Passwords - 64 Characters, Changed Daily?

isepic writes "It seems over the past few years that the password requirements have changed - each time making it even more difficult to crack. My company just changed its password requirements from 180 days down to 90 for most servers and from a minimum of six characters up to eight. So, as parallel processing computer clusters gain in power according to Moore's law, how are we expected to change them in the next 2-10 years --- and how often?"

"Hopefully by then, there will be a better way, but I really don't want to have to change my password every 8 hours, and not be able to use the last 5 I've used, AND have them each be some awfully long and complex string of hard-to-remember ASCII codes just because a computer can crack a 32 char password in 10 seconds.

What are your thoughts? Do you think one day we'll be SOL, or do you think something 'better' may come (e.g. biometric scanners on every keyboard and or mouse and or monitor - etc.)"

Just do what I do

[thammoud]

password1 password2 password3 password4 based on the month that you are in.

Re:Just do what I do

[Anonymous Coward]

just checked, you don't do that.

Re:Just do what I do

[kv9]

in soviet russia passwords change *you*.

Re:Just do what I do

[geekoid]

IN comedy, it is well know that something can become funny again.

BTW, not everyone shares YOUR sense of humor.

In Soviet Russia, nostalgia jokes you.

Here goes my Karma....

[lewko]

Note to mods...these 'In Soviet Russia' remarks are never, ever funny. Even if you remember a time

In Soviet Russia, time remembers you!

Re:Just do what I do

[dtfinch]

I've noticed that a lot of people like to get their posts on top by replying to the first reply of the first reply ... of the first post.

Seems like the perfect place to advertise my open source Strong Password Generator [mytsoftware.com].

Re:Just do what I do

[gotacap]

You know, I had a strong password generator on my website for a while, but then I realized that most people paranoid enough to use a generator would be paranoid that I would be logging all strong password requests and then trying the results to get into the machines I found in my server logs... It's still there, I use it myself, but I don't tell my users where it is anymore.

Re:Just do what I do

[lcsjk]

My comments do not necessarily reflect my own opinions.

Re:Just do what I do

[Abcd1234]

This should be modded insightful. These kind of forced password-change policies do one thing only: encourage people to choose easy-to-remember (and hence, likely easy-to-crack) passwords. Even worse, it encourages people to write their passwords down and store them in what is probably a very insecure location! So, in the end, you get only a marginal increase in security.

Frankly, I think the best bet is to encourage users to just select longish (>8 characters), complex password (no word substrings, more than just alphabetic characters, etc), but don't force them to change it. After all, brute-forcing a complex, 8-character password is still a fairly difficult process.

Re:Just do what I do

[Antique Geekmeister]

What you are describing encourages universal passwords. Unfortunately, it's not merely password cracking that is a real risk. It's password sniffing, via keyboard monitoring or packet sniffing over unencrypted protocols like FTP, POP3 or IMAP or HTTP without SSL turned on, etc. People are terrible about changing them, and they do tend to rotate them among a very small number of passwords to deal with this.

Universal sign-on systems such as Kerberos can help this, by encorcing decent password selection and then making it available everywhere without permitting re-use of that small set of passwords. But it's a bear to set up in a small or mixed environment.

Also, for the original article's point: the difficulty of cracking passwords goes up nominally as the exponent of the password length, the complexity of verifying them or encrypting with keys goes up linearly or maybe as N*logN with the length of the key. Selecting a long enough password, and system keys, to defeat this kind of brute force cracking is quite trivial to do. But getting it adopted, especially in the face of federal policies that prohibit the export of encryption technologies as a "material of war", has crippled encryption techniques for years.

Get the federal government out of that line of regulation and hardware based encryption to protect your logins from man-in-the-middle password sniffing will be quite cheap, even possible to incorporate as a part of common motherboards and network cards. Until then, though, we're going to have a real risk of people using the same password for years and having it sniffed and used by crackers.

Re:Just do what I do

[arminw]

Some systems do not allow any more tries at logging in after a few unsuccessful attempts. After an hour or so, the systems resets and gives the user another chance to try to get in. If that also fails, the user must call the system admin. This process goes a long way toward thwarting multiple access atempts.

None of this helps of course if the user's system is breached and some sort of keyboard sniffer is active.

Re:Just do what I do

[robosmurf]

The problem with a strict lock-out policy is that it leaves you vulnerable to a denial-of-service attack. All an attacker needs to do is guess your password a few times to cause a lot of trouble.

Re:Just do what I do

[JWSmythe]

APC masterswitches do that. Well, it locks you out after x attempts for x minutes.

It became a pain in the ass when some winner started trying to password scan one of the masterswitches. A machine went down, and everyone was locked out from it. They had just left the scanner running, so after the lockout time, it would get locked out again.

We moved them to a private network, and voila, everything works fine now. :)

People try to brute force so many various passwords, this seems like a really

Re:Just do what I do

[Drachemorder]

"On one occasion I chose 123456"

That's amazing! I have the same combination on my luggage!

Re:Just do what I do

[Blastrogath]

This should be modded insightful. These kind of forced password-change policies do one thing only: encourage people to choose easy-to-remember (and hence, likely easy-to-crack) passwords. Even worse, it encourages people to write their passwords down and store them in what is probably a very insecure location! So, in the end, you get only a marginal increase in security.

