back to article No, eight characters, some capital letters and numbers is not a good password policy

Internal cybersecurity audits rarely make it to the public domain, but when they do it’s often an eye-popping read. Take the Western Australian (WA) Auditor General’s 2017 recent report on the state of user account security in an Aussie state which tends a mammoth 234,000 Active Directory (AD) accounts across 17 state agencies …

  1. ArrZarr Silver badge
    Mushroom

    As one of the few gatekeepers to having passwords stored in the password manager in the office, I need to tell people (the developers usually being the only people who don't need telling) that <company name>123 is not a good password and I won't accept it about 50% of the time.

    Starting to consider sending these usernames and passwords to the whole company to force them to change it given that the password would then become public knowledge. Bad stuff would probably happen though.

    1. Charles 9 Silver badge

      Well, how do you make them care, especially if they're over your head?

      1. garetht t

        Over Your Head

        As a sysadmin you don't need to make users care. Users should be following the policy, and the policy should have the backing of senior management. Anything else is doomed to failure.

        This isn't my opinion, it's the advice of SANS and ISC2.

        1. Charles 9 Silver badge

          Re: Over Your Head

          EXACTLY! The real problem is if it's the senior management who isn't following the procedure. You can't force them and executives to do anything because they're over your head (unless you're an executive yourself). Any attempt will be met with a "Who hired this clown?"

          1. Kabukiwookie

            Re: Over Your Head

            This is why any Security Officer should be reporting directly to either the CEO and/or board of directors.

            What usually happens is that the person responsible for security winds up attempting to shove shit uphill,

          2. This post has been deleted by its author

          3. steviebuk Silver badge

            Re: Over Your Head

            And when you realise a company and its management are like that you go into record mode. Record everything you do and everything you warn them about, via e-mail. Then take backups of said recordings. So when the shit hits the fan you can prove it wasn't your fault and you gave them plenty of warnings. As I guarantee they'll try and blame you if they think they can.

            Not that I'm taking advise from him as I've known this for years, but, and ignore political views, Michael Cohen comes to mind. He appeared to love Trump (he was clearly just kissing arse to get what he wanted) but even he was wise enough to record sessions he'd have with Trump (is that actually confirmed as fact yet?), I assume for his own protection in case he ever got screwed over by said person.

        2. Doctor Syntax Silver badge

          Re: Over Your Head

          "Users should be following the policy, and the policy should have the backing of senior management."

          The only thing that would ensure such backing, short of a massive breach costing money for compensations and fines along with a loss of reputation, would be board level insistence. That insistence would need to be backed up with loss of bonuses and/or promotion as appropriate in the face of an audit report such as this.

          1. Charles 9 Silver badge

            Re: Over Your Head

            But like I said, what do you do when the problem comes FROM the board?

            1. Anonymous Coward
              Anonymous Coward

              Re: Over Your Head

              Bring in the BOFH.

        3. Ian Johnston Silver badge

          Re: Over Your Head

          As a sysadmin you don't need to make users care. Users should be following the policy, and the policy should have the backing of senior management. Anything else is doomed to failure.

          And the policy should be sane. The danger is that some paranoid IT dweeb comes up with rules so arcane and so irritating to users that the begin to take a perverse delight in thwarting them. The toughest policy in the world is no good if it leads to passwords on post-it notes by screens.

          1. ShadowDragon8685

            Re: Over Your Head

            Tie it to fiscal carrots and sticks. For the hoi polloi, they get a bonus day's wages if they use a password that a determined attempt by IT to crack [using any methods short of rubber-hose cryptography] is insufficient to the task.

            For executives, make receipt of *any* bonuses contingent on same.

            And for IT, the bonuses kick in when the company's passwords are safe.

            1. Charles 9 Silver badge

              Re: Over Your Head

              "For executives, make receipt of *any* bonuses contingent on same."

              Chicken-and-egg question: How do you enforce rules on executives when it's the executives who make the rules...and often are the ones who demand exceptions or replace the IT people with those who will? And note, this is not as rare as you think.

      2. juul

        Easy, you know what is logged and what is not, so log in as the person (not from your own pc), send the person a lot of pornsite URL's (both strait/gay/lesbian/shemale) from his/her own mail account, remove the mails from the "sent" folder.

        When the person reports this, tell them (after some time) that it looks like someone have hacked their mail account. That should teach the person to take security a bit more serious.

      3. Anonymous Coward
        Anonymous Coward

        "Well, how do you make them care, especially if they're over your head?"

        In my experience external auditors, if they sniff weak password usage its an instant fail (Lots of headaches though).

      4. J27 Bronze badge

        You don't, you document it so that after it becomes an issue you can point out that you notified your superior about the issue at the time. Passing the buck is all you really can do.

        If senior management wants to be incompetent there isn't much you can do other than cover your butt.

    2. Anonymous Coward
      Anonymous Coward

      A few years ago I moved a very profitable company with poor IT from POP3/SMTP email with passwords that never changed to Office 365 with proper password policies. Within 2 months I was forced to set the CEO's password to something without the required complexity that would never expire because he couldn't handle picking a new password every 30 days and then remembering it for more than 5 minutes. This for a user that had an online banking security dongle permanently attached to his PC and who would have fallen for one of those "your friend is stranded in a foreign country with no money" scam emails if I hadn't told him to call said friend.

      Sometimes it doesn't matter if IT try to do the right thing, the suits overrule us.

      1. Adrian 4 Silver badge

        A password policy that's unusable by the users can't be considered 'proper'. It's a failure.

      2. Dan 55 Silver badge

        All that's going to happen with a 30 day password policy is people will cycle the number on the end of the password and you'll get everyone swearing under their breath as each piece of software forces them to re-enter the password.

        1. vir

          Or yellow stickies on the monitor with the password du mois in plain view...

          1. usbac

            @vir

            Many years ago I worked for a managed services provider that had a contract with a major US bank. We provided support for the entire half of the state.

            Their corporate IT folks had a very strict password policy. They required a password change every 30 days, unique passwords, and over 10 characters. What this did however, is to create an environment where no one could remember their passwords. So, on EVERY monitor there was a yellow sticky note with the last few passwords crossed-out, and the current one at the bottom of the list. Even the director for the whole state had the sticky note.

            So, in the end, no security whatsoever!

            1. Ian Johnston Silver badge

              Their corporate IT folks had a very strict password policy. They required a password change every 30 days, unique passwords, and over 10 characters. What this did however, is to create an environment where no one could remember their passwords.

              I know an Oxford college which decided to boost security by having a different 4-digit access code for every door into the buildings, instead of one for all doors as previously. This meant that an average student needed to know codes for their staircase, both their tutors' staircases, the common room, the laundry, the library and as many staircases as they had friends on. The result was inevitable: within two days every lock had its code written beside it, usually in something indelible. They went back to one-code-for-all after three days.

          2. ITS Retired
            Facepalm

            Or like one person I knew back in beige CRT days, who wrote the passwords in pencil around the front edge of the monitor.

            Well, when you have some 2 dozen passwords with forced changes, depending on the login, from 30, 60, 90 days... and different password requirements for each password.

            Too frequent password changes is a security breach. It leads to people to have passwords such as - Password1, or passw0rD1, Password#1, etc,

          3. somethingbrite

            This is exactly what forcing people to change their passwords frequently results in.

            Bad password policy is rooted in poor psychology.

        2. Anonymous Coward
          Anonymous Coward

          Exactly. What worked for us is introducing:

          - a 15 character minimum for passwords

          - must use 3 of 4 elements: upper, lower, number, special character

          - a password repository app for shared/service accounts

          You could hear the users rummaging for their torches and pitchforks, and then we revealed the final part of the new password rules:

          - you must change it every 180 days (up from 45 days)

          Everybody put their riot utensils away and went off to think of a clever 15 character password, and it's been smooth sailing since.

          1. vir

            I still think that capital letters and special characters are more trouble then they're worth. I haven't trawled through any big password dump files, but I'd be willing to bet that the majority of number/special character requirements are fulfilled by adding a 1 and/or ! to the end of a "normal" or easily guessable password and that capital letter requirements are fulfilled by capitalizing the first letter of same.

            But consider: an 8 character password with all four character types in play - lower case letter, upper case letter, number, special character - has 72^8 possible passwords (give or take, ignoring any disallowed special characters); somewhere in the region of 7.2E14. If we remove the requirement for upper case and special characters, the number of symbols drops to 36 but we can maintain the same keyspace size within an order of magnitude by adding one additional character and even quintuple it by adding two (1E14 for nine characters and 3.7E15 for 10). If we allow lower case letters alone, the keyspace is still 1.4E14 with 10 characters. What's more challenging for the user: remembering what special character/capital letter/random numeral they jammed into their password, or remembering one or two more characters?

