Don't shame idiots about their idiotically weak passwords

Attempting to scare people by telling them their password choices are stupid or easily guessable is counterproductive, because it serves only to reassure them that they are just like everyone else. By saying users are stupid, you perpetuate a stereotype that people are the problem, according to Dr Jessica Barker. Security …

Re: It was Ubisoft.

You can add Genting's online casino to that, amongst others. It allows you to create a long password, but then the standard login form and mobile page tell you the maximum is 16 characters. Switch to an alternative login page (possibly the password reset one) instead of the popup and suddenly the long password is acceptable.

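The mismatch described in the comment above (a long password accepted at registration, then a 16-character cap on one of the login forms) is a bug class worth reproducing end to end. The following is an added example, not Genting's code and not anything from the article: a constructed in-memory credential store, a buggy pair of login paths that each apply their own length rule, and a fixed path where a single server-side check rejects over-long passwords instead of truncating anywhere. The username, the limits and the hashing parameters are assumptions.

```python
"""Added example: one password, two entry points, two length rules.

Constructed demo, not Genting's code. The 16-character cap comes from the comment
above; usernames, the 128-character limit and PBKDF2 settings are assumptions.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000          # demo setting; tune for your hardware


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class CredentialStore:
    """In-memory username -> (salt, hash) table standing in for the real database."""

    def __init__(self) -> None:
        self._rows: dict[str, tuple[bytes, bytes]] = {}

    def create(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._rows[username] = (salt, _derive(password, salt))

    def verify(self, username: str, password: str) -> bool:
        row = self._rows.get(username)
        if row is None:
            _derive(password, b"\x00" * 16)   # spend the same time for unknown users
            return False
        salt, expected = row
        return hmac.compare_digest(_derive(password, salt), expected)


# --- The bug: each entry point applies its own length rule --------------------
SIGNUP_MAX = 128          # the registration form happily takes a long password
POPUP_FORM_MAX = 16       # the popup/mobile login field is capped at 16 characters


def signup(store: CredentialStore, username: str, password: str) -> None:
    store.create(username, password[:SIGNUP_MAX])


def login_via_popup(store: CredentialStore, username: str, password: str) -> bool:
    """What the server sees after an <input maxlength="16"> has done its work."""
    return store.verify(username, password[:POPUP_FORM_MAX])


def login_via_reset_page(store: CredentialStore, username: str, password: str) -> bool:
    """The alternative page has no such cap, so the full password reaches the server."""
    return store.verify(username, password)


# --- The fix: one server-side rule, applied before hashing, that rejects rather
#     than truncates, and one verify path that every form calls ----------------
MAX_PASSWORD_LEN = 128    # assumption; SP 800-63B asks that at least 64 be accepted


def check_length(password: str) -> str:
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError(f"password longer than {MAX_PASSWORD_LEN} characters")
    return password   # returned unchanged: never silently shortened


def signup_fixed(store: CredentialStore, username: str, password: str) -> None:
    store.create(username, check_length(password))


def login_fixed(store: CredentialStore, username: str, password: str) -> bool:
    try:
        return store.verify(username, check_length(password))
    except ValueError:
        return False


def demo() -> dict[str, bool]:
    """Reproduce the symptom from the comment, then show the fixed path agreeing."""
    long_pw = "correct horse battery staple and a bit more"   # 43 characters
    buggy = CredentialStore()
    signup(buggy, "alice", long_pw)
    fixed = CredentialStore()
    signup_fixed(fixed, "alice", long_pw)
    return {
        "popup_accepts": login_via_popup(buggy, "alice", long_pw),            # False
        "reset_page_accepts": login_via_reset_page(buggy, "alice", long_pw),  # True
        "fixed_accepts": login_fixed(fixed, "alice", long_pw),                # True
        "fixed_rejects_prefix": login_fixed(fixed, "alice", long_pw[:16]),    # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

An HTML maxlength attribute is a client-side convenience, never the rule; the rule lives in one function the server applies identically to sign-up, login and reset. The same class of bug exists on the hashing side: bcrypt ignores everything past 72 bytes, so a long password protects less than the user believes unless input is rejected or pre-hashed before it reaches bcrypt.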

Re: Oh, I think I know the place!

I worked for a company that had somewhat similar terrible rules. A user eventually figured out how to make it easy.

Month 1 password = AAAAAAAA

Month 2 password = BBBBBBBB

Month 3 password = CCCCCCCC

and so on. Worked a treat; even I could remember my password!

After 12 months back to AAAAAAAA

This was for the JDE accounting software on IBM.

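The monthly AAAAAAAA / BBBBBBBB / CCCCCCCC cycle above is exactly what a change-time check has to catch: exact reuse after twelve months, plus the trivial derivations users reach for in between. This is an added example, not JDE's or IBM's password policy. At change time the current password is available in plaintext (the user has to supply it), so it can be compared for similarity; older passwords exist only as salted hashes, so those can be checked for exact reuse alone. The history depth, the edit-distance threshold and the sample passwords are assumptions.

```python
"""Added example: reject a new password that is a trivial derivation of the old one.

Constructed demo, not JDE's or IBM's code. History depth, edit-distance threshold
and PBKDF2 settings are assumptions.
"""
import hashlib
import hmac
import os
from typing import Optional

HISTORY_DEPTH = 12          # assumption: remember a year of monthly changes
MIN_EDIT_DISTANCE = 3       # assumption: fewer than 3 edits counts as "the same password"
PBKDF2_ROUNDS = 50_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Salted hashes of the last HISTORY_DEPTH passwords, newest last."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        self._entries: list[tuple[bytes, bytes]] = []

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _derive(password, salt)))
        del self._entries[:-self.depth]          # keep only the newest `depth`

    def contains(self, password: str) -> bool:
        return any(hmac.compare_digest(_derive(password, salt), digest)
                   for salt, digest in self._entries)


def levenshtein(a: str, b: str) -> int:
    """Minimum single-character edits turning a into b (classic O(len a * len b) DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_constant_shift(old: str, new: str) -> bool:
    """AAAAAAAA -> BBBBBBBB: every code point moved by the same offset."""
    if not old or len(old) != len(new):
        return False
    return len({ord(n) - ord(o) for o, n in zip(old, new)}) == 1


def only_counter_changed(old: str, new: str) -> bool:
    """Winter2017 -> Winter2018: identical once trailing digits are stripped."""
    stem = old.rstrip("0123456789")
    return bool(stem) and stem == new.rstrip("0123456789")


def check_change(old: str, new: str, history: PasswordHistory) -> Optional[str]:
    """Return a rejection reason, or None if the new password is acceptable."""
    if new == old:
        return "new password equals the current one"
    if history.contains(new):
        return f"reuses one of the last {history.depth} passwords"
    if is_constant_shift(old, new):
        return "current password with every character shifted by the same amount"
    if only_counter_changed(old, new):
        return "only the trailing digits changed"
    if levenshtein(old.casefold(), new.casefold()) < MIN_EDIT_DISTANCE:
        return "too few edits from the current password"
    return None


def simulate_monthly_cycle(passwords: list[str]) -> list[str]:
    """Replay a sequence of monthly changes; report the months the policy rejects."""
    history = PasswordHistory()
    rejected = []
    current = passwords[0]
    history.record(current)
    for month, candidate in enumerate(passwords[1:], 2):
        reason = check_change(current, candidate, history)
        if reason:
            rejected.append(f"month {month}: {reason}")
        else:
            history.record(candidate)
            current = candidate
    return rejected


if __name__ == "__main__":
    # The cycle from the comment: A x8, B x8, ... L x8, then back to A x8.
    cycle = [chr(ord("A") + i) * 8 for i in range(12)] + ["AAAAAAAA"]
    for line in simulate_monthly_cycle(cycle):
        print(line)
```

Real implementations of the same idea are pam_pwquality's difok setting and Windows' "Enforce password history". Note that the similarity check only works at the one moment both plaintexts are present, which is part of why rotation policies look strong on paper and fail in practice, and why NIST SP 800-63B now advises against forced periodic change.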

Nice advertorial for Redacted Firm.

Psychology? Maths? Technology? Education? Defence in depth?

Why, here's an idea. Let's improve all of them. Each of us can contribute in our own fields of expertise, while bearing in mind the bigger picture.

Now, here's a question for the commentariat. Is it helpful when journalists present these themes as an either/or and in opposition to each other?

Frequent changing of strong passwords

Correlates almost exactly with increased consumption of yellow Post-it notes.

DJO

Re: Frequent changing of strong passwords

Correlates almost exactly with increased consumption of yellow Post-it notes.

Absolute twaddle.

I use a green Post-it note.

Anonymous Coward

Re: Frequent changing of strong passwords

They're more environmentally friendly?

Re: Frequent changing of strong passwords

The plain white Post-it notes are more environmentally friendly due to no dyes being used.

I'm bullshitting here as I have no idea, but in a world where some meat-flavoured crisps are suitable for vegetarians it makes perfect sense :)

Am

Re: Frequent changing of strong passwords

Chicken flavour(ed)(*) pot noodle has always been suitable for vegetarians - well, at least from the 80s it has been!

(* I can't remember which one denotes it has been artificially flavoured to taste like the real thing, and which denotes it has been flavoured with the real thing. Which is annoying as we were having this discussion at work on Friday)

Re: Frequent changing of strong passwords

plain white = bleached.

You want the off-grey ones.

Anonymous Coward

Suitable for vegetarians

I once asked a Muslim colleague if there were actual rules on smoky bacon crisps since they didn't contain any animal products.

He said he'd treat it like real bacon and make sure his mother never found out.

Re: Frequent changing of strong passwords

Flavoured = must contain a flavouring ingredient that is substantially the flavour intended

Flavour = could be flipping anything and will depend on how the recipient's taste buds interpret the random cocktail of chemicals used to make up the flavouring ingredient. See "beef flavour crisps" for this in action - no real beef in them and generally tastes nothing like beef actually tastes. However are an institution on their own these days...

Re: Frequent changing of strong passwords

@Nick Ryan, that makes sense. I was given (I think as a joke) a pack of Hedgehog Flavoured Crisps back in the 80s as a kid, and I don't remember liking them much because I thought they were made using derivatives of actual hedgehogs, but it turns out they were flavoured crisps by a brand called Hedgehog, and the word "Flavoured" got them into trouble so they changed it to "Flavour".

https://www.doyouremember.co.uk/memory/hedgehog-flavoured-crisps

Re: Frequent changing of strong passwords

I use green pen on a green Post-it note!

*I am torn between troll, joke or "Mine is the one with the pack of Post-its and *all* my passwords on it for when the servers/PC/power cuts out" icons.

Re: Frequent changing of strong passwords

suitable for vegetarians

They aren't suitable for anyone who likes chicken

Am

Re: Frequent changing of strong passwords

@Nick Ryan - thanks :-)

I might even remember it for more than a day this time...

Re: Frequent changing of strong passwords

"See "beef flavour crisps" for this in action - no real beef in them and generally tastes nothing like beef actually "

Almost, but not quite, entirely unlike beef? The Sirius Cybernetics Corporation would be proud!

Re: Chicken flavour vs Chicken flavoured

I thought it was fairly simple:

If it is chicken flavoured, it has been flavoured with real chicken.

If it is chicken flavour, it has made with something that isn't chicken, but tastes like it might have been.

Then I had a little run around Statutory instruments and got horribly confused, until I discovered

REGULATION (EU) No 1169/2011 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 October 2011 on the provision of food information to consumers, amending Regulations (EC) No 1924/2006 and (EC) No 1925/2006 of the European Parliament and of the Council, and repealing Commission Directive 87/250/EEC, Council Directive 90/496/EEC, Commission Directive 1999/10/EC, Directive 2000/13/EC of the European Parliament and of the Council, Commission Directives 2002/67/EC and 2008/5/EC and Commission Regulation (EC) No 608/2004

where Article 7 (Fair information practices) states simply:

1. Food information shall not be misleading, particularly:

...

(d) by suggesting, by means of the appearance, the description or pictorial representations, the presence of a particular food or an ingredient, while in reality a component naturally present or an ingredient normally used in that food has been substituted with a different component or a different ingredient.

There is also this: UK GUIDANCE ON PICTORIAL REPRESENTATION RELATING TO FLAVOURINGS AND INGREDIENTS THAT DELIVER FLAVOUR

It discusses on page 6 'Flavoured' vs 'Flavour'

The term ‘X-flavoured’ should be used in the naming of a food or drink where that food or drink contains the food ingredient of flavour X or where the food or drink contains a flavouring derived from the food ingredient flavour of X.

For example:

1. Where ‘natural X flavouring’ is used; or

2. Where ‘natural X flavouring with other natural flavourings’

is used; or

3. Where ‘flavouring’ that is derived wholly or mainly from X flavour are used in the food/drink product.

The term ‘X-flavour’ should be used in the naming of a food or drink where that food or drink has the flavour of X but does not contain X.

For example:

1. Where ‘natural flavouring’ is used or;

2. Where ‘flavouring’ that is not derived wholly or mainly from X flavour is used in the food/drink product.

Which is what I thought in the first place, but I don't know what that opinion is based on.

It's not my area of expertise (if any is), and I don't want it to be!

Re: Frequent changing of strong passwords

beef flavour crisps

Well they do taste like beef flavour crisps if nothing else!

Re: Frequent changing of strong passwords

Ahh, Hedgehog crisps, a poorly recorded piece of history. I must say I never realised they made it into a supermarket. Growing up we bought ours in bulk from Survival Foods (no, Americans, that is not a place nutcases use to stock up their bunkers).

"focus on positives, confront stereotypes and prime people to make better security choices"

Sounds wonderful, but unfortunately without concrete examples of how to do this, it sounds just like every other buzzword-bingo management presentation I've ever attended, where they exhort us drones to "maximise this, synergise that, and leverage the other", then leave us to work out the actual mechanics of implementing their fluffy ideals.

(To be fair to Doctor B, I didn't attend the presentation at the IRISSCERT conference in Dublin, Ireland last week, so it may be the article that lacks the information, rather than her presentation. But lacking the information still is </yodamode> )

Anonymous Coward

Does anybody know where the sysadmin goes to get Best Practice information on stuff like this?

how long? funny chars? history length?

And not just for passwords - my current administration commander-in-chief has decided that all the useful IT engineer techniques and tools are now problems that need to be disabled. I'm talking:

Mapping to C$

using "Connect to another computer" on:

regedit

services.msc

compmgmt.msc

printmanagement.msc

eventviewer

etc

getting info from WMI..

PsTools

In fact, any method of logging on that is not through the main session logon box is blocked (which is how they have achieved this), even if you are admin of the machine.

The reason for this? "Best Practice"

This is why I'd like to see where this "Best Practice" is written down. Is it just word of mouth between sysadmins?

It's sounding a bit like "Best Practice" in this case is being used the same way "Health and Safety" or "Data Protection" are trotted out when someone just doesn't want to do / change / explain anything.

Anonymous Coward

Why, XKCD of course.

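The "how long? funny chars? history length?" question a few comments up does have a written answer for the password part, and it is not a vendor white paper: NIST SP 800-63B, section 5.1.1.2 (Memorized Secret Verifiers). Its rules are that at least 8 characters are required and at least 64 must be accepted; all printing ASCII, space and Unicode are allowed; candidates are screened against a list of common, breached, repetitive or sequential and context-specific values; and there are no composition rules and no scheduled expiry. The block below is an added example, not from the article, the conference or any vendor: a validator in that shape. The blocklist is a tiny constructed stand-in; a real deployment screens against a breach corpus such as Pwned Passwords.

```python
"""Added example: password acceptance in the shape NIST SP 800-63B s5.1.1.2 describes.

Constructed code, not any vendor's. MIN_LEN/MAX_LEN are the figures the standard
names; BLOCKLIST is a toy stand-in for a breach corpus of millions of entries.
"""
import unicodedata
from dataclasses import dataclass, field

MIN_LEN = 8       # SP 800-63B: at least 8 characters
MAX_LEN = 64      # SP 800-63B: at least 64 must be accepted; longer is rejected, not cut

# Constructed stand-in for a common/breached-password list.
BLOCKLIST = frozenset({
    "password", "passw0rd", "p@ssw0rd", "123456", "12345678", "qwerty",
    "letmein", "welcome", "admin", "iloveyou", "tr0ub4dor&3",
})


@dataclass
class Verdict:
    ok: bool
    reasons: list[str] = field(default_factory=list)


def _canonical(password: str) -> str:
    """NFKC (one of the two forms SP 800-63B names) so the same visible password
    hashes the same way whatever keyboard or IME produced it. Nothing else changes."""
    return unicodedata.normalize("NFKC", password)


def is_repetitive_or_sequential(pw: str) -> bool:
    """'aaaaaaaa', '12345678', 'zyxwvuts': the cases the standard's blocklist covers."""
    if len(set(pw)) <= 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def validate(password: str, username: str = "",
             site_words: tuple[str, ...] = ()) -> Verdict:
    pw = _canonical(password)
    reasons: list[str] = []

    n = len(pw)                                 # code points, not bytes
    if n < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if n > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters (rejected, never truncated)")

    low = pw.casefold()
    # Also catch the 'password1!' family by stripping trailing digits/punctuation.
    if low in BLOCKLIST or low.strip("0123456789!.") in BLOCKLIST:
        reasons.append("on the common/breached password list")
    if is_repetitive_or_sequential(low):
        reasons.append("repetitive or sequential characters")

    # Context-specific values: the user's own name, the service name, etc.
    for word in (username, *site_words):
        if word and len(word) >= 3 and word.casefold() in low:
            reasons.append(f"contains context word {word!r}")

    # Deliberately absent: upper/lower/digit/symbol composition rules and any
    # expiry date. SP 800-63B advises against both; spaces and Unicode are fine.
    return Verdict(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    for candidate, user in [("P@ss1", ""), ("Password1!", ""), ("abcdefgh", ""),
                            ("jbarker2017", "jbarker"),
                            ("correct horse battery staple", "")]:
        v = validate(candidate, username=user)
        print(f"{candidate!r}: {'ok' if v.ok else ', '.join(v.reasons)}")
```

Length is counted in code points after normalisation, not in bytes, so a 64-character passphrase in a non-Latin script is not rejected for being "too long" at the storage layer. Everything the validator refuses is something a guessing attack would try first; everything it permits (lower-case passphrases with spaces, no forced symbol) is there because the composition rules it leaves out were what produced the Post-it notes discussed further up.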
Am

I'm pretty sure most sysadmins(*) wouldn't consider this best practice over, say, making sure no-one has admin access who doesn't need it.

Our auditors have no problem with this, either.

(* Source: myself and all the ones I know)

Depends. What's your job role? Best practice in this particular case is least privilege. So if you're an accountant who just happens to know about this stuff, then you shouldn't really have access to any of it. On the other hand, if you're a sys admin or something, then you should have access to a domain admin account that has access to these things - though, in line with best practices, your general day-to-day user account should not. You should be elevating when required rather than running root all the time. And if you were a certified sys admin, you'd know that.

Generally, you'll find best practice outlined in the written guidelines for any piece of software, which you're required to read and regurgitate during mid-level certifications. A mid-level security practitioner needs to know general security best practice. An MCSE needs to answer questions on Microsoft best practices during his exams, since he is expected to be able to design a Microsoft network from scratch if required. The same is true for other vendors - usually their 2nd or 3rd tier certs are very heavily based on knowing best practices, rather than just knowing where things are and what they do.

You then need to keep up with best practice by reading white papers published by the vendors, and attending conferences hosted by them. This is all very available to IT pros as they get older - you start getting bombarded with invitations to conferences more or less as soon as you wield the slightest hint of power, and IT pros have a great deal of influence on expensive kit purchases - and tends to become increasingly what you spend your time doing as you progress from supporting other people's work to actual design and implementation. I spend as much time reading as actually working in a given week, these days.

It's not mythical, or just word-of-mouth, and tbh if you've never seen best practice anywhere and have no idea where to find it, then you're likely in a fairly junior role. You'll find you're drowning in endless white papers soon enough.

Generally, you'll find best practice outlined in the written guidelines for any piece of software, which you're required to read and regurgitate during mid-level certifications.

You appear to be conflating best practice with vendor recommendations. They aren't synonyms. Taking Microsoft (since you mentioned them) recommendations and defaults to be "best practice" is how we ended up with open NetBIOS ports, ActiveX browser plugins, Adobe Flash dependent configuration systems, Exchange servers based on JET etc. etc.

Best practice is to keep up with an evolving threat landscape which may mean disregarding vendor advice as obsolete or self-serving. For example, it was best practice to eradicate Flash and Silverlight long before Adobe and Microsoft would officially endorse such a policy.

Subtle reminders and behavioural priming have been shown in experiments to be a way to get developers to produce more secure XXXcodeXXX methods to de-fenestrate HR wonks, for example.

fixed that....

" A mid-level security practitioner needs to know general security best practice"

And where will he find that?

In the "Microsoft security certificate" revision book?

"you'll find best practice outlined in the written guidelines for any piece of software" Yeah, fine, for applications, but an entire network isn't a piece of software that has a manual.

Mostly

By far the commonest attack vector on passwords is to watch over the user's shoulder as they type it. Strong passwords make that harder.

Frequent changes of password are pointless, as any exploit on your account is likely to happen soon after it has been stolen. You will have no idea it has been stolen until too late.

Trying to get users with a careless nature to be a lot more careful is impossible. You can employ an expert psychologist/manipulator and that may help a little, but you can't beat mandatory strength checkers and a written copy in an old-fashioned notebook in the same old-fashioned pocket or handbag where you keep your plastic.

Anonymous Coward

Re: Mostly

"By far the commonest attack vector on passwords is to watch over the user's shoulder as they type it."

Bollocks.

The End

Re: Mostly

"written copy in an old-fashioned notebook in the same old-fashioned pocket or handbag where you keep your plastic."

Well, I'm not against writing passwords on paper in your house, in a drawer. This means every hacker in the world cannot access them without coming to your house, which they tend to draw the line at.

However, "the same old-fashioned pocket or handbag where you keep your plastic" sounds like it's going to travel every place that you do and could get lost at any minute in a public place. Or worse, stolen.

Therefore this is a bad idea for the same reasons it's a bad idea to write your PIN on your plastic.

Anonymous Coward

Re: "watch over the user's shoulder" ... Bollocks.

I can't even begin to imagine the contortions required to snoop passwords while peering over a users bollocks.

Re: Mostly

Not necessarily.

I do my own checking out at the supermarket's self-checkout things. Very frequently, because of how sodding paranoid the system is, an employee will have to come over and make the machine continue the transaction. (Things like "oh, you didn't place that on the scale! This is the second item in the transaction you didn't put on the scale! HELP! I NEED A HUMAN TO MAKE SURE THIS GUY ISN'T THIEVING!")

They have a post at the self-checkout that someone is SUPPOSED to be manning all the time, but very frequently it goes unmanned. The employee logins are a four-digit number, and so is the employee password. Literally anyone with rapid recall - or who can observe one employee plugging in and telling the sodding thing to let you go a few times - could memorize these numbers, then make use of those times when the system is unguarded to do some shenanigans with the machine.

Pointlessly, most likely, since security cameras are a thing, but it seems probable that the employee login ID is used for other things too, and if it happens to be used for something web-facing, bam, you're compromised.

Re: Mostly

"written copy in an old-fashioned notebook in the same old-fashioned pocket or handbag where you keep your plastic."

Haven't done that since the 80s when I got home from a PC conference (of all places) to find my note replaced by one that just said 'wanker'.

MJI

Re: Mostly

I refuse to use those things. They are slower, less pleasant and encourage dumping employees.

And if I have ONE item I am NOT putting it in the bag; it can go in my pocket, thanks!

As I told a manager once, just easier to shoplift an item than use those tills.

Re: Mostly

I use them because I am never, *ever* satisfied with the way the shop's employees bag my goods; this is especially problematic if I'm doing shopping for two households at once and need to keep two separate sets of bags and two separate receipts.

That, and I just like doing it my own dratted self.

Who?

Dr Jessica Barker is…

Okay, but who is the Dr Radcliffe also quoted in the article?

I'd suggest rewriting the article beginning with the conference then the speakers, then the recommendations…

…but pointing out sloppy article writing to journos is unlikely to help… ;-)

Re: Who?

Also, the article doesn't have any numeric characters in it.

Attempting to scare people by telling them their password choices are stupid or easily guessable is counterproductive

I don't try to scare people; I try to educate them, using real-life examples to illustrate the point.

One way of doing it...

By saying users are stupid, you perpetuate a stereotype that people are the problem, according to Dr Jessica Barker.

“Don’t spread fear - spread hope,” Dr Radcliffe concluded.

I guess changing your name midway through a presentation would frustrate a fair few hackers

Re: One way of doing it...

Did you just assume her name? You chauvinist pig.

Re: One way of doing it...

I guess changing your name midway through a presentation would frustrate a fair few hackers

Maybe she has a scrambler suit?

Mine's the one with red, no yellow, no blue, no red stripes…

Anonymous Coward

"Don’t spread fear - spread hope"

Oh my god... what we really need in security is some hippy/new age movement...

"Let's hope you won't be demoted to changing printer toners next time you use a six letter password which is your birth date..."

Re: "Don’t spread fear - spread hope"

Given the constant war on bad passwords and the resentment users have about them, hippy/new-age seems a little less than useful. Doing the same thing over and over and expecting the outcome suddenly to be different is a definition of madness. I would say also of contempt. Help them out fer crissakes.

Re: "Don’t spread fear - spread hope"

"Doing the same thing over and over and expecting the outcome suddenly to be different is a definition of madness."

But don't forget. Doing the same thing over and over and actually getting a different outcome is a definition of persistence.

"Gameify" it

Your password scored 57 password points today.

You need another 47 points to unlock 12 character passwords *and* two new login images!

Re: "Gameify" it

I know when they don't really care about security in the way they say they do, when they limit my password to 8 characters!

Re: "Gameify" it

> You need another 47 points to unlock 12 character passwords *and* two new login images!

Cyber Monday special: Unlock 12 character passwords *and* two new login images for only $3.99

Offer may not be used in conjunction with any other offer. Individual images may differ from store to store. While stocks last. Any similarities with offers in EA games are purely coincidental.

Here's looking at you!

I'm moving 4,000 users to Windows Hello with new laptop roll-out of Windows 10. They can't thank me enough.

Re: Here's looking at you!

Well, at least the ones who don't change their hairstyle, facial hair, eyewear, or makeup.

Coming soon, stuck to the side of a computer monitor near you... a Polaroid selfie.

Biting the hand that feeds IT © 1998–2018