Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Privacy

Crappy Passwords Very Common 452

KeatonMill writes "CNN released this story about passwords. Apparently, a group of UK psychologists did a study about password selection, and found that many passwords can be guessed if access to the subject's desk is allowed (the article gives an example of sports memoribilia representing sports-related passwords). According to the study, 50 percent of people use names of family members or pets as passwords."
This discussion has been archived. No new comments can be posted.

Crappy Passwords Very Common

Comments Filter:
  • Number Theory (Score:3, Interesting)

    by ffatTony ( 63354 ) on Saturday March 16, 2002 @12:44PM (#3173509)

    I've had good luck guessing passwords using the method of adding a number to the user's name: e.g. someGuy's password is probably someguy[0-9]+[0-9]*

  • Biometrics... (Score:3, Interesting)

    by MosesJones ( 55544 ) on Saturday March 16, 2002 @12:45PM (#3173510) Homepage

    What this is saying is that if you know something of the person you can work out what they will say. This is always going to be the case until it is something actually unique for the person (fingerprint, iris etc). While we all _know_ that we should have passwords like "sdf987*(&^JJHASBDjkasdjkh231*()&as" and every account should have a different one it tends to be simpler to use something you can remember easily.

    So this isn't a suprise, and its what the Biometrics people have been saying for years.

    • Actually the example you give may not be the best passwords. Many people use brute force and almost all of them use a dictionary. There are a few that don't (they go through each an every possibility) and those ones pose a problem.
      Sequential password generate (aaa, aab, aac, aad...) pose problems as the generated password may occur much sooner than thought. The time taken decreases exponentially if the first few characters (either direction) are closer to the beginning of the alphabet.
    • by Walter Bell ( 535520 ) <wcbell@bel l a n d h o r o witz.com> on Saturday March 16, 2002 @12:54PM (#3173563) Homepage
      ...is that, although biometrics will generate a nice password like "sdf987*(&^JJHASBDjkasdjkh231*()&as" that nobody could ever guess, the problem of a replay attack is undeniable. That is, once somebody can obtain your biometric hash through the use of a rogue thumbprint scanner, there's no way (by definition) that you'll ever be able to change it to something different and make it secure again. And that is why putting biometric scanners on personal PCs with insecure Micro$oft operating systems opens the door quite wide to identity theft.

      The best authentication schemes involve something you know (a PIN or password) and something you have (a smartcard, RSA key fob, or some other device that implements a challenge/response system to authentication queries).

      ~wally

      • So, why can't individual biometric devices also have a key, and only 'trusted' scanners are allowed to communicate?

        Doesn't that solve your 'replay attack' scenario?

        -Jerdenn

      • Why does the OS make a difference? Would your favorite be OS immune to rogue thumbprint scanners? And why would putting a biometric scanner on an OS that is already wide open to identity theft (e.g. Win9x) make a difference?

        I wholly agree that two-factor authentication (something you have & know) is the way to go, but some of the hardware used can be vulnerable as well. Say for instance that you have an RSA key on a smartcard that has its own encryption. Now say that someone figures out how to sniff the key from the card via RF emissions. Poof. You are now vulnerable to having your identity stolen. ISTR reading a research paper that indicated hardware tokens were not as secure as advertised, although at the end of the day two-factor authetication is still better than one.

      • Windows stores passwords in a one-way hashed form, and cannot be recovered. They are, as i recall, base 64 encoded when transmitted when you logon, if logging on remotely. But other than that tokens are passed between the computers to continue your authentication within the domain.

        I dont know if it uses a nonce, however, and if that nonce is unique to the computer.

    • Re:Biometrics... (Score:5, Insightful)

      by BeBoxer ( 14448 ) on Saturday March 16, 2002 @01:46PM (#3173823)
      The problem with biometrics as passwords is that they can still be obtained via other methods such as password sniffing and they can't be changed. So by themselves, they are even worse than regular passwords.

      Let's look at the "obvious" method of using say fingerprints as passwords. A print scanner on your keyboard scans your print into some sort of unique id. When you want to log in to some service, the keyboard sends your username along with your print id in lieu of a regular password. The service checks your username and print in it's database and decides whether or not to grant access. The problem with this type of setup is that every service you use has the ability to impersonate you to every other service you use. Not a good idea at all. This is the same fundamental flaw credit cards have. Every vendor you do business with has the ability to impersonate you to every other vendor who accepts your type of credit card. Hence all the fraud. But at least with credit cards you can get a new number if someone starts abusing it.

      Really, the only way to do authentication that doesn't suffer from this flaw is to ue a public-key based method. It's absolute insanity to start sending your fingerprint everywhere and using it as an ID. Absolutely the dumbest way of doing authentication online I can think of. Which is not to say that biometrics don't have their place at all. It can be used in very limited means inside of closed systems and provide a reasonable increase in security. I think where this will end up is that we will each have a small portable hardware device which can do secure public-key based authentication for us. A fingerprint can be used to authenticate us to our hardware token. Since the fingerprint never has to leave the token, it isn't nearly as vulnerable to being stolen. Imagine an ATM card which has a small number pad on it. You type the amount you want to withdraw into your ATM card which scans your prints as you type the amount in. Then, you insert the card into the ATM machine and the card securely authorizes a withdrawal in the amount you entered. This authorization protocol can be public and standardized without any loss of security. Your fingerprint never leaves the card so isn't vulnerable to theft.

