Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security

Enforcing Crytographically Strong Passwords 429

Saqib Ali writes "The WebAppSec mailing list at SecurityFocus is currently having an interesting discussion on how to force users to use cryptographically strong passwords. The original poster suggested displaying a list of randomly generated password for the user to choose from. Two issues pointed with this concept, were Shoulder surfing and the fact that a bunch of randomly generated passwords are hard to remember. A counter proposal was to use pronounceable but randomly generated password. A full summary of this discussion is available. Any thoughts from slashdotters?"
This discussion has been archived. No new comments can be posted.

Enforcing Crytographically Strong Passwords

Comments Filter:
  • by account_deleted ( 4530225 ) on Sunday April 24, 2005 @05:30AM (#12327943)
    Comment removed based on user account deletion
  • by markh1967 ( 315861 ) on Sunday April 24, 2005 @05:32AM (#12327950)
    We faced the same problem when generating random passwords for users and decided that the best method was to generate two short (4-6 characters) english words with a number at the end. This creates passwords such as swimeasy12, turnright62, sidedoor81, etc. These proved to be very easy to rememeber and we only had one complaint: A secretary had her random password set to fatgirl13 and was really not happy, even after we expained the random process.
    • by Anonymous Coward

      Interesting.

      On an unrelated note, where do you work?

    • by imsabbel ( 611519 ) on Sunday April 24, 2005 @05:44AM (#12327988)
      The problem is that this is even LESS secure than than just no convention.
      Sure, you get rid of idiots using "password" or something, but brute forcing all combinations of 2 4-6 letter english words plus 2 digits is rediciously easy...
      • by Anonymous Coward on Sunday April 24, 2005 @05:51AM (#12328008)

        but brute forcing all combinations of 2 4-6 letter english words plus 2 digits is rediciously easy...

        Perhaps, but if he gets you to spell the words for him, the dictionary attack won't work.
      • I find that it's easy to remember passwords if you take a sentence and use the first letters of the words, and any numbers as the digits themselves.

        ie: one man takes two steps down the hall: 1mt2sdth
      • by EmbeddedJanitor ( 597831 ) on Sunday April 24, 2005 @06:52AM (#12328160)
        No wonder people write down their passwords on postit notes stuck on their monitors.
      • Actually, password12 is a completely possible password using their scheme.
      • by 1u3hr ( 530656 ) on Sunday April 24, 2005 @07:35AM (#12328266)
        but brute forcing all combinations of 2 4-6 letter english words plus 2 digits is rediciously easy...

        Easy, but still much better than the usual girl's name/birthday style. Consider there are at least 10.000 words in the average person's vocabulary. So two words gives you 100 million possible passwords, add two digits and you have 10 billion. Actually, this is the system I personally use, I feel comfortable with it. It's not invulnerable but safer than most.

        • 10 billion won't take long to crack, though. Someone could easily pre-generate the hashed password list so they're just doing a bunch of string comparisons later. Also, PCs are pretty cheap, and it would be trivial for someone to cluster 10 or so machines together to parallelize the cracking process.

          Anyway, with a random combination of letters and numbers (including shifted values), you can get over 139 billion combinations with just 6 characters, and over 722 trillion with 8 characters. 10 characters give
    • A good password must:
      1. Be at least 8 characters long.
      2. Contain lowercase and uppercase letters.
      3. Contain numbers.
      4. Contain no dictionary words.
      5. Contain non-alpabatical characters. ....
      2943768. Only one password satisfies all the rules above, so it also can't be used.
  • "Force"? (Score:5, Interesting)

    by chrysrobyn ( 106763 ) on Sunday April 24, 2005 @05:33AM (#12327952)

    I'm just a *nix and Windows luser. After struggling with tens of passwords for years, keeping them (relatively) secure, difficult to guess, etc., my employer is starting to press hard on even more regulations and ended up changing my password cycles. I can't keep up any more. I've had to get passwords reset monthly for about 6 months so far because I get locked out due to bad password entries. I just had to ask for advice on keeping them straight.

