anyone does.

    • Years ago, I worked for an ISP. Once they realized that they were able to put expiration dates on employee's passwords, they did so. Not just for things that we could access from home, but for services on the internal LAN that couldn't be reached unless you were physically on site. My response was to make them as rude and vulgar as I could, both as an expression of what I thought of the policy and because I knew that this would make them easier to remember. And, of course, a little bit of creative spell
    • by AudioEfex (637163)

      Precisely.

      Some of the replies to you say "well, that just forces people to make more complex passwords" so they last longer, but that's just the same-old. And anyone that deals with this from a business standpoint will tell you that the real problem with requiring customers/users to have more complex passwords is the more complex you make them, not only the more frustrated the customers get - but you also have to make it even easier for them to reset their passwords.

      Just anecdotally, I know of one med

  • I just say 'generate' to PasswordSafe (right now my tool of choice) and have a 8-character pile of gibberish that I can't pronounce and never read. If someone points a gun to my head (the NSA?) and asks for my online banking password, I can only - truthfully- say that I have no idea.


    BTW, pavlovian to me implies egg whites and sugar, mixed and then baked. Then cream.
    • Someone can still point a wrench [xkcd.com] to your head and ask for your PasswordSafe master password. What would be your truthful answer to the following question: "Do you know your online banking password, or any other password that can be used to retrieve your online banking password?"
    • And tropical fruits.

      Mmmmm.

    • by brunes69 (86786)

      Yes, and that works perfect when you need to generate your password on your phone and later use it on your PC. Or generate your password at your office (where you are not allowed to install software), and then use it on your tablet at home.

      Password generators are a giant fail. They work in a very small subset of conditions but are not useable in the situations most consumers find themselves day to day. I am so sick of geeks like myself trotting out password managers as a solution - they are not. The soluti

  • The computer will tase the users if they forget to change their passwords at the prescribed time. If they do remember, give them a biscuit, with a glass of milk if it's a strong password.

  • I'd like to see sites develop password policies that reflect the value of information the passwords are guarding.

    For example. if a password unlocks access to a bank account, it's reasonable for the bank to require more secure forms of access: including ones that are better than mere passwords, themselves.

    However if all a website visitor has at risk is comments about stories. Comments that can be, and often are, as banal as I lik [sic] catz then even a 1 character password seems like overkill. As it is, t

  • The three-day limit is based on calculations showing it would take about 4.5 days to find the password using offline cracking techniques.

    If you're assuming your hashed password file is public or you allow unlimited login attempts without shuttering the connections, then this makes some sense. But if your pw file is public you need to force a change far before the average crack time (like 2 stddev), which probably means hours on an average of 3 days to crack.

    But if your pw file isn't supposed to be public, t

    • by tepples (727027) <tepples AT gmail DOT com> on Sunday May 04, 2014 @11:20PM (#46916603) Homepage Journal
      Yes, we're assuming that the hashed password file has a substantial probability of getting leaked, just as it was in several other high-profile breaches (Sony, Target, etc.). If it's impossible for an inside job to leak the password file, then how can the system 1. use the password file to authenticate users and 2. back up the password file in case of hardware failure?
    • by TubeSteak (669689)

      But if your pw file isn't supposed to be public, then you're setting a policy assuming your system has been cracked and are passing bad math onto the users as annoyance.

      Dude, the first step to good security is to assume you've been compromised and then construct your defenses based on that assumption.
      It's called a defense in depth [wikipedia.org].

      Or to look at it from another angle: we all have locks on our homes, but you still wouldn't leave $10,000 in cash just sitting on the kitchen table, would you?
      Of course not, you'd hide it, preferably in a safe that's bolted to the floor.

      • by bugnuts (94678)

        Dude, the first step to good security is to assume you've been compromised and then construct your defenses based on that assumption.

        Not so much. The first step is figuring out what you're protecting.
        The next step is figuring out what the fallout is if you're compromised.
        The 3rd step is figuring out the likelihood of being compromised, and potential avenues of attack.
        Only at that point do you construct your defenses.

        Contingency plans are based on assuming the worst has happened. Security plans are not. An

  • We should increase password strength rules!

    Right now, at most sites, the strength rules are such that they disallow a significant portion of the unconstrained search space.

    If we keep increasing the number of constraints, we will further reduce the search space.

    Eventually, we will get to the point where I only have to remember one password, because it's the only password I, or anyone else, is allowed to have.

  • For those interested in the kind of stuff that people do.. here is the top 100 list of passswords from the 130million that Adobe lost last year: http://stricture-group.com/fil... [stricture-group.com]

    The thing that amuses me (or terrifies) is that nearly 2million of the people had "123456" as their password..

    nearly another million had one of these: "123456789" "12345678" "1234567", and "1234567890" ...345,000~ chose "password" as their password (good going adobe.. why is that even allowed?)

    i like the people who chose "photoshop"

  • by EmperorOfCanada (1332175) on Sunday May 04, 2014 @11:43PM (#46916687)
    A very simple problem opened up by making users rapidly change their passwords is that they will frequently forget what they just changed them to. They will change it last minute on Friday to something genius and on Monday scratch their heads and go, "Crap". So now they are going to call tech support who will walk them through some crude verifications and give them a new password.