            1. Adam 1 Silver badge

              > I still think that capital letters and special characters are more trouble then they're worth. I haven't trawled through any big password dump files, but I'd be willing to bet that the majority of number/special character requirements are fulfilled by adding a 1 and/or ! to the end of a "normal" or easily guessable password

              So much true that hashcat even does this (and a=>@, l=>!, s=>5 style substitutions) and their permutations.

              At the end of the day, size matters. A 12 character password consisting solely of lower case a-z has more entropy than an 8 character password consisting of any character (upper and lower), symbol, digit and whitespace.

              Those in a position to influence password system design should consider flat out blacklisting terrible passwords. I'd personally consider integrating with pwnd passwords either directly or by just downloading the list and rolling your own.

              1. Dom 3

                I had a go a few years ago. Any new password was first run through this:

                https://www.systutorials.com/docs/linux/man/1-pwqcheck/

                which recognises that a long password of only two character types is as strong as a short password of four character types. (I didn't use the defaults, FWIW).

                After that I ran it through a dictionary checker against a common password list, and a standard word list. If the last (up to) four characters were digits they were stripped before this test. And leet-speak variations were also tested, e.g p455w0rd would fail.

                And people *still* managed to come up with piss-poor passwords.

                I would like to have gone full john the ripper on it but I wasn't going to be able to sell that one to the customer.

            2. Anonymous Coward
              Anonymous Coward

              We have to use a 8 character local admin password that looks like it's been typed by someone headbutting a keyboard. Which also changes on a regular basis..... So we poor contractors have to write it down....

              I have suggested about changing it to something like <InsertAdminName>isacompletenobhead as it will be easier to remember and using your maths - be more secure?

              For some reason, they've not agreed to this.....

            3. Anonymous Coward
              Anonymous Coward

              exponential vs polynomial complexity

              “An 8 character password with <72 characters> has 72^8 possible passwords 7.2E14. <Even with only lower case> we can maintain the same keyspace size … by adding one additional character. If we allow lower case letters alone, the keyspace is still 1.4E14”

              Exactly! Password complexity is polynomial in the size of the character set and exponential in its length. Given C characters for a password of length M there are C^M possibilities which increases much faster with M than it does with C: exponential vs polynomial.

              Longer passwords can be easier to remember and to type: “my idiot sister has two brats” or even “My idiot sister has 2 brats!” (using stupid special-character rules) vs “T%7<a&K*” with only 8 characters. Character limits on passwords are insecure via both complexity and post-it notes.

          2. Robert Carnegie Silver badge

            Why special characters? We all know computers run on just 0 and 1. enough of those and... it's remembering them that's a pain.

            Especially when one user at work needs up to six passwords. Changed on different days, if at all.

            My system - 6 letters, one capital; two numerals; no vowels. Special character? Exclamation mark, you creep. Just because a smiling brown pile isn't on my keyboard... I never used APL. Wait, a black heart, that'll do. ...Apparently you're a character that The Register doesn't support, and neither do I.

            Oh - no vowels. Happy now? Wlsdyn47! [ = well s*d you anyway ].

        3. taxythingy

          Yup. My main work account's iterator is up to 30-mumble, and our lab group password rolls based on seasons. Anything else is generally considered "too hard" and will end up with post-its by every PC.

          At home almost everything is on a password manager, but that doesn't cut it for unlocking a PC 20-30 times a day.

        4. Kabukiwookie

          Indeed.

          This is good advice:

          https://xkcd.com/936/

          1. Chris Evans

            XKCD example doesn't work for me.

            I can't remember the example

            Over the last four or five years https://xkcd.com/936/ has been quoted in these forums three or four times most years. Each time I've tried to remember the example password, but can't. Horse and Staple I can remember, was another of the words Door... No and what order are they?

            I know if I had to use the password more often I might remember it but there are quite of few passwords I only need to use three or four times a year!

            One password I use about monthly is something like sH68*452aX2 I can just about remember that. Some peoples brains seem to wired differently and can remember different things easier than other people.

            I write them down physically but in an obfuscated way and don't carry the copy around.

            My recommendation to friends and family is to use as a complex a password system as they find challenging but manageable.

            Having throw away passwords for sites you don't worry about, but not 123456.

            Capitalise say third or fourth character...

            1. Robert Carnegie Silver badge

              Re: XKCD example doesn't work for me.

              Can you remember "xkcd936"?

              With the punctuation marks :-)

            2. Anonymous Coward
              Anonymous Coward

              Re: XKCD example doesn't work for me.

              Another good idea is to use a series for your passwords, for example: animals, boys names, vehicles of whatever denomination you fancy etc... Do a bit of number substitution in a non standard sort of way and add in some specials and if you really want to confuse people then you mis-spell the original word to make it easier for you to remember with the substitutions - this way you can fairly easily be over the 8 characters and it's not difficult to remember, and it's also not too bad to remember the previous ones either. An example of this I once used when I had the dinosaur series was the name quasisaurus (nope, don't think there was ever a dinosaur called that but it translated as Qu45!Sauru$). I'm not saying this is perfect or that it'll work for everyone but it's a start.

              1. Anonymous Coward
                Anonymous Coward

                Re: XKCD example doesn't work for me.

                My preference is for private, family, invented words. As in what your kid called the fridge when he/she was 3 and couldn't pronounce fridge. (something like fwidjerer). Maybe a pair of words to be on the safe side. Just not obvious ones that every three year old seems to say. And any extra obfuscation you can add for length, and remember ( like a three because she was 3 when she said it).

            3. illiad

              Re: XKCD example doesn't work for me.

              well how about this system..

              choose an easy to remember phrase eg bosisstupid

              now add 4 letters/nums you can easily remember, that will be added to the above phrase..

              eg jon5 bull nad4 , etc... that should give you enough different passwords.. :)

        5. hmv

          Indeed. That's why NCSC recommend against enforced frequent password changes.

        6. Anonymous Coward
          Anonymous Coward

          True. Which is why we've finally decided to set a 16 character min password that never changes. We'll also have 2FA on as well.

          1. werdsmith Silver badge

            All goes to show that a system of authentication by password alone is not fit for purpose and something better is needed.

            My own passwords (I have many dozens of different ones) is based on a formula which takes some context from the environment it is meant for and by applying the formula to that context comes up with a unique string. It means I don't have to remember the dozens of passwords, just one formula.

            If I use a login rarely I just make up some crap and forget it, then go through the recovery process every time I need it.

            1. Orv Silver badge

              It means I don't have to remember the dozens of passwords, just one formula.

              I used to use that scheme, but realized if someone ever got more than one of my passwords it would be pretty easy to reverse-engineer.

              Not to say that's true of yours, but I can't do Blowfish in my head. ;)

        7. DJSpuddyLizard

          Password027!

        8. picturethis
          Thumb Down

          "30 day password policy"

          I don't know why this continues to be considered good practice in the industry. Because it's NOT. All's this does is encourage writing down the password on a post-it and then putting it on the bottom of one's keyboard.

          Forcing someone to remember a new password every 30 days is ridiculous - In this age of smart phones, most (99%) people can't even remember a new phone number every 30 days.

          And why 30 days? Why not every day, why not every year, why not every 5 years? Where's the proof that this does anything to improve overall security?

          This policy actually results in less actual security - find a better way, this one has got to go.

          To the original poster: (AC indeed is appropriate).

      3. Dom 3

        "he couldn't handle picking a new password every 30 days" - nor should he have to. The environment where this was a good idea has not existed for decades. Even .gov.uk have caught up:

        https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry

        Nor is it difficult to teach (even CEOs!) methods for creating strong but memorable passwords. No, not correcthorse(...) but using the initial letters of a phrase, or using the strong stub + domain-based suffix method.

      4. AlexGreyhead

        Wait, so Steve isn't trapped in Magaluf again...?

        1. Hans Neeson-Bumpsadese Silver badge

          Wait, so Steve isn't trapped in Magaluf again...?

          No, he should be on his way home - I sent him the money to cover the cost of his plane ticket. No worries though, as I've got a few quid coming my way from this Nigerian prince, so I can afford it.

      5. Bibbit

        "This for a user that had an online banking security dongle permanently attached to his PC"

        Perhaps you robbing him might have taught him something? Sounds like he was too thick to notice and he would have blown that money on CEO rubbish like coke, private jets and a dominatrix anyway. CEOs cannot really be victims like real people (class war, fight the power, stick it to the man, eat the rich, etc).

      6. JimboSmith Silver badge

        Had a new C level manager who complained that he didn't like having to reset his password every 90 days. My suggestion was that if he didn't do it (j.e. asked to be an exception) he was in breach of IT policy and leaving the business more open to attack. He then said he preferred to just use the one password. He elaborated on his theme for his passwords. The theme he confided was sports based so I logged in as him using his password. You should have seen the look on his face at that point. He'd used his football team plus a number as a password. I had guessed that he'd used the year his football club was founded at the end. He said "in this one instance" I could treat him like a child and explain how I'd done that. I pointed out his love for Arsenal was well known and I had guessed the year might be the suffix. A talk then followed on social engineering given he mentioned he supported Arsenal in interviews he gave to people. Nice guy and grasped the concepts I was talking about very quickly. He agreed that he did need to change his password more often.

