The latest NIST (United States National Institute of Standards and Technology) guidelines on password policies recommend a minimum of 8 characters. Perhaps more interesting is what they recommend against. They recommend against allowing password hints, requiring the password to contain certain characters (like numeric digits or upper-case characters), using knowledge-based authentication (e.g., what is your mother's maiden name?), using SMS (Short Message Service) for two-factor authentication, or expiring passwords after some amount of time. They also provide recommendations on how password data should be stored.
[Ed. Note: Contrary to common practice, I would advocate reading the entire linked article so we can have an informed discussion on the many recommendations in the proposal. What has been your experience with password policies? Do the recommendations rectify problems you have seen? Is it reasonable to expect average users to follow the recommendations? What have they left out?]
(Score: 2, Funny) by Anonymous Coward on Friday August 19 2016, @07:46PM
Password policies don't matter if no one cares enough to guess your weak passwords. For this reason I recommend the following social policy.
(1) Don't talk to people.
(Score: 2) by krishnoid on Friday August 19 2016, @08:03PM
That's a little draconian -- it's fine if you keep it to talking to people you know and trust. [youtube.com]
(Score: 0) by Anonymous Coward on Friday August 19 2016, @08:12PM
People you know and trust are the most likely to betray you.
(Score: 2) by The Mighty Buzzard on Friday August 19 2016, @08:16PM
Well, yeah. If you don't know and trust them it's not possible for them to betray you, only to screw you over.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Saturday August 20 2016, @01:01AM
Rickrolled!
(Score: 2, Interesting) by Anonymous Coward on Friday August 19 2016, @07:59PM
Quantity is more important than quality. Anything over 16 characters is going to be practically secure for longer than it takes for the password db/authentication mechanism to be exploited and the plaintext retrieved/captured.
The only time the added security of mixed case and non-alphanumeric characters adds a benefit is when you happen upon one of those dumb sites that is still using 8-12 character strong passwords, and honestly most of them probably have remote exploits calling their password entry/authentication mechanism's security into question anyways. And if you can steal it from there, it doesn't matter *HOW* secure your password is.
But maybe I am silly for thinking that way.
(Score: 3, Funny) by SomeGuy on Friday August 19 2016, @08:14PM
Yes, very silly. You forget that the system needs to LOOK secure, even if it isn't (also see: TSA).
Incidentally, your new password is: ^7j\%_kt%{s/Pn#Zm.D6b+xU{;>?WRh},wyCNM',&,(2hfJsCsMW7$G_,wGw36bF7jg$8sa/#fd(.vPN7nJN+4:^,8.yrQCE\;Q6VT(Twn)hC+a].$HgQNVdr&3E\b&~ZPW}eC#HrFTy(;3Ltk}^WD#])^@WDH``mu~BrX;s+bc7Hx%}+/hW3aqh;k&^Xa#bUCPY.n;TSaGs$#:cgEq4]55!"K;}.fP!Hm2~F4m5}`:f%,*2S7&GHt:tJ=N_s2nc~=_S'-epge75bJCC(N2/B}!F>H(D_*RL@z6#E5s{)*D/;9tEs,X)hgp]Lhn?b#.F7Jm7?`y28#[5"7>:x4$p`,>;a(EKLq*4ezgY_Ef[EMcz5yeg^(tr"&U/p_;-,#gTJq>$_q=u!2jF&?]Ude*C9J`7;~G(9F~AzB2&(D=uG7\n_aERgf+5K;eR:Ax/zeHZfKF5jE[)D^VyD&tQ:(tzh[f`$XBdQ9z:.Yp)X+wMA_$a='^#Yc^8FUj=!]NntSeQG7chPa*>Nmkg?MjSg+k^=U3[ux\M36]kXPQxj&CjYdh]h{'5qMS]362H5^$K%&bD'3;KgP2@NfkS$KfL{=p`mJ]LEP4?y(d/&(H/jP]zH?g-:.^jxT8VAT!BacZf';X>DK/M$*4V3hYR!66j/K;$8`X~7}Cgya~~$ZTcKVFXt.7W($=GGf]Mxg*pQ,=fAJ/\YbQy-9)qDSNpja"N6rLjYsRVF=hrVk`jFRY/Vpj#UWfL4Ae4q_&QNnEc)W;F5A{jUTZ\]Q>k+a"p8t"TS=V34~nku!MVhnc5'qrJW%WKTD*V+bK,2dnP[fsESG#gN"3`+%}Ds]#tV`2C4Lm/McqS+Bxy>dgCVyq/xQh?T:$K{a>K\%DXYK'_$/c$!"WbMe[hRkWUFLv=N]HjJ!PY62*L);F7+3BqUPM
You must not forget it, and you are not allowed to write it down.
(Score: 1, Funny) by Anonymous Coward on Friday August 19 2016, @08:29PM
There was a time when I used to tell people to change their random password to something they could remember. They never did. Instead they blamed me when they couldn't remember their random password. I don't bother to tell people anything anymore.
(Score: 4, Funny) by Whoever on Saturday August 20 2016, @01:21AM
His password is Perl code?
(Score: 2, Insightful) by Anonymous Coward on Friday August 19 2016, @08:22PM
Quantity is more important than quality. Anything over 16 characters is going to be practically secure for longer than it takes for the password db/authentication mechanism to be exploited and the plaintext retrieved/captured.
The only time the added security of mixed case and non-alphanumeric characters adds a benefit is when you happen upon one of those dumb sites that is still using 8-12 character strong passwords, and honestly most of them probably have remote exploits calling their password entry/authentication mechanism's security into question anyways. And if you can steal it from there, it doesn't matter *HOW* secure your password is.
But maybe I am silly for thinking that way.
Unfortunately you are being a bit silly, or at least overly simplistic. Consider the following two systems.
1) A system which requires passwords exactly 16 characters long (huge quantity, as you described above). The system will only allow 0 and 1 as data input.
2) A system which requires passwords exactly 8 characters long. The system will allow all alphanumeric characters.
Assuming users were using the system correctly (so no passwords of "0000000000000000" or "password"), which is easier to crack?
The length, complexity, and everything else doesn't matter as much as password entropy. There is a lot of information theory behind this, but the simple example can be seen at XKCD [xkcd.com].
(Score: 0) by Anonymous Coward on Saturday August 20 2016, @02:55AM
honestly most of them probably have remote exploits calling their password entry/authentication mechanism's security into question anyways. And if you can steal it from there, it doesn't matter *HOW* secure your password is.
Which is why I don't bother with secure passwords for many online sites.
Why waste time creating and entering strong passwords when it's far more likely that such sites regularly get pwned. Just look at history. Car analogy: it's like paying to install stronger door locks on a soft top convertible when there's been a history of thieves not bothering with the doors to steal convertibles.
Don't use stupidly weak passwords which are guessable and don't use the same passwords for sites that count and that's enough. Which attacker is going to brute force your weak but hard to guess password over the network? It'll look like a DoS/DDoS attack! If they are brute forcing it locally then the password doesn't really matter already.
And even then, so what if your password on some forum is password12345? Someone can pretend to be you? It might make you even safer since you could plausibly say someone hacked your account and posted illegal stuff :). Whereas if your account is supposedly so secure with two factor auth etc and all that and one day it's used to posting child porn (due to some unknown flaw), they might not believe you when you say it wasn't you (even if it really wasn't you!).
There's also getting access via the "helpful" Support Team. Often you can take over someone's account by just calling support: http://imgur.com/WszA4Cw [imgur.com]
See also: https://www.youtube.com/watch?v=bjYhmX_OUQQ&feature=youtu.be&t=2m13s [youtube.com]
http://fusion.net/story/281543/real-future-episode-8-hack-attack/ [fusion.net]
(Score: 2) by tibman on Friday August 19 2016, @07:59PM
I've heard a few times now that SMS shouldn't be used for two-factor. But alternatives aren't discussed. An air-gapped dongle [amazon.com] sounds best but not very practical to have a whole keyring of two-factor dongles (because other companies might use different technologies). Anyone have any advice?
SN won't survive on lurkers alone. Write comments.
(Score: 4, Interesting) by The Mighty Buzzard on Friday August 19 2016, @08:12PM
For two-factor authentication? No. It's a foolish and annoying game that can very easily leave you locked out of something you badly need to get into right freaking now. Memorize a line containing 30+ characters from a favorite song, movie, book, Trump speech and use it as your password. You'll remember it longer than your current password and it's a hell of a lot more secure.
My rights don't end where your fear begins.
(Score: 2) by NotSanguine on Friday August 19 2016, @08:24PM
Memorize a line containing 30+ characters from a favorite song, movie, book, Trump speech and use it as your password. You'll remember it longer than your current password and it's a hell of a lot more secure.
Better yet, memorize a *slightly modified* version of the above. For example:
"It was twenty hours ago today, Sergeant Porpoise taught the band to play"
Easy to remember, and just about impossible for a dictionary attack to break.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by The Mighty Buzzard on Friday August 19 2016, @08:37PM
I'd agree but any system that allows for unlimited, non-throttled password attempts (necessary for a dictionary attack) probably stores your shat plaintext anyway. Us, we're uber secure. We salt AND rot-26 users' passwords before storing them.
My rights don't end where your fear begins.
(Score: 2) by NotSanguine on Friday August 19 2016, @08:40PM
Ginsberg's Theorem at work, eh? [wikipedia.org]
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by Gaaark on Friday August 19 2016, @08:48PM
I've gone with the XKCD method of picking 4 or more random words, then with each site i visit, i tack on an identifier.
My passwords are now at minimum 18ish characters. Add on the site identifier, and it explodes to another 8ish characters: so, usually a minimum of 26ish characters.
I should probably go with a completely random pass for websites and let my desktop 'password keeper' thing memorize it, but i'm not used to having my desktop properly backed up until the last couple years, so am not in the habit.
Now all i gotta do is have an externally sited desktop backup :(
If i change my password every once in a while, it is easy to remember and change: just have to remember what my site identifier is and where i put it, lol.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by hemocyanin on Friday August 19 2016, @09:06PM
Have you tried diceware? Similar system but truly random:
http://world.std.com/~reinhold/diceware.html [std.com]
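Added example (not from the linked Diceware page or from any commenter): the Diceware procedure in code, with the OS CSPRNG standing in for physical dice. The word table here is a constructed 36-entry, two-dice toy so the block runs offline; a real list has one entry for every five-dice roll (7776 keys, "11111" to "66666") in the same "roll<TAB>word" line format, which `parse_diceware` reads. The `randbelow` parameter is injectable only so the rolls can be fixed in a test; leave the default in real use.

```python
"""Diceware-style passphrase generation; dice replaced by secrets.randbelow."""
import secrets

# Constructed toy table: 36 words keyed by a two-dice roll "11".."66".
# A real Diceware list is the same idea with five dice (6**5 = 7776 keys).
_TOY_WORDS = (
    "acid", "bark", "cold", "dusk", "echo", "fern",
    "gale", "hawk", "iron", "jade", "kelp", "lime",
    "moss", "neon", "opal", "pine", "quiz", "rust",
    "sage", "tide", "urge", "vine", "wasp", "yarn",
    "zinc", "amber", "blaze", "crisp", "delta", "ember",
    "frost", "glide", "hinge", "ivory", "jolly", "kiosk",
)
TOY_TABLE = {f"{i // 6 + 1}{i % 6 + 1}": w for i, w in enumerate(_TOY_WORDS)}


def parse_diceware(text):
    """Parse "roll<TAB>word" lines (the format real Diceware lists use) into a dict.

    Blank lines and '#' comments are skipped; a key with a non-die digit is an error.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        roll, word = line.split(None, 1)   # first whitespace run separates key from word
        if not roll or set(roll) - set("123456"):
            raise ValueError(f"bad roll key: {roll!r}")
        table[roll] = word
    return table


def roll_dice(count, randbelow=secrets.randbelow):
    """Return `count` die faces as a string such as "34", one CSPRNG draw per die."""
    return "".join(str(randbelow(6) + 1) for _ in range(count))


def passphrase(table, words=6, randbelow=secrets.randbelow):
    """Pick `words` entries by rolling dice and looking each roll up in `table`."""
    dice_per_word = len(next(iter(table)))          # 2 for the toy table, 5 for a real list
    if len(table) != 6 ** dice_per_word:
        # An incomplete list would make some rolls unanswerable and bias the rest.
        raise ValueError("table must contain exactly one word per possible roll")
    return " ".join(table[roll_dice(dice_per_word, randbelow)] for _ in range(words))


if __name__ == "__main__":
    print(passphrase(TOY_TABLE))
```

Each word drawn this way contributes log2(table size) bits: about 5.2 bits per word for the toy table, about 12.9 for a full 7776-word list. Words a person picks because they "fit into the brain easily" are drawn from a much smaller and far from uniform distribution, which is the whole difference between this and Gaaark's method.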
(Score: 2) by Gaaark on Saturday August 20 2016, @12:52AM
I just choose 4-5ish words that have no connection with each other, but that seem to be easy for me to remember.
If i had to rely on dice/random, i might not be able to remember it (i'd probably have a better chance of remembering the dice roll result, lol... numbers seem to be no problem for me: combination locks/door pin numbers/debit card numbers... it all just stays in the head for some reason).
I just choose a bunch of words and find the ones that fit into my brain easily, i guess.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by art guerrilla on Friday August 19 2016, @11:44PM
not sure to admit to this:
but for 'non-secure', optional sites, i use a system of prefix(website)suffix...
where the prefix and suffix are the same for all the sites, and the site name (or nickname, or abbrev, etc) is the distinguishing feature...
um, i don't think i should give any examples...
(Score: 2) by Gaaark on Saturday August 20 2016, @12:48AM
EXAMPLE:
biggusdickusmontypython.comclipclop
Is this what you mean? :)
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 1, Funny) by Anonymous Coward on Saturday August 20 2016, @01:22AM
I've gone with the XKCD method too. I use correct horse battery staple everywhere.
(Score: 2) by tibman on Friday August 19 2016, @08:55PM
Really looking for advice on a better two-factor. I'm already convinced it's a good thing. Currently use it on nearly everything (that has it) and have never been locked out. Also, you can do a 30+ character password and two-factor. You don't have to choose.
It isn't used for every login (typically). It's used for the first login from an unrecognized device or to do something drastic like change your email address. The idea being that a password (hash) resides on the server which can be stolen en mass. The two-factor is something the user has that cannot be stolen during a server breach. SMS is especially nice, imo, because you get a text when someone unauthorized attempts to login to one of your accounts with your correct password. A very scary event. An air-gapped dongle can't do that. You would never know that one of your passwords has been somehow stolen.
SN won't survive on lurkers alone. Write comments.
(Score: 1, Informative) by Anonymous Coward on Friday August 19 2016, @11:41PM
OATH (which is different from OAuth) has a few algorithms that they created: TOTP and HOTP are useful for 2FA, and OCRA can help prevent certain problems with its challenge-response structure.
SMS is a terrible idea for 2FA according to most experts, even when it was proposed, but caught on anyway as it is a good technique to make users give you their phone numbers. In the world of tracking people, the phone number is the most valuable, especially now with everyone having cell phones.
(Score: 4, Interesting) by edIII on Friday August 19 2016, @08:33PM
Well, yeah, but what if you hate the users? ;)
Just load up some Rainbow tables and make sure a password doesn't exist within it, or at least warn the user that the password is in the 'well known' list.
Fuck that. If you don't the keyspace becomes reallllly fucking small really fucking fast. You'd figure NIST would understand something about permutations and the average office worker that will tape their password on the monitors...
At a minimum it needs to be a combination of both letters and characters, ONE of them being capitalized. Doesn't matter where. That together represents a keyspace of 62^8 versus 26^8.
The best password is at least 4 words, or 2 phrases, with numbers surrounding them:
RockyMountain2287234OysterSquirrel. - Easier
Costlier343Bluegrass997PredonatingPlonk2227373. - Harder
The numbers can be in the form of 7 digits, which is easier to remember like a phone number. I've sometimes used phone numbers that were disconnected, but popular. Like this pizza place back in the 80's I loved. You can even begin and end it with 3 number sequences, or better, randomly dispersed between the words or phrases.
You would think they're harder to remember, but they are much easier to remember than 8 random characters over 80+ possible characters in some cases. I've forgotten passwords that I was able to recreate just by trying combinations of it, so it has some memory error recovery built in.
It's all about permutations and probability so I can't understand why NIST is asking to deliberately weaken keyspace....
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by Snow on Friday August 19 2016, @09:28PM
I have a handful of passwords but most logins use the same insecure password. Do I care if my soylent login gets hacked? Not really, so insecure password it is. I have a work password that meets work requirements and has a number tacked on the end so when it expires, I increment the number.
Finally I have my 'super-secure' password, which is a derivative of my deceased dog's ear tattoo number. It seemed like a good idea, because if I ever forgot it, I could just call her over and take a peek.
Anyways, my password strategy is complete shit, but convenient, and I like it that way.
As a side note, one of my email accounts was compromised. My ISP locked the account and I had to call them to unlock it. They made me choose a long password. I have no idea what it is. I had to change it to log in when I changed my mobile device. That was less than a week ago, and I tried to log in today, and I have no idea what the password is anymore - super annoying.
(Score: 2) by Dr Spin on Saturday August 20 2016, @08:56AM
That is why you put it on a post-it note on the monitor!
Warning: Opening your mouth may invalidate your brain!
(Score: 2) by theluggage on Friday August 19 2016, @09:35PM
Costlier343Bluegrass997PredonatingPlonk2227373
From TFA: "Your password must contain one lowercase letter, one uppercase letter, one number, four symbols but not &%#@_, and the surname of at least one astronaut.”
Ok, they're engaging in a little comic exaggeration, but I've encountered plenty of services that wouldn't accept your password suggestions unless you scattered a few "!" and "$" symbols in there (making it harder to remember for you for relatively little security gain).
It's all about permutations and probability so I can't understand why NIST is asking to deliberately weaken keyspace....
No, it's about user friendliness as well, and, taken together, the overall thrust of the rules is trying to make passwords easier to remember and encourage the use of longer phrases that users don't need to write down. The only effect of composition rules is to make people use well-known letter-symbol substitutions. "SwordfishTastesBetterWithPeanutButter" is surely an improvement over "Sw0rdF!s#" even if it's not up to your standards...
My objection is that this is all well and good but I still can't invent and remember 100 strong passwords (especially as my dear employer insists on changes every 90 days). Can't we find a better way? I'm basically reliant on a password manager to generate and fill in passwords anyway so why can't I just exchange public keys and have my computer do challenge/response?
(Score: 2) by edIII on Friday August 19 2016, @10:51PM
It probably isn't. What's difficult to see is that the phrases are actually a reduction in keyspace. The latter is 9 characters expressed across a possible minimum of 72 characters, perhaps even up to 94. Yours is 38 characters expressed across 52 possible characters. Superficially, those 38 characters are stronger. Another way to look at it though, is that is just 6 words with consistent capitalization. So the permutations are not really a whopping 38^52, but the number of possible words raised to the 6th power.
A quick search [quora.com] for the number of words an average English speaker knows revealed that at age 12 it was only around 12,000 words. A college graduate may understand 23,000, and the average Millennial American now may know as many as 1,000 I think, and can spell half of them....
30,000 raised to the 6th power is actually less than your difficult 9 character password by about 60 orders of magnitude. You want those words to not only be random, but to be gibberish in a sentence. Your phrase is actually correct. The interspersing of a few number sequences raises the permutations quite significantly, while not making it all that much more difficult. We can remember 7 digit numbers fairly easily, and do so all the time.
It's not about up to my standards at all. MATH. That's it. The only standard. Higher permutations and lower probabilities are always better, so my standard is whatever will ultimately increase keyspace, in the most user friendly manner I can find.
Hehe. That's pretty much what 90% of us here do I bet. Challenge is that it's a bit more sophisticated, and not as easy to maintain when you're not a power user. I do agree though, it would be kickass if the browsers would start supporting SSH key management. You hit a secure website and *your* system pops up the request for the passphrase, decrypts your key, and then securely presents it to the remote site. That's a lot of work that I doubt will ever happen though. At the moment I suspect most of us use the challenge/response with SSH to establish encrypted tunnels that have access to administrative systems, those not even being accessible from the Internet at all. Which is fairly critical in a lot of cases, and that last use case saved my butt. The web management was hacked for a popular piece of equipment and many people were being owned, unless you had web management blocked with IP tables and only allowed tunnel'd SSH sessions to access it.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by fnj on Saturday August 20 2016, @12:04AM
Oopsie. Doesn't compute. 30,000 raised to the 6th power is 2.43E+22. 96 raised to the 9th power is 5.73E+19. Sorry, but 6 words picked randomly from a set of 30,000 represents MORE entropy than 9 characters picked randomly from a set of 96. Isn't math wonderful? And astonishing?
You need to revisit the concept of orders of magnitude. 60 orders of magnitude spans the range from 1 to 1E+60. It is an almost unimaginably vast range. The number of atoms in the UNIVERSE is only estimated to be about 1E78 to 1E82.
(Score: 0) by Anonymous Coward on Saturday August 20 2016, @01:00AM
Not to mention that if you apply similar reduction to the complexity of Sw0rdF!s#, it is just one of maybe 30,000 words plus nine opportunities at maybe a half dozen variations (that is really being overly generous). With those assumptions, its entropy is only about 1.2E12, or forty bits.
(Score: 2) by edIII on Saturday August 20 2016, @01:11AM
Funny thing is, I used a calculator. Still should have sanity checked the value, but I was writing the post while also sysadmin'n ;) Please be gentle...
Thank you very much for checking the math. I certainly fat fingered the 96 ^ 9 for sure. I saw an exponent of 72 instead of 17. Go figure.
Can you check that again? :D
I got 7.29 * 10 ^ 26 [duckduckgo.com].
I think it's contagious. You're welcome.....
P.S - Also interesting to note that an average person with 15,000 word vocabulary is only about 1 order of magnitude less than Shakespeare. I keep feeling that there really is a loss of keyspace because words literally do reduce the keyspace away from just random letters. That's why I feel adding the numbers in there and shifting the words in between them significantly increases keyspace.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by theluggage on Saturday August 20 2016, @12:16PM
The latter is 9 characters expressed across a possible minimum of 72 characters, perhaps even up to 94. Yours is 38 characters expressed across 52 possible characters.
Trouble is, even if your math is correct (and a couple of people above have challenged it) you're basing it on false assumptions about the world - in particular that the password is randomly chosen and that the cracker will resort to a dumb "infinite monkey" technique to guess it. The "keyspace" of words that users are likely to pick is far, far smaller than the number of possible permutations.
"Sw0rdF!s#" isn't "9 characters expressed across a possible minimum of 72 characters" - it's a commonly used password [wikipedia.org] that will be on many lists of "bad passwords" with a couple of predictable "readable" letter-symbol substitutions thrown in (CamelCase, O=0, i=! etc) - which is precisely what you are going to get if you simply force people to use "At least 1 upper case character, 1 symbol and 1 number".
Any self respecting "rainbow table" or other cracking tool will surely include some of these common permutations. Also, you somewhat assume that the cracker is trying to crack one specific password: more likely, they've got 100,000 password hashes from somewhere and they'll be happy if 10 of them turn out to be "$3cr3t" or "Pa55w0rd". Or that they know your Facegoog password is "Sw0rdF1sh" and are trying to guess which minor variation is your Twitbook password. Any system that lets hackers brute-force passwords by making repeated login attempts has more urgent problems than its password policy.
You hit a secure website and *your* system pops up the request for the passphrase, decrypts your key, and then securely presents it to the remote site. That's a lot of work that I doubt will ever happen though.
Yet every half-decent terminal emulator or file-transfer utility supports it for SSH.... and HTTPS effectively does the reverse to authenticate the site. All the crypto code needed is out there, it just needs the protocol and UI.
(Score: 2) by DECbot on Friday August 19 2016, @09:39PM
GreatSong(Tommy867-5309Tutone)
I see the allure.
cats~$ sudo chown -R us /home/base
(Score: 5, Informative) by http on Friday August 19 2016, @09:42PM
I can't tell if you're trolling or if you're actually not understanding the math: exponentiation trumps multiplication every time.
26 ^ 8 = 208827064576
62 ^ 8 = 218340105584896
...but...
26 ^ 12 = 95428956661682176
Adding 50% to the length of the password (not even doubling the length) gets you a keyspace three orders of magnitude greater than nearly tripling the alphabet size. The best password is a unique phrase that you can reliably reproduce.
I browse at -1 when I have mod points. It's unsettling.
(Score: 1, Insightful) by Anonymous Coward on Friday August 19 2016, @10:00PM
^^^This! And if the site has a policy where you have to change your password frequently, you will NEVER be able to come up with a secure password that you can remember. Thus, you will rely on the password recovery mechanism with its attendant weaker security. FAIL! Let people come up with a good password and keep it. If your system is compromised, the attackers will have walked off with your data before the password change policy kicks in anyway! Security theater, I tell you.
(Score: 2) by edIII on Friday August 19 2016, @11:12PM
I honestly don't understand the point you're trying to make. Yes, exponents result in MUCH larger numbers than simple multiplication.... but that's because it's multiplication over and over again. I'm sure you know that :)
However, what is the exponent again? The exponent is the number of selections you're making (password length) and the base is the total number of possibilities for that selection. At least when you want permutations of something.
My point remains. Keyspace is exponential of course, but one of them is larger than the other. You failed to note that:
That's quite a bit bigger than 218340105584896 (26 ^12). Which seems like we have a game of leap frog going on, and I'm gonna win with every character added :)
Only for the user. Security is evaluated quite impartially by simply looking at keyspace, probabilities, etc.
Not unless that base is quite large, and exponent isn't small, will you see the keyspace expand to over 70 orders of magnitude (minimum for me, although I feel a lot more comfortable at 100). You still need at least 8 characters before exponents start "creating walls" that make brute force not a viable activity. Using just characters that base is only 26. Capitals gives us 52. Adding in numbers gives us 62. Allowing a short range of symbols can give us upwards of 90. That makes a big difference.
Exponents also don't mean much when you take a closer look at the keyspace. Don't be fooled into thinking your phrases protect you, when they actually reduce keyspace. Any time you can infer a pattern, you're reducing keyspace. Squirrel seems like a good 8 characters, but it is in fact only ONE well known word. It's a single record in a Rainbow table, and doesn't represent the keyspace implied by 8 random characters. Likewise, 5 well known words do not represent 25+ selections against the alphabet. They represent 5 selections against the dictionary of words we know.
You need to work a little hard to increase keyspace, and reduce keyspace weaknesses by randomizing it a bit further. The adding of numbers or symbols dramatically increases keyspace, while not making it all that much harder to remember.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 3, Insightful) by stormwyrm on Saturday August 20 2016, @03:00PM
Numquam ponenda est pluralitas sine necessitate.
(Score: 0) by Anonymous Coward on Friday August 19 2016, @11:19PM
I use a hashing algorithm that I can perform in my head with a printed table to generate my password for each site. When the algorithm generates something that clashes with a site's fancy composition rules, I default to one of a couple memorized passwords depending on the importance of the site.
Without a password manager or a scheme like mine it's impossible to remember hundreds of unique passwords. By using fancy composition rules, you make it more difficult to remember the password and thus more likely for the user to just give up and use an old one.
(Score: 2) by stormwyrm on Friday August 19 2016, @11:41PM
Then your users will hate you right back, and they will undermine your security policy every chance they get, and do dangerous things like write their passwords down and put them in insecure locations, because they can't freaking remember them with all the asinine restrictions you try to impose. You need to compromise with the limitations of human memory and cognition and make it work for you instead of against you. This is why XKCD 936 [xkcd.com] is a reasonably sound recommendation, only I'd use more words instead of just four.
Numquam ponenda est pluralitas sine necessitate.
(Score: 3, Interesting) by hendrikboom on Friday August 19 2016, @09:31PM
Is there any hope for people with mobility disorders, such as Parkinson's, who cannot type correctly? Or, for that matter, people whose laptops have bouncy keys?
These people need to be able to *see* the passwords they are typing.
-- hendrik
(Score: 0) by Anonymous Coward on Sunday August 21 2016, @12:09AM
There are other input devices than keyboards. Also, I usually turn on "bounce keys" at its lowest level on any computer due to shitty keyboards.
(Score: 2) by urza9814 on Monday August 22 2016, @10:18PM
Some places have been making passwords visible *by default* lately. Those morons over at Amazon.com are one such example, although I think that only occurs on certain devices so far.
(Score: 5, Touché) by MichaelDavidCrawford on Friday August 19 2016, @09:55PM
If I need to join a site that requires a strong password, I enter some random gibberish that I'll never ever remember, then request a password reset every last time I log in.
That cannot possibly be secure.
Yes I Have No Bananas. [gofundme.com]
(Score: 3, Funny) by Scruffy Beard 2 on Saturday August 20 2016, @05:44AM
Been there, done that.
Often, the reset password is not truly random. So if you reset your password, but don't change it, you may suddenly be using a common password.
(Score: 2) by vux984 on Tuesday August 23 2016, @10:30PM
I deal with a client site like that. Most irritating part is that it's a site I only need to use once every 3-4 months, but they make users reset their passwords every 30 days, and they auto deactivate the account after 60 days requiring me to jump through some more hoops to reactivate.
So I have to phone them, have them reactivate the account, and then reset the password, pretty much every time I need to log in.
(Score: 2) by stormwyrm on Friday August 19 2016, @11:32PM
Let's see. So if you had an alphanumeric, case-sensitive 8-character password, each letter could have 60 possibilities for it, roughly 5.9 bits of entropy. At 8 characters, that would be 1.6×10^14 possible passwords (47.25 bits of entropy). Now, if you restricted one of the characters to being a digit, that would be seven characters (41.3 bits of entropy) plus a numeric character (10 possibilities, 3.3 bits of entropy) at the end (because this is what most people will do if not restricted otherwise), that leaves us with 44.67 bits of entropy, or 2.8×10^13 possible passwords. Forcing the restriction has cut the space by about an order of magnitude.
However, if you could enforce random positioning of the digit somehow, e.g. by making the password checker move the digit to a random position, that would again be seven characters (41.3 bits) plus a numeric character (3.3 bits) plus eight positions (3 bits) for a total of 47.3 bits of entropy, slightly increasing the strength of the password. But no one is going to do that, and the digit will most likely be in a predictable position.
Forcing people to use upper-case characters in addition to numbers will also weaken the password even more. Again, when faced with this restriction, people will tend to put the capital letter at the beginning and the digit at the end, so for an 8-character password that would be six characters (35.4 bits), plus one capital letter (4.7 bits), plus one digit (3.3 bits) for a total entropy of 43.4 bits, 1.2×1013 total possibilities.
Numquam ponenda est pluralitas sine necessitate.
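The keyspace arithmetic in the comment above, carried through as an added example (not code from the thread). It generalises the poster's model: a password is a sequence of slots, each drawn from its own alphabet, times the number of equally likely arrangements. The alphabet sizes (60 for the poster's case-sensitive alphanumeric set, 26 upper-case, 10 digits) are taken from the comment; the scenario names are my own.

```python
import math

# Alphabet sizes as used in the comment above (60 is the poster's figure,
# not the usual 62 for [A-Za-z0-9]).
LETTERS = 60
UPPER = 26
DIGITS = 10


def slot_entropy_bits(alphabet_sizes, position_choices=1):
    """Entropy in bits of a password whose i-th slot is chosen uniformly
    from an alphabet of alphabet_sizes[i] symbols, where the slots can be
    arranged in position_choices equally likely ways (1 = fixed layout)."""
    bits = sum(math.log2(n) for n in alphabet_sizes)
    return bits + math.log2(position_choices)


def keyspace(bits):
    """Number of distinct passwords for a given entropy in bits."""
    return 2 ** bits


def reduction_factor(bits_before, bits_after):
    """How many times smaller the keyspace became (rounded to an integer)."""
    return round(keyspace(bits_before) / keyspace(bits_after))


# The scenarios the comment walks through. The 'predictable' layouts model
# what users actually do when a composition rule is imposed.
SCENARIOS = {
    "8 unrestricted": ([LETTERS] * 8, 1),
    "7 letters + digit at end": ([LETTERS] * 7 + [DIGITS], 1),
    "7 letters + digit, random position": ([LETTERS] * 7 + [DIGITS], 8),
    "capital first + 6 letters + digit last": ([UPPER] + [LETTERS] * 6 + [DIGITS], 1),
}


def compare():
    """Entropy (bits, 2 decimals) for every scenario."""
    return {name: round(slot_entropy_bits(alpha, pos), 2)
            for name, (alpha, pos) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:40s} {bits:6.2f} bits  ~{keyspace(bits):.1e} passwords")
    base = slot_entropy_bits([LETTERS] * 8)
    forced = slot_entropy_bits([LETTERS] * 7 + [DIGITS])
    print("digit-at-end rule shrinks the keyspace by", reduction_factor(base, forced), "x")
```

The reduction factor for the digit-at-end rule comes out as exactly 60/10 = 6: the rule replaces one 60-way slot with a 10-way slot in a position the attacker can predict, which is the whole point of the comment and of the NIST advice against composition rules.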
(Score: 2) by stormwyrm on Saturday August 20 2016, @12:33AM
Numquam ponenda est pluralitas sine necessitate.
(Score: 0) by Anonymous Coward on Saturday August 20 2016, @12:58AM
Dictionary attacks are the least security threat. You are better off putting your security in better encryption, least access between subsystems, and tightening the configuration of exterior facing servers.
The way to mitigate brute force attacks is to rate limit failed password retries and possibly lock the account after a maximum number of failures within a certain time frame.
(Score: 0) by Anonymous Coward on Saturday August 20 2016, @01:39AM
(Score: 0) by Anonymous Coward on Saturday August 20 2016, @02:26AM
If the hackers have stolen all the password hashes, odds are they already have greater access than your puny password would allow them (already have credit card numbers, SSNs, etc.).
Get the database system user account, and you needn't mess around with individual user accounts.
(Score: 2) by Common Joe on Saturday August 20 2016, @06:13AM
Bzzzt. Wrong. Stealing hashed passwords is a semi-regular occurrence and when used with rainbow tables, it turns out to be surprisingly effective. (Which I don't understand because salt.)
The best defense is a layered strategy which includes protecting against dictionary attacks and your other suggestions.
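The "because salt" point in the comment above, shown as an added example (not code from the thread): an unsalted hash maps the same password to the same digest everywhere, so a precomputed table built once answers every leaked database; a per-user random salt plus an iterated KDF gives a different digest for the same password each time, so the table is useless and each hash must be attacked on its own. The iteration count and the tiny "common passwords" list are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000        # assumed work factor; tune to the deployment's hardware
COMMON = ["123456", "password", "qwerty"]   # constructed sample list


def hash_password_unsalted(password):
    """The scheme precomputed tables target: same password -> same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256), stored as salt$iters$digest."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${ITERATIONS}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_lookup_table():
    """digest -> password for the common list; stands in for a precomputed table."""
    return {hash_password_unsalted(p): p for p in COMMON}


def table_lookup(digest_hex, table):
    """Return the password if the digest is in the table, else None."""
    return table.get(digest_hex)


def digest_part(stored):
    """The digest field of a salted record, i.e. what a table would be keyed on."""
    return stored.split("$")[2]


if __name__ == "__main__":
    table = build_lookup_table()
    leaked_unsalted = hash_password_unsalted("password")
    print("unsalted lookup:", table_lookup(leaked_unsalted, table))
    rec_a, rec_b = hash_password("password"), hash_password("password")
    print("salted records differ:", digest_part(rec_a) != digest_part(rec_b))
    print("salted lookup:", table_lookup(digest_part(rec_a), table))
```

The salt is not secret; it only has to be unique per record so that one precomputation cannot be reused. The iteration count is what slows down the per-hash guessing that remains once tables are off the table.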
(Score: 2) by curunir_wolf on Saturday August 20 2016, @01:16AM
I am a crackpot
(Score: 0) by Anonymous Coward on Saturday August 20 2016, @02:21AM
Yeah, the passwords are static.
2 factor is good but mostly also static.
Static 2 factor works over mobile sms and also over a second password protected account, for example email.
One way would be to use GPS time plus a personal "fudge factor".
Since everyone under the waves of the GPS satellite sees the same time, one only needs a password and for the 2nd factor, the personal fudge factor, which is a time of maybe hours (24:xx), minutes (59:yy) and seconds (59:zz).
So to login you get to enter your password plus the GPS time plus (or minus) your fudge factor (challenge) xxyyzz?
For even more security, after successful login, renegotiate new fudge factor?
Requirement is access of sender and receiver to GPS time
(Score: 2) by Scruffy Beard 2 on Saturday August 20 2016, @05:46AM
umm, GPS time is not secret; at least on human time-scales.
(Score: 0) by Anonymous Coward on Saturday August 20 2016, @01:21PM
yes, GPS time is not secret. it is even predictably changing.
however, numbers are no secret. also letters are no secret.
for your regular passwords paradigm to work, one has to agree on a set of symbols, like {1,2,3..} and/or {A,a,B,b,C,c,...}.
so it is the combo of these symbols (characters) that's the secret.
this GPS time thingy suggested isn't a password replacement but rather a simple version on how to do 2 factor authentication, instead of using SMS or another email address?
example:
the GPS time is running on server. the GPS time is running on client.
on first setup (preferably via prime numbers public-private key) after regular password, setup 2 factor by negotiating a "fudge factor". this is a number that can be added or deducted from GPS-time that is known to both server and client.
so on next login, via password also let client check GPS time, deduct/add "fudge factor" and send to server (+- transmit time of communication). server compares to its own GPS-time and the "fudge factor" and sees if it fits.
on logout renegotiate new "fudge factor".
possible sequences are small with, say days (0...364), hours (0...23), minutes (0...59), seconds (first half and second half = 2, because of transmit lag) and add or subtract (2) = 364 x 23 x 59 x 2 x 2 = 1'975'792 (?)
normal 2 factor challenge is for 4 places with 26 big and 26 small alphabet letters = 731'616 possibilities?
(Score: 2) by Justin Case on Saturday August 20 2016, @05:58PM
Yes, but under the best practice of "something you know" + "something you have", it proves you have a GPS!
(Score: 2) by Scruffy Beard 2 on Saturday August 20 2016, @06:28PM
No, it doesn't. You can derive GPS time within about 300ms using NTP.