    A perfect example of this is a relative of mine who works for government. He was complaining about the frequent password changes he has to do. So I bet him that we could look under everyone's keyboard and find some passwords. Two of his people put them on post it notes under the keyboard, and another guy just had 30 passwords written on the bottom of his keyboard, which oddly provided some security as I couldn't guess which one was the newest.

    But the best part was that I bet that with my relatives wallet and his most recent pay stub that I could talk IT into resetting his password. So I called them up and they promptly walked me through resetting his password; but they didn't ask me a single question. So in the end I asked them how they knew I was me (him) and they said, it was because of what phone I was calling from. I asked what they would have asked had I been home and they said, birthday, maybe the office's postal code.

    So it wouldn't have mattered what genius password scheme they were using as the more genius it was the worse their social hacking problem would become.

    A different relative who works for a different branch of government could even log in without her key fob as all she had to do was phone IT and whine until they let her in from home.

    Now you might just wave your hand and say, no problem just bolster the security by telling them not to be nitwits. But those guys weren't being nitwits. In government or any large organization if you piss the wrong person off you will lose your job far faster than if someone hacks the system. So maybe for Sally secretary they might not be so persuaded but in the case of where I phoned in a forgotten password the person who should have been sitting at that desk could have an IT person's head very quickly. As could the other relative who whined past the need for a key fob.
  • by RevWaldo (1186281) on Monday May 05, 2014 @12:10AM (#46916783)
    One day Pavlov walked into a bar and ordered a cognac. He was about to take a sip when the barkeep rang him up. He dropped his glass and shouted "Shit! I've got to feed the dogs!" and ran out.

    .
  • I really dislike any authentication system that rejects MY chosen password. It's my security, not yours, that I'm gambling on if I want a easy to type password. And the ones that make you change it x number of days are even worse.

    This is outright stupid. You can't force people to choose a decent password, they either will or they won't and no 'system' is going to force it upon them. At best, you're just creating a support irritation as people forget the password they were forced into changing.

    Just dumb,

  • ...let me give them an electric shock (say, through the keyboard) with voltage inversely proportional to password strength. That ought to encourage the use of something stronger.
  • ... i should change them weekly as well?
    To whoever was talking about the Adobe password hack. I don't think anyone cared about that password. It was forced on them by Adobe for one marketing reason or another. Or because of the idiotic cloud suite thingy.
    Now the passwords that really are important to me... those are hard to crack, don't worry.

  • Is the duty for password complexity correctly placed on the users shoulder? I think not...

    The users has two jobs:

    1. Select a password he can remember
    2. Choosing a password someone else does not associate with him

    Raising password complexity requirements makes those two jobs harder. In my observation, with rising password complexity, the users tend to re-use passwords more often (which is more detrimental to security than a less complex password).

    For password complexity to matter, the service provider must ha

  • If someone can 'offline' crack your password, then that means: he has the password database/file.
    In other words the complete system is already compromised!

  • by GauteL (29207) on Monday May 05, 2014 @04:05AM (#46917345)

    This should be the first thing you tell your mother or Aunt Tilly [tm].

    If you do the occasional shopping, email and Facebook usage you only really need to know one password; your email account. The others can be stored in your browser/app or reset if you ever forget. Having to do a password reset before doing your "once-a-year" ordering of photo-books is a minor inconvenience compared to having to remember loads of different passwords or worse; using the same password for all sites.

    Teach Aunt Tilly [tm] the typical password-reset procedure and tell her that she doesn't have to remember these passwords, so there's no need for the password to be simple.Shopping sites really should move away from using passwords anyway. They can store a token in your browser and perform a reset using your email address if you're using a browser without the token. They can also do periodic resets of the token.

    Just make sure that Aunt Tilly [tm] knows that there is one password that needs to be GOOD and she needs some way of remembering it; her email account. Having access to your email account would give criminals many great ways of screwing you over, since they can reset nearly all your passwords that way.

    If she really can't remember a complicated password, then writing it down on a piece of paper in her house is much less likely to cause her trouble than using "mathilda" or "whiskers" as her password.

  • People who choose "correct horse battery staple" would always choose good passwords, would not reuse the same passwords for all their accounts. People who choose 12345, if forced to choose "correct horse battery staple", would write it on a post it note and very cleverly tape it to the underside of their keyboards instead of the monitor and congratulate themselves on their devious ingenuity.
  • "Your password must contain at least one Eskimo word, one bizarre foreign character, and oh, can't match any of the last 42 passwords you've used."

    "In other news, click here for great partner discounts on Secret Server [thycotic.com] ... "

    (The above is a joke, not a commercial or referrer link of any kind.)

As the trials of life continue to take their toll, remember that there is always a future in Computer Maintenance. -- National Lampoon, "Deteriorata"

Working...