The Register® — Biting the hand that feeds IT

RockYou hack reveals easy-to-crack passwords

Analysis of the 32 million passwords recently exposed in the breach of social media application developer RockYou last month provides further proof that consumers routinely use easy to guess login credentials. Sensitive login credentials - stored in plain text - were left exposed because of a SQL injection bug in RockYou's …

This topic is closed for new posts.

Flame

write 'em down

I feel like the IT community really brought a lot of this on itself by at some point getting the idea into users' heads that passwords should never be written down. Really, it's all down to your threat model-- which is more probable? Li'l Johnny Hax0r running a script from his bedroom and incidentally hammering my bank account, or someone mugging me/breaking into my house and deciding of all things to abscond with my notebook of passwords? Which is easier for me to detect and react to (e.g. by resetting all my passwords?). And if my password is written down in ink, rather than entered into a spreadsheet on my computer, then I don't need to worry about spyware finding and stealing it.

What I think I'd like to see would be websites that have a strong password generator built in on the password creation page, you click, it gives you one and tells you to write it down in a notebook. Us humans are bad at creating random data (amanfrommars may be superior to us in this respect), why put the onus on the user when we have great algorithms to let the computer do it?

yay

I'll just ask him to remember it for me

FAIL

ISP don't have a clue, either

The ISP I use here in Australia enforces a strong password policy ... and then stores the passwords in plain text.

The database is available to all employees, including the out-sourced "help" desk!

They insist that there's no security problem.

IT Angle

WTF?

The fact that bothers me is not that users choose primitive passwords (maybe they like them to be close to themselves), but that the admins stored it not encrypted, in days where salted hashing is considered the minimum.

These people obviously know nothing about their job, hence the icon.

Bronze badge

AC 16:50

Pa55word is not secure at all. Any adversary worth their salt (pun not intended) is gonna try 'password' in all its guises (most rainbow tables will have those variants in anyway) and substituting 5's for S's 3's for e's etc is about the most obvious attempt at a cipher. People even employ it to attempt to make their car index plates more personal.

oidltbbtss is not strong either and would brute force using only lower-case in as much time as it takes me to write this. However, if you typed ohidoliketobebesidetheseaside, you would have a very strong passphrase.

Unfortunately, because engineers who write password entry boxes are for some reason still pre-occupied with the non-existent shoulder-surfer, you would have a high chance of mistyping it. Fortunately, this attitude is now changing and you can often elect to see the characters as you are typing them, with the best examples being where the character is visible temporarily and is then masked with an asterisk.

Once this barrier to security is removed, passphrases will be most usable and security increased dramatically. Even then, they still need to be combined with using a mouse to choose a PIN from a list of characters presented in a random order so as to defeat keyloggers.

This really is trivial to do and some banking institutions are getting close to what is (reasonably) secure, it just needs to filter down a bit and hopefully breaches like this will make engineers more thoughtful of the approaches to security.

Silver badge
Flame

Reg Campaign Required...

.... PLEASE ... someone tell the security types that routine password expiry not only provides almost zero protection but actually causes one of the most serious problems: weak passwords.

The thing is...

regardless of whether or not password expiry increases or decreases security the current industry best practice (the standard to which you are held by, for example, IS27001 and the DPA) is that password expiry is required.

Eg Principle 7 of the DPA ("Secure") requires the use of "Appropriate technical and organisational measures" which, currently, means use expiring passwords (amongst other things) because that's considered to be current best practice ie an "appropriate technical ... measure".

(Written by Reg staff)

Re: Why not ms Vance?

*He* left the Reg 18 months ago to become a full-timer on the NYT.

Megaphone

Wot no hash?

Ugh - there should be laws against systems that store peoples' passwords in such an insecure manner. Rather than store the passwords, a secure hash of the password should be stored instead. If, at login, I can produce a password that results in the same digest as the one stored in the database then access is granted. At worst, an SQL injection attack would result in the database spewing out a load of hash values.

OK, so someone could still calculate a hash of "12345" and see whose username matches it, but at least those with relatively obscure passwords would still be afforded some additional protection.
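An added example, not part of any comment in this thread: it illustrates the hash-and-compare login described in the "Wot no hash?" comment and the per-user salting mentioned in the earlier comment on salted hashing. The function names, the constructed sample accounts and the choice of PBKDF2-HMAC-SHA256 with this iteration count are assumptions of the example, not anything RockYou or the posters specified.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def unsalted_digest(password: str) -> str:
    """Plain fast hash: identical passwords always give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str) -> dict:
    """Keep a random per-user salt and a slow salted hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def shared_digest_groups(table: dict) -> list:
    """Audit helper: groups of users whose stored digests are identical."""
    groups = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


# Constructed sample accounts (not taken from any real data set).
SAMPLE_USERS = {"alice": "12345", "bob": "12345",
                "carol": "ohidoliketobebesidetheseaside"}


def demo():
    unsalted = {u: unsalted_digest(p) for u, p in SAMPLE_USERS.items()}
    records = {u: make_record(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: r["digest"] for u, r in records.items()}
    return shared_digest_groups(unsalted), shared_digest_groups(salted), records


if __name__ == "__main__":
    print(demo()[:2])
```

With the unsalted table, a leaked dump shows at a glance which accounts share a password; with per-user salts no two stored digests match, so each account has to be guessed separately.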

Thumb Up

There are.

This would definitely fall foul of European data protection legislation (eg the UK's Data Protection Act) because storing passwords in the clear falls well short of industry best practice i.e. the appropriate technical measures required by principle 7.

Anonymous Coward

Not just users to blame

I'm pretty good with my passwords (no two are the same, but I have a system that allows me to remember pretty much all of them).

However, what pisses me off is when I am confronted with shite like this:

Your password must be between 8 and 10 characters

You cannot use spaces in your password

You cannot use non alphanumeric characters in your password

It means that I can't use one of my 'systems' (or any of my preferred other password choices) and instead I'm forced to use some crappy password that I will invariably forget because I was so constrained in what I could choose.

If users are to be encouraged to use secure passwords, then maybe there shouldn't be so many shite limitations that remove some of the best ways to make passwords secure (length, symbols etc.)

Anonymous Coward

Password generators

I like password generators like PasswordMaker. I use it as a Firefox addon. It generates a password based on one password and the url of the site thus you get a unique password by using only one password which you keep in your head and never use anywhere else.

The only weakness is keyloggers.

Here we go again...........

The message here isn't the users who choose weak passwords. The message is the (32million-N) users who wasted their time choosing and remembering strong passwords and had them compromised anyway.

Users show a better understanding of the risk than most security people:

http://www.schneier.com/blog/archives/2009/11/users_rationall.html

Bronze badge

@b166er

You say using the mouse will defeat a keylogger but what if hackers start including screen cap tools and mouseloggers? Macro programs already exist that can mouselog for scripts; malware can employ the same tactic, and screencaps will help to point out where the mouse is clicking.

Badgers

Solution presents itself

We could all use a password to get a key from Verisign and use that when creating accounts - then we wouldn't need to type any passwords...

Coat

Site limitations

I have to agree with everyone who's irritated by sites limiting your password choice. For example, I really like one site's email (etc.) service, but for their max 12 character passwords. That might have been OK when the site was young, but it's in lookup table territory now. I use better than that on my Yahoo email, ffs.

You can strengthen your p/w (if you're not subject to such limitations) just by punctuating your passphrase, either properly or idiosyncratically. Those seaside lovers could try ...

Oh, I DO Like to Be Beside the Seaside!

or perhaps ...

Oh, do I like 2B beside the Seaside, theregister.co.uk? (for the artist who knows his pencils and is posting here.)

And yes, write them down, in a notebook with a lot of totally unrelated guff 'phrases' - you know which ones you've used (we hope). Twice, one in a secret place so you don't lose everything when it gets nicked.

Mine's the one with the ?N0t3b0Ok! full of guff in the pocket.

FAIL

It's all a 'fail'...

Rock You, you fail on all levels - SQL injection, clear text storage, no password policy

But the debate here is about the analysis. Some commentards are gloating that lusers are morons. Yes, yes - we know that. (Actually, of course the majority of computer users may not have finely-honed security skills but they are no more moronic than the population at large... oh, I see what you mean!)

The problem is not stupidity per se - it's practicality. As others have noted, people can remember words and phrases in their own language better than they can remember meaningless character strings. So we end up with dictionary words. FWIW, substituting numerals for lowercase letters is better than nothing but not much use against a decent Rainbow Table.

Length, of course, is important (if my passwords were as short as my willie they would have been pwned years ago). The way Windows LAN Manager hash split passwords (until Vista, I believe?) meant that 16 chars became the minimum for the really paranoid and that attitude seems to have stuck among sysadmins. But it's counter-productive if a helldesk instructs lusers to use 16 random chars - virtually no-one has a clear idea of 'random' in this context and virtually no-one can remember 16-char strings.

As to horses for courses, of course it makes sense to use stronger passwords for banking or business than for wanking about on FaceAche or on Twatter (I wonder if Stephen Fry's password is 'Fat Smug Know-all'?). But human nature being what it is, people simply can't be arsed to remember more than a couple of passwords.

The taboo against writing down passwords is not always helpful. Obviously in a non-secure office environment sticking a post-it note to the screen with 'Password: Bgx1#dw"£$' written on it is insecure: having it written, perhaps back-to-front, unobtrusively in the back of your pocket diary is far less so.

So what are my solutions? What insights can I offer you? The answers are 'none' and 'none'. IMO, crap password security is a problem we are stuck with for as long as ordinary people (as opposed to geeks) use computers - in other words for ever.

PS: I recently had to advise a home-office-computer-using client that having their pet's name as a password for everything from log-on to email to online banking (where, to be fair, the bank insisted on other characters as well) *and* as their security question answer was probably not a good idea.

Anonymous Coward

top 10 to be expected, actually

the author says:

"The trivial nature of the top ten RockYou passwords is bad enough"

but of course, you wouldn't get any non-trivial passwords in the top ten, would you?

If "Tyu334&UpW" was the #1 popular password, that'd be news...

This post has been deleted by a moderator

WTF?

"Sensitive" passwords? Really?

I question whether someone's password used on Facebook is "sensitive." It's not like RockYou was a banking app.

Granted, it doesn't excuse the lousy passwords people use, but I can easily understand people using stoopid passwords for a stoopid app running on the consistently frivolous and stoopid Facebook.

Anonymous Coward

Your passwords will be compromised

Sadly it seems companies will never get it right with storage of passwords. I like to use this method - http://www.uner.com/resources/passwdBranching/passwdBranching.html - click on the password branch tool. I emailed the webmaster because it does not work well with some European domains, but so far I did not get a reply.
