Changing Passwords Is Bad For Security

Megalith

While Carnegie Mellon faculty and government agencies sweat and debate over the consequences of routinely coming up with new passcodes, all the rest of us with common sense just turn to password generators/managers.

…researchers identified common techniques account holders used when they were required to change passwords. A password like "tarheels#1", for instance (excluding the quotation marks) frequently became "tArheels#1" after the first change, "taRheels#1" on the second change and so on. Or it might be changed to "tarheels#11" on the first change and "tarheels#111" on the second. Another common technique was to substitute a digit to make it "tarheels#2", "tarheels#3", and so on. "The UNC researchers said if people have to change their passwords every 90 days, they tend to use a pattern and they do what we call a transformation," Cranor explained. "They take their old passwords, they change it in some small way, and they come up with a new password."
 
This is why I have a 4-element password schema... each element is 3 or 4 characters long and normally has something to do with what I am logging into. I tend to tack 4-5 of them together into a 13+char password..

This gives me a simple, easy-to-remember way to generate ~256 very different passwords that aren't that hard to remember and can be rotated every 3 months or so with ease.

You end up with stuff like <year><season><site initials><something else><something else>, i.e. a plausible one for this site: 2k16sumHF.ac
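The "transformation" habit the quoted research describes is something a password-change policy can check for at the moment the user submits the old and new password together. The script below is an added example, not code from the thread or from any product named in it; it assumes the change form supplies the old password in plaintext (the user just typed it), and the constructed test pairs come from the research examples and from a scheme mentioned later in the thread.

```python
# Added example: flag a new password that is a small "transformation" of the old one.
# Assumes the old password is available in plaintext at change time.
import re
from typing import Optional, Tuple

# Trailing run of digits and common symbols: "tarheels#1" -> ("tarheels", "#1")
_SUFFIX = re.compile(r"^(.*?)([0-9!@#$%^&*]*)$")


def _split(password: str) -> Tuple[str, str]:
    """Split into a lowercase core and the trailing digit/symbol suffix."""
    m = _SUFFIX.match(password)
    return m.group(1).lower(), m.group(2)


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch 'password' -> 'passw0rd' style substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _longest_common_block(a: str, b: str) -> int:
    """Length of the longest common substring, to catch block moves such as
    'MYpasswordSUCKS' -> 'SUCKMYpassword'."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def transformation_of(old: str, new: str, max_edits: int = 2) -> Optional[str]:
    """Return a reason if `new` is a predictable transformation of `old`, else None."""
    if old == new:
        return "unchanged"
    if old.lower() == new.lower():
        return "case change only"                     # tarheels#1 -> tArheels#1
    old_core, _ = _split(old)
    new_core, _ = _split(new)
    if old_core == new_core:
        return "only the trailing digits/symbols changed"   # tarheels#1 -> tarheels#11
    if _levenshtein(old_core, new_core) <= max_edits:
        return f"within {max_edits} edits of the old password"   # password -> passw0rd
    # A block of at least 6 chars (or half the shorter core) carried over intact.
    min_block = max(6, min(len(old_core), len(new_core)) // 2)
    if _longest_common_block(old_core, new_core) >= min_block:
        return "reuses a long block of the old password"
    return None


if __name__ == "__main__":
    # Constructed pairs: the research's examples plus one pattern from the thread.
    for old, new in [("tarheels#1", "tArheels#1"), ("tarheels#1", "tarheels#111"),
                     ("MYpasswordSUCKS123!@#", "SUCKMYpassword456!@#"),
                     ("tarheels#1", "2k16sumHF.ac")]:
        print(f"{old!r} -> {new!r}: {transformation_of(old, new) or 'accepted'}")
```

The last pair is accepted because the two passwords share no usable structure, which is the property the 4-element scheme above is aiming for.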
 
While Carnegie Mellon faculty and government agencies sweat and debate over the consequences of routinely coming up with new passcodes, all the rest of us with common sense just turn to password generators/managers.

…researchers identified common techniques account holders used when they were required to change passwords. A password like "tarheels#1", for instance (excluding the quotation marks) frequently became "tArheels#1" after the first change, "taRheels#1" on the second change and so on. Or it might be changed to "tarheels#11" on the first change and "tarheels#111" on the second. Another common technique was to substitute a digit to make it "tarheels#2", "tarheels#3", and so on. "The UNC researchers said if people have to change their passwords every 90 days, they tend to use a pattern and they do what we call a transformation," Cranor explained. "They take their old passwords, they change it in some small way, and they come up with a new password."
I do exactly this with my stupid work password I have to keep changing. Screw them
 
I get really tired of the overly complicated password requirements a lot of sites are forcing on us lately. Now some are requiring the use of symbols. It's not practical for me to run around with a list of the 20 different passwords I need and I can't remember them when they have to have 2 upper case letters, 2 numbers, 3 symbols, a Batman symbol and a rectangle in them. Why can't I just use the password I want to use?
 
Try being an avid gamer, a casual tech junkie, and in the military. I have at least 60 passwords that I need to remember and they're all just the same thing with a variant. And then 25 of them need to be changed every 90 days. Half the time I say fuck it and work doesn't get done for the next 2 months, because oversight is non-existent.
 
Some of the systems I use have the brutal 60-90 day password changes and, yep, I definitely use a pattern. It's a decent pattern where half the characters change, no complete word is used, and it bears no relationship to the systems I'm using, but it's still pointless since I know none of these systems store passwords as clear text and no one else touches my work PC.

Much like what the TSA spends most of its time doing, it's security theater.

On the other hand, one of the systems never requires a password change (I still do change it once a year or so) and that's probably not great either.
 
... I have at least 60 passwords that I need to remember and they're all just the same thing with a variant. And then 25 of them need to be changed every 90 days...

Only 60? I am about to start on the 3rd sheet of 8.5x11" paper for keeping my account info. Rough count is about 100 or so. Many places demand a full account setup just to place an order. In many cases, it was some specialized gizmo that I am unlikely to reorder, but it's best to keep track of the account because a lot of sites get stubborn about "Account already exists for this email," forcing you to go through the lost account followed by the lost password process. Sadly, many of them force the use of the email address as user id in violation of basic security rules. Plus the list makes it easier to match "Site X got hacked" notices to accounts I have, to see if I need to take any action.
 
I get really tired of the overly complicated password requirements a lot of sites are forcing on us lately. Now some are requiring the use of symbols. It's not practical for me to run around with a list of the 20 different passwords I need and I can't remember them when they have to have 2 upper case letters, 2 numbers, 3 symbols, a Batman symbol and a rectangle in them. Why can't I just use the password I want to use?

I keep forgetting passwords because I always have to change them and remember them all.

When I graduated from college, my first job required us to change our passwords every 30 days, the passwords couldn't be similar to the past 15 passwords we used, they couldn't contain any word in the dictionary, and they had to include an upper case, a lower case, a special character, and a number. If you entered it wrong 3 times, you'd end up being locked out, and flagged by security. A few of us made a game of how long we could go before one of us was flagged. I believe the record was two weeks. Yet, at the physical gate to check in, I could have shown a badge with another person's picture, and been waved on through. It was a very penny-wise, dollar-foolish approach.
 
I have seven passwords at work to keep track of, all of which require me to update them every 90 days, and all seven of them need to be changed on different days. On top of that, pencils, paper, cell phones, Microsoft Word, Notepad, outside email, etc. are all banned on the premises, so I have no allowed way to write down/record any of the passwords in case I forget.
 
Keepass. Free and easy. No more whining.

Roboforms. Cheap and robust. No more whining.

I do not get the point of this article though. The examples are different enough...
 
I have seven passwords at work to keep track of, all of which require me to update them every 90 days, and all seven of them need to be changed on different days. On top of that, pencils, paper, cell phones, Microsoft Word, Notepad, outside email, etc. are all banned on the premises, so I have no allowed way to write down/record any of the passwords in case I forget.

I have about 150, and I'm not kidding. Application passwords, database passwords, passwords for virtual servers in our webserver farm. The only way I can possibly keep track is to keep them all in KeePass. So functionally, I have one password.
 
"The UNC researchers said if people have to change their passwords every 90 days, they tend to use a pattern and they do what we call a transformation," Cranor explained. "They take their old passwords, they change it in some small way, and they come up with a new password."

That or they just write it down and stick it on their monitor or keyboard.
 
I get really tired of the overly complicated password requirements a lot of sites are forcing on us lately. Now some are requiring the use of symbols. It's not practical for me to run around with a list of the 20 different passwords I need and I can't remember them when they have to have 2 upper case letters, 2 numbers, 3 symbols, a Batman symbol and a rectangle in them. Why can't I just use the password I want to use?

Because your account will be compromised in three seconds once the DB is inevitably stolen.

Just use a password manager and be done with it.
 
My passwords are impossible to remember because I don't use words, just random letters and numbers with a mixture of uppercase and lowercase. I use KeePass and just have to remember the master password.
 
correcthorsebatterystaple <- this makes the most sense.
Yeah, try remembering 300 of those as well as which one goes with which username for which website. Yes, I know there are some memory geniuses that can do it. Most cannot even remember their street address ZIP+4.
 
I think the worst I had was 30 different accounts and passwords for work, all with different change requirements and intervals. I got into the practice of... change one, change all. I did have a common method but I always moved the numbers and some characters around. One month MYpasswordSUCKS123!@# becomes next month's SUCKMYpassword456!@# etc.

For my personal stuff I keep a little paper notepad in my desk at home. I don't trust password managers.

I say just be done with it already; 2-step auth is easy enough and works well. I don't know how 3-step will work without carrying another device on my keychain or something (à la SecurID from the '90s).
 
I'm with Megalith. Just use a password generator. I like KeePass. Sure, someone could break my password into it at some point, but it'd be no different than if I made them up, because I know for a fact that I'd end up using the same PW over and over with an occasional variation. Friends and family do the same thing. Create a strongish Windows PW and use KeePass for the rest. If someone can crack my 20-30 char alphanumeric, special character and sometimes punctuation, then they've got me.

It's more likely that my PW is limited by the site than by me or KeePass. Gotta love sites with a minimum of 8 characters and a max of 12, alphanumeric only.
 
So retardedly true.... How they limit you to something so incredibly stupid is beyond me.... 8 to 12? Even 8 to 20 is pushing it.

I should probably use password managers but..... meh. I remember the ones I use, right now at least...
 
Only 60? I am about to start on the 3rd sheet of 8.5x11" paper for keeping my account info. Rough count is about 100 or so. Many places demand a full account setup just to place an order. In many cases, it was some specialized gizmo that I am unlikely to reorder, but it's best to keep track of the account because a lot of sites get stubborn about "Account already exists for this email," forcing you to go through the lost account followed by the lost password process. Sadly, many of them force the use of the email address as user id in violation of basic security rules. Plus the list makes it easier to match "Site X got hacked" notices to accounts I have, to see if I need to take any action.

Might as well start using a proper password manager, dude. Completely randomly generated passwords you don't need to remember OR worry about patterns being found if any of the accounts become compromised.

Plus services like LastPass will alert you to compromised sites in your PW DB when you do a security check.
 
Might as well start using a proper password manager, dude. Completely randomly generated passwords you don't need to remember OR worry about patterns being found if any of the accounts become compromised.

Plus services like LastPass will alert you to compromised sites in your PW DB when you do a security check.

And how many articles have been posted here on Password Manager X getting compromised? No matter how much control a bad guy gets over my computer, the paper list will still be safe. If a bad guy gets to the list, I probably don't need to worry about computer security until I purchase a new computer. The paper list isn't the best solution but it is good enough for me. And the UI is simple.
 
My current method is this for sites I visit infrequently:

1) go to website
2) say forgot password
3) do a reset and make a new password by bashing a bunch of shit in notepad and pasting it over
4) do stuff on site

It also gives me plausible deniability because I really don't remember the password.
 
Keepass. Free and easy. No more whining.

Roboforms. Cheap and robust. No more whining.

I do not get the point of this article though. The examples are different enough...
My company will not implement those for multiple reasons. Here is the main one. User's password gets compromised, it's the user's fault & the legacy system's fault to a degree. If they implement a new system like a PW manager and if the user screws up bad enough, a big juicy honeypot is compromised. The possible damage is more per event. Someone in IT will be responsible for the increased implications of the compromise; the fact that user screw-ups are brought down by magnitudes won't be considered.
 
I have a bit of a mixed response to this. I believe that in a work environment changing passwords is a good thing and it is perhaps from personal experience. Hate me all you want, but I am one of those people that memorizes everything. I still remember the iPhone codes of people I worked with five years ago. It is honestly something that I can't help and I have to force myself not to look at things when people log in / unlock them. Forcing password changes does help with people like me.

On the other hand, forcing password changes does open up issues with people writing down their passwords and sticking them to things. At all of the places I've worked at we had policies against this. It wasn't very common, but it did happen a few times that working at an employee's desk ended up with confiscating a sticky note with password information on it. The worst I ever saw was a woman in our Apps department who had a whole sheet of paper trimmed and taped to the bottom of her keyboard. It had her login information, bank, credit card, and healthcare login information written on the bottom... I took her keyboard away from her and got her a new one (without the paper attached to it). Changing / expiring passwords does also create a lot of lost hours dealing with locked-out accounts, forgotten passwords, and resetting passwords. Every Monday, we knew that there was going to be an influx of people looking for resets because their password expired over the weekend and they had ignored the cues for weeks.

The research cited in the article doesn't quite sit well with me though. It is pretty widely known that a device for memorizing passwords is to make them follow a trend. In their research they took expired passwords and were able to predict future passwords from the hashes at a 17-41% rate depending on the system they were targeting. The research is solely based on the availability of 10,000 expired accounts. If you have that level of access to that many accounts, you can simply reset someone's password right there in AD or provide a much more efficient attack vector based off of your knowledge of the environment. The probability of an attacker having that level of access or simply looking over your shoulder as you log in isn't even close to proportionate. Forcing password changes does bring about trending, but if you never know what the password is in the first place you aren't going to be able to predict what the future changes are going to be. It does mitigate shoulder creepers and does the best thing, which is to force some semblance of responsibility on end users. You have to remember that computers are relatively new and Deb, Jackie, and Pam in accounting have been doing it for 30 years. They aren't used to changing and memorizing passwords. The more they get acclimated to it, the safer the environment becomes for everyone. I work with accountants, payroll, and HR personnel now and a lot of the older people I deal with really scare me with their lax views on security. "Oh, I forgot my login. Let me look at this giant unencrypted Excel spreadsheet with all of my login information, passwords, and hyperlinks to the sites they allow me to access while you're RDP'd into my machine...."

Personally, I use a pattern of passwords based on multiple pieces of information. They all follow a similar trend, but are all different for every site. I believe this is the best way to do it as I can look at what I'm logging into and instantly know what the password is without exactly having to commit it to memory. There is an interesting bit of research I read a while ago where they had people commit a pattern to memory and it was their password, but the end user never knew what the pattern correlated to so they never knew what the password was.
 
I get really tired of the overly complicated password requirements a lot of sites are forcing on us lately. Now some are requiring the use of symbols. It's not practical for me to run around with a list of the 20 different passwords I need and I can't remember them when they have to have 2 upper case letters, 2 numbers, 3 symbols, a Batman symbol and a rectangle in them. Why can't I just use the password I want to use?

And yet the DoD has been enforcing this for years: lower case, caps, numbers and special characters. Compound this by the fact that users frequently must have separate accounts on multiple systems and at different classification levels. And some users also work in IT departments where they have several additional accounts to manage. For instance, all in all, I probably have over a dozen different passwords I have to keep track of just for work and then there are my personal accounts. In the long run, this becomes unmanageable when you have to go through password changes all the time on all of these accounts. There becomes only one sane way to keep up with all of this. You have to do what they always tell you not to do: write them down. Then you have to keep them locked in a safe. Now all you have to do is remember the safe combo, and keep your password list in the safe when you aren't using it. It sucks but any other way is just unworkable.

What I get tired of is that they all can't decide on the same password scheme. Some want 8 characters some 14, some don't like some special characters others do. I just wish they would all settle on the basic requirements so we could get used to it.
 
I'm too paranoid to use password managers; I don't trust how they store my password, or myself not to lose my password database, so I just use prehashing instead with PwdHash.
 
I'm too paranoid to use password managers; I don't trust how they store my password, or myself not to lose my password database, so I just use prehashing instead with PwdHash.

Or use an open source one.
 
And how many articles have been posted here on Password Manager X getting compromised? No matter how much control a bad guy gets over my computer, the paper list will still be safe. If a bad guy gets to the list, I probably don't need to worry about computer security until I purchase a new computer. The paper list isn't the best solution but it is good enough for me. And the UI is simple.
I don't know? How many times have you read about KeePass being compromised? If you've got pages of passwords written down, you're better off memorizing a strong PW for KeePass (or, if you don't mind a cloud-based system, then LastPass).
 
Everyone at my work just posts a sticky on their monitor because they have to change every 60 days, and we're a government facility.
 
I wish I could actually program a computer in a way that, if anyone tried to log on using that very password, an alarm would alert you to the fact that someone has just tried to logon using the password that is written out in plain sight.

Writing down a password is fine, as long as it isn't the actual password when typed in letter for letter (i.e. the written-down password is encoded with a cipher only you'd know, or the cipher is in a completely different location).
 
I've seen it mentioned before... and I somewhat agree. Writing down a pass on a sticky isn't that unsafe as a whole. Because you need direct access to it to know the password and anyone who makes it into your area would have the same-ish access as you do. Of course, there are other caveats such as a visitor, or separate users getting into each other's shit.
 
My company will not implement those for multiple reasons. Here is the main one. User's password gets compromised, it's the user's fault & the legacy system's fault to a degree. If they implement a new system like a PW manager and if the user screws up bad enough, a big juicy honeypot is compromised. The possible damage is more per event. Someone in IT will be responsible for the increased implications of the compromise; the fact that user screw-ups are brought down by magnitudes won't be considered.

Would you prefer that they store them on a network drive in a Word doc or, even better, Outlook notes? I promise you that is what they are doing if they aren't writing them down. At least if I beat into their heads enough times to use a VERY complex, easy-to-remember PW for KeePass (I give them simple examples of strong passwords) I have fewer worries. Plus they aren't going to use that complex, aka long, a PW for Windows login with a 5 minute timeout.
 
Would you prefer that they store them on a network drive in a Word doc or, even better, Outlook notes? I promise you that is what they are doing if they aren't writing them down. At least if I beat into their heads enough times to use a VERY complex, easy-to-remember PW for KeePass (I give them simple examples of strong passwords) I have fewer worries. Plus they aren't going to use that complex, aka long, a PW for Windows login with a 5 minute timeout.
I did this for internal websites. For everything else, I literally synced my PW to whatever it was on Windows. If I have to change Windows, I change the PW on every single app to that password. For servers, however, I just save the passwords in the term program.

Now I do have some places where passwords aren't strong, but those are always sites that I don't care about. I've got junk email accounts that I couldn't care less if someone hijacks. I use them to sign up for sites I don't care about and don't want them to have any of my real accounts.

I definitely think a PW manager is much better. If you've got a strong password, nobody's going to break it other than the feds, and if they want it, then they're going to get it one way or another.
 
I'm too paranoid to use password managers; I don't trust how they store my password, or myself not to lose my password database, so I just use prehashing instead with PwdHash.

KeePass is stored on your computer and not remotely. I use a notebook too as a backup.
 
These practices as described tend to create relatively easy passwords to crack, especially with rainbow tables or similar. Good dictionary attacks with a ton of permutations, or even bruteforcing many of these, aren't too difficult. There are many theories that a longer, simpler password is more mathematically viable and harder to crack versus a shorter one that's hard and complex (i.e. the xkcd comic "Password Strength" that spawned the "correct horse battery staple" example). Though of course this has its own drawbacks if a user uses a commonly used phrase, as lots of cracking lists are adding phrases like "happy birthday to you happy birthday to you" and whatnot, so try to make it reasonably personal or at least not ultra common.

These days, the best thing you can do is use a password utility and bolster your security by using NON-biometric 2-factor authentication (you can always get another 2FA token and disable the old if necessary, but can't do the same with a finger or iris. Not to mention applications gathering your biometric data... but that's another issue), if possible. Free and Open Source utilities are best for a number of reasons, not the least of which is knowing the cryptography is solid, backdoors are much less likely etc. Here are a few of the best of each type..

Password Manager - "KeePass" - www.keepass.info - One of the best "traditional" (i.e. user has complete control over both the database file and the client used to access it) password managers, this FOSS utility has tons and tons of functionality, from generating per-site passwords to copying/pasting login info for you and much much more. It can be further expanded with a ton of useful plugins. It works on Win/Linux/Mac and there are plenty of iOS and Android apps that can open the KeePass 2.x style database .kdbx files, such as "Keepass2Android".

Online Password Service - "Encryptr" - www.spideroak.com/solutions/encryptr - Third party password management services trade some security for accessibility and convenience; factors important to many. Built by SpiderOak through their open source Crypton framework, Encryptr is probably one of the best examples of this type of service at the moment. Similar to their privacy-focused file sync/backup, they use zero knowledge encryption. Unlike LastPass or 1Password, Encryptr is not vulnerable to a group of recent, high profile exploits.

Multi Factor Authentication Token - "YubiKey" - www.yubico.com - Yubico provides hardware tokens for multi-factor authentication, notably their YubiKey line of products. They can use a ton of open formats, such as HOTP / TOTP / OpenPGP, and can be configured with an open source utility provided. They work with practically all devices, so long as it has a USB port and/or NFC. Note that right now the "YubiKey Neo" is NOT of the same 'generation' as the YubiKey 4, but it will be soon and thus have all the features of the YubiKey 4 plus NFC use, so if this is important to you hold off purchase until the next revision.

Hope this helps!
 
Been suggested here; pass sentences make sense to me. Changing it I guess is a necessary evil.
Finger scan for stuff at work should be commonplace.. aren't those scanners cheap and fast by now?
 
Still don't get why passwords are still a thing...

Society has had the ability to achieve multifactor authentication for decades, and yet here we are, at 2016/08/11 16:30 EDT, stuck with most things relying simply on passwords. Can't sites/companies just invest in transitioning people to use soft-tokens (RSA software based tokens, for example) coupled with biometrics (voice/facial/fingerprint recognition)?

Soft-tokens cover "something you have"
Biometrics cover "something you are"
 