Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Security

Password Security: Why the Horse Battery Staple Is Not Correct 549

First time accepted submitter Dadoo writes By now, everyone who reads Slashdot regularly has seen the XKCD comic discussing how to choose a more secure password, but at least one security researcher rejects that theory, asserting that password managers are the most important technology people can use to keep their accounts safe. He says, "In this post, I'm going to make the following arguments: 1) Choosing a password should be something you do very infrequently. 2) Our focus should be on protecting passwords against informed statistical attacks and not brute-force attacks. 3) When you do have to choose a password, one of the most important selection criteria should be how many other people have also chosen that same password. 4) One of the most impactful things that we can do as a security community is to change password strength meters and disallow the use of common passwords."
This discussion has been archived. No new comments can be posted.

Password Security: Why the Horse Battery Staple Is Not Correct

Comments Filter:
  • Oh great (Score:5, Interesting)

    by Falos ( 2905315 ) on Monday October 13, 2014 @03:36PM (#48134191)
    > asserting that a single point of ultimate failure is the most important technology
    Yeah, it's important all right. Critical, even.

    We're being awfully slow about teaching people to adopt passphrases. Simple, no number no symbol nonsense.

    "rrrybgdts" is a nursery rhyme. It doesn't even have to be written on a sticky.
    • by Anonymous Coward

      Yes please force increased security requirements. I love having upper, lower, minimum length, numbers, punctuation, and a fecal sample all in a password for one of the billion websites that require accounts.

    • Re: (Score:2, Interesting)

      by rwa2 ( 4391 ) *

      This. Yes, merely changing the word "password" to "passphrase" already gets people to use better options.

      And for all of the silly ways to come up with half-decent passphrases that are both easy to remember and hard to attack with both dictionary and brute-force attacks, I like the nursery rhyme / song lyric approach. So think of some poetry you like, and assemble your passphrase from bits and pieces of it like so:

      "Love is beautiful, like birds that sing.
      Love is not ugly, like rats in a puddle of vomit."

      • Re:Oh great (Score:4, Insightful)

        by BradMajors ( 995624 ) on Monday October 13, 2014 @03:50PM (#48134329)

        "Love is beautiful, like birds that sing." is more secure than "Lib,lbts". Why are you making your password less secure?

        • Re: (Score:2, Informative)

          by Anonymous Coward

          In theory it is, but in practice "Love is beautiful, like birds that sing." is more likely to show up in a dictionary attack than a random string of gibberish. Just because it's nearly impossible to brute force doesn't mean it's necessarily a good password. Popular pharses, lyrics, Bible verses, etc can be substituted in a guessing algorithm just like using "$" instead of "S". Here's an interesting article about some of that:
          http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-you

          • Re:Oh great (Score:5, Interesting)

            by roc97007 ( 608802 ) on Monday October 13, 2014 @04:50PM (#48134993) Journal

            In theory it is, but in practice "Love is beautiful, like birds that sing." is more likely to show up in a dictionary attack than a random string of gibberish. Just because it's nearly impossible to brute force doesn't mean it's necessarily a good password. Popular pharses, lyrics, Bible verses, etc can be substituted in a guessing algorithm just like using "$" instead of "S". Here's an interesting article about some of that:
            http://arstechnica.com/securit... [arstechnica.com]

            Perhaps, but I think that's why the xkcd comic stipulated four random words. It's the human mind's ability to see patterns or visualizations in words ("It's a battery staple!" "Correct!") that makes such phrases easy to remember.

            I agree that common phrases may not be good choices. But I'm pretty sure that "gopher banana rim plunger" would be fairly immune to attack, although perhaps unpleasant to visualize.

          • In theory it is, but in practice "Love is beautiful, like birds that sing." is more likely to show up in a dictionary attack than a random string of gibberish.

            Since the suggested alternative was to use the first letter from each word in the phrase, it's only more likely if the people maintaining the dictionary are idiots. Anyone actually targeting pass phrases with a dictionary would maintain a dictionary of the abbreviated versions as well, because they're likely to be aware of dumb debates like this.