      Note that there are companies now selling the keyboard-style scanners. In my opinion, these are nothing but snake oil. From looking thru the descriptions of the available products, all of the ones I've found appear to be transmitting a fingerprint 'hash' to an authentication database. It's not hard to imagine software hacks which can record the fingerprint info as it comes in off the USB or parallel port and later replay that information to spoof users. While some hackers might still be guessing passwords, a lot are now using software to grab passwords either off the network or off the keyboard. Fingerprint scanners do nothing to prevent this type of hack except make it impossible to change the password after it's been stolen. So not only are you still vulnerable, your options for correcting the problem after the hack are drastically reduced.

      Inside of a corporate environment where all hardware and software installations are tightly controlled, there might be some value. But it's not a general purpose authentication technique. Every terminal you use will gain the ability to impersonate you, and every server you log into will gain the ability to impersonate you. Which is the case now, but I don't use the same password for Slashdot that I use for my shell accounts. And I don't log into my shell accounts from computers I have no reason to trust (such as at a cyber cafe.) If everyone is using biometrics, then the services you trust least (like Slashdot say) has the information they need to impersonate you to the places you trust most (your bank, your shell accounts at work, etc.) When I say 'trust', I'm probably using the wrong word. What I mean is I don't really care very much if someone steals my Slashdot password. It's not a big deal. I do care of someone steals my work passwords, or online banking passwords. I would never use the same password both places which is exactly what biometrics force me to do.
  • by bwulf ( 325 ) on Saturday March 16, 2002 @12:45PM (#3173511)
    ... water found to be wet[1], sky found to be blue, Earth found to be round[2] and CNN found to be obvious.

    [1] at certain temperatures
    [2] well, almost
    • Back in '91 and '92, I was a junior sysprog on a mainframe system running two different OS's. The security systems (at the time) didn't talk to each other, but the users wanted to have a single password for everything. The result was an ugly kludge (that I got to maintain since I was most junior) and this allowed me to see the day's before/after password change file. 750 or so users, and there were at least a 200 or so that referenced John Elway and/or the Broncos (this was in Denver), another 100 or so that went path of least resistance (AAAAAA1, AAAAAA2, etc.), a couple dozen that used NCC1701, NCC1701A, etc. etc.

      Not only is this story obvious, it's seriously dated. Stupid/obvious passwords have probably been around as long as there have been passwords...

  • Best password ever (Score:3, Interesting)

    by Apreche ( 239272 ) on Saturday March 16, 2002 @12:45PM (#3173515) Homepage Journal
    The best password ever is one my friend has. He took the name of a family pet, just like an idiot would. But then he encrypted it with 4096 RSA PGP and the passphrase was his favorite saying. The 15th through 23rd characters where his password. And after he told me this, he changed it. Because he changes his PGP keys every week.

    If you are one of these people who has a stupid password, you deserve what you get.

    I'm going to get the book of petnames now and write a brute force hack into paypal, wee! My money problems are solved. I don't do stuff like that, but someone should. Send all the money to me that is.
    • by ergo98 ( 9391 ) on Saturday March 16, 2002 @01:02PM (#3173616) Homepage Journal

      He took the name of a family pet, just like an idiot would. But then he encrypted it with 4096 RSA PGP and the passphrase was his favorite saying. The 15th through 23rd characters where his password

      That sounds like an interesting way of making a password a failsafe (i.e. you would be able to recover it if you forgot the special sequence of characters, and the password becomes not only the code sequence but also the process. i.e. A prehashing of hashing. An interesting scenario would be to say "my password is always WEAKPASSWORD but for each service I'll hash it through SHA1 with the service name, and I'll use characters 10-15 in hex form as my password"). I use strong passwords (bogus words, numbers and punctuations), yet one way in which my passwords are weak is that I don't prescribe to best practices for changing passwords regularly. Why? Because I've forgotten so many passwords that I'm cynical about the reality of password changing best practices...recently I was thankful that my FreeBSD box has the single user local mode (without physical security there is no security) that lets you supercede the security systems because it'd gone unmanaged for so long that I'd forgotten among the hundreds of passwords out there. I truly believe that if users are forced to regularly change passwords then they a) write it down, b) use weak passwords so they don't forget for the short period that they have to use it, c) they use the same password on many different services. I believe that c is very common, and if you analyzed people's ICQ, Hotmail, Slashdot, computer, domain, etc passwords you would find some pretty common correlations.

      And after he told me this, he changed it. Because he changes his PGP keys every week.

      He changes PGP keys every week? How do people that have to keep importing his public key feel about this? (Personally I'd have long refused to both importing a new key each week).

    • "I'm going to get the book of petnames now and write a brute force hack into paypal, wee! "

      Okay, now we're getting into people coming up with stupid names for their pets.

      The other dogs aren't going to pick on your dog for having a silly name, ya know.

    • If he thinks it necessary to change his PGP key every week, I might imagine he hasn't heard of (or simply doesn't understand) the PGP Web of Trust.

