Forgot your password?
typodupeerror
Security

Are Often-Changed Long Passwords Really Secure? 233

Posted by Cliff
from the as-long-as-you-don't-write-the-on-stickies dept.
Zweistein_42 asks: "I work at a large, navy-coloured IT corporation. A new, more secured password policy has just taken effect and will be strictly enforced: 8 characters alphanumeric, changed *every 90 days*, with standard checks for non-repetitiveness, dictionary, uniqueness, etc. Is there any research to support whether such requirements actually increase security?"
"I have almost a dozen applications I use daily (e-mail, VPN, Windows login, intranet, FTP, etc), plus 20-30 I access 'occasionally', and their passwords have to be unique - and change at different times. I usually take the trouble to memorize random alphanumeric, un-guessable combinations; but even I won't bother memorizing an average of 2 random strings a week. Eventually, won't most people use their pets names (fuzzy1cat, fuzzy2cat, etc) and start writing passwords on a note on their screen?

Every time I see such a policy, I strongly believe it makes *my* passwords less secure. What is the average user's reaction? What about lost & support time trying to regain forgotten passwords?"
This discussion has been archived. No new comments can be posted.

Are Often-Changed Long Passwords Really Secure?

Comments Filter:
  • My password is password. (keep it quiet!)
    • That does meet the 8 character requirement but not the alphanumeric one so you should change it to p455w0rd to be totally secure.
    • by queenb**ch (446380) on Tuesday February 01, 2005 @08:02PM (#11546273) Homepage Journal
      While in theory this will work, the only thing I've ever known it to do is to cause a rainbow-colored explosion of sticky notes with user name and password information on them to be applied to the upper right corner. It makes the cube farm look like a paririe after a rain - all the little flowers blossoming....

      2 cents,

      Queen B
    • passwords.... (Score:5, Insightful)

      by DarKry (847943) <<darkry> <at> <darkry.net>> on Wednesday February 02, 2005 @04:30AM (#11548676) Homepage Journal
      Honestly this whole password thing is idiotic. Companies are finally answering to the security risks of ten years ago. At this rate by 2010 they will be fixing sql queries based directly off user input. when it comes to cracking/stealing a persons password the best method now days is always to steal. It doesn't matter if your password is 3 pages long if you give it to me I will be able to log in as you. strong passwords are only as good as the minds of those who use them. Add to that the fact that the longer and more complex a single password is, the more likely the employee is to use that password in multiple places. Lets say I want access to a companies VPN, even if I don't know how strong the passwords are, connecting and trying a bunch of easy ones would be pretty dumb. Instead 5 minutes on google will tell me the name f Joe Blow who works there, what his email address is, and a whole bunch of things that he is interested in. So I email Boe Blow with targeted spam, tell him about this amazing new website that just happens to be a community of people with exactly the same interests as him. He goes there and finds out that he needs to set up an account to view the forum. So he has this 10 page password from work that he has already memorized anyway (he wouldn't want anyone breaking into his forum account) so he goes ahead and puts it in the password field. Turns out the forum kind of sucks so he promptly forgets about the site. TADA VPN access, and it only took 20 minutes. This works more than 50% of the time, and the average company has a few more than 2 employees. Watch 90% of the people who see this change their slashdot passwords. :)
      • Re:passwords.... (Score:5, Interesting)

        by BlueTooth (102363) on Thursday February 03, 2005 @07:46PM (#11567926) Homepage
        I compartmentalize my passwords. And I rotate what password fits into any given compartment.

        So the compartments, from most to least secure:
        -root on a machine (different for every account)
        -user accounts (for the Windows and *NIX machines I log onto)
        -email systems
        -financial sites
        -shopping sites (i.e. that store credit cards)
        -forums, etc... (sites for which I assume the jow schmoe admin can see my password in cleartext)

        I generally rotate in a new password every year or two. So even if you r00t me, you still can't get into my bank account...for that you need to r00t my bank ;)
      • Re:passwords.... (Score:3, Interesting)

        by smeenz (652345)
        I would only ever use the same password on systems that have the same administrator running them.. ie, I'll never use my email password for my bank, or my netware password for unix boxes. That's not to say that I *do* use the same password on all those systems.

        Common sense, I would have thought.

  • This is the reason (Score:5, Interesting)

    by popeyethesailor (325796) on Tuesday February 01, 2005 @08:10AM (#11538756)
    things like SecurID [rsasecurity.com] were invented.. 2-factor authentification eliminates most of these special requirements.
    • I went googling for thumb scanners and the like but didn't come up with anything concrete (besides people's blogs where they relate their SF dreams of bypassing a thumb scanner and breaking into the Pentagon). Does anyone have a link to a body part scanner (thumb or finger is HIGHLY preferable to um, other things) that they have used successfully and is available on the open market?
      • by Westley (99238)
        The Microsoft keyboard I'm typing at now has a thumb scanner. Admittedly I don't use it, because it won't let me log into domains, but the recognition stuff does seem to work. How security it is is another matter.
      • by Anonymous Coward
        Try googling for "bum scanner". Bum scanners are much more accurate than thumb scanners, because of the larger size of the inspected area.

