Passwords, Security and Common Sense
 

First, here's the story that prompted this thread...


I recently ran a project for a very large company implementing a "strong complex password policy". We had to manage the update of over 50,000 accounts over a period of five days. Introducing such a policy (long passwords, with a mixture of lower case, upper case, numerical and extended characters and no dictionary words) greatly increases the security. I can't really go into too much more detail, but suffice it to say that mitigating security vulnerabilities forms a fundamental part of my job.

So, this coupled with the story above, got me to wondering about my fellow TFPers.

Would YOU share your password like those discussed above?

Do YOU have a secure password?

Do YOU use a dictionary word for a password?

Has one of YOUR passwords ever been compromised?

Do YOU share a password across multiple services?



Mr Mephisto

Re: Passwords, Security and Common Sense
 

First of all, the quote doesn't mention the questions used to derive the statistics, perhaps the answers were interpreted a little 'liberal'.

Now for my answers:
(note: I consider myself a fairly paranoid, fairly competent computer user)

Of course not, someone offering me a bar of chocolate is immediately suspicious (sp?), and would not hear my private password (or phone number for that matter).

Yes, several. They are easy to remember for me, but cannot be derived from any information about me.

Yes, some of my passwords are derived from dictionary words, but resemblance (sp?) decreases with needed security. I.e. the password for my account on my GF's pc is a dictionary word, but on my own PC it only resembles a (different ;) ) dictionary word. The root passwords to my servers are not in any way (that I know of) related to any dictionary words, and are all different.

Sadly, yes. I did not get to the bottom of it, but my fileserver was hacked by some scriptkiddie. Apparantly a SSH bug was used, and he/she did not 'guess' my password. However the password file could've been read by him/her, and so the passwords in it were compromised.

Yes, as I would need about 50 different passwords if I didn't. And writing them down is absolutely out of the question.
But once again, double password use decreases when the service(s) I used it for become more important.
For example, I use (nearly) the same password (and nearly the same usernames) for different file-sharing sites, like fileshack, happy puppy and the like.

Yes, though I made certain the password was changed (where possible) to something temporary and changed it again whenever it wasn't needed anymore. I used this for sharing dial-up accounts, and sharing files for lack of an alternative.

p.s. I made certain that my SSH daemon is up-to-date since :) as it compromised several passwords, and caused me days of headaches.

Would YOU share your password like those discussed above?
Unimportant stuff: with people I've known well and for a long time. Important stuff, never.

Do YOU have a secure password?
Only for really important things. I keep a simpler password for most things.

Do YOU use a dictionary word for a password?
never

Has one of YOUR passwords ever been compromised?
none so far. They didn't care enough to try probably.

Do YOU share a password across multiple services?
Again, for things like forums, yes. Although I use variations each time, like adding numbers, or using a weird keyboardlayout.
For other things, alarmsettings, passwords to systems, ... never.

Would YOU share your password like those discussed above? No

Do YOU have a secure password? Yes

Do YOU use a dictionary word for a password? No

Has one of YOUR passwords ever been compromised? No

Do YOU share a password across multiple services? Yes

My passwords are not based on dictionary words, are a minimum of 8 characters and use 3 out of 4 of the category types (lower case letters, caps, numbers and symbols). I try to change my password every 90 days.

Nope, I wouldn't share my password.
Yes, I have secure passwords (minimum of 14 characters, some are 30+ characters, all using random alphanumeric strings).
Nope, I don't use a dictionary word.
Nope, none of my passwords have been compromised.
Nope, I don't share passwords across systems.

But then again, I'm a network admin/engineer with a huge passion for security, so go figure.

bah....

I don't care so much, but no dictionary attacks, some shared passwords, but derivatives of the said passwords. figure them out, maybe, but highly unlikely.

I don't share my passwords, or anything silly like that, but, the sad thing is,
95% of all my Login names for the different services I use, MUDs, E-Mail, etc, all
contain the same exact password, and it's not entirely too hard to guess either,
being a dictionary word, simple, a word used alot...

If I ever do use new passwords, I always forget them, forget to write them down,
forget where I wrote them down, etc, I'd have to formulate a new system where
every single one of my passwords was complex, yet always the same for everything
I use...

I use common password for almost all logins. I know that's stupid but very few of systems I use can cause me harm.

However, I did work for several major wall street firms, and everyone had their passwords on the bottom of their keyboards. It's one thing to not be concerned at home, but something different when other people can be harmed.

I use a few passwords. One is for email, a couple for forums, one is for TFP, a few others for different things.

I've had passwords compromised, but that was in 6th grade

I have a few temporary passwords I'll change to if someone urgently needs to log into something I have.

No dictinary words, no names, and I often get pissed off at the 12-character limit on passwords.

Would YOU share your password like those discussed above?

Hell no. My wife doesn't even know my password.

Do YOU have a secure password?

Yes

Do YOU use a dictionary word for a password?

No

Has one of YOUR passwords ever been compromised?

No

Do YOU share a password across multiple services?

Unfortunately, yes. But, as stated above, it is secure.

I have many different passwords for many different programs.