      Oh, and the main property of a good password is randomness and non-predictability. It doesn't really matter *how* securely he thinks he generated it, but if the output happens to be coincidentally weak you've not gained anything.

      Oh? My password? It's five digits from pi, starting with the 49702th digit.

    • by ruvreve ( 216004 )
      If you are one of these people who has a stupid password, you deserve what you get.

      The problem is that most of the people that have 'easy' passwords are not the ones that are affected. In a corporate environment if somebody hacks into the system using an easy password its the IT departments fault and problem. HOW COULD THEY LET THIS HAPPEN! I don't care if the person wrote the password on the screen in white-out you should have stopped this hacker. You are FIRED! Meanwhile the bonehead who did it continues to do it. That is why the circle was invented, to graphically illustrate this very example :)

    • Because he [my friend] changes his PGP keys every week.

      Wow - every week, huh? Does your friend wear a tinfoil hat and worry about Major League Baseball spying on him with a satellite, too?
  • by TandyMasterControl ( 136043 ) on Saturday March 16, 2002 @12:46PM (#3173517) Homepage
    If you have access to a person's desk like the study stipulates, you have probably a 1 in 3 chance of finding the password written down somewhere.

    • Heh. When I *have* to write passwords down (I've got at least 20 completely different work-related passwords that I use maybe once a week if I'm lucky, and then they change in 6 weeks) I never write down the actual usernames. Now, all the really important and immediately obvious accounts are memorized because I use them a lot, so these aren't going to be easy to find accounts for.
  • It's written in all the study books I have been reading about. Most people will use their first name, the name of their pet or their birthdate in the password field. Only recently, you start to see smart software that refuses to accept this type of entries. What would be neat is a global password database where all the passwords that have been entered are stored as MD5, and each new password entered is checked agains the digest form to see if it matches, and if it does is refused. The dictionary words and common words should all be part of this database as a starter.

    PPA, the girl next door.
  • A cracker friend of mine noted this way back in 1983. Another interesting tidbit: back then, at least, a fairly high percentage of admins used "god" for the root password.
  • My desk... (Score:2, Funny)

    by Evangelion ( 2145 )

    ... is usually a fucking nightmare. Good luck trying to guess anything by it.

    [ note to self -- 3mptyC0k3C4n is not a good enough password anymore ]
  • Has to be crappy. (Score:5, Insightful)

    by Account 10 ( 565119 ) on Saturday March 16, 2002 @12:47PM (#3173526)
    The password policy where I work is 10 characters, mix of upper and lowercase, at least 1 non-alphabetic, expires every 6 weeks. So of course I write it down (indirectly) or put it in "logon.bat".
    Because of Windows' stupid caching, I already have to phone the helpdesk every 6 weeks to get my account unlocked when windows somewhere decides to try my old password 5 times in succession.
    • Actually its not windows using your old password, its a good way for someone to lock your account out and make you call IT and waste a few hours.

      Try this on your boss every day, make them hate IT as much as you. (-;
      • Try this on your boss every day, make them hate IT as much as you. (-;

        /RANT ON

        Make them hate IT as much as [they hate] you? You can't even remember your password and now you want to get the poor IT staff in trouble? Thanks a lot.

        I LOVE folks like you. You're the one with the 30 GB of mp3s on the server, the collection of screensavers on your desktop machine, and the Zip disk you swore would be used "only for work files, really."

        You, Sir or Madam, put the "L" in user!

        /RANT OFF

        Whew, that felt good. Who needs Karma, anyway ...

    • Sign of incompetence (Score:3, Interesting)

      by coyote-san ( 38515 )
      That policy is a sign of incompetence in the IT department.

      If strong passwords are used, they should long expiration periods. It's not unreasonable to memorize a truly random password if you only have to do it once a year. If passwords are expiring every six weeks, you *have* to write it down (on a card in your wallet, on your PDA or celphone, etc.) because it's impossible to remember them otherwise.

      Another good trick is to generate a list of a few dozen candidates and look for one with good "muscle memory." E.g., my main password now has a pattern of L-RR^-LL^-LRL where ^ means it's a key "straight above" the last key.
  • by jwinter1 ( 147688 ) on Saturday March 16, 2002 @12:50PM (#3173539) Homepage
    My password is and always has been newline, newline, newline.

    Gets me logged in quick, and noone seems to be able to guess those last two characters.
  • by defile ( 1059 ) on Saturday March 16, 2002 @12:50PM (#3173541) Homepage Journal

    I went to my bank the other day to assign a PIN to my ATM card. For this you need to sit down with a bank person at their desk. Just to be a pain in the ass, I asked her how many numbers I could enter (it's 7). She said 4. I entered 7 and it took.

    Then she went "How do you remember 7 numbers?" and I said "The same way I'd remember 4 numbers. It's not like remembering yet another set of numbers is going to be hard--I've memorized the passwords of at least 20 other services".

    To which the lady at the bank said "See, the best way is to just use the same password for EVERYTHING. This way you only need to remember one!"

