Your Password ain't Squat!

MA-Caver

Sr. Grandmaster
MT Mentor
Joined
Aug 21, 2003
Messages
14,960
Reaction score
312
Location
Chattanooga, TN
Interesting article about the invalidity of passwords in this day and age. Hackers are able to ascertain what our entry words/numbers are with a few simple tricks. Yet people still try to use very easy to ferret out passwords for their most valuable possession... their Identity.

Digital Domain
Goodbye, Passwords. You Aren’t a Good Defense.

Photo Illustration by Tony Cenicola/The New York Times


http://www.nytimes.com/2008/08/10/technology/10digi.html?ref=technology


By RANDALL STROSS

Published: August 9, 2008
THE best password is a long, nonsensical string of letters and numbers and punctuation marks, a combination never put together before. Some admirable people actually do memorize random strings of characters for their passwords — and replace them with other random strings every couple of months.
Then there’s the rest of us, selecting the short, the familiar and the easiest to remember. And holding onto it forever.
I once felt ashamed about failing to follow best practices for password selection — but no more. Computer security experts say that choosing hard-to-guess passwords ultimately brings little security protection. Passwords won’t keep us safe from identity theft, no matter how clever we are in choosing them.
That would be the case even if we had done a better job of listening to instructions. Surveys show that we’ve remained stubbornly fond of perennial favorites like “password,” “123456” and “LetMeIn.” The underlying problem, however, isn’t their simplicity. It’s the log-on procedure itself, in which we land on a Web page, which may or may not be what it says it is, and type in a string of characters to authenticate our identity (or have our password manager insert the expected string on our behalf).
This procedure — which now seems perfectly natural because we’ve been trained to repeat it so much — is a bad idea, one that no security expert whom I reached would defend.
Password-based log-ons are susceptible to being compromised in any number of ways. Consider a single threat, that posed by phishers who trick us into clicking to a site designed to mimic a legitimate one in order to harvest our log-on information. Once we’ve been suckered at one site and our password purloined, it can be tried at other sites.
 

terryl965

Martial Talk Ultimate
MTS Alumni
Joined
Apr 9, 2004
Messages
41,259
Reaction score
340
Location
Grand Prairie Texas
Well, I keep mine simple because I am not smart enough to remember. What is my name again?
 

mrhnau

Senior Master
Joined
Aug 5, 2005
Messages
2,269
Reaction score
34
Location
NC
What drives me nuts are the requirements for passwords. It seems everyone does it differently, so you simply can't use the same password more than once. I've got about 6 I use and it's annoying as heck to keep up with them!
 

jks9199

Administrator
Staff member
Lifetime Supporting Member
Joined
Jul 2, 2006
Messages
23,506
Reaction score
3,851
Location
Northern VA
What drives me nuts are the requirements for passwords. It seems everyone does it differently, so you simply can't use the same password more than once. I've got about 6 I use and it's annoying as heck to keep up with them!
Tell me about it...

Work alone, I've got passwords for 2 "professional" email systems, a Hotmail account that I created before my employer provided email, 4 different passwords for some information sharing resources (maybe more... I keep thinking of another one every time I pause), plus a password for the teletype system... And, of course, none of them share the same username. And that's not counting PINs and access codes for buildings and gates. Or my false-front identities on social networking sites like MySpace...

Or "personal" stuff like MT.
 

Bob Hubbard

Retired
MT Mentor
Founding Member
Lifetime Supporting Member
MTS Alumni
Joined
Aug 4, 2001
Messages
47,245
Reaction score
772
Location
Land of the Free
Ask any old school Trekkie what their pin is. More than half will answer "1701".
 

stickarts

Senior Master
MT Mentor
MTS Alumni
Joined
Jul 6, 2003
Messages
3,902
Reaction score
60
Location
middletown, CT USA
Thanks for sharing! What gets crazy for me is the number of passwords I now have to try and remember. Between all of the applications and programs at work, stuff at home, and the Karate school, it gets insane! :)
 

Rich Parsons

A Student of Martial Arts
Founding Member
Lifetime Supporting Member
MTS Alumni
Joined
Oct 13, 2001
Messages
16,849
Reaction score
1,084
Location
Michigan
I took some cryptology classes in college.

I studied up on it a little afterwards as well.

The issue is that no matter what your password is, given time and desire, people can break any password. The issue is to make it so hard they will not try.

The problem is that people need to remember them. If there was a standard as mentioned before that was common then people could remember a single password that could be useful for security.

But instead people have to remember them, so they go for easy or personal references. I know I was able to break many passwords of my friends and even instructors (* as part of an agreed upon test *) by using what I knew about them. At work there were so many systems with different passwords and different rules that most of the people I knew had a file on their laptop called passwords, or had all their passwords written down in their planner.

So, the point of making it more complicated has actually made the systems more insecure as people have to break the written rules to be able to remember them.

It is sad that there cannot be a commonsense approach to this.
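The post above describes guessing friends' and instructors' passwords from what the guesser knew about them. The following is an added example, not code from the thread: it builds a candidate list from a handful of constructed facts about a hypothetical target (names, place, year, pet; none real), applies the usual mutations (case changes, reversal, leetspeak, digit and punctuation suffixes, two-word combinations) and tests each candidate against a salted PBKDF2 hash. The facts, the victim password and the low PBKDF2 round count are assumptions chosen so the demo finishes in a second or two.

```python
# Added example (not from the thread): a targeted guessing attack that builds its
# candidate list from facts the attacker knows about the target and tests them
# against a salted PBKDF2-HMAC-SHA256 hash.
import hashlib
import hmac
import itertools
import os

# Constructed facts about a hypothetical target; none of these are real.
FACTS = ["Rich", "Parsons", "Michigan", "karate", "1972", "Rover"]
LEET = str.maketrans("aeios", "43105")
SUFFIXES = ("", "1", "123", "!", "01")
PBKDF2_ROUNDS = 10_000  # deliberately low so the demo runs quickly


def mangle(word):
    """Yield common mutations of one base word: case changes, reversal, leet, suffixes."""
    forms = [word, word.lower(), word.capitalize(), word.upper(), word[::-1],
             word.lower().translate(LEET)]
    seen = set()
    for form in forms:
        for suffix in SUFFIXES:
            guess = form + suffix
            if guess not in seen:
                seen.add(guess)
                yield guess


def candidates(facts):
    """Single mangled facts first, then pairs such as surname+year."""
    seen = set()
    for word in facts:
        for guess in mangle(word):
            if guess not in seen:
                seen.add(guess)
                yield guess
    for a, b in itertools.permutations(facts, 2):
        for guess in (a + b, a.lower() + b, a + "_" + b):
            if guess not in seen:
                seen.add(guess)
                yield guess


def hash_password(password, salt, rounds=PBKDF2_ROUNDS):
    """Salted PBKDF2-HMAC-SHA256, the kind of storage a site should be using."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def crack(stored_hash, salt, facts, rounds=PBKDF2_ROUNDS):
    """Return (password, guesses_tried) on success, (None, guesses_tried) otherwise."""
    tried = 0
    for guess in candidates(facts):
        tried += 1
        if hmac.compare_digest(hash_password(guess, salt, rounds), stored_hash):
            return guess, tried
    return None, tried


if __name__ == "__main__":
    salt = os.urandom(16)
    victim_hash = hash_password("Parsons1972", salt)  # constructed victim password
    print(crack(victim_hash, salt, FACTS))
```

A few hundred guesses are enough here, which is why salting and a slow hash do not save a password built from personal facts: they only make each guess cost a little more, and the attacker needs very few. A random string, by contrast, never appears in this list at all.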
 

arnisador

Sr. Grandmaster
MTS Alumni
Joined
Aug 28, 2001
Messages
44,573
Reaction score
456
Location
Terre Haute, IN
So, the point of making it more complicated has actually made the systems more insecure as people have to break the written rules to be able to remember them.

Yes, indeed! The picture in the first post here makes this point exactly. Every site has its own rules, so you need a different password (must have a punctuation character at this site, can't have a punctuation character at that site), which forces people to write down their passwords or use obvious passwords, suitably modified for each site. We need a single standard.

Just making a 5 second delay between login attempts goes a long way toward security.
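To show what the delay in the post above buys, here is an added example that is not part of the thread: a small authenticator that refuses attempts arriving before a per-account delay has elapsed, with the delay doubling on consecutive failures and an injectable clock so the behaviour can be checked without sleeping. The 5-second base delay follows the post; the doubling, the 300-second cap, the PBKDF2 parameters and the FakeClock helper are assumptions of this example.

```python
# Added example (not from the thread): an authenticator that enforces a minimum
# delay between login attempts per account, as the post above suggests.
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 10_000
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", DUMMY_SALT, PBKDF2_ROUNDS)


class ThrottledLogin:
    """Rejects attempts that arrive before the per-account delay has elapsed.

    base_delay is the flat delay after a failure (5 s in the post above);
    the delay doubles with each consecutive failure up to max_delay.
    """

    def __init__(self, base_delay=5.0, max_delay=300.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self.users = {}   # username -> (salt, pbkdf2 hash)
        self.state = {}   # username -> (consecutive failures, next allowed time)

    def register(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[user] = (salt, digest)

    def login(self, user, password):
        """Return 'ok', 'bad' or 'throttled'."""
        now = self.clock()
        failures, next_allowed = self.state.get(user, (0, 0.0))
        if now < next_allowed:
            return "throttled"  # the guess is not even checked
        # Hash for unknown users too, so response time does not reveal which names exist.
        salt, stored = self.users.get(user, (DUMMY_SALT, DUMMY_HASH))
        computed = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if user in self.users and hmac.compare_digest(computed, stored):
            self.state.pop(user, None)  # success resets the failure counter
            return "ok"
        failures += 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self.state[user] = (failures, now + delay)
        return "bad"


def max_online_guesses(delay_seconds, period_seconds=86_400):
    """Upper bound on guesses per account an attacker gets through a flat delay."""
    return int(period_seconds // delay_seconds)


class FakeClock:
    """Deterministic clock for the demo and tests."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    auth = ThrottledLogin(clock=clock)
    auth.register("bob", "1701")
    print(auth.login("bob", "wrong"), auth.login("bob", "1701"))  # bad throttled
    clock.advance(5)
    print(auth.login("bob", "1701"))  # ok
    print("guesses per day through a flat 5 s delay:", max_online_guesses(5))
```

Two caveats a practitioner would add: a flat 5-second delay still allows about 17,000 guesses per account per day, so it defeats online brute force but not a short list of likely passwords; and the throttle is per account, so it does nothing against an attacker who tries one common password across thousands of accounts. Throttled attempts deliberately do not extend the delay, so an attacker hammering the endpoint cannot lock the real user out indefinitely.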
 
MA-Caver

Sr. Grandmaster
MT Mentor
Joined
Aug 21, 2003
Messages
14,960
Reaction score
312
Location
Chattanooga, TN
I took some cryptology classes in college.

I studied up on it a little afterwards as well.

The issue is that no matter what your password is, given time and desire, people can break any password. The issue is to make it so hard they will not try.

The problem is that people need to remember them. If there was a standard as mentioned before that was common then people could remember a single password that could be useful for security.

But instead people have to remember them, so they go for easy or personal references. I know I was able to break many passwords of my friends and even instructors (* as part of an agreed upon test *) by using what I knew about them. At work there were so many systems with different passwords and different rules that most of the people I knew had a file on their laptop called passwords, or had all their passwords written down in their planner.

So, the point of making it more complicated has actually made the systems more insecure as people have to break the written rules to be able to remember them.

It is sad that there cannot be a commonsense approach to this.
Well, for lesser sites (games, discussion boards, etc.) I use the names of my favorite caves, and some of them are spelled backwards. Since I've been to roughly 50 caves in my lifetime (so far), trying to figure out WHICH one I chose for that particular site... well, seeing how it's going to do nothing more than play the same games that I play or get into THIS site and others... I'm not worried too much about security.
As far as my personal accounts... at the moment I don't have any... so no worries there.
But if/when I do then I use a password and write it down in my wallet and keep a copy of it under my mouse pad... so no worries there for me.
 

Bob Hubbard

Retired
MT Mentor
Founding Member
Lifetime Supporting Member
MTS Alumni
Joined
Aug 4, 2001
Messages
47,245
Reaction score
772
Location
Land of the Free
When I was a network admin, I took a copy of the user/password list and tossed it against one of the popular brute force crackers. 95% of the passwords cracked in under a few minutes. Only mine and the master server account lasted longer. They were 32 characters long. Average was 6.

This will be an interesting read.
How long will your password stand up
http://www.lockdown.co.uk/?pg=combi&s=articles
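The post above reports 6-character passwords falling in minutes while 32-character ones held. The following added example, not the thread's code and not the lockdown.co.uk calculator, does the arithmetic behind that: it infers the alphabet a password draws from, computes the keyspace and entropy, estimates time to exhaust it at an assumed guess rate, and then actually exhausts a four-digit PIN against an unsalted MD5 hash to show how cheap the short case is. The one-billion-guesses-per-second rate, the sample passwords and the MD5 storage are assumptions of this example.

```python
# Added example (not from the thread): estimate how long a password stands up to
# exhaustive search, then exhaust a short PIN for real against an unsalted MD5 hash.
import hashlib
import itertools
import math
import string

CHARSETS = (
    ("digits", string.digits),
    ("lower", string.ascii_lowercase),
    ("upper", string.ascii_uppercase),
    ("punct", string.punctuation),
)


def charset_size(password):
    """Size of the union of standard alphabets needed to cover every character."""
    return sum(len(chars) for _, chars in CHARSETS if any(c in chars for c in password))


def keyspace(password):
    """Number of strings of this length over the inferred alphabet."""
    return charset_size(password) ** len(password)


def entropy_bits(password):
    """Brute-force entropy assuming the attacker knows the length and alphabet."""
    return math.log2(keyspace(password))


def seconds_to_exhaust(password, guesses_per_second):
    """Worst case for the attacker: every combination tried. Expected time is half."""
    return keyspace(password) / guesses_per_second


def humanize(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3g} seconds"


def md5_hex(text):
    """Unsalted MD5, the 'old school' storage format assumed for the demo target."""
    return hashlib.md5(text.encode()).hexdigest()


def brute_force_md5(target_hex, alphabet, max_len):
    """Try every string over alphabet up to max_len. Returns (password, guesses)."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if md5_hex(candidate) == target_hex:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    rate = 1e9  # assumed: one billion MD5 guesses per second
    for pw in ("1701", "abcdef", "Tr0ub4dor&3", "x" * 32):
        print(f"{pw!r:36} {entropy_bits(pw):6.1f} bits  {humanize(seconds_to_exhaust(pw, rate))}")
    pin_hash = md5_hex("1701")  # constructed stored hash of a hypothetical user's PIN
    print(brute_force_md5(pin_hash, string.digits, 4))
```

The estimate is an upper bound on attacker effort, not a measure of strength: it treats "x" repeated 32 times as 150 bits because the formula only sees length and alphabet, while any cracker will try that pattern long before exhausting the keyspace. It is useful for exactly the comparison in the post, six random characters against thirty-two.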
 

mrhnau

Senior Master
Joined
Aug 5, 2005
Messages
2,269
Reaction score
34
Location
NC
I've toyed with those timed password generators. Rather than a static password, they get renewed periodically. In the case of the system I was working with, every 15 seconds. You get a device that is synchronized with the server and you can check your updated password.

Then, there is always biometrics...
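The post above describes a token that shows a new password every few seconds, synchronised with the server. Here is an added example, not from the thread, of that scheme as standardised in RFC 6238 (TOTP) on top of RFC 4226 (HOTP): both sides derive a counter from the clock and run an HMAC over it, so no password ever has to be stored or remembered. The server side also accepts neighbouring time steps to tolerate clock drift and refuses a code that has already been used. The 30-second step is the RFC default (the post's 15-second token would be step=15), and the secret is the RFC's published test-vector seed, not a real key.

```python
# Added example (not from the thread): time-synchronised one-time codes as
# TOTP (RFC 6238) built on HOTP (RFC 4226), with a replay-refusing verifier.
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: token and server both derive the counter from the clock."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server side: accepts neighbouring steps for clock drift, refuses replays."""

    def __init__(self, step=30, window=1, digits=6):
        self.step = step
        self.window = window
        self.digits = digits
        self.last_counter = {}  # user -> highest counter already accepted

    def verify(self, user, secret, code, unix_time):
        counter = int(unix_time) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter.get(user, -1):
                continue  # a code from this step was already accepted: replay
            if hmac.compare_digest(hotp(secret, c, self.digits), code):
                self.last_counter[user] = c
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector seed, not a real key
    for t in (59, 1111111109, 1234567890):
        print(t, totp(secret, t))
    server = TotpVerifier()
    print(server.verify("alice", secret, totp(secret, 59), 59))  # True
    print(server.verify("alice", secret, totp(secret, 59), 59))  # False: replay
```

The shared secret is the whole security of the scheme: whoever holds it can generate every future code, so it has to be provisioned over a trusted channel and stored on the server with the same care as a password database. A phisher who relays the code within the time step still gets in; the rotating code only closes the "steal it once, use it later" case from the article in the first post.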
 