        NEW! Now it comes with extra sneak-peak functions to record female employees, erm, significantly identify-able parts!


        It's a joke, laugh.
    • by hey! (33014) on Tuesday February 01, 2005 @10:14AM (#11539558) Homepage Journal
      Amen.

      This whole password thing has got to the point where it's ridiculous. It was Ok when you were on a mini computer with a few hundred users, but it is so inadequate and there is so much at stake, it's absurd that we're still using this dark ages technology.

      Two factor security with strong cryptographic keys on devices that don't have to give up their secrets to any host -- that's the way to go.
    • by Bastian (66383) on Tuesday February 01, 2005 @01:09PM (#11541561)
      I hacked my own together with a USB key containing an encrypted keychain and encrypted copies of my SSH key files. (Granted, I have no idea if a PC equivalent exists - my office lives in Mac-and-Unix-Land.) The keychain is backed up to another secure location every time I add or change a password, because the passwords I use look like what you get when you fall asleep on the keyboard. The USB key comes with me when I leave the computer, and the keychain get's locked automatically after 10 minutes in case I forget.

      Not perfect, but it's better than post-it notes, and it does implement its own version of the "something you have and something you know" philosophy.
    • by Ararat (716144) on Wednesday February 02, 2005 @06:01AM (#11549039)
      Well, one of the reasons. Two-factor authentication was defined (as I recall, by the US Bureau of Standards in the mid-70s) as any AAA system that requires presentation of two of the three factors (something held, something known, something one is), but there was originally an additional requirement: one of those factors must be resistant to replay, dynamic.

      Sniff and replay were then, and in many places still are today, a prominent security threat -- and that threat grew exponentially with the evolution of local nets, and then exploded in scale and volume with the Internet.
      The SecurID, or any One-time Password (OTP) used to provide "strong authentication," does indeed obviate the need for all the Draconian rules now used to buttress the static reusable password or passphrase. In '87, however, as the SecurID was first brought to market, we never thought the static password would survive, no matter how complex it became, because it had none of the inherent resistance to eavesdroppers provided by a dynamic password.

      We never dreamed that -- to save, per user, the price of a keyboard -- the corporate bean counters would stay committed to static reusable passwords for another 20 years, using these increasingly painful routines to make those passwords more resistant to guessing, dictionary, and now pre-computed hash attacks. Nor did we expect that the market would consistantly undervalue one of the token's core virtues: its resistance to sniff and replay.

      We thought it was obvious that a password, however strong, could never be enough.
  • Desk (Score:5, Insightful)

    by maeka (518272) on Tuesday February 01, 2005 @08:14AM (#11538769) Journal
    As long as they don't check the post-it note under your desk - the password is secure!

    But seriously, does a policy like this do anything but encourace people to write down their passwords?
    • But seriously, does a policy like this do anything but encourace people to write down their passwords?

      Yes. Plain and simple: Yes.

      People simply can't/won't remember difficult passwords.

    • by Atrax (249401)
      I don't have mine written down, but it IS visible, in print, somewhere in my house (in a non-L33t-ised form). Find it if you come round for a beer one day.

      it's 16-22 characters dependent on how I vary it and gets changed (strictly speaking varied by 1-5 characters) once every 60 days. So far no problem remembering it or typing it. I'd have trouble telling it to someone, but that's not what it's for anyway....

    • by Kosi (589267)
      Yes, it encourages them to change it like this:

      MyPetsName1
      MyPetsName2
      MyPetsName3
      MyPetsNam e4

      I must admit that I've come to a similar method, I have several base passwords like t/E2.p?aFhBO that I alter in one or two positions when forced to change.
    • Re:Desk (Score:4, Insightful)

      by Mr.Ned (79679) on Tuesday February 01, 2005 @08:39AM (#11538868)
      "But seriously, does a policy like this do anything but encourace people to write down their passwords?"

      It depends where you write it down. If you write it down in some sort of password safe that's encrypted, and keep that only on your hard disk and PDA, that's a heck of a lot safer than the post-it note, and I'd go so far as to call that secure - provided you make sure to keep the encrypted copies in your posession and keyed with a "good" password (longer than 8 characters, who is the story poster kidding).

      Seriously, if you're in IT, don't you already have a bunch of passwords you need to keep track of? Do you really expect to keep those in memory? Why *don't* you have some sort of password vault by now?

    • The company I work for has such a policy. Beside proliferating bad habits (writing down passwords, "trading" passwords between colleagues, etc), it is in a way nonsensical. Why not leave it at "passwords must be over 10 and under 255 characters"? that way, easily remembered phrases can replace unwieldy 8 chars things.
    • I see someone has been playing Blue Chairs recently.
    • But seriously, does a policy like this do anything but encourace people to write down their passwords?

