back to article Passwords are for AES-holes

When did you reach burnout? For me, it was spring 2009. Looking back, I did well to last as long as I did but the constant pressure of coming up with something new, again and again, became too much. I'm not confessing to an emotional crisis, by the way. I'm talking about my ability to create new system logins that I can remember …

COMMENTS

This topic is closed for new posts.

Thumb Up

I use KeePass

You have 1 master password and optionally a key file and it opens up a wee database of passwords. It even does auto type and stuff which is simple but nice.

Not sure how secure it really is but it beats having 1 login for everywhere... probably. It is annoying to have 1 database file at work and 1 at home though.

6
0
Pirate

Re: I use KeePass

Can you install that on your work computers?

Oh, you don't work in banking / government / large company where everything is locked down and you're not even allowed to install a non-Microsoft browser "cos of cequritey".

2
0

Re: I use KeePass

Thankfully I'm not in such a locked down environment so can't speak from experience, but I use the portable version of KeePass and would assume (please correct if wrong) that this would work in such a "you can't install stuff" organisation. Unless of course the policies are granular enough to only allow certain EXEs to be run.

3
0
Silver badge

Re: I use KeePass

I've sometimes found it possible to run "foreign" EXEs via the simple expedient of renaming them as something acceptable like "notepad.exe".

1
0

Re: I use KeePass

"Oh, you don't work in banking / government / large company where everything is locked down and you're not even allowed to install a non-Microsoft browser "cos of cequritey"."

I DO work in such an environment and KeePass is the group standard used by all the various bits of IT along with HR and compliance.

2
0
Trollface

Re: I use KeePass

A portable version? So, you don't work in a place that locks down the allowed device categories that you can stick into a USB port?

1
0
Thumb Up

Re: I use KeePass

KeePass has a portable version which doesn't require you to be admin of your own machine. Also, you can link it to your windows logon so don't even need a password to access the encrypted file.

1
0
Stop

And people wonder why code signing is important.

I've sometimes found it possible to run "foreign" EXEs via the simple expedient of renaming them as something acceptable like "notepad.exe".

Yay for code signing.

3
0
FAIL

Re: I use KeePass

My experience has been that the places I worked that had frequent forced password changes were in fact the places it was easiest to login as my boss. Why? Because by requiring frequent password changes, people start writing their passwords on post-it notes and hiding them in very predictable places. Requiring a password change once a year, and allowing full pass phrases so people can use complete sentences, IMO is the best compromise.

2
0
Anonymous Coward

Re: I use KeePass

If they let you plug in your own USB, what's to stop the cleaner plugging in their own USB key logger? ;c)

0
0
Anonymous Coward

Re: I use KeePass

I use KeePass for quite a few work and personal passwords. Sadly my current employer won't even allow me to plug in a USB stick without several levels of approval and a contract signed in blood that I won't be naughty (but they do require me to access around 20 different systems with complex passwords).

The solution I ended up with is KeePass on my smartphone with a very complex password. I figure unless I'm incredibly unlucky, anyone stealing my phone won't have a clue how to decrypt the database and I'll probably remote wipe it before they even get past the screen lock.

KeePass even has dropbox support to sync the database across machines, although I'm not quite ready to trust that yet.

(Anon because I'm talking about work)

1
0
Silver badge

Re: I use KeePass

Dropbox sync is actually pretty good. All it usually takes is saving the key database to a Dropbox subfolder (doesn't even have to be public) and it'll sync to the cloud. Your phone can then use a Dropbox sync program to draw the file from the cloud. As for security, the key database is encrypted (full-file encryption) based on whatever credentials you put in to unlock it, so even if someone were to intercept it, they'll likely be stymied trying to decrypt it.

0
0
Bronze badge
Holmes

Lloyds Bank Website

.. was like that at one time. You had to re-enter the password practically every time you did anything on it, almost to move the cursor. It is not so bad now.

1
0
Silver badge
Thumb Up

Correct Horse Battery Staple

That is all.

15
3
Thumb Up

Re: Correct Horse Battery Staple

XKCD wins

5
2
Thumb Down

In fact it is not

Try getting a user to enter a password like that one in a field with masked input -- without typos -- and then come back here and tell me how fucking smart Randall Munroe is, why don't you?

2
19
Silver badge

Re: In fact it is not

Okay, so how do they enter their strong password made up of numbers and letters and a limited set of non-alphanumeric characters in a field with masked input without typos?

18
0
Anonymous Coward

Re: Correct Horse Battery Staple

Whatever muppet voted this down is a clueless muppet when it comes to IT security - Your name Jessica Harper, perchance - whoever you are. Now she was shit, finally justice :)))))))

3
3
Anonymous Coward

Re: Correct Horse Battery Staple

Leaving aside the issue of 'finger memory' (see Verity Stob, recently), the perfectly reasonable long, all-lower-case, real-word-containing password is simply not allowed by the vast majority of password systems I've had to use, because it fails complexity requirements. People are entirely capable of typing in short phrases without error, but it doesn't matter because no-one will allow them to.

8
0
Facepalm

Re: In fact it is not

Aoron - Then learn to type - Seriously, it is easier to type "You are an idiot" as opposed to typing "Y0u ar3 a4 1d107", as it is very easy to remember and that being the key. Entropy and typing - embrace them or disinfect your malware ridden puter :p.

If somebody is incapable of typing in their password, should they be allowed to play with the other workers on a live network - NO.

3
4

Re: In fact it is not

...you can't even spell my name right, and you're going to tell me about strong passwords? Thank God you're here!

The point, for those thickos who've missed it (which is all of you so far!), is not that I don't know how to type accurately without being able to see what I'm doing -- I'm a sysadmin, of course I can do that. Users mostly can't. Since they're going to fuck up no matter what I give them, increasing the length of the password just makes it that much less likely they'll ever be able to get it right -- whereas, contrariwise, giving them an eight- or twelve-character password that doesn't even begin to look legible will slow them down enough so that they'll have a decent chance of typing it in properly in only four or five tries. ("What if," I hear you asking, "they write it down and put it under their keyboard or in their wallet, then?" -- if they do, so what? Offices have doors that lock, and the odds of someone getting mugged by a technical professional who knows what to do with a pocketed password really aren't all that high -- and a Post-It can't be cracked. Get with the times, kids.)

None of this ought to surprise anyone who has any experience of dealing with users at all, of course, but then this is the Reg comments; if I didn't want to deal with gratuitous harassment from ignorant dribblers, what would I be doing here in the first place?

4
21
Silver badge
FAIL

Re: In fact it is not

Correct Horse Battery Staple = Insecure

Passw0rd! = Secure

Go figure.

6
1
Anonymous Coward

Re: In fact it is not

Try typing in "Correct Horse Battery Staple" on a smartphone touchscreen, case-sensitive and with masked input, and see how long it takes before you change all your passwords to "sa".

4
0
Silver badge
Joke

Correct Horse Battery Staple = Insecure

That is correct because too many lusers are now using it because they heard it is secure

Fortunately one login for all except the HPC systems suffices here.

3
0
Silver badge
Mushroom

Re: In fact it is not

"The point, for those thickos who've missed it (which is all of you so far!), is not that I don't know how to type accurately without being able to see what I'm doing -- I'm a sysadmin, of course I can do that. Users mostly can't."

And there's the elitism that our industry is famous for: IT pros are perfect; users are useless. Well, Aaron, fuck you. You're wrong, and you probably know it.

Show me a study. Show me numbers that prove sysadmins are better typists than average users, and I still won't believe you.

I deal with "users" on a daily basis, and the ones I know are better at typing than I am, and I'd have no problem with Correct Horse Battery Staple.

18
2

Re: In fact it is not

'Passw0rd!', eh? Bless.

0
0

Fuck me, eh? Class!

There's that leveller charm! Bitter helpdesk lifer, eh?

I don't know where you're getting your users, but maybe once you've spent some time supporting, among others, several offices full of blue-haired old ladies who loathe computers with a blinding passion yet must use them nonetheless, you can come back and talk to me some more. 'Til then, you'd do better to remember Wittgenstein's admonishment and keep your ignorant gob shut.

4
15
Silver badge
Stop

Re: In fact it is not

They're called "lusers" for a reason...

4
1

Re: In fact it is not

"Correct Horse Battery Staple = Insecure

Passw0rd! = Secure

Go figure."

From Microsoft Technet http://bit.ly/KGxWq5

"7 characters Minimum password length

Password must meet complexity requirements (capital letter, small letter and one digit or non-alphabetic, also not more than 3 characters from the username)"

With Active Directory as it comes out of the box Passw0rd is fine.

2
2

"Active Directory as it comes out of the box"

There's your problem right there --

7
0

"[H]ow do they enter their strong password[...]"

Carefully, that's how, because they can't parse it as anything except individual characters -- which is by design; I'd rather they take thirty seconds to enter their password, and get it right on the first try, than enter it incorrectly a half-dozen times, lock themselves out, and call me up to complain. (They'll complain either way, of course, but the way I do it, they complain less -- which is also by design. Believe it or not, some experience and thought has gone into this!)

0
4
Silver badge

Re: In fact it is not

@Aaron Em

Hate to tell you this...but I use a similar idea for my ma-hoos-ive WiFi password. I don't seem to have any trouble.

And for SSH passphrases.

Security is generally a trade off between convenience and, well, security.

2
0
Silver badge
Facepalm

Re: In fact it is not

Cripes. I thought people would take this suggestion light-heartedly, not get a bee up their collective arse.

I would say that a system which considers "pa5$word!" more secure than "HighTreeGiraffeeIcecreamParlour" is fundamentally broken. One might be shorter, but it is a bugger to remember (meaning it will often be written down - security lost); the other is a bit harder to type (meaning it may be entered wrongly once too often, leading to lock-out - PITA but security remains).

And there are other measures too; key-fobs, one-time tables, blah-de-blah.

Me - I prefer the more complex, long keys as all I have to do is memorise a picture. Heck, I can probably even write them down in ideograms for myself and they would still be secure (I don't do this, however, as pictures fit nicely into the old noggin).

That is my opinion. It's not wrong, it's opinion and in point of fact it happens to be right because it is my opinion and it applies to me.

9
0

If that's so, then why

did you present Munroe's opus as though it were all that needed saying? I believe the exact phrase you used was 'That is all' -- which, as swiftly became obvious, it wasn't.

Can't speak for why anyone else got cross about it, but for my own sake, I am sick and tired of XKCD fans because they largely behave as though pointing at their favorite "look how smart I am!" cartoon can stand in place of putting some actual thought into anything. Even when Munroe's got the right end of things, which happens less often than his partisans care to admit, he's not God or Donald Knuth. In a case like this one, where there's arguments to be made on either side -- no, I don't agree with the arguments in favor of the "correct horse battery staple" style password, because I've seen them fall flat on their face in the real world, but at least I acknowledge that they exist -- waving your favorite 'toon, in place of showing some evidence of original thought, just makes you look like a fool.

3
12
Silver badge

Re: If that's so, then why

Why?

Mostly because systems that demand "w1bbl€!" as a password, rather than what I would consider a "proper" one, do my freakin' head in, and don't even start me on the ones that have an upper limit of about 16*.

I was already using a system similar to the one discussed on XKCD (using poetry, if you must know) and was aware of the idea of non-symbolic but long "passphrases" from using the likes of GPG (clue is in the name "passphrase"). The XKCD just happens to be the most well known example AFAIK.

It is length that is a better measure of password strength, not necessarily complexity. Don't take that up with XKCD, take it up with grc.com, and the method espoused by XKCD does lead to easy to remember, long passwords that don't need to be written down.

If your users have short, complex ones and have to change them frequently, I guarantee they write them down or use some kind of basic system for generating passwords: "blah1", "blah2" etc. Both of which negate your security (of course, coercion can always be used to get a password, no matter how secure it is).

But most of all, I think you need to relax and breathe a little. I'm not the one slinging the insults around.

*Pretty soon I will start ranting about the cretins who can't validate an email address**.

**Anyone who thinks they can by definition doesn't know how to validate an email address.

9
0
Silver badge

Re: If that's so, then why

So we reach the crux of it, which is that you just don't like anything that refers to XKCD and you're so determined to hate everything related to Randall Munroe's "opus" that you reject, out of hand, eminently sensible and workable solutions to the whole password problem with the same elitist bullshitting attitude you always seem to have on these forums.

Now here's the affix: I don't work in anything directly related to IT these days. I got out of it, in part, because of people like you throwing your not inconsiderable weight around every chance you got, insulting everyone who wasn't you as "luser" waste of space morons who obviously have to be nannied through everything - even when it wasn't true. In fact especially when it wasn't true. You are an arrogant little blowhard who has a little bit of power over his domain (oh ho ho) and refuses to accept that maybe, just maybe you might be wrong sometimes.

What's the biggest single security hole passwords have these days? People writing them down. Why do they write them down? Because they can't remember them. What do we want people to do with their passwords? Remember them and not write them down. On that score alone the regular language phrase is superior to the cryptic nonsense string of characters. People are able to remember phrases because they are semantic. They contain meaning, and meaning is the glue that makes memory stick.

And in terms of entropy it's a winner again. An 8 character password is easier to brute-force than a 32 character one no matter what characters it's made up from. There is no difference between the strings abababab and nGl04$sh when you are brute-forcing and if you have access to hash tables there's no amount of security that can keep you out over even a short period.

So it comes back to blocking that one major hole: the user. Your solution ensures that there will always be a human-readable copy of some large portion of your userbase's passwords available on handy little pieces of paper. The regular language solution provides a way to close that hole.

So as far as I can tell the only reason you have for rejecting it is that you didn't come up with the idea and Monroe did. Which says plenty about you and little about the idea itself.

13
1
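Two claims in this thread lend themselves to a quick calculation: the Technet-style complexity rule quoted above (which lets "Passw0rd" through and rejects an all-lower-case passphrase), and the assertion that "abababab" and "nGl04$sh" are equivalent under brute force. The following Python is an added example, not code from the thread or from Microsoft; the complexity check is my own approximation of the rule as the commenter paraphrased it, and the 2048-word dictionary, the sample usernames and the guess rate are constructed values.

```python
import math
import string

# Character classes used by the Windows-style complexity rule quoted in the thread.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def meets_ad_style_complexity(password: str, username: str = "", min_length: int = 7) -> bool:
    """Approximation (my reading) of the out-of-the-box rule the thread quotes:
    at least min_length characters, characters from at least three of the four
    classes above, and no run of three or more consecutive characters taken from
    the username (case-insensitive)."""
    if len(password) < min_length:
        return False
    present = sum(1 for chars in CLASSES.values() if any(c in chars for c in password))
    if present < 3:
        return False
    user, pw = username.lower(), password.lower()
    for i in range(len(user) - 2):
        if user[i:i + 3] in pw:
            return False
    return True


def charset_size(password: str) -> int:
    """Size of the smallest union of classes an attacker would have to search to
    cover this password. A guesser that tries lower-case-only candidates first
    reaches 'abababab' long before it reaches 'nGl04$sh'; this is the caveat to
    the 'no difference when brute-forcing' claim."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))


def brute_force_bits(password: str) -> float:
    """Search space, in bits, for a per-character brute force that knows only
    the length and the character classes in use."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Search space when the attacker knows the password is word_count words
    drawn uniformly from a list of dictionary_size words (the XKCD model)."""
    return word_count * math.log2(dictionary_size)


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected seconds to search half the space at the given guess rate."""
    return (2 ** bits / 2) / guesses_per_second


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for pw in ("Passw0rd", "correcthorsebatterystaple", "Jsm1th!x"):
        print(f"{pw!r:30} passes AD-style rule: {meets_ad_style_complexity(pw, 'jsmith')}")
    for pw in ("abababab", "nGl04$sh", "correcthorsebatterystaple"):
        bits = brute_force_bits(pw)
        days = crack_time_seconds(bits, 1e10) / 86400  # 1e10 guesses/s is an assumed rate
        print(f"{pw!r:30} charset {charset_size(pw):3} -> {bits:6.1f} bits, ~{days:.3g} days")
    # Attacker who knows it is four words from a 2048-word list: the XKCD figure.
    print(f"4 words from 2048-word list -> {passphrase_bits(4, 2048):.1f} bits")
```

The passphrase comes out at 44 bits against an attacker who knows the word-list model and about 117 bits against one who does not, while the "complex" 8-character string never exceeds 53 bits; either way the complexity rule rejects the stronger password.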
Anonymous Coward

Re: In fact it is not

I worked for a large services company once, on a Security Cleared project, and their documentation actually advised a strong password written on a Post-It note over a shorter, less secure memorised one.

Of course the problem is security in depth: the above assumes your local physical environment is secure (a false assumption). The article author assumes that the pass that got him into the building is enough to prove his access to systems (it's not; it's only single-factor).

3
0
Silver badge

Re: If that's so, then why

"you didn't come up with the idea and Monroe did."

I actually don't think Monroe did, but I could be imagining things. Can't find a reference just now.

1
0
Gold badge

Re: If that's so, then why

"What's the biggest single security hole passwords have these days? People writing them down."

Seriously, I think I'd need to see the stats to back that one up.

You need to consider the attack vectors. For something like online banking or internet shopping, the vast majority of attackers are in a different country from the piece of paper where you wrote the password down. If you can live with the inconvenience of being unable to bank or shop except where your piece of paper is, you can make the password as strong as you need.

In an open-plan office environment, where the attackers are disgruntled or mischievous co-workers (or subordinates), the system probably isn't internet visible and the *only* attackers are ones who occupy the same building as your piece(s) of paper. It ain't such a good system then. At least part of the password needs to exist inside your head.

8
0

Re: If that's so, then why

...you mean you guys actually let random people on the Internet sit there and beat on your login prompts with brute-force attempts? Good God.

Oh, yeah, Graham! After that, I'm unshakably convinced that you left the IT business because you just so couldn't stand to deal with loathsome assholes like me, and not because, say, you lacked the basic competence to keep every asshole in the world from trying your doorknob as often as he likes. That's a much smaller hole than a few Post-It notes in an office that gets locked up every night. Sure.

1
13
Silver badge

Re: If that's so, then why

"you mean you guys actually let random people on the Internet sit there and beat on your login prompts with brute-force attempts?"

Well if anyone had actually said that you might have a point.

Again you're assuming you know everything.

6
0
Thumb Up

Re: "Active Directory as it comes out of the box"

LOL yip - ANY software defaults that are not your own standards would be a security oversight.

0
0

Re: If that's so, then why

Well, OK, fair enough, you just deniably implied it --

"There is no difference between the strings abababab and nGl04$sh when you are brute-forcing"

No, I don't think I know everything, though given your apparent propensity to get your knickers in a wad, I can see how it'd come across that way. It's just that I don't privilege your bald-faced assertions of how much more you know than I do, over what I've learned through the experience of doing my job -- speaking of which, said job being one you've already admitted you weren't up to, why should I be entertaining your best-practices advice in any case?

1
9
Silver badge

Re: If that's so, then why

If by saying I wasn't up to the job you mean I wasn't completely up my own arse then, yes, you're right. I lacked sufficient rectocranial insertion to survive the world of software development.

No, I wrote good code. It works, does its job and is secure. I was not the best but I was good. I left because a) people like you kept telling me how to do things despite their claimed solutions being obviously stupid and broken and b) I get better money making holes in people's walls and filling them with copper, with the added bonus of setting my own hours and not having to deal with (a) at all.

My assertions are no more beardless than yours: you may believe that your complete knowledge of your own experience makes your claims superior to my own but that simply demonstrates further your apparent inability to understand that other people disagree with you for reasons other than being stupid lusers and XKCD fans. In fact you may be surprised to learn that there are people who have had far more experience of this than you. You're arguing with some of them right now and making yourself look like an arrogant cock in the process.

9
0
Silver badge

@Ken Hagan Re: If that's so, then why

I didn't see your post before, the righteous fury was clouding my eyes. :)

You're right, I guess I was probably overstating the password thing. Claiming X is the single biggest vector is a silly thing to do and I'll try not to do it in future. It's still an issue though, not just in office environments, but anywhere people use complex and hard to memorise passwords.

2
0
Mushroom

Re: Fuck me, eh? Class!

You do remember that IT is a *support* role? Hate your users? Then sod off.

3
0
Stop

Re: Fuck me, eh? Class!

You do realise that in IT you have to plan for everything or you're moaned at by people expecting the impossible. Trust me, the term lusers is something that is earned over time. Besides

Lusers stands for Local Users.

As for IT being a support role, EVERY role in a company is a support role to another department, and IT needs support from HR and also needs support from other departments to...bottom line, make money, as they do directly or indirectly. Everybody supports everybody else and to think of it as a one way relationship is just the wrong attitude to have unless you have low blood pressure.

But the big thing to remember is, IT is the only department that can and eventually will replace you, by which time they themselves will be replaced and we can all go on holiday.

As for passwords, everybody has their own opinion and in that it is like a religion to so many people. No matter if you believe in passwords or not, you have to respect those that do and that would be the binary overlords.

0
0

I don't hate my users

I also don't expect more out of them than they're willing to give. Trust me -- I can harp on improved security, et cetera, all day, and if it's too much of a pain in the ass for people to enter their passwords every morning, so that I have to unlock and reset ten or twelve accounts every single day, then improved security et cetera doesn't sway them one damned bit.

"How," I hear you asking, "do you know this?" I've tried! Hell, I used to be an XKCD fan myself -- it was trying to implement that particular suggestion, and seeing the utterly disastrous results it produced in terms of user satisfaction and user relationships, that put me off the damned comic in the first place.

I mean, honestly! Graham the mirror-shouter excepted, how did you people imagine I came around to the attitude I have on this subject, anyway? Just woke up one morning with a hair up my ass?

1
8
Silver badge

Re: I don't hate my users

Given the way you post here it wouldn't surprise me if you frog-marched them all into a small concrete room and screamed at them for an hour about your new security policy before sending them off to the daily waterboarding session.

6
0
Anonymous Coward

Re: "[H]ow do they enter their strong password[...]"

Simple - they cut and paste it in from an MS Word file sitting on their hard drive ... who the hell would actually TYPE such rubbish!

1
0