back to article Israel cyber chief's 'pants' analogy for password security deemed, well, 'pants'

Israel's newly appointed cyber chief has raised eyebrows by offering questionable password advice during a high-profile presentation. Yigal Unna, Director General, Israel National Cyber Directorate, joked that passwords should be treated like underpants: changed often and never shared. His point was contained in a slide …

  1. Anonymous Coward
    Anonymous Coward

    passwords should be treated like underpants

    Twice a year is reasonable to me.

    1. Anonymous Coward
      Anonymous Coward

      Re: passwords should be treated like underpants

      6 months one way round, then 6 months turned inside out, surely!

      1. Anonymous Coward
        Anonymous Coward

        Re: passwords should be treated like underpants

        I like your thinking.

        1. Captain Scarlet Silver badge
          Coat

          Re: passwords should be treated like underpants

          Oh you are one of those types who can be smelt from the other side of the building.

          1. onefang

            Re: passwords should be treated like underpants

            Oh, you are one of those types that doesn't like the way humans smell.

            1. Captain Scarlet Silver badge

              Re: passwords should be treated like underpants

              Oddly I don't find the smell or urine that nice.

      2. qwertyuiop

        Re: passwords should be treated like underpants

        Two years! 6 months one way round, six months the other way round. Then turn them inside out and 6 months one way round, six months the other way round.

        Why doesn't anybody want to sit next to me?

        1. ravenviz Silver badge

          Re: passwords should be treated like underpants

          So something like this then:

          passw0rd

          dr0wssap

          dɐssʍ0ɹp

          pɹ0ʍssɐd

          1. Waseem Alkurdi

            Re: passwords should be treated like underpants

            How do you do the 180-degrees word flip? I looked it up with a character map but couldn't find it!

            1. Robert Helpmann??
              Boffin

              Re: passwords should be treated like underpants

              How do you do the 180-degrees word flip?

              /ɯoɔ˙ʇxǝʇuʍopǝpᴉsdn˙ʍʍʍ//:dʇʇɥ

    2. Alister

      Re: passwords should be treated like underpants

      Wrinkly and smelly, and crackle when you bend them?

  2. Anonymous Coward
    Anonymous Coward

    Password Security

    Now why would "Israel's newly appointed cyber chief" suggest, in public, a password process which is not secure?

    *

    Guess!!

    1. Waseem Alkurdi

      Re: Password Security

      Errrm, umm ... "thinking"

      .

      .

      Ah! Got it now!

      [SBILPS(0) redacted]!

      Wait, what the ...

      [SBILPS redacted]

      (0): Shin Bet Intelligence Leak Prevention System

  3. Woza
    Joke

    Pants, eh?

    So... where's the Government-mandated back door?

    1. Voland's right hand Silver badge

      Re: Pants, eh?

      Come on, not all of us buy pants from Ann Summers.

      1. thegroucho
        Coat

        Re: Pants, eh?

        I can always get you a pair for Christmas :-D

    2. Anonymous Coward
      Anonymous Coward

      Re: Pants, eh?

      If only there was some sort of plug to stop them.

      1. Scott Marshall

        Re: Pants, eh?

        Some sort of plug?

        Yep, you're right; no "butts" about it!

    3. Scott Marshall
      Joke

      Re: Pants, eh?

      The "back door" appears when you put the pants on backwards!

  4. Andy The Hat Silver badge
    Facepalm

    Advice: Use a password manager

    Oh goody, lots of password managers to choose from, all which promise to keep all my passwords nice and secure so they must be good ... I'll pick one ... eany meany miney doh!

    At which point do I trust one organisation, of which I have no specialist knowledge at all, with all my passwords? The only time this would be good advice is when I was running the password manager company and either I was (a) completely legit and wanted to help the world or (b) completely bogus and wanted to trawl as many passwords as possible. The third option is obviously good intentions plus more security holes than a Trump policy statement allowing access to miscreants anyway.

    I don't have a solution but tell me how to find a trustworthy password manager ... and, before someone says it, reading a.n.other's 'reviews' is not a good way of assessing data security, neither is having 'an encrypted database' if the NSA decode and clone it every day, nor is having a local database if the app "updates regularly" by uploading unencryped password data to a C&C server ...

    1. Anonymous Coward
      Anonymous Coward

      Re: Advice: Use a password manager

      You don't trust them with everything, you ensure the route to changing the passwords is controlled by you e.g. you do not let them know your passwords for e-mail accounts, domain management etc.