    • by oo7tushar ( 311912 ) <slash.@tushar.cx> on Saturday March 16, 2002 @12:56PM (#3173579) Homepage
      The reason you want to enter 4 is because a lot of old systems only supported 4. They were trying to make you backwards compatible.
      But you raise an interesting point, passwords used to be the domain of the l33t (5, 10 years ago), but now everybody uses computers and they aren't as proficient. They can type, they can message but they don't understand computer security, for them the net is still their computer and the most secure box on the planet, why? because it's in their home.
      • The reason you want to enter 4 is because a lot of old systems only supported 4. They were trying to make you backwards compatible.

        If I plan on travelling to Europe I'll change it. It hasn't affected me otherwise.

    • And as it turns out, research shows that 7 is the max number of digits easily remembered by subjects in studies of short-term memory. Short-term memory is, of course, the pathway one generally needs to traverse to produce long-term memories.


      As for passwords, I have a handful of nondictionary "words" that I recycle with variations (replacing this or that letter with special characters or numbers). Thus, though I have a base of perhaps 5 passwords, with the variations it becomes more along the lines of 15 to 20. The main problem I have is that most of my passwords have to be replaced once a month. It IS easy for people to forget passwords when they have to be long, contain "weird" characters, and change every 30 days or so. I don't know what the best answer to this is but it is a difficulty people have. I see MANY coworkers writing their new password on sticky notes which then go somewhere in or on their desks (mine goes in my fanny pack which never leaves my side - until I get the password down cold, then it is trashed).

      • And as it turns out, research shows that 7 is the max number of digits easily remembered by subjects in studies of short-term memory. Short-term memory is, of course, the pathway one generally needs to traverse to produce long-term memories.

        Telephone numbers are seven digits. But they used to be only six digits, which means that the telephone company probably didn't do this study to figure out how many digits to use.

        I bet if we used 8 digit phone numbers for 30 years they'd be able to remember 8 digits without problem. :)

      • If you don't think about the digits as separate numbers, you can easily remember more than 7. Groups of two are easiest, I think (probably due to all the practice most people get through combination locks), unless there is an easy-to-remember pattern in the digits.
  • Passwords.. (Score:5, Insightful)

    by bje2 ( 533276 ) on Saturday March 16, 2002 @12:50PM (#3173542)

    you know what my problem is??? i have dozens and dozens of passwords to remember...i have my work computer, my work e-mail, my home computer, my 2 home e-mail accounts, eBay, Slashdot, IM, etc...it's just too many passwords to remember...

    because of that, i've fallen into a bad rut for my passwords, i only have like three that i use on a regular basis, and i just reuse them whenever i register for a new account...don't get me wrong, i know that's a terrible thing to do...but i just can't bother myself to rememeber more and more passwords...god forbid someone found one out...

    does anyone have any tips for things they do, or products they use to keep track of their dozens and dozens of passwords...?

    ...that said, i think i'll go change my slashdot password...
    • I do the same I thing I do with email addresses, one for 'serious' things, and one that I can throw away on worthless websites, etc. etc.

      My banking, insurance, and other important stuff I use the serious password, and everything else gets the lame one, which I never change.

    • I do the same thing, at least for internet services I don't really care to much about. I'll use the same, really stupid, password for things like audiogalaxy and other services where I don't really care if my 'account' gets 'hacked'. To log into my provider's network, however, I have a fairly decent password.

      I don't think this is a terribly stupid thing to do, just convenient is all.
    • Re:Passwords.. (Score:3, Insightful)

      by Remus ( 70051 )
      I was in the same situation and decided that neither using only a few passwords nor trying to memorize >= 10 passwords is a really good idea. So I started using Keyring for PalmOS [sourceforge.net] on my Palm. It even generates random passwords for me (useful for all those web accounts) and I only have to remember one master password.

      Passwords that I use regularly stick after a while anyway.

      Remus
    • A friend of mine has a clever technique for generating unique passwords to sign on to various online services.

      Hence, his passwords are "AOLsucks", "EBAYsucks",...

    • If you carry a Palm device, like me, I've discovered a really neat program.

      Keyring. [sourceforge.net]

      It's a program that is password protected and allows you to keep track of your passwords on your palm...
    • You can get at least a little bit more secure by using MD5. Pick a master password - a really good master password. Something relatively long, that you've never used before. Something that you'll never forget. Now, find a javascript MD5 site. here [geocities.com]'s one. Type your master password in, and then type in the name of the site (all into the "Enter your message:"). Hit "run MD5". There's your password. Use the first 8 characters, or the last 8 characters, or something like that. The two advantages of this solution is that 1) you only have to memorize one password and 2) no one has your master password except you (and anyone looking over your shoulder). I wouldn't suggest using this technique for your really important passwords, but it's good enough for the medium important ones.
    • does anyone have any tips for things they do, or products they use to keep track of their dozens and dozens of passwords...?