      It does have that effect. But there's a logical reason to want passwords to be tougher and non-permanent. They're obviously reacting to recent reports of security breaches due to stolen passwords. Slashdotters will recall a recent story about identity thieves that were able to steal data for thousands of people using a single stolen password.

      The problem here is not that the security people are stupid. I

    • Depends on who you want to keep your stuff secure from. A collegue and me keep some of our passwords to computers on a sheet of paper posted on our cubical wall. The kicker is this. Most of the computers are accesible only by modem (and the #'s are not there) or are on our VPN (the VPN IPs are listed, though). These machines are not mission critical. The only people we have to worry about stealing the passwords are other employees or people who can get access into the building (hint: not many). Our ma
  • Password Safe (Score:5, Interesting)

    by MaccaUK (761566) on Tuesday February 01, 2005 @08:17AM (#11538781) Homepage
    Funnily enough, the use of a password safe - an app that keeps track of multiple passwords, similar to Apple's Keychain - is available (even encouraged) in that blue company :-)

    Of course, it's kind of a single point of failure in terms of security, if you don't take into account the need to use a boot password and Windows login. Also, if your laptop dies... and you haven't backed up the password file...

  • by MikeyToo (527303) on Tuesday February 01, 2005 @08:18AM (#11538790)
    verify me.
  • And the answer is... (Score:5, Informative)

    by It doesn't come easy (695416) * on Tuesday February 01, 2005 @08:21AM (#11538803) Journal
    No, the requirement does not make for more security.

    I, like everyone else on the planet, work to make things easier for me and to hell with security. A new password every 90 days means people will design a password that passes the requirements but is easy to remember when you have to change it. For example, my last job required at least an 8 character password with at least two numbers and one case change, and you could not reuse passwords for at least 5 changes. So my first password was Th1s1smE. Anyone want to guess what my next password was after the first 90 days?

    Anybody with half a mind (and you KNOW who you are) would run through the likely possibilities quickly enough.

    My opinion: It would be better to provide a tool that would allow a user to rate a password which would let them come up with a password that passes a minimum quality requirement, a password that they could remember without writing it down, and then require it to be changed less frequently (like once per year). And, equally important, provide a second, different authentication mechanism to support the password security (a hardware token system would be one example, biometrics would be another, a prearranged "callback" mechanism would be a third, there are many others).

    Beside, my experience with gaming a requirement like this is that users tend to mess up their password frequently and end up with their password set back to a known default (assuming the admins provide such a default, which in of itself is a very bad security decision). And so sometimes a policy like this will actually provide less security, because at any given time there will be a relatively high percentage of user accounts which are set to a known password. Years ago, I personally demonstrated this situation with one of the VP's of the company I worked for by going through the ID's of the senior managers until we found one using the default password.

    So, long story short, changing passwords frequently does not automatically mean better security. But we all knew that, right?

    • It's easy to create a program that pounds through the first few stages of a brute force algorithm to see which passwords might be susceptible; however, it's difficult to create a program that will rate the human guessability of a user's password, such as incorporating information like maiden names, birthdates, or anniversaries. Though difficult to brute force, guessable passwords like those are a security risk to the individual sitting down at a terminal and making guesses, especially if they have a calenda
    • And, equally important, provide a second, different authentication mechanism to support the password security (a hardware token system would be one example, biometrics would be another, a prearranged "callback" mechanism would be a third, there are many others).

      I wholehearly second this. I've been long enough in the computer business to see lots of good and bad password (or equivalent) schemes. From th standard "lower/upper case, one digit, one special char, at least 6 chars long, non-repeating, checking

    • "Anybody with half a mind (and you KNOW who you are) would run through the likely possibilities quickly enough."

      How would those of us with the other half do?

    • So, long story short, changing passwords frequently does not automatically mean better security. But we all knew that, right?

      Then why in the name of the god of goat cheese does every network that pretends to be secure have these silly ridiculous password rules and once you have fulfilled the rules to get a _good password_ they make you change them?

      I never make my user's change their passwords. In fact, only in Wargames and at some ISPs where people have chosen easy to guess passwords like their username
    • For example, my last job required at least an 8 character password with at least two numbers and one case change, and you could not reuse passwords for at least 5 changes.

      Oh, this is an easy one:

      Quarter105
      Quarter205
      Quarter305
      Quarter405
      Quarter106
      etc.
  • by Fatchap (752787) on Tuesday February 01, 2005 @08:26AM (#11538825)
    Is the problem not that your password has very strict complexity requirements but that there are too many of them?

    I did read a paper (I think from Microsoft not sure) about how passwords were essentially redundant as you could pre compute the hashes of all alphnumeric combinations and then run a dictionary attack against a file pretty quickly. They suggested a pass phrase as the way forward. Perhaps something along the lines of "I love /. last month I posted 10 times" this fulfils all requirements for complexity and is changeable and easy to remember.
    The other solution I often tell people is make your passwords a personal acronym, who would guess "Il/mIp10t" as a password, yet it is easy for me to remember.
  • Long passwords (Score:5, Interesting)

    by Masa (74401) on Tuesday February 01, 2005 @08:32AM (#11538843) Journal
    "A new, more secured password policy has just taken effect and will be strictly enforced: 8 characters alphanumeric, changed *every 90 days*"

    So? In the company I'm working for, we have a policy that the password has to be at least 10 characters long, alphanumeric mixed case and it will change *every 30 days*. And the new password can't be the same as 10 last ones.