        1. Anonymous Coward
          Anonymous Coward

          "his love for Arsenal"

          You have also worked under the same bosses as me.

        2. Ian Johnston Silver badge

          He'd used his football team plus a number as a password. I had guessed that he'd used the year his football club was founded at the end.

          The fault was not his. The fault was having a password policy which could be fully complied with in a way which left his password easily guessable.

          1. JimboSmith Silver badge

            The fault was not his. The fault was having a password policy which could be fully complied with in a way which left his password easily guessable

            Well the password guidelines stated that you weren't supposed to pick something easy to guess. He judt didn't think that his password was easy to guess. This was also a fair few years ago when an 11 digit password was supposedly harder to crack.After 5 attempts it would have locked the account anyway.

        3. Spacedinvader
          Joke

          Let me guess...

          His password is now Chelsea+TottsSuck1!

      7. therealmav

        not surprised, forcing users to change good passwords every 30 days is a bad policy. check out NCSC advice for a better policy

      8. jmch Silver badge

        "...proper password policies. Within 2 months I was forced to set the CEO's password to something without the required complexity that would never expire because he couldn't handle picking a new password every 30 days"

        Forcing password change every 30 days is not a good password policy. It just encourages use of weak passwords.

        While I'm at it... forcing use of special characters is also not a good idea, especially for any company working in an international environment where different locale's keyboards have different subsets of special characters almost always mapped to different keys that can cause all sorts of trouble. Upper + lower case + numbers give 62 options*, which if combined with min password length of say 12 characters is much more secure than 8-character password that has special characters.

        "This for a user that... "

        Of course as usual the weak link is the idiot user. It's effin unbelievable that as an IT user in financial services I have to go to a bunch of courses about "Know Your Client", anti-money laundering, anti-corruption policies etc (almost all of which I will NEVER encounter / need at work), while there is no course on security including password policies that is compulsory for all users (including business users who would not know this stuff AND who WILL need to use this every day)

        *for English alphabet, some more for some other alphabets

      9. Anonymous Coward
        Anonymous Coward

        Keep an on that account. That will be targeted I bet. And if it doesn't have 2FA on, someone, at some point will get into it and set a redirect on his mailbox. I've seen that done before and it not be noticed for months unless you're looking for it.

      10. Christian Harten

        30 days seems pretty excessive, I believe this probably encourages bad passwords (for example just incrementing an integer). Another consideration, perhaps it's better to get fired insisting people stick to good password practice than to be an employee of a company that has a gigantic data breach due to incompetence - because this will be seen as reflecting poorly on the people in IT, not only executive who might be at fault. I would at least keep evidence of that.

    3. Adrian 4 Silver badge

      How do you know they've got rubbish passwords ? Do you store them unencrypted, or capture them at the point of entry ? If so, I don't think the password quality is the biggest security problem.

      Perhaps you try a dictionary attack against them - but that's only likely to get the ones you already know to be common, like 'password'. It's not going to catch 'password<random number> for any but a handful of not-very-random numbers.

      1. Orv Silver badge

        How do you know they've got rubbish passwords ? Do you store them unencrypted, or capture them at the point of entry ?

        He said this was a password management system, so presumably these are shared passwords that have to be decryptable to be used.

        And yeah, shared passwords are their own issue, but realistically you're not going to give every single employee a separate account with every vendor you work with. It's unmanageable.

        1. jmch Silver badge

          "realistically you're not going to give every single employee a separate account with every vendor you work with. It's unmanageable."

          Yes, and that's a prime reason to reject any vendor that doesn't support single sign-on. One user, one password for all systems.

      2. Anonymous Coward
        Anonymous Coward

        @Adrian4

        It's my understanding that they're stored hashed, with the same password resulting in the same hash. So one you know that value XYZ123 corresponds to "password123" you can go searching for accounts with an associated hash value of XYZ123 and know that they all have the password "password 123".

        Some systems would combine it with usernames or other predictable data (e.g. fob number or something similar) so they don't all have the same hash but it can be determined by hashing $fobnumber+ $username + "password123" (and a bunch of other passwords) and comparing them result against the stored hash.

        Takes more time but it's something easily automated!

        If someone is actually cracking passwords or intercepting them, there's a problem.

        1. Dom 3

          Salted hashed passwords have been standard in any sane system for ages!

          1. Anonymous Coward
            Anonymous Coward

            If only that were true, password reuse wouldn’t be such a problem (phishing attacks aside). The trouble is, there is no way of knowing how your passwords are going to be stored and time and again large companies that should absolutely know better have demonstrated they cannot be trusted to implement such basic safeguards.

        2. Adrian 4 Silver badge

          Sure, but that assumes you have hashes for all the passwords you want to check. It will work for stupidly obvious ones like 'password' but not for a large enough set to be useful. Which is why password crackers start with a dictionary and modify it in increasingly complex ways.

          I'm kind of puzzled by the downvotes actually. People are welcome to their opinion, but I didn't expect to get such a consistent level of disapproval for basically asserting that passwords shouldn't be stored in an accessible form.

          Can someone explain what was so offensive ?

        3. Loyal Commenter Silver badge

          It's my understanding that they're stored hashed, with the same password resulting in the same hash.

          If they are doing that, then I'd take their security expertise with a pinch of SALT...

      3. jmch Silver badge

        "How do you know they've got rubbish passwords ? Do you store them unencrypted, or capture them at the point of entry ? If so, I don't think the password quality is the biggest security problem."

        You don't store them unencrypted, of course. But you know the encrypted hash of the most common crap passwords and so can detect and reject these. It's also possible to detect password strength at point of entry and approve / reject it. That's not a security problem at all.

      4. rg287 Bronze badge

        "How do you know they've got rubbish passwords ? Do you store them unencrypted, or capture them at the point of entry ? If so, I don't think the password quality is the biggest security problem."

        If it's your database and you know the hash used and any salts, you can just build your own rainbow table.

        You could also log what proportion of password changes are knocked back as policy non-compliant and required to pick something else because the user has tried to pick a weak password.

        Many organisations are now polling the HaveIBeenPwned API when users change their password and prevent them using anything in the HIBP database (this uses a k-Anonymity model so you're never sending passwords or complete hashes over the internet). You could log hits the same as people trying policy non-compliant passwords to give you an overview of what proportion of users are trying to use crappy passwords.

        iPerhaps you try a dictionary attack against them - but that's only likely to get the ones you already know to be common, like 'password'. It's not going to catch 'password<random number> for any but a handful of not-very-random numbers.

        There are dozens of tools designed for password database cracking. Many have various intelligent levels of hybrid-attack, so it'll start with a dictionary, but then enumerate the dictionary attack with a 1 on the end, then a 2, try the usual 133t substitutions, etc. Faster than a brute force and unfortunately highly likely to get a strike for anything less than a passphrase (multiple words) or a random string from a password manager. Words plus numbers or substitutions tend to follow patterns and the tools know what those patterns are.

      5. Loyal Commenter Silver badge

        Perhaps you try a dictionary attack against them - but that's only likely to get the ones you already know to be common, like 'password'. It's not going to catch 'password<random number> for any but a handful of not-very-random numbers.

        If you have the (encrypted) password database (which you would, if you're doing an official security audit), you'd be surprised at how little time it takes to brute-force a dictionary attack, along with all variants (replacing 1 with !, s with $, vAriAtiON in case, etc. etc.), especially if the passwords aren't salted, and you can do a rainbow attack (hash all the variations up front, and just compare to the hashes in the password database). Once you've got all the passwords that are based on words in the dictionary, you can then start working on the remainder by checking all 8 character passwords, then all 9 character ones, etc. etc. No password is uncrackable, given enough time and computing power, which is why you have policies to regularly change them.

        The thing that protects you from a dictionary attack in a production environment is the increasing delay and lockout after 'n' wrong guesses that is built into the login system. These are moot if you can just access the database with the password hashes in (or, in this case, an old copy of it in an easily accessible location), and side-step the authentication gateway.

    4. Shadow Systems Silver badge

      At a job that will remain nameless to protect the stupid...

      I was one of the IT monkies as an intern. The boss kept having trouble remembering his password, using the reset password link, flubbing the reset process, then calling up IT to fix things.

      One day he calls up & demands it be reset, coworker does so & says "I've changed it temporarily to your first name. Log in & change it immediately." Boss hangs up, coworker starts to, & boss calls back so fast it rang as soon as the handset touched the cradle. Boss thunders "It doesn't bloody work!" Coworker & I trade confused looks. Coworker asks incredulously "You can't remember how to spell your first name?" Boss is so loud I can hear him from the next desk over. "Of COURSE I can you bloody fool! It's Y O U R F I R S T N A M E. Now fix the bloody thing!" Coworker & I just stared at the phone in disbelief.