      That way should/when they are breached you are able to chance those passwords without too much hassle, you should also have a separate list of what services you change first kept offline e.g. banks, insurance companies, utilities, shopping accounts, healthcare services etc.

      It's about risk, there's less risk with using a password manager, but the type of risks change.

    2. Captain Scarlet Silver badge
      Pint

      Re: Advice: Use a password manager

      Yes its called a paper book, its not convenient compared to software but actually its what I recommend to older computer users (As password software tends to confuse).

      Sorry I just realised I called you old, have a beer icon.

    3. ds6 Silver badge

      Re: Advice: Use a password manager

      You seem to assume "password manager" means a central server. It is terrifying and depressing to me that is anyone's first thought.

      Rather, use a local solution. Use KeePass (open source, audited clients for all systems, including Windows, macOS, Linux, BSDs, Solaris, Android, iPhones; and no, all the clients I can think of either work entirely offline or can be configured to never connect out) and sync your database physically, with SCP on a cron job, or with Syncthing using a TLS certificate.

      Alternatively, use a script, mobile app, or application that takes a site name and master password, generates a salt using the two, and then generates a password using all 3... Now you don't even need to save your passwords anywhere!

      You could also write a shell script to encrypt/decrypt a json/etc. file using a secure technology of your choice (eg. something based on OpenPGP) and forego any fancy technology. Simplicity keeps the attack surface lower.

      Or, you know, use a pen and paper, and rather than just writing down passwords, transmutate them using a shared secret present only in your brain, eg. always add a character to position X if Y is Z... Or, only write down hints, only to be used if you forget.

      Password management doesn't have to be difficult, and "password manager" should not ever ever never ever mean giving your passwords to some company. Look at LastPass, bastards got compromised and they're somehow still in business and promise to keep your data safe. Not to mention, it's still not open source. Tsk.

    4. hitchslap

      Re: Advice: Use a password manager

      I've 13+ years working in InfoSec for all manner of organisations.

      In my experience there used to be a 50/50 split on InfoSec peeps who trust password managers of any stripe. Some of the most impressive people I've every worked with just point blank refuse to use password managers.

      I can see both sides of the argument but in the last couple of years InfoSec people, in my experience, are trending towards password managers now...

      Personally...I'll use my brain and continue to get pissed off every time I have to reset a password I've forgotten...

      And yes I wear a tinfoil hat but only when I sleep.

  5. onefang

    First of all, about your bootnote El Reg, if you have to explain a joke...

    Secondly, I don't own any underpants, but I have plenty of passwords. Make of that what you will.

    Thirdly, I guess now we are a little closer to figuring out how the South Park underpants gnomes end up with profit.

    1. anothercynic Silver badge

      Remind me...

      ... To never sit on a chair you sat on first. Going commando? Eww.

      1. Anonymous Coward
        Anonymous Coward

        Re: Remind me...

        It is my unfortunate observation ( albeit on a small sample size ) that people who don't wear underpants are the same group that don't wipe their arse.

    2. Excellentsword (Written by Reg staff)

      A significant proportion of our readers aren't Brits. I guarantee you someone would have moaned. You know these threads well enough.

  6. Anonymous Coward
    Coat

    In the north, pants are kecks.

    1. Anonymous Coward
      Anonymous Coward

      North of the north, they're pants.

      1. Pete 2 Silver badge

        > North of the north, they're pants.

        And if you wear a kilt you don't need any passwords.

        P.S. pants are what dogs do when it's hot.

    2. thegroucho
      Joke

      @disgusted:

      What do you know, according to your username you live south of M25

      1. Anonymous Coward
        Anonymous Coward

        https://en.wikipedia.org/wiki/Disgusted_of_Tunbridge_Wells

        I'm from't north.

        1. thegroucho
          FAIL

          Clearly 'JOKE ALERT' doesn't mean anything these days.

          Username checks out ...

        2. frank ly

          It's "... from t'north.", as you'd know if you really were or understood the use of the apostrophe.

          1. Anonymous Coward
            Anonymous Coward

            It's not, it's I'm going t' pub, where t' is an contraction of 'to the'

            1. Alister

              It's not, it's I'm going t' pub, where t' is an contraction of 'to the'

              Yes, that's right, but frank ly is also correct, as you originally wrote I'm from't north.