        • Lib,lbts is a fantastic work password, unles OPs job is to activate the nuclear football [wikipedia.org]. Who cares it's less secure than a seven-word sentance? I have to type my password 100+ times a day. I can touch-type, but one typo usually means I have to delete it all and start over. Security is important but more-so is doing your job.
        • by skids ( 119237 )

          Because gen mobile needs to be able to type it on their crummy laggy error-prone on-screen touch keypads, preferably without ever shifting keypad state.

      • "Locks keep your friends out; your enemies have pick tools".

        You can make anything up you want, but changing them frequently is the key to killing their usefulness when there are bulk thefts of passwords. These things go undetected for months. If you'd changed already, you're good-- unless the crack gets the deltas, too, which is unlikely.

        Stupid passwords will still be stupid, but no use to go to incredible lengths unless your keys are extremely valuable-- then go to a Yubikey or another secondary auth. Key

      • Re:Oh great (Score:4, Insightful)

        by OS24Ever ( 245667 ) * <trekkie@nomorestars.com> on Monday October 13, 2014 @04:04PM (#48134495) Homepage Journal

        and half the banking and finance websites don't allow the symbols, and it's too long

      • I've been doing this for the better part of a decade. Except, I know I'll be repeating this phrase to myself every day, so I take it as an opportunity to engage in a little self programming. It makes the passphrase personal instead of generic, and useful instead of burdensome.

        "I don't like drinking with my buddies till 3 because it makes me feel rotten the next day" = "Idldwmbt3bimmfrtnd"

        Now when my buddies ask me to stay out drinking on Thursday night, I'll hear "I don't like drinking with my buddies til

      • Steve Gibson (yes, Steve Gibson) did a podcast [grc.com] on why 'clever' tricks to choose memorable passwords, might not be such a good idea.

        Short version: the bad guys know all the little tricks like replacing 'a' by '@'. Whether this is particular trick would be more resistant, I'm not sure.

    • Re:Oh great (Score:5, Insightful)

      by vidnet ( 580068 ) on Monday October 13, 2014 @03:49PM (#48134315) Homepage

      "rrrybgdts" is a nursery rhyme. It doesn't even have to be written on a sticky.

      This is a really bad way of choosing passwords.

      The number of verses of songs, nursery rhymes, poems and paragraphs that people would tend to think of probably number less than a million.

      Your particular example has 946 hits on Google.

    • Re:Oh great (Score:5, Informative)

      by rnturn ( 11092 ) on Monday October 13, 2014 @03:55PM (#48134409)

      ``We're being awfully slow about teaching people to adopt passphrases''

      Maybe because there's so many websites out there that still limit your password/passphrase to a fairly short maximum number of characters. If I wanted to use something like `correcthorsebatterystaple' I'm usually not allowed to. Especially when using commercial sites, you are, all too often, limited you to a short -- and often numeric-only -- password (PIN, actually).

      • That's a problem with that website, but there's no way to help that. You can still use "correcthorsebatterystaple" in websites with sensible password requirements. Different sites having different password requirements is only really a problem if you're reusing passwords, which you're kind of not supposed to do anyhow.

      • by houghi ( 78078 )

        Also there are so many places where you need to enter a password that it becomes unusable for the majority of people.

        All to often what I see is that IT people do not factor in the weakest link: humans. They do not factor in that their system is not the only system that needs protection.

        At work I am forced to change my password every month. As I want to be able to work, I use the same one (and thus have more issues remembering my logins than my password.)

        Next to that I have systems at home. I have ones on my

    • The hash of "rrrybgdts" is going to be cracked in half a second with the right ruleset. Passphrases don't help the root problem, that "memorable" implies low-entropy.

  • by LWATCDR ( 28044 ) on Monday October 13, 2014 @03:37PM (#48134205) Homepage Journal

    For example I am not worried that someone might get my Slashdot password.
    Email, shopping and banking passwords are the ones I worry about.

    • by Shortguy881 ( 2883333 ) on Monday October 13, 2014 @03:45PM (#48134281)
      Posted by AC posing as LWATCDR
    • by aardvarkjoe ( 156801 ) on Monday October 13, 2014 @03:50PM (#48134327)

      The thing is, with a good password manager, there's no reason to have a weak password, even for the sites that you aren't worried about.