      Use Microsoft(R) Passport(tm).
  • by seldolivaw ( 179178 ) <me@@@seldo...com> on Saturday March 16, 2002 @12:51PM (#3173543) Homepage
    I realised this the moment the team leader of our software development project -- a woman who is about to graduate with a *degree* in *computer science* revealed that her password for nearly everything was her name, spelt backwards. *D'oh!*
  • Hey, the Brunching Shuttlecocks just published an article relevant to this one: The Twelve Least Surprising AP Headlines [brunching.com].
  • From Jakob Neilsen's UseIt [useit.com] column on usability and the Internet, comes this column on Security and Human Factors. [mondosearch.com] His summary:

    A big lie of computer security is that security improves as password complexity increases. In reality, users simply write down difficult passwords, leaving the system vulnerable. Security is better increased by designing for how people actually behave.


    Sysadmins are fond of forcing users to use complex passwords. What happens then is that the user writes the password on a yellow adhesive note and sticks it on the monitor. Better to let the user use the first password that comes to mind, with possible gentle restrictions like no dictionary words, so that the user can hold the password in his or her head without writing it down -- or putting it in a "Passwords" file on the hard drive. How many theives really look up biographical information on computer users and find out all the names of their family members?
  • by EricKrout.com ( 559698 ) on Saturday March 16, 2002 @12:53PM (#3173560) Homepage
    The best way to think of a password is to conjure up a phrase that's random, but easy to memorize. Then, just use the first letter of each word as your password.

    For example, if you're told to pick a password with at least six characters, you could randomly come up with: Dubya Doesn't Know A Goddamn Thing

    Then, you'll have a good, random password (ddkagt) and you'll remember it, too.

    If there are other restrictions (you need numbers, mix of upper/lower cases), just adjust your random phrase to coincide.

    m o n o l i n u x :: Imagine There's No Windows(tm). It's Easy If You Try. [monolinux.com]
  • Back in '94 when I took over as network admin for the stockbrokerage I worked for the only joy I found in the job was guessing passwords. I could usually do it on the first guess. A tip here is if it's not in the roledex under "password" then it's in the pictures on the desk. This is especially true if the only picture on the desk is the guy's sailboat.
  • I'm not surprised (Score:2, Informative)

    by Sits ( 117492 )
    Passwords often have to be at least 6 characters long which is just about the largest thing that people will be able to memorise. Often, drachonian admins force people to change their passwords every few months forcing users to commit yet another password to memory so they end up using things that they already know well as passwords. At least the people wern't writing them down on post it notes (even if they were doing the next worst thing). Jakob Nielsen wrote a bit about this in Security and Human Factors [useit.com].

    I remember reading about how one of the most popular passwords in the 80s was fred because it was easy to remember and all four keys were close together.
  • ...or they can be handed over to you voluentarily, if you say you're doing research on passwords. :-P
  • by Anonymous Coward
    This is the typical crap about passwords that gets handed around. PGP encoding and changing passwords weekly. As if. Looking at the number of sites I have passwords to, it numbers something like 60. People want usable computers not sophisticated mnemonics.

    Not that I always agree with him but this article is ideal:

    http://www.asktog.com/columns/026Security.html

    Time to accept that this is the reality of existence. You will never get people to memorize hundreds of passwords. I've seen businesses lose tons of money because they require cryptic passwords and the user moves on to the competitor.

    BTW the password nightmare is currently handing M$ a big victory in Passport. God knows I would love to have a single password...
  • by r00tarded ( 553054 ) on Saturday March 16, 2002 @12:59PM (#3173604)
    greg: whats your password?
    user: asterisk-asterisk-asterisk-asterisk-asterisk-aster isk-asterisk-asterisk
    greg: !?
    user: you cant tell if im really stupid or really smart can you?
  • Maybe if people only had to remember a few passwords they wouldn't pick such easy passwords. But the fact is EVERY DAMN SITE REQUIRES YOU TO REGISTER.
  • by Servo5678 ( 468237 ) on Saturday March 16, 2002 @01:00PM (#3173609)
    Back when I was helping out a friend of mine (and die-hard Star Trek fan) setup his first computer, I told him to pick a password. What'd he come up with? Of course: "enterprise".

    I told him that was too easy to guess and that he should use numbers in it somewhere, too. Which of course led to "enterprise1701".

    *sigh*

  • Neat (Score:5, Informative)

    by EricKrout.com ( 559698 ) on Saturday March 16, 2002 @01:01PM (#3173613) Homepage
    I just did a bit more research on something that I just posted and found this page [aber.ac.uk].

    With each page load, 20 random passwords are created. That's useful, but it goes one step further and conjures up a reasonable phrase to coincide with each random password.

    It even includes non-alpha characters!

    This may seem fairly lame and trivial (it could probably be written in 10 minutes by a PHP ace), but considering the astonishing number of people who have horribly easy-to-guess passwords, it's a good resource.

    m o n o l i n u x :: One Kernel To Rule Them All! [monolinux.com]
  • more bad passwords? (Score:2, Interesting)

    by thogard ( 43403 )
    I ran a password sniffer like program when I worked for the USDA.
    We had a system that required at least one non-alpha in the password.
    The result was 50% of people picked eagle1.
    I've got a friend that claims his list of 50 passwords will get him into just about any system anywhere. Since he's had run ins with both the NSA and AT&T, I think he might be right.
  • by XBL ( 305578 ) on Saturday March 16, 2002 @01:03PM (#3173625)
    I can have an invisible password! It even logs me in like magic! Therefore, its better than Linux.
  • I have a grand total of about 5 passwords; these range from crappy throwaway ones ("what, you want me to have an account before I can download? blegh, 12345") to semirandom alphanumerics; all I do is mix them (123zas2de8rt456), mix case (zAs2D*ert123456), and come up with a new password every so often to throw into the mix.