One for TFP, 2 different ones for AIM (login then encryption login)

I typically used the same pw for sites that i visit once and only once, because I'm never going to go to them again, and if I do go back to them again, it's easier for me to remember the pw if it's the same. None of my pw's have EVER been from the dictionary.

My e-mail password is different from those as well, and my Win Login PW is different from all the above as well. So that makes at least 5 different pw/user names that I have.

That's classic. It reminds me of our alarm code at my work. So stupid.

Do YOU have a secure password?

Between all of the message boards, job sites, bill payment sites, etc, I have at least 50 sites to log in to.

Do YOU use a dictionary word for a password?

Some of them, yes

Has one of YOUR passwords ever been compromised?

Not to my knowledge

Do YOU share a password across multiple services?

I do for message boards, file swapping, and porn. I'm not worried about someone posing as me on those sites. I use different ones for job sites and paying bills.

I have three passwords that I use on the internet. The one I use for TFP is probably the least secure, but the other two are very strong. No dictionary words or "password" as my password either. To my knowledge none of my passwords have ever been compromised.

Re: Passwords, Security and Common Sense
 

So instead of simple passwords, they'll all have them written on a sticky note under their keyboards, or in a desk drawer, or taped to the wall.

I sysadmin for a living. If it's too hard, people will write it down.

Re: Re: Passwords, Security and Common Sense
 

Absolutely not.

:)

We use a combination of standard AD based password controls, a layered security model, the use of OTP (One Time Passwords, ie SecureID) for access to network resources from remote locations, TACACS, and we are implementing identity based network security, network access based upon security posture, 802.1x and network access at layers 1 and 2 based on inherent network security.


Mr Mephisto

At some point, if it comes down to the user typing something in, it can be written down. If they don't write down the password they used, they'll write down the next password because who can remember them all? Especially if they're only "one use". In that case, they'd write them all down, to make sure there's no repetition.

I can't say I'm familiar with everything you listed, but one thing I know: if there's a human involved, you've got a weak point.

I share my login password with my good friends because it is only used for just that. The only other password people know of mine is for a collective club account. As far as my others, no I would never share them unless I was planning on never using them again. My GF doesn't even know the majority of my passwords.

Well of course.

But the use of OTP, for example, is considered extremely secure as not only are your passwords secure (they tend to be a long list of random characters) and of limited life-time (usually only valid for 30 to 180 seconds). The aim is to mitigate dictionary attackd, Man in the Middle attacks, sniffing and spoofing.

Additionally, the vast majority of users use a soft version of SecureID so access to the utility to provide the OTP is itself dependent upon successfully authenticating and accessing the user's laptop. Some users still use hard token-generators due to cross-platform requirements. And in both circumstances a PIN is required to generate the OTP.

So, if the user loses their token-generator or laptop, AND they have written the PIN and/or password on it, AND they fail to let Loss Prevention know, then yes... there is a risk.

But you never entirely avoid ALL risks, only mititage them.


They don't only "use one".

Having said that, there's nothing stopping your users from writing down their passwords apart from stringent policies. The biggest risk to an enterprise is not a ear-ring wearing, long-haired 17 year old hacker, but a "trusted" employee. Either they introduce viruses, fail to follow policy, become disgruntled etc.

Well, the use of layered security models, role and identity based network security and password control and management utilities prevent this most of the time.

But you also have to remember that "single sign-on" is also a desireable goal for any large enterprise. You don't WANT your users to have to remember many passwords because (as you say) they will write them down. Using a single (or limited number of) passwords means you can control them easier. Relying on passwords alone is the ultimate in stupidity. You need a robust and scalable security architecture and different ways to control access to sensitive information. You should also dissassociate simple network and identity authentication from access to to particular areas of the network and from data security and encryption.


When has it ever been different?



Mr Mephisto

Yes. The biggest potential risk is that a trusted insider, such as you or I, goes bad. Good thing we have no intention of doing such an act.


Yes, and we've implemented it here.



Never. That's why it's such a strong argument. The best protection is to keep the trusted insiders happy and employed.

Hell no, you couldn't pay me for it

characters common to many of my passwords: _ , #, &, nonstandard spellings or things like 'fuc#_#ff'

hell no again. A great deal of my passwords are based on unique characters and ships from my sci-fi story or the actual names. If I ever write it to a point where it is published, many of them will have to be changed if still in use.

no

across my intranet systems yes. I have a list of five or six difficult common passwords on the internet as well as some that are only used for one site (like this site for instance, where I have to look it up on my paper with passwords if I have to enter it manually)

security has always been a concern of mine though; without my papers with my passwords (which would be difficult but not impossible to locate currently if you were in my apartment and really determined and had enough time to attempt numerous logons) you can not get past the windows/linux logon screens. My server was running win2k server with an active domain and DHCP until I moved here and was forced to downgrade to win2k pro and a workgroup :yuk: with my DSL setup.

edit2: I have been pondering typing out my handwritten password lists and just keeping a copy on my server while destroying the paper.

I think you and I are in agreement denim and should run out and setup a security consultancy start-up!

