Passwords are for AES-holes

When did you reach burnout? For me, it was spring 2009. Looking back, I did well to last as long as I did but the constant pressure of coming up with something new, again and again, became too much. I'm not confessing to an emotional crisis, by the way. I'm talking about my ability to create new system logins that I can …

COMMENTS

  1. Thomas 18
    Thumb Up

    I use KeePass

    You have 1 master password and optionally a key file and it opens up a wee database of passwords. It even does auto type and stuff which is simple but nice.

    Not sure how secure it really is but it beats having 1 login for everywhere... probably. It is annoying to have 1 database file at work and 1 at home though.

    1. Wibble
      Pirate

      Re: I use KeePass

      Can you install that on your work computers?

      Oh, you don't work in banking / government / large company where everything is locked down and you're not even allowed to install a non-Microsoft browser "cos of cequritey".

      1. bluesxman

        Re: I use KeePass

        Thankfully I'm not in such a locked down environment so can't speak from experience, but I use the portable version of KeePass and would assume (please correct if wrong) that this would work in such a "you can't install stuff" organisation. Unless of course the policies are granular enough to only allow certain EXEs to be run.

        1. Uncle Slacky Silver badge

          Re: I use KeePass

          I've sometimes found it possible to run "foreign" EXEs via the simple expedient of renaming them as something acceptable like "notepad.exe".

          1. Gordon Fecyk
            Stop

            And people wonder why code signing is important.

            I've sometimes found it possible to run "foreign" EXEs via the simple expedient of renaming them as something acceptable like "notepad.exe".

            Yay for code signing.

        2. Dotter
          Trollface

          Re: I use KeePass

          A portable version? So, you don't work in a place that locks down the allowed device categories that you can stick into a USB port?

      2. Bassey

        Re: I use KeePass

        "Oh, you don't work in banking / government / large company where everything is locked down and you're not even allowed to install a non-Microsoft browser "cos of cequritey"."

        I DO work in such an environment and KeePass is the group standard used by all the various bits of IT along with HR and compliance.


    2. The Man Who Fell To Earth Silver badge
      FAIL

      Re: I use KeePass

      My experience has been that the places I worked that had frequent forced password changes were in fact the places it was easiest to log in as my boss. Why? Because by requiring frequent password changes, people start writing their passwords on post-it notes and hiding them in very predictable places. Requiring a password change once a year, and allowing full pass phrases so people can use complete sentences, IMO is the best compromise.

      1. Anonymous Coward
        Anonymous Coward

        Re: I use KeePass

        If they let you plug in your own USB, what's to stop the cleaner plugging in their own USB key logger ;c)

    3. Anonymous Coward
      Anonymous Coward

      Re: I use KeePass

      I use KeePass for quite a few work and personal passwords. Sadly my current employer won't even allow me to plug in a USB stick without several levels of approval and a contract signed in blood that I won't be naughty (but they do require me to access around 20 different systems with complex passwords).

      The solution I ended up with is KeePass on my smartphone with a very complex password. I figure unless I'm incredibly unlucky, anyone stealing my phone won't have a clue how to decrypt the database and I'll probably remote wipe it before they even get past the screen lock.

      KeePass even has dropbox support to sync the database across machines, although I'm not quite ready to trust that yet.

      (Anon because I'm talking about work)

      1. Charles 9

        Re: I use KeePass

        Dropbox sync is actually pretty good. All it usually takes is saving the key database to a Dropbox subfolder (doesn't even have to be public) and it'll sync to the cloud. Your phone can then use a Dropbox sync program to draw the file from the cloud. As for security, the key database is encrypted (full-file encryption) based on whatever credentials you put in to unlock it, so even if someone were to intercept it, they'll likely be stymied trying to decrypt it.

  2. Nuke
    Holmes

    LLoyds Bank Website

    .. was like that at one time. You had to re-enter the password practically every time you did anything on it, almost to move the cursor. It is not so bad now.

  3. The BigYin
    Thumb Up

    Correct Horse Battery Staple

    That is all.

    1. Anonymous Coward
      Thumb Up

      Re: Correct Horse Battery Staple

      XKCD wins

    2. Aaron Em
      Thumb Down

      In fact it is not

      Try getting a user to enter a password like that one in a field with masked input -- without typos -- and then come back here and tell me how fucking smart Randall Munroe is, why don't you?

      1. Graham Dawson Silver badge

        Re: In fact it is not

        Okay, so how do they enter their strong password made up of numbers and letters and a limited set of non-alphanumeric characters in a field with masked input without typos?

        1. Aaron Em

          "[H]ow do they enter their strong password[...]"

          Carefully, that's how, because they can't parse it as anything except individual characters -- which is by design; I'd rather they take thirty seconds to enter their password, and get it right on the first try, than enter it incorrectly a half-dozen times, lock themselves out, and call me up to complain. (They'll complain either way, of course, but the way I do it, they complain less -- which is also by design. Believe it or not, some experience and thought has gone into this!)

          1. Anonymous Coward
            Anonymous Coward

            Re: "[H]ow do they enter their strong password[...]"

            Simple - they cut and paste it in from an MS Word file sitting on their hard drive ... who the hell would actually TYPE such rubbish!

      2. Anonymous Coward
        Facepalm

        Re: In fact it is not

        Aoron - Then learn to type - Seriously it is easier to type "You are an idiot" as opposed to typing "Y0u ar3 a4 1d107" as it is very easy to remember and that being the key. Entropy and typing - embrace them or disinfect your malware ridden puter :p.

        If somebody is incapable of typing in their password, should they be allowed to play with the other workers on a live network - NO.

        1. Aaron Em

          Re: In fact it is not

          ...you can't even spell my name right, and you're going to tell me about strong passwords? Thank God you're here!

          The point, for those thickos who've missed it (which is all of you so far!), is not that I don't know how to type accurately without being able to see what I'm doing -- I'm a sysadmin, of course I can do that. Users mostly can't. Since they're going to fuck up no matter what I give them, increasing the length of the password just makes it that much less likely they'll ever be able to get it right -- whereas, contrariwise, giving them an eight- or twelve-character password that doesn't even begin to look legible will slow them down enough so that they'll have a decent chance of typing it in properly in only four or five tries. ("What if," I hear you asking, "they write it down and put it under their keyboard or in their wallet, then?" -- if they do, so what? Offices have doors that lock, and the odds of someone getting mugged by a technical professional who knows what to do with a pocketed password really aren't all that high -- and a Post-It can't be cracked. Get with the times, kids.)

          None of this ought to surprise anyone who has any experience of dealing with users at all, of course, but then this is the Reg comments; if I didn't want to deal with gratuitous harassment from ignorant dribblers, what would I be doing here in the first place?

          1. Steve Knox
            Mushroom

            Re: In fact it is not

            "The point, for those thickos who've missed it (which is all of you so far!), is not that I don't know how to type accurately without being able to see what I'm doing -- I'm a sysadmin, of course I can do that. Users mostly can't."

            And there's the elitism that our industry is famous for: IT pros are perfect; users are useless. Well, Aaron, fuck you. You're wrong, and you probably know it.

            Show me a study. Show me numbers that prove sysadmins are better typists than average users, and I still won't believe you.

            I deal with "users" on a daily basis, and the ones I know are better at typing than I am, and I'd have no problem with Correct Horse Battery Staple.

            1. Aaron Em

              Fuck me, eh? Class!

              There's that leveller charm! Bitter helpdesk lifer, eh?

              I don't know where you're getting your users, but maybe once you've spent some time supporting, among others, several offices full of blue-haired old ladies who loathe computers with a blinding passion yet must use them nonetheless, you can come back and talk to me some more. 'Til then, you'd do better to remember Wittgenstein's admonishment and keep your ignorant gob shut.

              1. Whitter
                Mushroom

                Re: Fuck me, eh? Class!

                You do remember that IT is a *support* role? Hate your users? Then sod off.

                1. Anonymous Coward
                  Stop

                  Re: Fuck me, eh? Class!

                  You do realise that in IT you have to plan for everything or you're moaned at by people expecting the impossible. Trust me, the term lusers is something that is earned over time. Besides

                  Lusers stands for Local Users.

                  As for IT being a support role, EVERY role in a company is a support role to another department and IT needs support from HR and also needs support from other departments to...bottom line make money as they do directly or indirectly. Everybody supports everybody else and to think of it as a one way relationship is just the wrong attitude to have unless you have low blood pressure.

                  But the big thing to remember is, IT is the only department that can and eventually will replace you, by which time they themselves will be replaced and we can all go on holiday.

                  As for passwords, everybody has their own opinion and in that it is like a religion to so many people. No matter if you believe in passwords or not, you have to respect those that do and that would be the binary overlords.

                2. Aaron Em

                  I don't hate my users

                  I also don't expect more out of them than they're willing to give. Trust me -- I can harp on improved security, et cetera, all day, and if it's too much of a pain in the ass for people to enter their passwords every morning, so that I have to unlock and reset ten or twelve accounts every single day, then improved security et cetera doesn't sway them one damned bit.

                  "How," I hear you asking, "do you know this?" I've tried! Hell, I used to be an XKCD fan myself -- it was trying to implement that particular suggestion, and seeing the utterly disastrous results it produced in terms of user satisfaction and user relationships, that put me off the damned comic in the first place.

                  I mean, honestly! Graham the mirror-shouter excepted, how did you people imagine I came around to the attitude I have on this subject, anyway? Just woke up one morning with a hair up my ass?

                  1. Graham Dawson Silver badge

                    Re: I don't hate my users

                    Given the way you post here it wouldn't surprise me if you frog-marched them all into a small concrete room and screamed at them for an hour about your new security policy before sending them off to the daily waterboarding session.

                  2. Anonymous Coward
                    Anonymous Coward

                    Re: I don't hate my users

                    lol

                    so because you utterly failed in implementing the "system" it must be bad? maybe you just suck very badly at your job.

              2. Chris 3
                Pint

                Re: Fuck me, eh? Class!

                I have a sudden vision of your colleagues' helpless mirth as they arrange for you to be in charge of user support for those 'special users'.

                No, no - don't tell me - you're actually deeply respected at work and they put you in charge of the difficult cases so that you can make use of your special talents.

              3. semprance

                Re: Fuck me, eh? Class!

                Aaron Em: "I don't know where you're getting your users"

                Yeah, you're right, no true scotsman would, would they?

                You know where the door is.

            2. Uncle Slacky Silver badge
              Stop

              Re: In fact it is not

              They're called "lusers" for a reason...

          2. Anonymous Coward
            Anonymous Coward

            Re: In fact it is not

            I worked for a large services company once, on a Security Cleared project, and their documentation actually advised a strong password written on a Post-It note over a shorter less secure memorised one.

            Of course the problem is security in depth: the above assumes your local physical environment is secure (a false assumption). The article author's assumption that the pass that got him in to the building is enough to prove his access to systems (it's not, it's only single-factor).

          3. Anonymous Coward
            Anonymous Coward

            Re: In fact it is not

            Aaron Em's userlist: -

            * Aaron Em

            * Aaron Em's Mum

            "Correct horse battery staple" has only been around about a year. Which of those users tried it once, fucked it up and locked himself out of his encrypted account I wonder.

      3. Anonymous Coward
        FAIL

        Re: In fact it is not

        Correct Horse Battery Staple = Insecure

        Passw0rd! = Secure

        Go figure.

        1. Michael H.F. Wilkinson Silver badge
          Joke

          Correct Horse Battery Staple = Insecure

          That is correct because too many lusers are now using it because they heard it is secure

          Fortunately one login for all except the HPC systems suffices here.

        2. Aaron Em

          Re: In fact it is not

          'Passw0rd!', eh? Bless.

          1. Anonymous Coward
            Anonymous Coward

            Re: In fact it is not

            I can get away with many permutations of Password

            Pa$$word

            P@ssw0rd

            etc

            The annoying thing is the company I work for has implemented SSO for a lot of its systems but still doesn't get about secure ID. I have a secure ID token and I would have thought that this would be an ideal way to authenticate myself to almost all our systems?

        3. Wensleydale Cheese

          Re: In fact it is not

          "Correct Horse Battery Staple = Insecure

          Passw0rd! = Secure

          Go figure."

          From Microsoft Technet http://bit.ly/KGxWq5

          "7 characters Minimum password length

          Password must meet complexity requirements (capital letter, small letter and one digit or non-alphabetic, also not more than 3 characters from the username)"

          With Active Directory as it comes out of the box Passw0rd is fine.
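To make the point above concrete, here is an added example (not the commenter's code and not Microsoft's implementation) that models the quoted out-of-the-box rules as a simple check, beside a length-first policy for contrast. The account name "jsmith", the candidate passwords, and the 16-character threshold are constructed for the demonstration; the username rule is read literally from the quote ("not more than 3 characters from the username") as "no run of 4 or more consecutive username characters", which is an assumption rather than Windows' actual behaviour.

```python
# Constructed example: a simplified model of the out-of-the-box policy quoted above.
# It approximates the quoted rules rather than reproducing Windows' own check:
#   * at least 7 characters,
#   * a capital letter, a small letter, and a digit or non-alphabetic character,
#   * no run of more than 3 consecutive characters taken from the username.


def shares_username_run(password, username, max_run=3):
    """True if the password contains more than max_run consecutive characters of the username."""
    pw, user = password.lower(), username.lower()
    n = max_run + 1
    return any(user[i:i + n] in pw for i in range(len(user) - n + 1))


def meets_ad_default_complexity(password, username, min_length=7):
    """Simplified model of the quoted default policy (an assumption, not the real implementation)."""
    if len(password) < min_length:
        return False
    if not any(c.isupper() for c in password):
        return False
    if not any(c.islower() for c in password):
        return False
    if all(c.isalpha() for c in password):      # needs a digit or a non-alphabetic character
        return False
    if shares_username_run(password, username):
        return False
    return True


def meets_length_policy(password, min_length=16):
    """A length-first policy: long passphrases pass, short mangled dictionary words do not."""
    return len(password) >= min_length


def evaluate(username, candidates):
    """Return {password: (passes_default_complexity, passes_length_policy)}."""
    return {pw: (meets_ad_default_complexity(pw, username), meets_length_policy(pw))
            for pw in candidates}


if __name__ == "__main__":
    # Constructed sample account and the candidate passwords argued over in the thread.
    results = evaluate("jsmith", [
        "Passw0rd", "P@ssw0rd", "Jsmith99!", "correct horse battery staple",
    ])
    for pw, (complexity, length) in results.items():
        print(f"{pw!r:35s} default-complexity={complexity!s:5s} length-policy={length}")
```

Under the modelled default rules "Passw0rd" and "P@ssw0rd" pass while "correct horse battery staple" fails for lacking a capital letter; the length-first check gives the opposite answer. Whichever policy is chosen, the check only constrains the shape of the password and says nothing about how guessable it is.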

          1. Aaron Em

            "Active Directory as it comes out of the box"

            There's your problem right there --

            1. Anonymous Coward
              Thumb Up

              Re: "Active Directory as it comes out of the box"

              LOL yip - ANY software defaults that are not your own standards would be a security oversight.

      4. Anonymous Coward
        Anonymous Coward

        Re: In fact it is not

        Try typing in "Correct Horse Battery Staple" on a smartphone touchscreen, case-sensitive and with masked input, and see how long it takes before you change all your passwords to "sa".

      5. The BigYin

        Re: In fact it is not

        @Aaron Em

        Hate to tell you this...but I use a similar idea for my ma-hoos-ive WiFi password. I don't seem to have any trouble.

        And for SSH passphrases.

        Security is generally a trade off between convenience and, well, security.

        1. The BigYin
          Facepalm

          Re: In fact it is not

          Cripes. I thought people would take this suggestion light-heartedly, not get a bee up their collective arse.

          I would say that a system which considers "pa5$word!" more secure than "HighTreeGiraffeeIcecreamParlour" is fundamentally broken. One might be shorter, but it is a bugger to remember (meaning it will often be written down - security lost); the other is a bit harder to type (meaning it may be entered wrongly once too often leading to lock-out - PITA but security remains).

          And there are other measures too; key-fobs, one-time tables, blah-de-blah.

          Me - I prefer the more complex, long keys as all I have to do is memorise a picture. Heck, I can probably even write them down in ideograms for myself and they would still be secure (I don't do this, however, as pictures fit nicely into the old noggin).

          That is my opinion. It's not wrong, it's opinion and in point of fact it happens to be right because it is my opinion and it applies to me.

          1. Aaron Em

            If that's so, then why

            did you present Munroe's opus as though it were all that needed saying? I believe the exact phrase you used was 'That is all' -- which, as swiftly became obvious, it wasn't.

            Can't speak for why anyone else got cross about it, but for my own sake, I am sick and tired of XKCD fans because they largely behave as though pointing at their favorite "look how smart I am!" cartoon can stand in place of putting some actual thought into anything. Even when Munroe's got the right end of things, which happens less often than his partisans care to admit, he's not God or Donald Knuth. In a case like this one, where there's arguments to be made on either side -- no, I don't agree with the arguments in favor of the "correct horse battery staple" style password, because I've seen them fall flat on their face in the real world, but at least I acknowledge that they exist -- waving your favorite 'toon, in place of showing some evidence of original thought, just makes you look like a fool.

            1. The BigYin

              Re: If that's so, then why

              Why?

              Mostly because systems that demand "w1bbl€!" as a password, rather than what I would consider a "proper" one do my freakin' head in and don't even start me on the ones that have an upper limit of about 16*.

              I was already using a system similar to the one discussed on XKCD (using poetry, if you must know) and was aware of the idea of non-symbolic but long "passphrases" from using the likes of GPG (clue is in the name "passphrase"). The XKCD just happens to be the most well known example AFAIK.

              It is length that is a better measure of password strength, not necessarily complexity. Don't take that up with XKCD, take it up with grc.com and the method espoused by XKCD does lead to easy to remember, long passwords that don't need to be written down.

              If your users have short, complex ones and have to change them frequently; I guarantee they write them down or use some kind of basic system for generating passwords "blah1", "blah2" etc. Both of which negate your security (of course, coercion can always be used to get a password; no matter how secure it is).

              But most of all, I think you need to relax and breathe a little. I'm not the one slinging the insults around.

              *Pretty soon I will start ranting about the cretins who can't validate an email address**.

              **Anyone who thinks they can by definition doesn't know how to validate an email address.

              1. tony2heads
                Go

                Poetry

                I use the initial letters of song lyrics (with an occasional number in there)

                The trouble is I sometimes hum the song (as it has to be one I like so that I can remember it)

                1. I think so I am?
                  Coat

                  Re: Poetry

                  Hah, I used to use telephone numbers and substitute the numbers for letters for old style text phones

                  2= abc, 3= def ..... every repeat number in the string was the next letter

                  07485558471 = 0pgtjkluhq1

                  but now I just use 16+ length passphrases
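The keypad scheme described in the post above, as an added example (not the commenter's code): the transform as stated, plus its inverse. The inverse is the security-relevant part, because every letter sits on exactly one key, so the mapping is lossless and the result can carry no more entropy than the phone number it was made from. The 11-digit sample number is the one from the post; the entropy bound assumes each digit is uniformly random, which real phone numbers are not.

```python
import math

# Letters on a classic phone keypad; 0 and 1 carry no letters and pass through unchanged.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: digit for digit, letters in KEYPAD.items() for ch in letters}


def keypad_transform(digits):
    """Apply the scheme from the post: each repeat of a digit takes the next letter on its key."""
    uses = {}   # how many times each digit has been seen so far
    out = []
    for d in digits:
        letters = KEYPAD.get(d)
        if letters is None:          # 0, 1 or any non-key character is copied as-is
            out.append(d)
            continue
        idx = uses.get(d, 0)
        out.append(letters[idx % len(letters)])
        uses[d] = idx + 1
    return "".join(out)


def keypad_invert(password):
    """Recover the digit string: the letter sets of the keys are disjoint, so this always succeeds."""
    return "".join(LETTER_TO_DIGIT.get(ch, ch) for ch in password)


def entropy_upper_bound_bits(digits):
    """At most log2(10) bits per digit, and that only if the digits were uniformly random
    (constructed assumption); the transform adds nothing on top of this."""
    return len(digits) * math.log2(10)


if __name__ == "__main__":
    number = "07485558471"                     # sample from the post
    pw = keypad_transform(number)
    print(number, "->", pw, "->", keypad_invert(pw))
    print(f"upper bound: {entropy_upper_bound_bits(number):.1f} bits")
```

Because `keypad_invert(keypad_transform(x)) == x` for any digit string, an attacker who knows the scheme need only enumerate phone numbers; the letters are presentation, not secret.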

            2. Graham Dawson Silver badge

              Re: If that's so, then why

              So we reach the crux of it, which is that you just don't like anything that refers to XKCD and you're so determined to hate everything related to Randall Munroe's "opus" that you reject, out of hand, eminently sensible and workable solutions to the whole password problem with the same elitist bullshitting attitude you always seem to have on these forums.

              Now here's the affix: I don't work in anything directly related to IT these days. I got out of it, in part, because of people like you throwing your not inconsiderable weight around every chance you got, insulting everyone who wasn't you as "luser" waste of space morons who obviously have to be nannied through everything - even when it wasn't true. In fact especially when it wasn't true. You are an arrogant little blowhard who has a little bit of power over his domain (oh ho ho) and refuses to accept that maybe, just maybe you might be wrong sometimes.

              What's the biggest single security hole passwords have these days? People writing them down. Why do they write them down? Because they can't remember them. What do we want people to do with their passwords? Remember them and not write them down. On that score alone the regular language phrase is superior to the cryptic nonsense string of characters. People are able to remember phrases because they are semantic. They contain meaning, and meaning is the glue that makes memory stick.

              And in terms of entropy it's a winner again. An 8 character password is easier to brute-force than a 32 character one no matter what characters it's made up from. There is no difference between the strings abababab and nGl04$sh when you are brute-forcing and if you have access to hash tables there's no amount of security that can keep you out over even a short period.

              So it comes back to blocking that one major hole: the user. Your solution ensures that there will always be a human-readable copy of some large portion of your userbase's passwords available on handy little pieces of paper. The regular language solution provides a way to close that hole.

              So as far as I can tell the only reason you have for rejecting it is that you didn't come up with the idea and Monroe did. Which says plenty about you and little about the idea itself.

              1. The BigYin

                Re: If that's so, then why

                "you didn't come up with the idea and Monroe did."

                I actually don't think Monroe did, but I could be imagining things. Can't find a reference just now.

              2. Ken Hagan Gold badge

                Re: If that's so, then why

                "What's the biggest single security hole passwords have these days? People writing them down."

                Seriously, I think I'd need to see the stats to back that one up.

                You need to consider the attack vectors. For something like online banking or internet shopping, the vast majority of attackers are in a different country from the piece of paper where you wrote the password down. If you can live with the inconvenience of being unable to bank or shop except where your piece of paper is, you can make the password as strong as you need.

                In an open-plan office environment, where the attackers are disgruntled or mischievous co-workers (or sub-ordinates), the system probably isn't internet visible and the *only* attackers are ones who occupy the same building as your piece(s) of paper. It ain't such a good system then. At least part of the password needs to exist inside your head.

                1. Graham Dawson Silver badge

                  @Ken Hagan Re: If that's so, then why

                  I didn't see your post before, the righteous fury was clouding my eyes. :)

                  You're right, I guess I was probably overstating the password thing. Claiming X is the single biggest vector is a silly thing to do and I'll try not to do it in future. It's still an issue though, not just in office environments, but anywhere people use complex and hard to memorise passwords.

              3. Aaron Em

                Re: If that's so, then why

                ...you mean you guys actually let random people on the Internet sit there and beat on your login prompts with brute-force attempts? Good God.

                Oh, yeah, Graham! After that, I'm unshakably convinced that you left the IT business because you just so couldn't stand to deal with loathsome assholes like me, and not because, say, you lacked the basic competence to keep every asshole in the world from trying your doorknob as often as he likes. That's a much smaller hole than a few Post-It notes in an office that gets locked up every night. Sure.

                1. Graham Dawson Silver badge

                  Re: If that's so, then why

                  "you mean you guys actually let random people on the Internet sit there and beat on your login prompts with brute-force attempts?"

                  Well if anyone had actually said that you might have a point.

                  Again you're assuming you know everything.

                  1. Aaron Em

                    Re: If that's so, then why

                    Well, OK, fair enough, you just deniably implied it --

                    "There is no difference between the strings abababab and nGl04$sh when you are brute-forcing"

                    No, I don't think I know everything, though given your apparent propensity to get your knickers in a wad, I can see how it'd come across that way. It's just that I don't privilege your bald-faced assertions of how much more you know than I do, over what I've learned through the experience of doing my job -- speaking of which, said job being one you've already admitted you weren't up to, why should I be entertaining your best-practices advice in any case?

                    1. Graham Dawson Silver badge

                      Re: If that's so, then why

                      If by saying I wasn't up to the job you mean I wasn't completely up my own arse then, yes, you're right. I lacked sufficient rectocranial insertion to survive the world of software development.

                      No, I wrote good code. It works, does its job and is secure. I was not the best but I was good. I left because a) people like you kept telling me how to do things despite their claimed solutions being obviously stupid and broken and b) I get better money making holes in people's walls and filling them with copper, with the added bonus of setting my own hours and not having to deal with (a) at all.

                      My assertions are no more beardless than yours: you may believe that your complete knowledge of your own experience makes your claims superior to my own but that simply demonstrates further your apparent inability to understand that other people disagree with you for reasons other than being stupid lusers and XKCD fans. In fact you may be surprised to learn that there are people who have had far more experience of this than you. You're arguing with some of them right now and making yourself look like an arrogant cock in the process.

                      1. Anonymous Coward
                        Anonymous Coward

                        Re: If that's so, then why

                        Oi! Grah and Aaron!

                        Why no icon? In the singular because you should both be using the "get my coat", and in both your cases it'll be a fucking anorak.

                        1. Aaron Em
                          Coat

                          Well I'm not

                          about to argue with that.

                    2. Anonymous Coward
                      Anonymous Coward

                      Re: If that's so, then why

                      re: "...There is no difference between the strings abababab and nGl04$sh when you are brute-forcing..."

                      To be pedantic: A series of lower case characters the same length as a series of random characters, upper case, lower case, numbers and special characters, will be cracked much faster by brute force. This is because you go through all the lower case combinations second, after dictionary derived possibilities. Once you've done that you add in numbers, upper case and then special chars.
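The disagreement above (whether "abababab" and "nGl04$sh" cost an attacker the same, and where "correct horse battery staple" and "Passw0rd!" sit) comes down to which search model the attacker uses. The following is an added example, not code from any commenter, that puts numbers on the three models mentioned in the thread: a staged brute force that only adds a character class once it is needed, a word-list search for passphrases, and a dictionary-plus-mangling-rules search for "Passw0rd!"-style passwords. The word-list size of 2048 follows xkcd 936's estimate; the 50,000-word dictionary, 1,000 mangling rules and 10^9 guesses per second are constructed assumptions chosen to be plausible for an offline attack on a fast hash, not measurements.

```python
import math

# Constructed modelling assumptions (not figures from the thread):
CHARSET = {"lower": 26, "upper": 26, "digit": 10, "special": 33}  # 95 printable ASCII
WORDLIST_SIZE = 2048        # xkcd 936's "common words" list, about 11 bits per word
DICTIONARY_SIZE = 50_000    # size of a cracking dictionary of plain words (assumed)
MANGLE_RULES = 1_000        # substitution/suffix rules tried per dictionary word (assumed)
GUESSES_PER_SEC = 1e9       # assumed offline guess rate against a fast, unsalted hash


def charset_classes(pw):
    """Which character classes the password uses; a staged brute force adds a class only once needed."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(not c.isalnum() for c in pw),
    }


def bits_random_string(pw):
    """Entropy if each character were drawn uniformly from the classes the password uses.
    This is the staged-search view from the thread: 'abababab' is covered by the
    lower-case-only stage, 'nGl04$sh' only once all four classes are in play."""
    present = charset_classes(pw)
    alphabet = sum(size for name, size in CHARSET.items() if present[name])
    return len(pw) * math.log2(alphabet)


def bits_passphrase(n_words, wordlist_size=WORDLIST_SIZE):
    """Entropy of n words picked uniformly from a word list the attacker also has."""
    return n_words * math.log2(wordlist_size)


def bits_mangled_word(dictionary_size=DICTIONARY_SIZE, rules=MANGLE_RULES):
    """Entropy of one dictionary word with one mangling rule applied ('Passw0rd!' style)."""
    return math.log2(dictionary_size * rules)


def crack_time_seconds(bits, rate=GUESSES_PER_SEC):
    """Expected seconds to find the password: half the space at `rate` guesses per second."""
    return (2 ** bits) / 2 / rate


def compare():
    """Return {label: (bits, seconds)} for the passwords argued over in the thread."""
    cases = {
        "abababab (8 lower-case)": bits_random_string("abababab"),
        "nGl04$sh (8 random printable)": bits_random_string("nGl04$sh"),
        "correct horse battery staple (4 common words)": bits_passphrase(4),
        "correct horse battery staple (seen as 25 random letters)":
            bits_random_string("correcthorsebatterystaple"),
        "Passw0rd! (dictionary word + one rule)": bits_mangled_word(),
    }
    return {label: (b, crack_time_seconds(b)) for label, b in cases.items()}


if __name__ == "__main__":
    for label, (b, secs) in compare().items():
        print(f"{label:58s} {b:6.1f} bits  ~{secs / 86400:.1f} days")
```

Read the output against the thread: the 8 lower-case characters fall in minutes and the 8 random printable ones in weeks, so the pedantic reply is right that they are not the same; the four-word phrase, at about 44 bits, sits between them against an attacker who knows the word list, far above a mangled dictionary word, and becomes astronomically strong only if the attacker does not know it is made of words. The lesson for a defender is that length and generation method, not the character classes present, decide the cost, and that a slow, salted password hash moves every row by the same factor.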

                2. Anonymous Coward
                  Anonymous Coward

                  Re: If that's so, then why

                  Good god. You can be brute-forced from 1000 different ip addresses on 1000 different networks with just a single probe from each. How the hell do you prevent that on a system that is publicly available and is designed to allow remote access?

    3. Anonymous Coward
      Anonymous Coward

      Re: Correct Horse Battery Staple

      Whatever muppet voted this down is a clueless muppet when it comes to IT security - Your name Jessica Harper perchance - whoever you are. Now she was shit, finally justice :)))))))

    4. Anonymous Coward
      Anonymous Coward

      Re: Correct Horse Battery Staple

      Leaving aside the issue of 'finger memory' (see Verity Stob, recently), the perfectly reasonable long, all-lower-case, real-word-containing password is simply not allowed by the vast majority of password systems I've had to use, because it fails complexity requirements. People are entirely capable of typing in short phrases without error, but it doesn't matter because no-one will allow them to.

      1. Robert Carnegie Silver badge

        Re: Correct Horse Battery Staple

        isirta

        Why not? Well, it isn't enough characters. Also it stands for [I'm Sorry I'll Read That Again], the quite rude and weird radio comedy show mostly from the 1960s with the Goodies -and- John Cleese and Humphrey Barclay and... oh, look it up.

        Maybe it's foolishly optimistic but I'd propose that a user should be allowed to tick a box to say that they understand why a really strong password is important, and then pick their own anyway - like that.

        We have to use 8 characters mixed-case and a number and change once a month. I have RSI and I can't get to my keyboard-alternative without typing a password first. I get through it by pretending that the letters are a swear-word, and the number... my secret. (I hope.)

    5. Anonymous Coward
      Anonymous Coward

      Re: Correct Horse Battery Staple

      For anyone who hasn't seen it yet. http://xkcd.com/936/

      One of the many, many times XKCD has made me sit up and think.

      1. Anonymous Coward
        Anonymous Coward

        Re: Correct Horse Battery Staple

        My new password for everything: aaronemwas beingamassivecocktoday.

        And I mean everything.

  4. Anonymous Coward
    Joke

    Use two-phase visual login

    Use two-phase visual login. You first show a picture of yourself and for the verification your secretary has to show her tit. This then logs you in and also verifies your identification with the added human component.

    But on a non-deemed-sexist (had I switched roles - nobody would have thought it to be sexist - funny that) idea.

    Why don't they combine the ID cards you need to use the company toilet et al as a proximity login that also has you type in your Mickey Mouse password. AND this is the best part - the security IDs are not allowed to leave the building (beeps and flashes and locks the doors if you try) - they are left with the security receptionist who each morning looks at you - and hands you the ID with your picture on it. Genius and clearly so complicated that it's insulting to receptionists that they are not already given this role.

    We then have a system that has verified identity, reduced loss of security passes and also security passes that, if somebody leaves the company on short notice, are not left out in the wild. Also on top of that you can still use the same password over and over again as long as only you know it, as it is just icing on a rather nice cake.

    Back in the old days, people had like physical security and things with keys - believe they were called offices and they did work. Nowadays with this modern assimilation of battery farm office spaces that would make a chicken blush we find this solution is now impossible and remarkably we now need to find a new solution.

    Personally - go old-school - give your staff the space they deserve and don't make them have to use toilet cubicles with a laptop and mobile just to get a sense of space.

    1. Wensleydale Cheese

      Re: Use two-phase visual login

      @PXG

      "Why don't they combine the ID cards you need to use the company toilet et al as a proximity login that also has you type in your Mickey Mouse password."

      We had this more than a dozen years ago when I worked at a bank. We had a personal smart card which plugged into a reader attached to your PC before you logged in. You entered the master password for the card and it logged you on to your workstation. It could also save login credentials for Windows apps and websites and fill them in for you at the appropriate prompts in the same way that modern browsers do. These cards were separate from the ones used to gain access to the building.

      If you needed to leave your desk for any reason, you just pulled the card from the reader and the password protected screen saver automatically kicked in.

      These were separate from the cards used to access different buildings and server rooms.

      Another part of that solution was that if you used your card to log in at another computer in the company, say in one of the training or presentation rooms, it would promptly download and install the apps you were authorised to use, along with the settings you had on your main PC. This was great for monitoring the systems I was managing while attending a course.

      The technology is out there if you look for it.

      1. Anonymous Coward
        Thumb Up

        Re: Use two-phase visual login

        Oh yeah I know the ability is out there, saw what you outlined at Infosec in 1998/1999 (one of those years) and wasn't new then.

        The real crux is that these ID login cards are often very anonymous in looks and in that I mean have no picture of the user. This prevents them being used as building entry IDs where humans are involved (can still use as swipe cards/proximity still).

        I have also found that places that use these tend to place the physical security of these down to the user and allow them to go to lunch with it in their pocket or take it home or have it on the ID keychain with their security pass. This leaves the RFID variations open to being cloned - not many employers I know of that hand out RFID security tokens also offer you a shielded wallet to keep them in, don't cost much for them either - just not enough news headlines to drive that market into reality, just yet.

        Point is that most RFID/login computer cards/physical keys handed out to users only have their added security diminished as they're allowed out of the building and/or at best they get left under the keyboard/in the top drawer of the desk.

        What I have not seen is one that is also a security ID and you are verified by a human when you enter the building who then hands you your ID and you hand it back when you leave the building. Something as simple as that. Sure I would love a system of plastic cards that had a digital ink that were generated when you entered the building. So reception/security takes a new picture every day so your picture actually reflects what you look like and not what you looked like before you went on holiday last week etc etc. That would be nice, some would say annoying and sadly that is the way of life.

  5. Jim 59

    Well written article, good pictures.

    "...likelihood of a civil servant leaving my 'strong' password on a USB stick in the back of a taxi or a sacked call-centre underling in Bangalore selling my 'strong' password to the highest bidder."

    Passwords don't work like that. The Man does not have your password, so he can't leave it on a USB stick. The System does not store your password, so the underling can't sell it.

    1. Anonymous Coward
      Anonymous Coward

      "The System does not store your password"

      But oh so depressingly often, it does. People are happy to store your password in plaintext, and just as happy to email it to you as a reminder, also in plaintext. You cannot assume that third parties are following the bare minimum of best practice, and you probably already know that your employers are not.

    2. Alistair Dabbs

      I am only allowed a limited number of words to discuss my topic of the week. In this instance, passwords are an analogy for all forms of security in that they are utterly useless because they rely on blind trust. My wife once checked into a hotel on business and, as is standard practice, allowed the receptionist to make a copy of her VISA card as 'security'. Within half an hour (as we discovered when the bill turned up a month later), one of the hotel staff was using my wife's VISA card details to buy himself plane tickets, clothes and all manner of other shit. Passwords are just the same. If you think passwords are somehow protected from humans seeing them or recording them or backing them up or printing them out for their mates, you are living in a land of self-delusion.

  6. 0765794e08
    Megaphone

    Yes, passwords are annoying...

    ... but what really annoys me is sites that, for some inexplicable reason, force you to use weak passwords. And by weak, I mean short.

    For example, National Savings & Investments (NS&I) limits their account password to a measly 8 characters. If you use Tesco.com, you’re stuck with a maximum of 10 characters for your password.

    Rather than bemoaning having to use strong passwords, I think it would be more productive to name and shame the silly companies that don’t even give you the option of choosing a strong password.

    1. HipposRule

      Re: Yes, passwords are annoying...

      Probably depends on what you are really logging on to. Not sure about all, but iSeries (AS400) is a max of 10 for both username and password.

    2. Anonymous Coward
      Anonymous Coward

      Re: Yes, passwords are annoying...

      Sites like this limit the maximum length of passwords for the simple reason that people can't remember long passwords. I have a long WiFi password, I used song lyrics, it turns out that even if I actually tell people what it is, tell them the places where people often go wrong (spaces? No spaces? Is it an "a" or a "the" at that part of the lyric) even if I write it down, no-one has managed to correctly enter it. It's only 10 words, two lines of a fairly well known musical. People who can't touch-type simply can't enter long passwords when they're *ed out.

    3. Shooter
      Unhappy

      Re: Yes, passwords are annoying...

      I've run across a depressing number of financial/retail sites that don't allow punctuation or special characters in their passwords...

  7. Aaron Em

    Dabbs again?

    Crowbarring open a designated-whiner-for-the-users niche here at the Reg, I suppose, because that's exactly what a red-top tabloid for IT professionals desperately needs to have.

  8. Anonymous Coward
    Anonymous Coward

    Post-It notes and

    The other problem with forcing users to have too many strong passwords is that they will inevitably write them down, typically on a Post-It note stuck to their monitor or in the pen drawer of their desk pedestal unit. Many of them are quite aware that this may be against the house security policy but they are also aware that the main reason for the plethora of passwords is that different parts of the organisation refuse to cooperate with each other for political reasons.

    Another problem is when the corporation's big knobs demand exemption from the corporate security policy and then proceed to use some weak password that they use everywhere. This was exactly the case at my previous contract: the head honcho had his secretary's secretary order the IT manager to allow the use of "the same 4 digit password that he uses for everything". The IT manager resisted bravely for a few minutes but capitulated when he remembered the fate of former rebels in management.

    1. Dave 126

      Re: Post-It notes and

      The same 4 digit password, you say? I can imagine the BOFH having some fun with that!

  9. Anonymous Coward
    FAIL

    Pot... meet Kettle

    Seriously Reg, how you can have the gall to publish an article criticising anyone else's login/password failings is beyond me. Especially when your own website has about eleventy-billion completely pointless separate subdomains, all requiring individual logins - and there are Alzheimer's-afflicted goldfish with better recall than your login cookie's "remember me.." option.

    Title says it all.

    [Had to login for about the fourth time today, to post this]

    1. Anonymous Coward
      Thumb Up

      Re: Pot... meet Kettle

      Madra - If you ever stand as an MP or in any political capacity, then you can count on my vote as somebody who can cut through the mustard.

      On a plus side (so far) I have been asked if I care about cookies and this has only been the once, thus far touch wood (on the internet this turn of phrase is often understood and if it is you only have yourself to blame).

      1. Anonymous Coward
        Facepalm

        Re: Pot... meet Kettle

        [edit] s/understoon/misunderstood/

        sorry

  10. Paul Smith
    FAIL

    security joke

    The worst security joke I have encountered so far was when I contracted for an international business machine manufacturer. They had just installed a very new and very expensive mainframe in the basement of one of their national HQs. To get to it you had to swipe a card to get through the first door, be physically signed in by a rented uniform, and swipe a different card and enter a challenge response password to get through a second door. And repeat the process to get out again.

    There were no toilets in the basement.

    By the third day of operation, we had a rota where whoever's turn it was had to go through the security procedure to get out again and go up to the second floor toilets. They then had to work their way down through the fire escapes, wedging the doors open with ash trays, until they were back in the computer room. Then go all the way back up to the toilets and come back through the official security channels. That department was later criticised for not showing initiative.

    1. Anonymous Coward
      Thumb Up

      Re: security joke

      Oh I completely believe this.

      Toilets and cigarettes have been the durge of security in so many areas for a while and this was before the smoking laws came into effect. See that fire door with sensor - if you put duct tape over that sensor then we can smoke all we like without grief from alarms going off in reception.

      Though days like this you can just play an ice-cream truck ringtone out loud near a fire-exit and stand a fair chance of having it opened for you :).

      1. Anonymous Coward
        Anonymous Coward

        Re: security joke

        So true about the fire doors...

        The last place I worked the idiots in the warehouse continually left the doors open (because it was either too hot or they were just too lazy to close them) and then wondered why so many times things were stolen. Numerous times I left the building in the evening to see the doors left open because none of the warehouse staff closed them when going home.

        I've also visited the pharmacy departments of countless UK hospitals and while most have security doors, signing in and out at the front, and expect "all staff to challenge visitors", they conveniently leave the rear delivery door open due to frequent deliveries throughout the day and maintenance / cleaning staff needing access to remove rubbish (mostly packaging). You could walk into most of these and as long as you look confident and vaguely business-like you'll be ignored every time. It's not just the Controlled Drugs that are valuable either; frequently the price of a single pack of drugs is over the £100 mark and one person can easily pick up 3 or 4 cases containing 20 or so packs in each.

        1. Wensleydale Cheese
          Go

          Re: security joke

          Another story about open doors.

          At one customer I had to be signed in to the server room every time. That was fine until the time we did some weekend work. Little did I know that the operators cleared off half way through Saturday afternoon and I couldn't get access to bring the production system back online.

          I rang my contact at his home to ask to be let in. He told me about the loading bay door at the back, and sure enough it was left open.

    2. Anonymous Coward
      Anonymous Coward

      Re: security joke

      I used to work at a company who had a super secure R&D area. To access it you need an ID card and finger print check. Except you didn't. In the delivery bay there is a locked door which is unlocked by a motion sensor for people coming out of the secure area. People would rarely come out of that door because there are more convenient ways out. But anybody walking past it would unlock it. So if you forgot your pass all you had to do was stand by that door until it was triggered. For your added convenience a green light would come on when it is unlocked, so you didn't even have to stand conspicuously close enough to hear the click of the lock.

      After I left I heard they had quite a major confidentiality leak in that place. Their solution was to frost the windows of the R&D area.

  11. burnard

    People not passwords = security

    It doesn't matter if the password is simple. Just block brute-force attacks and only allow 3 attempts before a reset. Simples.

    I enjoyed the rant. I would add the point that forcing people to have so many logons forces them to use a simpler password or set of passwords than they might normally do. If I only have to remember one or two passwords then they can be complex.

    Also users need showing how to build complex passwords....i.e. swapping "e" for "3" for example. It's not rocket science.

  12. John 110
    Facepalm

    or you could...

    ...implement single signon like we have. It remembers all your passwords for you and types it in to your sensitive applications, even if you're not there (if you forget to lock your PC - like most people here). Abusive email to the Director - no problem, he won't even know it was you.

  13. Christian Berger

    It's a question of password management

    First of all, don't make the requirements too strong. If you want your people to have at least 3 digits and 3 letters in their passwords, and they need to change them every month, you'll end up with passwords like June2012.

    In some cases it may be wise to write down passwords onto a sheet of paper you carry around with you, or even a plain passwords text file. However those instances are rare and need to be well thought out. Don't put such a file onto a computer you neither can secure nor own. (e.g. an iPhone)

    However the main point is to use public key authentication whenever possible.

  14. Andy Farley

    In user testing

    For websites we found most people have 3 passwords of various complexity that they always re-use. Force them to do something else and they forget them and are likely to use a standard guessable one. IOW, let people enter what they want to enter.

    I'm all for password unblanking functionality as well. Off by default but if you're at home what does it matter if the cat can see over your shoulder? How many of us are in cyber-cafes logging in anyway?

    Password blanking is the illusion of security, nothing more.

    1. Wensleydale Cheese

      Re: In user testing

      @Andy Farley

      "I'm all for password unblanking functionality as well."

      I agree and I use it for the long pass phrase I use in various places.

      When I'm at home, nobody else can see my screen.

      At work, there's a solid wall behind me, so the same applies.

  15. Anonymous Coward
    Anonymous Coward

    Sections 43 & 44 of the Terrorism Act 2000

    Having 13 passwords at work is good practice from a security point of view, but the people who implement these things tend to be strange people who are neither like, nor quite understand, normal human beings.

    Ultimately, you need to balance security with employing normal members of the public who are doing normal office jobs. All these weirdos do is breed contempt for employers and cause stress to normal human beings.

    You don't need to protect your own IT systems from your regular employees (unless your HR department and security staff on the door have failed to do *their* jobs already), only spies and rogue employees, who'll still find a way around 13 passwords to do bad deeds.

    Sadly, I've met too many of these obsessive IT systems admins or people with some kind of say over how IT works in an organisation, and they're generally highly paranoid individuals who think every other colleague is either corrupt, incompetent, an arsehole, part of a clique, clueless, or uses some other trick to hoodwink everyone else into employing them. They see themselves as the only person in the whole company who does their job well and takes things seriously, the irony being that they're almost always clueless themselves or take weeks to do what normal IT staff do in an hour.

    Like I said, it would be great for security if everyone had to remember 50 passwords and change them all every day, but what kind of life would that be for a human being?

    If you want to roll out IT systems that have inherent flaws that need 13 passwords to fix, you need to fix the IT system, not the humans. It's like Black & Decker expecting their customers to be genetically altered so that their hands better fit the designs of their tools, rather than redesigning their tools to fit human hands.

    All of which makes me think that one day babies really will be microchipped so that computers can detect who's using them and work out whether that person should/can be where they appear to be...

    It'll be like Terminator, but without Skynet.

  16. Anonymous Coward
    Anonymous Coward

    i use a commercial password manager

    Of course, since I'm the system admin and network admin, it does serve to protect system passwords that need to be accessed by users other than myself. Fortunately, it comes with the option to allow users to store personal (business personal?) passwords. I use it to store everything, since I'm in charge. My only problem with the application is that while I can search for any of the system userids that I have stored, it doesn't have a similar function to search my personal passwords....and I have over 70.

    Every website gets its own username (email address...I'm the email admin as well) and password.

    The only ones I have issues with are those that limit the length. For those, I just generate a long password and in the account notes indicate how many characters to actually use.

    If you care which one I use, I'll post it.

  17. Tom 38

    This is why the world is slowly moving to identity management

    SSO is the future, but for SSO to succeed properly, we all need to pay attention to proper identity management. Many consumer facing websites (and almost all 'social' apps) will now support login via OAuth from Google or Facebook. This is good, but limits a user to sites that support their chosen identity provider.

    What needs to improve is WAYF protocols to allow a site to say "Okay, I need to identify you, but I don't really mind who does it", allowing all identity providers to be amalgamated into one true identity source, minimising the work required for both service providers and identity providers.

    SSO - particularly SAML - has been made obscenely complex by tool makers (Sun, MS, et al) who have a vested interest in making the protocols so complex and fiddly that in order to implement them properly, you need their libraries to do it, and their tools to produce the metadata. The tag line should be "SAML - from the same people who brought you SOAP".

    SAML also has one of the most bizarre transports known to computer science - PAOS, or 'Reverse SOAP'. Eurgh.

    1. Charles 9

      Re: This is why the world is slowly moving to identity management

      The trouble with that approach is that people are getting leery about trusting the SSO providers. Almost all moves towards simplification involve trusting some third party in an atmosphere that's steadily progressing towards "Trust No One" (as "trust" facilities get big bulls-eyes on their backs for industrial spies).

  18. Uplink
    Go

    Passwords are the past

    With the development of smartphones and other portable kinds of computers, I do have to wonder why we are still using passwords. Why can't we have something like a general hardware token, like the ones some banks give out, but general? It can be your smartphone with a "Google Authenticator"-style application. One that works like this:

    1. Generate a public/private key pair (say, with PGP or similar)

    2. Upload the public part to the website or service where you need to authenticate yourself.

    3. Put the private key in your smartphone in secure storage (not your SD card, although if it's encrypted I guess it can go there too).

    4. Each time you need to log in, you pop your smart phone app up, you enter a password (or screen pattern) to obtain access, then generate a six digit code (that lasts 30 seconds) that you input into the service/website to gain access.

    If you're paranoid, you could store a key pair for each service you use, and then select it from a list after you unlock your app. There are also plenty of other ways to be even more paranoid: make the password not work unless your bluetooth headset is connected to your phone too for example, but then you'd only have to secure your own phone in the most paranoid way thinkable, not the entire Internet per individual user.
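    The "six digit code (that lasts 30 seconds)" in step 4 above is what a Google Authenticator-style app produces with RFC 6238 TOTP. The following is an added example, not code from the post or the article, showing that derivation together with the server-side check a defender wants: a small clock-skew window and rejection of a replayed code. It assumes a shared HMAC-SHA1 seed (how TOTP actually works) rather than the post's public/private key pair, and the seed used is the RFC 6238 reference-vector value, a constructed test seed and not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # the 30-second code lifetime described in the post
DIGITS = 6          # six-digit code


def secret_from_base32(encoded: str) -> bytes:
    """Decode the Base32 seed an authenticator app is provisioned with."""
    return base64.b32decode(encoded.upper().replace(" ", ""))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits (left-padded with zeros)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_accepted_counter: int = -1, skew: int = 1):
    """Server-side check of a submitted code.

    Accepts the current window plus `skew` windows either side (clock drift),
    and never accepts a window at or before the last one already accepted, so
    a code captured from the user cannot be replayed within its 30-second life.
    Returns (ok, new_last_accepted_counter); the caller persists the counter.
    """
    current = unix_time // STEP_SECONDS
    for candidate in range(current - skew, current + skew + 1):
        if candidate <= last_accepted_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return True, candidate
    return False, last_accepted_counter


if __name__ == "__main__":
    # Constructed demo seed (RFC 6238 reference vector "12345678901234567890").
    seed = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(seed, now)
    ok, last = verify_totp(seed, code, now)                 # fresh code: accepted
    replayed, _ = verify_totp(seed, code, now + 5, last)    # same code again: rejected
    print(code, ok, replayed)
```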

    1. The Serpent

      Re: Passwords are the past

      Your password-free system requires a password

  19. Anonymous Coward
    Anonymous Coward

    I sympathize with the author - and I work in IT Security myself. Many of the "security procedures" that make life difficult for the users are in fact adding very little value - if any - in term of security.

    I would rather have users using long strong passphrases which are only renewed every 6 or 12 months. Double that with single-sign-on or identity federation, hunt and eliminate the situations where the users are forced (even if just for convenience) to share passwords with others (not by punishing the users, but by finding out why the sharing was needed in the first place, and offering an alternative secure way of working).

    There are many technologies which can actually simplify the life of the users - and increase their productivity as a result. But, from my experience, the biggest obstacle in deploying those is... wait for it... The Management! On more than one occasion I've seen amazing short-sightedness, in the name of "cost savings" and "efficiency".

    That, my dears, is the real challenge.

  20. Anonymous Coward
    Anonymous Coward

    I use Password Safe but there's some danger in that also if your computer is compromised, it's game over for all your accounts, many of which may be sensitive.

    I'd be interested in a small device with no network connectivity to hold your passwords in an encrypted database like password safe. Select a password and have it display a QR code. Scan the code with your phone or with a cheap (hypothetical) USB device on PC and the password is copied to the clipboard. It's a few extra steps but at least it gives you a way to store your passwords and access them without losing all of them if desktop/phone is compromised.

    Provide some way to connect the device to a PC to backup the database but be careful not to allow the device to be backdoored this way if a person had physical access.

    1. Anonymous Coward
      Anonymous Coward

      Hmm...

      The trouble with putting something into the clipboard is that it's still in memory, unencrypted. If your machine is compromised, it's still fairly easy to find. I'm not sure what the best way to do it would be, possibly an app that puts the password directly into the password field in the web site you are visiting and instantly submits the page would work. However, I suspect that this would be compromisable as well, even if you're using in-private browsing or its equivalent.

  21. johnwerneken
    Trollface

    I know the firm...it was El Reg!

    Been El Reg 'registered user' since Christ was a corporal. To comment, Reg website wanted me to sign up as a NEW USER, which I attempted to do, using the same decades-old primary email address. Now it says, that one is taken, please log in...

    It must be AWFUL to work there! ROTFFLMFAO

  22. Anonymous Coward
    Anonymous Coward

    Mostly a user

    I run most of the daily IT in our service team.. I'm a skilled amateur, no more. I know my stuff well enough to know when to call for help, and more important, well enough to know when to tell the help to call for their help.

    But 90+% of my time is as a user.

    And between the two roles I have plenty of experience in password issues.

    So,

    Users are indeed all of the staff who do the work of the organisation - but most of the users are usually not the IT department and some of them are doing the core business that the organisation is there for. Front line staff get their jobs because they are meant to be good at what they do. Not because they are good at remembering the housekeeping. So we shouldn't be surprised if they hate long complicated passwords, especially ones that only appear as a row of *********s, so they keep them simple, write them on Post-its or tell their admins. (Our admin keeps a log book of managers' user names and passwords locked in her drawer). Some probably have their PA log in for them in the morning, anyway..

    Staff are always running up against deadlines (that probably includes you too).. This is partly (mostly) because managers estimate how long a job should take without allowing for the bits of admin that the rest of the organisation demands, which means not only the log-ins to all sorts of software, but all sorts of returns and accounts and check lists, all of which eat into the time that they have to do the actual job. Your important security protocol may be the first one of a long list of things they need to do, before they get on with the actual work. I once had to point out to a manager that we were spending so long doing tasks related to "being accountable" that there was no time left to do the thing we were accountable for.

    So getting the password wrong three times because we couldn't remember if it was N0v3mbER or N0vembe7 and anyway, we don't know what we typed because it's all a row of stupid *******s, then spending 10 minutes calling IT and a further 30 waiting for them to reset the password and then being forced into choosing a new instantly forgettable one.. just isn't a good option.

  23. JeffyPooh
    Pint

    Keyboards are the weakest link

    Do you trust your keyboard? You keep typing all your passwords into it.

    More generally, I am pretty certain that Gödel's Incompleteness Theorem can be mapped to Computer Security thereby proving that perfect computer security relying only on computers is an impossibility. The reason that I'm not perfectly certain is that darn Gödel again.

  24. Daniel B.
    Boffin

    Nice

    Looks like I'm not the only one complaining about this, and I *work* as an IT Security Consultant. In fact, I recommend against having retarded password policies that encourage bad practices, like the ones having corny restrictions like "password must have 4 different letters not swapped more than 3 times with the previous password, not look alike when crosseyed to your last 7 passwords" and similar stuff. The zillion password problem should be solved for a large organization using LDAP and syncing that to the oh-so-awful AD. But few to none companies do that, so it gets annoying...