    Per advice, I have begun to keep a plaintext file on my desktop computer with all my passwords in it and when they expire. My corporate IT guidelines are too secure for me, a legit user. So, I'll have to compromise security in order to comply with guidelines.

    • Re:"Force"? (Score:5, Insightful)

      by sfcat ( 872532 ) on Sunday April 24, 2005 @06:02AM (#12328034)
      Per advice, I have begun to keep a plaintext file on my desktop computer with all my passwords in it and when they expire. My corporate IT guidelines are too secure for me, a legit user. So, I'll have to compromise security in order to comply with guidelines.

      First mistake, having an IT policy that forces users to remember dozens of passwords. Second mistake, telling a user to put their passwords in a plaintext file on the desktop. Third mistake, posting that fact on /. without posting as AC.

      I'm not making fun of you, but I feel for those admin b/c nobody would make such a policy unless forced by the higher ups.

      Security is based upon three types of authorization: 1) something you know (password) 2) something you are (biometrics) 3) something you have 3) a key of sometype. Assuming that security is this important to your org, maybe you should get some type of thumb drive with a security credential and then you could use weak passwords safely. Or biometric fingerprint ids (now available from IBM) plus weak passwords. But the policy your network has in place is probably weaker (b/c I'll bet many people have these plaintext files) than a much slower password cycle.

      • A USB thumb drive key thing that goes into USB ports, which I believe most computers pretty much have.

        Additionally, start building keyboards with biometric fingerprint pads you could use.

        The USB thumb drive key thing would have a list of all of one's passwords. But to unlock it, it would not only require your fingerprints (biometrics), but it would also require let's say an 8 to 16 character typed password when attempting to unlock it.

        This way, it's as simple as plugging the USB thumb drive key thing int
    • Get a palm pilot and download a copy of YAPS [msbsoftware.ch] (Yet Another Password Safe). Create a very strong password that you don't change. Nobody can snoop or keylog your login (without installing to it), because it is happening on a palm pilot. I recommend using a random series of letters that you can recreate by dragging the pen across the keyboard. My password is over 30 characters long, and enterable in about 2 seconds.

      Keep all of your passwords in YAPS. Whenever you need to login, you can look back at YAPS.
    • This is exactly right. Most models of good password creation ignore the problem of good password handling, and security gets massively compromised.

      I find that using SSH keys wherever possible, with the local accounts actually having their passwords locked and forced to use SSH keys, works quite well. The trick then is to force the user to passphrase the SSH key, which is helped by using tools like keychain that allow them to use the password once and use it anywhere.

      Kerberos has a similar approach but req
    • Per advice, I have begun to keep a plaintext file on my desktop computer with all my passwords in it and when they expire. My corporate IT guidelines are too secure for me, a legit user.

      A common problem. One pet peeve of mine is expiring passwords. There are some good arguments for having them: a compromised password will only work for a certain amount of time (unless the hacker changes it), and if passwords do not change very often, a brute force attack will have more time to find a valid password. H

  • Don't (Score:4, Insightful)

    by kristopher ( 723047 ) <gedekran@gmail.com> on Sunday April 24, 2005 @05:34AM (#12327956) Homepage
    Yes, I have a suggestion. Don't force people to use stronger passwords. If they choose to use a weak one then when it is cracked, that'll be their fault. In either case, how many of us actually have to worry about someone breaking our passwords?
    The whole point of passwords are to deter regular joe from from gaining access. Yet anyone with enough time and commitment can and will break any password or encryption method ever created.
  • I always use one word, or more shorter words cat together, or a word+number, and so on, but all of them written in l33t. This, combined with an occasional small/caps letters IMO is a good way. You avoid dictionary words, but still can think out stuff you can remember easily. Then again "easily" is not the same for everyone. My ones are usually quite scrambled pieces, but I never had trouble memorizing them (around 10 different, used for dozens of places, boxes, sites, servers, etc.).

  • password (Score:5, Funny)

    by DarkHelmet ( 120004 ) * <<ten.elcychtneves> <ta> <kram>> on Sunday April 24, 2005 @05:36AM (#12327960) Homepage
    from the nd3knsdkh238979103dsw dept

    Stop posting my password on Slashdot, Zonk!

