Don't shame idiots about their idiotically weak passwords

Attempting to scare people by telling them their password choices are stupid or easily guessable is counterproductive, because it serves only to reassure them that they are just like everyone else. By saying users are stupid, you perpetuate a stereotype that people are the problem, according to Dr Jessica Barker. Security …

  1. Prst. V.Jeltz

    Organisations such as the NCSC are taking these ideas on board by, for example, dropping the traditional advice that passwords should be frequently changed. Frequent changes might sound good on paper but they only encourage the use of weak, easily guessable passwords in practice, hence the problem.

    Well, if you enforce a frequent change policy, you can enforce a "not weak" policy, can't you?

    ... and drop the frequent changes.

    1. Lee D

      If your password is brute-forceable, you shouldn't be using it.

      If it's not brute-forceable, you have no need to change it every two seconds.

      If you think it's compromised, you need to change it whether or not you're certain, or "it's that time".

      I implemented this on day one at my new workplace. Nobody has ever argued, even outside security auditors.

      1. Charles 9

        "If you think it's compromised, you need to change it whether or not you're certain, or "it's that time"."

        But the thing is, how do you know whether it's compromised or not? I thought that was the point behind periodic password changes: to deal with undetected breaches, either by closing them (the user changes the password) or by making IT aware of them (the hacker changes the password and locks out the real user).

        1. Ben Tasker

          I thought that was the point behind periodic password changes: to deal with undetected breaches

          That was the point yeah. The thing is, it's unusual for someone to just sit on a known-good password - generally they'll use it as a point of entry more or less straight after gaining it. Usually it'll be used to gain a pivot point so that they can go after something more useful (like gaining domain admin or the like).

          So unless they get your password on day 89 of your 90 day rotation period, it doesn't actually offer that much protection. Especially when you factor in the fact that enforced rotations tend to lead to lower quality passwords, as users get sick of having to memorise a new one.

          Essentially, having an Intrusion Detection System on the network probably offers far better protection than rotating passwords ever did.

          1. sorry, what?

            @Ben Tasker...

            I wish I could upvote for each and every sound statement you made...

            It's great to see that I'm not alone in thinking that password expiry is overused to the detriment of security. I used to work somewhere that passwords had to change every 60 days. This meant my (otherwise secure, non-brute-forceable) password basically got a numeric index on the end for no good reason. If someone got hold of my base password they could easily have worked out my next one. But my point is it was secure and really didn't need this cycling.

            1. Anonymous Coward

              Re: Password rotation...

              I would assume 2-3 months expiry is for those Managers/IT bods* not bothered to revoke passwords/access rights to staff who have left/been fired.

              *The good IT staff do care, but possibly were never informed of the current staffing and access rotas.

          2. Adam 1

            > So unless they get your password on day 89 of your 90 day rotation period, it doesn't actually offer that much protection.

            I disagree. How many breaches have there been which surface literally years after the data had been compromised. Imgur the other day. Yahoo a few years back. And probably no less than half a dozen other publicly known breaches in the past few months that I can't be arsed googling for right now. How many have been stored inappropriately using unsalted hashes? Understanding your risk landscape is crucial. How many of your live passwords are sitting there on that not yet fully decommissioned server which hasn't been patched properly because it is running 2003 server or something. Or on that external HDD that the last IT guy cloned the server to during the last migration. Is that going to be diligently wiped? Or how many .bak files are sitting there on a misconfigured web server just waiting for shodan to index them.

            None of that eliminates the need for IDS or monitoring those 3am logins from Eastern Europe, but the best security approach we know of is a layered approach. One of those layers is to limit the ttl for a password itself. Every month is pretty stupid, but twice a year gets the security/convenience trade-off to a more reasonable point.

            Oh, and for the love of all things... Don't mandate special characters and numbers and the like. It's the size that counts. Not what you do with it.

            1. Tom -1

              @Adam 1

              > Oh, and for the love of all things... Don't mandate special characters and numbers and the like. It's the size that counts. Not what you do with it.

              Presumably you are aware that a 32 character password using letters, numbers, and assorted special characters so as to provide 8 bits per character is more than twice as long (since the useful measure of length is bit-count) as a 32 character password using only English alphabet upper and lower case characters? The rule has to be: mandate nothing, permit the user to use whatever bit strings he likes and provide some reasonable character set that enables him to do that. Saying "don't mandate numbers etc." is going to be interpreted by the average user as "allow only alphabetic characters" even if that's not what you intended when you say it.

              1. Charles 9

                Re: @Adam 1

                No, because not all keyboards are equal, and some users may travel a lot, meaning they may not have access to the characters they used to type their password. For example, how does one enter the British pound sign or the Euro sign on a US keyboard (especially one without a keypad, meaning the Alt trick doesn't work, either)?

        2. Lee D

          "Hoping" that your password isn't compromised by changing it regularly (and on a pre-determined pattern for most people... people do NOT generate and memorise a long random password every 90 days, etc.) isn't security.

          You don't cycle passwords "in case someone knows them". In that case, it's game over. They can just get into everything you can anyway, how much time they have to exploit it is neither here nor there, it's game over. And they could just compromise one of your files to re-give them access whenever they like if they have got in.

          Rather than have a dubious "but it'll stop people having my access for 90 days rather than 89!" reasoning, just stop cycling passwords. It's a nonsense. If you're that worried, IDS/IPS is your friend here. Literally email people EVERY TIME they log onto a service and let them spot the rogue logins at 3am, etc. Though annoying, that's much more "secure" in terms of detecting a breach than any password-reset nonsense.

          Once they're in, they're in. It takes seconds to type a command that will compromise a user's entire account.

          1. Anonymous Coward

            IF you are rotating passwords...

            You are already worried the users are losing passwords! This is a good reason to change them. However, constantly changing a password is possibly the worst solution. If that kind of worry is there, then use 2 factor. It means the password alone is not enough, and while theft of the second factor is possible... It's physical access at that point, you know you've already lost if they can get that far with a user (getting both password and the generator).

            1. m0rt

              Re: IF you are rotating passwords...

              I think one thing that would help is not insisting on an upper case letter, number, character in each case, but allowing LONGER PASSWORDS so phrases can be typed in. The number of sites, including banks, that seem to have an arbitrary limit of 9 characters. Also, those that DON'T TELL YOU when you have filled up the password field, so you type past this point, then wonder why you can't log in to your new subscription when the password you filled in TWICE fails to work.

              Obviously sucks on a mobile, but then so does having your accounts hacked.

          2. Anonymous Coward

            " Literally email people EVERY TIME they log onto a service and let them spot the rogue logins at 3am, etc. Though annoying that's much more "secure" in terms of detecting a breach than any password-reset nonsense."

            Wrong, wrong, a thousand times wrong.

            Any security system that generates thousands of time-wasting false positives just conditions the recipient of the spam to ignore all such messages... if they are smart, they'll write an email rule to shuffle them straight to a spam folder, and delete after 72 hours.

            1. Anonymous Coward

              the recipient of the spam to ignore all such messages

              Not if you put a rude picture in each one...

      2. ilmari

        I think the biggest issue is the sheer number of passwords required. The average person probably struggles to remember more than 2 "difficult" passwords. Add to that, that every little thing wants you to make a user account and password, so you end up with hundreds.

        1. Anonymous Coward

          "I think the biggest issue is the sheer number of passwords required. The average person probably struggles to remember more than 2 "difficult" passwords. Add to that, that every little thing wants you to make a user account and password, so you end up with hundreds"

          Yes, which is why you need a searchable encrypted password repository and two or three passwords to get you into it.

          1. bombastic bob

            "a searchable encrypted password repository"

            like 'keepass', particularly the OLDER one (now maintained as KeePassXC), and NOT the one that uses C-pound and ".Not" (blechhhh)

            and, on a related note, a sequence from the movie 'hackers' (copied from IMDB)

            The Plague: Someone didn't bother reading my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and...

            Margo: [glares at The Plague]

            The Plague: god. So, would your holiness care to change her password?

            and also, an obligatory reference to "correct horse battery staple"

      3. Teknogrot

        You're assuming a small time limit here, right? Because if you're not, you may want to sit down... I have bad news for you.

      4. Mike 137

        "If your password is brute-forceable, you shouldn't be using it."

        Any password can be brute forced given the time and effort required. This is a completely incorrect way of thinking. All reports of 'weak' passwords obtained by brute forcing have been based on offline attacks on password databases. So what's the root problem here? That the password database got exfiltrated. It's both unreasonable and impractical to make the end user responsible for the entirety of password protection including the security of the authentication server.

        Most users aren't idiots when creating passwords - they're actually extremely clever, but at solving their own problem, not yours. You give them a set of complicated rules they have to remember despite only using it four times a year; they have to think up a new password without writing it down and can't see it when they type it in (even for the first time). Then they have to remember it for a minimum of 24 hours before using it again. That's the problem you give the user, and they solve it very well - Companyname123 or Pa55w0rd!

        BTW there is a huge amount of solid academic research into the psychology and practicality of password use, but of course nobody in IT has read it - or indeed ever heard of it. They just make up arbitrary rules for someone else to follow, based on unconsidered mantras.

        1. Adam 1

          Re: "If your password is brute-forceable, you shouldn't be using it."

          > Any password can be brute forced given the time and effort required. This is a completely incorrect way of thinking

          Only if you ignore the heat death of the universe. A 15 character random password made up of randomly chosen upper and lower case English characters, if brute-forced at a leisurely 60 billion guesses per second, will be brute-forced in, on average, 14.5 billion years.
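As an added worked example (my code, not any commenter's), here is the arithmetic behind the figures being traded in this sub-thread: keyspace, entropy in bits (the "bit-count" measure of length Tom -1 refers to above), and expected exhaustive-search time at the 60 billion guesses per second assumed in the comment. The pool sizes, the Diceware list size of 7776 words and the use of a Julian year are my assumptions, and the calculation only applies to passwords chosen uniformly at random; a human-chosen password is searched by dictionary, not by keyspace.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year, in seconds (assumption)

# Sizes of the pool a uniformly random password draws each symbol from.
LETTERS = 52            # a-z, A-Z
ALNUM = 62              # letters plus 0-9
PRINTABLE_ASCII = 95    # letters, digits and the 33 ASCII punctuation characters
DICEWARE_WORDS = 7776   # words in a standard Diceware list (6^5); one "symbol" is a whole word


def keyspace(length: int, pool: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from `pool`."""
    return pool ** length


def entropy_bits(length: int, pool: int) -> float:
    """Guessing entropy of such a password: log2(pool ** length) = length * log2(pool).
    This is the bit-count measure of length; it assumes every symbol is chosen at random."""
    return length * math.log2(pool)


def years_to_crack(length: int, pool: int, guesses_per_second: float) -> float:
    """Expected wall-clock years for exhaustive search at the given rate. On average the
    attacker finds the password after searching half of the keyspace."""
    expected_guesses = keyspace(length, pool) / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def length_for_bits(target_bits: float, pool: int) -> int:
    """Shortest length from `pool` that gives at least `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(pool))


def compare(guesses_per_second: float = 60e9) -> dict:
    """Entropy and expected crack time for a few policies at one guess rate."""
    policies = {
        "15 random letters":         (15, LETTERS),
        "8 random printable ASCII":  (8, PRINTABLE_ASCII),
        "12 random printable ASCII": (12, PRINTABLE_ASCII),
        "4 random Diceware words":   (4, DICEWARE_WORDS),
        "6 random Diceware words":   (6, DICEWARE_WORDS),
    }
    return {
        name: (round(entropy_bits(n, p), 1), years_to_crack(n, p, guesses_per_second))
        for name, (n, p) in policies.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:28s} {bits:6.1f} bits  {years:12.3g} years at 6e10 guesses/s")
    # 15 random letters at 6e10 guesses/s -> about 1.45e7 years
    print("letters needed for 80 bits:", length_for_bits(80, LETTERS))
    print("printable ASCII needed for 80 bits:", length_for_bits(80, PRINTABLE_ASCII))
```

The thing to take from the printed table is that each extra symbol multiplies the keyspace by the pool size, whereas enlarging the character set only changes that multiplier: at 80 bits the difference between all-letters and full printable ASCII is two characters of length, and eight characters of anything is an afternoon's work at the quoted rate.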

          1. Charles 9

            Re: "If your password is brute-forceable, you shouldn't be using it."

            "Only if you ignore the heat death of the universe."

            Unless you take scientific advances into consideration: advanced beyond our current scope and therefore ability to predict. Unless one can scientifically prove there will be no such thing as a password version of Shor's Algorithm or something more significant, then one cannot use computational infeasibility as a safety net.

            1. Lee D Silver badge

              Re: "If your password is brute-forceable, you shouldn't be using it."

              Computational feasibility is the only safety net you have.

              Whether that's password brute-forcing, prime-factorisation, elliptic-curve equation solving, or qubit-based encryption.

              Literally the ONLY defence you have is how long it takes. When DES was "broken" (after 20 years of being "infeasible"), 3DES lasted until 2015 or so (another 20 years) without any significant changes (and is now only considered "weak" because of the fixed keysize - if you had a MASSIVE keysize DES it would still be feasible to use today).

              Sure, the underlying algorithms will be found to have holes. That's a given. What saves you from those holes cracking open immediately on release is computational infeasibility.

              Absent a major, dumbass flaw (WEP), the keysize (and thus the amount of brute-force required) is, simply-stated, the lifetime of the algorithm. DES was 56-bit which was fine in the Netscape era. Nowadays that doesn't even fill a processor register. But at no point was there anything stopping someone making a 4096-bit version and using that, only the time to encrypt and decrypt, and it would buy extra life.

              The reason is quite clear - even testing 2^56 combinations is miniscule by today's standards. That's 72 thousand million million. Do something a million times a second, that's a million seconds. A million seconds is 11 days. 72 thousands lots of 11 days isn't a lot when you have a datacenter of equipment that numbers in the thousands.

              But things rapidly get out of hand. 2^4096 is a number so unimaginably huge that only cryptographers really have a need for it. Physicists have absolutely no use for a number that big. It has (quite nicely) 1234 decimal digits in its expansion. A billion planets full of a billion people running a billion computers each at a billion attempts per second will still take not just BILLIONS of years, but... BILLIONS UPON COUNTLESS BILLIONS of years. It literally becomes infeasible.

              P.S. I have a 4096-bit SSH key. It logs me in in under a second. But if it takes a billionth of a billionth of a billionth of a percent of a billionth of that time I just listed to break it, I'm still safe for BILLIONS of years.

              Exponentiation is your biggest defence against brute-force. Even if the algorithm is destroyed to be only a BILLIONTH as powerful as you think, you're still safe. Nobody can guarantee perfection, no, but exponentiation and thus computational infeasibility is your only real defence at all.

              1. elgarak1

                Re: "If your password is brute-forceable, you shouldn't be using it."

                1. I doubt you have to type in the 2^4096 SSH key. Which is what we're talking about here.

                2. Even your "million second example" takes the wrong conclusion. Yes, if you really want to break into THAT ONE computer, it's not long. It is, however, very long for a lazy dumbass hacker out for a quick buck with some random poor sod's computer. The former is the problem for professional spies, which, frankly, I don't worry much that I'm a target of. The latter is the threat most everyday passwords aim to protect against.

        2. Anonymous Coward

          Re: "If your password is brute-forceable, you shouldn't be using it."

          I've written a new password policy which I'm fighting to get approved. It requires less frequent changes, longer passwords (with a longer minimum), and no numbers/special character requirement or even upper/lower case.

          It's such a damn fight to get it approved though; people EXPECT those requirements and don't understand that encouraging people to use easier to remember passwords may actually improve the quality of them rather than them simply using their spouse's/child's name and adding a number to the end.
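As an added example of what a policy along those lines looks like once written down as code (my illustration, not the commenter's document and not NCSC text): length is the only structural rule, and the remaining test is whether the candidate reduces to a blocked word once digits and punctuation at the ends are stripped and leetspeak is undone, which is what catches the Companyname123 and Pa55w0rd! patterns Mike 137 describes above. The thresholds, the blocklist and the site-specific terms are assumed values for the example; a real deployment would check against a breach corpus.

```python
import re
import string
import unicodedata
from typing import Iterable, Tuple

# Policy parameters (assumed values). Length is the only composition rule; the upper
# bound exists so that the cost of hashing a pathological input stays bounded.
MIN_LENGTH = 12
MAX_LENGTH = 128
MIN_DISTINCT = 4   # rejects AAAAAAAAAAAA-style repetition without any character-class rule

# Common leet substitutions undone before the blocklist comparison.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# Constructed blocklist for the example; real policies load a much larger list.
COMMON_PASSWORDS = {
    "password", "letmein", "qwerty", "welcome", "iloveyou", "changeme",
    "correcthorsebatterystaple",
}


def normalise(password: str) -> str:
    """Reduce a candidate to the dictionary word it is built on:
    Unicode-fold and lower-case, strip digits/punctuation/whitespace from both ends
    (Companyname123 -> companyname), undo leet (Pa55w0rd! -> password), then drop
    any non-letters that remain (spaces inside a passphrase)."""
    s = unicodedata.normalize("NFKC", password).casefold()
    s = s.strip(string.digits + string.punctuation + string.whitespace)
    s = s.translate(LEET)
    return re.sub(r"[^a-z]", "", s)


def check_password(password: str, site_terms: Iterable[str] = ()) -> Tuple[bool, str]:
    """Return (accepted, reason). There are no character-class requirements;
    the tests are length, trivial repetition, and 'not built on a known word'.
    `site_terms` carries organisation-specific words (company name, product names)."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(password) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if len(set(password)) < MIN_DISTINCT:
        return False, "too few distinct characters"
    blocked = COMMON_PASSWORDS | {normalise(t) for t in site_terms}
    base = normalise(password)
    if base in blocked:
        return False, f"built on a blocked word: {base!r}"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["Pa55w0rd!2017", "Companyname123", "AAAAAAAAAAAA",
                      "correct horse battery staple", "four plain words are fine"]:
        print(f"{candidate!r}: {check_password(candidate, site_terms=['Companyname'])}")
```

Note that the blocklist comparison is done on the normalised form on both sides, so the site terms can be supplied as they appear in the company's branding and still match a user's "Companyname2017!" variant.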

    2. Anonymous Coward

      Why bother? Everything will be hacked! Might as well get it over with!

      1. Anonymous Coward

        Presumably you also use see-through envelopes and don't bother locking your door as you'll only get burgled regardless...

        1. Yet Another Anonymous coward

          Presumably you also use see-through envelopes and don't bother locking your door as you'll only get burgled regardless...

          No but neither do I waste 2 hours every morning securing the front door and changing the lock every week

          1. Pascal Monett

            Yeah, but you don't need to change the lock every week.

            First of all, you hardly have a burglar passing 25000 times a day to try to pick the lock; then there's the fact that picking a lock means the burglar is visible for as long as it takes; and finally a secure lock is a lot harder to crack than an effin' password.

            Plus, if you leave the key in on the other side, there ain't any burglar in the world who'll be able to pick a security lock.

    3. BillG

      Attempting to scare people by telling them their password choices are stupid or easily guessable is counterproductive, because it serves only to reassure them that they are just like everyone else.

      According to Wikileaks, Hillary Clinton campaign chairman John Podesta’s password was "password".

      What makes this even funnier is that his password was initially "p@ssw0rd", and he changed it to make it easier.

      I think more along the lines of the Dunning-Kruger effect.

    4. Lotaresco

      "Well if you enforce a frequent change policy ,you can enforce a "not weak" policy cant you?

      .. and drop the frequent changes."

      Having been one of the people that advised NCSC on this, I can say that it was really nice that they actually listened and came up with a policy that makes sense. They did approach most of the well known names in IT Security to ask for advice on password policy and the results were as close to unanimous as can be expected when talking to security people who generally disagree about *everything*.

      You can see the summary of NCSC recommendations here, because another change they have made is to publish their advice to the public both for consultation and to spread best practice. You can also download and print a nice purple poster to stick on your wall, or stick pretty much anywhere you please.

  2. Prst. V.Jeltz

    Password change GPO just means people increment the number on the end. The smart ones, anyway.

    1. Spudley

      Password change GPO just means people increment the number on the end. The smart ones, anyway.

      The *really* smart ones decrement.

      1. Anonymous Coward

        The *really* smart ones decrement.

        wooooaaaahhhhh!!!1 I didn't think that was possible???!

        1. Anonymous Coward

          Why not play connections? Then when you forget your latest password you just need to remember the previous one and it's an instant reminder.

          M4ggot --> 4pple. --> P34rs. --> Funb4gs --> Bulg4ria --> T0bermory

          Perfectly acceptable to most automatic password checkers, and if you remember the previous one you can remember the one after it.

          1. Charles 9

            But what if you forget the previous one, too? Plus what if there's more than one possible association and you end up picking the wrong one? Some people have REALLY bad memories (Was it "correcthorsebatterystaple" or "donkeyenginepaperclipwrong"?).

            1. Anonymous Coward

              But what if you forget the previous one, too?

              No problem, just remember your employee ID (it's on your badge) and your mother's maiden name and they'll fit you out with a new password easy as anything.

              1. Tom -1

                Re: But what if you forget the previous one, too?

                @Mycho, the problem isn't remembering your mother's maiden name, it's remembering what you told this particular bunch of security wazzocks it was.

        2. Anonymous Coward

          What number do I start at?

          That's too difficult to work out but it's good to know I'm just like everyone else.

      2. Just Enough

        *Really* *really* smart ones follow the Fibonacci sequence.

        1. Tim Seventh

          And the really, really Really Crazy ones pick the next digit from pi as their next number. Let's see, last time I used the 10^-235 digit, time to use the 10^-236 digit!

        2. The First Dave

          *Really* *really* *really* *really* smart ones follow the digits of Pi, interleaved with the digits of Tau

        3. Tom -1

          @Just Enough

          Much more amusing is to add the number of digits differing between the octal representation of the highest prime below 3 to the power of the current number and the decimal representation of the fifth lowest prime greater than the current number to the current number.

          The really smart ones don't care what the number is as long as the real password (the bit before the number) is seriously secure. They like the number bit to be amusing, and also to spread it around the password rather than always putting it at the end.

          The really really genuinely smart people only have passwords for systems that have decent security (so they don't need to change their password frequently), use some sort of second factor authentication when a login is from an unknown device or an unknown location, or a lot of time has passed since last log in, and don't send pointless emails telling people they've logged in but do send messages when a login attempt has failed and been abandoned rather than retried successfully. Then they probably also use some sort of secure password store for most of their passwords, since remembering a hundred or so of the damned things is a pain in the butt.
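The alerting rule just described, as an added example (my code, not anything the commenters run): a successful login is flagged for a second factor only when the device or the source country is new for that user, or the account has been idle for a while; failed attempts that are never followed by a success from the same device are reported once they have gone quiet; and an ordinary login produces nothing at all, which is the alert-fatigue point raised earlier in the thread. The events, their field layout, and the one-hour and thirty-day thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events, not real logs:
# (ISO timestamp, user, result, device identifier, country of the source address)
EVENTS = [
    ("2017-11-27T08:55:00", "alice", "ok",   "laptop-1",  "GB"),
    ("2017-11-28T09:02:00", "alice", "ok",   "laptop-1",  "GB"),
    ("2017-11-29T03:10:00", "alice", "fail", "unknown-7", "RO"),
    ("2017-11-29T03:11:00", "alice", "fail", "unknown-7", "RO"),
    ("2017-11-29T03:12:00", "alice", "ok",   "unknown-7", "RO"),
    ("2017-11-29T09:00:00", "bob",   "ok",   "desktop-2", "GB"),
    ("2017-11-30T23:40:00", "bob",   "fail", "phone-9",   "GB"),
    ("2017-11-30T23:41:00", "bob",   "fail", "phone-9",   "GB"),
    ("2018-01-20T10:00:00", "bob",   "ok",   "desktop-2", "GB"),
]


def analyse(events, abandon_after=timedelta(hours=1), stale_after=timedelta(days=30)):
    """Return findings as (timestamp, user, kind, detail) tuples, oldest first.
    kind is 'step_up' (require a second factor before granting the session) or
    'abandoned_failures' (failed attempts with no later success from that device).
    A user's very first login counts as a new device, i.e. step-up doubles as enrolment."""
    ordered = sorted(
        ((datetime.fromisoformat(ts), u, r, d, c) for ts, u, r, d, c in events),
        key=lambda e: e[0],
    )
    if not ordered:
        return []
    known_devices = defaultdict(set)
    known_countries = defaultdict(set)
    last_success = {}
    pending = defaultdict(list)   # user -> failed attempts not yet resolved
    findings = []

    def flush(now):
        # Failures older than the window with no success in between are reported once.
        for user, fails in pending.items():
            if fails and now - fails[-1][0] > abandon_after:
                last_ts, device, country = fails[-1]
                findings.append((last_ts, user, "abandoned_failures",
                                 f"{len(fails)} failed attempts from {device} ({country}), "
                                 f"no later success"))
                pending[user] = []

    for ts, user, result, device, country in ordered:
        flush(ts)
        if result != "ok":
            pending[user].append((ts, device, country))
            continue
        reasons = []
        if device not in known_devices[user]:
            reasons.append(f"new device {device}")
        if country not in known_countries[user]:
            reasons.append(f"new country {country}")
        if user in last_success and ts - last_success[user] > stale_after:
            reasons.append(f"no login for {(ts - last_success[user]).days} days")
        if reasons:
            findings.append((ts, user, "step_up", "; ".join(reasons)))
        # A success from the same device resolves its earlier failures: a retry, not an attack.
        # Failures from a different device are left to time out, since that success says
        # nothing about who was typing at the other one.
        pending[user] = [f for f in pending[user] if f[1] != device]
        known_devices[user].add(device)
        known_countries[user].add(country)
        last_success[user] = ts

    flush(ordered[-1][0] + abandon_after + timedelta(seconds=1))
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    for ts, user, kind, detail in analyse(EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M}  {user:6s} {kind:20s} {detail}")
```

On the constructed data this yields five findings for nine events: alice's 03:12 success from an unseen device in a new country gets a step-up rather than a silent "you logged in" mail, bob's two failures from phone-9 are reported once as abandoned, and bob's return after 52 days idle gets a step-up even though the device is known.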

    2. fobobob

      Another option, if you have the permissions needed, just change the password repeatedly until you have lapsed the historical passwords.

  3. Prst. V.Jeltz

    I've worked at places where the server team have made it literally impossible to choose a suitable password due to conflicting rules.

    That made for a busy helpdesk

    1. Nick Kew

      Can you make a good anecdote of that? Perhaps you should submit it as a story for the Friday "On Call" column?

    2. RustyNailed

      A few months ago I was forced to change my UPlay password (Ubisoft gaming platform) for some reason. I discovered their cunning system made it possible to set a new password via the web that their PC client apparently couldn't authenticate with.

      To be fair, I did use a character that (after hitting the problem) I discovered was not allowed by their rules, and in that case I expected the system to not let me use it in the first place. I was quite surprised at this state of affairs, and assume the client must be validating passwords for characters that were not allowed so it could fail without actually authenticating.

      What made this even more memorable, and annoying, was that after 3 failed requests, the account is locked until 'later' where 'later' is undefined. It's also undefined what happens if you try again before 'later' is reached - is the 'later' period reset? Who knows? Oh, and due to DRM I couldn't play what I wanted to play which is what I actually wanted to do rather than arse about with the UPlay password management system.

      Nice work Ubisoft!

      1. Prst. V.Jeltz

        A few months ago I was forced to change my UPlay password (Ubisoft gaming platform) for some reason. I discovered their cunning system made it possible to set a new password via the web that their PC client apparently couldn't authenticate with.

        I've been through that rigmarole too, and it took extra long because I'd told the client not to bother authenticating to the web every day and had to dig to find where I'd set that.

      2. The Boojum

        It was Ubisoft.

        Why were you surprised?

        1. Humpty McNumpty

          Re: It was Ubisoft.

          You can add Gentings online casino to that, amongst others. That allows you to create a long password, but then the standard login form and mobile page tell you the maximum is 16 characters. Switch to an alternative login page (possibly the password reset one) instead of the popup and suddenly the long password is acceptable.

      3. Anonymous Coward

        Ubisoft...

        Oh, I've had that one many a time, with a web client accepting special characters but the app/software not. I think I'm locked out of my Skype for that exact reason (reset of password deprecated in one or other of the client/site so I also cannot request a reset).

        The best one I saw was a big insurer I worked for. The web client somehow accepted a typo with numbers in a name (say "Smi5th" where a finger clips the 5 key) and this crashed their entire policy/account... Not allowing customer services to access, confirm, refund or anything. But it did charge their credit card first, of course. ;)

      4. JimC

        new password ... PC client apparently couldn't authenticate with.

        It's remarkably easy when you have a whole lot of linked systems, all with their own rules. You have to try and work out a set of rules for the web system that make every password viable for *every* downstream system. Unless you can get permission to really relax the rules on the downstream systems it can be surprisingly difficult to do. Ideally you also need something in the ID management that will alert the user if any of the cascading changes fail.

    3. Captain DaFt

      Oh, I think I know the place!

      I've worked at places where the server team have made it literally impossible to choose a suitable password due to conflicting rules.

      That made for a busy helpdesk

      RULES FOR THE SELECTION OF PASSWORDS:

      1. A password must be at least six characters long, and must not contain two occurrences of a character in a row, or a sequence of two or more characters from the alphabet in forward or reverse order. Example: HGQQXP is an invalid password. GFEDCB is an invalid password.

      2. A password may not contain two or more letters in the same position as any previous password. Example: If a previous password was GKPWTZ, then NRPWHS would be invalid because PW occurs in the same position in both passwords.

      3. A password may not contain the name of a month or an abbreviation for a month. Example: MARCHBC is an invalid password. VWMARBC is an invalid password.

      4. A password may not contain the numeric representation of a month. Therefore, a password containing any number except zero is invalid. Example: WKBH3LG is invalid because it contains the numeric representation for the month of March.

      5. A password may not contain any words from any language. Thus, a password may not contain the letters A, or I, or sequences such as AT, ME, or TO because these are all words.

      6. A password may not contain sequences of two or more characters which are adjacent to each other on a keyboard in a horizontal, vertical, or diagonal direction. Example: QWERTY is an invalid password. GHNLWT is an invalid password because G and H are horizontally adjacent to each other. HUKWVM is an invalid password because H and U are diagonally adjacent to each other.

      7. A password may not contain the name of a person, place, or thing. Example: JOHNBOY is an invalid password.

      Because of the complexity of the password selection rules, there is actually only one password which passes all the tests. To make the selection of this password simpler for the user, it will be distributed to all supervisors. All users are instructed to obtain this password from his or her supervisor and begin using it immediately.

      1. Parash2

        Re: Oh, I think I know the place!

        I worked for a company that had somewhat similar terrible rules. A user eventually figured out how to make it easy.

        Month 1 password = AAAAAAAA

        Month 2 password = BBBBBBBB

        Month 3 password = CCCCCCC

        and so on, worked a treat, even I could remember my password!

        After 12 months back to AAAAAAAA

        This was for the JDE accounting software on IBM.

  4. Jim 59

    Nice advertorial for Redacted Firm.

  5. Nick Kew

    Psychology? Maths? Technology? Education? Defence in depth?

    Why, here's an idea. Let's improve all of them. Each of us can contribute in our own fields of expertise, while bearing in mind the bigger picture.

    Now, here's a question for the commentariat. Is it helpful when journalists present these themes as an either/or and in opposition to each other?

  6. TrumpSlurp the Troll

    Frequent changing of strong passwords

    Correlates almost exactly with increased consumption of yellow Postit notes.

    1. DJO

      Re: Frequent changing of strong passwords

      Correlates almost exactly with increased consumption of yellow Postit notes.

      Absolute twaddle.

      I use a green Postit note.

      1. Anonymous Coward

        Re: Frequent changing of strong passwords

        They're more environmentally friendly?

        1. Haku

          Re: Frequent changing of strong passwords

          The plain white Postit notes are more environmentally friendly due to no dyes being used.

          .

          I'm bullshitting here as I have no idea, but in a world where some meat flavoured crisps are suitable for vegetarians it makes perfect sense :)

          1. Am

            Re: Frequent changing of strong passwords

            Chicken flavour(ed)(*) pot noodle has always been suitable for vegetarians - well, at least from the 80s it has been!

            (* I can't remember which one denotes it has been artificially flavoured to taste like the real thing, and which denotes it has been flavoured with the real thing. Which is annoying as we were having this discussion at work on Friday)

            1. Anonymous Coward
              Anonymous Coward

              Suitable for vegetarians

              I once asked a muslim colleague if there were actual rules on smoky bacon crisps since they didn't contain any animal products.

              He said he'd treat it like real bacon and make sure his mother never found out.

            2. Nick Ryan Silver badge

              Re: Frequent changing of strong passwords

              Flavoured = must contain a flavouring ingredient that is substantially the flavour intended

              Flavour = could be flipping anything and will depend on how the recipient's taste buds interpret the random cocktail of chemicals used to make up the flavouring ingredient. See "beef flavour crisps" for this in action - no real beef in them and generally tastes nothing like beef actually tastes. However are an institution on their own these days...

              1. Haku

                Re: Frequent changing of strong passwords

                @Nick Ryan, that makes sense, I was given (I think as a joke) a pack of Hedgehog Flavoured Crisps back in the 80s as a kid and I don't remember liking them much because I thought they were made using derivatives of actual hedgehogs, but it turns out they were flavoured crisps by a brand called Hedgehog and the word "Flavoured" got them into trouble so they changed it to "Flavour".

                https://www.doyouremember.co.uk/memory/hedgehog-flavoured-crisps

                1. Humpty McNumpty

                  Re: Frequent changing of strong passwords

                  Ahh Hedgehog crisps, a poorly recorded piece of history. I must say I never realised they made it into a supermarket. Growing up we bought ours in bulk from Survival Foods (no Americans, that is not a place nutcases use to stock up their bunkers)

              2. Am

                Re: Frequent changing of strong passwords

                @Nick Ryan - thanks :-)

                I might even remember it for more than a day this time...

              3. Marcelo Rodrigues
                Trollface

                Re: Frequent changing of strong passwords

                "See "beef flavour crisps" for this in action - no real beef in them and generally tastes nothing like beef actually "

                Almost, but not quite, entirely unlike beef? The Sirius Cybernetics Corporation would be proud!

              4. ravenviz Silver badge

                Re: Frequent changing of strong passwords

                beef flavour crisps

                Well they do taste like beef flavour crisps if nothing else!

            3. Yet Another Anonymous coward Silver badge

              Re: Frequent changing of strong passwords

              suitable for vegetarians

              They aren't suitable for anyone who likes chicken

            4. Norman Nescio Silver badge

              Re: Chicken flavour vs Chicken flavoured

              I thought it was fairly simple:

              If it is chicken flavoured, it has been flavoured with real chicken.

              If it is chicken flavour, it has made with something that isn't chicken, but tastes like it might have been.

              Then I had a little run around Statutory instruments and got horribly confused, until I discovered

              REGULATION (EU) No 1169/2011 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 October 2011 on the provision of food information to consumers, amending Regulations (EC) No 1924/2006 and (EC) No 1925/2006 of the European Parliament and of the Council, and repealing Commission Directive 87/250/EEC, Council Directive 90/496/EEC, Commission Directive 1999/10/EC, Directive 2000/13/EC of the European Parliament and of the Council, Commission Directives 2002/67/EC and 2008/5/EC and Commission Regulation (EC) No 608/2004

              where Article 7 (Fair information practices) states simply:

              1. Food information shall not be misleading, particularly:

              ...

              (d) by suggesting, by means of the appearance, the description or pictorial representations, the presence of a particular food or an ingredient, while in reality a component naturally present or an ingredient normally used in that food has been substituted with a different component or a different ingredient.

              There is also this: UK GUIDANCE ON PICTORIAL REPRESENTATION RELATING TO FLAVOURINGS AND INGREDIENTS THAT DELIVER FLAVOUR

              It discusses on page 6 'Flavoured' vs 'Flavour'

              The term ‘X-flavoured’ should be used in the naming of a food or drink where that food or drink contains the food ingredient of flavour X or where the food or drink contains a flavouring derived from the food ingredient flavour of X.

              For example:

              1. Where ‘natural X flavouring’ is used; or

              2. Where ‘natural X flavouring with other natural flavourings’ is used; or

              3. Where ‘flavouring’ that is derived wholly or mainly from X flavour are used in the food/drink product.

              The term ‘X-flavour’ should be used in the naming of a food or drink where that food or drink has the flavour of X but does not contain X.

              For example:

              1. Where ‘natural flavouring’ is used or;

              2. Where ‘flavouring’ that is not derived wholly or mainly from X flavour is used in the food/drink product.

              Which is what I thought in the first place, but I don't know what that opinion is based on.

              It's not my area of expertise (if any is), and I don't want it to be!

          2. Just Enough

            Re: Frequent changing of strong passwords

            plain white = bleached.

            You want the off-grey ones.

      2. Anonymous Coward
        Trollface

        Re: Frequent changing of strong passwords

        I use green pen on a green Postit note!

        *I am torn between troll, joke or "Mine is the one with the pack of Postits and *all* my passwords on it for when the servers/pc/power cuts out" icons.

  7. CustardGannet

    "focus on positives, confront stereotypes and prime people to make better security choices"

    Sounds wonderful, but unfortunately without concrete examples of how to do this, it sounds just like every other buzzword-bingo management presentation I've ever attended, where they exhort us drones to "maximise this, synergise that, and leverage the other", then leave us to work out the actual mechanics of implementing their fluffy ideals.

    (To be fair to Doctor B, I didn't attend the presentation at the IRISSCERT conference in Dublin, Ireland last week, so it may be the article that lacks the information, rather than her presentation. But lacking the information still is </yodamode> )

  8. Anonymous Coward
    Anonymous Coward

    Does anybody know where the sysadmin goes to get Best Practice information on stuff like this?

    how long? funny chars? history length?

    And not just for passwords - my current administration commander in chief has decided that all the useful I.T engineer techniques and tools are now problems that need to be disabled. I'm talking:

    Mapping to C$

    using "Connect to another computer" on:

    regedit

    services.msc

    compmgmt.msc

    printmanagement.msc

    eventviewer

    etc

    getting info from WMI..

    PStools

    in fact any method of logging on that is not through the main session logon box is blocked (which is how they have achieved this), even if you are admin of the machine.

    The reason for this? "Best Practice"

    This is why I'd like to see where this "Best Practice" is written down. Is it just word of mouth between sysadmins?

    It's sounding a bit like "Best Practice" in this case is being used the same way "Health and Safety" or "Data Protection" are trotted out when someone just doesn't want to do / change / explain anything.

    1. Anonymous Coward
      Anonymous Coward

      Why, XKCD of course.

      1. AndyD 8-)₹

        Subtle reminders and behavioural priming have been shown in experiments to be a way to get developers to produce more secure XXXcodeXXX methods to de-fenestrate HR wonks, for example.

        fixed that....

    2. Am

      I'm pretty sure most sysadmins(*) wouldn't consider this best practice over, say, making sure no-one has admin access who doesn't need it.

      Our auditors have no problem with this, either.

      (* Source: myself and all the ones I know)

    3. Naselus

      Depends. What's your job role? Best practice in this particular case is least privilege. So if you're an accountant who just happens to know about this stuff, then you shouldn't really have access to any of it. On the other hand, if you're a sys admin or something, then you should have access to a domain admin account that has access to these things - though, in line with best practices, your general day-to-day user account should not. You should be elevating when required rather than running root all the time. And if you were a certified sys admin, you'd know that.

      Generally, you'll find best practice outlined in the written guidelines for any piece of software, which you're required to read and regurgitate during mid-level certifications. A mid-level security practitioner needs to know general security best practice. An MCSE needs to answer questions on Microsoft best practices during his exams, since he is expected to be able to design a Microsoft network from scratch if required. The same is true for other vendors - usually their 2nd or 3rd tier certs are very heavily based on knowing best practices, rather than just knowing where things are and what they do.

      You then need to keep up with best practice by reading white papers published by the vendors, and attending conferences hosted by them. This is all very available to IT pros as they get older - you start getting bombarded with invitations to conferences more or less as soon as you wield the slightest hint of power, and IT pros have a great deal of influence on expensive kit purchases - and tends to become increasingly what you spend your time doing as you progress from supporting other people's work to actual design and implementation. I spend as much time reading as actually working in a given week, these days.

      It's not mythical, or just word-of-mouth, and tbh if you've never seen best practice anywhere and have no idea where to find it, then you're likely in a fairly junior role. You'll find you're drowning in endless white papers soon enough.

      1. Lysenko

        Generally, you'll find best practice outlined in the written guidelines for any piece of software, which you're required to read and regurgitate during mid-level certifications.

        You appear to be conflating best practice with vendor recommendations. They aren't synonyms. Taking Microsoft (since you mentioned them) recommendations and defaults to be "best practice" is how we ended up with open NetBIOS ports, ActiveX browser plugins, Adobe Flash dependent configuration systems, Exchange servers based on JET etc. etc.

        Best practice is to keep up with an evolving threat landscape which may mean disregarding vendor advice as obsolete or self-serving. For example, it was best practice to eradicate Flash and Silverlight long before Adobe and Microsoft would officially endorse such a policy.

      2. Prst. V.Jeltz Silver badge

        " A mid-level security practitioner needs to know general security best practice"

        And where will he find that?

        in the "Microsoft security certificate" revision book ?

        "you'll find best practice outlined in the written guidelines for any piece of software" Yeah fine, for applications, but an entire network isn't a piece of software that has a manual.

  9. steelpillow Silver badge

    Mostly

    Far the commonest attack vector on passwords is to watch over the user's shoulder as they type it. Strong passwords make that harder.

    Frequent changes of password are pointless, as any exploit on your account is likely to happen soon after it has been stolen. You will have no idea it has been stolen until too late.

    Trying to get users with a careless nature to be a lot more careful is impossible. You can employ an expert psychologist/manipulator and that may help a little, but you can't beat mandatory strength checkers and a written copy in an old-fashioned notebook in the same old-fashioned pocket or handbag where you keep your plastic.

    1. Anonymous Coward
      Anonymous Coward

      Re: Mostly

      "Far the commonest attack vector on passwords is to watch over the user's shoulder as they type it."

      Bollocks.

      The End

      1. Anonymous Coward
        Anonymous Coward

        Re: "watch over the user's shoulder" ... Bollocks.

        I can't even begin to imagine the contortions required to snoop passwords while peering over a user's bollocks.

      2. ShadowDragon8685

        Re: Mostly

        Not necessarily.

        I do my own checking out at the supermarket's self-checkout things. Very frequently, because of how sodding paranoid the system is, an employee will have to come over and make the machine continue the transaction. (Things like "oh, you didn't place that on the scale! This is the second item in the transaction you didn't put on the scale! HELP! I NEED A HUMAN TO MAKE SURE THIS GUY ISN'T THIEVING!")

        They have a post at the self-checkout that someone is SUPPOSED to be manning all the time, but very frequently it goes unmanned. The employee logins are a four-digit number, and so is the employee password. Literally anyone with rapid recall - or who can observe one employee plugging in and telling the sodding thing to let you go a few times - could memorize these numbers, then make use of those times when the system is unguarded to do some shenanigans with the machine.

        Pointlessly, most likely, since security cameras are a thing, but it seems probable that the employee login ID is used for other things too, and if it happens to be used for something web-facing, bam, you're compromised.

        1. MJI Silver badge

          Re: Mostly

          I refuse to use those things. They are slower, less pleasant and encourage dumping employees.

          And I have ONE item I am NOT putting it in the bag it can go in my pocket thanks!

          As I told a manager once, just easier to shoplift an item than use those tills.

          1. ShadowDragon8685

            Re: Mostly

            I use them because I am never, *ever* satisfied with the way the shop's employees bag my goods; this is especially problematic if I'm doing shopping for two households at once and need to keep two separate sets of bags and two separate receipts.

            That, and I just like doing it my own dratted self.

          2. Charles 9

            Re: Mostly

            "And I have ONE item I am NOT putting it in the bag it can go in my pocket thanks!"

            You don't have to put it in the bag per se, just put it on the platform where the bags hang (which is actually a scale). Then when you're done, you can just pick it up again and pocket it. That's what I do at Walmart since self-checkout is 9 times out of 10 much faster than relying on a cashier (the tenth time is because it's payday/EBT drop day and the lines are long no matter which choice you make).

    2. Prst. V.Jeltz Silver badge

      Re: Mostly

      "written copy in an old-fashioned notebook in the same old-fashioned pocket or handbag where you keep your plastic."

      Well, I'm not against writing passwords on paper in your house, in a drawer. This means every hacker in the world cannot access them without coming to your house, which they tend to draw the line at.

      However "the same old-fashioned pocket or handbag where you keep your plastic" sounds like it's going to travel every place that you do and could get lost at any minute in a public place. Or worse, stolen.

      Therefore this is a bad idea for the same reasons it's a bad idea to write your PIN on your plastic.

      1. AndyD 8-)₹

        Re: Mostly

        "written copy in an old-fashioned notebook in the same old-fashioned pocket or handbag where you keep your plastic."

        Haven't done that since the 80s when I got home from a PC conference (of all places) to find my note replaced by one that just said 'wanker'

  10. Charlie Clark Silver badge

    Who?

    Dr Jessica Barker is…

    Okay, but who is the Dr Radcliffe also quoted in the article?

    I'd suggest rewriting the article beginning with the conference then the speakers, then the recommendations…

    …but pointing out sloppy article writing to journos is unlikely to help… ;-)

    1. frank ly

      Re: Who?

      Also, the article doesn't have any numeric characters in it.

  11. adam payne

    Attempting to scare people by telling them their password choices are stupid or easily guessable is counterproductive

    I don't try to scare people I try to educate people, using real life examples to illustrate the point.

    1. Anonymous Coward
      Anonymous Coward

      Trouble is, real life is SCARY...and it's considered bad form to scare someone who can sack you...

  12. Outski
    Headmaster

    One way of doing it...

    By saying users are stupid, you perpetuate a stereotype that people are the problem, according to Dr Jessica Barker.

    “Don’t spread fear - spread hope,” Dr Radcliffe concluded.

    I guess changing your name midway through a presentation would frustrate a fair few hackers

    1. Solarflare

      Re: One way of doing it...

      Did you just assume her name? You chauvinist pig.

    2. Charlie Clark Silver badge
      Coat

      Re: One way of doing it...

      I guess changing your name midway through a presentation would frustrate a fair few hackers

      Maybe she has a scrambler suit?

      Mine's the one with red, no yellow, no blue, no red stripes…

  13. Anonymous Coward
    Anonymous Coward

    "Don’t spread fear - spread hope"

    Oh my god.... what we really need in security, some hippy/new age movement...

    "Let's hope you won't be demoted to changing printer toners next time you use a six letter password which is your birth date..."

    1. Hollerithevo

      Re: "Don’t spread fear - spread hope"

      Given the constant war on bad passwords and the resentment users have about them, hippy/new-age seems a little less than useful. Doing the same thing over and over and expecting the outcome suddenly to be different is a definition of madness. I would say also of contempt. Help them out fer crissakes.

      1. Charles 9

        Re: "Don’t spread fear - spread hope"

        "Doing the same thing over and over and expecting the outcome suddenly to be different is a definition of madness."

        But don't forget. Doing the same thing over and over and actually getting a different outcome is a definition of persistence.

  14. Justicesays
    Devil

    "Gameify" it

    Your password scored 57 password points today.

    You need another 47 points to unlock 12 character passwords *and* two new login images!

    1. Anonymous Coward
      Anonymous Coward

      Re: "Gameify" it

      I know when they don't really care about security in the way they say they do, when they limit my password to 8 characters!

    2. Adam 1

      Re: "Gameify" it

      > You need another 47 points to unlock 12 character passwords *and* two new login images!

      Cyber Monday special: Unlock 12 character passwords *and* two new login images for only $3.99

      Offer may not be used in conjunction with any other offer. Individual images may differ from store to store. While stocks last. Any similarities with offers in EA games are purely coincidental.

  15. Anonymous Coward
    Windows

    Here's looking at you!

    I'm moving 4,000 users to Windows Hello with new laptop roll-out of Windows 10. They can't thank me enough.

    1. Dan 55 Silver badge

      Re: Here's looking at you!

      Well, at least the ones who don't change their hairstyle, facial hair, eyewear, or makeup.

      Coming soon stuck to the side of a computer monitor near you... a Polaroid selfie.

      1. Anonymous Coward
        Anonymous Coward

        Re: Here's looking at you!

        We're not going with gender-benders

        1. Anonymous Coward
          Facepalm

          Re: Here's looking at you!

          Identification =/= security

  16. DuchessofDukeStreet

    With my user head on, I am currently in debate with the administrators of our ERP system (payroll, procurement, timesheets, etc). The password is set to change every 30 days, subject to all manner of complexity rules and, worst of all, has a no-reuse parameter set. So every 4 weeks I have to think of a new complex password I've never used before. In a previous life I used to implement this system, I *know* exactly what the parameter is and how to set it better; the admin team continue to tell me it doesn't exist. I could even show them how to set up single sign-on if they'd let me...

    1. handleoclast

      @DuchessofDukeStreet

      Perhaps you should show them this advice from NCSC. Which is a wholly-owned subsidiary of GCHQ. And then sweetly point out that their enforced password changes go against the advice of the UK's top (in terms of statutory powers, not necessarily in competence) cyber-security organisation.

      1. Lotaresco

        Re: @DuchessofDukeStreet

        "enforced password changes go against the advice of the UK's top (in terms of statutory powers..."

        I'm intrigued. Which "statutory powers" do you imagine NCSC has?

  17. Joe Harrison

    I had to choose 8 characters for my password so I went with Snow White and the 7 Dwarfs

    1. Alister

      Aha! so your password is SW, D, G, H, S, B, S, D

      See if you recognise this one:

      P, P, B McG, C, D, G.

      1. Charlie Clark Silver badge
        Coat

        Half-Man Half-Biscuit

        P, P, B McG, C, D, G.

        Is it Dusty Miller? Dr Mopp? Pugh?

        Mine's the 2017 "Trumpton Riots" jacket, the one with the mop of orange hair on it…

  18. sammy_mac

    an approach that worked for me

    Someone I care about used the same pattern for all passwords, and calling the pattern weak would be generous. Discussions didn't help, until I started asking about what would be required after a breach. In other words, imagine someone had enough knowledge to guess her favorite <fill in the blank>, monkeyed with it, guessed her password, and then pwned her banking and credit accounts. How much damage could the invader do, how much could the person take, and how much of a headache for the repairs? Imagining the consequences after often makes protective steps easier to embrace.

  19. Anonymous Coward
    Anonymous Coward

    scott

    tiger

    1. Alistair
      Windows

      Re: scott

      No, leopard.

      Bathroom.

  20. MJI Silver badge

    Forcing regular changes weakens passwords

    Had this at a previous job.

    So as a railway enthusiast I used a loco book and just used the names, first class I chose had 50 nice easy to remember passwords.

    Started with Dreadnought got somewhere into the teens when policy stopped or I left (can't remember)

  21. Version 1.0 Silver badge

    My password is ...

    "badpassword" because nobody would ever suspect that I was using a bad password.

    1. Captain DaFt

      Re: My password is ...

      "badpassword" because nobody would ever suspect that I was using a bad password.

      All the really Leet admins use "password" as their login name, and "admin" as the password. It's fool proof I tells ya!

  22. Anonymous Coward
    Anonymous Coward

    haxxor your system

    Pay an infosec agency to hack your system - any password they can hack gets reset. Recidivists get a written disciplinary.

    1. Daedalus

      Re: haxxor your system

      That works as long as they don't catch the boss out - and they always do.

  23. Long John Brass
    Mushroom

    users are stupid

    By saying users are stupid, you perpetuate a stereotype that people are the problem, according to Dr Jessica Barker.

    I suspect a few weeks at the coalface in the hell desk (Or any actual IT role for that matter) would help disabuse her of the notion that users are not stupid. Or even human for that matter.

  24. Colin Tree

    have they seen what a password might be ?

    I give people examples of what a password might look like, use one or make up your own

    e.g. $ pwgen -y 10


  25. Anonymous Coward
    Anonymous Coward

    password vs pass-phrase

    Move to pass-phrases and don't have to concern yourself with regular password rotations. A solid, looong pass-phrase is easier for users to remember and way more difficult to brute-force attack!!!

    But - I'm still hanging in there for biometric authentication....

    1. Charles 9

      Re: password vs pass-phrase

      But still easy to get mixed up, especially after you repeat it a hundred times or so. Now, was it "correcthorsebatterystaple" or "donkeyenginepaperclipwrong"?

      1. elgarak1

        Re: password vs pass-phrase

        Why not "Correct Horse Battery Staple"?

        Quick psychology lesson: If you say "password", people avoid the space like the plague. But for the machine, the space character is a special character just like !@#$ etc.

        If you go over to the various "check the security of your password" web sites, you can easily achieve a very secure password just by using space, i.e. passphrase. As long as the hackers use the same thinking as those web sites, this password is even secure for realz.

        My personal rules: 1: make it as long as possible. 2. make it nonsensical. 3. use space – for now.

        These are the important ones. Additionally, you can advise people to use wrong spelling, or special characters, or replacement of characters (! for i, @ for a), but keep it memorable. All those techniques won't do if you cannot remember if you exchanged the second i with ! or the first the next time you log on. Or did I replace the i with |?

        1. Charles 9

          Re: password vs pass-phrase

          Why not? Because you can't tell if the site in question silently fails over it or not, causing authentication hiccups later on as you swear you typed the password as registered but it doesn't work. Space is an inbuilt delimiter for many libraries and so on, so unless they explicitly say they support or require it, it's not considered sound practice to use the space. There are plenty of other characters one can use to separate words if you wish, like the hyphen. I simply use concatenated words to defeat attempts to guess the words by delimiter, making any brute force system work harder because they can't rule out any number of words of any length up to the length of the entire phrase.

  26. JBowler

    Who says dumb passwords aren't secure

    Hum... I was recently watching an old "modern" beeb Sherlock Holmes esipod in which our Sherly was trying to guess the 4 digit password of The Woman. He had three tries. While he was trying, which took most of the esipod (seriously) I kept on shouting "1234". Well, think about it; if you have three tries and you know that the crimorist is really intelligent (or so) would you try a dumb password? After all, there's also "1111" and "9999" and you don't want to try the last one only to be told, over the exploding phone, that it was "0000".

    Works for me, I'm out there on the innernet databases of people with really dumb password (sic). Not on a site I care about of course (I think the one in question was Forbes) but the fact that I actually use randomly generated 63 ASCII character strings on those sites which allow it (I use LastPass) doesn't mean that if I am faced with a UI which requires a 4 character pisswod (even if it includes capital letters, as in the beeb esipod in question) I have any chance of security. 4^36 anyone? Oh, only three tries...

    But yes; the problem is not the user (me), it's the idiot software engineer savants who should know better. (Honest, me? Write software? What, NO!, you must be thinking of some other John Bowler with the eponymous password.)

    John Bowler

  27. allegoricus

    Christ, it's 1998 all over again!

    1. ShadowDragon8685

      Oh god, don't tell me we have to go through that whole Y2K rigamarole again in another two years.

  28. Anonymous Coward
    Anonymous Coward

    Same as it ever was....

    20 years ago when BT launched their dial up internet service they gave me a password for my POP3 mail account. It is two random words separated by a number - 16 characters in total. I have never written it down, changed it and use it for all my financial logins. Maybe they got it right first time?

  29. nijam Silver badge

    > perpetuate a stereotype

    Perhaps it's a stereotype for a reason.

  30. Norman Nescio Silver badge

    'Good enough' passwords

    I think that using an offline password manager protected by a standard Diceware passphrase should be good enough for a while*. If you want longer than 'a while', add another Diceware word.

    I say offline, because even though having the ability to cut and paste is extraordinarily convenient, and a distributed version via 'the cloud' is even more convenient, both features are susceptible to implementation flaws that could compromise the entire database. I am not skilled enough to audit password managers and the operating systems they run on, and also the communications protocols used through the cloud, so for safety's sake, I forego them.

    The Diceware website is here: http://world.std.com/~reinhold/diceware.html - do follow its advice and use multiple real dice rolls. Don't be tempted to use a convenient computer simulation.

    *a while: the security of a Diceware password will depend on the security of how the password is verified. If the system you are using stores your password in plain text and is compromised, it doesn't matter how strong the password is, you are toast. This is why it is an excellent idea to use different passwords for different systems so that a compromise of a single one doesn't compromise them all. If the Diceware password is simply MD5 hashed, then the speed of compromise depends on how fast someone can run an MD5 check of all possible Diceware passwords - and this is dropping all the time. Storing password information needs to be done properly - best practice calls for random salts and using functions like scrypt, PBKDF2, or Argon2 - but many, many websites don't do this - and also many people who should know better don't do this. If password information storage is done properly, then barring any major mathematical breakthrough in cryptanalysis or quantum computing, a standard Diceware password is probably good for a decade or so's security. YMMV
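As an added example (not the commenter's code), a small Python script that works through the claims in the post above: how five dice rolls index the 7776-word list, how many bits an n-word Diceware passphrase carries, how long exhausting it takes in the "fast MD5 check" scenario, and why an unsalted MD5 hash gives identical passwords away while a salted, iterated record does not. The guess rate is a constructed figure for illustration, and PBKDF2-HMAC-SHA256 (from the standard library) stands in for the scrypt/Argon2 the post also names.

```python
import hashlib
import hmac
import math
import os

DICEWARE_WORDS = 7776  # the standard list has 6^5 entries, one per five-dice roll

# Constructed assumption for illustration only: how many MD5 guesses per second
# an attacker can try offline against a leaked, unsalted hash.
MD5_GUESSES_PER_SEC = 1e10


def diceware_index(rolls: str) -> int:
    """Map a five-dice roll such as '12345' to its position (0..7775) in the list.

    Each die is one base-6 digit (1..6 -> 0..5), most significant first, which is
    exactly what the word list's five-digit lookup keys encode.
    """
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError("need exactly five digits in 1..6")
    index = 0
    for c in rolls:
        index = index * 6 + (int(c) - 1)
    return index


def diceware_bits(n_words: int) -> float:
    """Entropy of an n-word passphrase drawn uniformly from the 7776-word list."""
    return n_words * math.log2(DICEWARE_WORDS)


def years_to_exhaust(n_words: int, guesses_per_sec: float = MD5_GUESSES_PER_SEC) -> float:
    """Worst-case years to try every n-word passphrase at the given guess rate.

    This is the post's 'MD5 check of all possible Diceware passwords' scenario:
    one fast hash per guess, attacker fully offline, no salt to slow them down.
    """
    return DICEWARE_WORDS ** n_words / guesses_per_sec / (365 * 24 * 3600)


def store_md5(password: str) -> str:
    """The weak storage the post warns about: unsalted, fast, identical for identical passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, iterations: int = 600_000) -> str:
    """Salted, deliberately slow storage record in the form algorithm$iterations$salt$hash."""
    salt = os.urandom(16)  # fresh random salt per record, so equal passwords never collide
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type {algo!r}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed rolls and passphrase for the demo.
    for r in ("11111", "12345", "66666"):
        print(f"roll {r} -> list index {diceware_index(r)}")
    for n in (5, 6, 7):
        print(f"{n} words: {diceware_bits(n):.1f} bits, "
              f"{years_to_exhaust(n):.2g} years to exhaust at {MD5_GUESSES_PER_SEC:.0e} MD5/s")
    pw = "correct horse battery staple"
    print("MD5 of the same passphrase twice is identical:", store_md5(pw) == store_md5(pw))
    rec_a, rec_b = store_pbkdf2(pw), store_pbkdf2(pw)
    print("PBKDF2 records for the same passphrase are identical:", rec_a == rec_b)
    print("verify correct / wrong passphrase:",
          verify_pbkdf2(pw, rec_a), verify_pbkdf2("correct horse battery stable", rec_a))
```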

  31. haloburn

    Sorry. But isn’t the real issue that people are people and you can’t mandate a technical solution for human behaviour. Instead of berating people for using simple passwords or forcing them down the road of ultimately recording (usually on a post-it note) their complex password why not try providing them with a personal way they can create and remember their own complex password.

    Ask them to create their own personal cypher. For example a three letter easy to remember word or name that means something to them. Let’s use “car” in this example to create a nine letter complex password.

    Let’s break the nine characters down to a 4-2-3 code where the “c” in car is the first four characters and is the first four characters of the person's car registration with the first character always replaced with a $ i.e. $A65. The next two characters “a” are your current age 45. The final three characters “r” for revision are a lowercase letter for the month and the final two characters represent the year n17. So in this example the full complex password is $A6545n17. You would then change the sections as appropriate the next time you are asked to change the password – usually only the final three characters in this example.

    The point is the cypher and how it is broken down and incremented should be the province of the person and be personal to them. It will be memorable to them as they should come up with their own little bit of James Bond style code that only they can break and it uses techniques that will help them remember their own complex password because they can always break their own code and will remember every password they would have used. This is of course assuming they don’t just use the example above or given to them to generate their passwords.

    1. Charles 9

      Or they simply have terrible memories and couldn't remember a mnemonic, let alone a PIN or safe combination, to save their lives. I've yet to see a system that is effective for people with REALLY BAD memories: such that "correcthorsebatterystaple" easily becomes "donkeyenginepaperclipwrong" or any of a million other permutations they constantly get mixed up.

      1. Kiwi
        WTF?

        "donkeyenginepaperclipwrong"

        El Reg, we could use a "scratched record" icon.

        1. Charles 9
          Unhappy

          It's easy to imagine how it can happen with a bad memory:

          Correct -> Wrong

          Horse -> Donkey

          Battery -> Engine

          Staple -> Paperclip

          Then just put them in the wrong order and you find out how easily someone can mess up even a passphrase when they can't remember a safe combination to save their lives. And I have to deal with them everyday.

          1. This post has been deleted by its author

  32. Chris Walsh

    My 20 character randomly generated strong passwords courtesy of LastPass are no match against stupid websites that (no word of a lie) require your password to be "between 6 and 8 digits" (yes 0-9 only!)

    1. Charles 9

      Worse, it happens to be your bank, there are no local branches, and you can't move due to some long-standing obligation. Perhaps it's time for a new acronym JFIYS--Just Face It, You're Screwed...