      Sometimes you can't win for trying...

    5. Karl Vegar

      Well.

      Log in as a few of them, and send out an invite to their team / the rest of the company.

      Open bar event of some kind, some words about bringing a cake on Friday, BBQ at home.

      After the first few, some just might take a hint. Otherwise, these events are probably going to be a nice benefit. Just make sure you make them something you enjoy as well.

    6. Anonymous Coward
      Anonymous Coward

      "As one of the few gatekeepers to having passwords stored in the password manager in the office, I need to tell people that <company name>123 is not a good password and I won't accept it about 50% of the time."

      Step 1; Randomly generate a password for each account

      Step 2: Take out all the available company post-it.

      Step 3: Put the password onto the post-it

      Step 4: Tape it on user computer screen

      Step 5: Replace it whenever it is password changing day

  2. jms222

    Same as mine

    Wow. I use those especially "password" for absolutely everything and have never had any trouble. What are the chances ?

    1. taxythingy

      Re: Same as mine

      Wow, that's amazing! I've got the same combination on my luggage.

  3. anothercynic Silver badge

    I'm waiting for someone...

    ... To implement a K-anonymity filter for Active Directory. And OpenDirectory. And OpenLDAP. And... and... and...

  4. Dwarf Silver badge
    1. Doctor Syntax Silver badge

      Re: Obligatory Dilbert

      There's also the Dilbert user ID policy.

      http://dilbert.com/strip/2000-08-19

      1. JimboSmith Silver badge

        Re: Obligatory Dilbert user ID

        I moved and got a new GP as a result of this. I spotted on my first prescription from the new one that GP ID codes are last name then their first initial. I had a GP who suffered from their code when read outloud sounding like slang for a particular genital. It was a bit unfortunate that.

    2. bombastic bob Silver badge
      Devil

      Re: Obligatory Dilbert

      and a few lines from the movie 'Hackers'... (from themoviequotes.com)

      Eugene Belford: Someone didn't bother reading my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and...

      Margo: [glares at The Plague]

      Eugene Belford: god. So, would your holiness care to change her password?

      1. Anonymous Coward
        Anonymous Coward

        Re: "dog"

        Seems that the recent lists show dog as the most common used. Then dogdog in second, and dogdogdogdog in third. I forget where dogdogdog comes in.

      2. Version 1.0 Silver badge

        Re: Obligatory Dilbert

        And of course there's always https://xkcd.com/936/

  5. Anonymous Coward
    Anonymous Coward

    Behind the freshly painted white picket fence, plenty of corporate networks are probably not as far away from this near failure of account security as they’d like to imagine.

    I can assure you that this is true.

    The boneheadedness of people in the upper reaches of the food chain who delight in "not understanding IT" is 80% of the problem. The opionion that "nobody would attack us" is 20% of the rest.

    > You are on an Internet server that seems not have to been updated in a long time.

    > You might find a surprise in your webserver file hierarchy.

    > You can go [N]orth or [E]ast.

    > [N]

    > You find a rootkit hidden in C:\Tmp

    > [Look]

    > The rootkit seems to have sent a lot of data to an Ukrainian IP address.

    > [Inventory]

    > You have 2 dollar to buy a new USB stick. Otherwise the budget for the year has been exhausted.

    > [Leave]

  6. GnuTzu Bronze badge

    Dictionaries

    One would think that dictionary checks upon creation of password should now be mandatory, and might as well make it the top, say 30, languages used in the country, or maybe the top 200 languages in the World.

    1. Anonymous Coward
      Anonymous Coward

      Re: Dictionaries

      Go one further, download the ones used for brute forcing and check it against them. They aren't that hard to find.

      1. Adrian 4 Silver badge

        Re: Dictionaries

        How about running a few password crackers against the login and disabling any accounts that fall to it ? Then the people who pick good passwords get to keep them and the people who pick poor passwords have to come cap in hand to IT and ask for a new one.

        1. Charles 9 Silver badge

          Re: Dictionaries

          "Then the people who pick good passwords get to keep them and the people who pick poor passwords have to come cap in hand to IT and ask for a new one."

          Watch it. An executive probably won't go through that door with a cap but with a replacement, and probably a report of a reduced IT budget and a communique to his friends at other firms black-marking you.

          1. Robert Carnegie Silver badge

            Re: Dictionaries

            Executives' passwords are to be remembered by their secretary. Solved. Or, they get a golden key card to insert in the PC instead of a password. And it's the secretary's job to take it out after they go home.

            Anyway their hardware is... limited. http://dilbert.com/strip/1995-04-03 yes that one.

    2. bombastic bob Silver badge
      Devil

      Re: Dictionaries

      one step further, hard-to-guess user names that don't match e-mail names. It's an additional step that can prevent cracking your system, if the user names are also hard to guess.

      'Jimmy1973' is too obvious. How about 'JMR.cor.bat.hor.sta' [a mild reference to "that comic" that I haven't seen mentioned yet, something about a horse saying "correct, that is a battery staple"]

    3. Shadow Systems Silver badge

      Re: Dictionaries

      I'll suggest one step further. Use a dictionary written in Elder God runes. Anyone trying to hack your password gets eaten by an irritated Elder One. Snacks for everyone!

  7. Doctor Syntax Silver badge

    None of this is helped by web sites that insist on having a user account where none should be needed. Those get a password which expresses my view of the site. I live in hope that they store them in plain text (it wouldn't surprise me) and sometimes read them.

    1. vir

      Yes! Thank you! I do quite a bit of purchasing at the company I work for and every supplier needs a new user account with a password. What's my username at this site I haven't visited in six months? Did they let me use my email? Was their password minimum 6 characters or minimum 8 characters? Did it need a special character? One of them requires a password that is EXACTLY 14 characters long. Another requires a special character within the first four characters. Just give me the option to check out as a damn guest.

      1. A K Stiles
        Facepalm

        I've lost count of the number of occasions where I've gone to log in to one of those '6 month' sites, failed to get the password right after several attempts, clicked the reset password notification, followed the email to reset the password and then get the message that the password I'm attempting to use doesn't comply with rules X, Y, z, 3, %, and then not had to change the password because I can use that information to figure out the particular arcane combination I used in the first place. Just tell me the arcane rules the first time I got my password wrong, dammit!

      2. Craigie

        Is your browser not set to save passwords? Click in username box and choose the likely single username you've created on the site. Don't care what the password is as the browser remembers. Works pretty much every time. I have no idea what most of my passwords are as they were auto-generated and are recalled without my having to do anything other than be logged in to Chrome.

  8. Anonymous Coward
    Anonymous Coward

    Never the Director's Fault

    It would be easy to point the finger at the Sys-admins, but how many times does this not fall on the correct shoulders? I only make this point from my own battles in the past to get Information Technology Directors to enforce NIST/ ISO 27001 standards. Unfortunately in the commercial sector - if they aren't being forced to adopt a standard, may choose not to "burden" themselves with "unnecessary" complexity which leaves the Corporation Vulnerable.

    Until the United States adopts a policy similar to the GPDR, it's next to impossible to hold companies accountable for their own negligence when it comes to information security (Equifax, cough... cough...), and the turd rolls down hill when the fan is engaged.

  9. wikedstik

    I set my password to 'incorrect', that way if I forget it and try to login it will tell me 'Your password is incorrect'

    -Dilbert cartoon

    1. bombastic bob Silver badge
      Devil

      your password is incorrect

      from a Captain Tylor OVA: "delete all data"

      and you can change your root password to 'TSA-sucks' whenever you take your laptop computer on an airplane

    2. Robert Carnegie Silver badge

      My hint is "here is no hint."

  10. Anonymous Coward
    Anonymous Coward

    Password quality is not an absolute

    Policies have to be commensurate with risk level, which in turn has to be fairly assessed (we all tend to exaggerate), and one needs to take the whole environment into account not just the individual system.

    For instance, the requirements for my El Reg password, where the worst that can happen is that the quality of my comments will improve, and my work laptop disk encryption are not and need not be the same.

    Likewise, passwords are not a valid solution across the whole spectrum of risk. There is no point having your 60-rule password complexity and reuse policy to protect an asset once the value of that asset makes it worth it to beat the password, 2FA, etc., out of the password-holder. Or just knock a hole on the wall beside the reinforced door, so to speak.

  11. JeffyPoooh Silver badge
    Pint

    "Internal cybersecurity audits..."

    The only stored passwords on any system should be salted and hashed. Never, ever, never-ever store the plain text passwords. Right?

    So presumably these auditors got permission and copied out the hashed password file, and then ran the usual dictionary attack on it, hashing their dictionary in the only-possible forward direction.

    So... Doesn't that imply that the password file in question contains passwords that were not salted?

    Does the audit report mention that perhaps the passwords should be salted? Or would that cut-off future business...?

    (Corrections welcome...)

    1. Anonymous Coward
      Anonymous Coward

      Re: "Internal cybersecurity audits..."