              1. Anonymous Coward
                Anonymous Coward

                I can't explain the logic behind that, but that's my interpretation of how it's pronounced.

    3. eldakka

      > In the north, pants are kecks.

      What are kecks?

      1. Anonymous Coward
        Anonymous Coward

        Trousers.

  7. Anonymous Coward
    Anonymous Coward

    Post it notes in a locked draw, I challenge anyone to defeat this fool proof method over the internet.

    1. Waseem Alkurdi

      On the top of my dizzy head after a looooong day explaining Visual Basic (eww) to fellow first-year-meds (translates as: as brainfucked as brainfucked could be):

      Tiny infrared camera.

      Pick the lock w/ a non-destructive object like a hairpin.

      A secret camera to shoot the paper in transit to eye or while being returned back to the drawer.

      1. Anonymous Coward
        Anonymous Coward

        Did I mention the passwords are in braille?

      2. onefang
        Devil

        "explaining Visual Basic (eww) to fellow first-year-meds (translates as: as brainfucked as brainfucked could be):"

        Nah, for the ultimate brainfucking, teach them the programming language BrainFuck. Muahahahaha!

      3. ravenviz Silver badge

        Re: Visual Basic

        I use VBA a lot in Office and it gets me out of all sorts of pickles, there are many use cases, it gets an unfair press I think!

    2. Claptrap314 Silver badge

      > Post it notes in a locked draw, I challenge anyone to defeat this fool proof method over the internet.

      You're using an internet-connected lock, correct? All the cool kids are doing it!

  8. Anonymous Coward
    Anonymous Coward

    I have a password manager.

    It's called a notebook.

    It doesn't require a battery, has no operating system, and is not connected to the internet.

    It's a collection of folded pieces of paper, within a cardboard binding.

    It's the latest thing, honestly.

    1. Martin
      Thumb Down

      But if someone else gets hold of it, it's not exactly hard to break into....

      1. Anonymous Coward
        Holmes

        Ah, but he uses security through obscurity. He writes all his passwords on the last page.

      2. Andrew Barr

        Once physical access has been gained your screwed!

      3. Anonymous Coward
        Anonymous Coward

        But if someone else gets hold of it, it's not exactly hard to break into....

        Ah but it's encrypted... No-one can read my handwriting!

        1. Joe Werner Silver badge

          If you are a medical doctor, this is certainly true (except for pharmacists who have to be able to decipher the prescriptions...)

          1. Waseem Alkurdi
            Trollface

            If you are a medical doctor, this is certainly true (except for pharmacists who have to be able to decipher the prescriptions...)

            Why is it assumed that medical doctors write English?

            1. onefang

              I assume medical doctors write Medicalese, but I do sometimes compare the scrawl of my doctors prescription to the labels on the drugs my pharmacist sells me. I can only assume my doctor got high grades in his Medicalese Scrawl class at medical school, and so did my pharmacist.

              1. Waseem Alkurdi
                Pint

                Medicalese Scrawl

                Have one on me!

                Ahhh, Medicalese Scrawl! I passed that with flying colors! My own Medicalese Scrawl also has the double feature of being interpretable as hieroglyphics or Greek, depending on the angle of the light.

        2. Cuddles

          "Ah but it's encrypted... No-one can read my handwriting!"

          Unfortunately that's the fatal flaw with this method - I can't read my handwriting either.

  9. hitchslap

    Just checked.

    I literally do have more passwords than underpants...or as we say in Scotland....undies pronounced "undees"

  10. Anonymous Coward
    Anonymous Coward

    Paper-based notebook for passwords.....

    .....but with the passwords written out as though for a game of hangman.

    *

    Sorry if this reference ("hangman") is unknown to readers of The Register.

    Anyway, it means using underscore characters for missing letters. Example:

    - Notebook entry reads: V _ _ _ _ Y F _ _ _ T _ _ _ _ _ _ Y

    - Literate user knows: VANITYFAIRTHACKERAY

    *

    Another tip is to repeat some long word, and also use the hangman technique:

    - Notebook entry reads: R _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ T S _ _ _ _ _ _ _ _ _ _ T

    - Art lover knows: REMBRANDTREMBRANDTSELFPORTRAIT

    *

    Foreign language words, upper and lower case, numbers, parentheses.....all this can make these notes very difficult for a bad actor to interpret, while being reasonably transparent to the legitimate user.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon