Are Often-Changed Long Passwords Really Secure?
Zweistein_42 asks: "I work at a large, navy-coloured IT corporation. A new, more secured password policy has just taken effect and will be strictly enforced: 8 characters alphanumeric, changed *every 90 days*, with standard checks for non-repetitiveness, dictionary, uniqueness, etc. Is there any research to support whether such requirements actually increase security?"
"I have almost a dozen applications I use daily (e-mail, VPN, Windows login, intranet, FTP, etc), plus 20-30 I access 'occasionally', and their passwords have to be unique - and change at different times. I usually take the trouble to memorize random alphanumeric, un-guessable combinations; but even I won't bother memorizing an average of 2 random strings a week. Eventually, won't most people use their pets' names (fuzzy1cat, fuzzy2cat, etc) and start writing passwords on a note on their screen?
Every time I see such a policy, I strongly believe it makes *my* passwords less secure. What is the average user's reaction? What about lost & support time trying to regain forgotten passwords?"
Desk (Score:5, Insightful)
But seriously, does a policy like this do anything but encourage people to write down their passwords?
Complexity or Quantity (Score:5, Insightful)
I did read a paper (I think from Microsoft, not sure) about how passwords were essentially redundant as you could precompute the hashes of all alphanumeric combinations and then run a dictionary attack against a file pretty quickly. They suggested a passphrase as the way forward. Perhaps something along the lines of "I love
The other solution I often tell people is make your passwords a personal acronym, who would guess "Il/mIp10t" as a password, yet it is easy for me to remember.
Re:Desk (Score:4, Insightful)
It depends where you write it down. If you write it down in some sort of password safe that's encrypted, and keep that only on your hard disk and PDA, that's a heck of a lot safer than the post-it note, and I'd go so far as to call that secure - provided you make sure to keep the encrypted copies in your possession and keyed with a "good" password (longer than 8 characters, who is the story poster kidding).
Seriously, if you're in IT, don't you already have a bunch of passwords you need to keep track of? Do you really expect to keep those in memory? Why *don't* you have some sort of password vault by now?
Re:Complexity or Quantity (Score:3, Insightful)
Is my house secure? Sure, I have never been burgled.
Should we shut down Fort Knox and store all the bullion in my spare room? Probably not.
If I want to protect my information against my flatmate or a friend opening it, then an 8-character password is probably OK. If I want to protect my bank's central records or the IDs of my intelligence agents in North Korea, 20 characters will not cut the mustard either.
Perhaps I did not make my point very well. The poster's problem was not that they had to keep changing their password frequently and could not alternate between "password1" and "password2", but that they had to have several different passwords for several different systems. I was saying that by using personalised passphrases or passphrase acronyms this could be accomplished quite easily until SSO is implemented properly.
SSO working fully fits in somewhere between a totally secure Windows, a working manageable PKI and a viable method of stopping spam, pop-ups, 419 fraud and link spamming!!
Less secure (Score:5, Insightful)
You also are tempted to write them down, or use consecutive patterns as passwords:
qwer789456123
0ok9ij8uh
Things like that. A simple phrase password, with a one-time algorithm (give me the 4th, 5th, 7th and 10th letters), takes longer to work out in your head, but eavesdroppers (video, shoulder surfing, fingerprints (National Treasure) and electronic) have a harder time.
Of course, if you store all your new 8-digit alphanumeric passwords in an Access file which is shared in a public folder, that would make any attempt at l33t passwords a bit redundant.
Changing passwords frequently does not help (Score:4, Insightful)
Never underestimate the power of human ingenuity. We had the same problem at one of my ex-employers - there was a policy to change passwords every month. Initially, you could not 'recycle' a used password until ten entirely new passwords were used. Later on this was increased to 24 unique passwords before you could reuse the original password. People started forgetting passwords (3 failed login attempts and you are locked out) and started to write them down on post-it notes, etc. Some folks came up with an easy-to-use "formula" to generate unique passwords - crack the "formula" and you can easily find out the password.
The whole exercise of frequently changing passwords for security got compromised because it became cumbersome and annoying for people to keep remembering unique passwords. The policy looks good on paper - but as long as the human element is not factored in, it will not be effective.
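The policy from the question (8 alphanumeric characters, dictionary and repetition checks, no reuse of the last 24 passwords) and the "formula" problem this post describes, as an added example that is not part of the thread: a Python checker that enforces the stated rules over a salted hash history, followed by a stricter variant that also compares the new password with the one being replaced (the approach pam_cracklib-style modules take). The word list, the thresholds and the fuzzy1cat sequence are constructed for the example.

```python
"""Added example (not from the thread): the password policy described in the
question, a history of the last 24 password hashes, and a demonstration that a
per-change "formula" such as fuzzy1cat -> fuzzy2cat satisfies every rule. The
word list, the thresholds and the sample passwords are constructed here."""
import hashlib
import hmac
import os
import re

# Constructed stand-in for a real dictionary file.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "summer"}
HISTORY_DEPTH = 24        # "24 unique passwords before you could reuse the original"
MIN_EDIT_DISTANCE = 3     # hypothetical threshold for the strengthened check


def hash_password(pw, salt):
    # Salted PBKDF2 so the history is not a plaintext list of old passwords.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 20_000)


class PasswordHistory:
    """Keeps salted hashes of the last HISTORY_DEPTH passwords, oldest first."""

    def __init__(self):
        self._entries = []

    def contains(self, pw):
        return any(hmac.compare_digest(hash_password(pw, salt), digest)
                   for salt, digest in self._entries)

    def add(self, pw):
        salt = os.urandom(16)
        self._entries.append((salt, hash_password(pw, salt)))
        del self._entries[:-HISTORY_DEPTH]      # drop everything older than N


def baseline_violations(pw, old_pw, history):
    """The policy as stated: 8+ characters, letters and digits only with both
    present, no character three times in a row, not a dictionary word once the
    digits are stripped, not one of the last 24 passwords. old_pw is unused."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not pw.isalnum():
        problems.append("contains a non-alphanumeric character")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("needs both letters and digits")
    if re.search(r"(.)\1\1", pw):
        problems.append("repeated character run")
    if re.sub(r"\d", "", pw).lower() in DICTIONARY:
        problems.append("dictionary word")
    if history.contains(pw):
        problems.append("reused one of the last %d passwords" % HISTORY_DEPTH)
    return problems


def edit_distance(a, b):
    """Levenshtein distance, used to spot passwords that only tick over a digit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def strengthened_violations(pw, old_pw, history):
    """Baseline rules plus a comparison with the password being replaced, which
    the user types in plaintext at change time. This is what catches the
    fuzzy1cat -> fuzzy2cat formula that the hash history cannot see."""
    problems = baseline_violations(pw, old_pw, history)
    if edit_distance(pw.lower(), old_pw.lower()) < MIN_EDIT_DISTANCE:
        problems.append("too similar to the password being replaced")
    if re.sub(r"\d", "", pw.lower()) == re.sub(r"\d", "", old_pw.lower()):
        problems.append("differs from the previous password only in digits")
    return problems


def rotate(sequence, checker):
    """Feed a user's successive password choices through a checker and return
    the ones it accepted; rejected choices leave the current password in place."""
    history, old, accepted = PasswordHistory(), "", []
    for pw in sequence:
        if not checker(pw, old, history):
            history.add(pw)
            accepted.append(pw)
            old = pw
    return accepted


FORMULA = ["fuzzy1cat", "fuzzy2cat", "fuzzy3cat", "fuzzy4cat"]   # constructed

if __name__ == "__main__":
    print("baseline accepts:    ", rotate(FORMULA, baseline_violations))
    print("strengthened accepts:", rotate(FORMULA, strengthened_violations))
    print("reuse is caught:     ", rotate(FORMULA + ["fuzzy1cat"], baseline_violations))
```

The baseline checker accepts all four formula passwords because each is a new string that is in no dictionary and in no history; only the strengthened check, which sees the outgoing password in plaintext, rejects the digit-only change. The 24-deep hash history does catch a straight reuse of fuzzy1cat, which is all it was ever able to do.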
Re:This is the reason (Score:5, Insightful)
This whole password thing has got to the point where it's ridiculous. It was OK when you were on a minicomputer with a few hundred users, but it is so inadequate and there is so much at stake, it's absurd that we're still using this dark ages technology.
Two factor security with strong cryptographic keys on devices that don't have to give up their secrets to any host -- that's the way to go.
Ultimately (Score:5, Insightful)
There are plenty of bigger risks to worry about than someone brute-forcing a password. They could get passwords by other means. They could walk up to a PC that's already logged in, and either use it immediately or install a trojan for later use. They could sniff your network. File sharing and email are usually unencrypted. They could hack your DNS server so that requests go through them. An employee with privileges could steal or alter data.
Security is irrelevant (Score:3, Insightful)
The 90-day, eight-character line-noise password policy has nothing to do with security: it's required for our security certification by a security company that has a good reputation. Either we comply with whatever such a company tells us to do, or banks and merchants and credit companies will refuse to do business with us. Oh, and we have to pick the right company so that we don't have to pay another >$10,000 to get re-certified by another expensive name.
Sucks, but c'est l'entreprise.
Re:Not happy about it either (Score:3, Insightful)
Do you really want to attach value to things like your thumbs, fingers and eyes? I mean the kind of value that makes someone else want them; I like and value mine quite a bit. Also, if your fingerprint happens to get compromised (i.e. somebody manages a working fake), how do you plan on obtaining a new one?
Terrified of biometrics until somebody gives me compelling reasons not to be...
Re:Not happy about it either (Score:5, Insightful)
Gnu Keyring (Score:4, Insightful)
rules reduce my password security.
I use secure, easy-to-type, and easy-to-remember passwords (see http://ask.slashdot.org/comments.pl?sid=132 for details on that).
I never reuse passwords except in a few rare circumstances (on different Linux computers I personally control I reuse some passwords).
To keep track of all those passwords I bought a (relatively inexpensive) Palm Zire 31. On it I run Gnu Keyring (gnukeyring.sourceforge.net). I have one significantly secure password that I then use to encrypt all my other passwords. I back up this Palm using an SD card. I also back up via IR to my Linux notebook, where there is a client that can decrypt the data.
I also have a Palm-based phone (Samsung i330) that can run Gnu Keyring--but I don't trust it. It makes mysterious 10-second data calls that bother a paranoid such as me. Yes, I don't have any good reason to trust the Zire 31 either, but since I keep it nearly incommunicado I don't need to trust it so much.
I recommend Gnu Keyring.
-kb
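The "one strong master password encrypting all the others" design that the Re:Desk reply and the Gnu Keyring post both describe, as an added example that is not part of the thread and not Gnu Keyring's own code. It is standard-library Python only, so instead of AES it uses PBKDF2-HMAC-SHA256 to derive two keys from the master password, an HMAC-SHA256 counter-mode keystream for confidentiality, and a separate HMAC tag (encrypt-then-MAC) so a wrong master password or a modified file is rejected before anything is decrypted; a real vault should use AES-GCM or ChaCha20-Poly1305 from a vetted library. The iteration count, the file layout and the sample entries are assumptions for the example.

```python
"""Added example (not from the thread): a minimal password vault keyed by one
master password. Standard library only: PBKDF2 for the master key, an
HMAC-SHA256 counter-mode keystream for encryption and a separate HMAC tag for
integrity. Layout, iteration count and sample entries are assumptions."""
import hashlib
import hmac
import json
import os
import secrets
import string

KDF_ITERATIONS = 100_000     # makes each guess at the master password cost real CPU
PASSWORD_ALPHABET = string.ascii_letters + string.digits


def derive_keys(master, salt):
    """One PBKDF2 call yields 64 bytes: an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher; the nonce is
    fresh per seal(), so a keystream is never reused under one key."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(master, entries):
    """Encrypt a dict of site -> password. File layout (assumed):
    16-byte salt | 16-byte nonce | ciphertext | 32-byte HMAC tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master, salt)
    plaintext = json.dumps(entries).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_vault(master, blob):
    """Verify the tag first (constant-time), then decrypt. A wrong master
    password derives a different MAC key and fails here, never silently
    yielding garbage."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or vault has been tampered with")
    pt = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


def generate_password(length=20, alphabet=PASSWORD_ALPHABET):
    """Per-site random passwords: nothing in the vault has to be memorable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample entries.
    vault = {site: generate_password() for site in ("vpn", "intranet", "ftp")}
    blob = seal("correct horse battery staple", vault)
    print(open_vault("correct horse battery staple", blob) == vault)
    try:
        open_vault("Fuzzy1cat", blob)
    except ValueError as e:
        print("rejected:", e)
```

Because keys are derived from the salt stored in the file, the cost of guessing the master password is KDF_ITERATIONS hashes per guess, which is where the "longer than 8 characters" advice for the master password actually pays off: that one secret is the only one the user has to remember.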
Re:Rainbow Tables (Score:3, Insightful)
The website you refer to is about Windows password hashes. :) Here on /. we all know that Windows is full of bad implementations. The paper explains that in that particular hashing algorithm, the 14 characters are converted to uppercase and treated as two separate passwords of 7 characters, reducing the problem to 2^37 possible passwords rather than 2^82 as you would think from the password length (e.g. if a 128-bit MD5 sum is calculated)
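The split-hash weakness this reply describes, as an added example that is not part of the thread: a Python model of hashing a password as two independent halves versus as one unit, with a scaled-down brute force so the difference in guesses can be measured rather than argued. MD5 stands in for LM's DES step (the standard library has no DES), the toy charset and lengths are assumptions, and the `guesses()` function computes the worst case for the real 14-character, two-halves layout.

```python
"""Added example (not from the thread): why hashing a password as two
independent halves, as the LM scheme described above does, collapses the work
factor. MD5 stands in for LM's DES step; the upper-casing, NUL-padding and the
split are the point, not the primitive. Lengths and charset are scaled down."""
import hashlib
import itertools
import math
import string

CHARSET = string.ascii_uppercase          # LM upper-cases input before hashing


def toy_hash(s):
    return hashlib.md5(s.encode("latin-1")).hexdigest()


def split_hash(password, length=14, half=7):
    """Model of the LM construction: upper-case, NUL-pad or truncate to
    `length`, then hash each `half`-character piece on its own."""
    p = password.upper().ljust(length, "\0")[:length]
    return toy_hash(p[:half]), toy_hash(p[half:])


def whole_hash(password, length=14):
    """Same normalisation, but the password hashed as one unit."""
    return toy_hash(password.upper().ljust(length, "\0")[:length])


def crack(target, length, charset):
    """Brute force one hash; returns (plaintext or None, guesses tried)."""
    n = 0
    for n, cand in enumerate(itertools.product(charset, repeat=length), 1):
        word = "".join(cand)
        if toy_hash(word) == target:
            return word, n
    return None, n


def crack_whole(password, length, charset):
    return crack(whole_hash(password, length), length, charset)


def crack_split(password, length, charset):
    """Attack each half separately; the guesses add instead of multiplying."""
    half = length // 2
    h1, h2 = split_hash(password, length, half)
    w1, n1 = crack(h1, half, charset)
    w2, n2 = crack(h2, half, charset)
    return (w1 or "") + (w2 or ""), n1 + n2


def half_is_empty(h, half):
    """A password no longer than one half leaves the other half all-NUL, so its
    hash is a constant that reveals the password's length bracket for free."""
    return h == toy_hash("\0" * half)


def guesses(charset_size, length, pieces):
    """Worst-case guesses when the password is hashed as `pieces` independent
    parts of equal length: pieces * charset ** (length / pieces)."""
    return pieces * charset_size ** (length // pieces)


def bits(n):
    return math.log2(n)


if __name__ == "__main__":
    # "ZZZZ" is the last candidate in enumeration order: the worst case.
    print("whole:", crack_whole("ZZZZ", 4, CHARSET))
    print("split:", crack_split("ZZZZ", 4, CHARSET))
    print("short password exposes empty half:", half_is_empty(split_hash("AB", 4, 2)[1], 2))
    for pieces in (1, 2):
        print("14 chars, 36-symbol alphabet, %d piece(s): 2^%.1f guesses"
              % (pieces, bits(guesses(36, 14, pieces))))
```

On the scaled-down case the whole-password attack needs 26^4 = 456,976 guesses and the split attack 2 * 26^2 = 1,352; for the real layout with a 36-symbol alphabet the two-halves attack is about 2^37 guesses, the same order as the figure in the reply, while the single 14-character hash would be about 2^72.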
Re:This is the reason (Score:5, Insightful)
A hacker can't remotely access my shirtpocket.
A pickpocket would have access to trouser pockets and coat pockets, but would be noticed lunging for your chest.
If someone does get access to your shirt pocket you have bigger problems than someone getting your password.
Increased Usage of Sticky Notes (Score:4, Insightful)
2 cents,
Queen B
passwords.... (Score:5, Insightful)
Grammar bots? (Score:3, Insightful)
I really wonder, when crackers are trying to hack passphrases, whether generators with language rulesets will arise trying to construct valid "likely used" sentences.
Once you get that, you'll have the same problem once again... (but perhaps some nice grammar tech out of it coded up by kiddies)
(Or of course databases with silly but catchy punchlines.)