  • And that is to hire a bunch of Goons to threaten to break the users kneecaps if they don't , short of that nothing will change the way the average user will choose passwords.
    People like the easy life , and they hate passwords they can never remember(think they can never remember).
    Pass-ages would be better like for example "This is Grettas house , it has 100 cats in it. They like milk and beer and when you stroke them they go "Meow"
    Easy to remember , though a tad long .
  • Single Sign On (Score:4, Interesting)

    by SnapShot ( 171582 ) on Sunday April 24, 2005 @05:39AM (#12327974)
    Either use single sign on or an honest assessment of whether or not every f-ing application and web site in the intranet needs it's own f-ing password. Some things are just not so important that they need a password especially if they are already relatively safe within the corporate intranet.

    To use the example above, I'd be more than willing to think up and use a long, randomized password if it was the only one I had to remember to do my job and I only had to change it once every 90 days or so.
    • Mod parent up (Score:3, Informative)

      by Colin Smith ( 2679 )
      Single sign on and single login are very important if you are going to attempt to enforce strong passwords. People will simply write their multiple strong passwords down along with helpful hints on what they are for.

      The corollary of this is that if you do have single sign on and/or single login then you should be enforcing strong passwords as a weak password provides access to everything.

      BTW, at the moment, the closest thing to single sign on is Kerberos.

  • Use Password Safe (Score:2, Interesting)

    by kotku ( 249450 )
    I use password safe [sourceforge.net] to keep all my passwords. I used to have password overload and ended up using the same password for tons of sites. I eventually came to the decision this was a really dumb idea and shopped around for a solution. Now I just use password safe to generate proper random passwords for all my web sites and accounts. All you have to remember is one master password.

    The only problem is that it is not very portable in that if I am not on my own computer I don't have access to the password data ba
  • random passwords (Score:4, Insightful)

    by janek78 ( 861508 ) on Sunday April 24, 2005 @05:40AM (#12327978) Homepage
    For the more important stuff (like my credit card details) I use a random generated password 10 characters long, mixing normal letters, capitals and numbers. But if I had to use several of these, I would have to start writing them down (I am in my mid twenties, recently graduated from a medical school, so I like to think my memory is quite good).

    Forcing an average user to use a difficult random password is like asking them to write it down on their monitor (I've seen this done more often than I can remember - and don't forget my memory is good :)

    Wouldn't a non-random but still difficult to guess password be more secure?

    Using the method mentioned in the article (e.g. t7p4i0t1 for combining a phrase a and a number) is OK until you are forced to change the password too often. Was it "pearl in the river" and my birthay or was that last time and now it is "lorem ipsum dolor" and my wife's birthday?

    Seems to me that forcing too secure passwords unto yours users is bound to be insecure in the end.
  • Won't work (Score:4, Insightful)

    by m50d ( 797211 ) on Sunday April 24, 2005 @05:41AM (#12327979) Homepage Journal
    If you make passwords the users can't remember they will just write them down. If they're pronounceable that helps, but only so much. Lists like this help, but ultimately you just have to tell your users to use the best passwords they can and hope that's good enough. Making them use passwords too "secure" will hurt you more.
    • Re:Won't work (Score:3, Insightful)

      by Jesus_666 ( 702802 )
      1.) Turn the workstations into a cluster every night
      2.) Use the cluster to attack the users' passwords
      3.) Bing! You've got a way to isolate the users with insecure passwords without annoying everyone else by bugging them about their (already secure) passwords. After one or two talks about how to create strong but memorizable passwords most users should get the trick
      4.) Set modest password lifetimes. Every user may provide his/her own password, but after 90 or so days the password will be (temporarily?) a
  • by SilverSun ( 114725 ) on Sunday April 24, 2005 @05:44AM (#12327989) Homepage
    I thought this discussion is long over. Everybode knows that there are two possible solutions to theis problem.

    A) Either use a passsentence instead of just a word, most modern systems allow for rather long passwords. Since the sentence makes sense it is easy to remember. Since the sentence has many characters, it is pretty hard to crack with current tools. Dictionary tools may change this, put place a few strange names or made-up words in the sentence and you are much saver as any 8 char password today.

