Security

Passwords - 64 Characters, Changed Daily? 645

isepic writes "It seems over the past few years that the password requirements have changed - each time making it even more difficult to crack. My company just changed its password requirements from 180 days down to 90 for most servers and from a minimum of six characters up to eight. So, as parallel processing computer clusters gain in power according to Moore's law, how are we expected to change them in the next 2-10 years --- and how often?"

"Hopefully by then, there will be a better way, but I really don't want to have to change my password every 8 hours, and not be able to use the last 5 I've used, AND have them each be some awfully long and complex string of hard-to-remember ASCII codes just because a computer can crack a 32 char password in 10 seconds.

What are your thoughts? Do you think one day we'll be SOL, or do you think something 'better' may come (e.g. biometric scanners on every keyboard and or mouse and or monitor - etc.)"

  • by G4from128k ( 686170 ) on Sunday August 08, 2004 @05:37PM (#9915414)
    At what point in time do employees spend more time (= money) creating, remembering and retrieving inscrutable passwords than they spend recovering from hacker incursions? An employee's ability to handle rapidly changing, complex passwords is fixed by evolution, whereas hackers' abilities to break or phish passwords are only going to increase. At some point the curves will cross and organizations will spend more to keep things locked than they lose with leaky passwords.
  • Normal users (Score:5, Interesting)

    by Skiron ( 735617 ) on Sunday August 08, 2004 @05:37PM (#9915416)
    In my opinion as a Sysadmin, it doesn't matter what device[s] you bring in to try to 'secure' users and passwords.

    They still write them down, and still 'share' (if somebody hasn't got access to a file share the other has, but he/she wants them to look at something - they don't even *think* about the option to copy it to a public share to do it! - then they give out passwords).

    Plus normal users forget them after a few days of work anyway - I usually reset around 5 passwords on Monday mornings after people have had two days off work - plus an average of 10 a week afterwards on a user base of 150.
  • Re:Use a CueCat (Score:3, Interesting)

    by the_mad_poster ( 640772 ) <shattoc@adelphia.com> on Sunday August 08, 2004 @05:40PM (#9915449) Homepage Journal

    Heh heh... ironically, the CueCat wasn't exactly the height of security back in the day, and most Slashdotters who have one have probably long since removed the EEPROM that transmitted the cat's real unique ID.

  • makemeapassword.com (Score:5, Interesting)

    by mgkimsal2 ( 200677 ) on Sunday August 08, 2004 @05:40PM (#9915451) Homepage
    Not a perfect system, but is something which can help people come up with something more secure than 'password' while incorporating numbers and punctuation marks.

    makemeapassword.com [makemeapassword.com]
  • Re:Just do what I do (Score:2, Interesting)

    by fastfingers55 ( 803824 ) on Sunday August 08, 2004 @05:43PM (#9915463)
    Our system requires that the new password have at least 3 characters different from the previous one. So that scheme would not work. Nor would password001, password002... The idea of using an abbreviation for the month falls apart too. For example: passwordjun, passwordjul, passwordaug all do not change enough.
  • Re:Biometrics (Score:3, Interesting)

    by molafson ( 716807 ) on Sunday August 08, 2004 @05:46PM (#9915485)
    If you use biometric data for your passwords then you can never change your passwords. The first time you use a cracked login terminal you've lost security forever, unless you have surgery.

    That is why it is better to use both: a good pass-phrase that you change from time to time, which is hashed together with your retinal scan, fingerprint, etc.
  • by jncook ( 4617 ) on Sunday August 08, 2004 @05:52PM (#9915519) Homepage
    To quote Bruce Perens, if security really matters, you should base it on three things:

    * Something you know (password or PIN)
    * Something you have (badge or bank card)
    * Something you are (thumbprint, hand scan, voice check)

    This is how CounterPane security locks up its own colo facility. (Of course, they also tape everybody coming in, and there's a live guard who knows your face.)

    Each of these components can be relatively weak, but in combination they are quite strong. For instance, you could probably let people choose any password they wanted as long as you required, say, their badge and a thumbprint to log on.

    For backwards compatibility, write a macro that generates random strings of characters the maximum length accepted by the legacy system to which you must log on. Encrypt the list of passwords, and use the method above to decrypt the password archive as needed.

    James
  • by sanermind ( 512885 ) on Sunday August 08, 2004 @05:55PM (#9915534)
    As computers get faster, simply use more difficult and time-consuming algorithms to verify passwords. If you use a verification step that takes 256 times as long [even for the same old 6-character password], when computers get eight times faster, they are worse off than they were before in trying to brute-force the password.
  • by __aaitqo8496 ( 231556 ) * on Sunday August 08, 2004 @06:00PM (#9915572) Journal
    has anyone thought of comparing the current use to statistical past use? for example, as i sit here typing on my workstation, there are certain keyboard commands i consistently use. there are certain words i consistently misspell, and even how i fix the mistakes. do i backspace all the way? do i highlight the typo, delete, then correct, or do i highlight and correct? there are many nuances that could be tracked, which might include simple things like using an application to open a file vs. using a file system browser (i prefer the latter).

    tracking this sort of statistical information could be useful in verifying that the current user is who they should be. there is no password to remember or forget. after the computer is statistically "sure" that the user isn't who it should be, there are several steps that could be taken. one of such would be to simply notify an admin. another would be to immediately lock the user out. or, what i think is the best idea - offer a challenge question: "What month were you born in?" If they cannot answer the question correctly with a fair amount of rapidness, lock them out.

    I think this sort of tool could be the ubercool way to ensure the user is who they say they are. Of course the possible downside to this is not being able to have someone log in and check something for you (maybe a good thing?)

    Has this been tried, developed, or thought of? If not, I call prior art on anyone who patents it ;)
  • Re:Just do what I do (Score:5, Interesting)

    by Pharmboy ( 216950 ) on Sunday August 08, 2004 @06:01PM (#9915576) Journal
    What I never got was this: If I have a password, and no one else ever knows it, AND I check my logs so I know if someone is trying to hack my account, what good does changing it anyway?

    As soon as I see an attempt to hack it, I would change it. Until then, I have a great password that my wife doesn't even know about. If someone tries to hack it on Wednesday, it doesn't matter that I changed it on Monday, or last year: It will still take more time to crack than will pass before I check the logs.
  • Re:Just do what I do (Score:2, Interesting)

    by Javagator ( 679604 ) on Sunday August 08, 2004 @06:12PM (#9915650)
    I work at a company where I have to access about 10 different accounts or networks, all with different password policies. I just write the passwords down on stickies (cleverly disguised as real memos) and paste them on my monitor. I work in a building with guards and badges, so we don't get a lot of bad guys wandering around. If someone has physical access to your computer, you are hosed anyway. I don't keep my love letters or anything on my work computer anyway, it's just boring company stuff.
  • Re:Just do what I do (Score:4, Interesting)

    by Megor1 ( 621918 ) on Sunday August 08, 2004 @06:13PM (#9915653) Homepage
    Since password cracking relies on having access to the password hash, simply make the hashes an order of magnitude longer to calculate.
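The two comments above (make each verification take 256 times as long; make the hash an order of magnitude longer to calculate) describe what salted, iterated password hashing does: the per-guess cost is a parameter the defender can raise as hardware gets faster. Here is an added Python example, not code from the thread, using PBKDF2-HMAC-SHA256 from the standard library. The iteration count, the storage format and the attacker's hash rate are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumption: an iteration count that makes one verification take a fraction of
# a second on the server. Raise it as hardware gets faster; each stored record
# carries its own count, so old entries can be upgraded at the next login.
ITERATIONS = 200_000


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Salted, iterated hash. Every one of the `iterations` rounds has to be
    repeated for every guess, so the attacker's cost per candidate scales
    with the count while the legitimate user pays it once per login."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constructed storage format: algorithm$iterations$salt$hash, hex-encoded.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def upgrade_if_weak(password, stored, target=ITERATIONS):
    """At login the plaintext is available, so a record hashed with fewer
    iterations than `target` can be replaced. Returns the new record, or
    None when the password is wrong or the record is already strong enough."""
    if not verify_password(password, stored):
        return None
    if int(stored.split("$")[1]) >= target:
        return None
    return hash_password(password, iterations=target)


def attacker_seconds(keyspace, iterations, single_hash_rate):
    """Offline brute-force time: every candidate costs `iterations` hashes.
    `single_hash_rate` is the attacker's raw SHA-256 throughput (assumed)."""
    return keyspace * iterations / single_hash_rate


if __name__ == "__main__":
    record = hash_password("six4six")
    print(record)
    print(verify_password("six4six", record), verify_password("wrong", record))
    # A 6-character lowercase password against an assumed 1e9 hashes/s attacker.
    keyspace = 26 ** 6
    fast = attacker_seconds(keyspace, 1, 1e9)
    slow = attacker_seconds(keyspace, 256, 1e9)
    print(f"1 iteration: {fast:.3f}s, 256 iterations: {slow:.1f}s")
```

The `upgrade_if_weak` step is what lets the count be raised over the years without forcing anyone to change their password: the record is rewritten the next time the user logs in.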
  • by einhverfr ( 238914 ) <chris...travers@@@gmail...com> on Sunday August 08, 2004 @06:24PM (#9915739) Homepage Journal
    You are probably reasonably right on the basic probabilistic mathematics of this approach. However, I still take issue with your conclusions because:

    1) Trojan back-doors could be used to covertly do a distributed crack on a password. Thus you have to deal both with the exponential growth in processor power *and* the exponential growth of the internet. So Moore's law gets beat.

    2) I find that about 8 characters is the best for my general security. If I use 8-character passwords, I use a lot of mnemonic devices. An 8-character password can then contain shortened versions of two strings which are far longer and are more likely to contain non-alphanumeric characters (!, @, &, #, etc.). If I get longer passwords, I tend to write out the phrases, which, although they tend to be in obscure languages, still allow for an avenue of dictionary attack which might otherwise be difficult if I am using contractions.

    IMO, the future of security is in public key authentication. In this model, you will carry with you a key AND have to provide some sort of passcode to decrypt the key. This passcode could be biometric, passphrase-based, etc. The key can be lengthened transparently to the user so that they don't have to be aware of it, or replaced when lost.
  • by Anonymous Coward on Sunday August 08, 2004 @06:26PM (#9915758)
    Dude. There's an AC post [slashdot.org] in this exact story that gives Anderson's formula, and discussion. And yet this vague rambling about Moore's law gets a +5? WTF, moderators? I guess you only read AC posts as followups, and give them -1 Troll automatically? The other post is actually insightful. This post is merely "getting warmer", without presenting a formula or analysis.
  • by BeerSlurpy ( 185482 ) on Sunday August 08, 2004 @06:35PM (#9915811)
    Where to begin?

    First off, the root password for the main application server is a straight alpha password that hasn't changed in about 5 years and is known by most of the operators and developers.

    Second, there are trust relationships between most of the hardware in the company such that gaining root on one server effectively grants root on all of them.

    Thirdly, many of the important infrastructure pieces (routers and stuff) have been given identical admin passwords that are well known (this was at least recently changed for the routers).

    Fourth, much of the software we use to perform infrastructure functions is hopefully out of date, such that there are many published root level vulnerabilities for nearly every service running on our network.

    And we are a medical device company under FDA regulation. No audit has ever turned up a single discrepancy. How's that for reassuring?
  • Re:Just do what I do (Score:3, Interesting)

    by Pharmboy ( 216950 ) on Sunday August 08, 2004 @07:08PM (#9915991) Journal
    And who said I am *NOT* that smart person? ;)

    Smart people are also the ones who ask questions like "Why are we doing this?", while the dumb ones say "Because we have always done it this way". Just because a smart person suggests something, that doesn't guarantee it's a smart thing to do.

    Forcing changes in passwords that guarantee that users will write the new password on post it notes on their monitors is not smart either. I know, I see it all the time, and the users simply do NOT get why this is dangerous. They don't even care, if the system is screwed, they will just bitch until its back up again. There is no *PRICE* for their ignorance, so they don't learn.

    This is why I try to put a price on it. When users do stupid things, it always causes the firewall to go down. (hint hint) You installed a screensaver? It made the firewall go down, you can't get on the net for a day. You launched an attachment? It messed up the firewall, your station can't get on the net for a day until I fix it. You installed a game on your system? Man, that may take a couple days to fix the firewall then... Don't even think about using your own mouse, keyboard, or software programs. That will probably crash the computer, and it will be down for a week. Shitty, yes, but as an admin, it's easier to generate fe3r from idiots than it is to educate them, and it certainly requires less work on my part.

    I am a self-professed asshole admin. It's only a small part of my job description, so I can't spend all day fixing things. I should write a journal on this, I can make BOFH look like a freaking sweetheart, except mine isn't fiction. And yes, it works wonderfully.
  • Re: Or what I do (Score:4, Interesting)

    by E_elven ( 600520 ) on Sunday August 08, 2004 @07:20PM (#9916073) Journal
    I need to start cut-n-pasting this. There should be a topic for Passwords.

    Use visual passwords rather than mnemonic ones. My standard-prescribed solution is to teach this to all new users; I sit them next to a computer and give them some strips of coloured paper (not necessary but helpful with complete newbs). They'll get the gist fast and be able to be pretty savvy shortly - and changing a password is exceedingly easy.
    1. Pick a letter. Any letter will do but to start with you may want to take the first letter of your name.
    2. On the bottom row of the keyboard, pick any key from Z to M.
    3. Using the paper strips, draw your letter on the keyboard so that you start from your starting key (Z to M).
    4. Look at the keys under your strip. That's your password.

    Here's a visualization for the letter A starting from the key V:
    = 1 2 3 4 5 6 * 8 9 0 - = \
    == q w e r t * * i o p [ ]
    === a s d f * * * k l ; '
    ==== z x c * b n * , . /
    The plain password is: vgy7ujmh
    Using alternate shift: VgY7UjMh or vGy&uJmH

    This can easily be expanded to even more secure ones by adding more letters. A good scheme for variant passwords is to use something that identifies with the realm - for example for Slashdot, a password could be made from the letters 'slash' (on a Dvorak here, sorry):

    qJkU.#4%kUp$xBjUy^fDbIxBmHf^7*xIy%mHg&f

    Variation made easy. Try it.
  • USB key. (Score:2, Interesting)

    by PzyCrow ( 560903 ) <john@milsson . n u> on Sunday August 08, 2004 @07:41PM (#9916212)
    Why not have a PGP processor storing a private key in a non-readable register?
    Put the processor in a USB device and have some biometrics verification on the device.
  • Re:Just do what I do (Score:3, Interesting)

    by dtfinch ( 661405 ) * on Sunday August 08, 2004 @08:17PM (#9916415) Journal
    I've noticed that a lot of people like to get their posts on top by replying to the first reply of the first reply ... of the first post.

    Seems like the perfect place to advertise my open source Strong Password Generator [mytsoftware.com].

  • by ubertopf ( 693957 ) on Sunday August 08, 2004 @08:37PM (#9916556)
    I usually do:
    'dd if=/dev/urandom bs=6 count=1 |mmencode'
    to get a new passwd if I can't think of one, and store it in a gpg-encrypted file in a (rather) secure location until I can remember it ..
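The one-liner above takes 6 bytes from /dev/urandom and base64-encodes them, which yields an 8-character password carrying 48 bits of entropy. As an added example (not from the post), here is the same thing in Python, with functions that put that figure next to the entropy of human-chosen passwords of the lengths the submitter asks about and an assumed offline guess rate.

```python
import base64
import math
import os


def random_password(n_bytes=6):
    """Equivalent of `dd if=/dev/urandom bs=6 count=1 | mmencode`: n_bytes of
    OS randomness, base64-encoded with padding stripped. 6 bytes -> 8 chars."""
    return base64.b64encode(os.urandom(n_bytes)).decode("ascii").rstrip("=")


def random_password_bits(n_bytes):
    """Each urandom byte contributes 8 bits; base64 only changes the spelling."""
    return 8 * n_bytes


def chosen_password_bits(length, alphabet_size):
    """Upper bound for a password drawn uniformly from an alphabet; real
    human choices (words, dates, keyboard patterns) sit far below this."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try the entire space at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e9  # assumed offline guess rate against an unsalted, fast hash
    print("random 6-byte password:", random_password())
    for label, bits in [("6 urandom bytes", random_password_bits(6)),
                        ("8 lowercase letters", chosen_password_bits(8, 26)),
                        ("12 printable ASCII", chosen_password_bits(12, 95)),
                        ("32 printable ASCII", chosen_password_bits(32, 95))]:
        print(f"{label:>20}: {bits:6.1f} bits, "
              f"{years_to_exhaust(bits, rate):.3g} years to exhaust")
```

Against a fast offline attack 48 bits is only a few days at the assumed rate, which is why the same generator is paired with an iterated hash or an online lockout; raising `n_bytes` to 16 gives 128 bits and a 22-character string, which is the kind of password that belongs in an encrypted store rather than in memory.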
  • Crypticide - (Score:1, Interesting)

    by Anonymous Coward on Sunday August 08, 2004 @09:10PM (#9916751)

    Alec Muffett [crypticide.com], author of Crack, the password cracker [crypticide.com] has an ongoing project [crypticide.com] to document & educate why reusable passwords are bad [crypticide.com].

    Oh, and no, I'm not Alec, just a friend [csamuel.org] who happens to agree that they're well past their use-by date.

  • Re:Just do what I do (Score:3, Interesting)

    by eric76 ( 679787 ) on Sunday August 08, 2004 @09:17PM (#9916790)
    ... easy-to-remember (and hence, likely easy-to-crack) passwords

    Those two are not necessarily related.

    You can have easy to remember, well, relatively easy to remember, passwords that would be tough to crack.

    My favorite approach is to create nonsense type phrases with some odd punctuation.

    For example, something like:

    I borrowed all the books from the library! and read them both.

    or

    An ultranet in a test tube is truly a fine thing to behold?

    Or you could also take a favorite quote and modify it somewhat.

    For example, instead of

    The pen is of no avail against the sword, but the pen and the sword will always prevail over the sword alone.

    by Albert Camus, how about

    The cat is of no avail against the skunk, but the cat and the skunk will always prevail over the skunk alone.

    Of course, you don't want to have to enter passwords like that too often.

    it encourages people to write their passwords down and store them in what is probably a very insecure location!

    Writing a password down is not that much of a problem. Most people will achieve greater security if they use a password complex enough that they really do need to write it down than if they choose an easy to remember password that they can easily remember.

    But your point about the secure location is valid.

  • Re:Just do what I do (Score:3, Interesting)

    by Inda ( 580031 ) <slash.20.inda@spamgourmet.com> on Monday August 09, 2004 @04:51AM (#9918474) Journal
    We had a change of policy here not so long back. Dictionary words and proper names were disallowed. Of course I was the only one that read the email about this.

    The boss's secretary was presented with the change password dialog one morning. It would not accept any of her desired new passwords.

    I said "You can't use your son's name anymore". The look on her face was priceless. I was amazed too; I thought this sort of thing only happened on the TV.

    The really sad thing is that a cleverly crafted spoofed email from me is all it would take to gain half of the passwords in here. People already know I spoof emails using the webserver. I've told them how easy it is to do. They would still hit that reply button and tell me their password.

    Still amazes me to this day.
  • by NameOfTheDragon ( 791152 ) on Monday August 09, 2004 @05:54AM (#9918648)
    Robert Hensing (MS Security Response) has an interesting article on this in his newly-created blog. His basic assertion is that we should all forget password complexity and just go for something long but simple to type. The spacebar opens a whole new dimension in uncrackable passwords, apparently. Robert's blog is at http://blogs.msdn.com/robert_hensing/ [msdn.com]
  • by routerwhore ( 552333 ) * on Monday August 09, 2004 @06:21AM (#9918707) Homepage
    I have been thinking of a way to deal with complex passwords for simple users lately and it has led me to keyboard patterns. For instance, if you look at the password 12qwas!@QWAS, it is a 12 character password that includes 2 numbers, 4 lowercase letters, 4 uppercase letters and two punctuation marks. It would take forever and a day to break it...but look how easy it is to type.

    This leads me to the conclusion though that there are probably much fewer intuitive keyboard patterns than there are characters in the passwords. If someone created a dictionary based on keyboard patterns, I expect that it would be a significant way to overcome a lot of complex passwords.
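E_elven's shape-drawing scheme earlier in the thread and routerwhore's point just above that keyboard patterns form a small dictionary are two sides of the same thing. This added Python example (not code from either post) does both: `path_to_password` reads a password off a drawn path on a US QWERTY grid and reproduces the thread's vgy7ujmh example with both shift variants, and `is_keyboard_walk` is the policy check a defender would run, flagging passwords that are mostly a walk across neighbouring keys. The grid (row stagger ignored), the path coordinates and the 0.8 threshold are assumptions.

```python
# US QWERTY rows as drawn in the post; the physical row stagger is ignored
# (a simplification), which is close enough for adjacency checks.
UNSHIFTED = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["!@#$%^&*()_+", "QWERTYUIOP{}", 'ASDFGHJKL:"', "ZXCVBNM<>?"]

POSITION = {}   # any character -> (row, col) of its key
SHIFT_OF = {}   # unshifted character -> shifted character on the same key
for row, (plain, shifted) in enumerate(zip(UNSHIFTED, SHIFTED)):
    for col, (p, s) in enumerate(zip(plain, shifted)):
        POSITION[p] = (row, col)
        POSITION[s] = (row, col)
        SHIFT_OF[p] = s

# The letter A drawn from V as in the post: up the right-leaning stroke
# v g y 7, down u j m, then the crossbar h (constructed path coordinates).
A_FROM_V = [(3, 3), (2, 4), (1, 5), (0, 6), (1, 6), (2, 6), (3, 6), (2, 5)]


def path_to_password(path, shift_parity=None):
    """Read the keys under a drawn path. shift_parity=0 shifts the even
    positions, 1 the odd ones, None leaves every key unshifted."""
    out = []
    for i, (row, col) in enumerate(path):
        key = UNSHIFTED[row][col]
        if shift_parity is not None and i % 2 == shift_parity:
            key = SHIFT_OF[key]
        out.append(key)
    return "".join(out)


def adjacent(a, b):
    """True when two characters sit on the same key or on neighbouring keys."""
    (r1, c1), (r2, c2) = POSITION[a], POSITION[b]
    return max(abs(r1 - r2), abs(c1 - c2)) <= 1


def keyboard_walk_ratio(password):
    """Fraction of consecutive character pairs that are keyboard-adjacent."""
    pairs = list(zip(password, password[1:]))
    if not pairs:
        return 0.0
    hits = sum(1 for a, b in pairs
               if a in POSITION and b in POSITION and adjacent(a, b))
    return hits / len(pairs)


def is_keyboard_walk(password, threshold=0.8):
    """Policy check: reject passwords that are mostly a walk across the keys."""
    return keyboard_walk_ratio(password) >= threshold


if __name__ == "__main__":
    for variant in (None, 0, 1):
        pw = path_to_password(A_FROM_V, variant)
        print(pw, round(keyboard_walk_ratio(pw), 2), is_keyboard_walk(pw))
    print("12qwas!@QWAS", round(keyboard_walk_ratio("12qwas!@QWAS"), 2))
```

Both vgy7ujmh and 12qwas!@QWAS score above 0.9, so the check catches the shape scheme as well as the row-walk; a generated or phrase-based password scores far lower.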

  • Re:Just do what I do (Score:3, Interesting)

    by Jim_Maryland ( 718224 ) on Monday August 09, 2004 @09:06AM (#9919272)
    The policy we follow here is for system administrators to keep a sealed envelope with the root/administrator passwords. Each password is in its own envelope with the systems it belongs to written on the outside of the envelope. These envelopes are then stored in a secure environment (a safe for example) to ensure that access can be restored if absolutely necessary. A small group of people (not necessarily system administrators) have access to these envelopes and they must follow a strict policy (including setting a new password) on handling these documents. Implementing this sort of policy prevents the problem you indicated where you have a system without the root/administrator password.
  • by RetroGeek ( 206522 ) on Monday August 09, 2004 @10:41AM (#9920004) Homepage
    First of all, they could put their passwords on post-its in the locking drawers most desks have. Almost as convenient, but MUCH more secure.

    You mean those locking drawers where the key number is stamped on the lock?

    I usually place a sticky note with a random number of characters under my keyboard. It looks like a password, and may even BE someone's password.

    But it is not MY password and it is not close to my password. This entertains whoever is trying to break into my computer for hours....
  • Live example (Score:3, Interesting)

    by bolix ( 201977 ) <bolix@hotmaSLACKWAREil.com minus distro> on Monday August 09, 2004 @11:17AM (#9920279) Homepage Journal
    Recent research [cam.ac.uk] supports the belief that one well chosen password will defeat most intruders and that enforced rotation leads to weak passwords.

    Here in work I've implemented a reasonable-level (read: what you get for free from MS) password policy on the GC/DC (it's an MS shop).
    Passwords:

    * Vary between Upper and Lower case
    * Contain at least 1 number
    * Have a minimum of 8 characters (MacOS9 users are only allowed to use 8 unless they have the MSUAM)
    * Forced change every 90 days
    * Differ from the 3 passwords used previously

    In addition we encourage users to pick strong passwords:

    Good Passwords contain:

    * Multiple small words (let me in now: LetM3In0w)
    * Unusual keys (open at eight : 0pEn@Ate)
    * Personal Acronyms (open now please : 0pN0Plez)
    * Replace letters with numbers (close please : C7o53p7z)
    * Misspelled or nonsense words (close please : klOz3PeaZ)
    * Offset the Number/Word (to home sweet : H0m325we3t)
    * Non-sequential words from songs/poems (home of the brave: 7hebRaFovH0m3)
    * A combination of the above!

    Bad Passwords contain:

    * Countries or Place names
    * Names (First or Last)
    * Anything Workplace related
    * Historical events and Dates
    * Personal information: Phone numbers, Birthdays or Social Security numbers
    * Dictionary (English and Foreign language) words
    * Consecutive numbers
    * Popular phrases separated by spaces, underscores or a hyphen

    I recently conducted an audit using the excellent @stake LC5 [atstake.com]. I used the SAM agent import feature and not the sniff the wire capability. It cracked 26/196 passwords in less than 50 seconds with straight dictionary attacks tho' to be fair it was running checks against the weaker LM password. It finished the run with 96/196 successful cracks in around 11 hours using the dictionary, hybrid dictionary/brute force and straight brute force cracking.

    It got many "strong passwords" chosen using the above methodology which is similar to the previous post [makemeapassword.com]. I am not too worried as ANY password is vulnerable to determined brute forcing. That's the reason you combine strong passwords and an x-attempt lockout policy.

    The bonehead central office still enforces the password rotation despite the evidence that users are sabotaging the process. I sincerely believe this collision of function and security is a zero sum game: the users need to work meeting a complex security process irrespective of the necessity.

    I am actively looking into 3rd party DC/GC extensions which perform the routine checks LC5 used so successfully and that have been in use on *nix systems for years. I'd love to hear from any1 in a similar situation. Please note I had reservations purchasing from @stake based on their abhorrent treatment of Dan Geer [itconversations.com] and evidently vindictive successive OSX disclosure [securityfocus.com] campaign.
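The rules listed above (mixed case, at least one digit, minimum 8 characters, differ from the last 3) together with fastfingers55's "at least 3 characters different from the previous one" rule earlier in the thread make a small, checkable policy. Here is an added Python example of such a checker; it is not code from either post. The sample wordlist is constructed, and the checker assumes, as a real change-password dialog can, that the user's current password is typed in at change time so the similarity rule can be evaluated against it.

```python
import re

# Constructed sample wordlist standing in for a real dictionary (assumption).
DICTIONARY = {"password", "welcome", "letmein", "summer", "london", "dragon"}


def chars_differing(new, old):
    """Positions that differ, plus any length difference. This is the reading
    of 'at least 3 characters different from the previous one' used here:
    password001 -> password002 differs by 1, passwordjul -> passwordaug by 2."""
    same = sum(1 for a, b in zip(new, old) if a == b)
    return max(len(new), len(old)) - same


def policy_failures(candidate, history=(), min_length=8, history_depth=3, min_diff=3):
    """Return the names of the rules `candidate` breaks; an empty list means
    the password is accepted. `history` lists earlier passwords, oldest
    last-but-one and the current one last. A real system keeps only hashes
    of old passwords; the reuse check works on those, and the similarity
    check only needs the current password, which the user has just typed."""
    failures = []
    if len(candidate) < min_length:
        failures.append("length")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        failures.append("case")
    if not re.search(r"[0-9]", candidate):
        failures.append("digit")
    # Strip digits and punctuation so Summer2004 is still caught as 'summer'.
    if re.sub(r"[^a-z]", "", candidate.lower()) in DICTIONARY:
        failures.append("dictionary")
    recent = list(history)[-history_depth:]
    if candidate in recent:
        failures.append("reused")
    if recent and chars_differing(candidate, recent[-1]) < min_diff:
        failures.append("too_similar")
    return failures


if __name__ == "__main__":
    for pw, hist in [("LetM3In0w", []),
                     ("Summer2004", []),
                     ("Password002", ["Password001"]),
                     ("Passwordaug", ["Passwordjun", "Passwordjul"])]:
        print(f"{pw:>12} after {hist}: {policy_failures(pw, hist) or 'accepted'}")
```

The month-abbreviation series from the thread fails the similarity rule at every step, while a rule that only compares hashes against the last three would have accepted each of them.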