      > So presumably

      Not a good idea to make assumptions. If you are interested, contact the auditors and ask them (please post back if you do).

      1. JeffyPoooh Silver badge
        Pint

        Re: "Internal cybersecurity audits..."

        AC, "Not a good idea to make assumptions."

        It's called "thinking"; you may wish to try it sometime.

        1. Loyal Commenter Silver badge

          Re: "Internal cybersecurity audits..."

          @JeffyPoooh

          I suspect it went something like this:

          1) obtain the password hashes (and salts) of say, 10,000 passwords

          2) using a common passwords dictionary (easily available from previous research), hash each of those passwords, using their salts, starting with the most commonly used password in your dictionary (e.g. Password123). First pass - 10,000 hashes. If this finds, e.g. 23 matches, then the second entry in the dictionary needs only 9,977 hashes.

          3) Once you have eliminated the passwords in the common passwords dictionary, you will have a smaller number of passwords left to crack, e.g. 4,576 of them. You then move onto using a larger dictionary, and making common substitutions, e.g. 1 or ! for i, etc., adding numbers and characters on the end, etc. (e.g. L3monade.1) This is slower, but will get most of the remaining passwords. Each one you crack means fewer hashes for the next dictionary entry.

          4) Once you have eliminated all the passwords based on single words, move onto two words, then three, etc. separated by various punctuation, numbers, etc.

          5) You will now have a small number of passwords left that are not based on dictionary words (probably in the double digits). If you are still interested in cracking these, then start with the minimum password length (e.g. 8 characters), and run through all the letter/number/character combinations that you haven't previously checked. Each of these you will only have to hash a much smaller number of times.

          Eventually, you can crack all of the passwords in the file, salted or not. It is simply a matter if applying enough computing power to it. If you're a researcher, you probably have access to a decent number of processor cycles to do this. If you are a hacker, you are probably using someone else's anyway. A good way to find some for free is to go and check various git repositories for people's AWS keys...

  12. Orv Silver badge

    In my experience, user frustration with password complexity rules often happens because they're told only that a password is too weak, and not *why*. Where I work I've watched users fumble for 30 minutes trying to find a password the system would accept. People for whom English is a second language struggle especially hard.

  13. EJ

    https://www.knowbe4.com/weak-password-test

    And it's free... except for the inevitable dialogue with their sales team, but they are low pressure and actually pretty good to work with.

  14. Queeg

    I've always preferred ..

    Ultra personalized passwords. (Oh God!, not Mothers names and Birthdays) No.

    Pick your favourite Book, Song, Poem, etc.

    Now pick a line from said work.

    e.g "Hello darkness, my old friend I've come to talk with you again Because a vision softly creeping

    Left its seeds while I was sleeping".

    Then take the 1st letter of each word and transpose to symbol where needed.

    hdm0f!ctTwy484v$c71$w1wS

    It's your favourite song, book, etc your probably not going to forget it :)

    As individual passwords creating them like this could become a pain, as a master password though I've found it very useful.

    Your attacker has to guess your Song,Book,Poem,etc then the part you chose, then the transposition you used.

    Good luck with that

    1. Loud Speaker

      Re: I've always preferred ..

      Worse still, you lose the post-it note you wrote it on, and have to access the account after a month away in a country where you had to speak another language.

      I will continue to use "correct-horse-battery-staple" unless money depends on it. (Except for government websites that don't allow passwords longer than 8 characters).

      1. J. Cook Silver badge
        Joke

        Re: I've always preferred ..

        @Loud Speaker:

        That's probably a combination of an IBM-ism, glue code to give the ol' dinosaur a 'modern' web access portal, and (willful) ignorance on the developer's part to modern standards. :)

        I use a password manager for my own use; my work team at [RedactedCo] use a shared password manager web application.

      2. Version 1.0 Silver badge

        Re: I've always preferred ..

        I always prefer "BadPassword" as my default password for accounts that I don't care about. Who would ever use that? It's completely safe.

        1. Orv Silver badge

          Re: I've always preferred ..

          I actually had a user tell me, with a straight face, that they thought their password was safe because it was too obvious for anyone to expect. They'd used "password." Another used their username, but backwards.

    2. J. Cook Silver badge

      Re: I've always preferred ..

      @Queeg:

      That's... a lot of effort for a password. (more so that what I used to use, which was a random keypress pattern ingrained into muscle memory. however, that has it's own issues... :)

      My favorite secret type is a passphrase, if the system will allow spaces. Easy to remember, hard to guess, and as long as it's a decent character length, expensive to brute force.

      Obig. XKCD: https://xkcd.com/936/

      (FWIW, Active Directory running in 2000 Native mode and later will cheerfully allow spaces)

    3. bombastic bob Silver badge
      Devil

      Re: I've always preferred ..

      correct horse battery staple [obligatory]. much easier.

      Compuserve used to do this, issue your initial password as 2 random words separated by punctuation.

      sword+rabbit

      that works, too.

      1. GruntyMcPugh Silver badge

        Re: I've always preferred ..

        @Bombastic Bob: "Sword+Rabbit"

        I do something like this, my current password is 19 characters, two words that would each pass complexity requirements by themselves, with a separator.

        But then we recently got cracked during routine PSN compliance testing, and my previous 13 character complex password was unravelled.

    4. eldakka Silver badge

      Re: I've always preferred ..

      Pick your favourite Book, Song, Poem, etc.

      That opens it up to social engineering. Better off picking a random one of those, rather than favourite.

      Well, unless you've always been too embarrassed to admit "Sounds of Silence" is your favourite song to anyone so therefore you've always kept it secret ;)

      1. Robert Carnegie Silver badge

        Re: I've always preferred ..

        If you misremember a song then it's highly secure... maybe. I don't think "ladymondegreen" will do.

    5. This post has been deleted by its author

  15. Jay Lenovo Silver badge
    Flame

    If you're having security issues...

    Wouldn't it be wiser to cure your bad password problem first, before telling the world specifically which vulnerabilities you are susceptible?

    Seeding the use of best practices by fanning the fire I suppose.

    1. Aladdin Sane Silver badge

      Re: If you're having security issues...

      I feel bad for you son.

      I got 99 problems but passwords ain't one.

  16. This post has been deleted by its author

  17. Mr_Happy
    FAIL

    Meanwhile our admins have made the password requirements so complex and expire every 30 days that everyone has to write them on a post it note and place it under the keyboard to have half a chance of logging in the next morning

    1. onefang Silver badge
      Joke

      "write them on a post it note and place it under the keyboard"

      Instead of on the monitor, clever, security by obscurity.

  18. bigtreeman

    pwgen

    my old fave is

    $- pwgen -y 10

    egh]aig0Da oVo9wohm}a iJoh9Ievu^ aig7oWua{p iM;ohwaeb3 di#eF4doh4 aGhi~ecie5 aefoh/S6Nu jei8qua=Qu cud0Zail~o Alon~oh4ju dae^the2Ci Ooxahp3ci. mohloJu%i9 Ohxae:ti8r Wu2ohshax; Eiz1hi_afa Aij5Weex%a ieG@oL3foh uPh#oov1ki nahZ"ie0af hou=Ch2Iex Go`h-u4ohx ahquo5Ief& ue8phae[P8 noCha[oy5e Na6zoj%ah9 noHu.es%o0 Bul3rid_ai ieth3Roh%G Pochei$qu0 Gei_gh2bie ohgai8Oot! ujee2Eej"i Loh2ze_Fos Zoh_Dairi4 Au3ou>v8ei uShaiw#u9u hagho3Iec# Ath4Fo.Pho Noo|h0quah eg0ahTh.ee geFae^x;i1 poe)caif3E eeHah5ahw> og_ohs6Si4 aZaeng{ie3 iey5ieT=oo Cheigh>ei5 LooGu0of,u vai4AiTe$o oofoo3Jo$e eik-i7aiGh eidu|iMe2p ja/a3Oos7l gae"Tie3ph eiJoo2vei| toos2be_L7 Wo|chioz5b Shoh5wae<z oo;t3shauN aiThi3Aa[g coh!phoh7A rah2Mu/cho Meu]t\aPe1 Ij#eekie0o cheiv:a9Ar Ek0pae@rae kux+ai6eiY aiK;i7aize IePh4ko(ib eim=ahy2Ei uw5Meithu, Aech0ieP;o Noon"ieL6h Mec=ahM0Ut adae!H2pho eev-ai8ePh quah1Jei^s ed7Ad5zu+u Ree\n+i4He nij'e2Begh aFe`ch5Nai Au`Ph6zaev ooH+oh3nae EiZu9xee'v Zei(T2yaip aesh<um0Ku Ooca-V4lo4 Foh2agh/ei aef2EeNg[u gu,a2Es0wa mahr_ohS9e Jah{g0pahv Zie?g7ia/d uv_ieHu4Io mu7Vo{chai eek4xe'Koo kooY;aefa5 ieKah9ohw{ Ad8meexae< Enge&G6Voh ee<d"aa3Ah ahShah+Je3 yee4Pa>Zah ie6uiPoh.k hai2Iefo&g Mahdu*p3ba Aghe9eeT\a Ooy"oo*k2u een9Ohqu|i Quai9goh^v soo4Faev+e Ahgh}a0aic voh:bae9Th vo0ro%aShe Cae1ohv^e8 io@noPoo2U Dukoh>to7r ahtho}hi5E Iulo|itu9x quach5uNg: ailoo=F5xa phosh6ve'F Se%quip3La The{t.u2Yu leeG!iesh6 aiCoo;H3nu uisoh5Fei@ eeKa+j2shu Iom_ei0loo nai~hahb3M uhe5Hoath; Pue)gh)ai9 OeX8hi.Chi mae7Ohm|of xoh7Ahgh;o va|mahH7Uz foh|Koo2oh Ahlie@d6ai

    gives a screen of ?random passwords to choose from.