      Most non-technical people (the ones who we're most concerned about in terms of password security) aren't very good at figuring out where security is and isn't important. For instance, I can't count the number of times I've heard statements along the lines of "I don't care about my e-mail password, because I don't care if a hacker could read my e-mail." Better to create tools methods to make sure that people can conveniently create secure passwords across the board, rather than hoping that people will make the correct decisions related to security.

      • I just had an excellent counter-argument today: Work uses one password to log into their benefits site and into the handheld scanner used on the floor. The handheld scanner has a keyboard of less than 20 keys - numbers are easy, letters are hard, capital letters are really hard, and special characters are impossible. And there's no other input.

        My login to my benefits is now controlled by the password I can type into what's basically a telephone keypad. Because that's where I need to type it a couple of t

      • by LWATCDR ( 28044 )

        Email is important because you use that for password recovery. I have a special email account that use just for password recovery.
        I also use Lastpass to keep passwords but some like Slashdot I use a password I made up that I keep in my head as well as in Lastpass.

    • Mod parent up. (Score:5, Insightful)

      by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday October 13, 2014 @03:53PM (#48134367)

      The core problem is that security has many different approaches.

      A password manager is great ... as long as it is available to you on all the devices that you use to login from. Which makes it vulnerable to being cracked when one of those devices is cracked.

      And that isn't even addressing things like the recent rash of credit card cracks being reported. Even if you keep YOUR password secured the attackers can still attack the system when you use the secure information.

      Instead, the focus should be on the knowledge that you will, eventually, be cracked. At least partially. So be prepared to mitigate the damage done at that point.

      Too many people have too much access to your information without the personal incentive to keep it secure. Or the knowledge of how to secure it. Password managers are an improvement in many scenarios. But so is writing your passwords in a book that you keep at home.

      • Re:Mod parent up. (Score:5, Insightful)

        by rainmaestro ( 996549 ) on Monday October 13, 2014 @04:15PM (#48134611)

        Not having the manager available is a big problem. I redid all my passwords after the Heartbleed issue, and pretty much maxed out the password for each of my important accounts. Was great on my PCs where I had KeePassX, but the first time I had to enter a 24-character randomly generated password with special characters on my cellphone to log in, I realized why it will never work for the average person. Big, long complex passwords are great until you have to type them in on a tiny ass keyboard.

    • Totally true - and programs like slashdot should insist people use simple passwords.

      The equivalent of putting a luggage lock on your luggage, as opposed to a real lock.

      Among other things, it will discourage people from reusing a slashdot password for something that matters.

  • ... and multiple-step authentication, as well.

    And, for secret questions, sites should warn to lie, lie, lie (but remember).

    Until these steps have been completed according to best practice, the user should not be allowed to progress any further.

  • Wrong (Score:4, Interesting)

    by StripedCow ( 776465 ) on Monday October 13, 2014 @03:39PM (#48134225)

    1) Choosing a password should be something you do very infrequently

    Wrong. Once your password is compromised (e.g. by use of a keylogger or otherwise), hackers can use it over and over again.
    It is much better to use One-Time-Passwords (OTPs) such as the ones generated by two-factor authentication systems.

    • Re: (Score:3, Insightful)

      by CaptainJeff ( 731782 )
      There's a subtle difference here.
      It is absolutely better to use One Time Passwords (like most 2-factor auth solutions these days with a random number either generated by an app or token or something or supplied to you via an out-of-band channel like an SMS message).
      It is not better to choose One Time Passwords, as the user experience hit is horrible and can you imagine the horrible passwords one would come up with if they needed to come up with a new one on every login action?.

      Basically, users are bad
  • by Matt Steelblade ( 1458189 ) on Monday October 13, 2014 @03:42PM (#48134251)
    Just because the author asserts that the password system is broken doesn't make Randall Munroe's point about passwords incorrect. "At least one security researcher rejects that theory." What theory does he reject? It's simple math that shows that Munroe's method is better for creating stronger passwords (at least for the average user), but that has nothing to do with relying on password managers...
    • by Dadoo ( 899435 )

      Just because the author asserts that the password system is broken doesn't make Randall Munroe's point about passwords incorrect.