Frankly, I think the best bet is to encourage users to just select longish (>8 characters), complex password (no word substrings, mor

Re:Just do what I do

[Harald Paulsen]

The problem isn't having a policy, or having a boss tell you to use safe password. The problem is that the boss somehow feels he should be exempt from the password policy. Ironically enough, the people in command that wears a suit usually has the simplest password. They also have access to most of the sensitive information.

Re:Just do what I do

[Inda]

We had a change of policy here not so long back. Dictionary words and proper names were disallowed. Of course I was the only one that read the email about this.

The boss's secretary was presented with the change password dialog one morning. It would not accept any of her desired new passwords.

I said "You can't use your son's name anymore". The look on her face was priceless. I was amazed too; I thought this sort of thing only happened on the TV.

The really sad thing is that a cleverly crafted spoofed email

Re:Just do what I do

[Chess_the_cat]

Are you trying to say that that is an easy to guess password? Because I'd never have tried it. A better story would have been that his password was "drew" or "dean" or "password". All I'm trying to say is that "dddrewww" is nowhere near "the simplest password."

Re:Just do what I do

[Pharmboy]

What I never got was this: If I have a password, and no one else ever knows it, AND I check my logs so I know if someone is trying to hack my account, what good does changing it anyway?

As soon as I see at attempt to hack it, I would change it. Until then, I have a great password that my wife doesn't even know about. If someone tries to hack it on Wednesday, it doesn't matter that I changed it on Monday, or last year: It will still take more time to crack than will pass before I check the logs.

Re:Just do what I do

[ghettoboy22]

What if the logs are forged? What if they got some hash of your password and they're locally trying to decrypt it?

Re:Just do what I do

[FireFury03]

What I never got was this: If I have a password, and no one else ever knows it, AND I check my logs so I know if someone is trying to hack my account, what good does changing it anyway?

Yep, I don't think there is a need to change passwords until someone uses one to compromise your system: if you change passwords every 6 months, what are the chances that someone cracking it coincides with you changing it. If someone cracks your password they're going to use it immediately, not wait 6 months until you chan

Re:Just do what I do

[Pharmboy]

The point is that a moving target is harder to hit.

Stastically, that is false for a one time event. If someone today is trying to break your 14 character password, it doesn't matter when you changed it.

And vacation? I check my servers every day on vacation. Only takes a few minutes to ssh in. Yes, its vacation, but I would rather check the logs for 5 minutes a day, than spend 7 days recovering from a fatal problem that might have been averted.

Re:Just do what I do

[Bronster]

Consider the number guessing game, where you pick a number and some tries to guess it. The game would be much harder if you were allowed to change the number. In fact the game would become impossible to lose.

I was with you until the bold bit.

If you're allowed to change the number after the guess, then sure - it's impossible to guess. Otherwise if you've only allowed to change it between guesses, then the fact that I guess 517 right after you chose it means I win - regardless of how long it took to get

Re:Just do what I do

[Pharmboy]

And who said I am *NOT* that smart person? ;)

Smart people are also the ones who ask questions like "Why are we doing this", while the dumb one say "Because we have always done it this way". Just because a smart person suggests something, that doesn't guarantee its a smart thing to do.

Forcing changes in passwords that guarantee that users will write the new password on post it notes on their monitors is not smart either. I know, I see it all the time, and the users simply do NOT get why this is dangerous

decent compromise between security and convenience

[pwarf]

First of all, they could put their passwords on post-its in the locking drawers most desks have. Almost as convenient, but MUCH more secure.

Also, there are plenty of ways to have greater security than completely out-in-the-open Post-It notes with passwords. For guys, keeping the password list in a wallet, purse, or at least desk drawer that could be locked would at least add some physical security.

Actually, keeping the passwords on the monitor wouldn't be too bad if the passwords were obscured some way.

Re:decent compromise between security and convenie

[RetroGeek]

First of all, they could put their passwords on post-its in the locking drawers most desks have. Almost as convenient, but MUCH more secure.

You mean those locking drawers where the key number is stamped on the lock?

I usually place a sticky note with a ramdom number of characters under my keyboard. It looks like a password, and may even BE someones password.

But it is not MY password and is it not close to my password. This entertains whoever is trying to break into my computer for hours....

Re:Just do what I do

[Megor1]

Since password cracking relies on having access to the password hash, simply make the hashes an order of magnitude longer to calculate.

Re:Just do what I do

[rsmith-mac]

This is only good against dynamically calculated hashes; if you pre-hash the english dictionary or something like that, then once everyone has the hash table, we're back to square one when it comes to poor passwords.

Re:Just do what I do

[eric76]

... easy-to-remember (and hence, likely easy-to-crack) passwords

Those two are not necessarily related.

You can have easy to remember, well, relatively easy to remember, passwords that would be tough to crack.

My favorite approach is to create nonsense type phrases with some odd punctuation.

For example, something like:

I borrowed all the books from the library! and read them both.

or

An ultranet in a test tube is truly a fine thing to behold?

