Posted by Roblimo from the was-it-123456-or-654321? dept.
Cy Guy writes "The NY Times has an article on how users are coping with an overload of passwords. Helpdesk costs related to lost passwords are $340/user/year according to the Gartner Group estimate cited." (Free NYT account required to read.)
I've been bitching about this for a while now. The sheer number of passwords one has to remember today to function is outrageous, and the number of web pages that require you to log in (you're guilty too, Rob) doesn't help. I try to use the a-few-different-depending-on-security passwords approach, but because every password program has different restrictions it isn't always that easy. Usually I wind up recreating my accounts whenever I need access. And finally, don't forget with nearly each password comes a login name... There must be a better solution out there.
Finally, a little quote from the article I thought was fairly humorous :)
"Michael J. Koszenski, a computer technician in Lexington, spent 2,000 hours of his own time creating a password database software for his PC after being disappointed with various password tracking programs...who has 30 or so passwords and access codes to manage."
That's TWO HUNDRED AND FIFTY eight-hour days! 66 days of work for each password! I hope that's a misprint :)
A combination of a single easy to remember password and a substitution cipher based on the name of the thing that the password is for. For example, NYT would be encoded by making the first version of the alphabet (for the first letter of the password) start with N, the second letter Y=A, the third letter T=A, and then back to N=A until all the letters of your password are encrypted.
Of course there are more high tech ways to do this but you better not lose the program you used to encrypt your passwords unless you know how to rebuild it from scratch. (Still, writing a password encrypting program is fun for a rainy day, I think.)
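The site-name substitution scheme described above, written out as an added example (my code, not the commenter's). It treats the scheme as what it is, a Vigenère cipher keyed with the site name: each letter of the base password is shifted by the corresponding letter of the site name, cycling through the site name, so a key letter N turns A into N. The base password "secret" and the site names "NYT" and "bank" are constructed sample input. The second half shows the catch a practitioner should know: because the site name is public, one leaked site password gives the base password back without any guessing, and with it every other site's password.

```python
import string

# Added example, not the commenter's code: the "one base password + site-name
# substitution cipher" scheme, implemented as the Vigenere cipher it is.
# Letters are shifted by the matching letter of the site name (cycled);
# non-letters pass through unchanged. Sample base password and site names
# below are constructed for the demonstration.

ALPHABET = string.ascii_lowercase


def _shifts(site: str):
    """Shift amounts taken from the site name: 'N' -> 13, so A maps to N."""
    key = [c for c in site.lower() if c in ALPHABET]
    if not key:
        raise ValueError("site name needs at least one letter")
    return [ALPHABET.index(c) for c in key]


def _vigenere(text: str, site: str, sign: int) -> str:
    """Shared loop: sign=+1 encrypts, sign=-1 decrypts."""
    key = _shifts(site)
    out = []
    i = 0  # counts letters only, so the key cycles over letters of the password
    for ch in text.lower():
        if ch in ALPHABET:
            idx = (ALPHABET.index(ch) + sign * key[i % len(key)]) % 26
            out.append(ALPHABET[idx])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def derive(base: str, site: str) -> str:
    """User's view: the site-specific password for `site`."""
    return _vigenere(base, site, +1)


def recover_base(leaked: str, site: str) -> str:
    """Attacker's view: one leaked site password plus the (public) site name
    gives the base password back in closed form."""
    return _vigenere(leaked, site, -1)


def pivot(leaked: str, leaked_site: str, target_site: str) -> str:
    """From one compromised site password, compute the password for any other site."""
    return derive(recover_base(leaked, leaked_site), target_site)


if __name__ == "__main__":
    nyt = derive("secret", "NYT")
    print("NYT password:", nyt)                                     # fcvecm
    print("base recovered from the NYT leak:", recover_base(nyt, "NYT"))  # secret
    print("bank password from the NYT leak:", pivot(nyt, "NYT", "bank"))  # tepbft
```

recover_base needs no brute force at all; it is the same loop with the shift reversed. Anything produced by this scheme is therefore one shared password with a public, per-site suffix, and a breach at the least important site exposes all the others.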
The more and more insignificant sites popping up that require login accounts, the more and more seldom my preferred login names (or any variant of any of them) are available.
So now regardless of how often I reuse a password or PIN, whether I can remember the login I chose for that site is hit/miss.
Actually I tend to fill in as many 'bla' as I can. For instance when downloading software (for instance a plugin) companies ask you all sorts of stupid questions to which I always answer bla. Sometimes a stupid javascript tells me bla won't do so I then make it bla@bla.com. I have registered for NYT the conventional way, though, since it frequently has interesting stuff to read.
It's called passface [id-arts.com] and it is password like in the sense that something needs to be remembered, but what you need to remember is very different.
The principle is that humans are very good at remembering faces, so you can select a face out of a series of faces, and then a second, and a third, and a fourth. That is your password. When you want to log on, you are greeted with the series of faces, and then you choose one, and then you get a second series of faces...et cetera.
You have to keep in mind that not all helpdesk people know the root password on the machines they maintain. For example, where I work, a lot of what we do is done through sudo and we don't even need to know the root password on the machines... however if sudo is not enabled for changing a user's password, you will need to know the root password on that machine, and if it's not yours, there is time involved with contacting the owner of that machine and having them change the password.
I've a little script called "ring" I use to look up phone lists. For passwords I just have a pgp encrypted file; I decrypt it and pipe it through ring to find the password I need for whatever obscure site I need to visit. I have a few shell aliases for storing (unexported) the passphrase for this file in my shell and for passing it to pgp for the pgp->ring lookup. Works just fine. So I just make random passwords for sites and note 'em down. (md5 on an active log file is a handy way to get arbitrary strings for passwords).
What I usually do is have an easy to remember password that I use for things that I don't care much about the security of. Things like web based email accounts I signed up for and end up using as another address to use for those sites who make you fill out those surveys before you can download their product. For more secure things I usually make up random passwords in the form of three letters, two numbers, and then three more letters. I usually keep the case of the passwords mixed, but consistent so I can remember it. The result is a password that is fairly difficult to guess due to the mixed case and the numbers, but easy enough for me to remember since I know the pattern of the letters and numbers.
One of the biggest problems (for me, at least) is the differing 'security' requirements for how you should choose a password.
One system has a maximum length of eight characters, while a website has a minimum of ten. Some require mixed case, some don't. It would help enormously if webmasters were a little more relaxed and just allowed users to pick their own passwords - particularly for things like the NYT which are not exactly 'top secret'.
Yes, but what's the point of having really great and difficult to remember passwords for all these crappy accounts? You can use simple passwords for these (usually they don't check very much), and you can use the same one every time. So you can use your brainspace for the real passwords, that really have to be safe.
Is it just me, or have others also noticed a couple other articles on this topic? It seems to me, all of these are just a preamble of a hype-storm for the Microsoft solution to this problem. Go take a look at this [passport.com]. Hotmail is already using this, but I don't know of any others yet. I am thinking this could really become big, and could really give MS a monopoly on website user authentication. How about moving quickly, and developing an open source standard similar to this?
'Please enter all of your passwords, pin #'s, etc. into this form. Click the "OK" button to send this to^H^H^H^H^H^H^H^H^H^H^H^H store this information in encrypted form.' Any program I used for such a purpose I would want line-by-line audited, much like OpenBSD.
No. Which is why I said I'd never put a real system account into this, just all my crap webmail passwords that I really couldn't care less if they are compromised.:-)
As people often have access to more than one machine (shell), and sometimes more than one email address, it means one password for each of them! Even if I have about 15 shell/email I use 4 or 5 passwords, easier... the polls are fucked, but here's a link [slashdot.org] of a poll about number of email addresses, another link [slashdot.org] which is the same subject?!? and a link [slashdot.org] to the password one. Also what happened to this poll [slashdot.org] of Aug 4th? -- http://www.beroute.tzo.com
I wrote Strip [zetetic.net], the Password and Account manager for the Palm Pilot. I am not trying to plug the product but since it's been mentioned twice already I feel more comfortable. Strip will protect against user stupidity. It encrypts EVERYTHING before it goes into the Palm databases. Furthermore, if you leave it on in the back seat of the taxi it locks the program when the Palm automatically powers off. IDEA is the same algorithm used in PGP, so it's heavily tested and secure. It's open source, so you can look at the crypto code and compile it yourself if you want to. Strip does specific and comprehensive memory wiping of unused data, so even if your would-be attacker got an actual RAM image off your Palm they would not find your key, or any of the data that has been displayed during Strip's use.
I do it the same way you do. Sometimes I recycle old high-security words and use them at the mid-security level. If I forget one, it makes it a little easier to guess.
At least with a Palm you can use physical security. I dunno about you, but I'd feel a lot safer cracking into a networked box somewhere than trying to take a Palm off of someone my size.;-)
We set up a new Intranet web server then gave folks their passwords. Afraid that they weren't going to remember that they could be mixed-case, I put the following on the entry page:
Remember: Your password is case-sensitive.
Looking through the logs a while later - I saw multiple entries of people trying to use "case-sensitive" as their password...
I can type fast and obscured enough so that no one can read what I'm typing. But if I have my pws on a PalmPilot or whatever I have to make them visible, at least long enough for me to read. Or do you hide under a newspaper every time you want to enter a password :)
I remember reading this from a computer magazine about 5 years ago. The secret to maintaining password security is to store them in clear text, in a file which is globally readable, but pick a file that no one would ever bother opening.
Download some shareware, say, a typing tutor, or something equally useless. Install it. Go to the directory where the software is installed, and you'll find a file called ORDER.FRM or PURCHASE.TXT or something like that. Type whatever you want into the exact middle of the file. In clear text. No one else will ever see them. =)
The most effective password management idea that I've heard is the advice we gave to people using our lab---come up with "password themes". That is, pick some class of passwords that are related and enumerable, munged in a fairly consistent way, and wouldn't be well known to anyone but you; this way you don't have twenty distinct things to remember, just one pattern that ties into something you already know.
For instance, ``Last names of people in my boy scout troop, with the first two letters swapped''. Or, ``First names of people at my last job, spelled backwards and with the fourth letter capitalised''. This sort of a method tends to be very productive, easy to remember, but hard to guess; and even if someone gets one of your passwords, they won't be able to figure out the others, unless they know you really well. And if you still can't remember your scheme, it's much safer to write down a dummy password that obeys the scheme, or even to write down the scheme itself, than to write down each valid password next to your computer.
Of course, it's probably easier if this gets used in combination with some of the other suggestions on this board---I think even this scheme would peter out if I needed to use a separate password for every registrable site I belong to.;)
Where did 'great and difficult' enter? Most of these passwords are the same, or variations, based on the length and other limits. Most of the time it's the account name that I have to remember. Sometimes it's the same one I like to use all over, sometimes it's my 'quake' handle, sometimes it's one of the dozen or so webmail accounts I have.
I'm not using keep it safe to lock up inner-sanctum passwords, just to have a moderately-secure place to keep track of all these accounts and passwords. I used to have them in a clear-text notepad file, this is a shade better.
Is it just me or does trying to read a story about the cost of losing/having too many passwords which requires me to register with yet another password seem a bit ironic?
I'm beginning to use just two passwords, my main UNIX one at work, and another one everywhere else. I'm sorry, I just can't remember six dozen pseudo-random strings.
And don't get me started on PIN numbers... Bring on the biometrics, and fast...
Some security paranoids try and have every password different. Others make all their passwords the same. Both end up causing problems. I use a compromise. I have three passwords.
One is a 'high-security' password that I only use in trusted, secure situations. My root password falls into this category. This password NEVER goes over any clear channel, nor is it typed in when anyone is possibly watching.
The next level of password is the medium security password. This is for systems where I care about security, but compromising it wouldn't cause serious problems, the person would just be able to read some personal documents, and perhaps impersonate me.
The final password is the I-don't-give-a-rat's-ass-about-security password. This is for things like slashdot, NYT, and other web services. These are ones where I (or someone else) wants some kind of security, but I don't particularly care if it gets compromised, as the person couldn't do much with it (Oh no, they impersonated me while reading the NYT!).
Each password gets changed with a frequency tied to how important it is. For example, root gets changed every month or so. My regular login gets changed every few months, and I haven't changed the who gives a shit password in over a year.
The upshot is that I never forget my passwords, and I haven't had to ask a sysadmin to change one in years. And none of my accounts have been compromised (yet).
Just make a list of all your passwords, put it in a text file, and encrypt it with PGP. Then you only need to remember one password -- your PGP password.
It might also be a good idea to encrypt the file with 2 separate keys & passwords so you have a backup in case you forget one of the PGP passwords.
Honestly, though, password list management programs are out there in droves. The problem with them though is that they are inherently insecure, e.g. one global password reveals all other passwords...
I'd like to see a password management system with a physical level of security. For example, you insert your smartcard or HASP key into a reader or the computer's serial, parallel, or usb port and then whammo your list is decrypted based on the private key in your physical device (or using the device itself in the case of smartcards)
I really think it's better to have a few passwords for various levels of importance than to write your passwords down. Important passwords shouldn't be written down under any circumstance, and unimportant ones, well just use the same password for all of them. Oh, and NY times remembers your password for you, w/ a cookie I assume, so it's not really ironic at all.
kmj The only reason I keep my ms-dos partition is so I can mount it like the b*tch it is.
What the heck is going on that makes the help desk cost that much to fix a password? Come on!
Either someone doesn't know how to estimate, there is _far_ too much bloat in the organization or some wacky combo of both.
In UNIX, doesn't helpdesk just have to:
passwd
give the dummy password to the user? Unless the (l)user loses the password twenty times or more a year, I can't see how password fixing is really a problem. The only thing is things lost because superuser can't remember the password, then you're screwed out of much invested data in the system; even then, there are quick workarounds.
Clue stick anyone? (I don't want to login NYT, so I haven't read it)
There's some sort of utility I saw a while ago that let you store your password and what site they're for in a file that is encrypted with {PGP|GPG}... so you only have to remember that one password to look up anything else.
Of course, if you lose or forget that one password then you're pretty much screwed.
My passwords are all fairly similar... they all come from a common source, but with variances... for example, there's an inside joke I have with a long time friend... Using one of those words, the next word in another language, and a significant number, and capitalization changes I get a new password! Works very well...
Which reminds me.. I'm way over due for a password change..
I gave up on remembering all of my passwords. So I generate a different (random) password for every account I have and store them all in an encrypted database on my Palm Pilot. Works great, and if someone gets my TV Guide profile password, I don't have to fear for my online banking accounts.
"But since the introduction of the automated teller machine, people have accumulated an arsenal of passwords, access codes and personal identification numbers to use everything from answering machines to office bathrooms."
I'll be going home a little early today because I forgot my bathroom PIN and soiled my pants.
To get those hidden passwords (******) that you have forgotten, but your programs remember, try Revelation http://www.snadboy.com/Revelation.shtml [snadboy.com]... it helps for getting your forgotten passwords out of your ftp program to be used for telnet or whatever...
It's an invaluable tool, I use it all the time.
Ok, so telling your program to remember your password isn't very secure... but that's your discretion.
And 90% of all stats are made up by operations managers looking for more budget for helpdesk functions.
And the other 90% are made up by consulting firms looking to court SSO (single-sign-on) product companies......
Let's look at the numbers, shall we? Let's say we work for a company that has 70,000 (I have one in mind) employees that use computer systems and have at least one password.
Let's also assume that the helpdesk function at this company spends a 50/50 ratio on personnel and equipment for help desk functions, and the median help desk person gets $40k per year (which is actually high to account for HR costs and benefits).
Let's do some math:
70,000 employees x $340 = $23,800,000
Half of that is $11,900,000. At the median salary of $40k per year, that means that the helpdesk for this company has 297 1/2 people doing nothing but password recovery functions every year. I know for a fact that this is not true.
Now, not having read the article (I refuse to register to news sites), I'm sure that they figure things in such as lost productivity, research time, and so on. But I sincerely doubt that the actual costs are even approaching what Gartner gives.
You should take these things with a grain of salt. Different environments have different costs associated with password management. A large mainframe-based company can handle thousands of users with a very small staff for password functions. A loosely networked company, where everyone has Administrator on his NT box, and 15 servers to log into, will have higher costs. A large company will have smaller costs per capita than a mid-sized company.
How secure is anything? If I leave my planner in the seat of a taxi or on a restaurant table the lucky person gets my money, my credit cards, my address, and knowledge of when I won't be home. To me, that's a lot scarier than someone finding out what my root password is. I can change that. Changing a business trip is a little harder.
It's almost impossible to protect yourself from your own stupidity. If you put your passwords in your pilot, just be sure to recognize it's value and don't leave it in the back of a taxi.
I know many of you will nearly die in a paranoia attack, but I believe that when the day comes that it is cheap and reliable enough to have biometric access codes on everything that needs to be protected, this endless password dance will be reduced.
If I could simply get a retinal scan to log into my computer, the need to password protect much of its content would be a great deal less.
Boy I wish it was that simple to reset a password in a large help desk environment. At least in the current large help desk I work at the poor fools over in user administration have to fill out a ticket first, then reset the password. Now due to security concerns nearly every password can NOT be given out directly over the phone. So they have to put the end user on hold and call and leave the new temp password on the Audix. Of course I hear people complaining all the time about how the end user can't seem to understand directions to not answer the phone and let it ring through to the Audix, therefore a second call has to be made. Now if the end user doesn't have an Audix, it has to be left on their manager's Audix, which means they call and if the manager answers explain what is going on and call back one more time to leave the password on an Audix. Now after the end user manages to get the Audix with the temp password, they have to be walked through changing the password. Of course they have to be reminded of the password policy even though it hasn't changed in about 16 months at this point. Also given that on average the end users probably have around 4-5 passwords and there are 30, 45, 60, and a couple of 90 day expiration times, which makes it even more complex for the end users. So while I think the $340/user/year is high, it isn't too high of a number.
Pick a theme. Something like "names of Star quarterbacks of the seventies reversed and with all vowels replaced with the number of letters in their team name".
I.e.: n7tgn7kr7T
That way, when you forget a password, you have a very limited number of things to try. I've done this and found it very useful when I forget which password I gave some web service eight months ago.
Of course, mnemonic devices also help. Classic example: By the dawn's early light Btd'el! or Bill Clinton has 15 interns under his desk! BCh15iuhd! Then it just becomes a question of which is which. (Damn, did I bash Bill Clinton or Bill Gates in my foobar login? Or did I use the same line as on goober? Or do I still even have a goober account?) That's where the earlier suggestions (i.e. one high-security, one medium security, and one low-security (e.g. slashdot/nytimes/etc) password) come in. I actually use three or four, but along the same lines. Of course, I suppose I should change them at some point....
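The "password theme" idea from this comment and the earlier boy-scout-troop one, as an added example (my code, not the commenters'). The three munging rules quoted in the thread are implemented as small functions, and a constructed roster of 1970s quarterbacks stands in for whatever source list the user actually knows. The last function shows the flip side of "a very limited number of things to try": anyone who learns the theme and the list has exactly that many candidates too, so the scheme's strength rests entirely on the list staying private.

```python
# Added example, not from the comments above: "password themes" as code.
# A theme is a source list the user already knows plus a consistent munging rule.

VOWELS = set("aeiouAEIOU")


def reverse_and_number_vowels(name: str, team: str) -> str:
    """'Names reversed, with all vowels replaced with the number of letters
    in their team name'."""
    digit = str(len(team))
    return "".join(digit if c in VOWELS else c for c in reversed(name))


def swap_first_two(last_name: str) -> str:
    """'Last names with the first two letters swapped'."""
    if len(last_name) < 2:
        return last_name
    return last_name[1] + last_name[0] + last_name[2:]


def backwards_capitalise_fourth(first_name: str) -> str:
    """'First names spelled backwards and with the fourth letter capitalised'."""
    s = first_name[::-1].lower()
    if len(s) < 4:
        return s
    return s[:3] + s[3].upper() + s[4:]


# Constructed roster of (quarterback surname, team); the real list would be
# whatever the user remembers. The point is only that it is short and enumerable.
ROSTER = [
    ("Tarkenton", "Vikings"),
    ("Staubach", "Cowboys"),
    ("Bradshaw", "Steelers"),
    ("Griese", "Dolphins"),
    ("Stabler", "Raiders"),
]


def theme_passwords(roster=ROSTER):
    """Every password the theme can produce from the roster: what the user
    tries when a password is forgotten."""
    return [reverse_and_number_vowels(name, team) for name, team in roster]


def attacker_candidates(roster=ROSTER) -> int:
    """Knowing the theme and the source list, this is the attacker's entire
    search space: one guess per list entry."""
    return len(set(theme_passwords(roster)))


if __name__ == "__main__":
    for pw in theme_passwords():
        print(pw)
    print("candidates for someone who knows the theme:", attacker_candidates())
```

The strength here is not in the munging (reversing and substituting a digit is trivial to replicate) but in the secrecy of the list. Once the list is guessable, a brute force attempt costs as many guesses as the list has entries.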
A solution you can use is to have one really strange password "ql69$!amzsefb" (not mine of course) and memorize this. When you need to create a new password create a variant => ql69$!anzsefb and ql69$!aozsefb; this way you will never forget your password.
The encrypted passwords:
ql69$!amzsefb -> OBLzco1HA9QN2
ql69$!anzsefb -> .5/ZI.2Wlfn0w
To me that gives good variance so it would be tough for password crackers.
If you have no choice about some passwords you should use a VERY secure password database. I don't personally use password databases but it's better to have a backup than to be locked out of your accounts. --------------------------- ^_^ smile death approaches.
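An added example (my code, not the commenter's) for the one-strange-password-plus-variants scheme above. It enumerates what an attacker who has captured one variant must try to reach any other: every string differing from it in a single position, which is len(password) times (charset size minus 1) candidates, about a thousand, against the 94^13 guesses a truly random 13-character password would cost. The base and variant are the ones quoted in the comment; the 94-character set is an assumption. One further caveat about the quoted hashes: they are in the 13-character traditional DES crypt(3) format, which only hashes the first eight characters of the password, so two variants that differ only after position eight produce the same hash.

```python
import string

# Added example, not from the comment above: the search space an attacker faces
# once one variant of a "base password + single changed character" scheme leaks.
# The base and the variant below are the ones quoted in the comment; the
# character set is an assumption.

CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def single_char_variants(known: str, charset: str = CHARSET):
    """Every string that differs from `known` in exactly one position."""
    for i, orig in enumerate(known):
        for c in charset:
            if c != orig:
                yield known[:i] + c + known[i + 1:]


def search_space(known: str, charset: str = CHARSET) -> int:
    """Size of single_char_variants(): len(known) * (len(charset) - 1)."""
    return len(known) * (len(charset) - 1)


def guesses_until_hit(known: str, target: str, charset: str = CHARSET):
    """How many candidates a dictionary built from `known` tries before
    `target` comes up, or None if `target` is not a one-character variant."""
    for n, cand in enumerate(single_char_variants(known, charset), start=1):
        if cand == target:
            return n
    return None


def random_space(length: int, charset: str = CHARSET) -> int:
    """For comparison: guesses needed against an independent random password."""
    return len(charset) ** length


if __name__ == "__main__":
    known, other = "ql69$!amzsefb", "ql69$!anzsefb"
    print("variants to try:", search_space(known))                # 1209
    print("guesses before the other site's password:", guesses_until_hit(known, other))  # 664
    print("random 13-char password would need up to:", random_space(13))
```

The enumeration is cheap enough to run as an online guessing attack against a site with no lockout, which is exactly the kind of throwaway site people use variants on. A practitioner comparing schemes should count the guesses left after one password leaks, not the strength of the base password in isolation.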
"Keep it Safe" [suxdorf.com] is a freeware program for W32 that does this. I use it at work to keep track of all the mail-lists, web-mail, web-shopping-accounts and stuff like that. Not sure I would ever really put a real system account there though.
Wish there was a Linux port of this that I could use at home, it is pretty useful.
Ron Dilley is a network administrator. He maintains 129 active passwords using a Palm organizer to track his passwords.
I ain't got one (yet) so I've got to ask... How secure is that? Can you get PGP for the Palm? Seems to me he leaves his Palm Pilot on the seat of a taxi or on a restaurant table and he is going to be hating life very mucho a lot and a half.
If you think about it, how many of these systems really *need* to be secure? Do I really need to have a unique, six-digit, alphanumeric password just to read the NYT, or my e-mail for that matter? It's not as if it were my bank account or anything. If you want security, use strong encryption. Otherwise, don't waste my time.
Nope, there is a small utility for the Palm called "Secret!", which does all this. It keeps all the stuff stored, encrypting it with Triple DES (yes, it's not that secure). It even has a TAN mode (for those of you into homebanking).
Neat, I keep all my passwords (and the root-passwords of our customers machines) stored in it.
Doing this is also quite a reminder to not forget your Palm anywhere;-)
Don't forget about desktop and laptop passwords, which aren't always easy to circumvent, and often require a call to the manufacturer's tech line and some sort of ID before you can get the magic incantation. Beyond that, you have password-protected applications, Office documents, db accounts, PGP, etc. which all require varying degrees of knowledge and/or hassle to bypass, or are so difficult to bypass that it isn't worth the effort required, thereby making the protected property, real or intellectual, worthless for all intents and purposes.
Then there are PDAs, door lock PINs, secure filing cabinet PINs, ATMs, etc.
The use of password protection has proliferated beyond our ability to manage it and it's not always cheap to bypass the protection.
I, of course, read the paper version this morning. Sure, it's backwards, but it doesn't have a password, and you wouldn't believe how fast the pages load.
And the NYT is much more interesting than most papers, unless your version of interesting is heavy on sports, sensationalism and/or local news.
And if you expanded the concept, it could include some management program to keep track of your real Verisign cert, your "free" certs and anything in between. I think it would be just awesome if someone came up with the "marketing cert". You put whatever personal information you feel comfortable with inside a cert, then the website that wants it can come and get it from you, instead of those @*#&ing forms you have to fill out (which is the prompt for the password issue, anyway)./m
I first heard about this through a marketing survey. It seems that you just give your information (name, credit card number, etc.) and when you want to buy something, you just let your trusty third party company (and who is more trustworthy than Microsoft?) handle the disbursement of your name, credit card number, etc. for you.
Can you imagine the money you could make selling information on what products a person buys, if you know that person logs all exchanges through you? I think I can handle the burden of retyping my credit card number each time I use a different business.
An open source standard wouldn't do anything. This is pure capitalism.
OH MY GOD!!!! Can you imagine such a thing! Well, we used to have a metal key for the downstairs ladies, but mgmt finally got rid of it - we were losing one key a month and that was bad enough!
Unfortunately, I work for the help desk of a leading IT firm in Chicago. I would estimate that at least 50% of the time, the user's problem is either a request for a reset password or is solved by resetting the password. Think about the time (time=money) we could have back if there weren't so many password issues. We would have twice as much time/resources to devote to serious problems. Think of it this way -- with ~10 help desk employees responsible for 3500+ employees on billable consulting time at client sites around the world, a lot of money is lost to inactivity of the consultants due to their computer problems. I will admit though, that supporting Winblows causes at least as many headaches... arrgghhh.. I thought I hated Windoze *before* I had to troubleshoot it all damn day. Tangent, sorry.
I'm going to start a consulting firm whose only service is changing passwords. I'll telnet in from home and take my 800-line calls in my pajamas, and for this remarkable service I'll charge $300 each, and call that a discount.
And for a volume discount, I'll personally rap lusers upside the head when they reach $3,000 or more in charges.
Is anyone else catching the irony, here? NYT is just adding to a vicious circle by requiring people like me, who don't have an NYT password, to *gasp* register for an NYT password!!!
I remember an article on /. a few weeks back. The NYT had an article on Online Privacy, but you had to register to read it. Now that's ironic.
Just waiting for MacOS 9's keychain. Lets you store all your various passwords in one, tightly encrypted and portable keychain which you can unlock with one master password. Just hope MacOS 9's voice recognition passwords carry through to keychain!
It's usually not the password or the security system. It's the people who use them. For example, at work I have people every day who tell me their passwords because they don't have the time of day to stay and log in as Administrator on their NT boxes while I fix their dumbass problems. Furthermore, many passwords can be guessed due to their simplicity (almost half are the reverse of their login or their login + #). Of course, this is to be expected since the human brain is meant to generate and remember patterns, not random characters. Perhaps even more unbelievable is the fact that almost any employee can call the helpdesk and have their password reset. With _no_ ID check.
On top of that, the real problem is not people getting into a system with passwords. The real security problem is the idiot things people can do while logged in as a high security user. It's amazing what they do. Many people, mostly experienced techs (with high privileges on the system), log in outside the firewall and the security features therein, and access high risk sites (not pr0n but warez and other sites due to high access speeds). Therefore, the password security and access standards don't need to be revised, the user's intelligence does.
Much of this will change when things like retinal scanners, thumbprint scanners and infrared face scanners come out. Me, I am waiting for voice print access that can filter out good copies of my voice (possibly even programmed to ask questions only I can answer such as what happened the night of June 28 1992?) (Answer: I lost "ScRaMbLeD ThE ReSt")
When I played sysadmin, we ended up assigning passwords like 7fesy3q and let the users change them at their own risk. Of course we would run crack daily, so this would discourage this unless they followed the strict "acceptability" rules.
When I have to play the letters/numbers game, sometimes I pick a radio station as a password like 8950kbaq.
Re:New MacOS (on topic, really) (Score:1)
In case any of you are interested at all about the Keychain and MacOS 9's voice passwords, AppleInsider has it all in its MacOS 9.0 archive:
http://www.appleinsider.com/macos9.0.shtml [appleinsider.com]
NYT Login/Password (Score:1)
password:slashdot
or
login:cypherpunks
password:cypherpunks
Re:One Problem... (Score:1)
I can rent a camcorder and single-step through your keystrokes.
Apple Keychain (Score:1)
Keychain would keep all your passwords super-secure in a little pop-up window and you only needed to remember the one Keychain password to access it.
Keychain was great software. Unfortunately Apple is too daft to recognize a good thing and axed Keychain from the MacOS.
Pfft.
Peace
Re:Glad to see this covered! (Score:1)
One system has a maximum length of eight characters, while a website has a minimum of ten. Some require mixed case, some don't. It would help enormously if webmasters were a little more relaxed and just allowed users to pick their own passwords - particularly for things like the NYT which are not exactly 'top secret'.
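The two complaints above (the "my approach" post that notes random passwords down and mines md5 of a log file for them, and the one about one site capping length at eight while another demands ten with mixed case) both come down to generating a random password that fits a given site's rules. This is an added example, not code from any poster; the `Policy` fields and the `generate` / `satisfies` / `entropy_bits` names are assumptions for this illustration. It draws from `secrets` rather than hashing a log file, and the entropy helper shows why an md5 hex digest truncated to eight characters (16 symbols) buys fewer bits than eight characters drawn from the full 62-symbol alphanumeric set.

```python
import math
import secrets
import string
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """One site's password rules (field names are assumptions for this example)."""
    min_len: int
    max_len: int
    require_upper: bool = False
    require_digit: bool = False
    require_symbol: bool = False
    symbols: str = "!@#$%^&*"


def satisfies(pw: str, policy: Policy) -> bool:
    """True when pw meets every rule in the policy."""
    if not (policy.min_len <= len(pw) <= policy.max_len):
        return False
    if policy.require_upper and not any(c.isupper() for c in pw):
        return False
    if policy.require_digit and not any(c.isdigit() for c in pw):
        return False
    if policy.require_symbol and not any(c in policy.symbols for c in pw):
        return False
    return True


def generate(policy: Policy, length: Optional[int] = None) -> str:
    """Draw a password from the CSPRNG until it satisfies the policy.

    Defaults to the longest length the site allows, since length is the
    cheapest way to add entropy. Rejection sampling is fine here: for any
    length of 8 or more the acceptance rate is high.
    """
    if length is None:
        length = policy.max_len
    needed = sum([policy.require_upper, policy.require_digit, policy.require_symbol])
    if length < max(policy.min_len, needed) or length > policy.max_len:
        raise ValueError("requested length cannot satisfy the policy")
    alphabet = string.ascii_letters + string.digits
    if policy.require_symbol:
        alphabet += policy.symbols
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies(pw, policy):
            return pw


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random string of the given shape."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Two constructed policies mirroring the thread: an 8-char cap vs a 10-char floor.
    legacy_unix = Policy(min_len=6, max_len=8)
    picky_site = Policy(min_len=10, max_len=32, require_upper=True, require_digit=True)
    for p in (legacy_unix, picky_site):
        pw = generate(p)
        print(f"{pw!r} ok={satisfies(pw, p)} bits~{entropy_bits(len(pw), 62):.1f}")
    print(f"8 hex chars from md5: {entropy_bits(8, 16):.1f} bits")
```

Because the generator always satisfies the rules it was given, a policy that cannot be met (say, a length below the number of required character classes) is rejected up front instead of looping forever.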
Re:Would you trust a closed source program for thi (Score:1)
So you can use your brainspace for the real passwords, that really have to be safe.
M$'s solution to this problem (Score:1)
other articles on this topic? It seems to me, all of these are just a preamble of a hype-storm for the Microsoft solution to this problem. Go take a look at this [passport.com]
Hotmail is already using this, but I don't know of any others yet.
I am thinking this could really become big, and could really give MS a monopoly on website user authentication. How about moving quickly, and developing an open source standard similar to this?
Linuxghoul
Re:340$ user/year? Ha! (Score:1)
Would you trust a closed source program for this? (Score:1)
Any program I used for such a purpose I would want line-by-line audited, much like OpenBSD.
Re:Uh, huh... (Score:2)
> um.... (no further commenting needed.)
Okay, so I forgot a '0'.. $11,900,000... The rest of the math was right...297 1/2 people changing passwords....
jf
Re:Would you trust a closed source program for thi (Score:2)
remind me some polls (Score:1)
the polls are fucked, but here's a link [slashdot.org] of a poll about number of email addresses, another link [slashdot.org] which is the same subject?!? and a link [slashdot.org] to the password one.
also what happened to this poll [slashdot.org] of Aug 4th?
--
http://www.beroute.tzo.com
Re:Multiple Passwords (Score:1)
Not sure if it would mess up search engines, but basically, a Cookie Monster that eats em as you go?
Re:I'd like to see this bathroom (Score:1)
Re:Someone Wanna Grab that Palm Pilot? (Score:1)
Re:Compromise solution (Score:1)
Re:Good use for a PalmPilot (Score:1)
Funny Story (Score:1)
Remember: Your password is case-sensitive.
Looking through the logs a while later - I saw multiple entries of people trying to use "case-sensitive" as their password...
Re:my solution (Score:1)
YM billg@microsoft.com. HTH. HAND.
You really want Microsoft talking to your ISP about you forging billg's email?
One Problem... (Score:1)
But if I have my pws on a PalmPilot or whatever I have to make them visible, at least long enough for me to read. Or do you hide under a newspaper every time you want to enter a password?
Re: (Score:1)
How to secure passwords: (Score:1)
Download some shareware, say, a typing tutor, or something equally useless. Install it. Go to the directory where the software is installed, and you'll find a file called ORDER.FRM or PURCHASE.TXT or something like that. Type whatever you want into the exact middle of the file. In clear text. No one else will ever see them. =)
An effective pw management scheme... (Score:1)
The most effective password management idea that I've heard is the advice we gave to people using our lab---come up with "password themes". That is, pick some class of passwords that are related and enumerable, munged in a fairly consistent way, and wouldn't be well known to anyone but you; this way you don't have twenty distinct things to remember, just one pattern that ties into something you already know.
For instance, ``Last names of people in my boy scout troop, with the first two letters swapped''. Or, ``First names of people at my last job, spelled backwards and with the fourth letter capitalised''. This sort of a method tends to be very productive, easy to remember, but hard to guess; and even if someone gets one of your passwords, they won't be able to figure out the others, unless they know you really well. And if you still can't remember your scheme, it's much safer to write down a dummy password that obeys the scheme, or even to write down the scheme itself, than to write down each valid password next to your computer.
Of course, it's probably easier if this gets used in combination with some of the other suggestions on this board---I think even this scheme would peter out if I needed to use a separate password for every registrable site I belong to. ;)
Re:Would you trust a closed source program for thi (Score:2)
I'm not using keep it safe to lock up inner-sanctum passwords, just to have a moderately-secure place to keep track of all these accounts and passwords. I used to have them in a clear-text notepad file, this is a shade better.
STRIP (Score:1)
Re:Compromise solution (Score:1)
I think I'll document this now
Re:hrmm.. brute force finger attack on the ladies (Score:1)
ack! (Score:3)
/willhelm
Hmmm... (Score:1)
The NYT is just not that interesting....
Overload... (Score:1)
And don't get me started on PIN numbers... Bring on the biometrics, and fast...
Sorry... (Score:2)
Compromise solution (Score:2)
One is a 'high-security' password that I only use in trusted, secure situations. My root password falls into this category. This password NEVER goes over any clear channel, nor is it typed in when anyone is possibly watching.
The next level of password is the medium security password. This is for systems where I care about security, but compromising it wouldn't cause serious problems, the person would just be able to read some personal documents, and perhaps impersonate me.
The final password is the I-don't-give-a-rat's-ass-about-security password. This is for things like slashdot, NYT, and other web services. These are ones where I (or someone else) wants some kind of security, but I don't particularly care if it gets compromised, as the person couldn't do much with it (Oh no, they impersonated me while reading the NYT!).
Each password gets changed with a frequency tied to how important it is. For example, root gets changed every month or so. My regular login gets changed every few months, and I haven't changed the who gives a shit password in over a year.
The upshot is that I never forget my passwords, and I haven't had to ask a sysadmin to change one in years. And none of my accounts have been compromised (yet).
passwords (Score:1)
Then what do I do with the list?
Easy Solution (Score:1)
It might also be a good idea to encrypt the file with 2 separate keys & passwords so you have a backup in case you forget one of the PGP passwords.
Re:ack! (Score:1)
Re:passwords (Score:1)
Honestly, though, password list management programs are out there in droves. The problem with them though is that they are inherently insecure. E.G. one global password reveals all other passwords...
I'd like to see a password management system with a physical level of security. For example, you insert your smartcard or HASP key into a reader or the computer's serial, parallel, or usb port and then whammo your list is decrypted based on the private key in your physical device (or using the device itself in the case of smartcards)
~GoRK
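GoRK's objection above is the central design question for any password list: one master password unlocks everything, so how that password is turned into a key decides how much an attacker with a copy of the file can do offline. The following is an added example, not code from any poster or product. It keeps a small vault in a single blob whose encryption and MAC keys are derived from the master password with PBKDF2 (random salt, fixed work factor), encrypts with an HMAC-SHA256 counter keystream so that it runs on the standard library alone, and authenticates the blob so that a wrong master password or a modified file is rejected instead of yielding garbage. The function names, the 100,000-iteration count and the blob layout are assumptions of this example; a production tool would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 in place of the hand-built keystream, and the smartcard idea in the post corresponds to replacing the password-derived key with one held on the device.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for this example)
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(master: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(entries: Dict[str, str], master: str) -> bytes:
    """Encrypt-then-MAC a {site: password} map. Layout: salt | nonce | ct | tag."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(master, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_vault(blob: bytes, master: str) -> Dict[str, str]:
    """Verify the tag under the derived MAC key, then decrypt. Fails closed."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("truncated vault")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    ks = _keystream(enc_key, nonce, len(ct))
    plaintext = bytes(c ^ k for c, k in zip(ct, ks))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample entries, not anyone's real credentials.
    vault = seal({"nytimes": "low-value-pw", "shellbox": "k9!Qv2#mLx"}, "correct horse")
    print(open_vault(vault, "correct horse"))
    try:
        open_vault(vault, "wrong horse")
    except ValueError as err:
        print("rejected:", err)
```

The tag is checked with `hmac.compare_digest` before any decryption happens, so a wrong master password never produces partially decrypted output; the per-vault salt means two users with the same master password still get different keys, and the iteration count is the knob that makes each offline guess cost as much as one legitimate unlock.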
Multiple Passwords (Score:1)
kmj
The only reason I keep my ms-dos partition is so I can mount it like the b*tch it is.
340$ user/year? Ha! (Score:1)
What the heck is going on that makes the help desk cost that much to fix a password? Come on!
Either someone doesn't know how to estimate, there is _far_ too much bloat in the organization or some wacky combo of both.
In UNIX, doesn't helpdesk just have to:
passwd
give the dummy password to the user? Unless the (l)user loses the password twenty times or more a year, I can't see how password fixing is really a problem. The only thing is things lost because superuser can't remember the password; then you're screwed out of much invested data in the system, but even then, there are quick workarounds.
Clue stick anyone? (I don't want to login NYT, so I haven't read it)
Re:passwords (Score:1)
Of course, if you lose or forget that one password then you're pretty much screwed.
My passwords are all fairly similar... they all come from a common source, but with variances... for example, there's an inside joke I have with a long time friend... Using one of those words, the next word in another language, and a significant number, and capitalization changes I get a new password! Works very well...
Which reminds me.. I'm way over due for a password change..
Guh... (Score:1)
-----
Good use for a PalmPilot (Score:1)
Works great for me...
I'd like to see this bathroom (Score:1)
I'll be going home a little early today because I forgot my bathroom PIN and soiled my pants.
340$ user/year? Ha! - oops (Score:1)
What the heck is going on that makes the help desk cost that much to fix a password? Come on!
Either someone doesn't know how to estimate, there is _far_ too much bloat in the organization or some wacky combo of both.
In UNIX, doesn't helpdesk just have to:
passwd "usr"
"somedummypswd"
"somedummypswd"
give the dummy password to the user? Unless the (l)user loses the password twenty times or more a year, I can't see how password fixing is really a problem. The only thing is things lost because superuser can't remember the password; then you're screwed out of much invested data in the system, but even then, there are quick workarounds.
Clue stick anyone? (I don't want to login NYT, so I haven't read it)
I forgot my password but my program remembers it.. (Score:1)
To get those hidden passwords (******) that you have forgotten, but your programs remember, try
Revelation http://www.snadboy.com/Revelation.shtml [snadboy.com]
It's an invaluable tool, I use it all the time.
Ok, so telling your program to remember your password isn't very secure... but that's your discretion.
Uh, huh... (Score:2)
And the other 90% are made up by consulting firms looking to court SSO (single-sign-on) product companies......
Let's look at the numbers, shall we? Let's say we work for a company that has 70,000 (I have one in mind) employees that use computer systems and have at least one password.
Let's also assume that the helpdesk function at this company spends a 50/50 ratio on personnel and equipment for help desk functions, and the median help desk person gets $40k per year (which is actually high to account for HR costs and benefits).
Lets do some math:
70,000 employees x $340 = $23,800,000
1/2 half of that is $1,190,000. At the median salary of $40k per year, that means that the helpdesk for this company has 297 1/2 people doing nothing but password recovery functions every year. I know for a fact that this is not true.
Now, not having read the article (I refuse to register to news sites), I'm sure that they figure things in such as lost productivity, research time, and so on. But I sincerely doubt that the actual costs are even approaching what Gartner gives.
You should take these things with a grain of salt. Different environments have different costs associated with password management. A large mainframe-based company can handle thousands of users with a very small staff for password functions. A loosely networked company, where everyone has Administrator on his NT box, and 15 servers to log into, will have higher costs. A large company will have smaller costs per capita than a mid-sized company.
jf
Re:Someone Wanna Grab that Palm Pilot? (Score:1)
pilot call cipher. It uses IDEA (128 bit keys).
I use it to encrypt passwords on my pilot
Re:Good use for a PalmPilot (Score:1)
Keep it locked up with a combination lock.
DOH! a number to remember!
It's a vicious circle!
cypherpunk/cypherpunk works (Score:1)
Re:Someone Wanna Grab that Palm Pilot? (Score:1)
It's almost impossible to protect yourself from your own stupidity. If you put your passwords in your pilot, just be sure to recognize its value and don't leave it in the back of a taxi.
Biometrics the answer? (Score:1)
If I could simply get a retinal scan to log into my computer, the need to password protect much of its content would be a great deal less.
- Raider
Re:340$ user/year? Ha! (Score:1)
Nice way to remember multiple passwords (Score:1)
I.e.: n7tgn7kr7T
That way, when you forget a password, you have a very limited number of things to try. I've done this and found it very useful when I forget which password I gave some web service eight months ago.
(I do use a different theme.)
Re:Nice way to remember multiple passwords (Score:1)
By the dawn's early light
Btd'el!
or
Bill Clinton has 15 interns under his desk!
BCh15iuhd!
Then it just becomes a question of which is which.
(Damn, did I bash Bill Clinton or Bill Gates in my foobar login? Or did I use the same line as on goober? Or do I still even have a goober account?)
That's where the earlier suggestions (ie one high-security, one medium security, and one low-security (e.g. slashdot/nytimes/etc) password). I actually use three or four, but along the same lines. Of course, I suppose I should change them at some point....
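The rule the two posts above describe (keep the first letter of each word, keep a number whole, keep punctuation such as the apostrophe in "dawn's", and end with "!") is a mechanical transform, so it can be written down once and applied to any sentence. This is an added example, not code from either poster; the function name `mnemonic` and the rule that the "!" is appended only when the sentence does not already end in punctuation are assumptions made so that both of the posted pairs come out exactly as written. The strength of a password built this way rests entirely on the sentence being something nobody else would associate with you, since the transform itself is public.

```python
import string


def mnemonic(sentence: str, suffix: str = "!") -> str:
    """Turn a memorable sentence into a password the way the thread describes.

    Rules (assumed from the two posted examples):
      - a purely numeric word is kept whole ("15" -> "15")
      - any other word contributes its first character plus any punctuation
        found later in the word ("dawn's" -> "d'", "desk!" -> "d!")
      - a suffix is appended unless the result already ends in punctuation
    """
    pieces = []
    for word in sentence.split():
        if word.isdigit():
            pieces.append(word)
            continue
        punct = "".join(ch for ch in word[1:] if ch in string.punctuation)
        pieces.append(word[0] + punct)
    result = "".join(pieces)
    if result and result[-1] not in string.punctuation:
        result += suffix
    return result


def classes_present(pw: str) -> int:
    """Count character classes (lower, upper, digit, punctuation) a password spans.

    Useful for checking a mnemonic against the mixed-case/digit rules that the
    thread complains about before trying it on a site.
    """
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(check(ch) for ch in pw) for check in checks)


if __name__ == "__main__":
    # The two sentences quoted in the thread, plus one constructed sample.
    for line in ("By the dawn's early light",
                 "Bill Clinton has 15 interns under his desk!",
                 "My first car cost 900 dollars, and it showed"):
        pw = mnemonic(line)
        print(f"{line!r:50} -> {pw!r} classes={classes_present(pw)}")
```

The second helper only reports which character classes the result spans; the poster's real problem, remembering which sentence went with which account, is not something a transform can solve, which is why the reply falls back on the three-tier scheme.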
Re:Uh, huh... (Score:2)
You may notice that MY numbers were just as arbitrary and meaningless...
jf
Re:Closed source (Score:1)
How many "hail linus's" must I say?
Actually it's the only one I knew of, therefore I had to use it instead of another, better, open-sourced one.
Re: (Score:1)
My solution! (Score:1)
The encrypted passwords:
ql69$!amzsefb -> OBLzco1HA9QN2
ql69$!anzsefb ->
To me that gives good variance so it would be tough for password crackers.
If you have no choice about some passwords you should use a VERY secure password database. I don't personally use password databases, but it's better to have a backup than to be locked out of your accounts.
---------------------------
^_^ smile death approaches.
Re:Open source program (Score:1)
Re:passwords (Score:2)
Wish there was a Linux port of this that I could use at home, it is pretty useful.
Someone Wanna Grab that Palm Pilot? (Score:1)
I ain't got one (yet) so I've got to ask... How secure is that? Can you get PGP for the Palm? Seems to me he leaves his Palm Pilot on the seat of a taxi or on a restaurant table and he is going to be hating life very mucho a lot and a half.
Why bother? (Score:1)
Re:passwords (Score:1)
I'm still not certain of its security, but it's a start.
Why Don't We Make A Slashdot NYT Account? (Score:1)
Just an idea.
Plankeye
Re:Someone Wanna Grab that Palm Pilot? (Score:1)
Nope, there is a small utility for the palm called "Secret!", which does all this. It keeps all the stuff stored, encrypting it with TripleDES (yes, it's not that secure).
It even has a TAN-Mode (for those of you into homebanking).
Neat, I keep all my passwords (and the root-passwords of our customers' machines) stored in it.
Doing this is also quite a reminder to not forget your Palm anywhere ;-)
Ralph
Re:340$ user/year? Ha! (Score:2)
Don't forget about desktop and laptop passwords, which aren't always easy to circumvent, and often require a call to the manufacturer's tech line and some sort of ID before you can get the magic incantation. Beyond that, you have password-protected applications, Office documents, db accounts, PGP, etc. which all require varying degrees of knowledge and/or hassle to bypass, or are so difficult to bypass that it isn't worth the effort required, thereby making the protected property, real or intellectual, worthless for all intents and purposes.
Then there are PDAs, door lock PINs, secure filing cabinet PINs, ATMs, etc.
The use of password protection has proliferated beyond our ability to manage it, and it's not always cheap to bypass the protection.
Re:Uh, huh... (Score:1)
>70,000 employees x $340 = $23,800,000
>1/2 half of that is $1,190,000.
um.... (no further commenting needed.)
Re:Hmmm... (Score:1)
And the NYT is much more interesting than most papers, unless your version of interesting is heavy on sports, sensationalism and/or local news.
Re:Personal Certificates are the answer! (Score:1)
Re:M$'s solution to this problem (Score:1)
Can you imagine the money you could make selling information on what products a person buys, if you know that person logs all exchanges through you? I think I can handle the burden of retyping my credit card number each time I use a different business.
An open source standard wouldn't do anything. This is pure capitalism.
RrrrrrOFL! (Score:1)
Re:Uh, huh... (Score:1)
Re:Uh, huh... (Score:1)
And for a volume discount, I'll personally rap lusers upside the head when they reach $3,000 or more in charges.
/m
Irony (Score:1)
Is anyone else catching the irony, here? NYT is just adding to a vicious circle by requiring people like me, who don't have an NYT password, to *gasp* register for an NYT password!!!
I remember an article on /. a few weeks back. The NYT had an article on Online Privacy, but you had to register to read it. Now that's ironic.
Just waiting for MacOS 9's keychain. Lets you store all your various passwords in one, tightly encrypted and portable keychain which you can unlock with one master password. Just hope MacOS 9's voice recognition passwords carry through to keychain!
The problems with passwords... (Score:1)
On top of that, the real problem is not people getting into a system with passwords. The real security problem is the idiot things people can do while logged in as a high security user. It's amazing what they do. Many people, mostly experienced techs (with high privileges on the system), login outside the firewall and the security features therein, and access high risk sites (not pr0n but warez and other sites due to high access speeds). Therefore, the password security and access standards don't need to be revised, the user's intelligence does.
Passwords... (Score:1)
Garbage, secure ID, and biometrics (Score:1)
I've also seen secure ID badges too.
What we really need is biometrics everywhere.