    B) If stuck with old systems, I usually recommend the secretaries to write their passwords down. YES! Comparing the risk that one of the ~250 daily stupid attemps to guess passwords from random idiots succeeds is MUCH larger if people are told to remember their passwords. They'll automatically choose simple ones. I guess about two or three passwords in our own system per week. If they choose a very complicated passwd and write it down, then an attacker needs to be physically in the office to steel it. If the guy is physically in the secretaries office, he has no problem getting everywehere anyway and we have much bigger problems.

    Cheers
    • "...use a passsentence instead of just a word..."

      I propose a library which automatically selects a pass-sentence randomly from an unreferenced disk sector. The calling program presents this sentence to the user and gets him/her/it to type the first character of each word of the sentence. If he/she/it gets it right, that is their new password, and the program calls erase_sentence() to overwrite the sentence in the unreferenced disk sector with zeroes.

      int find_sentence() : Read a random sentence on the unre
    • My experience with pass-sentences is that even a moderately long pass-sentence is difficult to type error-free, blind, more than 30-40% of the time.
  • Advice (Score:4, Insightful)

    by datajack ( 17285 ) on Sunday April 24, 2005 @05:44AM (#12327990)
    AFAIK, the current thinking among those to have to enforce strict security is to use phrases
    Most modern password systems allow an almost arbitrary length password, and randomly generated passwords are not working - people simply write them down in order to remember them.

    Take a phrase that is meaningful to the user, say, 'My car is a red Ford' and add some simpleobfuscation 'My c@r is a red-F0rd!', and you have a phrase that is not only easy to remember, but is going to take a lot of effort to brute-force.
  • People can invent stories to go with even totally random strings of uncommon words, like what you get from http://www.diceware.com.

    I keep wanting to write a variant on Diceware that builds grammatical sentences by taking a valid syntax and plugging in random verbs, nouns and adjectives in the right places.
  • My technique. (Score:5, Interesting)

    by Heem ( 448667 ) on Sunday April 24, 2005 @05:49AM (#12328003) Homepage Journal
    I like to pick a pattern on the keyboard, and then use that, alternating shift. If you were to ask me what my password is, I really wouldnt know unless I'm sitting at the keyboard.

    Now, this is NOT my password, but it may have been at some point, but for example :LKPOI)(*890iopkl;

    As you can see, that password would be difficult to guess and crack, since it contains number, symbols, upper and lower case, 18 characters, and has no dictionary words in it.

    Try and type that password and you'll see how easy it is to remember.
  • Two suggestions (Score:3, Informative)

    by BillsPetMonkey ( 654200 ) on Sunday April 24, 2005 @05:50AM (#12328005)
    1. Wasn't there a thread about two factor authentication replacing passwords a short while back?

    2. Microsoft Research came up with an inkblot authentication scheme [microsoft.com] which appears to have solved this problem.
    • mod parent up informative !

      That's a very cunning thing, really - and I'm no Microsoft fan, but I must admit that's really good R&D. I'd use their system anyday if I could.

  • by tomstdenis ( 446163 ) <{moc.liamg} {ta} {sinedtsmot}> on Sunday April 24, 2005 @05:51AM (#12328007) Homepage
    Mag strips!

    Put 32 random bytes on a magstrip and hand it to your user. Oh but Tom, what if they lose the card or it's stolen? Yeah simple plan for that.

    USER: "Yeah hello sysadmin? I lost my card."

    ADMIN: "Ok. Your account has been temporarily deactivated please pick up a new card."

    If you're a company/group/etc that is worried about security you can afford a keyboard with a magstrip reader (they're not that expensive).

    Tom
    • I use mag strips where I work. For a while, I tried to enforce it on everyone, but now I only enforce it on people with any kinds of admin privledges.

      People will always report a loss immediately, because they cannot log into a computer and cannot clock in, and hence cannot get paid without it.

      The problem with the regular users was they would lose it constantly, forcing me to issue several cards every day, and it just got to be too much hassle when they have generic system privledges anyways.