      That was the first thing I thought of, but I still thought the author made a few good points - especially the part about wanting to get rid of passwords, entirely - and I wanted to see what other Slashdotters thought.

    • I think that the author of that "rebuttal" completely missed the point of Munroe's idea:

      What is there to prevent “letmeinfacebook” from being the new most common four word password for Facebook accounts?

      To me, it always seemed that Munroe's method was designed for (already security-conscious) people who want a secure password, and to be more specific, who want the most secure password with the minimum memory load necessary. That seems like a completely different issue from what he's addressing. Plus, I have yet to see an OS or device login that allows you to use a password manager. :-p That alone creates a market for pa

    • by suutar ( 1860506 )

      What he's rejecting appears to be user-selected passwords (which really are pretty crappy on average), which is not what XKCD was talking about (it advocated, as I recall, random selection of each of the 4 words).

      Where he goes from it, however, is not the randomly selected passphrase of XKCD but directly to key managers, and eventually to two-factor auth.

    • by QRDeNameland ( 873957 ) on Monday October 13, 2014 @05:27PM (#48135313)

      Just because the author asserts that the password system is broken doesn't make Randall Munroe's point about passwords incorrect. "At least one security researcher rejects that theory." What theory does he reject? It's simple math that shows that Munroe's method is better for creating stronger passwords (at least for the average user), but that has nothing to do with relying on password managers...

      In addition, he seems to miss a rather key point about the xkcd method. He goes on about "users should not be choosing passwords" (which is correct), but note that the xkcd comic says 'four random common words'. In other words, in order to follow this method, the user would not be arbitrarily choosing a password but having it generated instead, by for instance using the Diceware method [std.com]. The core idea is that a human being can much more easily memorize a randomly generated 4-5 word passphrase, as evidenced by the fact that we all seem to remember 'correct horse battery staple'. Yes, password managers are a great tool to handle the ever-growing array of passwords we must manage in our digital lives, but that doesn't preclude the idea that for those 5% of passwords he concedes must be memorized that Munroe's method is not a superior method in those cases, especially since he seems to fundamentally misunderstand it.

  • Negative (Score:5, Insightful)

    by mseeger ( 40923 ) on Monday October 13, 2014 @03:43PM (#48134255)

    Good, bad & ugly - Your password

    PASSWORD REQUIREMENTS

    A good password must have two properties:

    1) It has been memorized by the user
    2) It is difficult to guess for a third person (even if he/she knows the user well)

    But in most cases another requirement is thrown into the mix:

    3) The password shell be complex (have a high entropy)
    Usually the requirements take the form of a password policy like this:

    The password must be at least 8 characters long
    The password must contain upper- and lower-case letters
    The password must contain a number
    The password must contain a non-alphanumeric character

    You notice anything? Yep, this policy only focuses on the third requirement. And it does so at the expense of the first requirement and (knowing human psychology) it also has a negative impact on the second requirement.

    THREATS TO PASSWORDS

    Let us take look at how the security of password can be compromised:

    - The input of the password has been observed (by eavesdropping, key-loggers or by the ordinary Mark 1 Eyeball)

    - The password has been re-used by the user in a different context where the attacker has access to it

    - The attacker gained access to the encrypted storage of password and managed to extract it from there

    - The password has been guessed by the attacker

    How does having a complex password help you against these attacks?

    In case of an attacker observing the user entering the password, no complexity will help. Rather the contrary, a password with mixed upper/lower-case, numbers and special characters is entered at a significantly slower pace. This helps an attacker observing the password by good old-fashioned peeking.

    If the password is known to the attacker from the use in a different context, the complexity is no help either. Knowing the psychological side, cryptic passwords are rather compound the problem. Once a user has found a password that fits the typical policy, he tends to use it wherever such a password policy is in place and therefor increases the chances of an attacker to use a known password of the user in a different context.

    In case of access to the encrypted password store, the complexity clearly helps to hamper the attacker (if the password is encrypted properly).

    One would expect that password policy should help making a password un-guessable for a third person. From my personal observation the contrary is true. Under the watchful eye of a password policy they tend to stick to first names, upper-casing the first or last letter, replacing characters by similar looking special characters or numbers and/or adding numbers at the end (like birthdays).

