The Psychological Reasons Behind Risky Password Practices (helpnetsecurity.com)
Orome1 quotes a report from Help Net Security: Despite high-profile, large-scale data breaches dominating the news cycle -- and repeated recommendations from experts to use strong passwords -- consumers have yet to adjust their own behavior when it comes to password reuse. A global Lab42 survey, which polled consumers across the United States, Germany, France, New Zealand, Australia and the United Kingdom, highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits. When it comes to online security, personality type does not inform behavior, but it does reveal how consumers rationalize poor password habits. My personal favorite: password paradox. "The survey revealed that the majority of respondents understand that their digital behavior puts them at risk, but do not make efforts to change it," reports Help Net Security. "Only five percent of respondents didn't know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols. Furthermore, 91 percent of respondents said that there is inherent risk associated with reusing passwords, yet 61 percent continue to use the same or similar passwords anyway, with more than half (55 percent) doing so while fully understanding the risk." The report also found that when attempting to create secure passwords, "47 percent of respondents included family names or initials," while "42 percent contain significant dates or numbers and 26 percent use the family pet."
Passwords exist (Score:2, Informative)
That's the reason.
Re:Passwords exist (Score:4, Informative)
Passwords suck. Even with SSO, even with a password manager, even with salting and hashing, passwords suck, and will always suck.
You need an authentication token. *One* authentication token. Microsoft can do it, Google can do it, Facebook can do it (but of course they are not compatible).
Millions of little websites still use passwords.
Re:Passwords exist (Score:5, Insightful)
Passwords suck. Even with SSO, even with a password manager, even with salting and hashing, passwords suck, and will always suck.
You need an authentication token. *One* authentication token. Microsoft can do it, Google can do it, Facebook can do it (but of course they are not compatible).
Millions of little websites still use passwords.
And then Microsoft makes use of Windows 10 (or compatible Windows Phone devices) mandatory for their SSO. Google randomly decides to just drop the whole SSO business. Facebook suspends your account because some asshole from Brazil has complained about one of your holiday snaps. What now? Will you just rebuild your whole online identity? Or forget about the dozens of sites you were participating in?
Re: (Score:2)
He's talking about an authentication token, not SSO. A real cryptographic token will take a challenge from the website and sign it with your key (possibly after entering a PIN) to prove that you are in possession of the token (and know the PIN). There's no way that this is tied to any one provider, because it's not SSO. (See PIV, OpenPGP card or any number of similar approaches.)
The tokens in use now are all TOTP or HOTP-type tokens where you generate a hash that proves that you and the authentication serve
Re:Passwords exist (Score:4, Insightful)
There are three possible kinds of security factors. Something you know, something you have and something you are (or, more cynically, something you can forget, something you can lose and something that can be chopped off). They all have their advantages and disadvantages, but saying that one is superior to the others is simply and plainly wrong.
And the key reason, btw, why pages don't do it is simple: When people forget their password, resetting that is easy (plus they get your email address so you can reset it in the first place), but if you lose the token...
Re: (Score:3, Insightful)
Re: (Score:2)
SQRL!
Re: (Score:3, Informative)
We can download a password manager for free. Authentication token managers are going to cost money, with the price depending on how many authentication tokens you need them to manage.
You can get a U2F USB token about the size of your house key for $8 that will manage as many separate authentications as you like. For $50, you can get one with NFC that will talk to your phone.
They look like a great system now, until you lose the physical token. If they ever become popular, then I'm sure there will be techniques to subvert them - MITM, phishing or misdirection - I'm not smart enough to guess. If they ever become popular, then I'm sure the 'lost token' problem will frequently be solved
Reality is... (Score:2, Interesting)
... corporations are the ones making the world insecure by forcing things online and to have online accounts to track everything. They create massive attack surface in their mad quest for transparent user/customer data and profit.
Re:Reality is... (Score:5, Interesting)
Mind you, I don't disagree with your premise - The problem here has nothing to do with end-users, and everything to do with expecting them to remember over a hundred distinct "secure" passwords. But that glaring flaw aside (which leads people to use the least secure password a site will let them, and reuse it at every site they can), there *is* still such a thing as a pathetically weak password.
We've all seen, and can debate the exact accuracy of the relevant XKCD strip [xkcd.com], but the general idea holds true - We'd all do a hell of a lot better to use memorable three to five word phrases, than trying to squeeze something we can almost remember into leetspeak with an extra random character or two tacked on at the end.
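Since the strip's figure keeps coming up in this thread, here is the arithmetic behind it in runnable form, along with a generator that actually picks the words with a CSPRNG. This is an added example, not code from any poster or from xkcd; the 32-entry word list is constructed for the demonstration (a real Diceware list has 7776 words, and the strip assumed a pool of roughly 2048), and fit_policy is an assumed helper for sites that insist on a digit and a symbol.

```python
import math
import secrets
import string

# Constructed 32-word list for the demonstration only; a real Diceware list
# has 7776 entries and the XKCD strip assumed a pool of about 2048 words.
WORDS = """apple brick candle delta ember falcon garden harbor island jungle
kettle lantern meadow needle orbit pepper quartz river saddle timber
umbrella velvet walnut yellow zipper anchor basket copper dragon engine
forest glacier""".split()

CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(pool_size, picks):
    """Entropy of `picks` independent, uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


def passphrase(words, n=4, sep=" "):
    """Pick n words with the CSPRNG; random.choice is not suitable for secrets."""
    return sep.join(secrets.choice(words) for _ in range(n))


def random_password(length=8, alphabet=CHARSET):
    """The 'complex' alternative: uniform random printable characters."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fit_policy(phrase, digit="7", symbol="!"):
    """Assumed helper: satisfy a 'must contain a digit and a symbol' rule.
    A fixed suffix adds no real entropy; the strength still comes from the words."""
    return phrase + digit + symbol


def comparison():
    """Bits for the schemes argued about in this thread, assuming uniform random choice.
    A first-letters-of-a-sentence password is not included: its letters are not
    uniform, so no honest number can be computed for it without a language model."""
    return {
        "4 words from 2048 (XKCD 936)": entropy_bits(2048, 4),
        "5 words from 7776 (Diceware)": entropy_bits(7776, 5),
        "8 random printable chars": entropy_bits(len(CHARSET), 8),
        "4 words from this toy list": entropy_bits(len(WORDS), 4),
    }
```

The 44-bit figure from the strip is simply 4 × log2(2048); five Diceware words give about 64.6 bits, and eight fully random printable characters about 52.4. Four words from the toy list above are only 20 bits, which is the point of labelling it a toy: the security is in the size of the pool and the number of words, not in the words themselves.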
Re: (Score:2)
Re: (Score:2)
I have never been able to accurately type four common words without spaces and with the letters obscured. For that reason, I've always used Ross Anderson's suggested method of taking a phrase that means something to me and using the first letter of each word in the phrase. Sure 8 to 10 characters are less secure than 24, but it's a damn sight easier to type.
Re: (Score:2)
Re:Reality is... (Score:5, Insightful)
24 character passwords are pretty impractical in my life, and indeed the life of tens of millions of others. Security engineering is much more successful when it works *with* the grain of human nature, not against it.
Re: (Score:2)
I've had problems with passphrases. I can remember something that's unlikely to be guessed, but I keep forgetting if there's a comma between clauses, or exactly what the capitalization is, or something like that. All it takes is one slip like that and I can't log in.
Re: (Score:2)
I have never been able to accurately type four common words without spaces and with the letters obscured. For that reason, I've always used Ross Anderson's suggested method of taking a phrase that means something to me and using the first letter of each word in the phrase. Sure 8 to 10 characters are less secure than 24, but it's a damn sight easier to type.
I'm sorry...why is this? If you don't lose track of where you are when mentally parsing a sentence and only typing in the first letter of each word, why would you lose track when typing the words themselves? I'm sorry, it seems to me that the first-letter thing would be much easier to get lost in while typing.
And why no spaces? Spaces count as 'special' characters and increase entropy...of course, some logins don't allow them, while at the same time requiring other special characters...so in those cases
Re: (Score:2)
I don't mentally parse a sentence each time -- it quickly becomes a mnemonic requiring no mental effort to recall. By contrast, typing 24 characters in a row without making a mistake while they're obscured is tricky.
Let's say your sentence is "A generation which ignores history has no past and no future" (Thanks, Robert Heinlein!). Your password becomes Agwihhnpanf. Probably you'll add or substitute a special character in there somewhere. It won't take more than five uses before you remember the letters. Th
Re: (Score:2)
I don't mentally parse a sentence each time -- it quickly becomes a mnemonic requiring no mental effort to recall. By contrast, typing 24 characters in a row without making a mistake while they're obscured is tricky.
Let's say your sentence is "A generation which ignores history has no past and no future" (Thanks, Robert Heinlein!). Your password becomes Agwihhnpanf. Probably you'll add or substitute a special character in there somewhere. It won't take more than five uses before you remember the letters. Then another 20 or so and it'll be muscle memory.
Of course, YMMV. But this has been my experience. Even more so when trying to use a mobile device.
Okay, thanks for explaining! My M does V, since I haven't had a problem typing in longer passwords (3 to 5 words, 2 to 7 letters each), yet have a heck of a time typing in (and primarily remembering, but I guess the base sentence would help with that) shorter mixed-case visibly nonsensical passwords. I use the muscle memory I have developed typing real words elsewhere to...type real words while obscured. Yes, sometimes I get ahead of myself and flub up once (but rarely twice), and I always like when ther
Re: (Score:2)
Re: (Score:3)
> A system shouldn't allow 1000 login attempts to the same account per second.
Cracking passwords generally isn't done by attempting to login, but by hacking into the database, obtaining the password hashes and then running a password cracker on them offline (using a dictionary, rainbow tables and whatnot). Cracking passwords like 1-2-3-4 is almost trivial in this case. "Difficult" passwords are a lot harder to crack this way.
So if you use 1-2-3-4 as a password on several sites, and only one of those site
Re:Reality is... (Score:5, Interesting)
But that's the point of the original comment in this thread, isn't it. What makes 1-2-3-4-5 insecure is the fact that the companies storing the hashes can't be trusted to keep them safe but the user gets blamed for having an insecure password.
Re: (Score:2)
This is entirely too sensible and therefore has no chance whatsoever of being generally adopted.
Reality is that passwords are a huge usability problem that is exacerbated by trying to treat the user as a programmable system component. Sadly, passwords of practical length/format don't, and probably can't, provide much security. And users, in general, are not reliably programmable.
What's my answer? Don't have one. But what folks are trying to do isn't working and probably can't work.
I think that the situa
Re: (Score:2)
Suppose an on-line attacker can get a list of user names. Then the attacker can try a series of weak passwords on each user. On a large site, the odds are that somebody's using an easily guessable password, and if the attacker just wants one login, and doesn't care which one, that could work nicely. Blocking IP addresses doesn't do much good against a botnet.
Re: (Score:2)
You've missed my point entirely. "12345" is the fifth numeric password an attacker would try [howtogeek.com] (after "1", "12", "123", and "1234"). It doesn't matter how securely you store it or how long each guess takes, if an attacker has a reasonably high chance of guessing it by a mere educated guess.
Sure, you could lock the account after X guesses - But then you've just given me a trivial way of locking out t
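The online-guessing side of this sub-thread in code: the objection just above that lockout-after-X-guesses hands an attacker a trivial way to lock users out, and the earlier point that blocking IP addresses does nothing against a botnet. This is an added example, not code from any poster: a throttle that counts failures per account and per source address and imposes growing but capped delays rather than a hard lock. The user store, addresses and thresholds are constructed for the demonstration, and the clock is injectable so the behaviour can be checked deterministically.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Slow down online password guessing without handing attackers a lockout DoS.

    Failures are tracked per account (catches a botnet spreading guesses over many
    source addresses at one account) and per source address (catches one host
    spraying weak passwords over many accounts). Once a key has more than its free
    allowance of failures, the next attempt must wait 2**excess seconds since the
    last failure, capped at max_delay, so a legitimate user is delayed at worst
    and never locked out outright.
    """

    def __init__(self, window=900, account_free=5, source_free=20,
                 max_delay=300, clock=time.time):
        self.window = window              # seconds a failure stays on the books
        self.account_free = account_free
        self.source_free = source_free
        self.max_delay = max_delay
        self.clock = clock                # injectable for deterministic tests
        self.account_fail = defaultdict(deque)  # account -> failure timestamps
        self.source_fail = defaultdict(deque)   # source  -> failure timestamps

    def _prune(self, dq, now):
        while dq and dq[0] < now - self.window:
            dq.popleft()

    def _wait(self, dq, free, now):
        """Seconds this key still has to wait before it may try again."""
        excess = len(dq) - free
        if excess <= 0:
            return 0.0
        delay = min(self.max_delay, 2 ** excess)
        return max(0.0, dq[-1] + delay - now)

    def check(self, account, source):
        """Return (allowed, seconds_to_wait) for an attempt made right now."""
        now = self.clock()
        a, s = self.account_fail[account], self.source_fail[source]
        self._prune(a, now)
        self._prune(s, now)
        wait = max(self._wait(a, self.account_free, now),
                   self._wait(s, self.source_free, now))
        return wait <= 0, wait

    def record_failure(self, account, source):
        now = self.clock()
        self.account_fail[account].append(now)
        self.source_fail[source].append(now)

    def record_success(self, account):
        # A correct password clears the account's counter; the source counter is
        # kept so a spraying host is still slowed on its next target.
        self.account_fail.pop(account, None)


# Constructed user store for the demonstration (not real credentials).
USERS = {"alice": "correct horse battery staple", "bob": "dragon7monkey"}


def attempt_login(throttle, account, source, password):
    """Constructed login flow: consult the throttle before checking the password."""
    allowed, wait = throttle.check(account, source)
    if not allowed:
        return "throttled", wait
    if USERS.get(account) == password:   # demo only; real code compares a stored hash
        throttle.record_success(account)
        return "ok", 0.0
    throttle.record_failure(account, source)
    return "bad password", 0.0
```

The cap matters: without it, an attacker who keeps guessing at one account would push the legitimate owner's delay up without bound, which is the lockout DoS by another name. In practice the delay is usually paired with a CAPTCHA or a known-device cookie that lets the real user bypass it, but the counters above are the part that actually limits the attacker's guess rate.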
Re:Reality is... (Score:5, Insightful)
No, there were no password Ninjas in the deep of night , looking for Post-It Notes under keyboards
Sad thing is, after all this time and warnings about how it is unsafe, a sticky note out of plain sight is probably one of the most secure ways to store passwords. Especially if you trust the people who have access to your equipment, or if you simply lock them up in a drawer.
Nobody actually takes the risk of physically breaking into a place just to steal passwords. Attempting to break into your database is likely much less risky, much easier to do (given a reasonable hacker skill set), and much more rewarding.
Re: (Score:2)
It all depends on who you are trying to secure against. For example, everyone says not to use things that are important to you because they are easy to guess. The thing is, if you are worried about outside hackers with no connection to you, they have no basis of guessing that stuff. In most attacks, the hacker has no clue who the account belongs to, so they have no idea that Pepper is your dog and 11/23/99 is your wedding day, so Pepper!112399 is not a terrible password. On the other hand, if you are worrie
Cognitive Load (Score:5, Insightful)
Now, as for using 'good' passwords, it follows a similar pattern, with most people unwilling to dedicate the time and effort to memorize what amounts to a 'good' password, when they can remember their spouses birthday and their first pet's name just fine.
Of course, we have seen time and time again articles arguing both sides of the court, that long random passwords are either effective or not, and correct horse battery staple passwords are effective or not, so this portion of the discussion is going to be long, stupid and frustrating for evangelists on both sides.
Honestly, I've reached a point where I use 'good' passwords where it matters, (main email, financial items, Amazon etc) and just sort of hope for the best when I re-use the same 'decent' password everywhere else (forums, etc)
I say 'good' because we're at a point there have been enough breaches that we're all probably fucked anyways.
Re: (Score:2)
Re: (Score:2)
I remember a long time ago (probably like 20 years ago now) doing a password audit using l0phtcrack. We IT guys got our passwords cracked in about a day of it running. We were using 6 - 8 character passwords with upper/lower/numbers/symbols.
The password that took the longest (actually, it ran for a week and never got cracked) turned out to be 2 dictionary words concatenated together with a number in between them. No upper case, no symbols. It just turned out that it was all about length.
That made me a belie
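What that audit, and the offline-cracking comments earlier in this thread, look like in code. This is an added example, not from any poster or from l0phtcrack: a rule-based guesser run against a constructed "leaked" database stored two ways, unsalted SHA-1 and a salted iterated hash. The word list, rules, account names and passwords are all constructed for the demonstration, and the iteration count is kept deliberately low so it runs in seconds.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed wordlist and mangling rules; a real cracker uses dictionaries of
# millions of words and hundreds of rules, but the shape is the same.
WORDS = ["common", "summer", "welcome", "dragon", "monkey",
         "letmein", "shadow", "master", "access", "hunter"]
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2017!"]


def candidates(words=WORDS, suffixes=SUFFIXES):
    """Rule-based guesses: case variants with common suffixes, then two words
    joined by a digit. The second rule is the pattern that survived the audit
    above; it only did so because the cracker's rules of the day lacked it."""
    for w in words:
        for v in (w, w.capitalize(), w.upper()):
            for s in suffixes:
                yield v + s
    for a, b in itertools.permutations(words, 2):
        for d in "0123456789":
            yield a + d + b


def candidate_count(words=WORDS, suffixes=SUFFIXES):
    """Size of the search space the rules above generate."""
    n = len(words)
    return n * 3 * len(suffixes) + n * (n - 1) * 10


def fast_hash(pw):
    """Unsalted SHA-1, as many leaked databases have used."""
    return hashlib.sha1(pw.encode()).hexdigest()


def slow_hash(pw, salt, iterations=1000):
    """Salted, iterated hash. 1000 rounds keeps the demo quick; real deployments
    use hundreds of thousands (or scrypt/argon2), which scales the attacker's cost."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def crack_fast(dump):
    """dump: {user: sha1hex}. One hash per candidate tests every account at once,
    because without a salt equal passwords have equal hashes."""
    by_hash = {}
    for user, h in dump.items():
        by_hash.setdefault(h, []).append(user)
    found, tried = {}, 0
    for c in candidates():
        tried += 1
        for user in by_hash.get(fast_hash(c), []):
            found[user] = c
    return found, tried


def crack_slow(dump):
    """dump: {user: (salt, hash)}. The per-user salt forces the attacker to redo
    the whole candidate list, at full iteration cost, for every account."""
    found, tried = {}, 0
    for user, (salt, h) in dump.items():
        for c in candidates():
            tried += 1
            if hmac.compare_digest(slow_hash(c, salt), h):
                found[user] = c
                break
    return found, tried


def build_constructed_dump():
    """Constructed 'leak' of three accounts stored both ways (no real data)."""
    plaintexts = {"alice": "Common1!", "bob": "dragon7monkey",
                  "carol": "correct horse battery staple"}
    fast = {u: fast_hash(p) for u, p in plaintexts.items()}
    slow = {}
    for u, p in plaintexts.items():
        salt = secrets.token_bytes(16)
        slow[u] = (salt, slow_hash(p, salt))
    return fast, slow
```

Run it and the two policy-compliant passwords fall to 1110 guesses either way; the four-word phrase is not in the rule set at all. What the salt and iteration count change is the price per account: the unsalted dump is cracked with one pass over the candidates, the salted one costs a full pass per user, with each guess several orders of magnitude slower once a production iteration count is used.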
Re: (Score:2)
Websites meeting this standard could have fancy little badges of honor to display on their homepage.
Websites failing to meet this standard should be regularly listed in security advisories, companies could discourage or forbid their employees from using these websites, your web browser should warn you that your password
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I agree. Maintaining many passwords and changing them regularly is demanding . It's no use to exhort people to try harder(it only shows the person doing the exhorting does not understand the situation). Some people devise clever strategies but in general it's better to ask people to use a password manager so they don't even have to memorize the password.
Re: (Score:3)
Re: (Score:2)
Mod parent up. GP's system is roughly the worst password security proposition I have heard this year.
Re: (Score:2)
If the company cares even slightly about security, they offer 2 factor authentication.
Re: (Score:2)
Re:Cognitive Load (Score:4, Insightful)
Call me cynical, but most user security policies don't make much sense except from a job security standpoint.
Re: (Score:2)
And single sodding sign-on never works reliably, so there's always some system that doesn't get updated in any reasonable timeframe with your new password
Re: (Score:3)
Our family would have *loved* to have a password for 60 days. We had to change our passwords every 30 seconds and every password had to be 80 characters long and contain Unicode characters that hadn't yet been assigned!
Re: (Score:2)
This is the tragedy of the commons... everyone only thinking of themselves, then complaining about all the spam they are getting in their inbox.
If everyone put forth a little bit of effort to secure their shit, we might be able to have nice things.
Instead.... oh, who cares if this account is compromised... it doesn't affect me that greatly... so why should I bother?
You should bother because that compromised account is now a platform for malicious activity which then affects us all.
What could owners and servers do? (Score:2)
The site works with the username and weak password on creation to ensure better server side protection against plain text walk outs, usable network data loss or buying into cheap "standard" reversible crypto?
Could an extra layer of security be added to data on a network, during storage and real-time use?
Expecting users to change habits and still enjoy a site is a
The fastest, most bang-for-buck fixes (Score:2)
Go through your text, and everywhere where it says "password" change it to say "passphrase."
The password-setting step, where you have the user initialize their password, should also say "don't re-use the same passphrase that you use somewhere else." Just say it. (If users want to ignore it, fine. You can't help people who don't want to be helped.)
This doesn't fix all the problems, but it fixes the most, in the smallest amount of time/effort. One of your interns can do all this in a single morning.
...
After t
Complex Passwords (Score:3)
Or maybe the complex passwords *ARE* the problem. Who the hell can remember 100 different complex passwords?
Repeat after me: TWO FACTOR AUTHENTICATION!
Use a simple password and an authenticator that produces a one-time password.
Re: (Score:2)
two factor authentication is great when done correctly, worse than useless when done poorly.
"security questions" are not 2 factor authentication. They are just low entropy passwords.
If 2 factor includes a device, then there needs to be some way to authenticate if that device is stolen when you are in a remote location. That of course also breaks the concept - but what is the alternative?
Bio-metrics can work if they can be made sufficiently reliable,
Re: (Score:3)
If 2 factor includes a device, then there needs to be some way to authenticate if that device is stolen when you are in a remote location.
Another horrible version of 2 factor authentication is when the device is a smart phone that you are using to log onto the service in question.
Re: (Score:2)
Like, say, text message transaction codes sent to a smartphone used to do online banking.
And please don't think nobody would be stupid enough to do that.
Re: (Score:2)
Smart phones are at least somewhat secure, if you bother to set a good password.
Even fingerprints are enough to defeat most thieves, not that many of them will be bothering to log in to your email on the off chance there is something useful there. They will try to wipe and dispose of the phone as quickly as possible.
Re: (Score:2)
Chances are good that you're as creative as 99% of the pet owners out there and picked the name for your pooch from a rather small pool of possible choices.
Re: (Score:2)
This works for me:
1. Don't bother to remember or write down password.
2. Get the application to send me a password reset.
3. Change the password to some long random thing.
4. Login do my stuff
5. Logout, rinse, repeat.
Pros:
Don't need to remember password.
Password can be long and complex.
Kind of like 2 factor auth.
Cons:
Works only for places that provide password reset (who doesn't?)
Re: (Score:2)
That's pretty much what someone did at an office I worked before.
They had a system where someone could call IT to say they forgot their password, which resulted in their account being locked and a new password was generated. What this person did was to call IT as the last thing before he went home, said he forgot his PW, had his account locked, then next morning he would show up, pick up his password "for the day", enter it, shred the paper it was printed on, do his stuff, call IT at noon with a lost pas
Password fatigue (Score:2, Interesting)
Look no further than the simple explanation: Password fatigue.
It's not uncommon in a large employer to have 6-10 passwords to different systems, all with different rules. And they change every 30-60 days.
Naturally, this causes users to write them down, sometimes on stickies under their keyboard (agh), sometimes on the stickies program on their frickin desktop (ARGH).
Rather than lamenting this obvious fact, it's time we change standards to recognize what REALLY happens, instead of what SHOULD happen. (Refe
Re: (Score:3)
going to do a quick count of how many pwds I deal with at work: ...
49.
I have 49 separate pwds I need to know to do my job.
of those *several* are in a one-note file that is on a secure server so others with the same need to know can remain synchronized.
Three or four of these also require a SecurID or similar token.
Only two are committed to memory.
nb
Bad habits are forced (Score:2)
Re: (Score:3)
Paypal, the assholes, only allow 20 characters max. Apparently they were running out of bits and have to save money somewhere. Anyway, that's not the aggravating part. The aggravating part is when you enter the password, it just truncates to 20 without telling you. Then you go to log in with the password you just set and find it doesn't work. It doesn't work because you've entered too many characters, but it lets you enter them when setting the password...it just throws the extras away and performs the set!
A password should NOT contain a mix of characters (Score:4, Insightful)
Work policies that require 8 characters, 1 upper, 1 lower, a number, a symbol and change every 3 months are guaranteed to result in everyone eventually adopting Common1! where Common is any common 6 letter word and the number 1 increments every 3 months.
Re: (Score:2)
I have seen argued by experienced security professionals that any password that can be remembered is probably easy to crack with current CPU based systems.
Re: (Score:2)
Re:A password should NOT contain a mix of characte (Score:4, Informative)
There are a number of sites I use infrequently, such as my pensions website, where I have to rely on password reset *every* *goddamn* *time*.
Re: (Score:3)
There are a number of sites I use infrequently, such as my pensions website, where I have to rely on password reset *every* *goddamn* *time*.
That's fine. Think of it as an ad-hoc form of authentication service. Instead of providing a password to prove who you are, they securely send a token to you via a trusted third party service (your email provider) which you then authorize.
Because the reset goes via that system, it's no less secure relying on it all the time than it is remembering the password. I actual
It's very simple (Score:3)
A password is intended to ALLOW access. If I come up with random "complex" passwords, I will either have to write them down, or use some sort of password safe, because they are intrinsically not "mnemonic". For many things I just don't care very much, and I have to have dozens to hundreds of new passwords a year.
There has to be a compromise between security and functionality, and people are making that compromise.
passwords are a burden (Score:4, Interesting)
It's quite simple, remembering passwords is a mental burden that you rarely find anywhere else in life. For our possessions, we have physical keys that provide weak security and we expect law enforcement to ensure a violation of that weak security and our insurance companies to replace our losses. The closest thing in real life is remembering people's names and there is a common set of names people have that are phonetic as well. If you want to solve the password issue, people need a physical object (a key) that will authenticate them. We will all carry a key like this and once again rely on our weak physical security which requires physical proximity to undermine.
Re: (Score:2)
Phones make good keys. They have multiple layers of security (physical, then an unlock code or fingerprint), the good ones are encrypted by default and everyone carries them anyway.
Computers should have NFC pads so they can do a secure challenge/response kind of thing when logging in to sites, like how mobile payments work.
Re: (Score:2)
In the UK for a while we started getting little keypads - completely stand alone that you plugged your card into, entered the PIN, entered some other details (e.g. amount of transaction if necessary) and then got an 8 digit code back to use as a passcode.
Completely OS/browser agnostic.
Unfortunately, it never really took off. I think people just didn't find it convenient enough to have the keypad. Of course, had it taken off then people would have had multiple keypads and left one at work etc so they wouldn't
Not as big an issue as poor password POLICIES (Score:5, Interesting)
How about great big "fuck you" instead? How about a wall of shame for every website that does not hash passwords, with salt, prior to transmission over the internet? This is kiddy level shit here. The slowest smartphone in the world should be able to do this in its sleep.
And the majority of sites still have incredibly stupid password policies, almost all forcing you to use special characters and numbers instead of long passphrases which, if properly constructed (such as via dicewords), can be considerably more secure than the average "unicorn16!" type password. Some sites even impose a ridiculous maximum length policy, and some sites also forbid certain special characters, probably for some horribly depressing reason like they can't be bothered to make sure the password field can't be used for SQL injection or overflow attacks.
Work passwords aren't much better. The constant changing is completely pointless; everyone either uses a very simple incrementing number system (often tied to the current month) or they use Post-Its. A sane alternative would be to track logins and alert the user and/or security admins of unusual times or locations and to use keyfiles on smartcards or regular USB drives.
I've checked the literature and these ridiculous practices are still being taught to people studying for CompTIA certifications. Can't someone please... I don't know, do something about this? Can't we have some industry leaders say that they're no longer recognizing CompTIA Security+ or Network+ certifications as worth anything? This shit has been going on for far too long, and in an effort to make up for their shitty password infrastructure many places are adopting painfully annoying supplementary security systems.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
1) It explicitly requires JavaScript on the client browser to be enabled. 2) Where do we store the salt? On the server? Well, that means we have salt+hash on the server which is what you wanted to replace in the first place (we'd also need to send it back to you without really knowing who you are, which doesn't seem secure). So we'll store it on the client! Which means it will be unique to the browser. Sucks to be you if you ever want to log in from a different device or clear your cookies, your password won't be valid. 3) Since we can never really trust that the client is actually doing what it should be doing - it may well still just be sending us a plaintext password - to be secure we're still gonna have to salt and hash it on the server anyway. 4) Hopefully the above points demonstrate that the security gains are, realistically, utterly minimal if salting/hashing is done server side PROPERLY. Sure, ebay wouldn't have lost your password if they followed this scheme (usability be damned of course) but likewise they wouldn't have if they were salting/hashing server side in the first place.
1. I'll take that risk. Better yet, get one third party source to provide the script and box for everyone and I'll whitelist only that source in uBlock. Better yet, put this in HTML6 or something. Implement some highly specific DSL stuff that hopefully can't be exploited. (Protip: Offer $100k reward during draft phase to the first one to publish an exploit.)
2. Storing it on the server is fine. You obviously need some salting, prior to it being stored in the database, or else a break-in would be trivial
Re: (Score:2)
Re: (Score:2)
This was about good passphrases, not bad ones. If you don't understand how using a cryptographically secure hash function with salt (even known salt) accomplishes this goal, then "I am sorry" but you do not understand the first thing about
Re: (Score:2)
So there exists a browser extension to implement what you desire, it is called HashPass.
However, if you use such a strategy, you *still* must have a password resilient to dictionary attacks. The attack scenario it provides *some* protection against is if you use a site that has poor security storage policies, without your knowledge (e.g. stored in clear text). The idea is that if such a crappy site gets compromised, its view of plain text password is the end result of your client side salt, which now can
Re: (Score:2)
Note I *think* he's saying that whatever string the client ultimately sends to the server should still be one-way crypted and salted in the usual way. Meaning a compromise of the database still has reasonable protection.
He wants something to automagically take his password and make it unique per site so he doesn't have to remember them all. Note that this is what things like the extension Hashpass do, generate a site specific password derived from your master password and transformed for the site.
Of course
Re: (Score:2)
Re: (Score:2)
HTTPS serves a different purpose.
Re: (Score:2)
The salted hash is to prevent a GOOD password from being discovered even if a site is compromised. If that same GOOD password is being used with a different site (and thus with a different salt, but all salts and the hash algorithm can be entirely known to the attacker) then the attacker can... what? Good cryptographically secure hashes are one-way things. He can't use the stolen hashed pass
Re: (Score:2)
Protecting *bad* passphrases from being discovered is completely beyond the purview o
Re: (Score:2)
You store the salted-hashed password on the server. The server never gets to know your "real" password.
Your "real" password, if it's a good one (i.e. long and unusual enough to resist the cleverest brute force cracking systems out there), can be freely reused with any website you wish (as long as all websites use this scheme) and each site breach will be completely contained--knowing your hashed version on site A doesn't get the attacker anywhere with site B, because a completely d
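The scheme argued over in this sub-thread, written out so both halves are visible: a client-side derivation that turns one master password into a different password per site (the HashPass idea described above, with the site name as the salt so nothing has to be stored), and the server-side salted hashing that a competent site does anyway. This is an added example, not code from any poster or from the HashPass extension, and the derivation is an assumed design rather than that extension's exact algorithm; the master password, site names and username are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets


def site_password(master, site, username, rounds=100_000, length=20):
    """Client side, HashPass-style derivation (assumed design, not that extension's
    exact algorithm). The site name and username act as the salt, so one master
    yields a different, reproducible password per site and the client stores
    nothing; the answer to 'where do we store the salt' is 'nowhere'."""
    salt = f"{site.lower()}|{username}".encode()
    dk = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, rounds, dklen=30)
    return base64.b64encode(dk).decode()[:length]


def server_store(password, rounds=100_000):
    """Server side, what a competent site does with whatever string arrives:
    fresh random salt per user, slow hash, and only salt+hash on disk. The
    random salt is what makes a precomputed (rainbow) table useless."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"salt": salt, "hash": digest, "rounds": rounds}


def server_verify(record, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["rounds"])
    return hmac.compare_digest(digest, record["hash"])


def breach_containment(master, username, leaked_site, other_site):
    """Constructed scenario: leaked_site kept the derived password in clear text
    and was breached; other_site stored a salted hash. Returns whether the leaked
    string logs the attacker in to other_site (it should not)."""
    leaked = site_password(master, leaked_site, username)
    record = server_store(site_password(master, other_site, username))
    return server_verify(record, leaked)
```

Two caveats that the thread already states and the code makes concrete. First, the derived string that a clear-text-storing site leaks is still the output of a known function of the master, so an attacker can run site_password over a wordlist of likely masters; the iteration count slows that but does not rescue a weak master, which is why the master must itself resist a dictionary attack. Second, the server still hashes whatever it receives, because it cannot know whether the client derived anything; a site that stored the derived string in the clear would simply be leaking a site-specific password instead of a shared one, which is the whole (and only) gain.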
Re: (Score:2)
The other possibly, that I'm currently thinking very hard about, is to write a suite of free (with premium upgrades and management available) tools to allow the users to add this layer themselves
I do residential IT services... (Score:2)
Because the biggest single problem my customers have is remembering passwords, the first thing I tell them is write them all down in a safe place. Everyone has a good place they can hide a sheet of paper.
I'm fully aware that a significant fraction of the password cheat sheets will end up taped to the monitor, but in my customer demographic the online threat and the physical breakin threat are totally disjoint. Even their laptops seldom leave the house.
But we do know what secure passwords (Score:5, Insightful)
> Only five percent of respondents didn't know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols.
These requirements profoundly _discourage_ secure passwords. The difficulty of remembering them, and typing them well at a hidden password field, strongly encourage storage of passwords locally in cut&paste text windows or in local plaintext password storage. The current champion application for this security failure is AWS, which stores complex randomized alphanumeric strings which _no one_ can remember, forcing their default inclusion in plaintext local user files or even hardcoded in saved wrapper scripts.
I'm afraid that robust password generation was much better explained and documented in an old XKCD cartoon, https://xkcd.com/936/ [xkcd.com]
Is there really a paradox? (Score:4, Insightful)
My personal favorite: password paradox. "The survey revealed that the majority of respondents understand that their digital behavior puts them at risk, but do not make efforts to change it," reports Help Net Security.
But among all the accounts that people have, how many of them are really worth the effort to reduce the hacking risk? I'd think a lot of people reuse the same passwords on many sites, because they do not really care if they are hacked on most of their accounts. Actually, this is kind of hinted at in TFA:
Additionally, consumers prioritize their password strength based on which accounts they believe need to be the most secure. Respondents indicated that they create the strongest passwords for financial (69 percent), followed by retail (43 percent), social media (31 percent) and entertainment (20 percent).
That would seem to indicate that if people reuse many passwords, they still don't use the same one for their bank and for Facebook... It is strange the TFA asked people if they thought their accounts had value to hackers, but didn't go as far as asking the surveyed people what value they perceived themselves in their accounts.
Re: (Score:2)
Passwords shouldn't have to be good (Score:2, Interesting)
Well, then passwords don't have to be strong. This doesn't fix password reuse though
Re: (Score:2)
Most password cracking is done by stealing the database with the password hashes and then using some GPU-based system to crunch those against known rainbow tables and some well known tricks people use to create passwords.
None of what you suggest would make any difference.
Re: (Score:2)
crunch those against known rainbow tables
Note that this *also* would be a sign of an incompetent site. Password databases should be impervious to rainbow tables. Also, a GPU would not really be that useful for a rainbow table. A rainbow table is a precomputed table of hashes, meaning it's a straight lookup rather than actually having to perform the hash calculation. A competent site would have a sufficiently long random salt incorporated to render rainbow tables impossible.
Of course, dictionary attacks against an offline database are still a probl
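The distinction the comment draws, as an added example that is not from the thread: a precomputed lookup table recovers unsalted hashes with zero hashing at crack time, does nothing against per-user random salts, and the salted case falls back to rehashing the whole word list under every salt. The word list, users and passwords are constructed samples; the storage scheme is mine, not any real site's.

```python
import hashlib
import os

WORDLIST = ["password", "letmein", "qwerty", "sunshine", "dragon"]  # constructed


def unsalted_hash(pw: str) -> bytes:
    return hashlib.sha256(pw.encode()).digest()


def salted_hash(pw: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + pw.encode()).digest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once, independent of any target database.
    That independence is what makes the table reusable and cheap to apply."""
    return {unsalted_hash(w): w for w in words}


def table_attack(table, records):
    """records: (user, salt, digest), salt None for unsalted storage.
    Returns (recovered users, hashes computed). The table is a pure lookup, so the
    hash count is always 0, and a salted record can never match a table entry."""
    recovered = {}
    for user, salt, digest in records:
        if salt is None and digest in table:
            recovered[user] = table[digest]
    return recovered, 0


def per_salt_dictionary(records, words):
    """What is left once salts are in play: every word must be rehashed under
    every user's salt, so the work scales with users x words instead of being
    a one-time precomputation shared across all databases."""
    recovered, work = {}, 0
    for user, salt, digest in records:
        for w in words:
            work += 1
            if salted_hash(w, salt) == digest:
                recovered[user] = w
                break
    return recovered, work


def make_databases():
    """Two toy credential stores for the same two users: unsalted vs. salted."""
    creds = [("alice", "sunshine"), ("bob", "dragon")]  # constructed sample
    unsalted = [(u, None, unsalted_hash(p)) for u, p in creds]
    salted = []
    for u, p in creds:
        salt = os.urandom(16)
        salted.append((u, salt, salted_hash(p, salt)))
    return unsalted, salted
```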
Long story short (Score:3, Informative)
Begin article.
Passwords are a chore to remember. People are lazy.
End article.
Bloody stupid article (Score:2)
The reason people re-use passwords is overwhelmingly because so many sites require them. A vanishingly small percentage of the population could realistically expect to remember what may be 100 or more passwords to manage all their online activities. The variations in password acceptance across all those sites is equally irritating ("Do not use special characters" "You must use at least one special character" "Password must be at least 8 characters" "Password must be exactly six characters" etc etc).
Why it's hard (Score:2)
passwords should contain uppercase and lowercase letters, numbers and symbols
No, far more effective would be minimum password (phrase) length. People thinking 8 characters are fine as long as it is leet-speak is a problem. The way most people use uppercase, numbers, and symbols make the dictionaries a little more tedious, but not *that* much more so.
Sure, the most secure approach is totally random, but if people insist on it being human friendly, number of characters is the key point to emphasize.
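A back-of-the-envelope version of the argument above, as an added example that is not from the thread: an 8-character dictionary word with leet substitutions and random capitalization is searched as words x mangling rules, not as 95^8 characters, while each extra passphrase word multiplies the search space by the whole dictionary. The substitution set, dictionary sizes and guess rate are assumptions for the model, not measurements.

```python
import math

# Assumed mangling rules a cracker would apply: each letter may stay lower-case,
# be upper-cased, or take one of its substitutes.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}
GUESSES_PER_SECOND = 1e11  # assumed offline rate against a fast unsalted hash


def leet_variants(word: str) -> int:
    """Number of mangled forms of `word` under the LEET rules (lower, UPPER, substitutes)."""
    total = 1
    for ch in word.lower():
        total *= 2 + len(LEET.get(ch, ""))
    return total


def bits_for_charset(length: int, charset_size: int) -> float:
    """Entropy if every character were uniformly random over the charset."""
    return length * math.log2(charset_size)


def bits_leet_word(word: str, dictionary_size: int) -> float:
    """Search space for 'a dictionary word, mangled': words x variants of that word."""
    return math.log2(dictionary_size) + math.log2(leet_variants(word))


def bits_for_passphrase(words: int, dictionary_size: int) -> float:
    """Each word drawn independently from the dictionary adds log2(dict) bits."""
    return words * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    return 2 ** bits / rate


def compare() -> dict:
    """Side-by-side search spaces for the policies discussed above."""
    return {
        "8 chars, 95 symbols, truly random": bits_for_charset(8, 95),
        "'password' mangled, 100k-word dict": bits_leet_word("password", 100_000),
        "4 words from a 7776-word list": bits_for_passphrase(4, 7776),
        "6 words from a 7776-word list": bits_for_passphrase(6, 7776),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:40s} {bits:5.1f} bits  ~{seconds_to_exhaust(bits):.3g} s to exhaust")
```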
Completely misses the point (Score:2)
It's not about understanding the risks. It's about considering the dangers to be significant. I reuse passwords all over the place, and most of my passwords are very simple. And I understand that because of my behaviour, it'd be very easy to hack into my slashdot account. There's no paradox there. I don't consider my slashdot account to be vital. If someone wants to hack into my slashdot account, I could care less. I'll get another slashdot account. It was free the first time. It'll be free the sec
Passwords are outdated. (Score:2)
The issue is that GPU scaling has exceeded the functional life of passwords. So we make longer, more complex passwords and next year or the next some GPU breakthrough will enable those to be broken in reasonable time. It's just a delaying action against the inevitable death of passwords as a valid authentication option.
Re: (Score:3, Informative)
I'm pretty sure that most employees who are forced to pick new passwords once/month just use something like:
This meets all of the upper/lower/digit/symbol requirements, and it never repeats.
I also think the ones that don't use this method just write the password down on a post-it note that they keep in the office.
Re: (Score:2)
That's too long for some systems used where I work where the length has to be exactly 8 characters and not contain any "special" characters in order to allow the passwords to work also on some oddball systems.
Re: (Score:2)
That's too long for some systems used where I work where the length has to be exactly 8 characters and not contain any "special" characters in order to allow the passwords to work also on some oddball systems.
Tell me about it. But sometimes it's simply shockingly bad security choices on the part of the company, as well. For instance: my old bank started requiring a fixed-length, 6-letter password that was case-insensitive and mapped to the corresponding phone digits to consolidate their dial-up and online logins...I have no idea if they still do that, since I abandoned ship shortly thereafter. I simply wasn't comfortable with having my banking access protected by, essentially, a 6-digit number.
To be fair, the
Re: (Score:2)
Yeah... I don't know anyone who writes it down on a post-it next to their computer, but we do have a 90 day policy, and my password strategy is not quite what the GP described, but it's not too far off, either. That's the stupidity of just not allowing us to create a really great pass-phrase that would take years to break. That's all on top of two-factor authentication (RSA SecureID) when not signing in from our internal network.
The stupidity is that on systems that have multiple users, we have a shared a
Re: (Score:2)
I'm guilty of the increment counter in pwds at work.
As to the SecurID token...
Co-worker has pwd and username on post-it on back of token...
smh
Re: (Score:2)
Yup. A password under 8-12 characters in length, consisting of a simple dictionary word (with simple digit substitution of a = 4, e = 3, i = !, random capitalization, etc) can be solved by a GPU in less than a second or two. Combine several non-related words together and you might have a fighting chance. Don't even get me started about how many friends and relatives don't use 2-
Re: (Score:2)
... Better let an application generate a password for the user's eyes only and force the user to memorize it (or to write it down, at their own risk).
Let's see... my work account, two banks, several credit cards, two healthcare accounts (FSA AND HSA) as well as my health insurance, accounts for my kids in school (like paying for school lunches), ISP account, several streaming services, slashdot, reddit, and a number of other forums I participate in (and not me, but most people will have several social media accounts).... you get the idea. I'm supposed to remember all those completely random passwords?
Oh, and another pet peeve: changing passwords often - it does nothing for password guessing, all passwords with the same randomness have the same probability of being guessed. Changing passwords is meaningful only if the old password is already compromised, but you never know when exactly it happened, so unless you are changing the password after each session, it is almost completely useless.
Now that I can agree on - our company's policy is jus
Re: (Score:2)
Re: (Score:2, Insightful)
In the early '90s, when you had one password for your email and that was it, passwords were useful. Now you are supposed to keep more than 30 different, complex passwords. Oh, and you should replace them every 3 months.
But, yeah, people follow risky password practices because of laziness. It's not because passwords are a simple, lazy way to implement authentication that has become unmanageable.
Re: (Score:2)