Analysis of the 32 million passwords recently exposed in the breach of social media application developer RockYou last month provides further proof that consumers routinely use easy to guess login credentials. Sensitive login credentials - stored in plain text - were left exposed because of a SQL injection bug in RockYou's …
write 'em down
I feel like the IT community really brought a lot of this on itself by at some point getting the idea into user's heads that passwords should never be written down. Really, it's all down to your threat model-- which is more probable? Li'l Johnny Hax0r running a script from his bedroom and incidentally hammering my bank account, or someone mugging me/breaking into my house and deciding of all things to abscond with my notebook of passwords? Which is easier for me to detect and react to (e.g. by resetting all my passwords?). And if my password is written down in ink, rather than entered into a spreadsheet on my computer, then I don't need to worry about spyware finding and stealing it.
What I think I'd like to see would be websites that have a strong password generator built in on the password creation page, you click, it gives you one and tells you to write it down in a notebook. Us humans are bad at creating random data (amanfrommars may be superior to us in this respect), why put the onus on the user when we have great algorithms to let the computer do it?
Iil just ask him to remember it for me
ISP don't have a clue, either
The ISP I use here in Australia enforces a strong password policy ... and then stores the passwords in plain text.
The database is available to all employees, including the out-sourced "help" desk!
They insist that there's no security problem.
The fact that bothers me is not that users choose primitive passwords (maybe they like them to be close to themselves), but that the admins stored it not encrypted, in days where salted hashing is considered the minimum.
These people obviously know nothing about their job, hence the icon.
Pa55word is not secure at all. Any adversary worth their salt (pun not intended) is gonna try 'password' in all its guises (most rainbow tables will have those variants in anyway) and substituting 5's for S's 3's for e's etc is about the most obvious attempt at a cipher. People even employ it to attempt to make their car index plates more personal.
oidltbbtss is not strong either and would brute force using only lower-case in as much time as it takes me to write this. However, if you typed ohidoliketobebesidetheseaside, you would have a very strong passphrase.
Unfortunately, because engineers who write password entry boxes are for some reason still pre-occupied with the non-existant shoulder-surfer, you would have a high chance of mistyping it. Fortunately, this attitude is now changing and you can often elect to see the characters as you are typing them, with the best examples being where the character is visible temporarily and is then masked with an asterisk.
Once this barrier to security is removed, passphrases will be most usable and security increased dramatically. Even then, they still need to be combined with using a mouse to choose a PIN from a list of characters presented in a random order so as to defeat keyloggers.
This really is trivial to do and some banking institutions are getting close to what is (reasonably) secure, it just need to filter down a bit and hopefully breaches like this will make engineers more thoughtful of the approaches to security.
Reg Campaign Required...
.... PLEASE ... someone tell the security types that routine password expiry not only provides almost zero protection but actually causes one of the most serious problems: weak passwords.
The thing is...
regardless of whether or not password expiry increases or decreases security the current industry best practice (the standard to which you are held by, for example, IS27001 and the DPA) is that password expiry is required.
Eg Principle 7 of the DPA ("Secure") requires the use of "Appropriate technical and organisational measures" which, currently, means use expiring passwords (amongst other things) because that's considered to be current best practice ie an "appropriate technical ... measure".
Re: Why not ms Vance?
*He* left the Reg 18 months ago to become a full-timer on the NYT.
Wot no hash?
Ugh - there should be laws against systems that store peoples' passwords in such an insecure manner. Rather than store the passwords, a secure hash of the password should be stored instead. If, at login, I can produce a password that results in the same digest as the one stored in the database then access is granted. At worst, an SQL injection attack would result in the database spewing out a load of hash values.
OK, so someone could still calculate a hash of "12345" and see whose username matches it, but at least those with relatively obscure passwords would still be afforded some additional protection.
This would definately fall foul of European data protection legislation (eg the UK's Data Protection Act) because storing passwords in the clear falls well short of industry best practice i.e. the appropriate technical measures required by principle 7..
Not just users to blame
I'm pretty good with my passwords (no two are the same, but I have a system that allows me to remember pretty much all of them).
However, what pisses me off is when I am confronted with shite like this:
Your password must be between 8 and 10 characters
You cannot use spaces in your password
You cannot use non alphanumeric characters in your password
It means that I can't use one of my 'systems' (or any of my preferred other password choices) and instead I'm forced to use some crappy password that I will invariably forget because I was so constrained in what I could choose.
If users are to be encouraged to use secure passwords, then maybe there shouldn't be so many shite limitations that remove some of the best ways to make passwords secure (length, symbols etc.)
