Kill The Password

Megalith, 24-bit/48kHz, Staff member. Joined Aug 20, 2006. Messages: 13,000.
I guess the author has a point when it comes to passwords being useless if there’s a breach. But he also seems to be complaining about trivial things that could be solved with password managers such as KeePass.

The static password sitting in a database is perhaps the dumbest idea anyone ever came up with for security. As soon as a resourceful (or even not terribly bright) hacker finds his or her way into the database, as we’ve learned time and time again, the passwords are sitting there for the taking, a giant treasure chest, a hacker’s wet dream.
 
But he also seems to be complaining about trivial things that could be solved with password managers such as KeePass.

Problem is 99 percent of people are not techies and aren't gonna use such tools.
 
KeePass is probably safer than an online version, but I assume if someone had a hack, they'd then try to figure out a way to remotely infiltrate PCs and then look for KeePass. I'm not a security guy, so I don't know how likely that type of attack is. I think it'd depend on how many use KeePass.
 
I guess the author has a point when it comes to passwords being useless if there’s a breach. But he also seems to be complaining about trivial things that could be solved with password managers such as KeePass.

The static password sitting in a database is perhaps the dumbest idea anyone ever came up with for security. As soon as a resourceful (or even not terribly bright) hacker finds his or her way into the database, as we’ve learned time and time again, the passwords are sitting there for the taking, a giant treasure chest, a hacker’s wet dream.

Another trash article about passwords written by a moron. Don't even have to click it to know how wrong he is.
 
You would have to break the hashing of the passwords once you got access to them? Is this assuming passwords are stored as plain text? I'm sure some are, but not all of them.
 
Another trash article about passwords written by a moron. Don't even have to click it to know how wrong he is.

Try dealing with passwords as an IT person. The average user is not going to know how to use a password manager and no matter how much you tell them not to, they will continue to use bad passwords.

It is well past time for passwords to go in favor of *something* that is easier and more secure like smart cards.
 
I don't think the password has to go to use smart cards. It's probably better to have both. Hell, with a smart card, you can even keep the password to just one that you don't need to change.
 
Try dealing with passwords as an IT person. The average user is not going to know how to use a password manager and no matter how much you tell them not to, they will continue to use bad passwords.

It is well past time for passwords to go in favor of *something* that is easier and more secure like smart cards.

I am an IT person and I teach security to end users. I figured out how to teach people how to create easy-to-memorize and secure passwords years ago. It mostly requires IT people like yourself to admit we've done it wrong for decades and that our policies are what needs to change. As of right now there is no other security means on the market that is anywhere near as secure and affordable as properly taught passwords.

The short and easy is, if your policy resembles anything like "must contain 8-12 characters with at least one capital, a number and/or symbol", that policy is exactly everything that is wrong.
 
I actually agree that most passwords need to go. Why not, when you log in to [H] or elsewhere just use your email address? Then [H] sends you a verification code or link via email or SMS which you type in or click. So the only password you have to remember is the one on your email account.
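The login flow this post sketches (e-mail address in, a one-time code or link out), as an added example that is not part of the thread: a Go sketch of the server side. The token is random, stored only as a hash, expires, and works exactly once, so a dump of the pending-logins table yields nothing redeemable. The type and function names, the ten-minute lifetime and the addresses are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

var (
	ErrInvalidToken = errors.New("unknown or malformed token")
	ErrTokenUsed    = errors.New("token already redeemed")
	ErrTokenExpired = errors.New("token expired")
)

// TokenLifetime is a constructed value for this example.
const TokenLifetime = 10 * time.Minute

// pendingLogin is the server-side record. It is keyed by sha256(token), so a
// dump of this table does not contain anything that can be pasted into a link.
type pendingLogin struct {
	email   string
	expires time.Time
	used    bool
}

// LoginService issues and redeems single-use e-mail login tokens.
// Now is injectable so expiry can be exercised without sleeping.
type LoginService struct {
	Now     func() time.Time
	pending map[[32]byte]*pendingLogin
}

func NewLoginService() *LoginService {
	return &LoginService{Now: time.Now, pending: map[[32]byte]*pendingLogin{}}
}

// Issue creates a token for the given address. The returned string is what
// goes into the e-mail; only its SHA-256 hash is kept on the server.
func (s *LoginService) Issue(email string) (string, error) {
	raw := make([]byte, 32) // 256 random bits: not guessable, so no lockout logic needed
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.pending[sha256.Sum256([]byte(token))] = &pendingLogin{
		email:   email,
		expires: s.Now().Add(TokenLifetime),
	}
	return token, nil
}

// Redeem validates a token presented by the user and returns the e-mail
// address it proves control of. Each token works once and only before expiry.
func (s *LoginService) Redeem(token string) (string, error) {
	p, ok := s.pending[sha256.Sum256([]byte(token))]
	if !ok {
		return "", ErrInvalidToken
	}
	if p.used {
		return "", ErrTokenUsed
	}
	if s.Now().After(p.expires) {
		return "", ErrTokenExpired
	}
	p.used = true
	return p.email, nil
}

func main() {
	svc := NewLoginService()
	token, _ := svc.Issue("user@example.com") // constructed address
	fmt.Println("link would carry:", token)
	email, err := svc.Redeem(token)
	fmt.Println("first redeem:", email, err)
	_, err = svc.Redeem(token)
	fmt.Println("second redeem:", err)
}
```

The second call to Redeem fails with ErrTokenUsed, and presenting the stored hash itself fails with ErrInvalidToken because the server hashes whatever it receives before the lookup.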
 
I am an IT person and I teach security to end users. I figured out how to teach people how to create easy-to-memorize and secure passwords years ago. It mostly requires IT people like yourself to admit we've done it wrong for decades and that our policies are what needs to change. As of right now there is no other security means on the market that is anywhere near as secure and affordable as properly taught passwords.

The short and easy is, if your policy resembles anything like "must contain 8-12 characters with at least one capital, a number and/or symbol", that policy is exactly everything that is wrong.

I usually prefer pass phrases.

However, most modern programmers are mental midgets that couldn't program a VCR let alone a website. You wouldn't believe how many websites (especially banks, who must hire a special kind of moron since that is the one account you want to keep the most secure) make asinine requirements like you have to have between exactly 6 and 8 characters or you must have 1 letter and one number but no special characters allowed.
 
I usually prefer pass phrases.

However, most modern programmers are mental midgets that couldn't program a VCR let alone a website. You wouldn't believe how many websites (especially banks, who must hire a special kind of moron since that is the one account you want to keep the most secure) make asinine requirements like you have to have between exactly 6 and 8 characters or you must have 1 letter and one number but no special characters allowed.

Correct, pass phrases, which are really just an evolution of the password. They are bar none the most secure and easy to remember things. The problem in this case, as you verified in this post, isn't the end user. It's the idiot admin sticking to outdated policies that were bad to begin with.
 
If a system is breached and the ID database accessed, it doesn't really matter if it is bits representing text passwords or bits representing a DNA scan. The bad guys have valid data streams to feed back into the authentication system. Rather than worrying about how the authentication bits are generated, it is far better to secure the database in the first place.
 
I usually prefer pass phrases.

However, most modern programmers are mental midgets that couldn't program a VCR let alone a website. You wouldn't believe how many websites (especially banks, who must hire a special kind of moron since that is the one account you want to keep the most secure) make asinine requirements like you have to have between exactly 6 and 8 characters or you must have 1 letter and one number but no special characters allowed.

It's not often the programmer that decides those silly things. Stupid password requirements are generally handed down from some pinhead at the top who thinks things like "all my passwords are 6 characters long and don't have punctuation, so that should work for everyone".
 
So basically, "I have no idea how any of this really works, but I can't understand why smart people haven't fixed it yet." Such brilliant analysis.
 
That's why no decent server contains a password list but a list of salted hashes of said passwords.
If a server is breached, no password can be retrieved.
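What "a list of salted hashes" looks like in practice, as an added example that is not taken from the thread: a per-user random salt, a slow key-derivation function and a constant-time comparison, in Go. PBKDF2-HMAC-SHA256 is implemented inline here only because the standard library lacks it (an assumption of this example; golang.org/x/crypto provides pbkdf2, scrypt and argon2 for real use); the iteration count and the passwords are constructed values.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Iterations is the PBKDF2 work factor. Constructed value for this example;
// real deployments tune it to the login latency they can afford.
const Iterations = 100_000

// pbkdf2SHA256 derives one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018).
// Written inline because the standard library has no PBKDF2; in practice you
// would import golang.org/x/crypto/pbkdf2, argon2 or scrypt instead.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(i) for block index 1, big-endian
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// StoredCredential is all the server keeps per user. The password itself is absent.
type StoredCredential struct {
	Salt       []byte
	Iterations int
	Hash       []byte
}

// NewCredential draws a fresh random salt per user, so two users with the same
// password get unrelated hashes and a precomputed table is useless against a dump.
func NewCredential(password string) (StoredCredential, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredCredential{}, err
	}
	return StoredCredential{
		Salt:       salt,
		Iterations: Iterations,
		Hash:       pbkdf2SHA256([]byte(password), salt, Iterations),
	}, nil
}

// Verify recomputes the hash with the stored salt and compares in constant time.
func (c StoredCredential) Verify(password string) bool {
	candidate := pbkdf2SHA256([]byte(password), c.Salt, c.Iterations)
	return subtle.ConstantTimeCompare(candidate, c.Hash) == 1
}

func main() {
	// Two users who happen to pick the same (constructed) password.
	alice, _ := NewCredential("correct horse battery staple")
	bob, _ := NewCredential("correct horse battery staple")
	fmt.Println("alice:", hex.EncodeToString(alice.Salt), hex.EncodeToString(alice.Hash))
	fmt.Println("bob:  ", hex.EncodeToString(bob.Salt), hex.EncodeToString(bob.Hash))
	fmt.Println("identical hashes?", bytes.Equal(alice.Hash, bob.Hash))
	fmt.Println("alice, right password:", alice.Verify("correct horse battery staple"))
	fmt.Println("alice, wrong password:", alice.Verify("correct horse battery stable"))
}
```

A leaked StoredCredential gives an attacker a salt and a hash to grind against at Iterations cost per guess, not a password to replay; the salt is what stops one rainbow table from covering every user at once.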
 
I think a "hackers wet dream" would be more like a young Angelina Jolie, on top, riding the hacker. :D

Hacking a database? That's just a job.
 
If a system is breached and the ID database accessed, it doesn't really matter if it is bits representing text passwords or bits representing a DNA scan. The bad guys have valid data streams to feed back into the authentication system. Rather than worrying about how the authentication bits are generated, it is far better to secure the database in the first place.

Exactly. No need to even open the shitty article. I know I didn't.
 
I am an IT person and I teach security to end users. I figured out how to teach people how to create easy-to-memorize and secure passwords years ago. It mostly requires IT people like yourself to admit we've done it wrong for decades and that our policies are what needs to change. As of right now there is no other security means on the market that is anywhere near as secure and affordable as properly taught passwords.

The short and easy is, if your policy resembles anything like "must contain 8-12 characters with at least one capital, a number and/or symbol", that policy is exactly everything that is wrong.

It's not often the programmer that decides those silly things. Stupid password requirements are generally handed down from some pinhead at the top who thinks things like "all my passwords are 6 characters long and don't have punctuation, so that should work for everyone".

Hey that means my institution is great and winning at life right?

I mean these are the rules for passwords:

-8 to 12 characters
-Must contain a #
-Must contain a special char
-Must contain upper and lower case
-Must not be a repeat of a password previously ever used by the user
-Must not contain more than 3-consecutive characters used by the user in any previous password

I think I'm forgetting a few. You don't want to know what the "I Forgot My Password" submission rate is...
 
I usually prefer pass phrases.

However, most modern programmers are mental midgets that couldn't program a VCR let alone a website. You wouldn't believe how many websites (especially banks, who must hire a special kind of moron since that is the one account you want to keep the most secure) make asinine requirements like you have to have between exactly 6 and 8 characters or you must have 1 letter and one number but no special characters allowed.

THIS. It is getting better, but I'm shocked at how some bank/CC sites require weak passwords.

I will say that while pass phrases are nice, I still think something like KeePass with a strong password/phrase is better. When allowed, I generate passwords that are over 200 bits. If sites allowed it, I'd use control characters.
 
Another trash article about passwords written by a moron. Don't even have to click it to know how wrong he is.

I will confirm the wisdom of your strategy. Useless click bait by a moron.
 
Hey that means my institution is great and winning at life right?

I mean these are the rules for passwords:

-8 to 12 characters
-Must contain a #
-Must contain a special char
-Must contain upper and lower case
-Must not be a repeat of a password previously ever used by the user
-Must not contain more than 3-consecutive characters used by the user in any previous password

I think I'm forgetting a few. You don't want to know what the "I Forgot My Password" submission rate is...

Read what I wrote. I specifically pointed out that that policy is flawed and the reason passwords are a problem. What I teach is for admins and end users to adopt policies that encourage password phrasing and don't accept random combinations of numbers and letters. From a security standpoint, a 30 character phrase is infinitely more secure and easier to remember than a 12 character randomized number letter symbol password. People can easily memorize phrases.
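The search-space arithmetic behind comparing a random 12-character password with a multi-word phrase, as an added example that is not from any poster in the thread: the bits of entropy depend on what an attacker has to enumerate (every character, or whole words from a list) and on how much key stretching the server applies per guess. The guess rate, word-list size and iteration count below are constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
)

// Alphabet and word-list sizes used below.
const (
	PrintableASCII = 94   // characters typeable on a US keyboard
	DicewareWords  = 7776 // size of the classic Diceware list (6^5)
)

// PasswordBits is the entropy of a password of the given length whose every
// character is chosen uniformly at random from an alphabet of alphabetSize.
func PasswordBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// PassphraseBits is the entropy of a phrase of `words` words drawn uniformly
// from a list: an attacker who knows the list enumerates words, not letters,
// so the phrase's length in characters does not enter into it.
func PassphraseBits(wordlistSize, words int) float64 {
	return float64(words) * math.Log2(float64(wordlistSize))
}

// WithKDF is the attacker's effective guess rate once the server stretches
// each password through `iterations` hash computations.
func WithKDF(rawGuessesPerSecond float64, iterations int) float64 {
	return rawGuessesPerSecond / float64(iterations)
}

// ExpectedCrackSeconds is the mean time to hit the secret by exhaustive search
// at the given guess rate, i.e. half the key space.
func ExpectedCrackSeconds(bits, guessesPerSecond float64) float64 {
	return math.Pow(2, bits-1) / guessesPerSecond
}

func main() {
	const rawRate = 1e10 // constructed: an offline rig against a fast unsalted hash
	rate := WithKDF(rawRate, 100_000)
	cases := []struct {
		name string
		bits float64
	}{
		{"12 random printable characters", PasswordBits(PrintableASCII, 12)},
		{"5 Diceware words (about 30 chars)", PassphraseBits(DicewareWords, 5)},
		{"6 Diceware words", PassphraseBits(DicewareWords, 6)},
		{"30 random lowercase letters", PasswordBits(26, 30)},
	}
	for _, c := range cases {
		years := ExpectedCrackSeconds(c.bits, rate) / (365.25 * 24 * 3600)
		fmt.Printf("%-34s %6.1f bits  ~%.1e years at %.0e guesses/s\n", c.name, c.bits, years, rate)
	}
}
```

The table makes the attacker model explicit: thirty characters that are really five dictionary words sit at about 65 bits, a twelve-character random password at about 79, and the same thirty characters chosen letter by letter at random at about 141; a personal pattern applied to a phrase raises the count only by however many choices the pattern actually adds.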
 
Read what I wrote. I specifically pointed out that that policy is flawed and the reason passwords are a problem. What I teach is for admins and end users to adopt policies that encourage password phrasing and don't accept random combinations of numbers and letters. From a security standpoint, a 30 character phrase is infinitely more secure and easier to remember than a 12 character randomized number letter symbol password. People can easily memorize phrases.

Passwords are still obsolete, however, because you have no control over how people store your passwords (e.g. in plaintext). Passwords are also very easy to intercept with things like keyloggers and the like.

PKI + smartcard is the future. With PKI, everyone gets a personal certificate that verifies their identity from a CA. The certificate is then stored on the smartcard and the host computer never knows the private key because all cryptography and signing is done by the smartcard. No amount of keyloggers or rootkits on the host computer can compromise it and the user isn't required to remember any passwords. In the event that the smartcard is stolen, the certificate can be revoked by the CA.
 
Another trash article about passwords written by a moron. Don't even have to click it to know how wrong he is.

^^^ Agreed, he's an idiot, read this more carefully.

Think about the last time you got a new device and wanted to sign onto Facebook or other favorite online service. If you’re like me, and use different passwords across sites, you probably forgot yours. You could do what I always do and click Forgot Password, but that would mean changing the password across all devices. It’s a horrible system.

The idiot thinks the password for a site is only stored on his device, not that the device "may" store the password but that the password that really matters is the one stored at the site.
 
Passwords are still obsolete, however, because you have no control over how people store your passwords (e.g. in plaintext). Passwords are also very easy to intercept with things like keyloggers and the like.

PKI + smartcard is the future. With PKI, everyone gets a personal certificate that verifies their identity from a CA. The certificate is then stored on the smartcard and the host computer never knows the private key because all cryptography and signing is done by the smartcard. No amount of keyloggers or rootkits on the host computer can compromise it and the user isn't required to remember any passwords. In the event that the smartcard is stolen, the certificate can be revoked by the CA.

You are correct, I was surprised as I read through these comments that it took so long to bring up multifactor authentication, as in a Password + a Smart Card + a Secure Token.
 
Read what I wrote. I specifically pointed out that that policy is flawed and the reason passwords are a problem. What I teach is for admins and end users to adopt policies that encourage password phrasing and don't accept random combinations of numbers and letters. From a security standpoint, a 30 character phrase is infinitely more secure and easier to remember than a 12 character randomized number letter symbol password. People can easily memorize phrases.

Why not use KeePass or something similar to generate a 30 character random password?
 
You are correct, I was surprised as I read through these comments that it took so long to bring up multifactor authentication, as in a Password + a Smart Card + a Secure Token.

I didn't know they had smart cards for PWs. We used to use cards that displayed an ever-changing code that you entered before or after entering your PW.
 
I didn't know they had smart cards for PWs. We used to use cards that displayed an ever-changing code that you entered before or after entering your PW.

Smart cards would replace the password. You would use a PKI certificate on the smartcard to prove your identity rather than a password.

The GSA already uses this system. When you log in to the GSA website, there are no usernames or passwords. There are certificates.
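The certificate login described in this post and in the earlier "PKI + smartcard" post, as an added example that is not from the thread: a Go sketch in which a CA issues a card certificate, the private key stays inside the card object, the server sends a fresh random challenge and checks the signature against the CA, and a card reported stolen is revoked. The CA name, the user and the serial are constructed; the in-memory revocation set stands in for a real CRL or OCSP responder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SmartCard stands in for the token: its private key never leaves this struct.
type SmartCard struct {
	priv *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// Sign answers one server challenge (SHA-256, then ECDSA); a keylogger that
// captures challenge and signature still cannot answer the next challenge.
func (c *SmartCard) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// CA issues cards and tracks revoked serials (the map stands in for a CRL/OCSP responder).
type CA struct {
	key     *ecdsa.PrivateKey
	Cert    *x509.Certificate
	revoked map[string]bool
}

// mint generates a P-256 key and a one-day certificate for it; a nil signer means self-signed.
func mint(cn string, serial int64, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, // a card signs challenges, nothing else
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// NewCA creates the self-signed issuing CA (constructed name); check err before use.
func NewCA() (*CA, error) {
	key, cert, err := mint("Example Issuing CA", 1, true, nil, nil)
	return &CA{key: key, Cert: cert, revoked: map[string]bool{}}, err
}

// IssueCard generates the user's key pair on the card and certifies its public half.
func (ca *CA) IssueCard(user string, serial int64) (*SmartCard, error) {
	key, cert, err := mint(user, serial, false, ca.Cert, ca.key)
	return &SmartCard{priv: key, Cert: cert}, err
}

func (ca *CA) Revoke(cert *x509.Certificate) { ca.revoked[cert.SerialNumber.String()] = true }

// VerifyLogin is the server side: trusted chain, not revoked, valid signature over this login's challenge.
func VerifyLogin(ca *CA, cert *x509.Certificate, challenge, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	if ca.revoked[cert.SerialNumber.String()] {
		return "", fmt.Errorf("certificate %s revoked", cert.SerialNumber)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, challenge, sig); err != nil {
		return "", fmt.Errorf("signature does not match challenge: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, _ := NewCA()
	card, _ := ca.IssueCard("alice", 42) // constructed user and serial
	challenge := make([]byte, 32)        // server's fresh nonce, relayed by the host to the card
	rand.Read(challenge)
	sig, _ := card.Sign(challenge) // the card's answer, relayed back to the server
	fmt.Println(VerifyLogin(ca, card.Cert, challenge, sig))
}
```

Because the challenge is new for every login, a signature captured on a compromised host does not validate against any later challenge, a card from a different CA fails the chain check, and calling Revoke on a stolen card's certificate makes VerifyLogin reject it from then on.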
 
Passwords are still obsolete, however, because you have no control over how people store your passwords (e.g. in plaintext). Passwords are also very easy to intercept with things like keyloggers and the like.

PKI + smartcard is the future. With PKI, everyone gets a personal certificate that verifies their identity from a CA. The certificate is then stored on the smartcard and the host computer never knows the private key because all cryptography and signing is done by the smartcard. No amount of keyloggers or rootkits on the host computer can compromise it and the user isn't required to remember any passwords. In the event that the smartcard is stolen, the certificate can be revoked by the CA.

People don't like to keep track of yet more crap, and people lose things like this. Not to mention, have you seen what the average person does to USB ports? Sorry, but having people bring something physical around to jam in a slot is a terrible idea.

Why not use KeePass or something similar to generate a 30 character random password?

Why on earth would I use a fallible piece of software to become a single point of failure for all my security? I'm sorry, but that is indescribably lazy. No, I don't use a password manager, no, I'll never use a password manager, and I sure as heck won't be teaching people to use something I wouldn't.

Random number, letter, symbol passwords are indeed out and need to die. People, and especially admins, need to learn how to leverage pass phrases effectively, and all this other less secure nonsense can take a flying leap. I can teach anyone to memorize a phrase of any length that will forever trump anything else in security. 30, 64, 128+, whatever, it doesn't matter. You can't lose it and it can't be cracked. The only possible way it gets found is if it's stored in clear text on a server, and that's just retarded IT who deserve to get fired.
 
Smart cards would replace the password. You would use a PKI certificate on the smartcard to prove your identity rather than a password.

The GSA already uses this system. When you log in to the GSA website, there are no usernames or passwords. There are certificates.

What if you lose your card or leave it on your desk?
 
People don't like to keep track of yet more crap, and people lose things like this. Not to mention, have you seen what the average person does to USB ports? Sorry, but having people bring something physical around to jam in a slot is a terrible idea.

Why on earth would I use a fallible piece of software to become a single point of failure for all my security? I'm sorry, but that is indescribably lazy. No, I don't use a password manager, no, I'll never use a password manager, and I sure as heck won't be teaching people to use something I wouldn't.

Random number, letter, symbol passwords are indeed out and need to die. People, and especially admins, need to learn how to leverage pass phrases effectively, and all this other less secure nonsense can take a flying leap. I can teach anyone to memorize a phrase of any length that will forever trump anything else in security. 30, 64, 128+, whatever, it doesn't matter. You can't lose it and it can't be cracked. The only possible way it gets found is if it's stored in clear text on a server, and that's just retarded IT who deserve to get fired.

IME, most system passwords used by developers as set up by admins are not difficult passwords. Granted, you have to have access to the system to use them, but they're not difficult.

That's the real world. I still don't see how KeePass is better or worse than what you suggest. If I use a 30 character passphrase (and in my case, that phrase has nonwords in it), the only way you crack it is if there's a key logger or you're watching me type it. Either of those will work for getting my password to individual systems.

So what makes your method better? Saying I can't lose the software is irrelevant. I can back up the database. If I lose it and you feel they could steal it, then why couldn't they do the same with the passphrases you're encouraging?

Yes, I'm arguing, but I don't see how your logic works. I've probably got 50 or 100 different passwords. There's absolutely no way I'm going to remember that many pass phrases and for banking and credit cards, I will not use the same one for 2 accounts.
 
IME, most system passwords used by developers as set up by admins are not difficult passwords. Granted, you have to have access to the system to use them, but they're not difficult.

That's the real world. I still don't see how KeePass is better or worse than what you suggest. If I use a 30 character passphrase (and in my case, that phrase has nonwords in it), the only way you crack it is if there's a key logger or you're watching me type it. Either of those will work for getting my password to individual systems.

So what makes your method better? Saying I can't lose the software is irrelevant. I can back up the database. If I lose it and you feel they could steal it, then why couldn't they do the same with the passphrases you're encouraging?

Yes, I'm arguing, but I don't see how your logic works. I've probably got 50 or 100 different passwords. There's absolutely no way I'm going to remember that many pass phrases and for banking and credit cards, I will not use the same one for 2 accounts.
You don't see how a single piece of software getting hacked for one password that gives up every single password and the site it's associated with is less secure than......I don't even..

Single.. point.. of.. failure.

As for memorizing more than one phrase, it's a little thing we humans are particularly good at. So good, in fact, that you can get into really interesting conversations with psychologists about it. Pattern recognition. By this you can take a certain phrase and simply change its pattern based on where it's being used. Be that a different word at a certain point, moving a word around, any number of changes you can make to the pattern of the phrase. It's something you as the individual come up with and it's something only you can figure out. Best of all, because you know the pattern you used, it's insanely easy to memorize. So yes, if we change the thinking of those who administrate security and change how we teach people, teaching them to do something that is natural to how our brains evolved and actually function, then all this other crap becomes obsolete. Because even 80 year old grandmas can memorize patterns.
 
You don't see how a single piece of software getting hacked for one password that gives up every single password and the site it's associated with is less secure than......I don't even..

OK, so how do they get the master PW or even just the DB, without having access to my computer?


As for memorizing more than one phrase, it's a little thing we humans are particularly good at. So good, in fact, that you can get into really interesting conversations with psychologists about it. Pattern recognition. By this you can take a certain phrase and simply change its pattern based on where it's being used. Be that a different word at a certain point, moving a word around, any number of changes you can make to the pattern of the phrase. It's something you as the individual come up with and it's something only you can figure out. Best of all, because you know the pattern you used, it's insanely easy to memorize. So yes, if we change the thinking of those who administrate security and change how we teach people, teaching them to do something that is natural to how our brains evolved and actually function, then all this other crap becomes obsolete. Because even 80 year old grandmas can memorize patterns.

I guess, but I can't imagine memorizing 50-100 different phrases for all the sites I have PWs for. I've got some sites that I didn't migrate, and they typically use one of a handful of PW variations that I used back when I assumed that was enough, and I still don't remember what those PWs are.

If I had 100 variations, I'd never figure it out. Post how you'd come up with passwords using 10 or 20 sites (don't use [H]...no https=weakest link here). If it works for everyone, then you're helping your fellow [H] members :D
 
Smart cards would replace the password. You would use a PKI certificate on the smartcard to prove your identity rather than a password.

The GSA already uses this system. When you log in to the GSA website, there are no usernames or passwords. There are certificates.

Not always, instead the Smart Card accompanies the password and even other authentication means.

It's like this: a Smart Card is "something you have", like a badge. Of course someone could possibly copy it or steal it. So add it to a password, which is "something you know", and you add a second layer of security and help minimize the weaknesses of each. Lastly you can add other factors, like biometrics, "something you are". A fingerprint or iris scan can act as a third factor, again increasing the depth of your security while minimizing the weaknesses of the others.
 