    I have solved the problem of memorizing these passwords by using source code as a password. For example: "printf("Hello, World!");" should be complex enough and it is relatively easy to remember.

    To your question: No, I don't know if the longer, more complex passwords are actually more secure / cost efficient than shorter ones, because of the side effects caused by difficult to remember passwords. But at least this kind of policy prevents the most trivial dictionary attacks. It's a completely different story, how else the security is taken care of (ie. educating the personnel, so there will not be any post-it notes laying around and other forms of security, because it's all about layers).
    • Q276304 - Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your Previous 30689 Passwords

      A Microsoft Windows error message as reported by comp.risks 21.37
    • I don't think this is actually more secure. They also have that same 30-day change-over and can't be same as the last 10 ones password policy at my company. But do you know what happens? People just append an incrementing numeric at the end of their password because they have to change it so often. So "password" becomes "password1" then "password2" ad infinitum. I don't think this is anymore secure than having a single long password.

  • I saw the same memo. I am not looking forward to this. What we really need to do is implement a secure single sign on solution like ActivCard that utilizes a smart card and/or biometrics.

    There was an internal badging initiative about a year ago that was looking at moving away from mag stripes for door access. If we bought the right cards for physical access we could leverage that investment for logical.

  • Less secure (Score:5, Insightful)

    by tod_miller (792541) on Tuesday February 01, 2005 @08:44AM (#11538889) Journal
    Longer harder to remember passwords require more human intervention (IT helpdesk reset passwords to 'monday' when you forget it).

    You also are tempted to write them down, or use consequtive patterns as passwords:

    qwer789456123
    0ok9ij8uh

    Things like that. A simple phrase password, with a one time algorithm (give me the 4th, 5th, 7th and 10th letters) take longer to work out in your head, but eavesdroppers (video, shoulder surfing, finger prints (national treasure) and electronic) have a harder time.

    Of course, if you store all your new 8 digita alpha numeric passwords in an access file which is shared in a public folder, that woud make any attempt of l33t passwords a bit redundant. :-)
    • You also are tempted to write them down, or use consequtive patterns as passwords:

      At the IT orientation at my current job, we were told to use consecutive passwords! The genius "security head" explained the rules (long, complex passwords, 60 day life), everyone groaned and he said "Don't worry -- you can do something like..." and described a trivially guessable series of passwords.

  • by tod_miller (792541) on Tuesday February 01, 2005 @08:51AM (#11538930) Journal
    Is silly, if you stop brute force... with intrusion detection systems, if a password does get lost, why give yourself a 45 day (average) allowance? so it is ok for someone to have a password for 45 days, but not longer.

    Also, the root password for my laptop is 'swordfish' (oh halle... I love your baps, but when the line 'it isn't just a multi-monitor system' comes up, I really have to kill nearby carbon based lifeforms.) but noone has hacked it yet for 3 reasons:

    1: It is linux, therefore unhackable, even with r00t password
    2: It has no networking capability
    3: It no longer actually works, and after the drop I gave it, I suspect even the parked heads might not have stopped platter axle damage...

    So have some auditing and heuristic behaviour analysis. Use one time passwords, rigorously check all intrusions based on internal/external. Follow up a failed pssword attempt with a human call (SOMETIMES computers can be the weak link in security) ;-)
    • It no longer actually works, and after the drop I gave it, I suspect even the parked heads might not have stopped platter axle damage...

      Good thing you don't have one of those new Powerbooks!

  • A few points (Score:5, Informative)

    by v1z (126905) on Tuesday February 01, 2005 @08:51AM (#11538932)
    1.
    Changing passwords is ofcourse to reduce impact when a password is stolen/cracked. 90 days sounds a bit long -- is this policy based on evaluating what's *needed* or just based on vague assumptions ?

    If it is expected that keyloggers, bruteforcing or some other form of password-theft is likely, 30 days might be more apropriate.

    2.
    According to various textbooks on computer security, forming a password from 1st (or some'th) letter in a sentence forms passwords which in general terms are as hard to brute-force as "truly" random passwords:

    madly typing at keyboard: 32nfia.-!

    I once saw four naked girls dancing in the moonlight: I1s4ngditm!

    The latter form *may* be slightly more open to guessing the frequency of letters -- but bruteforcing a password with 12 alpha-numeric characters takes a *lot* of effort.

    The main point is that passwords "generated" like that is *much* easier to remember. They may also be more "random" than just typing at the keyboard...

    Some punctation and variations in capitalization should be encouraged/enforced.