Or you could also take a favorite quote and modify it somewhat

How about pass phrases?

[gad_zuki!]

>hoose easy-to-remember (and hence, likely easy-to-crack) passwords

Not necessarily. I mean depending on what the max character limit is he could be using pass-phrases. The password is becoming obselete and the pass-phrase will be the next step. That is if the next step isn't smart card keys, challenge response you can do on a PDA, etc.

Of course the pass-phrase has its flaws too like using famous quotes, but that could be screened out the same way common words are. There might be some side benefits to

Re:Just do what I do

[FireFury03]

Frankly, I think the best bet is to encourage users to just select longish (>8 characters), complex password (no word substrings, more than just alphabetic characters, etc), but don't force them to change it. After all, brute-forcing a complex, 8-character password is still a fairly difficult process.

I agree with this, although the people enforcing the passwords should really be asking what level of security do they need. Forcing people to have the most complex passwords possible all the time encourag

Wallet = secure

[IncohereD]

Even worse, it encourages people to write their passwords down and store them in what is probably a very insecure location! So, in the end, you get only a marginal increase in security.

Someone I work with asked about how he should protect a key to a secured area, and the response was "How often do you lose your car or house keys? Keep it with those." I'd say the same applies to your wallet and keeping passwords in it, if worse comes to worse and you can't remember them.

Considering I've never lost my wall

Re:Just do what I do

[nanojath]

Even worse, it encourages people to write their passwords down and store them in what is probably a very insecure location!

Hold on, are you saying that the post-it note labled "network password" on my cubicle wall is insecure?

Re:Just do what I do

[OptimizedPrime]

If you want to use a sticky note, contaminate it with lsd and put the password behind it, covered by the note. Net admins can be told to wear gloves...

Re:Just do what I do

[mnmn]

Well for us admins at our company, all admin accounts have the same password. Theyre changed when someone high profile is fired or resigns, and changed across the board. The passwords are always chosen to be complex, but when you have to enter them 20 times a day on various systems, you'll remember them.

Much long ago, we had different passwords everywhere, which we forgot when IT guys were changed, and at least one ancient ERP system is still running with us not knowing the admin password. Its used for ref

Re:Just do what I do

[Jim_Maryland]

The policy we follow here is for system administrators to keep a sealed envelope with the root/administrator passwords. Each password is in it's own envelope with the systems it belongs too written on the outside of the envelope. These envelopes are then stored in a secure environment (a safe for example) to ensure that access can be restored if absolutely necessary. A small group of people (not necessarily system administrators) have access to these envelopes and they must follow a strict policy (includ

Re: Or what I do

[E_elven]

I need to start cut-n-pasting this. There should be a topic for Passwords.

Use visual passwords rather than mnemonic ones. My standard-prescribed solution is to teach this to all new users; I set them next to a computer and give them some strips of coloured paper (not necessary but helpful with complete newbs). They'll get the gist fast and be able to be pretty savvy shortly -and changing a password is exceedingly easy.

1. Pick a letter. Any letter will do but to start with you may want to take the first letter of your name.
2. On the bottom row of the keyboard, pick any key from Z to M.
3. Using the paper strips, draw your letter on the keyboard so that you start from your starting key (Z to M)
4. Look at the keys under your strip. That's your password.

Here's a visualization for the letter A starting from the key V:

= 1 2 3 4 5 6 * 8 9 0 - = \
== q w e r t * * i o p [ ]
=== a s d f * * * k l ; '
==== z x c * b n * , . /

The plain password is: vgy7ujmh
Using alternate shift: VgY7UjMh or vGy&uJmH

This can easily be expanded to even more secure ones by adding more letters. A good scheme for variant passwords is to use something that identifies with the realm -for example for Slashdot, a password could be made from letters 'slash' (on a dvorak here, sorry):

qJkU.#4%kUp$xBjUy^fDbIxBmHf^7*xIy%mHg&f

Variation made easy. Try it.

Good news for hacker

[usefool]

Wasn't there a joke that if users are required to change password every second, hackers just need to keep on trying the same password until users themselves changed to match the hacker's password?

Re:Good news for hacker

[ryanvm]

Wasn't there a joke that if users are required to change password every second, hackers just need to keep on trying the same password until users themselves changed to match the hacker's password?

I doubt it - jokes are supposed to be funny.

Biometrics

[Jorkapp]

One day we'll have Biometrics, so we won't have to remember our passwords.

Re:Biometrics

[wkitchen]

Oh, that'll be just great. Chopping off fingers and plucking out eyeballs will be the new definition of "social engineering".

Re:Biometrics

[crackshoe]

well, you can synthesize finger and palm prints, so the whole finger-choppy bit isn't necesary. but who doesn't want to keep eyeballs around in jars, eh?

Re:Biometrics

[Roofus]

Chopping off fingers and plucking out eyeballs will be the new definition of "social engineering".

Holy great hell, I'd love to see the social engineer that can convince somebody to chop off a finger voluntarily. They would put Mitnick to shame!

Re:Biometrics

[shadow_slicer]

Why chop off fingers or pluck eyeballs when
"Scraped up my fingers this weekend in a bicycle accident, and the stupid scanner doesn't recognize me. Can you open the door for me?"
or
"'Contacts have been irritating my eyes lately so the damn machine won't validate, can you buzz me in?"
work just as well?

