Users feel Password Rage
Pcol writes "The Baltimore Sun is reporting on Password Rage, the frustration users have with the abundance of codes they are required to memorize. Some cope by remembering their passwords with the help of a tune or a phrase, some use three or four levels of passwords with the most complex protecting financial information, and others keep all their passwords in a database - protected by a password. Security experts say that with the increased use of biometrics, our reliance on passwords will lessen in the future. Until then, it's ok to cheat - but wisely."
Anonymous Coward (Score:2, Funny)
USB keys (Score:5, Interesting)
This is definitely the handiest way to replace multiple passwords.
Re:USB keys (Score:2)
Personally, I use 5 passwds, 8 chars long, alpha + numeric + non-alphanumeric. The more sensitive the information being protected, the less frequently a particular passwd gets used.
I haven't been cracked yet.
That I know of. :)
Re:USB keys (Score:4, Interesting)
One guy I used to know had a system (5-7 years ago?) of cycling passwords on his computer, so that if somebody found out one of the passwords it didn't really help the thief shit. Banks use this type of system frequently.
Re:USB keys (Score:4, Interesting)
Keyring for PalmOS (Score:5, Informative)
Re:USB keys (Score:3, Informative)
http://www.zetetic.net/
Re:USB keys (Score:3, Insightful)
Re:USB keys (Score:5, Interesting)
The only thing that comes to mind that's even remotely sophisticated is an "intelligent" USB stick, so to speak. It contains your private key and never gives that out to anything. Instead, it gets fed a challenge, encrypts it using the key and sends it back to the computer where the corresponding public key is stored.
Is anyone using something like this on a regular basis (for his home server/desktop)?
Re:USB keys (Score:5, Informative)
Re:USB keys (Score:3, Funny)
Re:USB keys (Score:3, Interesting)
Using a device with computation power and storage can increase the security, because it can perform computations which a person either couldn't perform or couldn't remember the information for. Of course, a human could use a challenge/response system (challenge: page, pa
Re:USB keys (Score:3, Funny)
I not only store my PGP and SSH keys on them, I also store my USB keys, that way I don't have to drag them around. Of course it collapses on itself and leaves a little black hole, but I just use it to dump cans and candy wrappers.
Re:USB keys (Score:5, Insightful)
Problem solved!
You laugh, but in certain contexts, that is the easiest way to go, and not that bad, security-wise.
For example, I post on slashdot. I need a password, so pranky kids don't post under my name, saying rude things. Fine. Now let's say I wrote the password on a piece of paper, taped to my monitor.
Who sees my monitor? The custodian. I know Bernadette - she is a nice lady and isn't going to hack my slashdot account. My colleagues? They haven't the slightest interest in doing such a thing, nor do they have the time.
There are also low-stakes passwords. If my net-flix password got out, you all could ADD AND DELETE MOVIES FROM MY QUEUE! Oh the horror! If someone wanted my net-flix password, they could break into my office and find it in a
Obviously, I am careful with my bank password, etc. But otherwise, I don't see why it's so bad to have low-security when high-security is unwarranted.
Re:USB keys (Score:3, Interesting)
I don't see why it's so bad to have low-security when high-security is unwarranted.
Personally, I think it's bad to have high-security where only low-security is warranted. I have systems where the computer name is the same as the user name is the same as the password, writ large on the keyboard. Part of effective security is limiting exposure as much as possible. For high-security, you want the minimum expos
Wallet (Score:5, Interesting)
Store them in your wallet like Bruce Schneier [counterpane.com] does.
Note: I don't store mine in my wallet, so keep your hands to yourself!
Re:Wallet (Score:5, Interesting)
And check his reasons for doing it: A wallet is a secure container for things you don't want to lose or have stolen. If I lost my wallet, the handful of medium-high importance passwords I would compromise would be among the least of my worries.
Using the same passwords for multiple different services is much more dangerous, and no-one could possibly memorise unrelated secure passwords for everything needed. I need about 20 just to do my work, and I'm usually required to change one or two of them every week.
The worst was my office voicemail. I rarely used it, and the required password change frequency was set so high that it demanded a new password every single time I tried to pick up a message. The end result was I turned the fscking thing off as it wasn't worth the effort to use.
Password rage? Try password-phobia. (Score:5, Interesting)
Apparently, this hatred of passwords had even spread so far as the techs-- when I joined the company, I almost immediately found that one of our three servers (running Windows NT 4.0 Server, no less) had NO Administrator password whatsoever.
Users simply do not understand why passwords are important. They are completely unaware of the concept of a bad password (say, "apple") being cracked by a dictionary attack, and then being used as a stepping stone to gain root (at which point it's all over). I run a Web host myself, and I constantly have to explain to users why good passwords are important. And this problem has gotten much worse with time (at present my company is 5 years old).
People generally have the attitude of "Oh, who would try breaking into my account, I just have some photos of my cat there." Maybe so, but if your account has a one-word password, and you have shell or FTP access to the system, Bad Things could happen if your account was compromised...
And then, of course, the techs (us!) would get blamed.
But where do you draw the line? (Score:5, Informative)
Now THAT gives me password-rage.
Re:But where do you draw the line? (Score:2, Interesting)
What bothers me is when users use passwords like "sophia" or "pears" or "1952" and then expect ME to safeguard their accounts... AND to make matters worse they have zero clue about the risks they are placing OTHER accounts in by doing so.
Re:But where do you draw the line? (Score:4, Funny)
Re:But where do you draw the line? (Score:2)
But didn't you just say:
A janitor sticking his mail password on his monitor might not be so disastrous, but, as you say, stepping stone ...
If peo
Re:But where do you draw the line? (Score:4, Flamebait)
Fascist password policies annoy the living fuck out of me for two reasons. First, they give petty power pushers an ever-so-delightful way of punishing their users. Second, they don't freaking work because nobody can remember the passwords and they simply write them down and post them to the monitor. I'm as security-aware as anyone here, and I've done that before with irritatingly difficult passwords, only I keep them in my wallet instead of on my monitor.
I have a number of web-based email accounts and message board aliases, and for most of them I use the same password, easily guessable by Jack the Ripper or equivalent. It would give your average BSD admin a shitfit, but you know what? Fuck 'em. I have better things to do than pleasing anal-retentive system administrators. Been there, done that, didn't keep the trial issue or the free gift.
Re:But where do you draw the line? (Score:3, Insightful)
At some point that's going to be counterproductive: they are narrowing the password space so much that a brute force attack will become effective, if it knows the rules. (Quite simply there are so many passwords not allowed that the 'available' list is small enough to search.)
Personally, most of my passwords are quite easy to gue
Re:Password rage? Try password-phobia. (Score:3, Insightful)
I just have some photos of my cat there.
I've found that the best argument to this is to say that it does not matter what can be taken from you, but what can be done in your name by breaking the password. If the account is compromised anyone could send mail in your name or use your account to store illegal material.
Trying to explain about root access and such things will be met by a blank stare. It's more effective to talk about the drawbacks of being discovered with someone else's child pornography in
Re:Password rage? Try password-phobia. (Score:2)
Re:Password rage? Try password-phobia. (Score:3, Insightful)
If your password is good and you haven't given it out to anyone, what is the point of changing it? I mean, if the password is non-crackable via dictionary attack why change it to a different non-crackable password?
Re:Password rage? Try password-phobia. (Score:5, Informative)
If it's possible to crack your password in 7 months but you change it every 6, then the cracked password is useless. If you never change your password it can always be cracked.
Re:Password rage? Try password-phobia. (Score:3, Insightful)
In the first case, if the encrypted password can't be obtained in the first place, what does the attacker have to work with?
In the second case the only way I see for the attack to be successful is if access to the software is given such that a brute force attack is
Re:Password rage? Try password-phobia. (Score:3, Insightful)
Let's pretend you have a password for a system and a cracker gets ahold of the encrypted password. The cracker has to spend x time decrypting the password. If you change your password halfway through, then the password the cracker gets is now invalid.
Re:Password rage? Try password-phobia. (Score:3, Insightful)
As time goes by, the probability the password has been compromised increases: The password was shared with a coworker who needed access, the storage location of the plaintext password (the place you wrote it down) was compromised, et cetera.
Re:Password rage? Try password-phobia. (Score:3, Informative)
The book gets into details of the 'bad things' that could happen.
Some quick answers:
"Why would anyone want my account I just post pictures of my cat"
"Because some people are jerks. Some people hate cats, some people hate FTP, and some people can "make better use" of your account by distributing illegal or immoral material such as pirated software, MP3s, child porn or plans for bombs.
Then you take the blame."
"It's just an FTP account, what could anyone possibly do with that?"
"B
Re: 'Caching' passwords (Score:3, Interesting)
Solution? As with computers, the human brain is an interesting device; and there are always ways around things. I, therefore, propose using a proxy for storing passwords: the motoric memory.
I always use 10-16 character passwords, rule is at le
There's help for this... sorta (Score:5, Funny)
Re:There's help for this... sorta (Score:3)
It only takes one keylogger that snaps your passphrase, and then a malicious person will have access to all your stored passwords.
Password managers reduce the security of all your systems to one single point of failure, and if that point is a Windows machine, your passwords are not safe enough.
This doesn't mean that password managers are bad in general, but they have to be a bi
No problem for me. (Score:5, Funny)
Keychain (Score:3, Informative)
Re:Keychain (Score:2)
Or you can encrypt all your passwords with pgp for free. Works fine for me on at least 5 OSes: Linux, Windows, Mac, Unix and BSD.
Password Safe is free (Score:4, Informative)
One such application for Windows is Password Safe [sourceforge.net]. It is free and open source. It stores all of a user's passwords in an encrypted database that is accessed with a "safe combination" (just another password). It then displays a table of all the stored accounts with accompanying usernames (it does not display the passwords by default). The user double clicks an entry and the corresponding password is copied to the clipboard. It can also generate passwords with some options to set their parameters (only uppercase letters, use symbols etc.).
I've been using Password Safe for several months and have found it incredibly convenient and well designed. Since it never actually displays the passwords on the screen, I can use it in public environments, and the encrypted database file can be easily transferred using a floppy.
P.S. I've found it unwise to use a different password for everything, relying on Password Safe for each one. I've now switched to using different passwords for things involving money, and for stuff like slashdot, gamespy and various messageboard accounts using a single password.
Old Problem (Score:4, Interesting)
Result: ALL my systems used the same password, and it was of the form [lastname+sequential 2 digit number]
I was in blatant violation of the password policies, but they were unworkable. Policy was: different passwords for each system, composed of a random string of letters, numbers, and symbols. Add in changing it every month, and you get the picture.
And BTW - everyone on site, even the IT dept., did it the way I did.
Re:Old Problem (Score:4, Insightful)
People who make the rules need to think a little more sometimes.
Re:Old Problem (Score:2, Interesting)
Re:Old Problem (Score:2)
You weren't the only one who treated it like you describe. I think many people used their basic password, followed by a two-digit number - often the month of the year.
The end result was that for many users a minimum password length of, say, 8 characters became a 6-character password, with a trivially-guessable two-digit suffix.
So the IT rules being enforced actually made things less secure.
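The "base word plus two digits" habit this post describes, and the dictionary-word passwords ("apple", "sophia", "pears", "1952") complained about earlier in the thread, are both easy to catch at password-change time. The following is an added example, not code from any poster: a server-side check that rejects a new password which is the old one with only its trailing digits changed, a dictionary word with or without a numeric tail, or a password whose length is only reached by appending digits. `COMMON_WORDS` is a constructed stand-in for a real cracking wordlist, and the sample change requests are constructed.

```python
"""Password-change checks for the 'base word + two digits' habit.

Added example (not code from any poster): a server-side filter that rejects
the patterns this thread describes. COMMON_WORDS is a constructed stand-in
for a real cracking wordlist.
"""
import re
from typing import Optional

# Constructed mini dictionary; a real deployment would load a large wordlist.
COMMON_WORDS = {"apple", "sophia", "pears", "password", "letmein", "reindeer"}

# Optional 1-4 digit tail, as in 'lastname01' or 'apple1996'.
TRAILING_DIGITS = re.compile(r"^(.*?)(\d{1,4})$")


def _split_suffix(pw: str) -> tuple[str, Optional[int]]:
    """'smith07' -> ('smith', 7); 'smith' -> ('smith', None)."""
    m = TRAILING_DIGITS.match(pw)
    if not m:
        return pw, None
    return m.group(1), int(m.group(2))


def check_new_password(old: str, new: str, min_len: int = 8) -> Optional[str]:
    """Return the reason a change is rejected, or None if it is acceptable.

    Order: cheap length checks first, then the dictionary, then the
    'same base, new digits' rotation pattern, then the effective length of
    what is left once a numeric suffix is discounted.
    """
    if len(new) < min_len:
        return f"shorter than {min_len} characters"
    if new.isdigit():
        return "all digits (looks like a year or PIN)"
    if new.lower() == old.lower():
        return "same as the old password"
    base, suffix = _split_suffix(new)
    if base.lower() in COMMON_WORDS:
        return "dictionary word, with or without a numeric suffix"
    old_base, _ = _split_suffix(old)
    if suffix is not None and base.lower() == old_base.lower():
        return "old password with only the trailing digits changed"
    if suffix is not None and len(base) < min_len:
        # An 8-char minimum met as 6 letters + 2 digits: the digits are
        # cheap to guess, so only the 6 letters count.
        return f"only {len(base)} characters before the numeric suffix"
    return None


def audit_changes(changes: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Run the check over (old, new) pairs; return rejected ones with reasons."""
    rejected = []
    for old, new in changes:
        reason = check_new_password(old, new)
        if reason:
            rejected.append((new, reason))
    return rejected


if __name__ == "__main__":
    # Constructed change requests mirroring the thread's examples.
    sample = [("anderson01", "anderson02"), ("anderson01", "apple1996"),
              ("anderson01", "secret07"), ("anderson01", "Tq7#mzP2wL")]
    for new, reason in audit_changes(sample):
        print(f"rejected {new!r}: {reason}")
```

The effective-length rule is the part that addresses this post directly: an 8-character minimum that users satisfy with six letters and two digits is, for guessing purposes, a 6-character minimum, so the check measures the part of the password that is not a cheap suffix.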
Re:Old Problem (Score:2)
This is precisely why at one of my former clients, where security was really tight, sysadmins were forbidden from using password expiry options. The reasoning was that if people have to remember too many passwords and renew them every month, they're too
use a token (Score:5, Interesting)
This assumes, of course, that there are passwords that you only need at work, and not at home (and vice versa). It's a start, though, and reduces the number of passwords you really need to memorize.
Re:use a token (Score:2)
Re:use a token (Score:2)
Re:use a token (Score:4, Interesting)
Furthermore, until it gets firmly implanted in my tactile memory, I just have to remember "Heretics of Dune" rather than a long ugly string of numbers. Things aren't nearly as easy for an attacker, though. Any attacker looking to get my password would have to first know that it is a book they're looking for, then go through every single book I own, typing in likely numbers (not only the ISBN, but also the barcode, and any other likely numbers; for example, I might work the price in there somehow).
Also, an attacker would have to have physical access to my home for a good long time to even know what books, CDs and other things I own. The set of all possible passwords, although restricted compared to a truly random string, is still incredibly massive and would take a long time to crack with a dictionary attack. Assuming I change the password every 2 to 3 months, the attacker would be better off looking for exploits to bypass the password mechanism entirely.
Why are biometrics taking so long? (Score:3, Informative)
Until biometrics become more mainstream people should check out those cheap USB key chain mini drives. They work okay, but I still find them a pain to use.
Re:Why are biometrics taking so long? (Score:3, Insightful)
If your password is LSKdfSLJ, if you get it wrong, it's human error until you type it right. If you use a fingerprint scan, it has to do more work to figure out that your finger isn't perfectly aligned with the picture. Just like OCR.
Yeah, most people have many fingers and toes, but until it becomes infallible, getting locked out of your work machine on a daily basis, or 10% of the time, would make your workday a lot longer. Think of the time you waste on slashdot d
Make Password Open Source! (Score:5, Funny)
The Open Source developers would also be granted much quicker access and approval to systems that they deemed important to their project work. This would improve fund generation and IP (Intellectual Property) sharing which are some of the stumbling blocks in current academic circles.
Only when we improve the texture-layer vortex shading in the Matrox drivers can we unleash the full potential of quad-monitor Parhelia configuration.
Which is nice.
A few thoughts (Score:5, Interesting)
Biometrics (Score:3, Interesting)
Anywho, there is already some biometric hardware out for people to buy, if no one has seen it yet: http://www.thinkgeek.com/computing/input/keyboard
I can't say I'd mind biometrics getting cheaper and then doing that, though... heh.
Biometrics on its own is weak authentication (Score:5, Interesting)
- something you have (such as a token) or
- something you know (such as a password or PIN)
It's a relative scale, though (Score:3, Insightful)
Biometrics still have a lot of basic advantages over passwords.
Today:
[Informed cracker dials front desk]
Cracker: Hi, this is John in Support. We're having a problem with your account, could you just confirm the ID and password you use to log in so I can fix it up?
Clueless front desker: Sure, I type johndoe and the password is "reindeer flotilla".
Cracker: Great, thanks. I'll fix your account up right now, and you shouldn't see any difference from usual once it's done.
Next year:
[Informed cracker
Silly... (Score:5, Interesting)
Ever notice that the people who always forget passwords are the same ones that, when presented with one, will say "I'll never remember that!"
Granted, some people have better memories than others, but a little more confidence couldn't hurt. When a person says "I'll never remember that" they're basically choosing not to.
Re:Silly... (Score:5, Interesting)
Now if you are clever you can change things just enough, or say put in letters of two languages. But most people just pick something stupid and go with it.
I will admit to having a throw away password, that I use when I need a password for something I don't care about.
Experts (Score:2, Funny)
I never thought I'd hear that on Slashdot.
Sometimes your hands are tied (Score:2, Informative)
I imagine it's a long process of finger pointing all over the corporate world, though. The bottom line is that this just mi
Spreadsheet (Score:4, Funny)
Re:Spreadsheet (Score:2, Informative)
Yeah, the password list can be handy sometimes
Have a Palm? (Score:2, Informative)
VoiceMail is the biggest piss off! (Score:3, Funny)
First off... the damned thing expires every 3 weeks; secondly, it remembers your last 10 or so entries and won't allow you to repeat them. Also, the damned thing does pattern recognition... Ironically, the most secure thing I have is my phone at work right now!
It's gotten so bad, probably half the phones at work have their voicemail password sticky-noted to the phone. Weakest link is always the user, eh?
Weakest link is always the user, eh? (Score:2, Interesting)
Perhaps a discussion of boycott will motivate web designers and other developers to consider picture matching and other forms of authentication and help do away with the over-passwording...
Then the end user will stop supporting poor interface design, and cease to be the (second) weakest link.
Remembering passwords... (Score:5, Funny)
Two Words... (Score:2, Informative)
Now I only have to remember 2 or 3 different passwords. Keychain does the rest of the thinking for me.
What's so hard about remembering passwords? (Score:4, Insightful)
Inherently difficult problem (Score:3, Insightful)
Part of the problem is that by putting passwords on too many things you are requiring people to do something that most people simply can't do. Think about it, a good password has to be essentially random, at least eight characters long, and only used once. And then the passwords should be changed monthly. Seriously, how many of you can remember %Fhe#jhx*, $%SDh!@l, (*^GKk32vc and sd)hdf@m? Studies done by various phone companies show that people tend to only be able to memorize about seven numbers at a time.
And think how many passwords you end up using: your account password on 3-4 computers, various root passwords, passwords to hotmail, your Amazon.com and eBay accounts, your ATM PINs, your credit card PINs, the access to your wireless router at home, and all the access codes to various subscription websites (hot asian teens and whatnot :) )?
Faced with this deluge of things to remember (which most people simply do not have the neurons to do), what do we do? Either use only one password, use something easy to remember, or write it down on a piece of paper kept in one's wallet. All of which are security no-nos. But security people have to face reality - passwords are only good security when used judiciously!
Biometric Encryption Thingamajigs (BET) (Score:2)
Each credit card company will require you use theirs, each business/agency/... and maybe departments will require that only theirs be used for this da-dumb location/job, your banks do not want to use the same BETs as your brokerages, the city/county
Diceware (Score:2, Informative)
Re:Diceware (Score:2)
Unfortunately, a lot of systems require passwords. A strong Diceware passphrase is about 5 words long, with maybe four to six characters per word (including spaces). So what do you do when you're at a Novell-enabled Windows 2000 machine (which limits you to 14 characters)?
Generate a weak (~3 word) Diceware passphrase, generate a cryptic and hard-to-remember password, or just use "password" itself.
I Don't Get It (Score:3, Insightful)
Seriously, though, not everyone thinks like your average computer geek. For most of us, passwords and other alphanumeric sequences are simple to memorize. For many other people, even phone numbers can be very difficult. Not that geeks are necessarily better (okay, we are, but that's beside the point), we're just skilled at soaking up random information. Other people have skills in other areas. We shouldn't really expect everyone to think like us.
what i do (Score:3, Insightful)
Let's say I have 10 machines. For each of them, I just memorize an easy to remember 8 letter password. There's also one nasty long password stub that I have that's like 12 characters. I remember just one of those, and after I do the first 8 of the machine specific, simple password, I append the big nasty one, and that's the password for the machine. If someone gets one of them, I know I have however long it takes to brute force crack an 8 letter password to get the other machines.
Not that I see what the big deal is -- isn't a password of "i like to eat pumpkin pie" just as strong a password as "sj34##@dj3"? (Roughly; don't do the actual math as I know they are different. All I mean is that they're both good enough most of the time.)
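The question in this post ("just as strong?") and the Diceware post's complaint about 14-character fields can both be answered with the same entropy arithmetic. The block below is an added example, not any poster's code: it computes the bits of entropy for the schemes the thread mentions (8 lowercase letters per machine plus a 12-character random stub, a 10-character random string, 3 and 5 Diceware words) and includes a Diceware-style generator over `SAMPLE_WORDS`, a constructed eight-word list standing in for the real 7776-word list. The formulas assume each character or word is chosen uniformly at random, which holds for generated secrets and not for an English sentence a person made up; the sentence figure is therefore an upper bound.

```python
"""Entropy estimates for the password styles argued about in this thread.

Added example, not any poster's code. SAMPLE_WORDS is a constructed
eight-word list standing in for the 7776-word Diceware list. The formulas
assume uniform random choice of each character or word, which is true of
generated secrets and NOT of a sentence you composed yourself.
"""
import math
import secrets

SAMPLE_WORDS = ["pumpkin", "pie", "zombie", "flesh", "night", "kick", "living", "dead"]
DICEWARE_LIST_SIZE = 7776   # 6**5: one word per five-dice roll
PRINTABLE_ASCII = 94        # symbols a random password can draw from
LOWERCASE = 26


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def wordlist_bits(list_size: int, word_count: int) -> float:
    """Entropy of `word_count` words drawn uniformly from a list of `list_size`."""
    return word_count * math.log2(list_size)


def generate_passphrase(word_count: int, words: list[str] = SAMPLE_WORDS) -> str:
    """Diceware-style passphrase: independent uniform picks from the list."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def fits_limit(passphrase: str, max_chars: int) -> bool:
    """True if a system with a hard character limit accepts the passphrase."""
    return len(passphrase) <= max_chars


def compare_thread_schemes() -> dict[str, float]:
    """Bits of entropy for the schemes posters describe, rounded to 0.1."""
    schemes = {
        # 'what i do' post: 8 lowercase letters per machine + 12-char random stub
        "8 lowercase letters": random_string_bits(LOWERCASE, 8),
        "8 lowercase + 12-char random stub":
            random_string_bits(LOWERCASE, 8) + random_string_bits(PRINTABLE_ASCII, 12),
        # 'sj34##@dj3' is 10 printable characters
        "10 random printable chars": random_string_bits(PRINTABLE_ASCII, 10),
        # Diceware: strong (5 words) vs roughly what fits a 14-char field
        "5 Diceware words": wordlist_bits(DICEWARE_LIST_SIZE, 5),
        "3 Diceware words": wordlist_bits(DICEWARE_LIST_SIZE, 3),
        # 6-word sentence IF each word were a uniform Diceware pick; a
        # sentence you wrote yourself sits far below this upper bound
        "6 words, upper bound": wordlist_bits(DICEWARE_LIST_SIZE, 6),
    }
    return {name: round(bits, 1) for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, bits in compare_thread_schemes().items():
        print(f"{bits:6.1f} bits  {name}")
    phrase = generate_passphrase(5)
    print(f"generated: {phrase!r}, fits 14 chars: {fits_limit(phrase, 14)}")
```

The numbers bear out both posts in part: five Diceware words (64.6 bits) and ten random printable characters (65.5 bits) are close, while three words, the most that reliably fits a 14-character field, drop to 38.8 bits, about the strength of eight random lowercase letters.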
Password change policies (Score:5, Insightful)
The unintended consequence of this policy is instead of users bothering to choose a good quality password and making the effort to remember it, they either write it down and stick it on a post-it to their monitor (!) or they use something as a password that's on a book by their desk (such as a book name + part of its ISBN). The result is that the password is orders of magnitude easier to crack than if they weren't forced to change it as often or faced with a bizarrely complex password policy. And of course, when they change it, all they do is increment or decrement the trailing digit or character anyway.
Then there's password synchronization. On one network at $ORK, the password has to be synced in (a) a Novell netware tree, (b) M Sexchange server, (c) web proxy, (d) Windows domain. There are frequent failures with this synchronization (usually (a), (c) and (d) synchronize fine, but the M Sexchange server doesn't). The only solution is to reset the password, which will resync it on all. It would be much nicer to have a passphrased public/private key pair, and use those to authenticate with everything.
Re:Password change policies (Score:3, Insightful)
1) Tight password rules and users get instructions on how to create good passwords but only need to change say every 6 months.
vs.
2) Real world where passwords must be changed every 30 days but there is little or no emphasis on quality of the password, how they're kept by users, etc.
At the moment someone at work has decided to start reminding people that their password needs to be changed 15 days before it expires on a 30 day
OpenBSD Overkill (Score:2)
So anyway, we locked down the main server and set up an admin-only login server, running OpenBSD. Previously, my password had been (backwards name of a person + two numerals), which
Damn it! (Score:2)
I don't have this problem (Score:2)
It doesn't matter what password you use... (Score:5, Funny)
---
A woman is helping her computer-illiterate husband set up his computer, and tells him that he will now need to choose and enter a password that he wants to use when logging on. The husband, thinking he'll be oh-so-manly, types in the following letters when prompted for his desired password by the computer... m - y - p - e - n - i - s His wife rolls her eyes. Then she nearly falls off her chair howling with laughter when the computer replies: PASSWORD REJECTED. NOT LONG ENOUGH
single sign-on??? (Score:2)
Thinkgeek has something for this.. (Score:3, Interesting)
http://www.thinkgeek.com/gadgets/security/5a60/
Since it comes from thinkgeek, you'll be supporting OSDN, and besides, anything with a self destruct sequence is cool. Really, really cool.
Why not public key? (Score:2)
What about Username Rage? (Score:2)
Sharpfang
Sharpfng
shrpfng
sharp_fang
sharp . fang
sharp-fang
shrpfang
sfang
sharpf
sharpy
sharp
Yahoo claims all of the above are already in use.
Do you believe them?
That's one of the reasons why I stopped using Netscape Mail, my original account name was deleted (supposedly it conflicted with someone when Netscape joined all its services. I really doubt so), and I couldn't come up with anything nearly decent. More and more our usernames start to resemble really good passw
Look out! (Score:2)
Biometrics are hated by real security geeks. (Score:5, Insightful)
Biometrics are essentially useless for over-the-net identity verification because you have no way of knowing whether the equipment on the other end has been tampered with. There might be no retinal scanner there at all -- just software that pretends there is one and feeds you faked up scans. There is also no way to change your retinal scan if it is compromised, so if someone finds a way to get information on your retina, they can thereafter fake your scan over the net with impunity. It isn't like your retina can engage in a public key authentication protocol with the equipment -- the equipment just makes a measurement, which once stolen can be replicated and by definition cannot be easily changed. Ditto for fingerprint scanners or any other biometric measuring instrument.
Also, the quality of biometric authentication, even when the scanners are known good and untampered with, is very questionable. The false positive and negative rates are unacceptably high -- measured in percent, not in hundredths or thousandths of a percent. That might be fine for unlocking the weather report, but is completely unacceptable for authorizing a purchase. Worse still, those false identification rates are unlikely to change.
In short, biometrics are not of any use for over the net authentication. They are only useful in very limited applications, like verifying identity at a door with a guard who makes sure you don't tamper with the equipment, and even then only if the system is verifying your identity based on another mechanism of conveying identity (like an ID badge) rather than attempting to determine who you are based on the scan.
Determining who you are based on the scan has an amazing error rate -- put a fingerprint scanner up on a door to identify rather than to verify an ID card and one in ten people will just walk in by putting their thumb up to it after being falsely identified as a user of the system. If you actually need security, such rates are unacceptable.
Anyway, as I said, serious security people rarely mention biometrics in any context, and never for over the net transactions.
Why, then, do biometrics keep getting press? I'm guessing because if you don't know anything about security, biometrics seem like a sexy idea, and because there are so many startups that have millions of dollars gambled on biometrics and would like people to think that they are going to be of some use in the security world.
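The contrast this post draws, a measurement that can be replayed versus equipment that "can engage in a public key authentication protocol", is the same point the "intelligent USB stick" post earlier in the thread makes from the other side. The block below is an added example, not code from either poster. The USB-key post describes a device holding a private key and signing a challenge; Python's standard library has no public-key primitives, so this uses an HMAC over a secret shared between token and host instead, a named substitution: the secret still never leaves the `Token` object, and the property demonstrated, that a captured challenge/response pair is useless a second time, is the same. The biometric side models the scan as the stored template itself, which is exactly the "measurement that once stolen can be replicated" case described above; the template bytes are constructed.

```python
"""Fresh-challenge authentication versus a replayable biometric scan.

Added example, not from any poster. HMAC over a shared secret stands in
for the private-key signature the USB-key post describes (the standard
library has no public-key primitives); the replay behaviour is the same.
"""
import hashlib
import hmac
import secrets


class Token:
    """The device: holds the secret and only ever emits responses."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Host:
    """Issues one-time random challenges and accepts each at most once."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self._outstanding.add(c)
        return c

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # A challenge not on the list was never issued or was already
        # consumed; both are what a replayed (challenge, response) looks like.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class BiometricDoor:
    """A scanner compares a static measurement against a stored template."""

    def __init__(self, template: bytes) -> None:
        self._template = template

    def verify(self, scan: bytes) -> bool:
        return hmac.compare_digest(self._template, scan)


def replay_outcomes() -> dict[str, bool]:
    """Run a genuine login, a replay and a forgery against both mechanisms."""
    secret = secrets.token_bytes(32)
    token, host = Token(secret), Host(secret)

    c = host.challenge()
    r = token.respond(c)
    genuine = host.verify(c, r)           # real user holding the token
    replayed = host.verify(c, r)          # the same captured pair sent again
    forged = host.verify(host.challenge(), secrets.token_bytes(32))  # no secret

    template = b"constructed-retina-template"   # stands in for the stored scan
    door = BiometricDoor(template)
    bio_genuine = door.verify(template)
    bio_replayed = door.verify(template)  # a copied measurement works every time

    return {"token_genuine": genuine, "token_replay": replayed,
            "token_forged": forged,
            "biometric_genuine": bio_genuine, "biometric_replay": bio_replayed}


if __name__ == "__main__":
    for name, accepted in replay_outcomes().items():
        print(f"{name:18s} accepted={accepted}")
```

The `Host` keeps state per challenge so that each one is accepted once; without that bookkeeping, a fresh random challenge alone would not stop an attacker who captured the pair from presenting it again. The biometric door has no equivalent: there is nothing fresh in the exchange, and nothing to rotate once the template leaks, which is the point the post makes about unchangeable measurements.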
Another professional security geek: I disagree. (Score:3, Informative)
No problem. Do what Citibank's been doing for the last few years; put ATM keypads at each teller window. To authenticate yourself, swipe your ATM card and enter your PIN. Poof. While this isn
Re:Biometrics are hated by real security geeks. (Score:3, Insightful)
That's why biometrics should only be used in an environment with physical security of the client-side hardware (airports, factories, etc. And maybe even ATMs).
However, another critical failure of biometric IDs is that they are yet another form of "security through obscurity". With a good security system, you could recover from a tota
Re:Biometrics are hated by real security geeks. (Score:3, Interesting)
Yes, you're right in saying that it's partially because they are so sexy and that millions of development dollars are going into them...and there is quite a lot at stake. Biometric companies have to make sure that people trust their products for the job at hand, and they're putting their money to that task.
People really do not understand security issues...they seem to think of security as a very basic transaction. If you click the link in my
Biometrics (Score:2)
What kind of "security expert" would recommend fixed, unchangeable biometric "passwords" in place of text passwords? They have their place in some situations, but for general use they're as bad as putting the same password on every account and never changing it even if you know that it's been compromised.
Mac Keychain (Score:3, Insightful)
Anyway, what prompted this was Schneier saying, "Don't let Web browsers store passwords for you." [counterpane.com] Sometimes, the browser is as secure as anything else on your computer, as in the case with Safari + Keychain.
fingerprint, retina scan, access card (Score:3, Interesting)
Three things that would be a nice replacement for passwords in every day life. Of the three, the easiest/nicest would probably have to be access card. We are beginning to use them in the military - our new IDs act as our access card. The biometric data on the card need not be intrusive (certainly less so than military ID cards) for common use. States could standardize on using a common driver's license with a chip on it with no more information stored in it than is on a normal driver's license. This and a single pin number would suffice.
Quicker and/or easier...computers come with a card reader and you can just purchase or get a dedicated access card when you get a new computer/reader. Each card could simply contain some generic, unique data in it that combined with a pin is all you need. If using a standard card/data system then all corporations, schools, etc, could adopt it. One card, or just a few, no more onerous than carrying around several credit cards, insurance cards, etc. The only thing you need to memorize is one or two pins. Tied to public key (no M$ DRM server-type nonsense), best to use PGP/GPG to keep it open and universal, and you are set.
Password Creation Panacea (not really) (Score:3, Informative)
1. Make up a phrase that you will remember - make it fairly long - at least 12 words, e.g:
night of the living dead zombies eat flesh for fun and kicks
2. Pick out key letters. A simple rule is to use just the first letters of each word - you can get more complex by alternating the first and the last letters or some number of letters, like alternating 1st and 3rd letters (on words smaller than 3 letters just use the last letter) etc. We will just use the simple method:
night of the living dead zombies eat flesh for fun and kicks
so we end up with:
notldzefffak
3. Make it even more difficult to break by inserting numbers and special characters in the password. Many password systems are set up to require numbers within passwords - so you may not have a choice in the matter; also, some systems will not let you use special characters - adjust as needed for your local conditions:
notl96dzefff%ak
And there you have it, a password that a normal dictionary lookup will not break - and yet one you can easily remember by recalling the original phrase, and applying your letter picking rule. No need to keep stickies on your computer, or in your desk drawer, or under your desk, or in a book, or in your wallet etc... (you would be amazed where you can find people's passwords just by examining their work area...lol).
Now, get out there and change your passwords!
Good luck!
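The letter-picking and symbol-insertion steps from the post above, as an added Python example (not the commenter's code). The phrase and both results are the post's; the insertion offsets `{4: "96", 10: "%"}` and the policy defaults in `meets_policy` are assumptions read off its sample output, and the "alt13" rule is our reading of the alternating 1st/3rd-letter variant it mentions.

```python
"""Passphrase-to-password derivation as described in the post above.

Added example, not the commenter's code. The phrase and the results
"notldzefffak" / "notl96dzefff%ak" come from the post; the insertion
offsets {4: "96", 10: "%"} are an assumption read off that result.
"""
from typing import Dict

# The 12-word phrase used in the post.
PHRASE = "night of the living dead zombies eat flesh for fun and kicks"


def pick_letters(phrase: str, rule: str = "first") -> str:
    """Take one letter from each word of the phrase.

    rule="first": the first letter of every word (the post's simple method).
    Any other rule: alternate the 1st and 3rd letters of successive words;
    a word shorter than 3 letters contributes its last letter instead
    (our reading of the post's fallback for short words).
    """
    out = []
    for i, word in enumerate(phrase.split()):
        if rule == "first" or i % 2 == 0:
            out.append(word[0])
        elif len(word) >= 3:
            out.append(word[2])
        else:
            out.append(word[-1])
    return "".join(out)


def insert_symbols(base: str, insertions: Dict[int, str]) -> str:
    """Insert digits/special characters before the given offsets of base.

    {4: "96", 10: "%"} means: after the first four letters put "96",
    after the first ten put "%". An offset equal to len(base) appends.
    """
    out = [insertions.get(idx, "") + ch for idx, ch in enumerate(base)]
    out.append(insertions.get(len(base), ""))
    return "".join(out)


def meets_policy(pw: str, min_len: int = 8, digit: bool = True,
                 special: bool = True) -> bool:
    """Check the result against a typical site policy (constructed defaults)."""
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(not c.isalnum() for c in pw)
    return (len(pw) >= min_len and (has_digit or not digit)
            and (has_special or not special))
```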
Apple's Keychain (Score:5, Informative)
Apple has a nice solution to the password problem in their Keychain. The Keychain was originally part of the Mac OS back in 1993 with System 7 Pro, part of the AOCE toolkit. Most of AOCE has been abandoned, but a few pieces survive.
The keychain is basically a small, encrypted database with an accompanying API [apple.com] that software developers can use to store passwords. The keychain itself is locked with one's login password. Basically, when one logs in, the keychain is unlocked, and various applications can retrieve the credentials that were previously written into the keychain.
Apple uses this for storing various passwords for email, file servers, as well as passwords for web sites accessed from Safari. The Camino web browser also uses it. The SSH Agent program stores my passphrase for unlocking my ssh private key.
Using the Keychain application, users can also store secured notes. I use this feature for storing credit card PINs and other things that do not use the Keychain API.
One thing that would be really nice would be if software developers would use the keychain to store their serial numbers. Since I make backups of my keychain, having all my software serial numbers stored in one place would make a system rebuild a lot easier since I would not need to track down and re-enter all my software serial numbers.
Strict password guidelines = easier to crack? (Score:3, Interesting)
Ever hear of Kerberos? (Score:3, Informative)
Passport is a great example of such a system (obviously lacking in implementation, but the idea is great).
RAGE-mania (Score:3, Funny)
There was a story in the local paper here about a guy who woke up and fired his shotgun at a bunch of bass fishermen who zoomed by his camp in their speedboats. He was labeled the guy with "wake rage". I guess in a few months Pfizer will have some pill for this, accompanied by the "It's not your fault - it's a disease and it's treatable" drivel.
Excuse me, I think I may be getting Rage-Rage. Is there a pill for that?
Passwords and e-commerce sites. (Score:4, Insightful)
I admit that I know nothing about business, but it seems clear to me one of the primary goals should be to make it as easy as possible to separate willing customers from their money. If people want to give you money, don't make them jump through hoops.
For example, an alarming number of sites I've visited require me to create an account to buy something. This is a turn-off.
For a first-time shopper who may never visit your site again, it's an extra, unnecessary step.
An account implies that my name, address, telephone number, email address, and credit card number are stored on file. No thanks.
Creating an account means I have to supply a password. This means that I either make up a new password (which I will need to remember but won't should I ever return), or I re-use a password I've used elsewhere. In other words, that's either one more password I need to remember or one more place where someone can steal it.
I have no evidence of this, but I suspect at least 90% of people re-use passwords. As a consequence, I must ask myself: do I trust your site with my password? (It suddenly strikes me as odd that I would trust a site with my credit card number but not my password, but I do.) Even if the answer is yes, that's one more decision the customer who has already decided to buy something from you has to make; that's one more point where the customer can change his/her mind.
Please, don't require accounts. Provide them as a convenience to repeat customers, but don't make them a barrier to first-timers. Make the first-timers happy, build up trust, and they'll be more likely to come back.
(If you do use accounts, it would be reassuring to know if your site hashes or encrypts passwords before storing them.)
Re:Don't forget the admins.... (Score:2)
You don't, by any chance, insist that all passwords consist of a minimum of 27 characters, of which no more than 17 may be alphabetic (but those are case-sensitive) and 40% of the non-alphabetic characters must be punctuation rather than digits, and then make them change to a different hard-to-remember password every five minutes, do you? ;-)
Re:Don't forget the admins.... (Score:5, Funny)
User: I can't log in!
Tech: Your biometric data's become corrupted, we'll have to resample it
Tech pulls out meat cleaver
Tech: Now, are you left- or right-handed?
Re:passwords are easy to remember with this trick (Score:3, Insightful)