Spafford On Security Myths and Passwords

An anonymous reader writes "In a recent blog post, Eugene Spafford examines password security along with related issues and myths. In particular, he discusses how policies that may not necessarily make much sense anymore end up being labeled 'best practices,' and then propagated based on their reputation as such."

APG

[wuzzeb]

I have found that using APG [nursat.kz] is a great way to generate passwords. They are easy to remember since you can pronounce them. For example, I just ran the generation and these are the passwords that popped out. I have found that most users can remember these kinds of passwords.

lewcyHirUx6 (lew-cy-Hir-Ux-SIX)
drywaWrop2 (dry-wa-Wrop-TWO)
ScekGul4 (Scek-Gul-FOUR)
lacWaup7 (lac-Waup-SEVEN)
IphIaft3 (Iph-Iaft-THREE)
glidTevPos8 (glid-Tev-Pos-EIGHT)

One attack he didn't mention...

[patio11]

... getting your server brute-forced by a Slashdotting.

MOD PARENT +5 Funny!

[WoTG]

Uh... yeah, those passwords look easy enough to remember.

Heck, I forgot my 4 digit alarm code about 6 months ago... and you want me to remember how to "spell" glid-Tev-Pos-EIGHT???

I write passwords down...

[cirby]

Well, they *look* like passwords.

They're not actually *to* the systems they're next to, but it's funny how long some baby cracker-d00d will just sit there and keep fiddling with them, trying to get them to work.

Re:Password change policy

[KiloByte]

Thats just how politics work in a corporate environment. People will cover their arses first, do the sensible thing second.

I'm afraid that you have never seen a corporate environment; otherwise you wouldn't mention "doing the sensible thing".

Re:Advice on passwords

[raftpeople]

It happened to me. I was logging onto some box after having passed through a few different operating systems on various boxes to get there, when I keyed in my password the damn thing got echoed back to the screen and the person behind me started laughing (it was one of those passwords you wouldn't tell your mom about!).

Easy for a Star Trek Fan Maybe...

[Qybylance]

They do sound an awful lot like planet names... "Scotty, beam me down to Lac Waup 7!" "Can we recover the team on Sek Gul 4?" "The colony of Ip Laft 3 is under Romulan attack!"

Re:Advice on passwords

[wildsurf]

Passwords are like toothbrushes; change them every three months and don't share them with your friends.

Passwords are like toothbrushes. Don't get too enameled with yours, or it'll cause a dentin security and may even expose your root.

Re:Password changing

[MrLizardo]

The biggest threat to security is often from within the corporation/organization itself. And there's a big difference between being able to walk by someone's desk and see the sticky note with the password on it versus climbing under their desk and putting a key-logger between the system and the keyboard. Think about the following two scenarios:

Scenario 1:
Worker: What were you doing going through the drawers in my desk for while I was away?
Cracker: Sorry. I was looking for a stapler.

Scenario 2:
Worker: What were you doing crawling around under my desk, screwing with my computer?
Cracker: Sorry. I was looking for a stapler.

See, one of these is activities is a little more dubious than the other. Also, you don't have to be a 1337 hax0r to be a threat to security. All you have to do is have access to a file/account/system you shouldn't.

Re:Dupe

[Warg! The Orcs!!]

If I recall correctly, posts pointing out duplicate posts have been posted before.

Requirements...

[Vo0k]

A real error message from a real e-store registration, denying access for a customer who entered his actual, legit personal data:

"Your surname name is too short. Surname must be at least 4 characters long."

Re:Couldn't agree more on some points

[cyborch]

... there is a nearly 100% chance that anyone sneaking into 3 out of 4 offices ...

... 99% of security compromises ...

... 25% of people ...

In other news: 87.3% of all surveys are made up on the spot.

biometrics

[Anonymous Coward]

Hope I don't have to get new fingers every 30 days when they bring biometrics as password replacements....

Passwords Suck

[esme]

We should all be using public keys.

-Esme

Re:Password changing

[Phleg]

A sentence would be an even better password, because it's easier to remember, has spaces, capitals, and punctuation.

You must be new here.

Re:Diceware

[Anonymous Coward]

Your passphrase would then be:

                                cleft cam synod lacy yr

  Which interestingly is Welsh for all your base are belong to us

My way

[sasdrtx]

Abcd0001

Increment as needed.

Re:Shoulder surfable.

[Rob the Bold]

You ever wonder why password fields don't echo the actual characters back to the screen?

I used Lotus Notes for a while, and it had a "cool" feature of echoing seemingly-random numbers of heiroglyphics when you typed each character of a password. You never knew if your finger slipped or if you did just type bird-bird-eye-"guy going like this"-bird-ankh-ankh-ankh. Worse then single stars, worse than nothing, really.