    3.
    If you are authenticating against Active Directory -- just use pass phrases. Harder to bruteforce -- and prevents the ntlm-hash (16 chars, one case) being accepted by some braindead system.

    4.
    I personally think single-sign on is an important part of a good security strategy because it allows for more frequently changing of passwords -- admins would typically still need 2-3 accounts (normal user, admin role, testing role), but more managble than 10+

    5.
    Just because a password is written down does *not* mean it's compromised! If security really is so important that everyone needs 5 or more 8 letter "random" and uniqe passwords, I would *strongly* recommend that arangements be made for all passwords to be kept in escrow in a safe.

    That way employees won't have an excuse to keep the password somewhere insecure. Everyone should be able to get their password during work-hours easily (for instance the receptionist that either knows everyone, or is instructed to _demand_ id, could have access to the safe).

    The downside with any kind of escrow, is ofcourse, that one is forced to trust the few people with access to all passwords completly. This is a tradeoff -- but so are all security decisions.

    6.
    You mention bios boot passwords. Is that truly neccessary ? Bios configuration password sounds more reasonable to me. But either one is of rather limited use, unless you are using some form of fortified pc case.

    If you do mean configuration passwords, that is a primary candidate for writing down, and locking in a safe IMHO. Normally all admins would have access to this, so that seems reasonable.
    • You mention bios boot passwords. Is that truly neccessary ? Bios configuration password sounds more reasonable to me. But either one is of rather limited use, unless you are using some form of fortified pc case.

      They're of pretty limited use even then. Almost every major BIOS manufacturer includes a standard back-door password so support guys can get into a locked machine. I know most of them, and I suspect my friend Mr Google would soon tell me any others I needed. Kinda defeats the point, doesn't it?

  • Kerberos (Score:2, Interesting)

    by Trevelyan (535381)
    Isn't this the point of things like kerberos. ie to provide single sign on in you network. so you don't have to remember lists of passwords.

    integrate it with pam, and then you'll get a ticket when you log in, that will be used to authenticate you when you access things like ftp or mail server.

    Ofcourse this wont help with off site login, but at the point you use them you have access to the already mentioned password safes or security managers (eg mozilla's psm or kde's wallet)

    as to the oringinal poi
    • Kerberos is half-heartedly implemented where I am currently. Everything and every service, portal, and daemon is Kerberized but not a single one of them actually talks to, or communicates information with, any other one.

      i.e. there is no "single sign on", there's repeated typing of the same account credentials over and over again to access various distribution nodes, services, accounts, machine resources, etc.

      Having to type the same "single sign on" password 4-5 times in any given session to get anything d
  • by Kris_J (10111) * on Tuesday February 01, 2005 @09:11AM (#11539050) Journal
    Policies like this typically result in more people breaking the rules and writing down their passwords, which in turn reduces security.
  • Security D'ohLTs (Score:4, Interesting)

    by paol (461811) on Tuesday February 01, 2005 @09:12AM (#11539057)
    Bruce Tognazzini has covered this kind of stupidity before.

    "I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.
    (...)
    My wife, the Doctor, was working over the summer at a local hospital. They are fiercely into security, requiring no fewer than four sets of passwords to navigate their system. And why not? There are confidential patient records on those systems! By golly, they ought to have eight sets of passwords, and really make things secure!"

    Read it: http://asktog.com/columns/058SecurityD'ohlts.html [asktog.com]. Better yet, have the people who are implementing this policy read it. Point out it's by one of the leading usability experts in the world. Odds are it won't change anything, but hey at least you tried...

  • by museumpeace (735109) on Tuesday February 01, 2005 @09:20AM (#11539097) Journal
    My company just upped the ante for anyone trying to guess one of our passwords...min of 10 characters of which at least one each of UPPER CASE , special, numeric and lowercase are required...Its hard to produce a memorable password under these conditions. I have about a dozen passwords to remember between the various OSes, LAN security, Mail, and then there is my firewall and systems at home.
    One way to handle it all is to write a script that can deterministically convert some string that you can remember into a password conforming to a parametrically sellected rule [e.g. 12 chars, mixed case and numerics, no specials] I wrote one of these generators in AWK since I have unix boxes at work and run a cygnus shell at home...it even takes account of the date [per GMT] so that I get a fresh PSWD every 3 months but can always reconstruct past passwords in a pinch with override date. I only have to remember my "open sesame" and nothing is ever written down or stored.
  • Translation (Score:5, Funny)

    by skinfitz (564041) on Tuesday February 01, 2005 @09:20AM (#11539098) Journal
    Is there any research to support whether such requirements actually increase security?

    Translation: I can't be bothered changing my password and am too dumb to come up with arguments against this policy to give to my boss on my own.
  • Where I work, that's been the requirement for years. Users are used to it, so it's not a big deal. You don't find stickies lying on the desk either (well, you do, but only passwords for additional systems -- we don't have SSO yet). Actually, our requirements are harsher because you can't reuse a password that's less that two years old. Also, they run a password cracker against everyone's passwords every once in a while, just to make sure people really are making good passwords.

