Write your passwords down

116 points| duck | 15 years ago |blog.jgc.org

120 comments

[+] mikeryan|15 years ago|reply
It's funny. I worked for a startup that got acquired by Comcast, and eventually we started having to follow the Comcast security policy, which made us change domain passwords every month with requirements around using strange characters etc.

I'd say about 50% of the people ended up with their current password on a post-it on their monitor or desk.

[+] nowarninglabel|15 years ago|reply
Yes, this same thing happens on the ship I work on in the summers. There are about 300 people, and about half have to reset their password when they come on board. There is the arbitrary 8 character, at least 1 #, at least 1 special character, at least 1 capital, can't match a dictionary word, and can't be close to the previous password. Also can't contain their name. Try explaining that to 150 people over and over again... it is so painful to watch some people try half a dozen, even a dozen times and still not get a password that will work, and then the vast majority will either write it down in a public place, share it, or forget it.

I'd say, based on the available data, that we could have just as much security, without all the user hassle, if we just required long passwords, no other requirement. Can you see how much easier it is to just say: your password has to be 16 characters or longer? Just think of a passphrase. For instance: IWa1kmydogonSaturdays. Easy to remember, and I would argue, though I would want to try to provide some evidence, that this would be just as, if not more, secure than 8 characters with ridiculous requirements.

[+] verdant|15 years ago|reply
I loathe policies about expiring passwords because it breeds insecurity in the manner you mention. However, my company has this same policy, not because it's been evaluated as being a good policy, but because our SOX audits require it.

Another reason to grumble over SOX.

[+] ErrantX|15 years ago|reply
Yep, this is common practice.

I do a lot of pen testing, and one of the easiest ways to get access to important things is figure out a way to go into the IT department under some premise. Passwords galore, the rest is just memory :)

(this is, sadly, only a slight exaggeration)

[+] brettnak|15 years ago|reply
I did support for a hospital a while back. The favored (by faculty, not IT) strategy there was a sticky note on the back of an ID badge. My guess would be that this is common practice anywhere where people carry ID badges.

[+] _b8r0|15 years ago|reply
This is and isn't bad advice. Writing your passwords down and storing them in your wallet isn't necessarily a good idea. You may be able to secure your wallet, but there may be somewhere better to secure it (such as a house safe).

Rather than writing the passwords down, use a decent tool like 1password (http://agilewebsolutions.com/onepassword) or Keepass (http://keepass.info/).

[+] Legion|15 years ago|reply
Keepass is brilliant and supported on Linux, Mac, and Windows.

I have one super-strong password that I've memorized that encrypts my KeePass database, and then I use Keepass to generate and store random passwords for me.

[+] joshkaufman|15 years ago|reply
This looks like a good way to generate the passwords you put into 1password or another similar password tool. If the tool fails, you can regenerate the passwords if you need to.
[+] snes|15 years ago|reply
No one mentioned Lastpass?

It has a multifactor grid authentication, which along with a user defined password, makes it secure enough for me.

When I started using it, I changed most of my passwords to be 100 characters long. But many sites had a maximum 20 characters or equivalent rule.

[+] klochner|15 years ago|reply
My policy:

   - lame passwords for sites I don't care about (e.g., 'insecure')
   - the same password for sites with semi-sensitive information (e.g., facebook)
   - unique passwords for bank accounts, servers, etc.
So I try to strike a balance between difficulty in remembering & security.
[+] bigiain|15 years ago|reply
The thing that's bitten me on the ass a few times with that strategy is failing to upgrade sites from "I don't care about" status.

I'll use the 'insecure' password to drop a comment on an interesting discussion on a site I've just found - like, say HackerNews or Twitter, then two years later I'm still participating in the community there, and it _could_ have still had the password I used that time to comment on a ValleyWag story. All of a sudden I _do_ care a bit about any reputation I might have. I was fortunate this time not to have any sites I cared about still using the same old password Gawker leaked (mainly 'cause I'd learned that lesson when my twitterstream started spamming acai berry sites when PerlMonks exposed my low-grade password back then.)

I think Schneier's right - the world isn't a place where "remembering passwords" works any more. We need too many of them and we don't have enough control over how other people store them.

A password safe with a strong passphrase backed up by something like dropbox or zumodrive is probably a minimum sensible approach now. Some care is needed with the devices you access that password safe on, and awareness of how software like browsers or your OS caches and stores any passwords it sees you use. Even with a properly secured password safe, a fair number of my logins are probably hosed if I lose my laptop... Firefox, Chrome, Safari, Mail.app, Twitter clients, IM clients, IRC programs, FTP programs - all of them store credentials for me, _mostly_ in Mac OS X's keychain, but not in a "reliable enough way" to be considered "secure" if the physical hardware is in someone else's possession.

[+] kanru|15 years ago|reply
If one of your passwords leaks, all sites at that security level are unsafe.
[+] techbio|15 years ago|reply
Thanks for spelling that out entirely clearly.
[+] cliveholloway|15 years ago|reply
In related news, when I'm on a non-essential site that requires a password, forces a weird restriction ("Your password must contain at least one number and one non-word character") and won't let me save it in Firefox, I just copy the password, log out, bookmark the login page and then add #password to the URL and bookmark that as the new login page.

Then, come login, I can just copy the password from the URL.

[+] 16s|15 years ago|reply
I've been doing this:

echo -n "A long sentence I can recall. site_name" | sha1sum

I use the sha1sum from that as my password.

site_name may be hackernews, slashdot, home, etc. I can break them in half (20 chars) or quarters (10 chars) if the site can't accept a 40 char password. Also I can add a period on the end if the site requires special chars. These are strong passwords and unique for each site. Works great on Windows, Linux and Macs. All I need to do is recall my sentence (with proper punctuation).

[+] crux_|15 years ago|reply
Not to be snarky, but isn't your master password now sitting there, plaintext, in your command-line history? (Worse: when you accidentally do this in a terminal that's remoted somewhere.)
[+] Jach|15 years ago|reply
Your approach is great, I think I'll use it too.

My current method for secure passwords on sites that have a max around 8 or 12 or so is to think of some song lyrics I know, pick n words, camel-case them, l33+-translate a couple letters, and add shift+numeral special characters to either side.

[+] zcid|15 years ago|reply
While my method isn't as secure as yours most likely is, I prefer a simpler algorithm based upon the site name. I can perform my algorithm in my head and enter a password quickly and without having to refer to a terminal or another program.

Btw, do you ever worry that your command history might be accessed to discover your passwords?

[+] matclayton|15 years ago|reply
This reduces the search space massively though, as we now know you only use 0-f as characters. It probably brings it closer to being brute-forceable for the sites that don't accept 40 chars and don't have rate limits.
[+] mirkules|15 years ago|reply
There are also a number of apps for both android and iphone that will give you sha/md5 sums. The downside is you have to carry your phone and have enough batteries.
[+] dekz|15 years ago|reply
echo -n "A long sentence I can recall. site_name" | openssl dgst -sha1

For those with openssl.

[+] crocowhile|15 years ago|reply
> (I have a second copy of that sheet left with a friend in an envelope)

I love jgc but here he's making the same mistake most people make when they speak about security: assuming all readers have the same need for security and run the same risks. They don't. There is no point for my mom to adopt this system, it's way overkill for her. (I think there's no point for me either).

One needs to explain to users two things: the first is that there is a big difference between being A target and being THE target. If you are just A target, picking one password for each website you subscribe to is more than enough. If you are THE target, then people will get to you, no matter how secure you think you are.

[+] jgrahamc|15 years ago|reply
I somewhat agree, but when mass hacks occur it opens people with poor passwords up to hackers because they've got all the time in the world to see whose accounts they can get into.

BTW Do you use the same password on your Gawker account elsewhere?

[+] agraddy|15 years ago|reply
I like that giving the paper to a friend provides an easy way for a friend to be able to access his accounts in case of a tragedy.
[+] Abid|15 years ago|reply
I always have a question come to mind whenever I read these kinds of guidelines: what percentage of computer users have ever had their passwords compromised?

I'm guessing there's no real way to gauge this because I've never seen a study nor heard anyone else touting one and yet, complex password protection guidelines are always being recommended. Why?

[+] xlevus|15 years ago|reply
I have no idea about the percentages. But I've been hit twice. One by a leak from a sizable gaming website, and the other time by gawker. Neither time I gave a shit because thankfully I was smart about my passwords.

There's always a risk, it's not expensive to defend against, so why not?

[+] corin_|15 years ago|reply
Personally I don't see any reason for having them completely randomly generated.

'thIs1smyp4ssw0rd19%2' isn't any less secure than another 20 character password that includes lower+upper case letters, numbers and special characters.

Obviously, if you do something like 'c0r1np4ssw0rd' then it may get to the stage where enough people do that for crackers to expect it (maybe it already is), but as long as you follow his third and fourth rules ("Use mixed-case, numbers and special characters" and "Use passwords of at least 12 characters") you really should be fine, and you'll have an easier time memorising them.

(I can remember multiple 20+ character passwords that would be very difficult to crack, and have no need to write them down.)

[+] lukeschlather|15 years ago|reply
That's not quite true. When we're talking about the security of a password, we're talking about how long it's going to take someone to crack a possibly salted hash (Gawker's weren't) of your password. When attempting to crack a hash, the attacker begins with dictionary words, then with leetspeak permutations of dictionary words, then starts adding random numbers in with random words.

It's hard to say in what order specifically they're going to try it, but generally speaking, they go from fewer bits to higher bits. thIs 1s my p4ssw0rd - that's not quite as many bits as you think it is. That's 4 permutations of dictionary words. That password probably hits the requirement of 80 bits, but it is less secure than other 20 character passwords. thIs1smyp4ssw0rd is going to be tried in its various permutations fairly early on in the cracking, and tacking on a few extra characters, while an order of magnitude increase in compute time, is not outside the realm of possibility.
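
To make the point in lukeschlather's reply concrete (and corin_'s 'thIs1smyp4ssw0rd19%2' measurable), here is an added example, not code from the thread or from any cracking tool, that compares the naive length-times-charset estimate with what a wordlist-plus-mangling-rules attack actually has to search. It de-leets the password, splits the longest prefix it can into dictionary words, and charges each word log2(wordlist size) plus a few bits for case/leet rules; only the leftover tail is priced at the brute-force rate. The wordlist size and the rule-bit count are assumptions (constants near the top), and the tiny dictionary is constructed for the demo.

```python
import math

# Constructed mini wordlist for the demo; ASSUMED_DICT_SIZE stands in for the
# far larger list a cracker would use (an assumption, not a measurement).
DICTIONARY = {"this", "is", "my", "password", "secure", "walk", "dog", "on", "saturday"}
ASSUMED_DICT_SIZE = 100_000   # assumption: entries in a typical cracking wordlist
ASSUMED_RULE_BITS = 6         # assumption: ~64 case/leet mangling rules tried per word

# Common leet substitutions a rule set applies (here undone to recover the words).
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def normalize(password):
    """Lower-case and de-leet, i.e. recover the words the user started from."""
    return "".join(LEET.get(c, c.lower()) for c in password)


def segment(s, dictionary):
    """Split s into the fewest dictionary words that cover it exactly, else None."""
    best = [None] * (len(s) + 1)
    best[0] = []
    for end in range(1, len(s) + 1):
        for start in range(end):
            prefix = best[start]
            if prefix is not None and s[start:end] in dictionary:
                candidate = prefix + [s[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[len(s)]


def naive_bits(password):
    """The length-times-charset estimate: log2(alphabet ** len)."""
    if not password:
        return 0.0
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33
    return len(password) * math.log2(alphabet)


def analyze(password, dictionary=DICTIONARY,
            dict_size=ASSUMED_DICT_SIZE, rule_bits=ASSUMED_RULE_BITS):
    """Compare the naive estimate with what a wordlist + rules attack must search.

    The longest de-leeted prefix that splits into dictionary words costs
    log2(dict_size) + rule_bits per word; the remaining tail is treated as a
    brute-forced suffix priced at its own charset rate.
    """
    core = normalize(password)
    for cut in range(len(core), 0, -1):
        words = segment(core[:cut], dictionary)
        if words:
            break
    else:
        words, cut = [], 0            # no dictionary structure found
    suffix = password[cut:]
    if words:
        attack = len(words) * (math.log2(dict_size) + rule_bits) + naive_bits(suffix)
    else:
        attack = naive_bits(password)  # nothing better than brute force found
    return {"words": words, "suffix": suffix,
            "naive_bits": naive_bits(password), "attack_bits": attack}


if __name__ == "__main__":
    for pw in ["thIs1smyp4ssw0rd19%2", "P4ssw0rd1!", "Xq7#kL2p"]:
        r = analyze(pw)
        print(f"{pw:22} words={r['words']} suffix={r['suffix']!r} "
              f"naive={r['naive_bits']:.0f} bits  attack={r['attack_bits']:.0f} bits")
```

With the assumed constants, 'P4ssw0rd1!' scores about 66 bits by the naive rule but about 33 bits once it is seen as one word plus a two-character tail; the 20-character example drops from about 131 to about 112. The random-looking 'Xq7#kL2p' gets no discount because nothing in it segments into words, which is the property a generated password buys you.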

[+] jakehow|15 years ago|reply
The problem with this approach is that you can only remember a few passwords like this, which means that you are going to reuse passwords on multiple sites. One site compromise can compromise multiple accounts for you.
[+] stevelosh|15 years ago|reply
Use 1Password, make sure your passphrase for that is long enough to be secure.

Write that passphrase down and put it in a safety deposit box if you want people to be able to retrieve them after you die.

[+] joshkaufman|15 years ago|reply
An easy way to create your own...

Copy this empty table: http://pastebin.com/tzbd7FCt Fill it with this random password generator: https://www.grc.com/passwords.htm

Be sure to use a fixed-width font.

[+] tudorachim|15 years ago|reply
From the random generator's website: "Every one is completely random (maximum entropy) without any pattern, and the cryptographically-strong pseudo random number generator we use guarantees that no similar strings will ever be produced again."

Interesting guarantee for a random number generator to provide...

[+] flogic|15 years ago|reply
While I'm reasonably sure they're on the level, getting my random numbers from a source not under my control is worrying.
[+] ali001|15 years ago|reply
I think that a better solution is to use pwdhash. Check it out here:

http://pwdhash.com

It's a browser extension for Chrome and for Firefox that seamlessly hashes the concatenation of your master password and the domain name of the site you're logging into. This produces a different password for each site, and requires you to remember only your master password.

The extensions were created by Blake Ross (big name in the firefox community), as well as Collin Jackson and Dan Boneh who are highly regarded security experts at Stanford.

Also, if you're interested, I've created a command line utility for Mac OS X that exposes the same functionality: https://github.com/ali01/pwdhash.py

[+] crocowhile|15 years ago|reply
The most commonly used hashers are pwdhash, supergenpass and magicpassword. Given that they all use hashing algorithms, none of them will result in a password using special characters, which is not optimal.
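
Both 16s's sha1sum one-liner above and the pwdhash extension in this subthread derive a per-site password by hashing a master secret together with a site name. The following is an added example (mine, not code from the thread, from pwdhash or from any of the hashers named above) that reproduces 16s's scheme as posted, and beside it a keyed variant that answers the three objections raised in the thread: the master is read with getpass so it never lands in argv or shell history (crux_'s point), the output is drawn from a 76-symbol alphabet that includes specials rather than 16 hex digits (matclayton's and crocowhile's points), and the hash is keyed with HMAC so the domain alone tells an attacker nothing. The alphabet, the HMAC-SHA256 keystream and the 16-character default are my design choices, not what any of the named tools actually do.

```python
import getpass
import hashlib
import hmac
import math
import string
import sys


def sha1_scheme(sentence, site):
    """16s's scheme as posted: SHA-1 of '<sentence> <site>', 40 hex characters."""
    return hashlib.sha1(f"{sentence} {site}".encode("utf-8")).hexdigest()


def bits(length, alphabet_size):
    """Search space of a uniformly chosen password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


# Alphabet for the keyed variant: letters, digits and 14 specials, 76 symbols in all.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def _keystream(master, domain):
    """Unbounded deterministic bytes: HMAC-SHA256(master, domain || NUL || counter)."""
    counter = 0
    while True:
        msg = f"{domain}\x00{counter}".encode("utf-8")
        yield from hmac.new(master.encode("utf-8"), msg, hashlib.sha256).digest()
        counter += 1


def derive(master, domain, length=16, alphabet=ALPHABET):
    """Domain-specific password from a master secret (added design, not pwdhash's).

    Keyed with HMAC instead of a bare hash, and mapped onto the alphabet by
    rejection sampling so every symbol is equally likely (no modulo bias).
    """
    limit = 256 - (256 % len(alphabet))   # bytes >= limit would bias the modulo
    out = []
    for b in _keystream(master, domain):
        if b < limit:
            out.append(alphabet[b % len(alphabet)])
            if len(out) == length:
                return "".join(out)


if __name__ == "__main__":
    # getpass keeps the master sentence out of argv and of the shell history file.
    master = getpass.getpass("master sentence: ")
    site = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print("sha1 scheme (40 hex):", sha1_scheme(master, site))
    print("keyed, 16 chars     :", derive(master, site))
    print(f"10 hex chars = {bits(10, 16):.0f} bits; "
          f"16 chars from {len(ALPHABET)} symbols = {bits(16, len(ALPHABET)):.0f} bits")
```

Run it as `python3 derive.py news.ycombinator.com` (file name assumed). Ten hex characters, the quarter-hash 16s falls back to on sites with short limits, is 40 bits of search space; sixteen characters from the 76-symbol alphabet is about 100 bits in the same length budget, which is the gap matclayton is pointing at. The remaining caveat from sullof's comment still applies to any such scheme: a phishing site that captures one derived password and knows the scheme can attack the master offline, and a keyed hash only slows that down, it does not prevent it.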
[+] ankimal|15 years ago|reply
What happens when you lose your laptop or netbook or whatever handy device you use to browse the web? Are you then leaving it to the OS login screen to protect everything? I'd rather have passwords I remember in my head. If I forget often, I click the reset button/forgot your password. What's more, I generally visit important places more often than unimportant ones, so I won't forget my important passwords. Also, start using sites like mint.com. Instead of logging into your bank account, log into mint to check balance and expenditures.

Let's face it, none of this is ever gonna keep you totally out of trouble. If you're so paranoid (aka my security professor at school), shut all your online accounts down.

[+] samuel|15 years ago|reply
So you have a paper in your wallet, which can be used to obtain every password you use, using an intricate and very specific "algorithm".

Then you publish the fact itself and the algorithm in your blog(real name), which, besides, doesn't depend on a passphrase (which could turn your method in a sort of dual factor authenticator).

The paper could be photocopied and returned to your wallet and you'd never know.

Please, don't talk to me about how many bits of entropy your passwords have. They aren't secure.

[+] lukeschlather|15 years ago|reply
Why do you believe he gave you the real algorithm?
[+] jasonjei|15 years ago|reply
It's an interesting concept because passwords could be infinitely more secure if everything adopted a two-factor authentication system with something physical that you carried around like an RSA SecurID. Unfortunately, even that system risks being compromised, and like the sheet of paper, highly inconvenient.

But on the other hand, your garage door works with a rolling key too, and you're also SOL if you lose your opener (unless you, ironically, have a keypad).

[+] kgo|15 years ago|reply
I did some consulting work at a big pharma company. And they solved the whole problem of someone stealing (or more likely losing) an RSA key by keeping all the keys at the helpdesk!

You just called up, said you need the ID, and they read you the number over the phone...

Me: "Hi I'm XXX and I need the RSA key for COMPANY X."

Helpdesk: "Okay... It's on the board here somewhere... Found it... It's down to the last bar. Let me wait until it flips... Okay. Six bars... 643332."

Me: "Thanks a million."

[+] sigil|15 years ago|reply
I generate a new random but semi-pronounceable password for every account using apg (http://www.adel.nursat.kz/apg/), then store it in one of several gpg-encrypted, replicated master password files.

The first few times I use a newly generated password, I have to look it up in a master file. It's weird how quickly semi-pronounceable nonsense + some symbols get stuck in your head though.

[+] devinfoley|15 years ago|reply
"Write them down and keep them in your wallet because you are good at securing your wallet."

I'm having a very difficult time articulating just how horrible this idea is. Now if somebody compromises your password list, by either finding or stealing your wallet, they also get all of your personal and banking information as well!

There is a reason that the government advises people not to carry their Social Security cards in their wallet (http://ssa-custhelp.ssa.gov/app/answers/detail/a_id/446/~/ca...).

I use Wallet, a password manager/generator that's available for OS X and iOS, supports encryption, and syncs between devices automatically. I use a different random, strong password for all of my accounts, and it's easier to manage than keeping lists of passwords. Works for me.

[+] sullof|15 years ago|reply
I think that using password schemes is bad. Because in order to be useful, the method needs to be fast, simple and replicable. Suppose that someone creates a fake website in order to grab one of your smart passwords. If he understands that you use a method, he will try to deconstruct the method based on the fact that his website surely is included in some manner in the password itself. Also, since many people who use these methods tend to divulge them to the community, there isn't even a need to create a fake website to understand your passwords. The only solution that really works is to use a password manager. My favorite obviously is Passpack, because I am a co-founder, but regardless of which software you choose the important thing is that you use it. My advice is not to rely on any clever schemes because you may be in for a bad surprise.