Your password is not complex enough



  • Password Reset

     I recently realised that because I had to meet this stupid set of
    requirements on an account that I only type the password for every 3
    months (when it's password change time again) I have absolutely no idea
    at all what my password is.

    I wonder how many post-it notes there are around the office with people writing down passwords they have no hope of remembering.



  • @chiselwright said:

    Password Reset

     I recently realised that because I had to meet this stupid set of
    requirements on an account that I only type the password for every 3
    months (when it's password change time again) I have absolutely no idea
    at all what my password is.

    I wonder how many post-it notes there are around the office with people writing down passwords they have no hope of remembering.

    Take the day when it's password change time (eg: November20) and use that as password, you could even write it down, nobody will know what it is.



  • Take a word you can remember, and write it in l33t sp3@k.

    Not the most secure password, but okay for non major systems. 



  • I work for the US Military and passwords are just as horrendous here.  To log on as a system administrator the password is twice as complex as a normal user password.  I beleive the requirement is for minimum length of 16 characters along with all the other hoopla.  I wonder what rocket scientist decided that a 16 character password, that most likely EVERY administrator writes down somewhere, is more secure than an 8 character password you can actually remember.  Were any tests done to determine what is the longest string of characters that the average person can accurately remember for an extended length of time?  At one point I memorized PI to 20 + digits, but today I can only remember it as 3.141592565 = 10 digits.  Hmmm, maybe our security people are actually working for the other side...



  • @chiselwright said:

    (picture)
     

    We have similar password requirements here. Change every month, can't reuse one from the past two years, must be x characters long and must include 3 of the 4 groups listed.

    Of course, most people's passwords are either l33t-sp34k or have a number tagged on the end, and have a capital letter as the first character. That's not really a whole lot more secure. At least (after l33ting) push shift somewhere in the middle of the password to get a letter and number changed to uppercase and symbol. Eg, w0nd£Rfull (# instead of £ on a US keyboard I think). That way it's fairly easy to remember, but not easily crackable.

    My old, randomly generated Uni linux password was "knv00Asw". I tried to change it to a variation of my then-usual password, but the password program would always stop responding when I tried it. This was confirmed by IT, and I never did find out why it didn't like that password. In the end I stuck with the random one, by then I'd memorised it and it was pretty damn secure.



  • I think we had one that had to have 4 of those 4.  It only had to be changed every 90 days, so I just did !Testing1 !Testing2 !Testing3 etc.  Then it was the same base pw, and the number at the end kept changing 



  • I just use the same one, but append month and year at the end.  It's still secure enough.


     



  • Our company has a very similar policy. Passphrases are handy for things like this. Something as simple as "Obama 2008" meets the length requirement, contains uppercase, lowercase, numbers, and a special character (the space) AND expresses your political views all in one neat package. Plus there's enough candidates to let you change passwords every month from now till the election! :P



  • @morgano said:

    I work for the US Military and passwords are just as horrendous here.  To log on as a system administrator the password is twice as complex as a normal user password.  I beleive the requirement is for minimum length of 16 characters along with all the other hoopla.  I wonder what rocket scientist decided that a 16 character password, that most likely EVERY administrator writes down somewhere, is more secure than an 8 character password you can actually remember.  Were any tests done to determine what is the longest string of characters that the average person can accurately remember for an extended length of time?  At one point I memorized PI to 20 + digits, but today I can only remember it as 3.141592565 = 10 digits.  Hmmm, maybe our security people are actually working for the other side...

     

    Ah yes! Military overkill! I remember it well.







  • That looks like the standard Active Directory notification.  The WTF here though isn't ActiveDirectory.  AD allows the administrators to set the policy however they want, and then merely enforces the chosen policy.  A friendly message (perhaps with examples) would be nice, but not really necessary.  So go blame your admins :)



  • And then you finally come up with a good one, and then you need to pass the database admin password to a supplier (don't even start on the implications of that), and before you know it you're desperately hoping that they won't notice how you came up with:

     Am4nd45t1t5

    (I changed the first name, but this is the DB admin password a customer gave us to use).
     