    Summary: Only in one attack scenario choosing a complex password helps, in all other scenarios it does not have any or even a negative impact. So let us look at this scenario a bit more detailed.

    DECRYPTING PASSWORDS

    To decrypt the password of a user, the attacker has first to have access to the password storage. At which point the first and most critical security failure has already occurred. And the user had nothing to do with it.

    When it comes to decrypting a password, the algorithm used is a more important than the complexity of the password. If the service provider has not done his home work, complex passwords offer only little protection. This is another critical point, where the user has no influence whatsoever.

    But in case of the service provider having botched the safety of his password file but made everything correct when choosing the algorithm the complexity of the user passwords can offer extra protection against the attacker.

    Does this case justify all the negative impact?

    I want to point out, that the safety of the encrypted password is not the responsibility of the user. So would say: Don't make him part of the process here. Don't shift the responsibility to to him where the service provider is responsible.

    Remark: I did not specifically address the issue of an attacker

  • XKCD is correct (Score:3, Informative)

    by Archangel Michael ( 180766 ) on Monday October 13, 2014 @03:44PM (#48134265) Journal

    Entropy is key to a good Password. Increasing the password length is one of the easiest ways to increase entropy in a password. Very few people can remember a password like "Xl5xX8lB4XI5" which would take a single computer about 25 thousand years*

    However, using long words "alligatorterrorizesnewyorkcity" would take 22 septillion years*

    * according to https://howsecureismypassword.... [howsecurei...ssword.net]

    That being said, I also agree that generating new passwords should be done with a Password Manager, however the first password is always the hardest. Which is why three long seemingly random words is much easier and safer, IMHO.

    • I don't think there is any reasonable simple definition of entropy that makes it a guarantor of hard-to-guess-ness.

      According to that website the password KimKardashian would take 161,000 years to crack.

  • This means that instead of a password strength meter you should be ensuring that there is no skew in the distribution of passwords. If each password is guaranteed to be unique, the advantage of a statistical guessing attack is greatly reduced.

    OK, guys, now I just need all of you to tell me your passwords so that I could pick a different one.

  • by arielCo ( 995647 ) on Monday October 13, 2014 @03:47PM (#48134299)

    Even if we entertained the XKCD comic and started training users to select four random words instead of a complex single-word password, I argue that it would not amount to a significant increase in security.

    People are not very creative and tend to think the same way when choosing passwords. This would lead to the exact same problem we have now, where a few passwords such as "password123" become very common. What is there to prevent “letmeinfacebook” from being the new most common four word password for Facebook accounts?

    Umm, how would they "think" of random words? I think "random" means something like: you pick a dictionary, close your eyes, open it on a random page and put your finger; repeat as needed.

  • The summary quotes the article's own summary, but the headline and intro cause it to be misleading.

    The article doesn't claim that "correct horse battery staple" is wrong, as in a bad way to choose a high-entropy password. It is a good way to choose a high-entropy password. The article argues (quite accurately) instead that users should not be choosing passwords at all because they will choose weak ones, even if you give them a fairly good heuristic (like the one from XKCD), or try to help them estimate th

  • 1) Choosing a password should be something you do very infrequently.

    No. Passwords need to be rotated for all kinds of reasons. It results in the account being effectively disabled when account policies fail (forgotten service accounts etc). It ensures that if the password store has leaked and its not discovered strong passwords remain safe (can't be cracked in the rotation time) and that access to accounts with weak passwords is at least detected at some point. Passwords should be used uniquely person/organization for the most part, finer grains in some cases; most peop

  • Reading TFA, this guy just reinvented public/private key infrastructure where your password manager acts as your keystore.

    In any case where a so called "password manager" could be used, we would be better off using a keystore. You loose ease of logging in from different devices in either case. One needs to carry around its password/key database in both scenario or store it in a centralized database.