    I like to use mathematical fo
  • Absolutely (Score:3, Interesting)

    by bryanp (160522) on Tuesday February 01, 2005 @09:31AM (#11539165)
    Every 90 days has been the standard everywhere I've worked. For us Sysadmin types it's every 30 days. I can keep up with it, but many end users with the 90 day restriction do exactly as you describe. They write them down, they use the same repetitive patterns, whatever. One user I used to support had a page of passwords in a little notepad he kept in his desk.

    All I can really do is tell them the truth: If anyone gets on the network with their credentials they will be held responsible for what happens. It's hard enough just getting people to lock their screens when they go to lunch. One user got reamed out pretty badly when someone used her email account to send a scathing note to the CEO. The only reason she didn't get fired is that she was at lunch with several people who could vouch for her whereabouts at the moment the email was sent.

  • by hankwang (413283) * on Tuesday February 01, 2005 @09:31AM (#11539167) Homepage
    I have stored all my passwords encrypted, with a script to easily access them... The essential part is:
    stty -echo
    read pw
    stty echo
    echo $pw |
    gpg --no-secmem-warning --decrypt --passphrase-fd 0 $pwf.gpg |
    perl -ne "if (/^$1/)"' { s|\[([^ ]+)\]|[\033[40;30m$1\033[0m]|; print; }' |
    less -r
    The passwords are enclosed in [] and the script displays the password in "black-on-black", so that you can copy-paste it without anybody looking over your shoulders seeing it, or you remembering it.

    And the master password to this file hasn't ever changed... heh

  • by smahesh (845383) on Tuesday February 01, 2005 @09:35AM (#11539202) Homepage

    Never underestimate the power of human ingenuity. We had the same problem at one of my ex-employer - there was a policy to change passwords every month. Initially, you could not 'recycle' a used password until ten entirely new passwords were used. Later on this was increased to 24 unique passwords before you could reuse the original password. People started forgetting passwords (3 failed login attempts and you are locked out) and started to write them down on post-it notes, etc. Some folks came up with an easy to use "formula" to generate unique passwords - crack the "formula" and you can easily find out the password.

    The whole exercise of frequently changing passwords for security got compromised because it became cumbersome and annoying for people to keep remembering unique passwords. The policy looks good on paper - but as long as the human element is not factored in, it will not be effective.

  • by Dammital (220641) on Tuesday February 01, 2005 @09:59AM (#11539425)
    Expirations and complex rules for passwords are lame and work at cross-purposes. So here's what you do: allow your employees to assign any password they like, with the understanding that you are going to try to crack 'em. If you are successful, then they're fired.

    Just. Like. That.

    • Can you do that? Fire your own boss or another tenured employee for choosing a weak password?
      • Sure, if they understood the rules to begin with. Make them sign at the same time that they sign your Acceptable Use Policy. (You do have an AUP, right?)

        "Your job REQUIRES access to our computer systems. If you are unable to select passwords that are resistant to automated attacks, then you are unable to fulfill the requirements of your job and are subject to immediate dismissal."

        I take your point that the Boss or his Son is hard to fire, whatever their levels of stupidity.

  • At MyCorp we tend to move haltingly and staggeringly towards greater security and inconvenience. [No, we're not quite up to military standards where no security policy, no matter how stupid and ineffective, would ever be rejected on the grounds that it caused inconvenience:)]

    There's a well-known tradeoff between security and convenience, but it's possible to not be on the maximum locus of that curve: i.e., it's possible to have incredibly inconvenient security policies that provide very little actual secur

  • "Help me!" (Score:4, Funny)

    by dtfinch (661405) * on Tuesday February 01, 2005 @10:20AM (#11539625) Journal
    "I forgot my password! It changes too often."

    You've gotta do what everyone else does and write it down. Stick a copy in your wallet, under your keyboard, on the side of your monitor, etc. Now I'll just use my admin login to reset your password and you'll be on your way.
  • by RoboRay (735839) on Tuesday February 01, 2005 @10:38AM (#11539789)
    I'm actually not allowed to use two consecutive letters in my password to one government system. Every letter must be followed by a number. It also must be 8 characters, no more, no less, and can't contain any punctuation or special symbols. It changes every 90 days. And you can't reuse old passwords, either. Ever.

    So, my first password was A1A1A1A1. Guess what my next one was?
  • Ultimately (Score:5, Insightful)

    by dtfinch (661405) * on Tuesday February 01, 2005 @10:56AM (#11539995) Journal
    There is always a bigger risk. 8 character random alphanumeric is a around 40-48 bits of protection, depending on if you mix upper and lowercase (harder to remember). I've written a strong password generator here [mytsoftware.com]. While 8 character alphanumeric is breakable, especially at 40 bits, it's unlikely you'll encounter such perserverance. A 90 day rotation will ensure that password crackers need to re-sniff your network for login hashes every 90 days, and limit their time to take advantage of a broken password, but beyond that it's just going to ensure that more users will write down their passwords. There is no set amount of time needed to break a random password. They could break it in a day or never. A rotation isn't going to have the effect of making them start over or anything.

