Tilted Forum Project Discussion Community  

Old 04-20-2004, 03:26 AM   #1 (permalink)
Junkie
 
Passwords, Security and Common Sense

First, here's the story that prompted this thread...

Quote:
Passwords revealed by sweet deal

More than 70% of people would reveal their computer password in exchange for a bar of chocolate, a survey has found.

It also showed that 34% of respondents volunteered their password when asked without even needing to be bribed.

A second survey found that 79% of people unwittingly gave away information that could be used to steal their identity when questioned.

Security firms predict that the lax security practices will fuel a British boom in online identity theft.

Security shock

The survey on passwords was carried out for the Infosecurity Europe trade show due to take place at Olympia in London from 27-29 April.

The survey data was gathered by questioning commuters passing through Liverpool Street station in London and found that many were happy to share login and password information with those carrying out the research.


As well as people simply telling the questioners their passwords or saying they would hand them over in exchange for some confectionery, a further 34% revealed the word or phrase they used when asked if it had anything to do with a pet or child's name.

Family names, pets and football teams were all used by those questioned to provide inspiration for a password.

The survey found that, on average, people have to remember four passwords, though one unlucky respondent had to remember 40.

Many adopt very unsafe tactics to remember these login names. Some of those questioned simply use the same password for every system they must log on to.

Those that used several passwords often wrote them down and hid them in a desk or in a document on their computer.

Almost all of those questioned, 80%, said they were fed up with passwords and would like a way to login to work computer systems.

Stolen goods

A separate survey carried out for RSA Security found further evidence of the lax password and security habits of Britons.

It found that many people volunteered important personal information, such as their mother's maiden name or their own date of birth, when questioned during a street survey.

Such information is coveted by identity thieves as these facts are often used by sites as security checks.

The RSA survey found that maintaining online identities is becoming a burden for many people who, on average, use 20 sites that require them to register and then log on afterwards.

To make these different online personas easy to manage, two-thirds use the same password for all the different sites.

Of those questioned 33% said they shared passwords or wrote them down to make it easy to remember which one to use on which website.

"We are amazed at the level of ignorance from consumers on the need to protect their online identity," said Tim Pickard, spokesman for RSA Security.

Tony Neate, from the National Hi-Tech Crime Unit, said the British economy loses millions of pounds a year as a result of identity fraud.

"This can only increase if people do not become more aware of their responsibilities to protect their virtual identities," he said.

REF: http://news.bbc.co.uk/2/hi/technology/3639679.stm

I recently ran a project for a very large company implementing a "strong complex password policy". We had to manage the update of over 50,000 accounts over a period of five days. Introducing such a policy (long passwords, with a mixture of lower case, upper case, numerical and extended characters and no dictionary words) greatly increases the security. I can't really go into too much more detail, but suffice it to say that mitigating security vulnerabilities forms a fundamental part of my job.

So, this coupled with the story above, got me to wondering about my fellow TFPers.

Would YOU share your password like those discussed above?

Do YOU have a secure password?

Do YOU use a dictionary word for a password?

Has one of YOUR passwords ever been compromised?

Do YOU share a password across multiple services?



Mr Mephisto
Mephisto2 is offline  
Old 04-20-2004, 03:54 AM   #2 (permalink)
paranoid
 
Silvy's Avatar
 
Location: The Netherlands
Re: Passwords, Security and Common Sense

First of all, the quote doesn't mention the questions used to derive the statistics, perhaps the answers were interpreted a little 'liberal'.

Now for my answers:
(note: I consider myself a fairly paranoid, fairly competent computer user)

Quote:
Originally posted by Mr Mephisto

Would YOU share your password like those discussed above?
Of course not, someone offering me a bar of chocolate is immediately suspicious (sp?), and would not hear my private password (or phone number for that matter).

Quote:
Originally posted by Mr Mephisto

Do YOU have a secure password?
Yes, several. They are easy to remember for me, but cannot be derived from any information about me.

Quote:
Originally posted by Mr Mephisto

Do YOU use a dictionary word for a password?
Yes, some of my passwords are derived from dictionary words, but resemblance (sp?) decreases with needed security. I.e. the password for my account on my GF's pc is a dictionary word, but on my own PC it only resembles a (different) dictionary word. The root passwords to my servers are not in any way (that I know of) related to any dictionary words, and are all different.

Quote:
Originally posted by Mr Mephisto

Has one of YOUR passwords ever been compromised?
Sadly, yes. I did not get to the bottom of it, but my fileserver was hacked by some scriptkiddie. Apparently an SSH bug was used, and he/she did not 'guess' my password. However the password file could've been read by him/her, and so the passwords in it were compromised.

Quote:
Originally posted by Mr Mephisto

Do YOU share a password across multiple services?
Yes, as I would need about 50 different passwords if I didn't. And writing them down is absolutely out of the question.
But once again, double password use decreases when the service(s) I used it for become more important.
For example, I use (nearly) the same password (and nearly the same usernames) for different file-sharing sites, like fileshack, happy puppy and the like.

Quote:

EXTRA question: Have YOU told anyone a password of yours.
Yes, though I made certain the password was changed (where possible) to something temporary and changed it again whenever it wasn't needed anymore. I used this for sharing dial-up accounts, and sharing files for lack of an alternative.

p.s. I made certain that my SSH daemon is up-to-date since it compromised several passwords, and caused me days of headaches.
__________________
"Do not kill. Do not rape. Do not steal. These are principles which every man of every faith can embrace. "
- Murphy MacManus (Boondock Saints)
Silvy is offline  
Old 04-20-2004, 03:56 AM   #3 (permalink)
Shade
 
Nisses's Avatar
 
Location: Belgium
Would YOU share your password like those discussed above?
Unimportant stuff: with people I've known well and for a long time. Important stuff, never.

Do YOU have a secure password?
Only for really important things. I keep a simpler password for most things.

Do YOU use a dictionary word for a password?
never

Has one of YOUR passwords ever been compromised?
none so far. They didn't care enough to try probably.

Do YOU share a password across multiple services?
Again, for things like forums, yes. Although I use variations each time, like adding numbers, or using a weird keyboard layout.
For other things, alarm settings, passwords to systems, ... never.
__________________
Moderation should be moderately moderated.
Nisses is offline  
Old 04-20-2004, 05:44 AM   #4 (permalink)
Right Now
 
Location: Home
Would YOU share your password like those discussed above? No

Do YOU have a secure password? Yes

Do YOU use a dictionary word for a password? No

Has one of YOUR passwords ever been compromised? No

Do YOU share a password across multiple services? Yes

My passwords are not based on dictionary words, are a minimum of 8 characters and use 3 out of 4 of the category types (lower case letters, caps, numbers and symbols). I try to change my password every 90 days.
Peetster is offline  
Old 04-20-2004, 05:54 AM   #5 (permalink)
I am Winter Born
 
Pragma's Avatar
 
Location: Alexandria, VA
Quote:
Originally posted by Mr Mephisto
Would YOU share your password like those discussed above?
Do YOU have a secure password?
Do YOU use a dictionary word for a password?
Has one of YOUR passwords ever been compromised?
Do YOU share a password across multiple services?
Nope, I wouldn't share my password.
Yes, I have secure passwords (minimum of 14 characters, some are 30+ characters, all using random alphanumeric strings).
Nope, I don't use a dictionary word.
Nope, none of my passwords have been compromised.
Nope, I don't share passwords across systems.

But then again, I'm a network admin/engineer with a huge passion for security, so go figure.
__________________
Eat antimatter, Posleen-boy!
Pragma is offline  
Old 04-20-2004, 06:29 AM   #6 (permalink)
Tilted Cat Head
 
Cynthetiq's Avatar
 
Administrator
Location: Manhattan, NY
bah....

I don't care so much, but no dictionary attacks, some shared passwords, but derivatives of the said passwords. figure them out, maybe, but highly unlikely.
__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.
Cynthetiq is offline  
Old 04-20-2004, 06:35 AM   #7 (permalink)
"Afternoon everybody." "NORM!"
 
Paradise Lost's Avatar
 
Location: Poland, Ohio // Clarion University of PA.
I don't share my passwords, or anything silly like that, but, the sad thing is,
95% of all my Login names for the different services I use, MUDs, E-Mail, etc, all
contain the same exact password, and it's not entirely too hard to guess either,
being a dictionary word, simple, a word used a lot...

If I ever do use new passwords, I always forget them, forget to write them down,
forget where I wrote them down, etc, I'd have to formulate a new system where
every single one of my passwords was complex, yet always the same for everything
I use...
__________________
"Marino could do it."
Paradise Lost is offline  
Old 04-20-2004, 07:24 AM   #8 (permalink)
Psycho
 
Warf Rat's Avatar
 
Location: Philadelphia
I use a common password for almost all logins. I know that's stupid but very few of the systems I use can cause me harm.

However, I did work for several major wall street firms, and everyone had their passwords on the bottom of their keyboards. It's one thing to not be concerned at home, but something different when other people can be harmed.
__________________
A day late, and a dollar short.
Warf Rat is offline  
Old 04-20-2004, 07:31 AM   #9 (permalink)
MSD
The sky calls to us ...
 
MSD's Avatar
 
Super Moderator
Location: CT
I use a few passwords. One is for email, a couple for forums, one is for TFP, a few others for different things.

I've had passwords compromised, but that was in 6th grade

I have a few temporary passwords I'll change to if someone urgently needs to log into something I have.

No dictionary words, no names, and I often get pissed off at the 12-character limit on passwords.
MSD is offline  
Old 04-20-2004, 07:47 AM   #10 (permalink)
Talk nerdy to me
 
God of Thunder's Avatar
 
Location: Flint, MI
Would YOU share your password like those discussed above?

Hell no. My wife doesn't even know my password.

Do YOU have a secure password?

Yes

Do YOU use a dictionary word for a password?

No

Has one of YOUR passwords ever been compromised?

No

Do YOU share a password across multiple services?

Unfortunately, yes. But, as stated above, it is secure.
__________________
I reject your reality, and substitute my own

-- Adam Savage
God of Thunder is offline  
Old 04-20-2004, 09:05 AM   #11 (permalink)
Holy Knight of The Alliance
 
Location: Stormwind, The Eastern Kingdoms, Azeroth
I have many different passwords for many different programs.

One for TFP, 2 different ones for AIM (login then encryption login)

I typically used the same pw for sites that i visit once and only once, because I'm never going to go to them again, and if I do go back to them again, it's easier for me to remember the pw if it's the same. None of my pw's have EVER been from the dictionary.

My e-mail password is different from those as well, and my Win Login PW is different from all the above as well. So that makes at least 5 different pw/user names that I have.
__________________
What do you say to one last showdown?
- Ocelot, Metal Gear Solid 3

The password is "Who are the Patriots?" and "La-Li-Lu-Le-Lo." "La-Li-Lu-Le-Lo." Gotcha.
- The Colonel and Snake, Metal Gear Solid 3
bltzkriegmcanon is offline  
Old 04-20-2004, 09:12 AM   #12 (permalink)
Junkie
 
kutulu's Avatar
 
Quote:
Originally posted by Warf Rat
However, I did work for several major wall street firms, and everyone had their passwords on the bottom of their keyboards. It's one thing to not be concerned at home, but something different when other people can be harmed.
That's classic. It reminds me of our alarm code at my work. So stupid.

Do YOU have a secure password?

Between all of the message boards, job sites, bill payment sites, etc, I have at least 50 sites to log in to.

Do YOU use a dictionary word for a password?

Some of them, yes

Has one of YOUR passwords ever been compromised?

Not to my knowledge

Do YOU share a password across multiple services?

I do for message boards, file swapping, and porn. I'm not worried about someone posing as me on those sites. I use different ones for job sites and paying bills.
kutulu is offline  
Old 04-20-2004, 09:22 AM   #13 (permalink)
Junkie
 
I have three passwords that I use on the internet. The one I use for TFP is probably the least secure, but the other two are very strong. No dictionary words or "password" as my password either. To my knowledge none of my passwords have ever been compromised.
laconic1 is offline  
Old 04-20-2004, 09:51 AM   #14 (permalink)
Banned
 
Location: Massachusetts, USA
Re: Passwords, Security and Common Sense

Quote:
Originally posted by Mr Mephisto
I recently ran a project for a very large company implementing a "strong complex password policy". We had to manage the update of over 50,000 accounts over a period of five days. Introducing such a policy (long passwords, with a mixture of lower case, upper case, numerical and extended characters and no dictionary words) greatly increases the security. I can't really go into too much more detail, but suffice it to say that mitigating security vulnerabilities forms a fundamental part of my job.
So instead of simple passwords, they'll all have them written on a sticky note under their keyboards, or in a desk drawer, or taped to the wall.

I sysadmin for a living. If it's too hard, people will write it down.
denim is offline  
Old 04-20-2004, 11:12 AM   #15 (permalink)
Junkie
 
Re: Re: Passwords, Security and Common Sense

Quote:
Originally posted by denim
So instead of simple passwords, they'll all have them written on a sticky note under their keyboards, or in a desk drawer, or taped to the wall.
Absolutely not.



We use a combination of standard AD based password controls, a layered security model, the use of OTP (One Time Passwords, i.e. SecurID) for access to network resources from remote locations, TACACS, and we are implementing identity based network security, network access based upon security posture, 802.1x and network access at layers 1 and 2 based on inherent network security.


Mr Mephisto
Mephisto2 is offline  
Old 04-20-2004, 11:19 AM   #16 (permalink)
Banned
 
Location: Massachusetts, USA
At some point, if it comes down to the user typing something in, it can be written down. If they don't write down the password they used, they'll write down the next password because who can remember them all? Especially if they're only "one use". In that case, they'd write them all down, to make sure there's no repetition.

I can't say I'm familiar with everything you listed, but one thing I know: if there's a human involved, you've got a weak point.
denim is offline  
Old 04-20-2004, 11:21 AM   #17 (permalink)
Psycho
 
I share my login password with my good friends because it is only used for just that. The only other password people know of mine is for a collective club account. As far as my others, no I would never share them unless I was planning on never using them again. My GF doesn't even know the majority of my passwords.
Aletheia is offline  
Old 04-20-2004, 11:43 AM   #18 (permalink)
Junkie
 
Quote:
Originally posted by denim
At some point, if it comes down to the user typing something in, it can be written down.
Well of course.

But the use of OTP, for example, is considered extremely secure, as your passwords are not only secure (they tend to be a long list of random characters) but also of limited lifetime (usually only valid for 30 to 180 seconds). The aim is to mitigate dictionary attacks, Man in the Middle attacks, sniffing and spoofing.

Additionally, the vast majority of users use a soft version of SecurID so access to the utility to provide the OTP is itself dependent upon successfully authenticating and accessing the user's laptop. Some users still use hard token-generators due to cross-platform requirements. And in both circumstances a PIN is required to generate the OTP.

So, if the user loses their token-generator or laptop, AND they have written the PIN and/or password on it, AND they fail to let Loss Prevention know, then yes... there is a risk.

But you never entirely avoid ALL risks, only mitigate them.


Quote:

If they don't write down the password they used, they'll write down the next password because who can remember them all? Especially if they're only "one use".
They don't only "use one".

Having said that, there's nothing stopping your users from writing down their passwords apart from stringent policies. The biggest risk to an enterprise is not an ear-ring wearing, long-haired 17 year old hacker, but a "trusted" employee. Either they introduce viruses, fail to follow policy, become disgruntled etc.

Quote:

In that case, they'd write them all down, to make sure there's no repetition.
Well, the use of layered security models, role and identity based network security and password control and management utilities prevent this most of the time.

But you also have to remember that "single sign-on" is also a desirable goal for any large enterprise. You don't WANT your users to have to remember many passwords because (as you say) they will write them down. Using a single (or limited number of) passwords means you can control them easier. Relying on passwords alone is the ultimate in stupidity. You need a robust and scalable security architecture and different ways to control access to sensitive information. You should also disassociate simple network and identity authentication from access to particular areas of the network and from data security and encryption.

Quote:

I can't say I'm familiar with everything you listed, but one thing I know: if there's a human involved, you've got a weak point.

When has it ever been different?



Mr Mephisto
Mephisto2 is offline  
Old 04-20-2004, 01:08 PM   #19 (permalink)
Banned
 
Location: Massachusetts, USA
Quote:
Originally posted by Mr Mephisto

Having said that, there's nothing stopping your users from writing down their passwords apart from stringent policies. The biggest risk to an enterprise is not an ear-ring wearing, long-haired 17 year old hacker, but a "trusted" employee. Either they introduce viruses, fail to follow policy, become disgruntled etc.
Yes. The biggest potential risk is that a trusted insider, such as you or I, goes bad. Good thing we have no intention of doing such an act.


Quote:

But you also have to remember that "single sign-on" is also a desirable goal for any large enterprise.
Yes, and we've implemented it here.



Quote:
When has it ever been different?
Never. That's why it's such a strong argument. The best protection is to keep the trusted insiders happy and employed.
denim is offline  
Old 04-20-2004, 02:10 PM   #20 (permalink)
Who knows what evil lurks in the hearts of men?
 
Speed_Gibson's Avatar
 
Location: right here of course
Quote:
Would YOU share your password like those discussed above?
Hell no, you couldn't pay me for it

Quote:
Do YOU have a secure password?
characters common to many of my passwords: _ , #, &, nonstandard spellings or things like 'fuc#_#ff'

Quote:
Do YOU use a dictionary word for a password?
hell no again. A great deal of my passwords are based on unique characters and ships from my sci-fi story or the actual names. If I ever write it to a point where it is published, many of them will have to be changed if still in use.

Quote:
Has one of YOUR passwords ever been compromised?
no

Quote:
Do YOU share a password across multiple services?
across my intranet systems yes. I have a list of five or six difficult common passwords on the internet as well as some that are only used for one site (like this site for instance, where I have to look it up on my paper with passwords if I have to enter it manually)

security has always been a concern of mine though; without my papers with my passwords (which would be difficult but not impossible to locate currently if you were in my apartment and really determined and had enough time to attempt numerous logons) you can not get past the windows/linux logon screens. My server was running win2k server with an active domain and DHCP until I moved here and was forced to downgrade to win2k pro and a workgroup :yuk: with my DSL setup.

edit2: I have been pondering typing out my handwritten password lists and just keeping a copy on my server while destroying the paper.
__________________
Started talking to yourself I see.
Yes, it's the only way I can be certain of an intelligent conversation.

Black Adder

Last edited by Speed_Gibson; 04-20-2004 at 02:23 PM..
Speed_Gibson is offline  
Old 04-20-2004, 02:11 PM   #21 (permalink)
Junkie
 
I think you and I are in agreement denim and should run out and setup a security consultancy start-up!

Mr Mephisto
Mephisto2 is offline  
Old 04-20-2004, 02:54 PM   #22 (permalink)
Tone.
 
shakran's Avatar
 
Quote:
Originally posted by Mr Mephisto
Would YOU share your password like those discussed above?
What kind of chocolate? Seriously, anyone who gives up their password for a bar of chocolate is a moron.

Quote:
Do YOU have a secure password?
yE5


Quote:
Do YOU use a dictionary word for a password?
does the klingon dictionary count? Some of those words make GREAT passwords, especially if no one knows you're into star trek, and especially if you take 2 or 3 of them and combine them randomly to make gibberishy gibberish. I only do that for stuff that I don't particularly care if it gets compromised though (fake yahoo address for spammers, etc)



Quote:
Has one of YOUR passwords ever been compromised?
no, but several of my coworkers' have. Of course, when your password is "password" that tends to happen.



Quote:
Do YOU share a password across multiple services?
nope. Each pw is unique, which is a royal PITA based on how many password protected services I use.
shakran is offline  
Old 04-20-2004, 03:07 PM   #23 (permalink)
on fire
 
animosity's Avatar
 
Location: Atlanta, GA
Would YOU share your password like those discussed above? No

Do YOU have a secure password? Yes

Do YOU use a dictionary word for a password? No

Has one of YOUR passwords ever been compromised? No(though my brother knows my passwords.. but for good reason)

Do YOU share a password across multiple services? Yes( i have 2 passwords & i am comfortable how i use them)

*edit* when i was 15 i came up with a clever way to get peoples hotmail passwords...(when they clicked on my email it would redirect them to a mirror site that my cousin set up and ask them to log back into hotmail) it worked quite well, im not sure why i stopped doing it except i didnt have the need for it.

Last edited by animosity; 04-20-2004 at 03:13 PM..
animosity is offline  
Old 04-20-2004, 03:52 PM   #24 (permalink)
A Real American
 
Holo's Avatar
 
So, this coupled with the story above, got me to wondering about my fellow TFPers.

Would YOU share your password like those discussed above?

for candy-no. For a blowjob with swallow, yes.

Do YOU have a secure password?

not really, but it's just my own box and if you can navigate the clutter that is my filesystem have at it.

Do YOU use a dictionary word for a password?

kinda sorta maybe, but not really

Has one of YOUR passwords ever been compromised?

Not that I know of

Do YOU share a password across multiple services?

only on trusted sites, places I know the owner. Others I use a variant of it or a totally different one
__________________
I happen to like the words "fuck", "cock", "pussy", "tits", "cunt", "twat", "shit" and even "bitch". As long as I am not using them to describe you, don't go telling me whether or not I can/should use them...that is, if you want me to continue refraining from using them to describe you. ~Prince
Holo is offline  
Old 04-20-2004, 03:57 PM   #25 (permalink)
Comment or else!!
 
KellyC's Avatar
 
Location: Home sweet home
Re: Passwords, Security and Common Sense

Quote:
Originally posted by Mr Mephisto

Would YOU share your password like those discussed above?
Do YOU have a secure password?
Do YOU use a dictionary word for a password?
Has one of YOUR passwords ever been compromised?
Do YOU share a password across multiple services?

Mr Mephisto
Only to people I trust..fuck with my online account and WHAM!! I bust a cap on their ass..ok..not literally..but I will throw a fit.

Yes, I do..its *********

Yeah..its from A - Z

No, not that I know of

Sometimes, I'm just too lazy to think up and remember a new password.
__________________
Him: Ok, I have to ask, what do you believe?
Me: Shit happens.
KellyC is offline  
Old 04-20-2004, 03:58 PM   #26 (permalink)
Junkie
 
Quote:
Originally posted by animosity
, im not sure why i stopped doing it except i didnt have the need for it.
How about because it was illegal, immoral and a gross invasion of people's privacy?

Mr Mephisto
Mephisto2 is offline  
Old 04-20-2004, 03:59 PM   #27 (permalink)
Please touch this.
 
Halx's Avatar
 
Owner/Admin
Location: Manhattan
i use 20 character passwords of random numbers and letters... i actually memorize each one that I use for various situations...

then again, I could be lying
__________________
You have found this post informative.
-The Administrator
[Don't Feed The Animals]
Halx is offline  
Old 04-20-2004, 04:22 PM   #28 (permalink)
lonely rolling star
 
sadistikdreams's Avatar
 
Location: Seattle.
Re: Passwords, Security and Common Sense

Would YOU share your password like those discussed above?

Nope.

Do YOU have a secure password?

Yep

Do YOU use a dictionary word for a password?

Nope. It's mixy6405

Has one of YOUR passwords ever been compromised?

D'OH!

Do YOU share a password across multiple services?

Noooooooo.
__________________
"Besides the noble art of getting things done, there is the noble art of leaving things undone.
The wisdom of life consists in the elimination of non-essentials.
"
-Lin Yutang

hearts, by d.a.
sadistikdreams is offline  
Old 04-20-2004, 05:47 PM   #29 (permalink)
Junkie
 
Quote:
Originally posted by Halx
i use 20 character passwords of random numbers and letters... i actually memorize each one that I use for various situations...

then again, I could be lying
You're kidding, right?


Aha, but kidding about which statement?!

I'm guilty myself of using a common password for many websites. It's no big deal if this is compromised.

But for work, and online banking etc, I use a long complex password with a mixture of upper, lower, numeric and extended characters.

For those of you who are interested, a 14char complex password has 94 ^ 14 possibilities. That equates to 4,205,231,901,698,742,834,534,301,696 different passwords.

Using a standard dictionary lookup tool, with a speed of 25M checks per second, this would require approximately ~1.9*10^8 yrs to search an entire dictionary.


Mr Mephisto
Mephisto2 is offline  
Old 04-20-2004, 07:41 PM   #30 (permalink)
Banned
 
Location: Massachusetts, USA
Quote:
Originally posted by Mr Mephisto
I think you and I are in agreement denim and should run out and setup a security consultancy start-up!
Neat!

Actually, I'm a simple sysmangler. A decent system mangler will know about these security issues. A good system mangler would know about all the stuff you posted.
denim is offline  
Old 04-20-2004, 08:26 PM   #31 (permalink)
Banned
 
Quote:
Originally posted by Silvy
First of all, the quote doesn't mention the questions used to derive the statistics, perhaps the answers were interpreted a little 'liberal'.
I don't think the questions matter. People are either willing to give up their passwords, or they're not (short of thumbscrews and torture).

For me, I have several that i use. contains no actual word and has numbers. no way in hell anyone could crack it.
analog is offline  
Old 04-20-2004, 08:41 PM   #32 (permalink)
Junkie
 
Quote:
Originally posted by analog
For me, I have several that i use. contains no actual word and has numbers. no way in hell anyone could crack it.
Well, if it only uses alpha-numeric characters, then there are 61 options for each octet.

If your password is 8 characters long, this means there are 191707312997281 possibilities. Using brute force alone, this could be cracked by a desktop PC in 84.49 days.

Not likely, but far from "no way in hell".

Oh, and this doesn't take into account heuristics and statistical probabilities of the string location within the "database" of possible alternatives.




Mr Mephisto


EDIT: Of course, this time will increase dramatically for each additional character above 8...

Last edited by Mephisto2; 04-20-2004 at 08:47 PM..
Mephisto2 is offline  
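
The keyspace arithmetic in this exchange (94 ^ 14, and 61 symbols over 8 characters) and the composition rules posted earlier in the thread (minimum 8 characters, 3 of 4 categories, no dictionary words) can be worked through with the sketch below, an added example that is not part of any post. The wordlist, sample passwords and function names are constructed for illustration and the guess rate is a parameter; the keyspace figure bounds attacker effort only for a randomly chosen password, which is why the wordlist check is kept separate.

```python
import string

# The four categories named in the thread. string.punctuation has 32 symbols,
# so all four together give the 94 printable characters behind "94 ^ 14".
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Constructed sample wordlist (hypothetical); a real check loads a large one.
WORDLIST = ["password", "chocolate", "liverpool", "dragon"]


def classes_used(password):
    """Return the names of the character categories present in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def alphabet_size(password):
    """Size of the smallest category-based alphabet that covers the password."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def keyspace(alphabet, length):
    """Number of distinct strings of exactly `length` over `alphabet` symbols."""
    return alphabet ** length


def brute_force_days(alphabet, length, guesses_per_second):
    """Worst-case days to try every candidate at a fixed guess rate."""
    return keyspace(alphabet, length) / guesses_per_second / 86400


def find_dictionary_word(password, wordlist, min_word_len=4):
    """Return the first wordlist entry embedded in the password's letters."""
    letters = "".join(c for c in password.lower() if c.isalpha())
    for word in wordlist:
        if len(word) >= min_word_len and word in letters:
            return word
    return None


def check_policy(password, wordlist, min_length=8, min_classes=3):
    """Apply the length / 3-of-4 categories / no-dictionary-word rules."""
    failures = []
    if len(password) < min_length:
        failures.append("shorter than %d characters" % min_length)
    if len(classes_used(password)) < min_classes:
        failures.append("fewer than %d character categories" % min_classes)
    word = find_dictionary_word(password, wordlist)
    if word:
        failures.append("contains dictionary word '%s'" % word)
    return failures


if __name__ == "__main__":
    rate = 25_000_000  # guesses per second: the figure quoted in the thread
    # Constructed sample passwords, not taken from any post.
    for pw in ["Password1!", "x7#Qm2$Lp9", "liverpool"]:
        size = alphabet_size(pw)
        print(pw, check_policy(pw, WORDLIST),
              "keyspace=%d" % keyspace(size, len(pw)),
              "worst case %.3g days" % brute_force_days(size, len(pw), rate))
```

`Password1!` satisfies the length and 3-of-4 rules and has the same nominal keyspace as the random-looking sample, yet the wordlist check flags it, so composition rules and keyspace figures need a dictionary check alongside them.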
Old 05-02-2004, 06:51 AM   #33 (permalink)
Junkie
 
Location: Louisiana
well take yahoo for instance.. yahoo chat.. all you need is a zip, dob, and the answer to the secret question..

in the voice fight rooms.. we take about 30 nicks a day , besides bootin them lol..

it isnt that hard.. info crackin is a synch if you know what you are doin
__________________
It means only one thing, and everything: Cut. Once committed to fight, Cut. Everything else is secondary. Cut. That is your duty, your purpose, your hunger. There is no rule more important, no commitment that overrides that one. Cut. The lines are a portrayal of the dance. Cut from the void, not from bewilderment. Cut the enemy as quickly and directly as possible. Cut with certainty. Cut decisively, resolutely. Cut into his strength. Flow through the gaps in his guard. Cut him. Cut him down utterly. Don't allow him a breath. Crush him. Cut him without mercy to the depth of his spirit. It is the balance to life: death. It is the dance with death. It is the law a war wizard lives by, or he dies.
Drider_it is offline  
Old 05-02-2004, 09:15 AM   #34 (permalink)
H12
I'm not about getting creamed, I'm about winning!
 
H12's Avatar
 
Location: K-Town, TN
Quote:
Originally posted by Mr Mephisto
Would YOU share your password like those discussed above?

Do YOU have a secure password?

Do YOU use a dictionary word for a password?

Has one of YOUR passwords ever been compromised?

Do YOU share a password across multiple services?
No, screw that.

For two of my three main passwords, yes.

Only for one of my passwords.

Not to my knowledge.

I switch between three passwords for all of my online stuff.
__________________
"We are what we repeatedly do. Excellence, therefore, is not an act, but a habit."
--Aristotle
H12 is offline  
Old 05-02-2004, 09:58 AM   #35 (permalink)
WoW or Class...
 
BigGov's Avatar
 
Location: UWW
Would YOU share your password like those discussed above?
Depends, if it's a password for a Yahoo account I don't use and I was really hungry...

Do YOU have a secure password?
For important sites, yes. For sites where there would be no damage if someone got ahold of the password, I just use a simple password I can remember and that no one will probably ever guess.

Do YOU use a dictionary word for a password?
For the simple one, yes.

Has one of YOUR passwords ever been compromised?
Not that I know of.

Do YOU share a password across multiple services?
Yes, but only across things like Hotmail, TFP, Yahoo, etc.
__________________
One day an Englishman, a Scotsman, and an Irishman walked into a pub together. They each bought a pint of Guinness. Just as they were about to enjoy their creamy beverage, three flies landed in each of their pints. The Englishman pushed his beer away in disgust. The Scotsman fished the fly out of his beer and continued drinking it, as if nothing had happened. The Irishman, too, picked the fly out of his drink but then held it out over the beer and yelled "SPIT IT OUT, SPIT IT OUT, YOU BASTARD!"
BigGov is offline  
Old 05-02-2004, 11:22 AM   #36 (permalink)
Ssssssssss
 
Kaos's Avatar
 
Location: Ontario
Would YOU share your password like those discussed above? No. And it would certainly take a hell of a lot more than a chocolate bar to get me to tell. And right after I told, I'd go and change all my passwords immediately.

Do YOU have a secure password? For the important things yes

Do YOU use a dictionary word for a password? Obscure dictionary words, or words that only mean something to me

Has one of YOUR passwords ever been compromised? No

Do YOU share a password across multiple services? Nope
Kaos is offline  
 