    Give users an idea of what a password could be, from the examples they might create a good password they can relate to.

    When a user has to think of a password they can remember, they are severely limited by their lack of imagination. Further research might find the worst passwords in the least creative people ? accountants ? bosses ?

    1. Prst. V.Jeltz Silver badge

      Re: pwgen

      ooh yes , i like that first line , it really speaks to me , im gonna use that

      egh]aig0Da oVo9wohm}a iJoh9Ievu^ aig7oWua{p iM;ohwaeb3

      1. Aladdin Sane Silver badge
        Joke

        Re: pwgen

        And now I have to change my password, you bastards.

    2. Anonymous Coward
      Anonymous Coward

      Re: pwgen

      @bigtreeman: Whoa, careful with the use of that command! I’m not sure if there are many Elder Gods whom you didn’t summon with that particular invocation there!

  19. TechnicalBen Silver badge

    Summer123

    You have worked under the same "IT" department as me I see.

    1. Prst. V.Jeltz Silver badge

      Re: Summer123

      DayofWeek123 really popular too

  20. DrD'eath

    Password security check

    If anyone has concerns that their password may not be complex enough to be secure, send it to me for a full in depth analysis.

    1. Alister Silver badge

      Re: Password security check

      @DrD'eath

      My password is Sw0rdf15h!

      1. DrD'eath

        Re: Password security check

        Alister, (or should I say John T.) Of course it is Sw0rdf15h!m it's always Sw0rdf15h!.

    2. Robert Carnegie Silver badge

      Re: Password security check

      Mtlhrw13

      But I've changed it.

      What does it mean? (1) Nothing, it's random consonants. (2) It means "Metal harrow 13", which is what I remember. And which in turn doesn't mean anything, although it sounds like it does. I don't use "Metal harrow 13", because it's longer but not really more secure. But, I believe, not less secure.

      1. illiad

        Re: Password security check

        the problem with Mtlhrw is that you CANNOT SEE what you are typing!!!

        miskey, and you cannot get in..

        Odd thing I find, is keyboards do not work so well on the login screen!!

        1. Robert Carnegie Silver badge
          Joke

          Re: Password security check

          My keyboard has a fault in password mode, it always comes out as: ********

          But I do log in ok so.... I may have just told the world what my password is. It is ********

  21. Jo_seph_B

    correct horse battery staple. Length is key imo not complexity. Make it longer but easier to remember rather than shorter and complex helps users and has been the most effective way of killing two issues, users in ability to remember and the use of simple to crack passwords.

    We check AD once a month for weak passwords, with just a solid dictionary and 1 day checking its amazing how many so called 'complex' passwords it will get (mostly due to a solid dictionary of real world passwords. Those users are reminded twice before having their account locked and having to answer to their manager. Good policy and backing of the business are key to our progress. In the last two years its dropped from capturing over 60% of the passwords in AD down to around 10%. Still too many but with a high staff turn over and lots of users it'll never be perfect.

    1. Prst. V.Jeltz Silver badge

      Interesting , how do you do that? you pull them out to dictionary them? where are they stored in AD?

      1. Jo_seph_B

        Yes basically. Dump out the hashes and then use something like John the Ripper or Cain and Abel on it.

        Worryingly its rare I find an AD install where LM hashes are disabled which makes it even easier. It can hit silly numbers of passwords in very short time spans. NT hashes take a bit longer and need some more work.

      2. Spanker

        Yes, I could use some info on auditing password strength on installed systems.

  22. Fursty Ferret

    It's not surprising when you implement a system that forces people to change passwords every 3 months that you get passwords like "August2017" or "myusualpassword"+(number of times changed).

    1. Anonymous Coward
      Anonymous Coward

      goto admit i do that , but use obscure name of a place thats not in dictionary so feel ok about it

  23. Prst. V.Jeltz Silver badge

    234000 ad accounts?

    1% of aussies work for WA gov then?

    1. werdsmith Silver badge

      Service accounts, application login accounts and other stuff have passwords two.

  24. Pete 2 Silver badge

    A brick in the wall

    There is more to IT security than passwords. And it seems to me that if a determined hacker has managed to breach ALL the earlier levels of security, then a few puny keystrokes as a the last line of defence won't be much of a deterrence. No matter how long, contrived or frequently changed the password policy requires them to be.

    All a computer-level password can be expected to do is to keep out the casual, in-office, user who wants to use someone else's PC to send rude messages to the CEO. While there exist admin-level users with universal access, few hackers would bother trying to brute-force a user password - they would go straight to the root accounts and concentrate on them. Same amount of effort required, far higher gains on a successful breach.

    And with the security "wall" that all companies have, there are far more easily exploitable holes than this. The whole "strong password" security theatre is nothing more than that. There are many more pressing security problems that need to be addressed before user's passwords gets to the top of the pile.

    1. hmv

      Re: A brick in the wall

      Yes security is more than just passwords, but passwords are pretty important.

      Many places offer some form of remote access secured by ... the account password. And yes such services are regularly probed by password guessers.

      As to targeting privileged accounts, I've seen a demonstration of someone escalating from a non-privileged account to domain admin in less than an hour. So no, attackers will quite happily target non-privileged accounts.

  25. Milton Silver badge

    It's just a mental trick

    Passwords really don't have to be so hard. Most people have heard of concepts like mnemonics and even the memory palace, where highly visual oddities are used to aid memory.

    So you need a new Amazon password? Picture a bloody great water snake chowing down on a heavy load of pound coins. Twist the expression of the words. Get: "5nake(<LBs" [You have (< for an yawning mouth with a forked tongue, and LBs for the imperial representation for pounds as a weight. The word formed has quite a striking appearance, especially the caps. You can say it, but an eavesdropper still won't actually be able to type it correctly merely from the sound. You won't forget it, or the association with Amazon.]

    Corporate login for your health insurance employer? Picture your thoroughly unpleasant boss plummeting onto a hospital bedpan. Get "91tHI75h1t". You can say it ("git hit shit"), but again, an eavesdropper still won't actually be able to type it correctly merely from the sound. And again: memorable, visual, the word itself quite striking in appearance.

    Why is it a good defence? Not a single word suceptible to dictionary attack. Ten characters of mixed case alphasymbonumeric, for a choice of at least 70. A bit under three quintillion possible passwords. The most common entry mistake you commit will be typing a letter for a digit or vice-versa, which you probably won't do three times in succession—so, common errors will rarely lead to lockout.

    Allowing The Adversary "magic tech" that could try a million different passwords every second without lockout, it would take nearly 90,000 years to try every single possibility. I'm pretty sure your company's planning horizon doesn't extend beyond a decade (and the Board's doesn't extend beyond next January's bonuses) so you should be just fine.

    Take a creative two minutes to dream up your new password, stamp the image in your mind, and away you go. (If all else fails, use mental pictures of things connected with food and sex, which are particularly prone to stick in the mind's eye, for some reason.)

    Go on, give it a try. Go on, go on, go on ... ;-)

    1. Prst. V.Jeltz Silver badge

      Re: It's just a mental trick

      You won't forget it, or the association with Amazon

      Waddya nuts? there is no way i could recreate that thought process and come up with the same password twice in a row

      1. Charles 9 Silver badge

        Re: It's just a mental trick

        And I routinely deal with people with really, REALLY bad memories. That's why I always counter "correcthorsebatterystaple" with "donkeyenginepapercliprong". Their thought processes get twisted around, leading to incorrect recall. Now multiply that by a few dozen.