      I wanted to
  • Cut n Paste! (Score:3, Interesting)

    by Amoeba ( 55277 ) on Sunday April 24, 2005 @05:51AM (#12328011)
    This subject comes up a lot. It's been on /. in various forms in the past. In fact, I think I'll just cut n paste a previous comment of mine :)

    ----

    I'm sure I'm not the only one who occassionally uses keyboard patterns for passwords. I'm not talking qwertyuiop or asdfg (obvious, no randomization/separation of key sequences) but things like !@()ZX>? or QW./>?wq

    Hell, half the time I remember friend's phone numbers by the way you punch in the numbers. Sometimes when asked what a number is I'll even do the "phantom phone dial finger wiggle" so I can recite the damned thing.

    Looking at the above example it appears to be a password which follows the "strong password" methodology but have there been any studies on the effectiveness of using such a method? I know there are dictionary-based attacks which have some of the obvious patterns (qwerty, poiuy etc) but is such a method random *enough* to be feasible?

    It seems to me that it would be much easier to train users to use a muscle-memory-like password than picking some word out of their ass. The human brain has one seriously developed pattern recognition/matching capability... why not use it?
  • Tactile memory (Score:2, Interesting)

    My passwords are typically 10-12 characters (a-z,A-Z,0-9) long randomly generated strings. I don't learn or remember them in the sense that I could write them on paper or spell them out. Instead, my fingers learn them. Each password has a specific feel, rhythm or a sequence of finger movements to it and as long as I can remember which sequence belonged to which account, there's no problem.
  • The best password is gibberish! [igo-incognito.com]

    To paraphrase: pick a simple phrase that is silly, such as "green fruit stink" or "toadies are easy". Further "...a longer passphrase of a limited character set is stronger than a shorter passphrase of a larger character set...".

    Its secure, easy to remember and robust against dictionary attacks. Just takes a little longer to type. And if you are using old LM on NT where only the first 8 letters are used and this is useless, you deserve everything you get.

  • here's a start... (Score:3, Insightful)

    by jxyama ( 821091 ) on Sunday April 24, 2005 @06:00AM (#12328023)
    ...stop "forcing" periodic password updates. in doing so, more people are likely to develop bad habits, i.e. sequencing their "secure" password or recycling between several "secure" passwords since they can't invent/remember "secure" password every N days.

    isn't it about time we realize that if users do things like sequencing or recycling, the password is no more secure than if users were allowed to keep using the same original "secure" password to begin with?

  • I find that test/test works fine for my root login...
  • Forget passwords. (Score:5, Informative)

    by ezzzD55J ( 697465 ) <slashdot5@scum.org> on Sunday April 24, 2005 @06:09AM (#12328061) Homepage
    Ask Bruce Schneier. From his latest Crypto-Gram [schneier.com]:
    Passwords just don't work anymore. As computers have gotten faster, password guessing has gotten easier. Ever-more-complicated passwords are required to evade password-guessing software. At the same time, there's an upper limit to how complex a password users can be expected to remember. About five years ago, these two lines crossed: It is no longer reasonable to expect users to have passwords that can't be guessed. For anything that requires reasonable security, the era of passwords is over.
    • Actually, as someone mentioned, biometrics. Here's an idea, but do you think it would work?

      USB thumb drive key, since most computers seem to have a USB port. It would store a list of passwords, and the passwords could be incredibly complex, like a kilobyte for a single password.

      Next, we need to encourage keyboard makers to make a biometric fingerprint ID thing on them.

      To unlock the USb thumb drive key thing, just use your fingerprint in combination with an 8 character password. Now, is a fingerprint comp
      • Hell, just remove passwords completely. Just let the device store your RSA private key or something and authenticate using that. Or even easier, have it store your Diffie-Hellman private key, and use the agreed key to encrypt your connection to the sites.