  • @chiselwright said:

     I recently realised that because I had to meet this stupid set of
    requirements on an account that I only type the password for every 3
    months (when it's password change time again) I have absolutely no idea
    at all what my password is.

    I wonder how many post-it notes there are around the office with people writing down passwords they have no hope of remembering.


    Reminds me of when I gave SSH access to a friend, I decided to be a prick and give him this password:

    This!sMyLefty'sC@tch3r'sM!t

    I told him to pick his own password after he logged in through. He had the chance to copy paste too.



  • That is exactly why I have my passwords written down and hung up in plain sight next to my machine...  I have a number of them and they all have various requirements and they change all of the time...  I'm convinced that they want me to write them down.


  • Discourse touched me in a no-no place

    @XIU said:

    @chiselwright said:

    Password Reset

     I recently realised that because I had to meet this stupid set of requirements on an account that I only type the password for every 3 months (when it's password change time again) I have absolutely no idea at all what my password is.

    I wonder how many post-it notes there are around the office with people writing down passwords they have no hope of remembering.

    Take the day when it's password change time (eg: November20) and use that as password, you could even write it down, nobody will know what it is.

    Would fail if your account/real name was November (or possibly more realistically April, or June.)



  • @Change Password said:

    Please select another password that meets all of the following criteria: [...] must not have been changed within the last 1 days

    What the frak do they mean by this? I need to select a new password that hasn't been changed recently?



  • @Zecc said:

    What the frak do they mean by this? I need to select a new password that hasn't been changed recently?

    No, it means you can't change your password every day.  You must wait at least one day between changing your password.

    Though I think I've noticed a bug in the code that checks the password you provide.  Where I work we have a Windows domain with the same password requirements as given above, so first I used password A, then password B.  For the last 14 days of the password period I was warned I'd need to change my password soon; I tried once changing it back to password A, and I got the "can't use a previously used password" warning, so I didn't change my password.  A day arrived at which the system forced me to change my password - so I tried password A again and it worked.  I've been using password A again for nearly a month now, and it's about time that it'll force me to change it again - so I'm going to try password B again.  If it works, then we'll know that the force-you-to-change section of code (as opposed to the give-you-the-option-of-changing section of code) doesn't check your password against the previously used password list.  I'll let you all know when I find out for sure :)



  • This reminds me of a userfriendly strip, but I can't find it because UF's search is a huge wtf.



  • @Mal1024 said:

    This reminds me of a userfriendly strip, but I can't find it because UF's search is a huge wtf.

    http://ars.userfriendly.org/cartoons/?id=20071002 ?

    Second item for google user friendly password



  • For stuff like this, I use keyboard patterns.  Start at a position on the keyboard and type a pattern, alternating with SHIFT occasionally.  When you need to change to a new password, simply start at a new position on the keyboard, but use the same pattern and SHIFTing.  As long as you remember the pattern, you can securely put the starting character on a sticky note on the monitor.

    I haven't had to remember a corporate password in years. 

    Not perfect of course, especially when you sit down at the localization machine for Japanese and realize that some of the keys are in different locations... 



  • For such ultra-high complex passwords i usally take the first char from each word of a whole sentence.

    So: "WorseThanFailure is one of the best 20 websites i know!" gets to: "WTFiootb20wik!"



  • @morgano said:

    I work for the US Military and passwords are just as horrendous here.  To log on as a system administrator the password is twice as complex as a normal user password.  I beleive the requirement is for minimum length of 16 characters along with all the other hoopla.  I wonder what rocket scientist decided that a 16 character password, that most likely EVERY administrator writes down somewhere, is more secure than an 8 character password you can actually remember.  Were any tests done to determine what is the longest string of characters that the average person can accurately remember for an extended length of time?  At one point I memorized PI to 20 + digits, but today I can only remember it as 3.141592565 = 10 digits.  Hmmm, maybe our security people are actually working for the other side...