Re:Biometrics

[Coryoth]

Oh, that'll be just great. Chopping off fingers and plucking out eyeballs will be the new definition of "social engineering".

No need for that. I saw a presentation at AsiaCrypt a couple of years ago where a guy sucessfully managed to create an artificial fingerprint good enough to fool pretty much all the commercial fingerprint scanners tested using only a fingerprint left begind on a glass, and pretty much commodity hardware (he did use one somewhat obscure device but that was still only a couple thousa

Re:Biometrics

[Blastrogath]

If you use biometric data for your passwords then you can never change your passwords. The first time you use a cracked login terminal you've lost security forever, unless you have surgery.

Re:Biometrics

[molafson]

If you use biometric data for your passwords then you can never change your passwords. The first time you use a cracked login terminal you've lost security forever, unless you have surgery.

That is why it is better to use both: a good pass-phrase that you change from time to time, which is hashed together with your retinal scan, finger print, etc.

Re:Biometrics...only two thumbs

[farrellj]

Biometrics are a nice idea, but what happens when someone compromises your account? You have to start using your other thumb...and if that is compromised?

No, we need multi-element authentication systems that challenge users on more fronts. Tools like the ACE server, where you need you login, password and token number from a frob is a start. More work needs to be done on this problem, though.

ttyl
Farrell

Yeah right...

[imsabbel]

Biometrix is just like passwords, just you cant change your fingerprint/iris scan/voice pattern after someone has exploided/stolen/copied yours.
Great.

One time use?

[slykens]

SecurID and its like are your friends.

While you maintain a reasonably secure password you're not logging in without the token.

Use a CueCat

[Safety Cap]

, as each one has a unique serial number encoded into its output. When you're ready to log in, plug in your :Cat, and use it to scan that barcode that only you know is the right one.

Even if some one steals your :Cat, they can't get in, and if someone steals your copy of "Learning the VI Editor" that you've used for the barcode without stealing your :Cat, again they can't get in.

Re:Use a CueCat

[the_mad_poster]

Heh heh... ironically, the CueCat wasn't exactly the height of security back in the day, and most Slashdotters who have one have probably long since removed the eeprom that transmitted the cat's real unique id.

Re:Use a CueCat

[omicronish]

What happens if you lose your CueCat?

Length & Considerations

[Oculus Habent]

I could see a password of substantial length made of a phrase. Say, 64+ characters, changed every two weeks might be fine. Especially if you have a well-read workforce, which might enjoy making note of significant passages.

You might want to [optionally] be able to use the first letter of each word as a "shorthand" password for re-verification moments, because typing in a 64+ character phrase everytime you lock your station could become tedious if you are away from your desk often.

Alternately, if you have a number of services at work that should have different password, some sort of secure password comparison tool could be employed to at least ensure that employees aren't using the same password for everything. Not sure about an architecture for that, though.

Pointless

[jolyonr]

The harder a password is to remember, and the more frequently it is changed, the more likely people are going to forget it, and resort to insecure tricks such as writing it on a post-it note stuck to their monitor.

I can't see any good reason to change passwords frequently, other than to limit the damage done from a succesful intrusion. And then, is one month any worse than three months? All your data is 0wned regardless.

Re:Yes and No...Better solution:Assign the passwor

[slash.dt]

There is a MUCH better way to do this. First off, instead of letting users choose their own passwords, assign them for each person. This lets you, the administrator to be entirely in control of all passwords on the system. With this control, you can maintain a master list of all users and passwords securely in either encrypted/secure files (with no permissions to anyone but root). This also allows you to force good passwords onto users. They do not need to be impossible, but something like 2 three letter words or partial words (chosen at random) with 2 other ASCII characters are usually not too hard for people to remember, but are still tough enough to make it hard to guess with password word lists.

There is so many things wrong with this that it is hard to know where to start. I'll just chose a couple.

First, forcing passwords on users is dumb. What might be an easy combination of words and number s for you to remember might be completely impossible for me to remember if the word means nothing to me. And if I can't remember I am going to write it down. It is much better to allow people to chose their own passwords to that they can make a combination that they can remember.

Second, accountability for your password goes out the window when someone else knows and controls the password. If the adminstrator knows all the passwords, they can logon as the user without the user knowing. Alternatively, the user can suggest that the administrator did the action which the user is being accused of.

More intelligent password checking rules is a much simpler and more effective solution.

frequency and plausable deniability

[spoonyfork]

How about a password that you don't know and changes every 60 seconds? [rsasecurity.com]

Delays

[bobintetley]

just because a computer can crack a 32 char password in 10 seconds

And will all software in the future not have any kind of delay to prevent this sort of attack? Even now, we have login/ssh services that delay a couple of seconds between failed attempts.

Exponential growth problem

[Kufat]

Every time you add another character onto an alphanumeric, case-sensitive password, the total number of possibilities is multiplied by 62. CPU throughput takes a very long time to increase 62-fold. So going from 8 to 10 characters increases the passwordspace 3844 times, and that's assuming only uppercase, lowercase, and numbers.