        Even without the biometric ID on it, it's still secure, at least as much as ATM cards. They only requiere a card and a 4 digit pin.
    • I'm getting a bit tied of Schneier. Its easy to be a critic and say everything is insecure. You always know what he's going to say. In fact I've noticed:

      Schneier just don't work anymore. As computers have gotten faster, Schneier guessing has gotten easier. Ever-more-complicated Schneier are required to evade Schneier-guessing software. At the same time, there's an upper limit to how complex a Schneier users can be expected to remember. About five years ago, these two lines crossed: It is no longer reas

  • Are there any projects / discussions regarding password expirations linked to password complexities?

    If I chose a password of "random", the computer could reject it and now allow me to use it.

    If I chose a password of "r4nd0m11" it may allow me to use it for a month due to it being complex.

    If a chose a password of "1tst00b4dth4t1c4ntyp3l33tsp3aks0w311", it may allow me to use it for 3 months.

    All of this could be controlled by a policy created/configured by the system administrator and could include things
  • Password Overload (Score:5, Insightful)

    by SoupIsGood Food ( 1179 ) on Sunday April 24, 2005 @06:25AM (#12328098)
    Weak passwords are a reality. In my current job, I've got eleven different systems that require a password. If you think I'm going to selct and memorize a cryptograhically correct password for each and every one of them every three months when the passwords are set to expire, you're insane.

    The more important and sensitive systems get strong passwords. The web-based tool I use to diagnore hardware issues in equipment that isn't even online? It gets something easy to remember.

    For non-technical users, the situation is worse. If you get too psychotic in your password policies, they're just going to write them down on a post-it they stick to the underside of their mousepad if they're bing circumspect, and right to the monitor if they're not.

    If you're dumb enough to run a system so braindamaged that it allows brute-force attacks and so insecure that running a decrypt on a password file gives the bad guys the keys to your palace, you need a strong password policy. You will also deserve to be mocked when a soceng hack allows someone into the building to look closely at any monitors bearing post-it notes.

    Password security is the last refuge of the incompetent sysadmin or web developer. Careful separation of user roles and discouraging escalation of priveleges is more important than someone using gpe~9u?bi4 as their password for this week.

    SoupIsGood Food
  • In a lot of cases, cryptographically strong passwords are not really required.

    It's always amused me that online access to my credit card account requires an unmemorable 8 digit number, a username and a password. However, the *worst* thing anyone gaining access to that account could do (apart from see how I've been spending my money) is to pay my bills for me. I really don't think much protection is required to stop people doing that.

    Most of the things that I might reasonably want to protect are in my hous
    • However, the *worst* thing anyone gaining access to that account could do (apart from see how I've been spending my money) is to pay my bills for me.

      And what exactly is stopping them from paying a bill to their own account?

  • by mmThe1 ( 213136 ) on Sunday April 24, 2005 @06:34AM (#12328121) Homepage
    I still say that using one's spouse's name as the password is best.

    If you think it's a weak policy for your organization, then your employees aren't changing their spouses fast enough....
  • One way for computer-generated strong password to be used is to have the computer generate maybe 5 - and have the user select the one he (ok - or she) finds most appealing.

    For what it's worth, after you are assigned passwords on a few systems this way, it can be almost impossible to keep them straight in your head. If you're only dealing with users with accounts on one system - this isn't too bad.

    Other options include things like (radius?)server systems - where you carry a dongle around which always spit
  • The best (only good) thing about AOL is the charming combination of random words they print on the back of their trial CDs for activation.

    TYPE-BORDER anyone?

  • Just use RSA SecurID and forget about it. Only problem is changing codes every thirty seconds is just too much time. I mean I can almost get all 20 numbers in just before it changes. Thats way too convenient.
  • Mnemonics (Score:3, Interesting)

    by spikesahead ( 111032 ) on Sunday April 24, 2005 @06:49AM (#12328153)
    Here's a little trick I've been using recently, I don't remember a password, I remember a phrase. Such as Ten and twenty blackbirds baked in a pie, boiled down to create 10&20bbb1@p. It looks pretty random to the average person, but a lot easier to remember than pure randomness.

    Perhaps instead of offering people simply randomly generated numbers and letters, or even pronounceable versions thereof, why not offer a variety of phrases along with the resulting hash after filtering it through 'leet' speek?