    Don't use a password. Use a Pass Phrase: "England 5- Germany 1". Sorted



  • @deworde said:

    @morgano said:

    I work for the US Military and passwords are just as horrendous here.  To log on as a system administrator the password is twice as complex as a normal user password.  I beleive the requirement is for minimum length of 16 characters along with all the other hoopla.  I wonder what rocket scientist decided that a 16 character password, that most likely EVERY administrator writes down somewhere, is more secure than an 8 character password you can actually remember.  Were any tests done to determine what is the longest string of characters that the average person can accurately remember for an extended length of time?  At one point I memorized PI to 20 + digits, but today I can only remember it as 3.141592565 = 10 digits.  Hmmm, maybe our security people are actually working for the other side...

    Don't use a password. Use a Pass Phrase: "England 5- Germany 1". Sorted

    Except when the system blocks any passwords with English words in them.
     



  • @jo-82 said:

    For such ultra-high complex passwords i usally take the first char from each word of a whole sentence.

    So: "WorseThanFailure is one of the best 20 websites i know!" gets to: "WTFiootb20wik!"

    My uncle's solution is to use the title and ISBN of a book from his bookshelf. So, for example, his eBay password might be:

    John Astor's Translation of "The City of God" 0-9752298-0-X

    Yes, it's insecure, but only if you can guess which of the 3000 or so books in his library goes with a website.



  • @Carnildo said:

    My uncle's solution is to use the title and ISBN of a book from his bookshelf. So, for example, his eBay password might be:

    John Astor's Translation of "The City of God" 0-9752298-0-X

    Yes, it's insecure, but only if you can guess which of the 3000 or so books in his library goes with a website.

    It would be more secure if he didn't go around telling everyone what his password generation method was.

     
    Also, it seems obvious your uncle is very proud of all his reading and considers it a key part of his identity.  There's been studies showing that people use as passwords what they identify with -- e.g. if a guy has baseball paraphernalia on his desk, chances are high that some baseball player's name is his workstation password.



  • @seaturnip said:

    There's been studies showing that people use as passwords what they identify with

    I identify with numbers and letters, obviously. 



  • @dhromed said:

    @seaturnip said:

    There's been studies showing that people use as passwords what they identify with

    I identify with numbers and letters, obviously. 

     

    One could argue that the rare people who use highly randomized passwords take pride in the fact that they are security-conscious and consider that a part of their identity!  (Though of course, unlike most other cases of this phenomenon, that knowledge would be useless to an attacker.)

     



  • @seaturnip said:

    @Carnildo said:
    My uncle's solution is to use the title and ISBN of a book from his bookshelf. So, for example, his eBay password might be:

    John Astor's Translation of "The City of God" 0-9752298-0-X

    Yes, it's insecure, but only if you can guess which of the 3000 or so books in his library goes with a website.

    It would be more secure if he didn't go around telling everyone what his password generation method was.

    Even knowing his generation method, you'd still need to break into his office and try each and every one of the books -- or you could simply try every book that's ever been written. He's a philosopher, so he's got some pretty obscure works to choose from. For example, Amazon does not, to the best of my knowledge, sell a copy of a listing of every possible sin that was written in the late 900s AD.



  • Oh it's still relatively secure as far as it goes, but still going around telling people about your password strategy is just bad policy.  How hard is it to keep it to yourself?  Famous last words: "Oh it doesn't matter, they still shouldn't have enough information to break in."



  • If a book has an ISBN, it can be found somewhere.
    His passwords, unless he mistypes the titles, have only the entropy of an ISBN, which makes the entire title portion of his passwords basically irrelevant.



  • @Opie said:

    If a book has an ISBN, it can be found somewhere.
    His passwords, unless he mistypes the titles, have only the entropy of an ISBN, which makes the entire title portion of his passwords basically irrelevant.

    Still, new ISBNs have 12 digits (not counting check digit). That's gives about the same number of isbns as there are 6-7 digit passwords. And brute forcing a 7 digit password does not require a dictionary of a trillion book titles.



  • @Carnildo said:

    @jo-82 said:

    For such ultra-high complex passwords i usally take the first char from each word of a whole sentence.

