Please do not change your password [telecom]

You were right: It's a waste of your time. A study says much computer security advice is not worth following.

By Mark Pothier | April 11, 2010

To continue reading this story, enter your password now. If you do not have a password, please create one. It must contain a minimum of eight characters, including upper- and lower-case letters and one number. This is for your own good.

Nonsense, of course, but it helps illustrate a point: You will need a computer password today, maybe a half dozen or more - those secret sign-ins that serve as sentries for everything from Amazon shopping carts to work files to online bank accounts. Just when you have them all sorted out, along comes another "urgent" directive from the bank or IT department - time to reset those codes, for safety's sake. And the latest lineup of log-ins you've concocted won't last for long, either. Some might temporarily stay in your head, others are jotted on scraps of paper and stuffed in a wallet. A few might be taped to your computer monitor in plain view (or are those are from last year's batch? Who can remember?).

Now, a study has concluded what lots of us have long suspected: Many of these irritating security measures are a waste of time. The study, by a top researcher at Microsoft, found that instructions intended to spare us from costly computer attacks often exact a much steeper price in the form of user effort and time expended.

...

-- Monty Solomon

One can legitimately argue some passwords *SHOULD* be changed.

As a good example of which, consider these cracked passwords which can be seen in the bottom page margin on page 40 of the April 2010 hardcopy issue of WIRED:

Paris Hilton: TINKERBELL
Sarah Palin: WASILLA HIGH
Miley Cyrus: LOC092
Salma Hayek: FRIDA
Lindsay Lohan: 1234

:-)

-- Thad Floryan

Then there is the classical 'good' password:

MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento

Purportedly used by a blonde, as in "Helloooo -- they said it had to be eight characters and a capital!"

***** Moderator's Note *****

I'm sure that the poster's remark is not made with any malice toward any particular person with light colored hair.

Bill Horne Moderator

-- Robert Bonomi

Something I discovered on my own twenty years ago when I was in school and working for a phone company. We put a new policy in place where users had to change passwords once a month and use upper and lower-case letters, a number, and a special character. When we put the stricter password policies into place the users were more likely to write their password in pencil under their keyboard or write it on a poorly-hidden sticky note. It actually made things less secure. We were finding people's passwords just by glancing around their offices for a few seconds.

John

-- John Mayson Austin, Texas, USA


Or LEETize it. Tinkerbell would become 7iNk3rbE1l

***** Moderator's Note *****

Bad idea! "Leet" speak is a well-known variant of American English, and therefore subject to dictionary attack.

Bill Horne Moderator

-- T

This topic seems to have caught fire - although lots of sites hide the refs to the original doc.

Maybe the globe refers to this one:

(if it doesn't - much easier to read without all that ad clutter)

Note - it does not say that passwords are not good security and that we don't need them.

What it goes on about is that the cost for a user of mucking around with passwords vastly outweighs the benefits, so using the same password in lots of different sites, and choosing simple easy to remember ones is a sensible tradeoff - for a user.

There is some other discussion of cost benefit to other security advice as well.

It also concentrates on consumer cost benefits....

... or maybe

-- Stephen

Perhaps but if one mixes in symbols it makes it that much harder: E.g. 7 _iN!k3rbE1L:

***** Moderator's Note *****

So long as the English equivalent is known or easily guessed, you lose. All major-league "dictionary" password-guessing programs include such variants, and numbers before and/or after the commonly-used passwords. Using "Leet speak" or other "Pig Latin" substitutions is just "Security through obscurity": it stops being fun as soon as you meet someone else that knows the code.

Good security policies are like regular exercise: by the time you realize you should have done things differently, it's too late to act. [TM]

Bill Horne Moderator

Moderator's Note Copyright (C) 2010 E. William Horne. All Rights Reserved.

-- T
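The moderator's point in both notes above (that 7iNk3rbE1l and its punctuated cousin are still "tinkerbell" to a cracking dictionary) is easiest to see from the defender's side as a password-policy check. The following is an added example, not code from the thread: it undoes the usual digit-for-letter substitutions and strips leading/trailing junk before looking the result up in a word list. SAMPLE_WORDS, LEET_MAP and the eight-character minimum are constructed for the example; a real check would load a large word list.

```python
"""Reject passwords that are only a 'leet'-mangled dictionary word.

Added example, not code from the thread: a server-side password-policy
check in the spirit of the moderator's point that substitutions such as
7iNk3rbE1l are already in the cracking dictionaries.  SAMPLE_WORDS is a
tiny constructed word list; a real check would load a large one.
"""
import string

# Digit/symbol -> the letter it usually stands in for (constructed table).
LEET_MAP = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s",
}

# Characters commonly tacked onto the front or back of a base word.
EDGE_JUNK = string.digits + string.punctuation + " "

# Constructed sample dictionary (includes the words mentioned in the thread).
SAMPLE_WORDS = {"tinkerbell", "wasilla", "frida", "password", "secret", "welcome"}

MIN_LENGTH = 8  # the newspaper's parody rule, used here as the policy minimum


def unleet(text):
    """Lowercase, undo the substitutions above and drop anything non-alphabetic."""
    letters = []
    for ch in text.lower():
        ch = LEET_MAP.get(ch, ch)
        if ch.isalpha():
            letters.append(ch)
    return "".join(letters)


def base_words(candidate):
    """Base words a cracking dictionary would map this candidate back to.

    Two forms are tried: every character translated (catches 7iNk3rbE1l, where
    the leading 7 is the 't'), and the candidate with leading/trailing digits
    and punctuation stripped first (catches Password1 and !secret!).
    """
    forms = {unleet(candidate), unleet(candidate.strip(EDGE_JUNK))}
    return {form for form in forms if form}


def is_mangled_dictionary_word(candidate, words=SAMPLE_WORDS):
    """True if the candidate is a dictionary word under any normal form."""
    return any(form in words for form in base_words(candidate))


def check_password(candidate, words=SAMPLE_WORDS):
    """Policy verdict: 'too short', 'dictionary word' or 'ok'."""
    if len(candidate) < MIN_LENGTH:
        return "too short"
    if is_mangled_dictionary_word(candidate, words):
        return "dictionary word"
    return "ok"


if __name__ == "__main__":
    for sample in ["Tinkerbell", "7iNk3rbE1l", "7 _iN!k3rbE1L:", "Password1",
                   "4a20bbiap", "1234"]:
        print(f"{sample!r:20} -> {check_password(sample)}")
```

Both leet spellings from the thread come back as "dictionary word"; the phrase-derived "4a20bbiap" mentioned later in the thread passes, because no substitution table turns it back into a word. The check is deliberately conservative (only a handful of substitutions, no partial-word matching), so it is a floor on what a real dictionary attack covers, not a ceiling.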

In article , Robert Bonomi wrote:

Oh, no! Bill, *you* weren't using that for your password, were you?

Kidding aside, _if_ the system in question uses all the characters in a password of that length, it's not a bad choice. The length alone is sufficient to render dictionary-type attacks 'impractical', and the components are easy enough to remember that one is not likely to 'need' to 'have it written down' to refer to, every time you need to use it.

In all seriousness, I've seen lots of 'rules' for constructing 'quality' passwords -- minimum length, unexpected capitalization, including 'non-letters', etc. -- but very little about how to construct a "good" password -- one that is easy to remember, yet 'un-guessable', and, also, not subject to 'dictionary attack' type approaches.

First on this list is "_don't_ use 'personal' information" -- things like names of family members, birthdays, schools, etc. When an attacker is trying to "guess" the password of a "known" person, these are the _first_ kinds of things they try. (A co-worker nearly fainted when, in response to his claim of using a 'quality' password, I retorted "you're probably using something like ..." and named the first names of 2 of his children. I had the right two names, but in reverse order. He _promptly_ changed his password to something that did -not- rely on personal information. :)

Second, come up with something that _is_ easy to remember, and then use something trivially *DERIVED* from that, rather than the 'easy to remember' thing itself. E.g., pick a common word, stick a punctuation symbol or two in the middle of it, and an unexpected capitalization -- you _don't_ have to remember the exact string of symbols, just the 'word', and where the modifications go -- three or four 'simple' facts, vs one 'complicated' one. Or, pick a memorable nursery rhyme, and use the first letter of each word of, say, the second line of it -- like "4a20bbiap" ("four-and-twenty blackbirds baked in a pie"). Again, the phrase itself is already imprinted in memory; all you have to consciously remember is 'use the first letter'.

Techniques like this produce essentially 'un-guessable' pseudo-random character sequences that are impervious to anything but an exhaustive brute-force attack, *while* being _easy_enough_to_remember_ that there is no tendency/incentive to record them on a "crib-sheet".

***** Moderator's Note *****

The problem that the Microsoft paper alluded to is that security researchers and "experts" don't consider the value of the users' time when making recommendations about password strength, change intervals, etc.

The problem, as I see it, is that the users don't believe the data in their computers is worth protecting, and thus feel that security is an imposition on their already-precious time.

Bill Horne Moderator

P.S. No, that wasn't my password: *MY* password includes a punctuation mark.

-- Robert Bonomi

Robert Bonomi wrote:

Many years ago, one user would ask for a password reset almost every Monday. One time I reset the password and handed this user a piece of paper on which was the name of a small Welsh town: Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch. Of course the Unix system in question only used the first eight letters, but the user had not bothered to learn that.

-- Paul
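Two posts above make claims that are worth putting numbers on: Robert Bonomi's phrase-derivation rule ("4a20bbiap" from a nursery rhyme) and Paul's anecdote about a Unix system that only looked at the first eight characters of the Welsh town name. The following is an added example, not code from either poster. derive_from_phrase applies the first-letter rule; turning number words into digits, as Bonomi's own example does, is my reading of his rule, so NUMBER_WORDS is a constructed table. effective_password models the eight-character truncation of legacy crypt(3), and brute_force_guesses shows how that truncation caps the search space regardless of how long the password really is. The guess rates in the demo are constructed figures for comparison only.

```python
"""Phrase-derived passwords and the size of the search they force.

Added example, not from the thread.  derive_from_phrase applies Robert
Bonomi's rule (first letter of each word of a memorable line); turning
number words into digits, as his own "4a20bbiap" does, is an assumption
about his rule, so NUMBER_WORDS is a constructed table.  effective_password
models the behaviour Paul describes: a legacy Unix crypt(3) that looks
only at the first eight characters, which also caps the search space.
"""
import re
import string

# Constructed table: number words become digits, as in "4a20bbiap".
NUMBER_WORDS = {
    "one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
    "six": "6", "seven": "7", "eight": "8", "nine": "9", "ten": "10",
    "twenty": "20",
}

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)

# The town name from Paul's post, used here as sample input.
WELSH_TOWN = "Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch"


def derive_from_phrase(phrase):
    """First character of each word; words are split on spaces and hyphens."""
    tokens = [t for t in re.split(r"[\s-]+", phrase.strip()) if t]
    return "".join(NUMBER_WORDS.get(t.lower(), t[0]) for t in tokens)


def effective_password(password, significant_chars=None):
    """What the system actually compares (legacy crypt(3): the first 8 chars)."""
    if significant_chars is None:
        return password
    return password[:significant_chars]


def alphabet_size(password):
    """Size of the union of character classes the password draws from."""
    return sum(len(cls) for cls in CHARACTER_CLASSES
               if any(ch in cls for ch in password))


def brute_force_guesses(password, significant_chars=None):
    """Worst-case guesses to exhaust the space the password actually lives in."""
    effective = effective_password(password, significant_chars)
    return alphabet_size(effective) ** len(effective)


def seconds_to_exhaust(guesses, guesses_per_second):
    """Wall-clock seconds to run the whole space at a given guess rate."""
    return guesses / guesses_per_second


if __name__ == "__main__":
    pw = derive_from_phrase("four-and-twenty blackbirds baked in a pie")
    print(pw, brute_force_guesses(pw))
    # Online guessing throttled to 4 tries per 15 minutes versus an offline
    # attack on a copied hash file at a constructed 10^9 guesses/second.
    for name, rate in (("online", 4 / 900), ("offline", 10 ** 9)):
        days = seconds_to_exhaust(brute_force_guesses(pw), rate) / 86400
        print(f"{name}: {days:.3g} days to exhaust")
    # The 58-character town name is only "Llanfair" to an 8-character crypt.
    print(effective_password(WELSH_TOWN, 8), brute_force_guesses(WELSH_TOWN, 8))
```

The nine-character "4a20bbiap" lives in a 36^9 space; the town name, truncated to eight mixed-case letters, lives in a 52^8 space, which is smaller than the phrase-derived password despite the extra fifty characters the user was typing. The online/offline comparison in the demo is the point Bonomi makes further down the thread: throttling only helps when the attacker has to go through the login prompt.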

..........

Given that most (if not all) access systems above basic level only allow "N" attempts at a password before locking out an account, there must be a reasonable level of complexity that allows a relatively easy to use password to still be effective and practically invulnerable to any brute-force/dictionary attack?

Most password policies are just way over the top for systems that (usually) will not allow access after a few attempts - and that essentially discredits the whole security paradigm.

-- Regards, David.

David Clayton Melbourne, Victoria, Australia. Knowledge is a measure of how many answers you have, intelligence is a measure of how many questions you have.


I gather that with a reasonable policy like four tries separated by ten seconds, then wait 15 minutes until you can try again, four characters are plenty. The advice to have scrambled passwords is based on a model from ancient Unix systems where hostile people can look at the hashed passwords and do a batch offline attack.

As Cormac points out, if the threats are phishing and keyloggers, it doesn't matter whether your password is one character or a thousand.

R's, John

-- John Levine

On Mon, 19 Apr 2010 08:11:24 +1000, David Clayton wrote: .........

......... Whoops, forget that pre 2007 Windows Server systems had one account that could never be locked out and could sit there taking ongoing attempts: the Administrator account!

-- Regards, David.

David Clayton Melbourne, Victoria, Australia. Knowledge is a measure of how many answers you have, intelligence is a measure of how many questions you have.


It seems to me that you also have to have a long list of UserNames, or whatever the particular sites call them, because each site has its own rules for constructing usernames, and many of them are different from each other. Some of them are derived from internal sources, such as account numbers, that you cannot guess unless you have an external list. Some of them are random. One particular site has a username of 12 numerals, apparently random, and there is no way to derive them from internal or external sources.

-- Wes Leatherock

I use letters, numbers, upper and lower case on my passwords. One exception is using the Social Security web site; they require the use of numbers only. To me that can cause a security problem.

-- Steven

It's worse than that; here are the specific instructions from the SSA (since I just went through this last month and saved to PDF every page during the benefit application process):

" Choose a new 7 digit password. Use 7 numbers that are
" meaningful to you to help you remember.
"
" Helpful hints for choosing a password:
"
" * Use 7 numbers only.
" * Use a number that is meaningful to you so that you will
"   remember it.
"
" Do NOT choose a password containing:
"
" * part of your Social Security number;
" * a series of numbers that would be easy to guess:
"   1234567 or 7654321;
" * a series of the same numbers: 2222222 or 3333333; or
" * your temporary Password Request Code (PRC).
"
" Do NOT use a password others might associate with your:
"
" * telephone number,
" * birthday or your child's birthday,
" * license plate number, or
" * street address number or zip code.

that's it. Real secure, huh? :-)

-- Thad Floryan

[[.. snecky ..]]
[[.. snip ..]

Ah. ".....CommaSacremento".

-- Robert Bonomi

INCORRECT. The _encrypted_ password is often stored in a WORLD-READABLE location. Bad guys are known to copy out the list of encrypted passwords, and run their _own_ implementations of the encryption algorithm on their own hardware. No 'alarms' to the system administrator, no account lock-out, no slow-down after each bad guess, etc.

Systems that lock an _account_ out after a 'few' bad guesses are *really* vulnerable to DOS attacks. Hit every 'system' account with the 'required' number of bad guesses, and 'do something' to force a reboot, and *NOBODY* can get back into the system.

A better (FSVO 'better') way is to increasingly delay responses within a single 'session' (TCP or dial-up) as incorrect answers accumulate. Then when the 'limit' is reached, stop responding on that session -- *while* keeping the session open.

Unfortunately, when the bad guys have bot-nets with machine-counts in the 6 to 7 figure range, they can generate a _lot_ of sessions from a lot of different sources. In "information warfare", like any other form of war, the defenders are always on the 'backside of the curve', and playing catch-up. It just goes with the territory.

-- Robert Bonomi

That was true 20 years ago. It's not true now, even on the Unix systems where this problem originated.

Four tries in a row, then a 15 minute delay seems to work well to deter password guessing while avoiding user lockout.

R's, John

-- John Levine

On Mon, 19 Apr 2010 06:35:51 -0700, Wes Leatherock wrote: .........

Unless there is a published list of e-mail addresses somewhere, which in some cases match the login user names (or something close).

-- Regards, David.

David Clayton Melbourne, Victoria, Australia. Knowledge is a measure of how many answers you have, intelligence is a measure of how many questions you have.


That's it. I have talked to some of their IT people and they feel the same thing. I have locked myself out more than once and it requires me to start all over getting a new password. My wife's account locked itself and to this day no one knows why. It is the most user UNFRIENDLY site I have ever used. Medicare is much better.

I used the application for Social Security online and found it to be a pain as far as time, but made things much easier in getting it.

-- Steven