    By the way, I did not RTFA, so I apologize if this is -1 Redundant
  • The method I use (Score:2, Interesting)

    As an SF fan I just make up some race.
    ex: Kanarian
    Then add a few touches to "alien it up a bit"
    ex: !K@N@rI@n!
    Then when I need to change the password, I just make up a member to the race, and do the same changes to it.
    ex: !B@ThooS@n!
    Fairly easy to remember, and doesn't matter if the names are stupid, nobody's supposed to see them anyway.
  • Profanity! (Score:4, Interesting)

    by word_virus ( 838778 ) on Sunday April 24, 2005 @07:23AM (#12328230)
    I always recommend users consider a password comprised largely of profanity. This has proven to have several benefits: 1. It's makes passwords "sticky" and easier to remember, so you can make them arbitrarily long. It's easy for your password to be 1Mg\/\/v when it stands for "lick my gibbering whale vulva." 2. Because these passwords are potentially embarassing, users are much less likely to write them down in any conspicuous place (like the sticky note on the monitor). 3. An additional benefit of the embarassment factor, users are less likely to give their password out to others, thus protecting against social engineering attacks.
    • Re:Profanity! (Score:3, Interesting)

      by jc42 ( 318812 )
      a password comprised largely of profanity

      Some years back, I saw a fun example of the benefits of this. I worked in the computer center of a large university, where there was a big Univac mainframe used by many departments for heavy number crunching. One thing rather dubious about its security was that every file could have a pair of read/write passwords - and the admins could get a printout showing "rpwd/wpwd filename" for any user's files.

      The head of the computer center (let's call him "Bolton" to prot
  • Discover VMS (Score:3, Insightful)

    by pesc ( 147035 ) on Sunday April 24, 2005 @07:36AM (#12328269)
    The could look at VMS which has the command SET PASSWORD/GENERATE [hp.com].
    It works like this:
    $ set pass/gen
    Old password:

    marboake
    lumining
    olverag
    etreate
    detiteck

    Choose a password from this list, or press RETURN to get a new list
    New password:
    This has been in VMS since the mid 80-ies. The sysadmin can also mandate SET PASS/GEN and set a maximum password lifetime (after which the user has to set a new password before logging in).

    This concept could be easily modernized with non-alphabetical characters and longer passwords.
  • Let a machine within your premisses generate and issue certificates every so much time. Stop bothering people with these tasks. When more than one person needs to work on a certain machine then issue a certificate on a chip card and have people renew them once per xxx time by having them insert that card in a special issuer machine(s).
  • by grahamlee ( 522375 ) <grahamNO@SPAMiamleeg.com> on Sunday April 24, 2005 @07:45AM (#12328294) Homepage Journal
    That's such a good idea, it's already been done. One example is:

    Password Helper
    Use the Password Helper panel to pick a secure password.

    From mac os X 10.4.
  • by cahiha ( 873942 ) on Sunday April 24, 2005 @07:46AM (#12328301)
    "Cryptographically strong" refers to properties of functions (usually one-way functions) and makes a statement about how difficult certain computations involving them; it has nothing to do with the quality of passwords.

    You can try to force users to use "strong passwords" or "good passwords", but passwords can't be "cryptographically strong".
  • Okay. I'm a Security Engineer by day. I've seen a lot of ways to come up with strong passwords, but one of my favorite methods to come up with relatively strong passwords that are unlikely to be shared. Try the following algorithm...

    1. Come up with a phrase that is meaningful only to you -- not a quote from a book or movie. For example, lets say that your first dog's name was Samael and that you have never told anyone that you thought Samael was a reincarnation the infamous hell-hound Kerberos. Yes, h
  • Comment removed based on user account deletion
  • I can't see why cryptographers and security experts attempts, again and again, to higher the number of significant bits per character in passwords for humans, while human language naturally has a high redundancy. Why force people to remember random garbage like /56Ss4.,&XXy when they will just write it down? Why not allow humans to use human language?