    There are plenty of bigger risks to worry about than someone bruteforcing a password. They could get passwords by other means. They could walk up to a pc that's already logged in, and either use it immediately or install a trojan for later use. They could sniff your network. File sharing and email are usually unencrypted. They could hack your dns server so that requests go through them. An employee with priveledges could steal or alter data.
    • A 90 day rotation will ensure that password crackers need to re-sniff your network for login hashes every 90 days

      Funny. I thought that people started using encryption if they cared about security. I've heard that somewhere, I'm sure.
  • by Mozai (3547) on Tuesday February 01, 2005 @11:15AM (#11540170) Homepage
    I work at a medium, mango-hued company and we had to implement the same policy for "security reasons." I get about three calls a week asking for passwords to be reset.

    The 90-day, eight character line-noise password policy has nothing to do with security: it's required for our security certification by a security company who has a good reputation. Either we comply with whatever such a company tells us to do, or banks and merchants and credit companies will refuse to do business with us. Oh, and we have to pick the right company so that we don't have to pay another >$10,000 to get re-certified by another expensive name.

    Sucks, but c'est l'entreprise.
  • The bank I worked for implemented a "change your password every 60 days" rule the same year they handed us one of those motivational desktop calendars that had a word of the month like "teamwork", "integrity", and so on. The password checker would not let you repeat your previous passwords, but it did NOT check for dictionary words! So whenever it nagged me to change words I would just reach up to the desk calendar, flip over to the next month, and type in the word of the month. Certainly solved the "where can I write it down" problem. Anybody walking into my office would just think that I did not keep the calendar up to date.
  • stealth one time pad (Score:2, Interesting)

    by zogger (617870)
    just use a paperback book, change the book occassionaly. All you have to remember is the page number, paragraph number and line number, those are your random digits that preface or follow the letters. They refer to the phrase or sentence in that location, where you get your letters. Interposing can be your choice of course, straight ahead or rotating backwards to forwards, etc. Example page *237(insert first word)*, paragraph *5(insert first word)*, line *4(insert first word)*. Ton of variations on that the
  • My password currently is about 35 characters; it's a sentence with punctuation and all, but not ordered correctly. It's easy to remember and easier to type. And I'd give you a year with a handful of systems and you wouldn't brute-force it.

    IMO, 8 chars, complex, changed every 90 days is the absolute minimum for password strength for any system beyond generic webmail or /. accounts.

  • DOD mandate.
    And I work in the HMO world, but one of our customers does work for the DOD and thus we have to comply with the standard.
  • PDA password keepers (Score:2, Informative)

    by Weasel Boy (13855)
    are very handy. I have about 45 passwords stored in mine.

    My password app includes a utility to generate random but pronounceable passwords (which I don't generally use). My coworker told me one of these a year ago. I haven't used it in 9 months, and I still remember it. Oh $%^*, the system probably expired it. ;-)
  • Gnu Keyring (Score:4, Insightful)

    by kentborg (12732) on Tuesday February 01, 2005 @01:27PM (#11541801)
    I get *SO* pissed at these password fascists, particularly when their
    rules reduce my password security.

    I use secure, easy to type, and easy remember passwords (see
    http://ask.slashdot.org/comments.pl?sid=1323 27&cid =11054456 for
    details on that).

    I never reuse passwords except in a few rare circumstances (on
    different Linux computers I personally control I reuse some
    passwords).

    To keep track of all those passwords I bought a (relatively
    inexpensive) Palm Zire 31. On it I run Gnu Keyring
    (gnukeyring.sourceforge.net). I have one significantly secure
    password that I then use to encrypt all my other passwords. I backup
    this Palm using an SD card. I also back up to via IR to my Linux
    notebook where there is a client that can decrypt the data.

    I also have a Palm-based phone (Samsung i330) that can run Gnu
    Keyring--but I don't trust it. It makes mysterious 10-second data
    calls that bother a paranoid such as me. Yes, I don't have any good
    reason to trust the Zire 31 either, but I keep it nearly incommunicado, I
    don't need to trust it so much.

    I recommend Gnu Keyring.

    -kb
  • Pick a certian book off your shelf.
    Third word down (left hand, first word) on page 51.

    Suppose the word is "broken". Capitalize first/last letter, and password is...

    B51roke3N

    All I have to remember is which book, page, how many words down. This is often easy, because you can remember what the page looks like, especially if you pick a page with pictures on it.

    Now return the book back to your shelf.
  • secstore (Score:3, Interesting)

    by DrSkwid (118965) on Tuesday February 01, 2005 @01:49PM (#11542083) Homepage Journal
    I use secstore [bell-labs.com], I don't have to remember my passwords and they can be as long and as random as I like.

    All I need is the password to secstore, which, in my case, is on the LAN.

    secstore client - man page [swtch.com] - for non-plan9 systems is now available as part of the Plan 9 from User Space [swtch.com] project.