  • by Amtrak ( 2430376 ) on Monday October 13, 2014 @03:53PM (#48134371)
    While I agree with the researchers point that dictionary attacks are the biggest risk for passwords and that you shouldn't use the same password for every account you have I don't think that a password manager is required for all situations. For example I use the same password for Slashdot, Engadget, Toms Hardware and a few other entertainment accounts. None of these accounts can really cost me money so who cares if someone gets the password? I can just make a new one. So I don't think that sharing passwords in this case is bad. I call this password my "Insecure" password. Now for other services such as my bank, email, windows log in, work password. All of these passwords are unique but I don't have many of them so it isn't hard to remember them.
  • by mjm1231 ( 751545 ) on Monday October 13, 2014 @03:54PM (#48134391)

    Password manager tools are only useful when you are logging in from your own device. What do you do when you need to hop on a friend's computer, or the one at the public library? Or are there cloud based password managers out there (and if so... that just raises further questions).

  • My banking websites would be much more secure if they disallowed any access from Eastern Europe.

  • by KozmoStevnNaut ( 630146 ) <henrikstevn&gmail,com> on Monday October 13, 2014 @03:56PM (#48134413)

    I've used Keepass for a long time, but I recently moved to Lastpass because getting Keepass to sync reliably is a major hassle, plus Lastpass works really well on Android, even for apps. I have a strong master password, which is easy to change regularly because I only have to remember that one password. I also have 2-factor authentication enabled through Google Authenticator. Every other password is randomly generated, I don't even know them.

  • I disagree (Score:4, Insightful)

    by nine-times ( 778537 ) <nine.times@gmail.com> on Monday October 13, 2014 @03:57PM (#48134429) Homepage

    Password managers don't really solve the problem. Many of them aren't really cross platform (by which I mean, they sync with and are accessible by all your programs/browsers for all of your devices), and as he recognizes, there will be some passwords that you can't store in the manager (e.g. the password to the manager itself, and for the devices that access your password manager). Beyond that, I didn't see any recognition anywhere that there are at least some services that you might want to access somewhere where you don't have access to a password manager. For example, the selling point of both webmail and services like Dropbox are that you can access your data on another person's computer. Are you going to want to download, install, and sign into a password manager on another person's computer.

    So yes, password actually do need to be both memorable and strong.

    However, I'd agree with him that really, passwords need to die. Or not actually die completely, but most sites should not require their own password. What we really need is some kind of standardized identity management system-- like you know how you can sign onto various sites using either your Facebook or Google+ sign-on? Like that, but standardized. We need a true single-sign-on solution that is easy to manage, hard to screw up and lose your identity permanently, and usable everywhere.

    This has been obvious for well over a decade, but we can't do it because we don't create standards anymore. For any solution, Microsoft wants to have their solution, Facebook wants theirs, Google wants to do it their own way, and Apple wants to do something different from all the rest. Each company pretty much wants a solution that will benefit themselves and screw over their competitors. None are really focused on creating the best solution for social/economic/computing progress, and if they were, it would still be impossible to get others on board. So that's the real problem. Unwillingness to create standards.

    • Re:I disagree (Score:4, Interesting)

      by Dynedain ( 141758 ) <slashdot2@NOSPAm.anthonymclin.com> on Monday October 13, 2014 @04:39PM (#48134865) Homepage

      We do, it's called Open ID, which is what Google leverages for their single-signon (not sure if FB is their own solution or not). It was a really popular thing about 5-10 years ago and got a ton of attention. I think even MS enabled it.

      The problem with it is this: everyone was willing to let open their servers be the authenticating source for OpenID, but no one was willing to trust a 3rd party's servers to do the same.

      So I can create identity authentication galore at mydomain.example.com, but if Google isn't willing to trust mydomain.example.com, then it's not very useful as a unified login authenticator.

  • It seems to me the most likely machine to be compromised is probably a user desktop. Servers and web services can implement pretty effective countermeasures against brute force attacks (3 tries and you're done for an hour, 5 tries and you're done forever). Not to mention multi-factor authentication.

    Putting all of your passwords no matter how complex on a windows 7 desktop with a single (easy to remember, easy for computer to guess) password, which can be trivially retrieved with a keylogger seems like com

  • Two form authentication is the real solution. Given enough time and computing people will break your hashed password. Heck with the oncoming quantum computers who knows if they will be secure at all.