    This has the advantage of being quite scalable (root password: mix of two longer random alphanumerics with two mixed case variations -> simple shapes on KB for Fileplanet), easy to remember (every login is based on a known set of passwords and a few rules), and reasonably secure provided you don't pick obvious password fragments and use stronger ones on important accounts.

    Of course, since 99% of my logins are done using a few RSA keys most of this is pretty irrelevent. If only I could use RSA auth on all those fscking websites..
  • by Anonymous Coward
    The problem is that there are a lot of authentication routines that limit users to 8 characters, etc. so you need a word or short combination of characters.

    If more software could use long pass-phrase type authentication and just hash it to a manageable size, security could be improved.

    Rather than having a simple "gone4fshn" or something as a password, you could set something more intelligible like "i like to go fishing on (some) river" which is easy to remember, easy to type, but too lengthy to bruteforce.

    Just a thought.
  • In high school, a friend of mine has "hoyas" as his password for the school network. Another friend guessed this easily when we were talking outside the computer lab one day. He looked the guy up and down. Then he bolted into the lab and the idiot ran into the lab after him, both of them racing to change his password.

    Of course, my retarded friend was wearing a Georgetown hat, and a georgetown Tshirt.

    Duh.

    And with regard to pets....whenever someone asked what they should set their password to, I would always tell them, "use the name of a DEAD pet." Much harder to guess than a living one. Especially if it's long dead.

  • I have a bunch of friends from college, who got hotmail accounts after they graduated when the university cancelled their e-mail accounts. Their favorite net activity is cracking in to a hotmail account of someone we know and impersonating them. Hotmail has a security question which asks questions that only the specific user would know such as "What is the name of my CAT?" This is great for attackers who don't know you personally but what about the perspective intruders who do know you personally?

    My solution is not to use hotmail although there is no reason for me to use hotmail in the first place, but I have so many non-techie friends who love hotmail and will never switch.

  • I'm currently running a network for about 60 people.

    I constantly bump into people whose passwords are "Password", "Password2", the name of the company, their own name, etc.

    Part of me wants to force them to use complex passwords. And part of me knows that if I did, I'd spend my whole time resetting passwords for people.

    When we got the new printer/copiers in, they had protection on them, so everyone got a 4 digit user id, and a 4 digit password, to retrieve their prints when they got to the printer. They were told that printing would be monitored and charged to their departments, and that they should keep their passwords secret.

    I wandered around a week later, and over half of them had little yellow post-its on their monitors, with their id/passwords on them. Because, for some reason, people can't remember an 8 digit number unless it's a phone number.
  • In Cliff Stoll's book "The Cuckoo's Egg" (it's about his experience as an astronomer/sysadmin chasing a cracker in the mid 80s), you get an entertaining window back into a very different era in computer security...and yet perhaps it wasn't all that different. At one point Stoll mentions changing the root password on a machine to something like "basilisk", because no one would ever think of trying the name of a mythological creature as a system password. =)

    My own favorite piece of password advice came from the "Unix Handbook" that my university passed out to incoming students...a line in big, bold text:

    Do not choose a password that is even remotely related to Star Trek of Monty Python.

  • Epasswd (Score:4, Insightful)

    by jhunsake ( 81920 ) on Saturday March 16, 2002 @01:11PM (#3173664) Journal
    Enforce password conventions the way NASA does... Epasswd [nasa.gov]
    • Re:Epasswd (Score:3, Interesting)

      by pmc ( 40532 )
      Enforce password conventions the way NASA does

      Hmm - not too bad an application. Users will write them down if they are too complex; that is the difference between strong and effective.

      The policy I came up with at my last company was minimum of 6 characters, not like your name, must start and end with a letter, and must contain a non-letter. This got the success rate of lophtcrack with multilingual dictionaries down from 80%+ to about 4% on hybrid scan. This was enforced by Password policy enforcer [tpis.com.au] (a company I have no connection with except as a satisfied customer), which has slightly better functionality than epasswd.
      • Enforce password conventions the way NASA does... "Epasswd differs from the vendor's password programs in that it enforces strict password construction requirements which include a minimum number of numeric, special, lower, and upper case characters as well as the min and max password length. [...] Passwords that have been changed using epasswd have withstood processing by the Crack 5.0 release which is a publicly available password cracking application"

      Unless you've got physical access to the machine, in which case you can just find it on the PostIt note stuck to the monitor.

      Honest to god, who actually runs dictionary attacks on passwords for hostile purposes in the real world? Really, who? Examples?

      My own experience with my company is that requiring a mixed alphanumeric, timing it out, and disallowing the previous 9 passwords just leads to me using "[usualpassword]0-9". Combine that with Window's lovely trick of expiring your network passwords on the server because you haven't logged your machine out for two weeks (no, really), and you get a royal pain in the ass for both users and tech support, and zero extra security, because it's an intranet password, and anybody who's in a position to enter it could just pick up my machine instead.

