the myth of strong passwords

neil
Posts: 944
Joined: Mon Jan 22, 2007 5:50 pm

the myth of strong passwords

Post by neil » Fri Jul 17, 2009 1:43 pm

When signing up for the website, it pushes the user to choose a strong password. I think this is a bad thing and will discourage people from logging in because of problems with forgotten passwords. I have had this myself with sites that make me use a strong password. I end up not using it at all because it makes me deviate from my normal system of creating passwords, so I forget. Once I have had to reset my password a couple of times, I just don't bother with that site anymore - too much hassle.

I understand that the site does not force you to choose a strong password. I have ignored its advice and used one of my usual ones. However, the first time I chose a password for the site, I thought it was requiring me to make a strong one. The interface is misleading in that way. So I chose a strong one and subsequently forgot it, requiring a reset which was a hassle.

I also understand that it may be seen as a good opportunity to teach people about strong passwords and encourage them to start using them. I think it would be fine to have a box on the sign-up page that gives information. But to have a box telling you "Your password is too weak" when you are choosing it is going too far.

Check this (pdf):
ABSTRACT: We find that traditional password advice given to users is somewhat dated. Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users. Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place. Above that minimum it appears that increasing password strength does little to address any real threat. If a larger credential space is needed it appears better to increase the strength of the user IDs rather than the passwords. For large institutions this is just as effective in deterring bulk guessing attacks and is a great deal better for users. For small institutions there appears little reason to require strong passwords for online accounts.
By all means give information about password strength, and why choosing a strong one may be good. But let's avoid discouraging people from using weak ones if they want. It is not as if the forest is a major hacking target.

ChaoticReality
Posts: 1113
Joined: Sun Nov 23, 2008 10:16 am
Location: Edinburgh!

Re: the myth of strong passwords

Post by ChaoticReality » Fri Jul 17, 2009 9:07 pm

neil wrote: It is not as if the forest is a major hacking target.
Security through obscurity is bad practice.
Mike

Dancing on into the afternoon heat, and I promise that by tomorrow I will have gone; goodbye to everyone, goodbye to everyone...

chombee
Posts: 1327
Joined: Thu Apr 20, 2006 3:01 pm

Re: the myth of strong passwords

Post by chombee » Sat Jul 18, 2009 11:28 am

Actually security by obscurity means something slightly different. Agree with Neil on this, I think we want simplicity all the way.
I've had it with you. If I had an image of a laser gun I would absolutely position it right here in my hand...
Ha! I have a real laser absolutely positioned in my hand!

Jane
Posts: 1557
Joined: Thu Sep 16, 2004 3:10 pm

Re: the myth of strong passwords

Post by Jane » Sat Jul 18, 2009 12:10 pm

I HATE needing a strong password, when they make you use at least some caps and at least some numbers it means I have no way of remembering my thousand different passwords so have to write them down in giant permanent marker letters all over my web presence to remind me what they are. This is not good. xxXX
"We all tend to idealise kindness and tolerance, then wonder why we find ourselves infested with losers and nutcases." Sebastian Horsley

ChaoticReality
Posts: 1113
Joined: Sun Nov 23, 2008 10:16 am
Location: Edinburgh!

Re: the myth of strong passwords

Post by ChaoticReality » Sat Jul 18, 2009 4:10 pm

chombee wrote: Actually security by obscurity means something slightly different.
Yeah, it wasn't exactly the term I was looking for, but you get the idea.

Just because we might not be a viable target for hackers, doesn't mean we can be lax about our security. There are boxes connected to the web that do nothing but spider sites until they find one that can potentially be exploited. I had to deal with an attack of spambots and hacking attempts on a website I ran which had a regular userbase of about 6 people.
Mike


neil
Posts: 944
Joined: Mon Jan 22, 2007 5:50 pm

Re: the myth of strong passwords

Post by neil » Sat Jul 18, 2009 5:00 pm

We have also had to deal with hacks at the forest. The bb has been taken down, so has the blog we used to run. It's fine; we dealt with it. What I'm saying is, it's not national security that's at stake. It's not worth causing people loads of hassle and putting them off from signing up & using the site.

chombee
Posts: 1327
Joined: Thu Apr 20, 2006 3:01 pm

Re: the myth of strong passwords

Post by chombee » Fri Jan 22, 2010 5:14 pm

I read a good idea about passwords today. It said that making people type both their username and a password is pointless typing. The username doesn't improve security any cause it's plainly visible and accessible to any observer. If the system made sure that everyone had a different password, then you could login by typing your password only. This'd mean that passwords could be longer (so more secure) and it would still be less typing cause you don't need to type a user name. To make sure everyone has a different password you don't ask users to come up with a password, instead the system generates a handful of passwords and lets the user choose the one they like. The passwords should be easy to remember. It suggested randomly generated combinations of English words like:

savory manlike oracle

exclusive malformed seal

old free papaya

blooming small labyrinth

rotten turnip sob story

There are trillions of possible passwords like this in English, making them much harder to guess.

neil
Posts: 944
Joined: Mon Jan 22, 2007 5:50 pm

Re: the myth of strong passwords

Post by neil » Fri Jan 22, 2010 5:48 pm

That's quite a good idea.

My first thought was what if someone mistypes and accidentally logs on as someone else? But this wouldn't happen with random groups of 3 words.

My second thought is what if someone starts randomly typing in groups of 3 words?

chombee
Posts: 1327
Joined: Thu Apr 20, 2006 3:01 pm

Re: the myth of strong passwords

Post by chombee » Sat Jan 23, 2010 4:00 pm

You'd be unlikely to hit anyone's password at random because the number of users is much smaller than the number of possible passwords (which is literally trillions). I think it's no different from taking a list of all our bb usernames (which is easy to get) and repeatedly picking a random username and trying out a random password with it, but with the manlike oracles the passwords are much harder to guess than the kinds of passwords people usually come up with themselves.

Guessing someone's 4-digit internet banking pin is far easier, there are only 10,000 possible pins.

I admit the idea feels a little uncomfortable but it really is more secure, although I haven't actually done the math.
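To put numbers on the word-combination scheme and on the "random guessing" question raised in the last few posts (and on the "dictionary attack cubed" that follows), here is an added example written for this thread; it is not code from the forum or from the site. The word list, the function names and the 7776-word list size used in the demo are assumptions, and the keyspace is D to the power n for a D-word list and n words, as the posts describe.

```python
import math
import secrets

# Constructed stand-in for an English word list (the thread's own examples).
# A real list has thousands of entries; dict_size is a parameter below.
WORDS = ["savory", "manlike", "oracle", "exclusive", "malformed", "seal",
         "old", "free", "papaya", "blooming", "small", "labyrinth",
         "rotten", "turnip", "sob", "story"]


def generate_passphrase(words, n_words=3):
    """Server-side generation: pick n_words uniformly with a CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def keyspace_size(dict_size, n_words=3):
    """Distinct ordered passphrases: a D-word list cubed is D**3."""
    return dict_size ** n_words


def entropy_bits(dict_size, n_words=3):
    """Bits of entropy of one uniformly chosen passphrase: n * log2(D)."""
    return n_words * math.log2(dict_size)


def any_user_hit_probability(n_users, dict_size, n_words, guesses):
    """Chance that `guesses` random tries hit at least one of n_users
    distinct passphrases on a password-only login (the worry above)."""
    space = keyspace_size(dict_size, n_words)
    return 1 - (1 - n_users / space) ** guesses


def collision_probability(n_users, dict_size, n_words=3):
    """Birthday-bound chance that two users are issued the same passphrase,
    which is why the server must check uniqueness before issuing one."""
    space = keyspace_size(dict_size, n_words)
    return 1 - math.exp(-(n_users ** 2) / (2 * space))


if __name__ == "__main__":
    print("sample:", generate_passphrase(WORDS))
    for label, d, n in [("3 words, 7776-word list", 7776, 3),
                        ("4-digit PIN", 10, 4)]:
        print(f"{label}: {keyspace_size(d, n):,} combos, "
              f"{entropy_bits(d, n):.1f} bits, "
              f"P(hit one of 6 users in 1000 guesses) = "
              f"{any_user_hit_probability(6, d, n, 1000):.2e}")
    print("P(two of 6 users collide):", f"{collision_probability(6, 7776):.2e}")
```

With a 7776-word list, three words give about 38.8 bits, well above the 20 bits the quoted abstract calls sufficient, and a password-only login has no account to lock after three strikes, so the throttling has to be per source address instead.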

joachim
Posts: 31
Joined: Sat Mar 13, 2010 7:39 pm

Re: the myth of strong passwords

Post by joachim » Sun Mar 14, 2010 10:49 am


chombee
Posts: 1327
Joined: Thu Apr 20, 2006 3:01 pm

Re: the myth of strong passwords

Post by chombee » Sun Mar 14, 2010 4:01 pm

No, it's not vulnerable to a dictionary attack.

swithun
Posts: 2683
Joined: Wed Mar 29, 2006 12:24 pm

Re: the myth of strong passwords

Post by swithun » Sun Mar 14, 2010 6:35 pm

It would be vulnerable to a dictionary attack cubed. Mwahhhahha.

Jane
Posts: 1557
Joined: Thu Sep 16, 2004 3:10 pm

Re: the myth of strong passwords

Post by Jane » Mon Aug 15, 2011 9:40 pm


sean is so smart.