There's nothing to worry about until quantum computers can handle problems like this AND are available by someone you don't want accessing your data.

Re:Exponential growth problem

[einhverfr]

You are probably reasonably right on the basic probabilistic mathematics of this approach. However, I still take issue with your conclusions because:

1) Trojan back-doors could be used to covertly do a distributed crack on a password. Thus you have to deal both with the exponential growth in processor power *and* the exponential growth of the internet. So Moore's law gets beat.

2) I find that about 8 characters is the best for my general security. If use 8 character passwords, I use a lot of mnemonic devices. An 8 character password can then contain shortened versions of two strings which are far longer and are more likely to contain non-alphanumeric characters (!,@, &, #, etc). If I get longer passwords, I tend to write out the phrases which although they tend to be in obscure languages still allow for an avenue of dictionary attack which might be otherwise difficult if I am using contractions.

IMO, the future of security is in public key authentication. In this model, you will carry with you a key AND have to provide somesort of passcode to unencrypt the key. This passcode could be biometric, passphrase-based, etc. They key can be lengthened transparently to the user so that they don't have to be aware of it, or replaced when lost.

Re:Exponential growth problem

[vondo]

Umm, 2e72 seconds is 6.3e64 years, some 1e54 times the lifetime of the universe. And 6 millenia is the same (roughly) as 62 centuries.

In any case, a truly random 8 character password is nearly impossible to guess. The problem is, most people don't pick passwords that just look like line noise. To crack yours, I might try 8 letter passwords, then 7 letters plus one symbol, etc. Still a daunting problem, but not *that* daunting.

What's the problem?

[Jugalator]

Just pick a long easy to remember password...?

It's much harder to brute force crack a 11 character password than a 10 character and so on, so I don't really see the problem.

A good way to make it easy to remember without restorting to mangled ASCII is to pick the first letter in a sentence you know (or the two first... you get the idea). You can end it with some other code you know since before, and you're set.

Bad assumption

[Phexro]

You're assuming we won't have a better, harder-to-crack hashing mechanism by then.

This has been a process of incremental improvements - first crypt(), then shadow passwords, then MD5 hashes, and so on. We will certainly have something harder to crack in the future.

Re:Bad assumption

[grumbel]

Shadow passwords aren't a hashing mechanism, all they do is store the hashes in a file that the users can't read. Just Unix permissiosn, pretty trivial after all.

About crypt() vs MD5, I don't think that they make much different when it comes to cracking actual passwords, all MD5 does is allow you to use longer passwords, it doesn't enforce it by any means. If your password is in a dictonary, no matter what hashing algo you use, I can brute force it in a few seconds.

The only advantage a good hashing algorithm provides is that it ensures that you can't from a given hash calculate back the original password by other means than brute force. Brute force, however, will always work, no matter what algorithm you use. The only way to make a more secure password, is to use a better password, a better hash algo won't help a damn.

SecureID

[D3]

Our company uses tokens that change every 60 seconds. Try and guess that one with your computer. Password length is a minimum of 11 characters.

It isn't that hard.

Duh

[Admiral Llama]

How about a (some large number)-bit DSA key on one of those USB thumbdisk thingamabobbers? Sun has those smart cards that get used for authentication, I'm sure one of those might come in handy too.

As for passwords your average Joe six-pack/soccer mom is going to remember... they're easily cracked anyway, I fail to see what difference the future will bring.

Non-user-dependent security

[scowling]

It strikes me that if you have to require your end users to constantly change their passwords in order to prevent them from being cracked, that's your entire problem.

Instead, you should be securing your system to prevent password lists being downloaded and to prevent multiple subsequent incorrect logins.

Secure your own system. Don't expect your users to do it for you.

Slow down, cowboy!

[Jetson]

I really don't want [...] some awfully long and complex string of hard-to-remember ASCII codes just because a computer can crack a 32 char password in 10 seconds.

In order to crack a password you need to know the hashing formula and the expected result. If either is unknown then the only way to perform an attack (dictionary or otherwise) is to ask the protected service to validate each attempt. In that case, a simple time delay in the authentication procedure would stop most brute-force attacks. In *nix

Complex ever-changing passwords are easy

[Rosco P. Coltrane]

I have my own system here: instead of learning one or more passwords, I've learned a small formula that I made up, that use the first 5 letters in a hostname and the date, and spews out a alphanumerical string.

On my main box, where I log in often, the script never updates my password and the date is always set to the epoch, so I always use the same password. On boxes on which I log in infrequently, I have a small program to change the password every day, and I have to recalculate the password for the day.

The problem is the input device, not pass length

[GuyFawkes]

typing
kGNisksUI725K-{P#~iuiILl896&Tui@'p;p'HHP O~9yu* *(

is going to be a pain in the ass for anyone if the input method is always going to be a qwerty keyboard...

on the other hand a 20 dollar mongrel dog that I feed every day will never mistake me for anyone else...