    Oh and heres an idea. Why don't we do a much better job of protecting the hashes in the first place. Encrypted the hash so a simple sql inject only returns even harder to see data. Put the data in another table. Use a stored procedures ( I know *GASP* ) to only allow one password hash to be retrieved at once. Us

  • by roc97007 ( 608802 ) on Monday October 13, 2014 @04:02PM (#48134483) Journal

    Even with the best password, memorized or securely stored doesn't protect you against a password recovery process that's improperly engineered. Often an institution, even a BANK, will give you as a recovery password a choice from perhaps six possibilities, any of which can be divined from publicly available information or a little social engineering. Your password may be q4ot38yhewa;okl, but your password recovery phrase will be the street you lived on in high school or the name of your first dog. This is not secure.

    And don't even get me STARTED about pin code security. When I set up my AmEx corporate card, the phone menu suggested strongly that I use digits that are easy to remember, like my mother's birthday. Ignoring the directions and entering a random code, I got rejected because my pin WASN'T A VALID DATE. I called tech support, told the tech monkey the error I was getting and he immediately said that I was to set it to my mother's birthday. I said I didn't want to use something that would so easily be discovered, and he seemed nonplussed. He had to consult with a supervisor. They eventually decided that I could use a random number, but I had to tell him the number over the phone so he could override the menu's requirements to use a valid date. This was AMEX!

    Back to the lost password process, I give random strings as answers to the challenge questions, but I figure eventually banks won't let me use strings that aren't a valid dog's name or a listed street name in my home town.

    I know why they do this -- it cuts down on service calls to require shlubs to use passwords that are easy for them to remember. But geeze... I foresee a time when we'll all be required to use the common name for an eating implement. Everyone will choose "spoon". The institution will be able to cut customer support back to one person in north-eastern Poland. Or perhaps they already have.

    (I use Poland not to denigrate the Poles, but because a company I do business with was quite proud of the low low DL price they got for customer support hotline personnel in eastern Poland. To cover North American accounts. Because that makes sense. Really.)

  • If 500 people each use the "correct horse battery staple" approach to generating pass phrases, then an attacker who wants to compromise 5 of those 500 accounts is going to have to break 5 passwords.

    If 500 people each use the same password manager, then an attacker who wants to compromise 5 of those 500 accounts needs to break just one security mechanism -- the password manager itself. In addition, that attacker may have help in doing so, from all the other attackers that want to compromise a different set o

  • by nimbius ( 983462 ) on Monday October 13, 2014 @04:05PM (#48134511) Homepage

    1) Choosing a password should be something you do very infrequently.

    horse battery type passwords encourage this by making the password relateable as well as affording excellent bruteforce protection. Bruteforce accounts for most password compromises outside of data breeches, which ultimately serve as a direct path toward and a source from which additional attacks can be performed.

    2) Our focus should be on protecting passwords against informed statistical attacks and not brute-force attacks.

    yes but this is infrequent and has little to do with password structure. in the article the NSA is sighted, but thats not exactly how they work. Youre more likely to have a secret court order Google to cough up your data, not your password. Your computer password on the other hand would be demanded at penalty of spending the rest of your life in contempt of court or guilty by default. either way they win.

    3) When you do have to choose a password, one of the most important selection criteria should be how many other people have also chosen that same password.

    I would argue the question is whether this password has ever been compromised or the breadth to which it is used online. more exposure means a greater chance of compromise. horse battery tries to get people to think creatively to avoid duplication however its not perfect.

    4) One of the most impactful things that we can do as a security community is to change password strength meters and disallow the use of common passwords.

    absolutely. this and two-factor, which is mentioned in the article, are critical steps in ensuring online services and applications encourage strong passwords. I think the attacks on horse-battery passwords are unmerited, and ultimately irrelevant once paired in a two-factor environment with a private or yubikey solution. intelligent service responses to bruteforce attempts, RBL's that blackhole compromised machines and subnets, and application support for longer than 8 character passwords are also important.

  • I used "Correct Horse Battery Staple" as my credit union password and was hacked almost immediately. As was nearly every geek I know who works here. So clearly he's right.

  • 1) Choosing a password should be something you do very infrequently.

    Choosing a password should only need to be done once per site, not "infrequently".