  • A good password is not necessarily one that is random characters. In my experience, an easy to remember one that is difficult to crack involves building one from common terms.

    Let's take for example a Hitchiker's Guide to the Galaxy theme.
    Take a 2 syllable word, say "zaphod"
    Take a number, of course "42"
    Put the number between the syllables word: zaph42od. It is still pronouncable, and you know where it came from, but now it is a common word that has numbers not at the end, but inside it, so even cracking programs will have a significantly more difficult time randomly generating it.

    The other technique I use is to also hit the last key twice: zaph42odd. It ofuscates it further but at the same time has a minimal cost to you for remembering it.

    So, even if you're a lamer whose password is "password," changing it to pass43wordd makes it significantly harder to crack but just as easy to remember.
  • by dsb3 ( 129585 ) on Saturday March 16, 2002 @01:13PM (#3173669) Homepage Journal
    I once named a pet (it was a fish, in fact) after one of my passwords. Shame it wasn't one of the more pronounceable ones.
  • It's secure because you can provide your own entropy and the conversion to a passphrase is done with client side javascript. It also supplies some server side entropy by SSL, in case the entropy you supply isn't good. You'll have to click yes to accept the selfsigned SSL certificate since I haven't gotten around to renewing my commercial certificate. It uses the diceware [diceware.com] word list and a similar algorithm to generate the phrases.

    To run the script, click here. [nightsong.com]

  • You know, this sounds a lot like the 20/20 hindsight problem: Things become obvious after you know about them. If you know my passwords, it would be very easy for you to figure out how I came up with them. However, there are thousands upon thousands of ways I could come up with my
    passwords, so the chance that somebody will come up with what one of them is at the right time on the right computer is rather low. For example, I
    might have a slinky sitting on my desk, but that doesn't mean somebody will immediately think of my password as being "metalSlinky" or "51inky"
    or "rollsdownstairs". They will be even more confused when they find out my password is actually created from the name of my dog. Since I might have a picture of my dog on my desk, they could then say "Oh, yeah, I knew that," but we both know they were really focusing on my slinky.

    Of course, at the same time I would never underestimate the ability of people to come up with really, really bad passwords...

    "The combination is: 1. 2. 3. 4. 5."
    ...
    "Remind me to change the combination on my luggage."
  • by sulli ( 195030 )
    "Good" passwords impossible to remember.
  • Lyrical passwords... (Score:3, Interesting)

    by Colz Grigor ( 126123 ) on Saturday March 16, 2002 @01:24PM (#3173721) Homepage
    I think my passwords are usually pretty difficult to figure out...

    I pick some lyrics to a song that I know:
    "Penny Lane is in my ears and in my eyes."
    (I usually pick more obscure songs, but this is an example...)

    I then (sometimes) swap two words...
    "Penny Ears is in my lane and in my eyes."

    Then I convert it to a lower-case acronym...
    "peiimlaime"

    Convert every other character to 'leet (sometimes starting with the first, sometimes starting with the second)...
    "p3i!m1a!m3"

    This password is too repetitive... it's got two !s, two ms, and two 3s. I unconvert some of the 'leet to help out...
    "p3iim1a!m3"

    Now I convert some of the letters to upper-case...
    "p3iIm1A!m3"

    Looking at that password and not knowing how it was derived, you might think it's pretty random. But if you were a big Beatles fan, it'd be pretty easy for you to remember this one.

    One big problem with lyrical passwords, though:
    Don't hum the tune while you're typing in the password!!!

    ::Colz Grigor
  • by Wordsmith ( 183749 ) on Saturday March 16, 2002 @01:25PM (#3173726) Homepage
    Welcome to the Slashdot Server

    Login: CmdrTaco
    Password: Kathleen

    "Whoohoo! I'm in!"
  • Every semester we run crack on Unix passwds at my university. Number one: "Princess." Number two: "GoVols." :-) We enforce no dictionary words, etc. now and shut down the offending accounts. We also moved away from Unix based mail to IMAP with a Webmail interface running on SIMS off LDAP. They don't even get Unix accounts anymore unless they ask. Well, excuse me, your worshipfulness!!!!
  • Lotus Notes mail has a cool password generator. I converted it to Javascript once and use it for all my passwords:

    I can't post it here because it won't go past the lameness filter, but you can find it here [standyck.com].

    It produces nonsense passwords, but they are easy to remember because they come out like pseudo-words. e.g. jenzog72, or slocrip16. It's about the only thing useful I ever got out of Notes.

  • I used to get by on the net with just one password. It was very secure in that it was nice and random and not likely to appear in any cracker's dictionarys. I never really thought about security much... until a web based forum I was subscribed to was cracked. At the time I was an administrator on one of the largest online gaming forums in Europe (now sadly no longer with us), and another regular from those forums got hold of my password. Luckily he merely posted a few "hahaha I've got Skunk's password" posts and didn't do any damage, but the potentail was there.

    Since that incident I've instituted a strict policy of having at least 4 different "main" passwords, each with a different security level. I look at any site I sign up for very carefully - do es it look trustworthy? Do I trust the owner of the site (chances are my password will be stored in their database in plain text)? My "low level" passwords are used for unimportant sites while I save my "high level" ones for e-commerce and administrator functions.