_electronic_ based biometrics however will completely suck

Cost of Passwords vs. Cost of Incursion

[G4from128k]

At what point in time do employees spend more time (= money) creating, remembering and retreiving inscutable passwords than they spend recovering from hacker incursions. An employee's ability to handle rapidily changing, complex passwords is fixed by evolution whereas, hackers abilities to break or phish passwords is only going to increase. At some point the curves will cross and organizations will spend more to keep things locked than they lose with leaky passwords.

Re:Cost of Passwords vs. Cost of Incursion

[LostCluster]

I used a security failure at my office last week to make exactly this point...

No, nobody broke into the place. It's just that at 8am in the morning (when everybody's supposed to have shown up for work) stood myself (at that time, too new to have been issued keys) the summer intern (who will be never issued keys) and the sales rep (who thought he had been issued keys to open both the building and suite doors, but turns out to have been handed two building keys instead)... it'd fourty-five minutes before the

Normal users

[Skiron]

In my opinion as a Sysadmin, it doesn't matter what device[s] you bring in to try to 'secure' users and passwords.

They still write them down, still 'share' (if somebody hasn't got access to a file share the other has, but he/she wants them to look at something - (they don't even *think* about the option to copy it to a public share to do it!) - then they give out passwords.

Plus normal users forget them after a few days of work anyway - I reset usually around 5 passwords Monday mornings after people had two days off work - plus average 10 a week afterwards on a user base of 150.

Anderson's formula.

[Anonymous Coward]

How long does it take? Use Anderson's formula to figure it out.

T = N/(PG)

In this:

1. T: The time units needed to guess the password
2. G: The guess rate, or the number of attempts to guess the password in a single time unit
3. P: The probability you want that the password is guessed. (Or use '1-P' to go the other direction.
4. N: The number of possible passwords, usually A^l, where
   1. A: Alphabet used for passwords. E.g., There are 96 printable ascii characters often used in passwords. Or maybe its case insensitive, so subtract 26.
   2. l: The number of characters in the minimum password.

So, let's say you want only a 10% chance your password is guessed. And you estimate an attacker can perform 2,000,000 guesses per second with his drone army. The passwords are from an alphabet of 26 characters, and are a minimum of 4 characters long. That means... (tappity, tappity on the TI calculator)... Um, that means you'll be hacked instantly. :)

Read more on Anderson's formula by googling. :)

who uses passwords?

[spoonist]

who uses passwords to crack into systems?

there are SO DAMNED MANY easy exploits that will get you root or admin, that you don't usually need passwords to crack into systems...

that said, there is still a balance to maintain. passwords like "password" are just lame and too easy... a good 6-8 character password with letters, numbers, other will keep anyone from guessing passwords at random.

but you still have to lock down your systems to keep out those pesky remote sploits.

(also, the best password in the w

Where I work...

[Liquidrage]

You can tell how long a person has been with the department by the numbers at the end of thier password.

myLittlePony24 They've been there at least 4 years

darthVaderRulez4 Newbie


What I don't like about all the new password rules like miniumum of 8 characters, must have a special character and a number, change ever X days, etc... is:
They ignore the social engineering aspect.

Walk around where I work after hours and after fun logging in as other people simply by reading the post-it notes stuck on

Moore's Law?

[einer]

I think Moore's law only makes a difference when the attacker has a copy your password shadow file. What is stopping me from changing what is stored in that file into something much more difficult to attack (a stronger hash)? Moore's law doesn't attack password strength, it attacks the strength of the algorithm that turns your password into the hash in shadow.

i prefer thumbdrives

[prockcore]

I prefer the concept of storing a large key on your thumbdrive, which you then need to plug in in order to log into your machine.

It's all getting out of hand

[DeepDarkSky]

I mean, quite frankly, even as processing power increase, the human ability to remember password is not exactly getting better. There are techniques, such as mnemonics to help with remember long generally difficult to guess/remember passwords, but these techniques are already there. Typed in password formats themselves can't really change much anymore. Biometric authentication will probably have to be the way to go.

There's just no foreseeable way that existing password systems can be used to maintain

makemeapassword.com

[mgkimsal2]

Not a perfect system, but is something which can help people come up with something more secure than 'password' while incorporating numbers and punctuation marks.

makemeapassword.com [makemeapassword.com]

Forget biometrics and excessively long passwords

[marm]

a simpler solution would be to make the password hashing algorithm much more complex and CPU-intensive.

MD5 and SHA1 are just too fast. If a new hashing algorithm was used that took a second to compute rather than the microsecond or less that an MD5 hash takes, it would make brute-force or dictionary attacks on the password much much more difficult, but wouldn't really get in the way of people logging in - it's only a second.

Perhaps make it more user friendly..

[t_allardyce]

Windows XPs new password policy manager: "Im sorry, that password has already been taken by user john, please choose another"

I don't see the problem at all!

[termos]

Luckily I have Gator [gator.com] for remembering all my passwords!

Hmm

[Erwos]

I was reading a textbook about this very issue just a couple days ago at work (I was bored, and there it was in lost and found pile). Don't recall the name, but it was basically about biometrics for security purposes.

The book stated near the very beginning that, basically, passwords are useless because the really secure ones are hard to remember, and that little problem causes people to do other things that mostly destroy the security of a "secure" password anyways (such as the infamous post-it note on the monitor).