    2) Our focus should be on protecting passwords against informed statistical attacks and not brute-force attacks.

    Passwords are generally leaked because someone either got the list of passwords, tricked the user into entering the password on the wrong area (e.g as with any phishing site), .extracted them from a local store on the person's hardrive because Firef

  • I suggest that you use the initials of all the people that you had crushes on when you were in middle school. You won't forget them, and brute-force cracking software is unlikely to detect your password.

    For example, if you had crushes on Carly, Janis, Gina, Wanda, Jane, Janet, Joan, Julie, Sally, Cindy, Alice, and Farah, then your general password would be: cjgwjjjjscaf. Which is a wonderful password. [You can't help it: you're a hopeless romantic.]

    Unfortunately, nitwit system admins are requiring

  • yea no (Score:4, Insightful)

    by Charliemopps ( 1157495 ) on Monday October 13, 2014 @04:16PM (#48134621)

    Bullshit... this guy is working in some fantasy world separated from reality.
    Anecdotal example: I used to work for AT&T back in the 90s. They wanted to improve the security of an application so they changed the password requirements and had it require a 30 character pass phrase that included capitals, lower case, numbers, special symbols, no numbers could repeat, etc... The result? Everyone had a posit note with their password stuck to their monitor within a week.

    All of your security measures are meaningless if no-one follows them. There was no way in hell we were going to remember our 30 character password without writing it down.
    Password safe huh? And how do I log onto the computer in the first place? Or remember the password for the password safe? I need 2 passwords just to get into the safe! I have to pick a less secure password to protect the thing I keep all my passwords in?!?!

    6 to 8 characters
    make us change it every 90 days
    Special characters don't matter
    4 attempt lockout
    done

    If they can guess your password in 4 attempts, they know your god damned password.

  • by thetagger ( 1057066 ) on Monday October 13, 2014 @04:17PM (#48134627)

    So, which password manager do you use that is open source, safe, works on Linux, does not rely on or expose your secrets to a centralize party?

  • Anti-Captcha (Score:4, Insightful)

    by mbone ( 558574 ) on Monday October 13, 2014 @04:21PM (#48134655)

    There are now lists of millions of stolen passwords, and frankly none of them are safe. Why shouldn't someone set up a password security app (like captcha, but in reverse) so that a large web site could

    - download a large stolen password list (even 1 billion would only be a few GBytes)
    - checks (a salted hash) of your password against the list (say, salts changed every day or hour or...) and
    - if yours is on the list, tells you to do better

    It seems this would be much safer than just having some app that counts punctuation characters and tells you your password is strong if it has more than 3.

  • After Heartbleed I brought up my password manager and changed 140 passwords in a few hours. If it wasn't for my password manager I would have never even known I had 140 passwords to change.
    These things are amazing. Randomized passwords for all my accounts. In the event of a catastrophic failure all I have to do is remember three passwords to get everything back. My email password. my cloud password and the password to the encrypted db of passwords. As a person who deals every day with people who "don't even remember setting a password for that" I wish more people used these.

  • by Tablizer ( 95088 ) on Monday October 13, 2014 @05:10PM (#48135173) Journal

    1978:

      password

    1983: Rule: Don't use 'password', too common.

      passgas

    1990: Rule: Must contain at least one digit

      passgas7

    1995: Rule: Must contain mixed case

      Passgas7

    1999: Rule: Must contain at least one punctuation character

      Passgas7&

    2004: Rule: Must change every 2 months

      Passgas7& ... Passgas8* ... Passgas9( ... Passgas1! ...

    2015: Rule: Must be at least 20 characters long

      Passgas711111111111$ ... Passgas177777777777$ ...

    2017: Rule: Can't use any patterns guessable by AI

      Oh f$ck it, just hack me already, dammit @666

    (Courtesy c2 wiki)

  • Sorry (Score:5, Funny)

    by saikou ( 211301 ) on Monday October 13, 2014 @05:17PM (#48135245) Homepage

    "You can't use PasswordABC as your password, because user Smith15 already uses it as a password"
    Oh wait :P

1.79 x 10^12 furlongs per fortnight -- it's not just a good idea, it's the law!

Working...