Password Complexity in the Enterprise? 216

andrewa asks: "What's the deal with passwords in a corporate environment these days? The company I work for has introduced layer upon layer of complexity on passwords over the years, and now it is simply ridiculous. We have to enter a 16 character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string -- it has to be a mixture of upper- and lower-case characters including numerals and non-alphanumerical characters. What's next? A mixture of non-keyboard accessible characters and several varieties of DNA? It's not like we are even a government institute -- we are a software company that does telecom stuff, for goodness sake. Anyway ... you know what this makes me do? Write it down somewhere. How secure is that? The question is, I think my company is completely anal with the password requirements, what other security policies are in place in other companies that either completely exceed the banality of my company, or -- God forbid -- have a security system that makes sense?"
  • by 9mm Censor ( 705379 ) * on Monday June 12, 2006 @06:39PM (#15520212) Homepage
    I work at a call center. The password I was given, was "apple123". After 6 months I was prompted to change it. So now my password is "apple456". If I were to work here for another 6 months, I would change it back to "apple123" but I quit because I value my sanity.
    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday June 12, 2006 @06:59PM (#15520333)
      The key is not how complex you can make a password.

      The key is how will an attacker defeat it.

      So, a simple password is sufficient if the attacker will not have enough chances (statistically) to defeat it. This is easy to accomplish by having a time delay between authentication attempts or a lock-out period. But this is only sufficient if you have a person actively monitoring the authentication logs.

      Example: Suppose you have a list of 10,000 common words. You take a random word, a digit (0-9) and another word, that will give you 10,000 x 10 x 10,000 possible combinations (1,000,000,000 or "one billion"). So, if you get 3 guesses before you're locked out for 15 minutes, then you can guess 12 passwords an hour ... 288 a day ... 864 over a 3 day weekend. Round that up to a thousand and it's still a "one chance in a million" to guess the password over 3 days of trying.

      As long as there is someone reviewing the logs, the attempts will be noticed and actions can be taken before there is any real chance of your password being cracked.

      And WordNumberWord is not that difficult to remember.

      Now, this is NOT a good practice for passwords for encrypted files or anything else that can be cracked off-line.
      • How many times have banks/people lost money due to weak passwords?
        vs
        How many times have banks/people lost money due to social engineering?

        Forcing people to have crazy passwords may reduce the number of
        times that password is cracked (from near zero to nearer zero).
        But stopping social engineering will have a *far* greater impact -
        because it's actually pretty common for people to hand over their
        passwords and account details to Nigerians or email from PayPal.

        So it's not about the size of your password. For examp
        • And that holds true for any authentication system. Lock your users out (so they have to come to you) after 3 tries.

          Yes, but this then EASILY enables a denial of service attack. If I don't want you to be able to log in, all I need to do is fail to enter your password 3 times. That's why the temporary lock-out and active monitoring is a good thing (tm). -inco

          • You have a good point - A timed lockout is required to stop
            brute force, but won't hinder a user (who needs to wait 60 seconds after
            every 3 tries).

            However that won't stop a DoS on an account. If DoS is the goal,
            the hacker has a process that keeps entering your ID with a bad
            password. Probably a better solution there is after 10 bad tries -
            lock that IP out for an hour.

            Anyone dealing with this? How are you doing it?
        • Lock your users out (so they have to come to you) after 3 tries.

          I agree with this general principle, but you have to be careful: This can easily turn into a Denial of Service situation. Anyone who'd like to lock out your account just has to fake three logins and you're stuck until you get an admin to unlock you. (This can get rather bad if the admins are swamped, or not available at the time you try to access the system.) I tend to prefer time-limited lockouts, or possibly a system where once you are

        • Which is real practical in a 24 hour operation where you work bankers' hours and take a long lunch. And no one on the night shift speaks Hindi.
        • For example: PIN codes
          are pretty secure, but they are only 4 digits.


          Incorrect. Go and call your bank
          • Incorrect, yes, but for all intents and purposes, correct.

            If you want to be able to use an ATM anywhere in the world, you'd better have 6, or even better, 4 digits in your PIN.

            I travelled to France, intending to just withdraw cash, rather than deal with exchange houses, etc... machine would not accept my PIN because it had 7 digits, and their machines could only handle 6.

            An inconvenience in my situation, but had potential to be a serious problem.

      • That's only a real problem if your lockout has an auto-reset.

        If you're configured to lock an account after 3 bad attempts (like most systems I've ever been on), with the only account reset possible being a manual reset with administrator intervention, how can someone guess 3 billion (or whatever) times?

        Well, anyway, in Windows, the SID-500 account (built in Administrator) can't be locked out. So I suppose someone could sit and hack away at that password all day long. Which is probably why it's a good idea
    • At my previous job, there were two of us with sudo access on the new fileserver I set up: myself, and the previous admin (who wasn't really a computer guy, just the guy who ended up doing their computer stuff before I was there).

      His password was qwer.

      Needless to say, I restricted SSH access (which was the only remote access to the fileserver) to my user and my user alone.
    • You didn't happen to work for a company called "UNATCO", did you? I know a lot of their passwords were like that.
      • Seeing as my password is "apple123" I think that is a bit of a hint ;) Hint #2: Jobs gives me a job. Hint #3: White computers! Hint #4: Stupid users. Hint #5: WTF are you doing on /. if you don't know that I am working for Apple (via a contractor) yet.
  • Skroob. (Score:4, Funny)

    by Tackhead ( 54550 ) on Monday June 12, 2006 @06:39PM (#15520214)
    > We have to enter a 16 character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string -- it has to be a mixture of upper- and lower-case characters including numerals and non-alphanumerical characters.

    "0123456789aBcDeF"

    That's amazing. I've got the same password on my 6-piece luggage set!

  • by Anonymous Coward on Monday June 12, 2006 @06:43PM (#15520248)
    Those requirements don't sound too tough, though 16 characters is a little long.

    As for remembering strong passwords, my method is this: think of a phrase, take the first letter of every word, substitute in some h4x0r numbers for letters, and make a few letters uppercase. It takes an afternoon or so before I can type it without thinking.

    Example:
    Slashdot is full of bad grammer,misspellings and inaccuracy

    =

    s1F0bgMaI

    The phrase is easy to remember; the number and uppercase substitutions come with repetition.
    • Yes, but try getting an administrative assistant to do this. They won't; you can guarantee they will just do the easy thing and write it down. This is not always a bad thing, though, provided they don't stick it on their monitor or something.
    • by renelicious ( 450403 ) on Monday June 12, 2006 @07:01PM (#15520349)
      Actually I think the "first letter of the phrase" idea is too complex; why not just use a phrase? Most sane passwords allow up to 128 characters. You can easily type a whole sentence, which is much easier to remember. Use something like:

      Jane's birthday is on October 12th. (with punctuation)

      or

      Do or do not, there is no try.

    • Also:

      Slashdot users are uneducated unemployed and overweight

      =

      SurU2a0

      Slashdot users frequently complain about things, despite being overlooked and ignored because of their ignorance.

      =

      sUfcaTdb0a1b0t1

      =

      Goatees are stupid, especially on effeminate, pudgy computer nerds; they didn't even look good in the 1990s.

      =

      ga5e2pcntd31g1719905

      Diabetes is god's way of telling you to lose weight, and that you look disgusting.

      =

      d1gW0tyT1w47yLd

      • I like those passwords, but I would just type them in full. All of our passwords are phrases that are over 30 characters long including punctuation. This excludes those that need to be entered frequently and repeatedly, like that for managing printers, which is short and not very secure but doesn't really matter because that password can really only stop and restart printers. I used to abbreviate like you did, but I've found I can often type the whole phrase faster since I don't have to think of the word, th
      • by bigmouth_strikes ( 224629 ) on Tuesday June 13, 2006 @02:35AM (#15522182) Journal
        > Goatees are stupid, especially on effeminate, pudgy computer nerds; they didn't even look good in the 1990s.

        Hey, I resemble that remark!
    • As for remembering strong passwords, my method is this: think of a phrase, take the first letter of every word, substitute in some h4x0r numbers for letters, and make a few letters uppercase. It takes an afternoon or so before I can type it without thinking.

      This is one of my faves.

      It's immune to a dictionary attack, and any good password will be. It's also largely immune to social engineering, i.e. somebody looking over your shoulder as you type. You think "Now I'm possessive it isn't nice. You've hea

  • by Flimzy ( 657419 ) on Monday June 12, 2006 @06:45PM (#15520252)
    ...from simply rotating the password?

    Jan: 0123456789abcDE_
    Feb: 123456789abcDE_0
    Mar: 23456789abcDE_01

    You get the idea

    No digit will ever be the same as the same digit in any previous 15 passwords. It contains numbers, lower and upper case letters, and a non-alphanumeric character.

    • by Kadin2048 ( 468275 ) <slashdot...kadin@@@xoxy...net> on Tuesday June 13, 2006 @09:42AM (#15523485) Homepage Journal
      I know people who do something similar to this, by typing geometric patterns on the keyboard. (They weren't using it actually to control access to anything, just as passwords to test accounts and the like.)

      You start off with "1qaz2wsx3edc" and then when it expires, you change it to "qaz2wsx3edc4", etc. Depending on how intelligent the password system is -- in this particular case, not very -- you could get away with it. I think more secure systems probably pick up on the lack of difference between the two and would prohibit it.

      It's easy to create very complex, seemingly-random passwords that include numerics and punctuation this way, but it's very prone to shoulder-surfing. If anyone sees you enter it even once, they'll know what you're doing.
  • Suggested to me: (Score:5, Interesting)

    by wild_berry ( 448019 ) on Monday June 12, 2006 @06:46PM (#15520258) Journal
    One of the best I'd seen was to take first letters (or last, or second, etc.) from words in a song whose lyrics you know well. They have a decent amount of randomness and each album you buy will supply a couple of years' worth of passwords.

    Writing them down in a safe location is a helpful aide-mémoire. You could just have a lyrics file saved to a thumb drive or scrawled in a diary.
    • The problem there is forgetting which song and which phrase in which song.

      "... okay, now for the root password, did i use the chorus from broken, the bridge from coin-operated boy, or the intro from engel?"
    • That's pretty good, even if you write it down as someone finding them is likely not going to assume song lyrics are a password. Contrast this to "zex242ab" which does indeed appear like a password.

      Another suggestion I've heard is to use a combination of visual patterns on a keyboard, i.e. "pl,12#edc" is a good password that you can follow visually without having to necessarily remember it exactly.

      ...and hope you didn't eat something messy for lunch that'd leave a trail behind as you type. ;-)

      /K

  • by mph ( 7675 ) <mph@freebsd.org> on Monday June 12, 2006 @06:46PM (#15520259)

    I know a few...

    "Theta alpha two seven three seven blue"

    "One one A"
    "One one A two B"
    "One B two B 3"
    "Zero zero zero destruct zero"

    But usually, voice identification is enough.

  • by biglig2 ( 89374 ) on Monday June 12, 2006 @06:47PM (#15520263) Homepage Journal
    Make the passwords too hard to remember and people write them down because they have to.

    Some advice Bruce Schneier once gave: there is nothing so terribly wrong with writing your password down on a piece of paper and putting it into your wallet. Your wallet is a security mechanism that you already use, and you are very practiced at keeping it secure.

    Myself, I use muscle memory to store mine. I make up an entirely random password and spend 20 minutes typing it over and over again until my hands remember how to make that sequence of twitches. Works great; and no risk of me accidentally telling someone my password because I don't know what it is.
    • Of course writing your password down and keeping it in your wallet or purse is better ... follow the MONEY!.

      Just use the serial number off a piece of currency, and a few letters, and you're gold. Just don't spend your password,

    • >Some advice Bruce Schneier once gave: there is nothing so terribly wrong with writing your password down on a piece of paper and putting it into your wallet. Your wallet is a security mechanism that you already use, and you are very practiced at keeping it secure.

      Not only that, it has a quantifiable value, allows you to choose an arbitrarily complex password, and protects against the self-administered DoS of a forgotten password: http://www.berylliumsphere.com/security_mentor/2004/03/heresy-write-down
    • by JaredOfEuropa ( 526365 ) on Monday June 12, 2006 @08:18PM (#15520727) Journal
      Some advice Bruce Schneier once gave: there is nothing so terribly wrong with writing your password down on a piece of paper and putting it into your wallet. Your wallet is a security mechanism that you already use, and you are very practiced at keeping it secure.
      Paper left in a wallet tends to become crumbly and perhaps ultimately unreadable. That's why people tend to keep such bits of paper in their desk drawer rather than their wallet. Or (especially if they have to remember multiple passwords) in a Word document protected by a silly password. Of course, passwords for "functional" accounts that are shared between users are recorded in a different favorite place: the office whiteboard.

      To improve security and make the users happy at the same time, this is what we are currently doing:

      1) Enforce "good" passwords but do not let them expire (do lock the account out upon 3 incorrect passwords). Instead, notify the user of his last login time and last workstation used.

      2) Look for Single Sign-on solutions. Some applications can leave user authentication up to the OS: being logged in to Windows NT (for instance) is good enough for the application to trust that you are you. If you are writing an application that requires controlled access, consider implementing SSO.

      3) If you cannot get around the fact that users will have to deal with multiple passwords, consider a Password Vaulting solution. Basically this is nothing more than a bit of client-side code that remembers passwords as they are entered once, and then enters them automatically the next time you come across the same login window. Sounds crummy, but there are a few secure enterprise-level password vault applications that store passwords centrally and encrypted.

      4) Use sudo or kerberos or similar for functional accounts.
    • there is nothing so terribly wrong with writing your password down on a piece of paper and putting it into your wallet.

      This would probably work well for me even though I have about 20 passwords. My wife on the other hand has 1 password and 20 purses. I can see her going to work and claiming she has to go home and change purses.
      • Sorry, I was using purse in the UK English sense, not the US English sense. We say handbag where you say purse, and we say purse where you say... I don't know actually what you say.
        In UK English, a purse is literally "a bag for holding coins"; more practically these days a woman's purse is a large wallet that has a coin holding compartment. Wallet is optimised for people with trouser pockets; purse is optimised for people with bags.

        Anyhow, what I mean is, keep the password in the same place as your credit
    • by WuphonsReach ( 684551 ) on Monday June 12, 2006 @10:35PM (#15521318)
      I divide my passwords up by classification:

      1) The ones I deal with on a daily basis. These number in the range of about 1 dozen, but are still easily rememberable. Length varies from 12-30 characters, includes digits, mixed-case and is comprised of multiple words. Memorable, typeable, and fairly secure. Some of the longer ones are 40-80 characters in length, but they are ones that I only use when booting up the laptop every few weeks. I use them all frequently enough that they're memorable (although I still back them up in a GPG-protected file).

      2) The ones that I let the web browser remember. Such as forum passwords. Since I use a laptop that I keep secure, I'm not terribly worried about letting the web browser remember these. Those passwords are generated by a random algorithm and are usually 20-40 characters in length with random caps and symbols inserted into the middle / ends / beginning. I keep track of these by placing them in a text file prior to encrypting the contents of the text file with my GPG key. If I ever need to look them up, I open the text file, copy the contents to the clipboard and decrypt it.

      3) Other seldom used passwords. These are almost all randomly generated (30+ characters with random symbols, digits and caps). Again, I simply store them in plain text files where the contents of the file is a GPG encryption block. To get at the password, I copy the contents into the clipboard, decrypt and there I have it.

      The plain text file with GPG encrypted contents works well for many reasons. It's backup-friendly (I could even put the contents into source code control), I can e-mail the blocks to myself on other machines without worries or I can make backups of all of my passwords by mailing them to a webmail account. I can set up the contents of the file to be readable by my co-workers for cases where multiple of us need access to the password.
    • The muscle memory one is not so good if you have lots of passwords, of course; in that case.

      I have three, and manage without a card - my password, my root password, and an insecure password I use on web sites etc. where I won't lose any critical data (and where obviously I don't want the web site to have my real password). Oh, and a variant on my insecure password for sites that have more complex password rules than my insecure password meets.

      Of course, this means that CmdrTaco could hijack my Flickr accou
    • Muscle memory is great until you go on a trip to France, and at the internet cafe are greeted by an AZERTY keyboard!
  • Every company has some information that needs to be secure. With a network, you're only as secure as the weakest link--one machine is all it takes for someone to infiltrate it.

    While your company's password policy is much more stringent than my company's, it doesn't sound too paranoid at all. As far as remembering the password, you should write it down and carry it with you if you're having trouble remembering it. It should only take a couple days of logging in before you have it down, so then make sure y
    • In all reality the long password idea is great. However once you have a 16 digit password it no longer really matters if you mix it with numbers and special characters. This is from an article on password myths: "Now consider this password: SeandialVickyandhorusbloomkendallWyoming. It is not complex by any measure. It contains only two character types and all of the components are words. They are, in fact, words picked from the Microsoft password strength checker's dictionary, which includes 2,254 words. Th
    • I'd argue that. Nowadays it's pretty hard to crack the corporate firewall to be able to attack the machines you could try a password attack on, and moderately risky to get physical access to the building and the network wiring. It's dead easy, though, to e-mail a trojan or other malware masquerading as some suitably-attractive bait (new screensaver, porn, etc.) and count on at least a few people in the company getting bit by it. Note that that malware doesn't need to crack your password, it's already logged

      • Every time I see someone go over rules like your suggestion, I wonder why everyone suggests to limit the keyspace and provide a clear logic for attack? Correct me if I'm wrong, but it seems that those rules (easily learned through minimal social engineering) would make it easier to crack, despite the length minimums. For example:

        Given a 6 character password from that scheme, I know the following always holds true:
        Minimum of 1/3 of the password is uppercase, dictionary attacks are weak, limiting to non dicti
  • unlikely (Score:3, Insightful)

    by hrbrmstr ( 324215 ) * on Monday June 12, 2006 @06:55PM (#15520306) Homepage Journal
    "16 character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string"

    this is an exaggeration. I can believe 8-character password every 45 days that cannot be the same as any of the previous 6, but there's no way that the stated requirements are correct. every user would have sticky notes on the bottom of their keyboard or phone or on their laptops in order to remember their password.

    no real enterprise security shop would condone such a moronic password policy.

    if a company were that paranoid, they'd have invested in PKI or use SecurID.

    tell us what the real requirements are and maybe we can offer some concrete suggestions.

    • Re:unlikely (Score:5, Interesting)

      In my job, I talk to network administrators very frequently while supporting our software. Generally the problem is, our product's default password doesn't meet their complexity requirements. The solution is simple, I ask them what their requirements are and make one up that meets them.

      Those requirements are absolutely not unlikely. I run into requirements at least as idiotic about once a month. Some of the stuff I've heard, I didn't even think it was possible to create a password that met them, and they had to be changed once a month. I've also run into stuff that probably reduces the keyspace (requiring 2 numbers, 2 special characters, 2 upper, 2 lower tells you a lot about every password when minimum length is 8). That one also had to be changed monthly.

      These requirements are for ... well, I'm not going to even say what type of company that last particular one was in order to protect my job, but trust me, you'd be very surprised, and probably upset. The fact is, the type of critical thinker that can actually come up with a good password policy is somehow a rare person, even in IT. Since the people doing the hiring generally have no idea how to interview, you'll find that person with almost perfect random distribution at small and large companies, government offices, schools, banks, consultants, mom-n-pop stores, you name it. It's a sad, sad situation.


    • no real enterprise security shop would condone such a moronic password policy.


      Never underestimate the power of human stupidity. Or corporate stupidity, for that matter.
  • Request password reset daily. I have 4 or 5 user IDs across a multitude of systems in my company and can never remember the ones I use about once a month or so. Typically I end up having to request a password reset for those systems. I have a co-worker who has to request a password reset every time he logs into his bank system. Back when I was working at EDS so many people were requesting a password reset that they started making each department pay for them (Apparently it was billed out at around $30.) Or
    • Re:Easy Solution (Score:3, Insightful)

      by fish waffle ( 179067 )
      I have 4 or 5 user IDs across a multitude of systems in my company and can never remember the ones I use about once a month or so. Typically I end up having to request a password reset for those systems.

      At my former employment I had at least as many, with the same problem, and much the same solution. Several of my coworkers kept the usual piece of paper in their desk with passwords, and many just kept text files on the system they used most often.

      I complained at one point and was told I should just use th
  • Password security actually doesn't bother me that much.

    Physical access to systems is a much more pressing concern. I work in a college, and there is no way I'd be able to enforce a strict password scheme in such an environment. Students can't remember a simple password, let alone something designed to beat a determined attacker.

    So, rooms are locked, laptops are secured, and accounts are locked down so that any attacker hacking an account is left with nowhere to go.

    Obviously, I enforce strict passwor
  • My method (Score:3, Insightful)

    by Rysc ( 136391 ) * <sorpigal@gmail.com> on Monday June 12, 2006 @07:18PM (#15520429) Homepage Journal
    I use two complementary password generation schemes:
    (1) I pick a word or pair of words and convert them to 31337. Example: supersecure->sp3rs3cur3. This is 10 chars long, which is Good Enough for a commonly rotated password, easy to remember but hard to guess.
    (2) I choose a phrase, such as a quote I like, and use the whole thing. For a while my root password was: myvoiceismypasswordverifyme. Now, technically that's not very secure because it's all lower case letters. But due to the length the amount of time it would take to crack is quite high. Again, good for a commonly rotated password.

    For added security I use method 2 with method 1. Here's a secure password I no longer use: Iseemt0behavingtremend0usdifficultywithmylifestyle ! (Uppercase I intentional; exclamation point included.)

    You get the idea.
  • What I like (Score:3, Interesting)

    Unless there's some flaw that I don't know about, I've always liked the password method where it's two random English words (DoorAsphalt or MessHeave). It's easy to remember, and assuming, say, a 40,000 word dictionary, that gives 1.6 billion combinations.
    • That's statistically as secure as a four and one half letter password, assuming 96 usable characters. Does that qualify for a flaw you don't know about?
      • That's statistically as secure as a four and one half letter password, assuming 96 usable characters. Does that qualify for a flaw you don't know about?

        Yes, that's true. But what is the goal of a password? If it can be that easily defeated with brute-force methods, I suggest that password complexity is just a red herring for bigger flaws in the security system. It should not be possible to feed 1.6 billion combinations of something into a security system without someone noticing.

        If we're talking about

        • I use a similar method on some systems, though I inject a random number in the sequence. Like Door19Asphalt or Mess27Heave. Just avoid using the current month or year, and of course 42.

          And no, none of those work on my slashdot ID.

        • It should not be possible to feed 1.6 billion combinations of something into a security system without someone noticing.

          I worked at a place a couple years back that had a dodgy .php script on a web server. And wouldn't you know it, there was a ginormous .htpasswd file sitting in the docroot. And, as luck would have it, some of those passwords were also system passwords (yes, this was against policy, but the terminally obstinate could and would get around the rule).

          Since I don't have access to his
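The lockout arithmetic from khasim's comment (10,000 x 10 x 10,000 combinations against 3 tries per 15-minute lockout), the two-English-words versus "four and one half letter" comparison just above, and the "2 of each class at minimum length 8" keyspace reduction mentioned earlier in the thread, worked through as an added example (my code, not any poster's). It assumes a 96-symbol keyboard charset, class sizes of 10 digits / 33 specials / 26 upper / 26 lower, and an assumed offline rate of 1e9 guesses per second for the "cracked off-line" contrast.

```python
"""Keyspace vs. guess budget for the password schemes discussed in this thread.

Added example, not from any poster.  Assumptions: a 96-symbol keyboard charset,
class sizes (10, 33, 26, 26) for the "two of each class" policy, and an assumed
offline guessing rate of 1e9/s for the no-rate-limit contrast.
"""
import math
from itertools import product


def keyspace(*slot_sizes: int) -> int:
    """Distinct passwords when each slot is chosen independently from a pool.

    keyspace(10_000, 10, 10_000) is word-digit-word from a 10,000-word list;
    keyspace(40_000, 40_000) is the two-random-English-words scheme.
    """
    space = 1
    for n in slot_sizes:
        space *= n
    return space


def equivalent_char_length(space: int, charset: int = 96) -> float:
    """Length of a uniformly random password over `charset` symbols with the same keyspace."""
    return math.log(space) / math.log(charset)


def online_guesses(days: float, attempts_before_lock: int = 3, lockout_minutes: float = 15) -> int:
    """Guesses one account can receive under an 'N tries, then lock for M minutes' policy.

    The lockout resets on its own, so every cycle grants another `attempts_before_lock`.
    """
    cycles = (days * 24 * 60) / lockout_minutes
    return int(cycles * attempts_before_lock)


def success_probability(space: int, guesses: int) -> float:
    """Chance that `guesses` distinct tries hit a password chosen uniformly from `space`."""
    return min(1.0, guesses / space)


def offline_seconds(space: int, rate_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace with no rate limiting (e.g. a stolen GPG file)."""
    return space / rate_per_second


def constrained_keyspace(length: int, class_sizes, min_per_class: int) -> int:
    """Count passwords of `length` with at least `min_per_class` symbols from every class.

    Enumerates how many symbols come from each class, then multiplies the number of
    arrangements (a multinomial coefficient) by the number of symbol choices.  With a
    minimum of 2 from each of four classes at length 8, only the split (2, 2, 2, 2)
    survives, which is the keyspace reduction complained about in the thread.
    """
    total = 0
    ranges = [range(min_per_class, length + 1)] * len(class_sizes)
    for counts in product(*ranges):
        if sum(counts) != length:
            continue
        arrangements = math.factorial(length)
        for c in counts:
            arrangements //= math.factorial(c)
        choices = 1
        for size, c in zip(class_sizes, counts):
            choices *= size ** c
        total += arrangements * choices
    return total


if __name__ == "__main__":
    wdw = keyspace(10_000, 10, 10_000)          # khasim's word-digit-word
    two_words = keyspace(40_000, 40_000)        # DoorAsphalt / MessHeave
    budget = online_guesses(days=3)             # 3-day weekend, 3 tries per 15 min
    print(f"word-digit-word keyspace: {wdw:,} (~{equivalent_char_length(wdw):.1f} random chars)")
    print(f"two-word keyspace:        {two_words:,} (~{equivalent_char_length(two_words):.1f} random chars)")
    print(f"online guesses in 3 days: {budget} -> P(success) = {success_probability(wdw, budget):.2e}")
    print(f"offline at an assumed 1e9/s, two-word scheme: {offline_seconds(two_words, 1e9):.1f} s")
    full = keyspace(*[95] * 8)                  # 8 chars, any of 95 printable symbols
    policy = constrained_keyspace(8, (10, 33, 26, 26), 2)
    print(f"8-char, 2 of each class: {policy:,} of {full:,} ({policy / full:.1%} of keyspace)")
```

The same two-word space that survives a rate-limited login for years falls to an offline guesser in seconds, which is the distinction khasim draws between login passwords and passphrases on encrypted files.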

  • My policy (Score:4, Interesting)

    by RemovableBait ( 885871 ) * <slashdot@blockav[ ].co.uk ['oid' in gap]> on Monday June 12, 2006 @07:23PM (#15520451) Homepage
    I've always found it a total pain to remember passwords for different resources, so I came up (probably stole the idea from someone, too long ago) with a method of using the keyboard as a sort of encoder/decoder. What I do is I have a memorable word or phrase, but I always type in the letters above or below the actual characters. This means I can turn a memorable phrase, say, "slashdot.org", into gibberish, like "woqwye95l94t". (No, that isn't my Slashdot login, so don't even think about it :).)

    I've found that, while you need to think about it at the start, it doesn't take too long before you're used to using it. Of course you can (as I have) obfuscate it even more. For example, you could change the case (upper/lower) on alternate letters, type your memorable word/phrase in backwards, alternate above and below keys, etc.

    Just an idea, real good for the corporate logins... you can easily remember a word or name, and quickly turn it into something the IT Dept. would approve of.
    • Look into using a password safe or keeping seldom-used password / account information in GPG-encrypted text files. That way you only have to remember a core password / passphrase to get at seldom-used secrets.

      For the GPG method, create a new text file for each resource. Open it up in notepad, type in the access information. Then copy the contents to the clipboard and encrypt it before pasting it back into the text file. Now you have a secure secret that you can put anywhere (shared folder, mailed to y
      • This is a fairly good idea -- assuming you use a good password for the GPG encryption. Because unlike system-access passwords where (assuming it's intelligently built) the attacker would be locked out after a few bad attempts, if they get your encrypted file, they can hammer away at it until the end of time in order to get at what's inside. So that password has to be much more secure than anything inside it.

        Also, if you're going to go the stored-and-encrypted route, there are a number of small shareware typ

  • Take a simple phrase or word, and apply your own standard cipher.

    I take input (like "frankenfurter") and apply:
    - reverse letters "retrufneknarf"
    - substitute numbers for vowels "r1tr2fn3kn4rf" or "r4tr3fn2kn1rf"

    I can write this original word right on my monitor, or in my wallet, and it still doesn't give my folks enough to hack in quickly. Each time I need a new password, I pick a new input word, but keep the cipher the same.

    Pick your own cipher, but there are lots of standard
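The two schemes in this subthread (typing the key one row above each letter, and reversing a word then numbering its vowels) are deterministic transforms, which is exactly what a password cracker's rule engine applies to a word list. The Python below is an added example, not either poster's code: it implements both transforms as the posts describe them and then shows the attacker's side, where a known rule only multiplies the candidate set by the number of rules tried. The US QWERTY layout and the short word list are assumptions constructed for this example.

```python
"""Keyboard-shift and reverse/number-vowels transforms, and why a known
transform costs an attacker a constant factor rather than real entropy.

Added example; the QWERTY rows and WORDLIST are constructed here.
"""

# US QWERTY rows, top to bottom (assumption about the poster's keyboard).
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]

# Map every key to the key one row above it at the same column ("type the
# letters above the actual characters"). Top-row keys and characters not on
# these rows have nothing above them and are left unchanged.
_SHIFT_UP = {}
for upper_row, lower_row in zip(_ROWS, _ROWS[1:]):
    for col, key in enumerate(lower_row):
        _SHIFT_UP[key] = upper_row[col]


def shift_up(text: str) -> str:
    """Row-above substitution; letter case is preserved."""
    out = []
    for ch in text:
        sub = _SHIFT_UP.get(ch.lower(), ch.lower())
        out.append(sub.upper() if ch.isupper() and sub.isalpha() else sub)
    return "".join(out)


def reverse_and_number_vowels(word: str, descending: bool = False) -> str:
    """Reverse the word, then replace its vowels with 1, 2, 3, ... in reading
    order, or counting down from the vowel count when descending=True."""
    rev = word[::-1]
    n_vowels = sum(c in "aeiou" for c in rev.lower())
    counter = n_vowels if descending else 1
    step = -1 if descending else 1
    out = []
    for c in rev:
        if c.lower() in "aeiou":
            out.append(str(counter))
            counter += step
        else:
            out.append(c)
    return "".join(out)


# The attacker's rule set once the scheme is known. Combined variants are
# simply more rules; they do not change the shape of the search.
RULES = [
    shift_up,
    reverse_and_number_vowels,
    lambda w: reverse_and_number_vowels(w, descending=True),
    lambda w: shift_up(w[::-1]),
]

# Constructed stand-in for a real dictionary / leaked-password list.
WORDLIST = ["slashdot.org", "frankenfurter", "password", "telecom", "june2006"]


def attacker_candidates(wordlist, rules) -> set:
    """Run every rule over every base word. The candidate count is at most
    len(wordlist) * len(rules): the transform adds a small constant factor,
    not the exponential cost of a longer random password."""
    return {rule(word) for word in wordlist for rule in rules}


def is_recovered(password: str, wordlist=WORDLIST, rules=RULES) -> bool:
    """True if a rule pass over the word list reproduces the password."""
    return password in attacker_candidates(wordlist, rules)


if __name__ == "__main__":
    print(shift_up("slashdot.org"))                        # the post's example
    print(reverse_and_number_vowels("frankenfurter"))      # the other post's example
    for pw in ["woqwye95l94t", "r4tr3fn2kn1rf", "Zq2!hG8kl"]:
        print(pw, "recovered" if is_recovered(pw) else "not in rule output")
```

Both outputs quoted in the posts are reproduced by the transforms and then found again by the rule pass, while a string that does not derive from a listed word is not. The strength of the result is therefore the strength of the base word plus a few bits for the choice of rule, which is how a practitioner should estimate any fixed-transform scheme.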
  • or -- God forbid -- have a security system that makes sense?

    The first person to suggest a system that both makes sense and is actually secure will be rich overnight. Don't ask for something if you don't know anyone who can provide it, and can't say how yourself. It's like whining that GM hasn't made a car that gets a bujillion miles per gallon and has pretzels for exhaust.
  • Anyway ... you know what this makes me do? Write it down somewhere. How secure is that?

    If you have an easy to guess password, anyone with an Internet connection is a threat. If you have a hard one (not guessed in one month) and have to write it down, the only people who could log in as you are people with physical access to your piece of paper.

    Yes, you do have a right to complain as that system seems to be a bit overkill, but writing down a hard password is infinitely better than having to use an easy one
  • After getting fed up with trying to think up clever, secure, mnemonic passwords every time an online service forced a change on me, I decided that all new passwords for every account everywhere would be a unique one: "ps waux | md5" ("ps -ef | md5sum" for you linux folk), truncated via cut(1) to whatever maximum password length.

    Next, I create a pgp-encrypted (symmetric -- with a good password) text file with the account info for all my accounts. I email that to my gmail account for online backup and to ha

    • I used to do something very similar until I got my Palm. Now I just use GNU Keyring [sourceforge.net] to store all my passwords, locked up behind a single strong password.
      • I really like that program. I also like that I can use Java Keyring [pipex.com] to open the file on Windows, and confirm that I'm making a good backup of the database.

        In my ideal world, there would be a port of it to the BlackBerry, as I carry that more than my Palm Pilot nowadays.

    • I use GPG as well, but I keep each password in a separate text file. That way, even if someone shoulder-surfs me, they can only see a single password.

      Most passwords that I use are randomly generated using a custom script that I wrote (a dictionary of 300k words combined with numbers, caps and symbols).
  • Write it down (Score:4, Insightful)

    by Wanker ( 17907 ) * on Monday June 12, 2006 @07:44PM (#15520563)
    Write it down somewhere. How secure is that?

    This is surprisingly secure, as long as you write it somewhere safe. Security pioneer Dorothy Denning does this, as do a number of other "security professionals". There are simply too many places a password is needed now to follow good security rules for all of them. The human-factor limitations lead to the obvious conclusions that people must either:
    • write down a password
    • store the password online
    • use the same password lots of different places
    • choose a really simple password

    Writing down a password is safe if nobody can get hold of what it's written on. Storing it online is pretty much just like writing it down, except there are opportunities to make it safer. There's really no safe way to use the same password lots of different places or a really simple password.

    Use a password generator to create some truly horrific 20-character monster and write it down. Keep that paper safe!
  • One time our CEO was in a meeting with clients, and she had to tell them the password so they could access a page on our website. She told me she was embarrassed having to tell them the password was "nachomama".

    She was lucky she didn't use the other password "sofakingwetodddid".

    That's how you ensure your passwords don't get around.
  • by J.J. ( 27067 ) on Monday June 12, 2006 @08:32PM (#15520793)
    1. Are you in a Windows domain?
      • if yes, is the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash set to 1?
      • if no, then your password is:
        • converted to uppercase,
        • truncated to 14 characters
        • stored in two seven-character halves that may be bruted independently -- single 2GHz system can brute the entire keyspace in about 90 days.

      • if NoLMHash is set to 1, then your password is stored as a relatively secure MD4 hash. resources to crack in a reasonable timeframe are significant.
      • either way, the complexity of your hash is actually irrelevant:
        • in any domain that still supports NTLM authentication (vice pure kerberos) you can use smbproxy [google.com] to authenticate with the hash, vice the password. w00t.
        • the hash is stored in the domain SAM and the local SAM, and may be dumped with pwdump [google.com], given administrator credentials
        • the password hash is also stored in a user's logon struct, down in ... winlogon.exe (?) -- that whole "single sign-on" thing. has to be somewhere.


    2. not in a windows domain? I'm not qualified to answer.


    so basically, passwords are irrelevant, but are a tangible element to everyone. so when the boss asks for better security, the IT admin implements greater password complexity, the boss notices because he has to type the damn password every day, and the IT admin gets kudos. because of course, if user convenience decreased, security obviously increased. yay.

    what is the value of having a complex password? it should be complex enough an attacker can not guess it. everything else relates to an attacker's ability to *crack* passwords, which is irrelevant in the world of windows these days. in a few years, NTLM will have died and kerberos will rule the day. then things might be different.

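The preprocessing steps the comment lists (uppercase, truncate to 14, split into two independently attackable 7-character halves) are enough on their own to show why the LM hash is weak. The Python below is an added example rather than the commenter's code: it models those steps and compares the worst-case guess count for the two halves with what a single hash over the whole 14 characters would cost. The DES step that turns each half into hash bytes is left out so the file runs with the standard library alone, and the 69-symbol LM character set is an assumption used for the arithmetic.

```python
"""LM-hash preprocessing and what the 7 + 7 split does to the search space.

Added example. Only the preprocessing is modelled; the DES encryption of a
fixed constant under each 7-byte half is omitted.
"""

LM_CHARSET_SIZE = 69   # A-Z, 0-9 and the printable symbols LM keeps (assumption)
NUL = b"\x00"


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Uppercase, truncate to 14 bytes, NUL-pad, split into two 7-byte keys.

    Own note, not from the comment: Windows 2000 and later store no LM hash
    at all for passwords longer than 14 characters, so the truncation
    modelled here applies to passwords of at most 14.
    """
    raw = password.upper().encode("ascii", "replace")[:14].ljust(14, NUL)
    return raw[:7], raw[7:]


def effective_length(half: bytes) -> int:
    """Characters the attacker actually has to find in this half; the
    right half of a 7-character-or-shorter password is all NULs."""
    return len(half.rstrip(NUL))


def guesses_to_exhaust(length: int, charset: int = LM_CHARSET_SIZE) -> int:
    """Worst case for an attacker searching lengths 0..length in order.

    Shorter halves are NUL-padded, so every length is a distinct set of
    hashes and all of them have to be covered."""
    return sum(charset ** n for n in range(length + 1))


def lm_attack_cost(password: str) -> dict:
    """Compare brute-forcing the two halves independently with a hypothetical
    single hash over the whole (uppercased, at most 14-character) password."""
    left, right = lm_halves(password)
    ll, rl = effective_length(left), effective_length(right)
    return {
        "left": left,
        "right": right,
        "left_effective_length": ll,
        "right_effective_length": rl,
        "left_guesses": guesses_to_exhaust(ll),
        "right_guesses": guesses_to_exhaust(rl),
        "split_total": guesses_to_exhaust(ll) + guesses_to_exhaust(rl),
        # an attacker on a single hash must search the full length
        "unsplit_total": guesses_to_exhaust(min(len(password), 14)),
        # the split bounds the work no matter how good the password is
        "split_ceiling": 2 * guesses_to_exhaust(7),
        "unsplit_ceiling": guesses_to_exhaust(14),
    }


if __name__ == "__main__":
    for pw in ["apple123", "apple12345", "Passw0rdPassw0rd"]:
        c = lm_attack_cost(pw)
        print(f"{pw!r}: halves {c['left']!r} {c['right']!r}, "
              f"split {c['split_total']:.3e} vs unsplit {c['unsplit_total']:.3e}")
    c = lm_attack_cost("x" * 14)
    print(f"ceiling: split {c['split_ceiling']:.3e} vs unsplit {c['unsplit_ceiling']:.3e}")
```

Two things fall out of the numbers. A 9- or 10-character password leaves a second half of only two or three characters, which is found in a few thousand guesses, and even the best 14-character password costs about 2 x 69^7 (roughly 1.5e13) guesses rather than 69^14, which is where the "90 days on one machine" figure in the comment comes from.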
  • You should keep a dollar folded up in a safe place in your wallet, and just use the serial number on it as your password.
  • Most people have responded with their experiences in keeping track of their passwords, but I was wondering if it would be possible to implement a system where the password expiry would be based on the complexity of your password. So when you enter your password, the system could analyse the length, number of repeated characters, digits, and symbols. Then with the complexity, it could calculate the expiry time. So people who have passwords of length 8-12 would have to change their passwords every month, t
    • Most people have responded with their experiences in keeping track of their passwords, but I was wondering if it would be possible to implement a system where the password expiry would be based on the complexity of your password.

      And as an attacker, if I could find out this information (knowing which accounts expire frequently), that would tell me which accounts to attack (due to having less complex passwords). Not outside the realm of possibility, however unlikely, and it provides information on the pas
  • Get a bloody SecurID token [wikipedia.org] (or similar) already.
  • We allow pretty insecure passwords, all things considered. "password,1" would be valid, for instance, because it's longer than 8 characters and has punctuation and a number.

    At the same time, we lockout after three unsuccessful attempts, and we don't allow password reuse for more than 2 years. So while the passwords tend to be on the simple side for the average user, the danger for brute forcing is nonexistent because of the low lockout.

    I myself believe in obscene passwords. "Strong" password validators ligh
    • So while the passwords tend to be on the simple side for the average user, the danger for brute forcing is nonexistent because of the low lockout.

      Assuming, of course, that you've analyzed all of the methods that the password could be used to make sure that they're not vulnerable to offline cracking attempts. Most things (like passwords sent over an SSL connection) are such that offline cracking attempts turn into offline cracking attempts on the underlying encryption, but some things (like WPA passphras
  • At my company, they have almost the same policy as yours - though not quite as restrictive. Strike one. Once, they had to migrate us all from one email server to another or change some startup script or something, so they called us all up and asked us what our passwords were. Strike two. About a week later, I found an Excel spreadsheet with every user's login name and password on the common "public" fileshare. Strike three...

    Though probably unethical, it was very interesting to see what everyone used as pas

  • Hashapass! (Score:2, Interesting)

    by the_mice ( 163224 )
    I've started using what I think is a great way to create what appear to be rather secure passwords that are easy to remember and recoverable (that's a highly qualified statement as I am in no way a security expert). Go to:

    http://www.hashapass.com/ [hashapass.com]

    and enter your "parameter" (e.g. "march2006") and "master password" (e.g. "mysecretpassword") and you get a password (e.g. "K0u4CUXG") generated from the two. Of course you still have to remember the password, but at least if you forget it you can recover it from
  • Once you sign up your thumb, you just swipe your thumb and you're logged in. With further swipes, you can make it remember passwords to various websites and the likes.

    So get a complex password, and put it in a piece of paper in your wallet. Then use the thumb device to 'remember' it and just use your thumb. It's faster than typing the password, and breaking it is currently hard (not enough hacker culture knowledge out there to break it quickly).

    My friend spent a little while yesterday trying to break it and f
  • by patio11 ( 857072 ) on Monday June 12, 2006 @10:25PM (#15521268)
    They're easy to remember and extremely difficult to brute force. Just tell your users "Write a snippet of something which is meaningful to you". We can all type at 30+ words a minute so entering a 30 character password in natural English (perhaps without spaces) goes surprisingly fast. For example, supposing I liked classical literature, I could use socaesarmaythenlesthemayprevent (this is part of Brutus' soliloquy in Act 2 Scene 1 of Julius Caesar, which I had to memorize way back in high school). If you want to be reaaaaally anal you can obfuscate it a bit (l33tify, what have you). There is no convenient dictionary of "meaningful phrases in English" out there, although I suppose it would be somewhat less than secure if someone were able to find out you were, e.g., a Star Trek fan. And they're guaranteed to be easy to remember -- humans are a lot better at remembering natural language they have an emotional connection to than remembering arbitrary alphanumeric strings. In fairness, I stole this tip from a Slashdot discussion about a year back sparked by advice from Microsoft, and have been using ridiculously long passphrases since for all my "if that breaks, I'm "#$"#"#$%ed" logins (I still go with crazy insecure for trivial things like my slashdot login). I've got about 12 of them at the moment and have no problems with remembering them and changing with the security policy, whereas beforehand I had a discreet post-it.
  • People won't brute force your 96 bit passwords, but that doesn't make you secure. I'm betting you have plenty of bigger security problems that have been ignored/overlooked.
  • Passwords suck (Score:3, Insightful)

    by RzUpAnmsCwrds ( 262647 ) on Monday June 12, 2006 @11:21PM (#15521512)
    Passwords suck. They always have, and they always will. Unlike smartcards, they don't protect against man-in-the-middle attacks. They are easy to forget, easy to guess (in many cases), and, with a bit of social engineering, easy to steal. Many sites (Slashdot included) don't even bother to use SSL for logins. That's just sloppy.
  • Having just gone through this, I can commiserate. We have to change passwords every 6 months. Here are the criteria:

    at least 8 characters
    both upper and lower case letters
    at least one number or symbol
    can't contain a dictionary word of 4 characters or longer
    none of your last 6 passwords
    not any account name
    no date or year
    no sequentially repeating characters
    no space, editing, field-separator or quote marks
    no letters in forward/reverse alphabetic sequence
    no letters in forward/reverse keyboard pattern
    no diction
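The criteria listed above, together with the looser bar described earlier in the thread (longer than 8 characters with a digit and punctuation, which admits "password,1"), can be written out as checks and compared on the same inputs. The Python below is an added example, not code from either poster: the small dictionary, the keyboard rows and the sample passwords are constructed here, and the history check uses SHA-256 only as a stand-in for whatever verifier a real directory service stores.

```python
"""A checker for the listed criteria beside the looser "longer than 8,
punctuation and a number" bar.

Added example. DICTIONARY, KEYBOARD_ROWS and all sample inputs are
constructed; verifier() is a demo stand-in, not a real stored hash format.
"""
import hashlib
import re

KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
# space, editing, field-separator and quote marks
FORBIDDEN = set(" \t\n\r\"'`,;|\\")
# Constructed stand-in for a real word list.
DICTIONARY = {"password", "apple", "nacho", "mama", "slashdot",
              "telecom", "monkey", "summer", "june", "frank"}
MIN_DICT_WORD = 4


def verifier(pw: str) -> str:
    """Demo stand-in for the stored history verifier."""
    return hashlib.sha256(pw.encode()).hexdigest()


def has_sequence(pw: str, ordering: str, n: int = 3) -> bool:
    """True if any n consecutive characters of pw run forwards or backwards
    along `ordering` (the alphabet or one keyboard row)."""
    s = pw.lower()
    return any(s[i:i + n] in ordering or s[i:i + n] in ordering[::-1]
               for i in range(len(s) - n + 1))


def naive_policy(pw: str) -> list[str]:
    """The looser bar: more than 8 characters, a digit, and punctuation."""
    problems = []
    if len(pw) <= 8:
        problems.append("not longer than 8 characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(not c.isalnum() for c in pw):
        problems.append("no punctuation")
    return problems


def full_policy(pw: str, account_names=(), history=(), dictionary=DICTIONARY) -> list[str]:
    """Return every listed criterion the password violates (empty = accepted)."""
    problems = []
    lowered = pw.lower()
    letters_only = "".join(c for c in lowered if c.isalpha())
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper and lower case")
    if not any(c.isdigit() or not c.isalnum() for c in pw):
        problems.append("needs a number or symbol")
    for word in sorted(dictionary):   # also catches words split by symbols
        if len(word) >= MIN_DICT_WORD and (word in lowered or word in letters_only):
            problems.append(f"contains dictionary word {word!r}")
            break
    if verifier(pw) in set(history):
        problems.append("matches one of the previous passwords")
    for name in account_names:
        if name and name.lower() in lowered:
            problems.append(f"contains account name {name!r}")
    if re.search(r"(19|20)\d\d|\b\d{1,2}[/.-]\d{1,2}\b", pw):
        problems.append("contains a date or year")
    if any(a == b for a, b in zip(pw, pw[1:])):
        problems.append("repeats a character consecutively")
    if set(pw) & FORBIDDEN:
        problems.append("contains space, separator or quote characters")
    if has_sequence(pw, ALPHABET):
        problems.append("letters in alphabetic sequence")
    if any(has_sequence(pw, row) for row in KEYBOARD_ROWS):
        problems.append("keyboard pattern")
    return problems


if __name__ == "__main__":
    for pw in ["password,1", "Asdf1234", "Vq7#mZ2!kP"]:
        print(f"{pw!r}: naive={naive_policy(pw)} full={full_policy(pw)}")
```

On "password,1" naive_policy returns no problems while full_policy rejects it for the dictionary word, the comma, the doubled s and the missing upper case; "Vq7#mZ2!kP" passes every listed criterion. The dictionary and pattern checks are where such policies differ most in practice, since a complexity rule alone cannot tell "password,1" from a random string of the same shape.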
    • Lucky you. At least you know what the criteria are. It is not unusual that there is no documented policy, or if there is one, that it doesn't match the configured policy. Better yet, you might have several accounts with conflicting password policies (e.g. one has min n characters, another max n-1 characters.)

      My idea of a convenient and secure solution is a smart card based USB token with a PIN code. Unfortunately, from the management point of view, forcing employees to memorize 16 character passwords each

  • I'm hoping you're not using Windows. I happened upon a nice little tool that allows me to blank all Windows passwords under 2K/XP (must be using the NTFS file system, however) if you give me physical access to the computer.

    Gain access to PC
    Blank all passwords
    Tell someone
    ???
    Profit!
  • Even remembering a password that changes every month isn't too bad. But remembering 50 passwords that have different rules, and have to be changed at different intervals is almost impossible.