I like password generators like PasswordMaker. I use it as a Firefox addon. It generates a password based on one password and the url of the site thus you get a unique password by using only one password which you keep in your head and never use anywhere else.
The only weakness is keyloggers.
Here we go again...........
The message here isn't the users who choose weak passwords. The message is the (32million-N) users who wasted their time choosing and remembering strong passwords and had them compromised anyway.
Users show a better understanding of the risk than most security people:
You say using the mouse will defeat a keylogger but what if hackers start including screen cap tools and mouseloggers? Macro programs already exist that can mouselog for scripts; malware can employ the same tactic, and screencaps will help to point out where the mouse is clicking.
Solution presents itself
We could all use a password to get a key from Verisign and use that when creating accounts - then we wouldn't need to type any passwords...
I have to agree with everyone who's irritated by sites limiting your password choice. For example, I really like one site's email (etc.) service, but for their max 12 character passwords. That might have been OK when the site was young, but it's in lookup table territory now. I use better than that on my Yahoo email, ffs.
You can strengthen your p/w (if you're not subject to such limitations) just by punctuating your passphrase, either properly or idiosyncratically. Those seaside lovers could try ...
Oh, I DO Like to Be Beside the Seaside!
or perhaps ...
Oh, do I like 2B beside the Seaside, theregister.co.uk? (for the artist who knows his pencils and is posting here.)
And yes, write them down, in a notebook with a lot of totally unrelated guff 'phrases' - you know which ones you've used (we hope). Twice, one in a secret place so you don't lose everything when it gets nicked.
Mine's the one with the ?N0t3b0Ok! full of guff in the pocket.
It's all a 'fail'...
Rock You, you fail on all levels - SQL injection, clear text storage, no password policy
But the debate here is about the analysis. Some commentards are gloating that lusers are morons. Yes, yes - we know that. (Actually, of course the majority of computer users may not have finely-honed security skills but they are no more moronic than the population at large... oh, I see what you mean!)
The problem is not stupidity per se - it's practicality. As others have noted, people can remember words and phrases in their own language better than they can remember meaningless character strings. So we end up with dictionary words. FWIW, substituting numerals for lowercase letters is better than nothing but not much use against a decent Rainbow Table.
Length, of course, is important (if my passwords were as short as my willie they would have been pwned years ago). The way Windows LAN Manager hash split passwords (until Vista, I believe?) meant that 16 chars became the minimum for the really paranoid and that attitude seems to have stuck among sysadmins. But it's counter-productive if a helldesk instructs lusers to use 16 random chars - virtually no-one has a clear idea of 'random' in this context and virtually no-one can remember 16-char strings.
As to horses for courses, of course it makes sense to use stronger passwords for banking or business than for wanking about on FaceAche or on Twatter (I wonder if Stephen Fry's password is 'Fat Smug Know-all'?). But human nature being what it is, people simply can't be arsed to remember more than a couple of passwords.
The taboo against writing down passwords is not always helpful. Obviously in a non-secure office environment sticking a post-it note to the screen with 'Passord: Bgx1#dw"£$' written it is insecure: having it written, perhaps back-to-front, unobtrusively in the back of your pocket diary is far less so.
So what are my solutions? What insights can I offer you? The answers are 'none' and 'none'. IMO, crap password security is a problem we are stuck with for as long as ordinary people (as opposed to geeks) use computers - in other words for ever
PS: I recently had to advise a home-office-computer-using client that having their pet's name as a password for everything from log-on to email to online banking (where, to be fair, the bank insisted on other characters as well) *and* as their security question answer was probably not a good idea.
top 10 to be expected, actually
the author says:
"The trivial nature of the top ten RockYou passwords is bad enough"
but of course, you wouldn't get any non-trivial passwords in the top ten, would you?
If "Tyu334&UpW" was the #1 popular password, that'd be news...
"Sensitive" passwords? Really?
I question whether someone's password used on Facebook is "sensitive." It's not like RockYou was a banking app.
Granted, it doesn't excuse the lousy passwords people use, but I can easily understand people using stoopid passwords for a stoopid app running on the consistently frivolous and stoopid Facebook.
Your passwords will be compromised
Sadly it seems companies will never get it right with storage of passwords. I like to use this method - http://www.uner.com/resources/passwdBranching/passwdBranching.html - click on the password branch tool. I email the webmaster because it does not work well with some European domains, but so far I did not get a reply.
- Geek's Guide to Britain INSIDE GCHQ: Welcome to Cheltenham's cottage industry
- 'Catastrophic failure' of 3D-printed gun in Oz Police test
- Game Theory Is the next-gen console war already One?
- BBC suspends CTO after it wastes £100m on doomed IT system
- Peak Facebook: British users lose their Liking for Zuck's ad empire