Mr Mephisto

What kind of chocolate? :D Seriously, anyone who gives up their password for a bar of chocolate is a moron.

yE5


does the klingon dictionary count? Some of those words make GREAT passwords, especially if no one knows you're into star trek, and especially if you take 2 or 3 of them and combine them randomly to make gibberishy gibberish. I only do that for stuff that I don't particularly care if it gets compromised though (fake yahoo address for spammers, etc)



no, but several of my coworkers' have. Of course, when your password is "password" that tends to happen.



nope. Each pw is unique, which is a royal PITA based on how many password protected services I use.

Would YOU share your password like those discussed above? No

Do YOU have a secure password? Yes

Do YOU use a dictionary word for a password? No

Has one of YOUR passwords ever been compromised? No(though my brother knows my passwords.. but for good reason)

Do YOU share a password across multiple services? Yes( i have 2 passwords & i am comfortable how i use them)

*edit* when i was 15 i came up with a clever way to get peoples hotmail passwords...(when they clicked on my email it would redirect them to a mirror site that my cousin set up and ask them to log back into hotmail) it worked quite well, im not sure why i stopped doing it except i didnt have the need for it.

So, this coupled with the story above, got me to wondering about my fellow TFPers.

Would YOU share your password like those discussed above?

for candy-no. For a blowjob with swallow, yes.

Do YOU have a secure password?

not really, but it's just my own box and if you can navigate the clutter that is my filesystem have at it.

Do YOU use a dictionary word for a password?

kinda sorta maybe, but not really

Has one of YOUR passwords ever been compromised?

Not that I know of

Do YOU share a password across multiple services?

only on trusted sites, places I know the owner. Others I use a variant of it or a totally different one

Re: Passwords, Security and Common Sense
 

Only to people I trust..fuck with my online account and WHAM!! I bust a cap on their ass..ok..not literally..but I will throw a fit.

Yes, I do..its *********

Yeah..its from A - Z

No, not that I know of

Sometimes, I'm just too lazy to think up and remember a new password.

How about it because it was illegal, immoral and a gross invasion of people's privacy?

Mr Mephisto

i use 20 character passwords of random numbers and letters... i actually memorize each one that I use for various situations...

then again, I could be lying

Re: Passwords, Security and Common Sense
 

Would YOU share your password like those discussed above?

Nope.

Do YOU have a secure password?

Yep

Do YOU use a dictionary word for a password?

Nope. It's mixy6405

Has one of YOUR passwords ever been compromised?

D'OH!

Do YOU share a password across multiple services?

Noooooooo.

You're kidding, right?


Aha, but kidding about which statement?! :)

I'm guilty myself of using a common password for many websites. It's no big deal if this is compromised.

But for work, and online banking etc, I use a long complex password with a mixture of upper, lower, numeric and extended characters.

For those of you who are interested, a 14char complex password has 94 ^ 14 possibilities. That equates to 4,205,231,901,698,742,834,534,301,696 different passwords.

Using a standard dictionary lookup tool, with a speed of 25M checks per second, this would require approximately ~1.9*108yrs to search an entire dictionary.


Mr Mephisto

Neat!

Actually, I'm a simple sysmangler. A decent system mangler will know about these security issues. A good system mangler would know about all the stuff you posted.

I don't think the questions matter. People are either willign to give up their passwords, or they're not (short of thumbscrews and torture).

For me, I have several that i use. contains no actual word and has numbers. no way in hell anyone could crack it.

Well, if it only uses alpha-numeric characters, then there are 61 options for each octet.

If your password is 8 characters long, this means there are 191707312997281 possibilities. Using brute force alone, this could be cracked by a desktop PC in 84.49 days.

Not likely, but far from "no way in hell".

Oh, and this doesn't take into account heuristics and statistical probabilities of the string location within the "database" of possible alternatives.

:)


Mr Mephisto


EDIT: Of course, this time will increase dramatically for each additional character above 8...

well take yahoo for instance.. yahoo chat.. all you need is a zip, dob, and the answer to the secret question..

in the voice fight rooms.. we take about 30 nicks a day , besides bootin them lol..

it isnt that hard.. info crackin is a synch if you know what you are doin

No, screw that.

For two of my three main passwords, yes.

Only for one of my passwords.

Not to my knowledge.

I switch between three passwords for all of my online stuff.

Would YOU share your password like those discussed above?
Depends, if it's a password for a Yahoo account I don't use and I was really hungry...

Do YOU have a secure password?
For important sites, yes. For sites where there would be no damage if someone got ahold of the password, I just use a simple password I can remember and that no one will probably ever guess.

Do YOU use a dictionary word for a password?
For the simple one, yes.

Has one of YOUR passwords ever been compromised?
Not that I know of.

Do YOU share a password across multiple services?
Yes, but only across things like Hotmail, TFP, Yahoo, etc.

Would YOU share your password like those discussed above? No. And it would certainly take a hell of a lot more than a chocolate bar to get me to tell. And right after I told, I'd go and change all my passwords immediately.

Do YOU have a secure password? For the important things yes

Do YOU use a dictionary word for a password? Obscure dictionary words, or words that ony mean something to me

Has one of YOUR passwords ever been compromised? No

Do YOU share a password across multiple services? Nope