    All this should have been obvious from the start, but then that's the benefit of hindsight :)
  • The root cause of all this, IMHO, is the "expert" advice to "never write down your password". What nonsense! Real security experts understand that there are about 3 things that can be used as authenticators for you: something you know, something you have, something you are. The problem is that a ton of cognitive research and computing experience over twenty years has failed to demonstrate that you can know something complicated enough to serve by itself as a secure password!

    Much more sensible is to randomly generate a password (using as much of the keyspace as reasonably possible), write it down, and stick it in your wallet or purse. Now it is something you have: a perfectly good authenticator that is as secure as the keys to your home and car.

    Insufficient security? Combine it with something you know by not writing down the last four randomly-generated characters: you can probably remember those, and a hundred thousand combinations to try will at least force the person who stole your password to have a means of rapidly checking alternatives.

    Alternatively, what I do is store the passwords on my PalmOS PDA, with a free app that lets me protect them with a "master password". Again, the master password is insecure, as it needs to be memorized, but it can be fairly strong, since it is all I need to memorize, and in any case it is only the second line of defense. In a more security-serious environment, you could combine this with the previous scheme.

    Note that you will eventually memorize frequently-used randomly-generated passwords: these can then be thrown away.

    Note also that the conventional advice to "change your password often" is a contributor to the problem here: it virtually guarantees that weak passwords will be chosen or that passwords will be written in too-convenient places. If your system is reasonably secured, there is no reason to ever change a password. Finally, if you do need to change a password for some reason, the "something you have" scheme described above works much better than memorization.

  • Want "line noise"-looking passwords ?

    I sometimes "play a tune" on the keyboard, using the old Amiga OctaMED or Protracker music software keyboard mapping (sometimes shifted to the left or right for variety's sake).

    So even I can't immediately tell what my password is, since I'm not using the "remembering words" bit of my mind. The fastest way for me to find out the password as a series of letters and numbers is to retype it in a shell window...

    Alternatively, I mentally superimpose a simple outline image of something onto the keyboard, and trace that outline, pressing keys...
  • Most of the passwords I use are in fact quite weak. Why? Because I don't really care if someone hacks into my spam account and if there is no one I know who would have the patience or know how to hack into the Linux partition I have. The fact is that the vast majority people don't have the ability to crack even the simplest of passwords (with the exception of "password"), and any one who does has a lot better things to do than screw around with some of my accounts. True the important passwords I have are still strong (I don't want someone breaking into my university account) but feel free to screw around with my hotmail account.
  • "Of course my password is the same as my pet's name.
    My cat's name was Q47pY!3, but I change it every 90 days." - Roddy Vagg
  • Didn't /. already run something about secure password schemes? Anyhoo, I usually strive for easy to remember, yet hard to dictionary attack. The easiest ways are:


    l33t-speak: replace letters with numbers. So your wife's name of Kathleen becomes "K@thl33n"

    inserting numbers for syllables of a word like: "x10u8" (extenuate)

    Using directions and keyboard geometry. (For my pin number I would use something like 36987, which is a backwards L on the keypad.)

    Inserting a number sequence inside of a word. r3o1v4e1r5 = rover + pi

    Using these methods, it's pretty easy to come up with a word that's relatively secure to a dictionary attack yet is as simple to remember as a much easier word.


    (One thing: PLEASE don't use your SS# in any of these!)

  • I thought it was common knowledge among sysadmins that people's passwords WILL suck.
  • One of my friends had a clever way of thinking up passwords. She would take her high school class schedule, say:

    Calculus
    Physics
    Chemistry
    Band
    Literature
    Study Hall
    Biology

    She would then alternate between the floor it was on and then the first letter of the class: 5c4p2c5b3l7s2b

    It's something you did for a year of your life, so not that easy to forget, and you could always look it up.

  • by rcw-home ( 122017 ) on Saturday March 16, 2002 @04:08PM (#3174395)
    1. It has to take someone longer than 30 seconds to memorize it if they were to see it written down somewhere
    2. It has to take me less than 2 seconds to type it in

    Any password that fits this criteria will take a long time to crack and even longer to figure out by looking over someone's shoulder.

    ObTrivia: at a place I used to work, 246 out of 780 user accounts had a password of "", "pass", or "password". Before I convinced the IT director to let me implement strong passwords, anyway.

  • by ca1v1n ( 135902 ) <snook@noSPam.guanotronic.com> on Saturday March 16, 2002 @05:25PM (#3174753)
    I haven't logged in as root on my box since I installed linux, thanks to sudo. My root password is a rather complicated string of characters that bears no resemblance to any words. My user password is similarly strong. Unfortunately, remembering lots of strong passwords isn't exactly easy. So, I've gotten lazy and reused some of them. Based on my tech support experience, I would guess that most people only have one or two passwords that they reuse. Snoop their plaintext logins to thespark.com or something like that, and you've got them. I've never made an unencrypted login to my box, and my passwords are strong, but that doesn't make them secure. Excuse me while I go change them...

"Don't tell me I'm burning the candle at both ends -- tell me where to get more wax!!"

Working...