The book's solution was fairly common-sense: implement different layers of security. That is to say, a password on its own is bad, but a token+password (say, USB memory stick with accesss code) can actually be a lot better.

The best stated was "bio+token+password". Seems reasonable to me, at least.

-Erwos

crack ratio

[epine]

Good grief, people. The size of the password space determines the ratio of the time it takes to check the *entire* password space vs checking only the correct password (normal logon).

The *absolute* time taken to crack the password space is therefore a function of how long it takes to check a *single* password. This can be any length of time the password validation system wishes to implement (relative to a fixed processing resource).

There's no reason at all why passwords need to evolve to greater lengths as computers become faster. However, this inflation happens by default if the authentication system does not compensate by implementing constant time password validation as systems become faster.

A modern computer can validate a password in one microsecond that would have taken one millisecond back in the VAX days. This is one case where increased speed is not, in fact, a good thing.

Something you know, you have, and you are

[jncook]

To quote Bruce Perens, if security really matters, you should base it on three things:

* Something you know (password or PIN)
* Something you have (badge or bank card)
* Something you are (thumbprint, hand scan, voice check)

This is how CounterPane security locks up its own colo facility. (Of course, they also tape everybody coming in, and there's a live guard who knows your face.)

Each of these components can be relatively weak, but in combination they are quite strong. For instance, you could probably let people choose any password they wanted as long as you required, say, their badge and a thumbprint to log on.

For backwards compatibility, write a macro that generates random strings of characters the maximum length accepted by the legacy system to which you must log on. Encrypt the list of passwords, and use the method above to decrypt the password archive as needed.

James

Re:Something you know, you have, and you are

[fbform]

To quote Bruce Perens, if security really matters, you should base it on three things

Did you perhaps mean Bruce Schneier [schneier.com]? He would be more relevant to security than Bruce Perens [perens.com] is.

Moores law needn't require longer passwords...

[sanermind]

As computers get faster, simply use more difficult and time consuming algorithims to verify passwords. If you use a verification step that takes 256 times a long [even for the same old 6-character password], when computers get eight times faster, they are worse off then they were before in trying to brute-force the password.

sweet someone should tell my company

[BeerSlurpy]

Where to begin?

First off, the root password for the main application server is a straight alpha password that hasnt changed in about 5 years and is known by most of the operators and developers.

Second, there are trust relationships between most of the hardware in the company such that gaining root on one server effectively grants root on all of them.

Thirdly, many of the important infrastructure pieces (routers and stuff) have been given identical admin passwords that are well known (this was at least recently changed for the routers).

Fourth, much of the software we use to perform infrastructure functions is hopefully out of date, such that there are many published root level vulnerabilities for nearly every service running on our network.

And we are a medical device company under FDA regulation. No audit has ever turned up a single discrepency. How's that for reassuring?

Physical keys, baby

[ecloud]

Every computer needs either a smart-card slot or an iButton reader, and by logging in with that, you ought to be able to do challenge-response or rolling-code authentication on every system to which you are allowed access, with the key doing the computations on board. Passwords ought to be obsolete by now, or supplementary in ultra-high-security systems only. Certainly by the time the sysadmins decide that they have to be so long and changed so often, that you haven't a prayer of remembering them, then it's high time to replace them with something else.

Complex passwords for Simple Users

[routerwhore]

I have been thinking of a way to deal with complex passwords for simple users lately and it has lead me to keyboard patterns. For instance, if you look at the password 12qwas!@QWAS, it is a 12 character password that includes 2 numbers, 4 lowercase letters, 4 uppercase letters and two punctuation. It would take forever and a day to break it...but look how easy it is to type.

This leads me to the conclusion though that there are probably much fewer intuituve keyboard patterns then there are characters in the passwords. If someone created a dictionary based on keyboard patterns, I expect that it would be a significant way to overcome a lot of complex passwords.

Live example

[bolix]

Recent research [cam.ac.uk] supports the belief that one well chosen password will defeat most intruders and that enforced rotation leads to weak passwords.

Here in work i've implemented a reasonable level (read: what you get for free from MS) password policy on the GC/DC (its a MS shop).
Passwords:

* Vary between Upper and Lower case
* Contain at least 1 number
* Have a minimum of 8 characters (MacOS9 users are only allowed to use 8 unless they have the MSUAM)
* Forced change every 90 days
* Differ from the 3 passwords used previously

In addition we encourage users to pick strong passwords:

Good Passwords contain:

* Multiple small words (let me in now: LetM3In0w)
* Unusual keys (open at eight : 0pEn@Ate)
* Personal Acronyms (open now please : 0pN0Plez)
* Replace letters with numbers (close please : C7o53p7z)
* Misspelled or nonsense words (close please : klOz3PeaZ)
* Offset the Number/Word (to home sweet : H0m325we3t)
* Non-sequential words from songs/poems (home of the brave: 7hebRaFovH0m3)
* A combination of the above!