    So: "WorseThanFailure is one of the best 20 websites i know!" gets to: "WTFiootb20wik!"

    My uncle's solution is to use the title and ISBN of a book from his bookshelf. So, for example, his eBay password might be:

    John Astor's Translation of "The City of God" 0-9752298-0-X

    Yes, it's insecure, but only if you can guess which of the 3000 or so books in his library goes with a website.

    Actually, it's quite secure.  Do you have any idea how long a brute force program would take to crack that?   With  the number of characters, and taking into account that it needs to cycle every possible combo from "a" to "+", by the time it's tested it's first FEW HUNDRED THOUSAND combos, it's probably time for your uncle to change his password again, ruining the efforts of the brute force hack.



  • @Kyanar said:

    by the time it's tested it's first FEW HUNDRED THOUSAND combos

    I think you lack appreciation for computing scale. A few hundred thousand is some fraction of a megahertz. It's just not a big number these days.



  • @asuffield said:

    @Kyanar said:

    by the time it's tested it's first FEW HUNDRED THOUSAND combos

    I think you lack appreciation for computing scale. A few hundred thousand is some fraction of a megahertz. It's just not a big number these days.


    Possible combinations to go through are calculated through this equation: N^L + N^(L-1) + ... + N^(L-L+1)

    N = Number of possible characters, usually 26 * 2 + 10 (Alphanumeric case sensitive) + ? (Special/non-English characters)

    L = Length of password.

    Mind you that's only if the password is sorted in plain-text, which is more secure against brute force only, for hashed passwords the amount of combinations is only N^L (N and L are calculated from the hash output, not the password), which is usually only less secure against plain-text if the password is longer than the hash. This is only calculating the probability of success on brute force. Other methods have different probability calculations obviously. Note: if the password is hashed I need only find a collision, which may or may not be your password, usually it is your password though.



  • @Lingerance said:

    Possible combinations to go through are calculated through this equation: N^L + N^(L-1) + ... + N^(L-L+1)

    N = Number of possible characters, usually 26 * 2 + 10 (Alphanumeric case sensitive) + ? (Special/non-English characters)

    L = Length of password.

    Mind you that's only if the password is sorted in plain-text, which is more secure against brute force only, for hashed passwords the amount of combinations is only N^L (N and L are calculated from the hash output, not the password), which is usually only less secure against plain-text if the password is longer than the hash. This is only calculating the probability of success on brute force. Other methods have different probability calculations obviously. Note: if the password is hashed I need only find a collision, which may or may not be your password, usually it is your password though.

    I think you forgot to include whatever conclusions you were going to draw from this information. 



  • D'oh, Anyways, the ISBN password is 59 characters long, and has a selection set of at least 64 characters, which is roughly 2^360 combinations for that length, the brute force has to go through each possible combination of characters for each length smaller than that to be able to gain access to the account. As I know 2^64 ~= 16 x 10^18, I can conclude that the length alone makes brute forcing unreasonable, but the fact that it is more than likely hashed, which the hash length is probably smaller than the password itself, the brute force needs only find a collision which is theoretically easier (due to a smaller number of possibilities). So the password itself is secure, but the way it is stored may compromise that.

    Conclusion in bold.



    PS: 2^360 == (2^6)^60 == 64^60



  • @Lingerance said:

    D'oh, Anyways, the ISBN password is 59 characters long, and has a selection set of at least 64 characters, which is roughly 2^360 combinations for that length, the brute force has to go through each possible combination of characters for each length smaller than that

    That's true only under the assumption that every possible 59 character string is a valid ISBN-type password. Strings like "M;Y&NWHRNTN3BBS5Q\91<@8S43GPYE9MI$Q`S4V6E4.5.RB6@C(=9V>)" aren't, so any brute force attack can discard them. The actual entropy of these passwords is roughly equal to the size of the ISBN space, which is about 2^32 (or less).