  • Rainbow Tables (Score:4, Informative)

    by tiny69 (34486) on Tuesday February 01, 2005 @02:46PM (#11542772) Homepage Journal
    If your passwords are less than 14 characters in length, periodically changing them will not improve security. It only takes 64GBs to hold every possible combination of password up to 14 characters using the following (include the space as part of the character set):
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw xyz0123456789!@#$%^&*()-_+=~`[]{}|\:;"',.?/ "
    Using the Rainbow Tables in a Time-Memory Trade-Off, it only takes a few minutes to crack any password up to 14 characters. http://lasecwww.epfl.ch/php_code/publications/sear ch.php?ref=Oech03 [lasecwww.epfl.ch]

    You can either spend a few months creating your own Rainbow Tables http://www.antsight.com/zsl/rainbowcrack/ [antsight.com], or you can buy the 64GB tables for $640, http://www.antsight.com/zsl/rainbowcrack/rt_price. txt [antsight.com].

    • Re:Rainbow Tables (Score:3, Insightful)

      by hankwang (413283) *
      It only takes 64GBs to hold every possible combination of password up to 14 characters using the following (include the space as part of the character set):

      The website you refer to is about Windows password hashes. :) Here on /. we all know that Windows is full of bad implementations. The paper explains that in that particular hashing algoritm, the 14 characters are converted to uppercase and treated as two separate passwords of 7 characters, reducing the problem to 2^37 possible passwords rather than 2^8

  • These sorts of things are typically imposed by an IT department who doesn't really have to bear the burden of the users costs. Strong & freq change is more secure, so why not? This obviously fails to "reductio ad absurdam" 100 char passwds, changing each time.

    IMHO, more important is correct systems security policies. Slow response/lockout to eliminate dictionary attacks. Strength is _NOT_ needed if the cost of guessing wrong is high (ie not /etc/passwd with hashes). Changing passwords is perhaps m

  • What does changing your password frequently do? If some one already hacked your password they probably had time to change it to lock you out entirely, Or put a trojan to tell them the new password once it is changed if they wanted to be stealthy about it.

  • some actual research (Score:5, Informative)

    by ecklesweb (713901) on Wednesday February 02, 2005 @01:21PM (#11551923)
    First, when you Ask Slashdot for actual research or empirical evidence to support a widely-accepted hypothesis (such as changing passwords often improves security), you get a bunch of anecdotal drivel. I know this from experience...

    That being said, here's at least one academic paper on the subject:
    http://www.cs.ucl.ac.uk/staff/S.Brostoff /index_fil es/sachas_transfer_report.pdf
    An interesting quote:
    "forced password changing causes password problems. The result was highly significant." followed by actual statics demonstrating the significance.

    Here's a white paper that seems to argue that complex passwords only provide real protection if you're able to reduce the number of passwords needed (this may just be a marketing pitch for a single-signon product)
    http://www.protocom.com/whitepapers/Eval AuthSecuri ty.pdf

    Most opinions that complex passwords and often changed passwords are more secure are probably based on the presumption that such policies increase the time required to crack a password:
    http://scholar.google.com/url?sa=U&q=ht tp://contra costa.edu/hpc/FaST/2003/Bonnie/passwd_sec.pdf

    However, as far as I can tell, no one has really gone out of their way to scientifically compare the effective security provided by various types of password policies in "real world" situations like you describe.
  • Passwordsafe (Score:3, Interesting)

    by bLanark (123342) on Thursday February 03, 2005 @08:46AM (#11560953)
    Look into PasswordSafe [sourceforge.net].


    I think that the project was begun by Bruce Schneier, of "Applied Cryptography", "Secrets and Lies" and "Cryptgram" fame. But now the utility is open-source and multi-platform.

  • English entropy (Score:3, Interesting)

    by Peaker (72084) <(gnupeaker) (at) (yahoo.com)> on Saturday February 12, 2005 @10:18PM (#11656074) Homepage
    Using passwords which are correct English sentences isn't much better.

    Correct English sentences have about 1.2 bits per character. That means that for 10 words of 5 characters each, you have 50 characters which are 60 entropic bits (~7.5 entropic bytes).

    That is as strong as a 10-character password, or so, but much much longer.

    Not sure this is the solution.
    I think that whatever is easy to remember, is easy to remember because it has low entropy and is easy to attack.

    The solution might be to use non-human memory? USB disk-on-keys containing crypto keys?
  • Grammar bots? (Score:3, Insightful)

    by ZeroExistenZ (721849) on Saturday February 12, 2005 @10:31PM (#11656159)

    I really wonder, when crackers are trying to hack passphrases, wherever generators with language-rulesets will arrise trying to construct valid "likely used" sentences.

    Once you get that, you'll have the same problem once again... (but perhaps some nice grammar-tech out of it coded up by kiddies)

    (Or ofcourse databases with silly but catchy punchlines.)

Facts are stubborn, but statistics are more pliable.

Working...