    If I remember correctly, human language has about two bits of information per character at average. So if you want a cryptographically strong 128bit passw
  • Studies have shown that when you FORCE joe user to use a random alpha numeric with special charachters password and in some places change it every 90 days requiring that it be different by 3 charachters you get the following.

    1. Stickies with passwords attached to monitors, underneath keyboards ect...

    2. The SAME password used everywhere (web, work..ect..).

    Passwords have finally reached the end of their life. Smart Cards, SecurID's....biometric are a MUCH better choice.
  • maybe taken from a comedy, or a series of names of people in a certain order, or perhaps a quotation from a movie.
    of course this won't have to be repeated every few minutes, but could work as a "master password" to unlock all the other password a user need.
    in cases where only short passwords can be used, let the computer chose one, and save it into the password keyring.

    just my .2 eurocents
  • If you have a process that locks an account when it is not logged into sucessfully more than n times.

    The arguement for having strong passwords almost always goes: "There are 200,000 words in the english language. A computer can test all of those words within seconds: Therefore it is necessary to have strong passwords."

    Then we get recommendations on how to make a password secure (and yet, it's not to use a secure ID token with it). To avoid a brute force attack make the minimum size of passwords over 7.
  • I work for a large ISP, and if I log into one of our authentication servers and run something like this:

    SELECT COUNT(*) AS numof, password FROM users GROUP BY password ORDER BY numof DESC LIMIT 100 ...to get our top 100 passwords, you tend to find that the most popular password (letmein) is used by about 5% of the users.

    The rest of the top 100 are mostly kids or pets names or soccer teams. The most prominent are ones like 'harry', 'katie', 'arsenal', 'david' or, one of the all-time l8m3r passwords like 'c
  • If people could use sentences instead of words, dictionary attacks would become obsolete.

    Like with PGP.

    Just require a minimum number of blanks and a minimum number of characters to assure that a sentence-like construction is being used.
  • by wk633 ( 442820 ) on Sunday April 24, 2005 @11:05AM (#12329347)
    They can be written down.

    The same password can be used on a secure system, and some trojan web site.

    They can be collected with keyloggers.

    They can be told to other people.

    They are less memorable, which means more password resets. Password resets will always be a weak point in the system.

    For high security AND a large number of users, you HAVE to have two factor authentication.

  • by erth64net ( 47842 ) on Sunday April 24, 2005 @11:46AM (#12329643) Homepage
    Strong passwords will be a necessary evil for the forseeable future. How many phones, public/coffee terminals, and home computers have biometric authentication gadgets? How many of these gimicks work together? My users need the ability to access nearly everything on our systems, from anywhere. This includes our WAP portal, email from their phone, our various web-apps, SSH/terminal servers, and their IMAP/SMTP email clients. How many of these systems could even possibly function with anything but passwords. Take the IMAP/SMTP system for example, how would you tie biometic authentication into standard SMTP AUTH? How about a web app - how is a fingerprint entered there? Or consider our WAP gateway, how are users going to enter a fingerprint on their phones?

    We cant just mandate users access our systems from "approved" sources - that flys in the face of what management is asking for: A system accessible anywhere, with reasonable security percautions in effect.

    Though centralized authentiation schemes like LDAP are working well for us, "legacy systems" (ie: accounting, payroll, and factory/inventory management) dont integrate with central authentication systems. Meaning that's yet another password to remember...

    With users accessing our systems from so many sources, strong and frequently changed (90-180 days) passwords are a necessity. Though they need the ability to save them:
    1) How important is the data in your wallet/purse. Why not just write the passwords down, store them in your wallet/purse, and then manage that. After-all, if your wallet/purse has been stolen or rumaged through, there's a good chance you'll know.
    2) Consider this two-factor authentication system:
    Something you have: cell phone
    Something you know: password to program

    How many folks now have MIDP/Java enabled phones. Why not provide them with an app to securely save their passwords on their phone? With a tool like FreeSafe [sourceforge.net] They could not only store all their passwords on their cell phone, they can generate both random new passwords, and One Time Password hashes.

    Now if FreeSafe could only store notes, and have some sort of backup capability (which the developer says he's working on)...

"If value corrupts then absolute value corrupts absolutely."

Working...