Bad Passwords contain:

* Countries or Place names
* Names (First or Last)
* Anything Workplace related
* Historical events and Dates
* Personal information: Phone numbers, Birthdays or Social Security numbers
* Dictionary (English and Foreign language) words
* Consecutive numbers
* Popular phrases separated by spaces, underscores or a hyphen

I recently conducted an audit using the excellent @stake LC5 [atstake.com]. I used the SAM agent import feature and not the sniff the wire capability. It cracked 26/196 passwords in less than 50 seconds with straight dictionary attacks tho' to be fair it was running checks against the weaker LM password. It finished the run with 96/196 successful cracks in around 11 hours using the dictionary, hybrid dictionary/brute force and straight brute force cracking.

It got many "strong passwords" chosen using the above methodology which is similar to the previous post [makemeapassword.com]. I am not too worried as ANY password is vulnerable to determined brute forcing. Thats the reason you combine strong passwords and an x-attempt lockout policy.

The bonehead central office still enforces the password rotation despite the evidence that users are sabotaging the process. I sincerely believe this collision of function and security is a zero sum game: the users need to work meeting a complex security process irrespective of the necessity.

I am actively looking into 3rd party DC/GC extensions which perform the routine checks LC5 used so successfully and that have been in use on *nix systems for years. I'd love to hear from any1 in a similar situation. Please note i had reservations purchasing from @stake based on their abhorrent treatment of Dan Geer [itconversations.com] and evidently vindictive successive OSX disclosure [securityfocus.com] campaign.

Re:Simple...

[XaXXon]

Oops, except that's often now how the password is cracked. You don't try the password on the machine over and over, you get a hold of the encrypted password and check against that. This is much faster, as it involves no network activity for each try, only getting a hold of the encrypted password information.

The solution to the problem you are trying to solve is already in place on most systems, anyhow. When you fail to provide the correct password, you are punished by having to wait some amount of time (usually seems to be about 3 seconds). This way, instead of being able to test millions of combinations a minute, you can try 20. This way, your "friend" can't lock you out by typing your password wrong 3 times. Practical jokes are commonplace where I work.. don't need to make it easier on 'em..

Re:Simple...

[XaXXon]

oops, that 5th word was supposed to be "not" not "now".

Crap, I hate it when the typo is still correct English.. People read right through it and assume you're dumb instead of just not being able to type (or proofread).

Ah well.

Re:Simple...

[Anonymous Coward]

you get a hold of the encrypted password and check against that

The days when anyone on a system could just get all the encrypted passwords are long-gone. Getting encrypted passwords requires a root compromise these days. We not in the 90s anymore. :)

Re:Simple...

[gl4ss]

it's restricted on most/all systems already that way and besides the throughput limitations on bruteforcing a live system would prove quite troublesome.

generally you would sniff the datastream and try to crack that I imagine(because that's the only thing you could do).

(insecure software with flaws proves the biggest security problem for the foreseeable future anyways, there's always possibility of using single use passwords which are _already_ in use on sensitive/important systems)

Re:What about /etc/shadow?

[gregmac]

The only way hackers can check passwords quickly enough to matter is if they manage to obtain access to the file that contains the checksums for the users' passwords. In Linux, at least, this is /etc/shadow, which can only be accessed by root. If a hacker has access to the files owned by root then you have much bigger problems than a hacker trying to guess at users' passwords.

This raises another good point, where if you're properly controlling the methods to access whatever it is you're protecting, you ca

MOD THIS GUY UP!

[theLOUDroom]

This raises another good point, where if you're properly controlling the methods to access whatever it is you're protecting, you can cut off someone that's trying to brute force (ie, wrong password 3 times in a row). Then your length isn't going to matter as much.

That's the key here folks.

Passwords should only be used in circumstances where you can control the number of attempts.

If you CANNOT cut off access after N failed attempts, you should be using a full-fledged lots-of-bits crypto key. An example would be using PGP on an email.

A lot of people are looking at the situation in terms of Moore's law. Moore's law should have no effect on how many logins per minute you allow me to attempt. That is a config option.

In sort, it doesn't matter how fast your computer is. If ebay only lets you try 3 logins per minute, that's all you get.
If you're letting people try 1,000+ password per minute on your system, THAT's the problem, not that some guy only had a 6 character random password as opposed to 8.

So to sum up:
Passwords should not be used in case where somebody else is going to have >100 attempts to break it. At that point you should be using >1KB crypto keys.
This is not a password policy problem, it's human somewhere not understanding what passwords are good for.

Re:New (Bad) Idea

[Dave21212]

Bad idea because of the obvious exploit... an attacker could DOS the entire user base in a handful of minutes by trying/failing each ID.

Of course, any BOFH might enjoy the "lockout the boss" feature included.

Interestingly, Lotus Domino uses a feature where as each attempt fails, the password prompt is delayed by a number of seconds. The delay increases exponentially, but never completely locks the user out. After a set period (minutes), the delay goes away and you start again. VERY effective in bloc

Re:Times change; don't fear.

[WebMasterJoe]

Yes, passwords will become a thing of the past - in the future. Until that happens, I think we needn't worry, panic, and speculate.

Oh, I think we should at least worry and speculate. When something new comes out in the future, it will only be because someone worried and/or speculated about how the current system can be changed or replaced.

Who do you think will be behind that change? At some point, someone will come up with an idea that will be the start of this new system. It could be a slashdot reader