        1. Terry 6 Silver badge

          Re: It's just a mental trick

          You don't need to "counter" and it doesn't need a bad memory ( or recall, which is more to the point) just a loss of self-confidence within the task will do. Anyone trying to remember a list of random objects with no contextual cues is going to either muddle them or panic and be unable to recall them. Someone who doubts their ability to recall the list even more so. At best correct/horse/battery/staple is going to elicit some kind of "was it a staple or was it a needle?" type or response from a large chunk of the population from time to time

          1. Charles 9 Silver badge

            Re: It's just a mental trick

            But that's exactly what I meant by "counter". Forget remembering the password. How bad is it if you can't remember the mnemonic, such that you need a mnemonic for the mnemonic until it's turtles all the way down? Thus "Was it correcthorsebatterystaple or donkeyenginepaperclipwrong?" All four words with similar but incorrect counterparts (horse-donkey, battery-engine, staple-paperclip, correct-wrong) and in the wrong order. This ain't the Middle Ages when memory was basically your only lifeline and life wasn't as complicated as it was.

  26. IT Hack

    Layers...like an onion

    Thing is that you cannot look at this as just a password policy. There are other security aspects that also impact on usage.

    I see a lot of people say that post it's are vital to remembering a password. Well as we know that is also a risk. We mitigate that risk by using clear desk policies as a best practice.

    Of course in and if itself will not solve the issue of bad passwords. There are plenty of other policies to deal with that. As already mentioned...monthly scans to blacklisting.

    So yeah...onions.

    1. Terry 6 Silver badge

      Re: Layers...like an onion

      clear desk policies as a best practice.

      Best practice???

      By whose definition? Probably not that of the people doing the work of the place, who like their stuff around them, feel comfortable and work well that way. i.e. real people getting results for the organisation.

      Work place has to be a human environment, not a machine environment, for most people. And that means photo of the dog/child/car/spouse, potted cactus, furry toy, and some well thumbed documentation.

      Oh, and btw if there's no space for a post-it with the password on the desk they'll probably put it in a wallet or lunch box - or even agree to share one. ( Shouts across the room, "Hey Fred, what's the password this month?")

      1. IT Hack

        Re: Layers...like an onion

        Best practice??? By whose definition?

        Pretty much every infosec pro I've spoken to or worked with. On top of that we also consider passworded screen savers a best practice.

        New regulatory issues also drive the adoption of these policies, the newest being GDPR. Of course GDPR does not stipulate clear desk policies but as a security manager one would consider a clear desk policy as a mechanism to reduce the risk of data breaches.

        https://www.sans.org/security-resources/policies/general/pdf/clean-desk-policy

        1. Terry 6 Silver badge

          Re: Layers...like an onion

          Pretty much every infosec pro I've spoken to or worked with

          Probably though not the best policy for Bill in Orders, Freda in marketing or Betty in HR who like and need to work in a human environment with familiar cosy items round them and the paper manual with the stuff they need to type no more than 3 inches away. Ultimately they are the organisation and Infosec are the defences. Yes they have to be responsible, but they also have to be able to do their jobs in an effective and comfortable way. And the organisation has to be able to retain them - which means not putting their backs up too much.

          1. IT Hack

            Re: Layers...like an onion

            Probably though not the best policy for...

            We are not talking about family pictures or drawings by ones kids. We are talking specifically about information that is considered sensitive.

            So when you don't need it you lock it away. It is not difficult or complicated. Of course if you approach this like a bull in a china shop you will put peoples backs up. Much like any project that involves people...get the interaction wrong and you will have an uphill struggle. Basic management 101 (or should be). You are right in that regard. I find most reasonable people understand the reasoning if explained properly...not to viewed as a punishment but rather a best practice.

            1. Terry 6 Silver badge

              Re: Layers...like an onion

              I'm not seeing through this clearly. Clear desk, to the point that there are no post-its or anything else means clear desk.

              Tidy desk sounds a laudable aim, but isn't relevant to this discussion.

              No secure documentation left on the desk is a dead end in this regard if, a.) they are prepared to keep a written password ( already out of bounds everywhere, but pretty much everywhere does it anyway) or b.) the premises are meant to be secure so what difference does a filing cabinet make...... (And if that's just complacency - it probably is- that's a different issue anyway) or c) they aren't convinced that a written down password (inside their "secure" office) is a problem

              And, as I pointed out already, people will still find other, probably worse ways round it. And yes, I have seen a password written on a lunch box in a staff fridge. Everyone else who had an identified lunch box had their own name on it, one person pointed out that theirs was the one with an identifying string, which was their "log in" (his words). And I've heard staff groups discussing what password to use that month. As in them looking at the table and someone suggesting 4icedbuns because there were 4 iced buns left on the plate. Or, slightly better, saying to a colleague/group " my password is..... Just in case I forget." and them sharing/writing down each others' p/w. And no, management won't support IT staff unless it's a really egregious breach - because these are valuable staff who get the organisation's work done.

  27. Jtom Bronze badge

    Ok, from a slightly different angle, how about addressing customer password requirements? I must have over a hundred different passwords, and no single password template would be acceptable at all sites - different lengths, special characters, capitalization, etc. what do you think your customers do? Yeah, simplist things possible, post-it notes, and unencrypted files listing sites, user ID, and password (I really loved the site that required a special character in the user ID). Here’s a trick I’ve seen done: when the site is saved as a ‘favorite’ it is renamed as siteiduseridpassword, so the result would be: abcbank jtom pass123, SHOWN ON THE FAVORITES BAR. Makes life so easy.

    Look, please, if you make the decision, the first question you should ask yourself is, does this application really require a password??? I can log into my electricity account, look at how much I owe, and pay the bill. Why do you require a password?? If someone wants to pay my bill, LET THEM. They have my permission! Now, if you have a feature where I can store credit card info, and pay my bill automatically, then require a password just on that feature.

    If your site lets me store recipes, keep track of loyalty points, make comments, etc., then give ME the option to opt out of using a password. I have no fear that someone will post a comment on a site like this under my user name. It would gain them nothing, and at worse, I would change my name and then password protect it. If someone is desperate enough to log into my Subway account and steal loyalty points for a free sandwich, then they may do so, and may God bless. And I have no idea why anyone would go into my Kroger account and mess with my shopping list. I’m not going to buy a crate of spam simply because it is on the list.

    Maybe if I didn’t have to contend with this I would be more careful with passwords where they really mattered.

    1. Robert Carnegie Silver badge

      I probably could get a job for Heinz breaking into people's online grocery accounts and substituting Heinz products for the other brands. (Customer relationship meddler, probably.) You won't question it if a store delivers Heinz instead of the brand you requested - that happens - until maybe the fourth time. And then you'll assume it's a bug. But it isn't a bug. It's me. Just conveying orders.

      1. Charles 9 Silver badge

        Plus, what if they use your "open" accounts to glean information for a social engineering attack to get to your more secure stuff? That's one reason most sites insist on passwords and so on: they don't want the liability, especially if they're under journalistic scrutiny.

    2. sbivol

      Why protect personal data

      You need to keep your electricity bill private, otherwise a thief would know exactly when you are at work or on vacation.

      The shopping list is enough for a trained eye to tell who you vote for. Political organizations pay good money for knowing your affiliation and for being able to track how it changes over time. You can tell if someone's [wife is] pregnant just by the shopping list.

      I can't find a good example for recipes, but someone will find a use for such information.

      Using a password manager makes things simple, even the browser's built in "Remember password" provides more protection than no password.

      1. Charles 9 Silver badge

        Re: Why protect personal data

        Recipes are probably a clue as to cultural background or maybe even ethnicity, since these kinds of things tend to begin with local ingredients and get passed through the generations if they don't stick to regions. Consider: Not too many people not of German background would probably carry a spaetzle recipe. Fewer still that AND a rouladen recipe, etc.

  28. ShowEvidenceThenObject

    IT will not win any support

    This is typical - what we see is a lot of legacy stuff trussed up in a security policy with very little time to review or modernise.

    Regardless of the policy, we still cannot expect people to support or follow policy without more education, or a hard lesson in cause and effect, such as being fined under GDPR.

    We still have two problems. Information usually goes into a single bucket, and the security of it becomes IT's problem to fix, monitor and enforce. IT security has become more complex, and the company's solution is to put in generic access barriers, and an access policy. We expect that to be propogated to the business to read, understand and follow.

    IT is my life, but I appreciate not all people are that way; I too would rather that nurses spent their time nursing.

    IT will continue to hurt until better systems exist that can classify information correctly, silo it correctly, then put the correct access requirements in place - taking away that decision from general users.

    Sure, content management and correctly marked templates are viable, but I've not seen an organisation, private or public, that fully understands how to use information metadata, let alone how to silo and protect it properly.

  29. Anonymous Coward
    Anonymous Coward

    Trustno1

    What is damn scary is that I can identify a certain vendor in that lot as one if them is a password that would appear repeatedly in their systems.

    1. werdsmith Silver badge

      Re: Trustno1

      scott / tiger

  30. This post has been deleted by its author

  31. adam payne Silver badge

    what the state’s admins weren’t doing was blacklisting known terrible passwords or requiring them to meet a given level of complexity

    One agency was found to have over 2,000 shared accounts with privileged access.

    it was found that one agency had left an old offline AD database in a location support users and contractors were able to access

    Another had, “inadvertently shared its entire AD database with a third party

    #CaptainPicardDoubleFacePalm

    Kudos to the auditor for releasing this.