  • @Heron said:

    Though I think I've noticed a bug in the code that checks the password you provide.  Where I work we have a Windows domain with the same password requirements as given above, so first I used password A, then password B.  For the last 14 days of the password period I was warned I'd need to change my password soon; I tried once changing it back to password A, and I got the "can't use a previously used password" warning, so I didn't change my password.  A day arrived at which the system forced me to change my password - so I tried password A again and it worked.  I've been using password A again for nearly a month now, and it's about time that it'll force me to change it again - so I'm going to try password B again.  If it works, then we'll know that the force-you-to-change section of code (as opposed to the give-you-the-option-of-changing section of code) doesn't check your password against the previously used password list.  I'll let you all know when I find out for sure :)

    It didn't work, which leaves the question of how it let me change back to password A.  I can only assume that they reset the password database on the domain at some point.



  • @m0ffx said:

    @deworde said:

    Don't use a password. Use a Pass Phrase: "England 5- Germany 1". Sorted

    Except when the system blocks any passwords with English words in them.

    OK... "Anglicko 5- Nemecko 1", and it's [i]prostredník[/i] to that little annoyance.

    How short an English word would such a system block anyway? Presumably "a", "I" and "O" are not blocked. Maybe it would look for whole words only, to avoid the "clbuttic" trap. That'd just make it difficult to come up with a passphrase though; back to square one, unless you know French or Skutočnian or whatever. I'm starting to think that the sticky-note industry has a vested interest in all this.

     



  • @asuffield said:

    I think you lack appreciation for computing scale. A few hundred thousand is some fraction of a megahertz. It's just not a big number these days.


    But you also have to take into consideration what is being attacked. I highly doubt an eBay brute-force attack would be executed in a fraction of a megahertz. Even using the API to validate the user, it still has the delay of the internet connection and return time. Also, I'm sure eBay would lock it down after so many attempts. I haven't logged in for quite a while, so I don't know what their attempt policy is. But, I know that many of the websites I use do have such a lock-out policy. For instance, the bank will lock out in 5 attempts (I believe), and the only way to unlock it is to contact the bank directly.



  •  

    Also, I'm sure eBay would lock it down after so many attempts.


    Any system which blocks brute-force attacks is obviously not vulnerable to brute-force attacks. That is not a particularly insightful observation. The interesting cases are systems which are vulnerable to brute-force attacks.



  • @asuffield said:

    Any system which blocks brute-force attacks is obviously not vulnerable to brute-force attacks. That is not a particularly insightful observation. The interesting cases are systems which are vulnerable to brute-force attacks.


    It may not be insightful, but declaring that thousands of combinations can be done in the blink of an eye isn't exactly correct, either. What average user has a password worth stealing for a site/system that doesn't have a "x tries, lock-out" process? The example given was an ISBN on eBay and supposedly a different ISBN for every other membership. So, even if you brute-forced a system that didn't have a lock-out (and I can't think of any I've used that don't except e-mail, and I always delete those damn "Your password is ___" mails), the revealed password is no good except on that system. Obviously there is the remote chance that the compromised system contains the passwords to other ones, but then again, why would you do something like ISBNs only to store them where someone can get to them?



  • @AbbydonKrafts said:

    What average user has a password worth stealing for a site/system that doesn't have a "x tries, lock-out" process?

    802.11 wireless networks. Public-key systems. Any unix or windows host where you can read a copy of the password database and merely have to break the hashes, or similar attacks that involve cracking open a captured database. In general, any case where you are dealing with data rather than a remote system. Most systems have a weakness of this form somewhere.



  • @asuffield said:

    802.11 wireless networks. Public-key systems. Any unix or windows host where you can read a copy of the password database and merely have to break the hashes, or similar attacks that involve cracking open a captured database. In general, any case where you are dealing with data rather than a remote system. Most systems have a weakness of this form somewhere.


    Thank you for outlining some good ones that "structured" passwords should not be used on. Absolute random garbage is all I use on those.

    One thing that really irks me is when a system limits the maximum length of a password to something small. I forgot which site I'm a member of that does it, but it has a max of somewhere around 12 characters.

    I really need to implement across-the-board hashes as passwords. It'd make things much easier, but way more secure than what I'm doing on some of them.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.