  32. Quenda

    How about limiting the number of login attempts?

    Surely if there is a limited number of failed logins (say 10 failures and the account is locked) then unless the user has completely stupid passwords like "password" then a dictionary attack won't work. Limiting the number of failures seems to be able to overcome these type of attacks and protects users from themselves.

    Any system that allows thousands of failed logins is asking to be hacked - you can't rely on users to have sufficiently complex passwords to resist millions of brute force attacks.

    1. Charles 9 Silver badge

      Re: How about limiting the number of login attempts?

      Unless it's an insider or someone else who's managed to get a hold of the (encrypted) password database. Then all bets are off in terms of attempts.

    2. Robert Carnegie Silver badge

      Re: How about limiting the number of login attempts?

      If your department's accounts lock after ten bad login attempts, then I can do denial-of-service on you by trying each account ten times. You see? This is hard.

  33. rcp27

    The Only Winning Move is Not to Play

    Having gone through a variety of iterations of password policies and security headaches, I have formed the opinion that the problem isn't that there are "good" passwords and "bad" passwords, or "good" password policies" and bad ones. Rather, I have concluded, if the answer is "a username and password", you're probably asking the wrong question. Computers are really good at storing, copying, transmitting and manipulating simple information. Username and password as a means of securing data just isn't appropriate in the present day.

    1. Charles 9 Silver badge

      Re: The Only Winning Move is Not to Play

      To which the next question would be, "Then what do you use that can work even with CEOs with poor recall, can't be stolen or coerced, and can't be copied or imitated?" If even ONE of those gotchas remains, it WILL be exploited: for the lulz if nothing else.

  34. Sean o' bhaile na gleann

    What's so difficult?...

    I find it truly difficult to understand the fuss about choosing passwords. Perhaps it's just my mind-set. It often seems to me that 'computer security' is just a money-making FUD generator.

    My current employer is very typical of all the sites I've worked at with regard to passwords:

    ...Eight characters max length

    ...First character must be alphabetic

    ...Case-insensitive (lower-case gets translated to upper-case by default)

    ...Use of @ ! $, etc is frowned upon because of code-page translation difficulties (SecAdmin says "Use 'em if you want, but don't come crying to me if things go wrong!")

    ...Passwords expire every 30 days

    ...New password cannot be any of the previous thirteen

    ...New password cannot feature anything from a long list of prohibited character sequences

    ...Three tries are you're out. (SecAdmin has to manually reset password to an expired one that I have to change again upon first - successful - retry)

    Coming up to my 50th-ish year of working on IBM mainframe systems protected by RACF and I've never once, not ever, had my password cracked or my account hacked, etc., and - to the best of my knowledge - none of the systems I've worked on has suffered any form of exposure either (if they did then *I* never got to hear about it).

    1. Charles 9 Silver badge

      Re: What's so difficult?...

      "Three tries are you're out."

      So what happens when it's am executive that gets locked out, misses closing a deal because of it due to not being able to get critical documents in time, and starts asking, "Who hired these clowns that cost us the deal?"

      1. Terry 6 Silver badge

        Re: What's so difficult?...

        Three?? With both a username and a password to try and recall. And with several dozen accounts in your life?

        It can take two or three goes just to get the right username. And then there are the password choices ("Did I use that one with the battery and staple or whatever they were or is this the one that's my mother's middle name plus my golf handicap and did it have to have a special character....?" With the best will in the world you have to expect most users to need >3 attempts at least once or twice a month at least if they aren't logging in every day.

  35. russmichaels

    Re: "The former policy wonk -

    The problem is that STILL too many websites still encourage poor passwords and even limit the length of the password to a paltry 8 or 10 characters.

  36. skswave

    time for TPM with virtual Smartcard its built in

    And TEE protected credentials on mobile

    putting trusted computing to work at Rivetz

  37. skuba*steve

    Passwords LOL

    It's a constant battle for any sysadmin - shared accounts, admin passwords never expiring, stale user accounts. When I started with my current employer they had a practice of never deleting old user accounts (in case they wanted to come back), passwords were forced to change *once a year* and half the company was using a variation of the [companyname]123.

    It's not until something happens (we got hit with a Ransomeware attack late last year) that the SMT starts paying attention to cyber security, particularly if you aren't an IT-centric company; we are manufacturing, so IT is a support element rather than core to the business. It's been a battle just to get USB device control and web/mail content filtering in place, and for the most part I've had to put it all under the banner of "GDPR compliance" to make any headway.

    Unless you have the backing of the SMT and above, or suffer a major security leak, the company just thinks you are being difficult for the sake of it.

  38. Concerned but optimistic

    The other usability thing that is most often ignored is the ability to get special characters on mobile devices with pop up keyboards. At least 3 extra taps to a get % symbol and back to alpha, not to mention how bloody obvious that can be to someone peering over your shoulder.

  39. kraftdinner

    Why do we keep having this conversation? It's crazy obvious people hate remembering passwords. Something needs to change and it's the IT community that needs to promote that change.

    1. Charles 9 Silver badge

      $64M Question: Change it into WHAT? As bad as passwords are, any alternative cooked up has had drawbacks of its own (biometrics can be copied, dongles can be lost, etc.).

  40. Sixtysix
    Go

    Store all your passwords in your wallet...

    I use https://www.passwordcard.org/en for (some) of my passwords.

    I have an algorithm based on domain name (one letter and number of characters gives me a start point) that lets me work out/replicate where the password starts, which direction it goes (one of the 8 cardinal directions based on TLD) and how long it should be.

    Do not need to use on my devices as I have my KeePass db, and don't use for all websites, but does let me access "throwaway" sites with a strong password, and access to my secondary email account which will allow (indirectly) access to primary email (and thence my KeePass backup) when I'm out and about/abroad/etc.

    I have several copies... and don't care if other people see!

    1. Charles 9 Silver badge

      Re: Store all your passwords in your wallet...

      Thing is, you can MIS-recall your algorithm, and everything starts going wrong and you can't recall the right method you were using. I routinely have to deal with people with such bad recall they common words, sometimes their own name, yet need online access to reach their appointments, benefits, bills, etc. Makes me worry if their caregiver pops the cogs before them from stress...

  41. somethingbrite

    It's not poor password policy - it's poor psychology.

    If you force people to change their password every 30 days they will simply start creating easy to remember passwords.

    We live in an age of passwords and pin numbers. We don't get to create or change them all, but we have to remember them all. And there are a lot of them in our lives.

    I can appreciate the desire to keep systems safe, but your's isn't the only password that people have to remember in their lives and increasing the complexity of the password and the frequency of changes will simply result in people choosing simpler combinations, repeating combinations with only minor changes or both.

    1. Charles 9 Silver badge

      "...but your's isn't the only password that people have to remember in their lives..."

      But ours is the one on which our money (and necks) are on the line. So, perspective. Who cares about the next guy? The liability is on US, so OURS is the only one we CAN care about.

  42. Mark Wallace

    All you need is a simple script...

    That runs overnight, and cycles through all the "bad" passwords, trying to log into the account of every user in the organisation.

    If it succeeds in logging in, it can do all kinds of nice things to encourage the errant user to repalce the password with a decent one.

    I'll leave the definition of "nice things" up to you lot -- mine is far too evil.

    1. Charles 9 Silver badge

      Re: All you need is a simple script...

      Are you willing to do this even to an account of someone over your head, knowing there's a risk said person pins the problems onto you instead?

      1. Olivier2553 Silver badge

        Re: All you need is a simple script...

        The very first step into installing a security policy is that it is endorsed by the topest brass.

        As a security administrator, you cannot do anything if you don't enroll your heirarchy, up to the top of the top.

        1. Charles 9 Silver badge

          Re: All you need is a simple script...

          Problem is, that first step is often the hardest, as the top brass are often the LEAST likely to approve of ANY security plan, seeing as how they need to get to the crown jewels anytime, without notice (in their perception) in order to keep the business going. They basically can't see it until it hits them directly, by which point it's probably already too late.

  43. itsme

    Haveibeenpawned and password managers

    To solve the problems of bad passwords, I am surprised no one has suggested checking the passwords users submit against haveibeenpawned. At least then you do not have a password that is out there in the wild (and immediately solves the stupid paswords). Such a plugin to AD would help enormously. It could check off line, if it finds a bad password it locks the account and forces a password reset.

    Overall, I think the only way forward is a password manager that provides you with a random password checked against such a database for each site. The password manager enforces a strong password that does n't change. All passwords are regularly checked against the havibeenpawned dictionary to ensure it has not been lost by some organisation.

    Something like Bitwarden, which can be self hosted if you think that is more secure, is a great option although it does not give all the functionality I'd like at the moment.

  44. Bob Ajob

    Obligatory xkcd link

    https://www.xkcd.com/936/

    As the author wrote -

    "To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize."

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019