You Want People To Have Strong Passwords? What Are You, Some Kind Of Communist?

from the rights-and-responsibilities dept

Passwords are a pain. If they are strong, they are hard to remember, and if you can remember them they probably aren’t strong. Of course, there are all those excellent password managers out there, but using them requires an even stronger password…. No wonder, then, that time and again we hear of people giving up and using simple-to-guess passwords, and of the awful consequences that result.

Stefania Maurizi points us to an Italian journalist, Nicola Porro, who’s also had enough. He’s written a blog for the newspaper Il Giornale, in which he describes tech people who keep giving him a hard time over his weak passwords as the “new communists” (original in Italian):

So why do I say they are communists, and not just idiots? For the simple reason that they don’t believe in free will, or in individual freedom. Can’t I be free not to change my password every month? Can’t I be free to use a simple password? Can’t I be free to choose whatever the devil I like? Can’t I be free to consider it irrelevant whether somebody steals my data? Isn’t it an option that whenever I’m online they screw me over and steal precious information from yours truly and that I’m not at liberty to put myself intentionally in danger in order to have a convenient password?

He goes on to say:

and as for anyone who dares to say something about the risks of getting conned blah blah blah, I am quite happy to sign online once and for all that I accept full responsibility for any password theft.

I wonder if he’s considered what might happen if his system were taken over as part of a botnet that took out a hospital’s computer system, say, or were used to host and distribute child pornography: would he be happy about accepting responsibility for those too?

Maybe those sysadmins who keep bothering him to choose a decent password aren’t “new communists”, just concerned, responsible people who understand that every computer user connected to the Internet is necessarily part of an online community with responsibilities to everyone else there, just like in ordinary life. Choosing a good password is really no different from following the basic rules of the road: it’s not a question of losing your personal freedom, but of showing consideration for your fellow human beings who may be harmed if you don’t.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Comments on “You Want People To Have Strong Passwords? What Are You, Some Kind Of Communist?”

89 Comments
That One Guy (profile) says:

His childhood must have been a fun one...

‘Now don’t go playing in traffic.’
‘I’ll play in traffic if I want to, you commie.’

‘Make sure to look both ways before crossing the street.’
‘If I want to get hit by a passing car because I’m too stupid to take basic precautions, that’s my right you communist!’

‘When driving, signal, look, and then move over.’
‘If I want to ignore common sense and cause a car crash it’s my freedom to do so!’

art guerrilla (profile) says:

Re: His childhood must have been a fun one...

(parasitizing on your post)

1. as mentioned numerous times, this idiotic practice of ‘signing up’ or making an ‘account’ for EVERY two-bit website in the universe is EXTREMELY tiresome…
(how many dozens/hundreds have i been forced to sign up for, and NEVER went there again ? )
2. when i got a disqus ‘account’, i was hoping it would alleviate this type of crap; but, evidently, i have to get a dozen disqus-like accounts, and STILL will be ‘forced’ to sign up at every site in the universe…
3. for non-critical sites/’accounts’, i use a simple pattern: prefix + site/org name + suffix
e.g. 57techdirt89
i simply have to ‘remember’ the prefix/suffix (57/89), then insert the site/org name in the middle, and i’m good to go…
somebody cracks my ‘account’ at some non-critical website ? ? ?
yawn

Ninja (profile) says:

The guy is a moron. But the password issue remains. I’m using LastPass and my life has become easier after it. My main password is one hell of a long phrase followed by Google Authenticator for multi-step win, and I DON’T use it outside of my own machines (which I trust more than others), relying on disposable one-use passwords. It’s way easier if you only need to remember one giant password rather than a whole load of them.

I don’t like storing my passwords elsewhere even if the service has a reputation but seriously, my brain fails at memorizing several strings and I’m inclined to believe only a few gifted people can do without a password manager.

Which reminds me I have to update the USB key I have in case shit hits the fan at the site.

Rikuo (profile) says:

If this were his own personal computer systems and accounts he was talking about, fine. Have a weak password or none at all if you want.

Thing is…he’s not. Can someone clarify if he’s complaining about the password policy at his workplace? Those systems aren’t his. If he has a weak password at his job, it wouldn’t just be himself affected, but all of his co-workers. I think it wouldn’t just be the sys-admins who would want to have a word with him at that point.

PaulT (profile) says:

“Can’t I be free not to change my password every month? Can’t I be free to use a simple password? Can’t I be free to choose whatever the devil I like? Can’t I be free to consider it irrelevant whether somebody steals my data?”

Yes, but I’m going to guess that you’re the sort of person who would also be free to sue banks and other institutions when your poor practices lead you to suffer a tangible loss. To be free to berate and attack IT and other personnel for not “protecting” you when things go wrong, even though you willingly rejected their every word of advice. To be free to blame everybody but yourself when you realise why security is so important.

“I am quite happy to sign online once and for all that I accept full responsibility for any password theft”

I sincerely hope others take up this challenge. Reminds me of Jeremy Clarkson – http://news.bbc.co.uk/2/hi/7174760.stm. All bluster and “who cares?” until someone demonstrated to him why he should care.

JWW (profile) says:

Re: Re:

But the fact remains. If you left your house unlocked and someone went in and stole your stuff, they are still guilty of a crime and they are still liable to the authorities and to you for that crime.

If someone breaks your “easy” password and does harm to you they still are liable for the damage.

“You were asking for it” does not excuse the criminal of wrongdoing.

PaulT (profile) says:

Re: Re: Re:

Nowhere did I say that the criminal should not be punished for his crime.

However, a person must also be responsible for their own security. If you’re in the habit of leaving your house with the doors and windows open, you still bear some responsibility no matter how wrong the person who robbed you was for doing so. People aren’t trying to take away your rights if they tell you to lock up when you leave.

Also, as noted several times elsewhere here, the implications of not taking care of security with a computer may have many implications beyond what happens to your own account, so any analogies related to burglary are horribly inaccurate.

Lazere says:

Re: Re: Re:

He never said it was an excuse for criminal wrongdoing. To use your example, if you left your house unlocked and someone went in and stole your stuff, the person who did it can be punished, but you don’t get to sue the lock maker. The fact remains, if you live in a bad neighborhood and you don’t lock your doors, you’re an idiot, plain and simple. The internet is a bad neighborhood. Get used to it.

Richard (profile) says:

Re: Re:

Can’t I be free not to change my password every month?

Actually he has a point.
At least some of the policies imposed by sysadmins are not just pointless- they are actually counterproductive.

Changing your password every month is one of them.
(This pretty much guarantees that most people will react by using simpler, related passwords).

Never writing them down is another.
Again encouraging weaker passwords – contrary to the advice it is quite safe to write down passwords in most circumstances.

Not using the same password for multiple sites is another.
Most sites are fairly non-critical (hacking my techdirt account would not be the end of the world) using a common password for large groups of similar non-financial sites is fine.

Always including a number or non-alphanumeric character is another. The amount of extra entropy associated with expanding the character set is modest compared to the extra effort required to memorise it. In addition most people make obvious substitutions (A->4 s->$ etc) which don’t trouble the average password cracking program even a little. Increasing password length is a much better solution.

All of these things are eminently practical in an environment where you have just one or two sites to find passwords for and use them frequently.

However in the modern world where you may have >>10 passwords it is simply impossible.

My advice is this – use the same short easy password for all non-critical sites. Ignore suggestions not to do this from the site. Most site owners believe their site is way more important to you than it actually is.

Use separate long (multi-word) passwords for the sites that matter. If you will only (or mostly) use them when at home then by all means write them down (at home only – if a burglar is rifling through your things then you have bigger problems than a cracked password and you will know to change it).

You are probably left with just one or two sites that demand you remember a secure password – hopefully that is not too hard.

Anonymous Coward says:

As a regular Techdirt reader, this piece disappoints me. Why the FUD? Everything doesn’t end in child porn or a botnet taking out a hospital computer system.

I’ve used the same password since 1998 for a lot of things. I haven’t been assimilated.

I won’t sue banks, or get angry at IT people. I know full well I leave only myself to blame.

I’ve had my PayPal account hacked. That was 7 years ago. I got my money back. *shrug*

I know good and well what the risks are. Don’t tell me what my reaction is going to be.

Anonymous Coward says:

The writing on the wall is that passwords are rapidly becoming insecure, and will be useless for authentication within a few years. On this trajectory, it’s not the end-user’s fault, it’s our fault as developers for not having something better already widely implemented. Once it’s known that human users consistently fail at a task, then it’s time to engineer that failure mode out of the system, we’ve been doing that with commercial pilots for 50 years.

There are dozens of suitable technologies, from smart cards to certificates to multi factor authentication, but they’re all obscure and hard to use for grandma.

John Fenderson (profile) says:

Re: Re:

“The writing on the wall is that passwords are rapidly becoming insecure, and will be useless for authentication within a few years.”

I’ve been hearing this since about 1990. I don’t think the end of the password is any closer now than it was then. For all their faults, passwords have advantages that no other scheme can match.

For some things, I use certs. For other things, certs/smart cards/multifactor schemes are simply unworkable, and I see nothing on the horizon that will change that.

Anonymous Coward says:

Re: bad article

That xkcd comic is a bit off. Both passwords are probably equally difficult to guess using dictionary attacks. Also, the brute-force time to crack assumes 1,000 guesses per second. Consumer hardware can easily get into the hundreds of millions or even billions of guesses per second (depending on the hash function, of course).

Brazenly Anonymous says:

Re: Re: bad article

The comic counts each of the four words as having the same entropy, that yielded by a dictionary attack. The entropy is higher in a phrase. That said, applying the mutilation strategy to a phrase combines the entropy of both, if your brain can take it (sys admin here, I’ve maybe twenty or so passwords in active use, ranging from weak forum accounts with none of the profile filled in, to my strong as possible work passwords).

Number of guesses per second is only really an issue if the authenticator allows it to be. Enforce a small account wide delay between password attempts. Your users won’t be fast enough to run afoul of it, but the exponential increase in computer speed is no longer a concern. Sensitive destinations should include password lockout mechanisms. Sensitive administrative access requires certs/tokens/two-factor.

Anonymous Coward says:

Re: Re: Re: bad article

True about guesses per second in an online attack. Heck, fail2ban is a great tool in this regard. You can block IP addresses after a set number of failed attempts (say, 5 failed attempts). Sure VPNs can be used to mask an IP, but the effort it would take to break into a system goes way up with fail2ban.

Offline attacks are limited only by hashing algorithm and hardware (for example, WPA runs SHA-1 4096 times to make cracking slower), but then again, offline attacks involve other stuff like getting hashes, etc…
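As an added example (not code from fail2ban or from anyone in the thread) of the account-wide delay and lockout the two comments above describe: each failed attempt doubles the wait before the next one is even evaluated, and the fifth consecutive failure locks the account for 15 minutes (policy values assumed for illustration). The simulation at the end counts how many guesses an attacker who retries the instant the policy allows can get evaluated in a day.

```python
from dataclasses import dataclass, field

DAY = 86_400.0


@dataclass
class AccountThrottle:
    """Account-scoped login throttle: the delay is tied to the account, not the
    source IP, so rotating addresses does not reset it.  Assumed policy values."""
    base_delay: float = 1.0          # seconds after the first failure, doubling thereafter
    lockout_after: int = 5           # consecutive failures that trigger a lockout
    lockout_seconds: float = 900.0   # 15-minute lockout
    _state: dict = field(default_factory=dict)

    def _entry(self, account: str) -> dict:
        return self._state.setdefault(
            account, {"failures": 0, "next_allowed": 0.0, "locked_until": 0.0})

    def check(self, account: str, now: float) -> tuple[bool, float]:
        """Return (allowed, seconds_to_wait) without evaluating any password."""
        e = self._entry(account)
        if now < e["locked_until"]:
            return False, e["locked_until"] - now
        if now < e["next_allowed"]:
            return False, e["next_allowed"] - now
        return True, 0.0

    def record(self, account: str, success: bool, now: float) -> None:
        """Update the account's state after an attempt that was actually evaluated."""
        e = self._entry(account)
        if success:
            e.update(failures=0, next_allowed=0.0, locked_until=0.0)
            return
        e["failures"] += 1
        if e["failures"] >= self.lockout_after:
            e["locked_until"] = now + self.lockout_seconds
            e["failures"] = 0          # the lockout is the penalty; the ladder restarts after it
        else:
            e["next_allowed"] = now + self.base_delay * 2 ** (e["failures"] - 1)


def attempt(throttle: AccountThrottle, account: str, password: str,
            correct: str, now: float) -> bool:
    """Login path: refuse early while throttled, otherwise evaluate and record."""
    allowed, _wait = throttle.check(account, now)
    if not allowed:
        return False
    ok = password == correct          # stand-in for a real password-hash comparison
    throttle.record(account, ok, now)
    return ok


def max_guesses_per_day(throttle: AccountThrottle, account: str = "victim") -> int:
    """Simulate an attacker who always guesses wrong and retries the instant the
    policy permits; returns how many guesses get evaluated in 24 hours."""
    now, guesses = 0.0, 0
    while now < DAY:
        allowed, wait = throttle.check(account, now)
        if not allowed:
            now += wait
            continue
        throttle.record(account, False, now)
        guesses += 1
    return guesses


if __name__ == "__main__":
    print("online guesses per day under this policy:",
          max_guesses_per_day(AccountThrottle()))
```

With these values an online attacker gets 475 evaluated guesses per day against one account, regardless of how fast the hardware is; the hash cost matters only once the hashes themselves have been stolen.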

John Fenderson (profile) says:

Re: bad article

There’s nothing wrong with writing passwords down and keeping them in your wallet (and a copy in a secure location). If your wallet is stolen, you have bigger problems than your passwords being compromised, and probably have enough time to change them all anyway.

What you shouldn’t do is write them on post-its and stick them to your monitor.

Ehud Gavron (profile) says:

AC is right

The FUD in this “article” is unlike what I’ve come to expect from Techdirt.

If the Italian guy wants to have a weak password THAT IS HIS RIGHT. Sorry Mr. Moody that you don’t like it that other people have rights.

If his computer is used to host a botnet or attack a hospital (REALLY??? SERIOUSLY???) then that will be funny as hell because only an idiot would suggest that THAT is the reason for having a password or a secure one.

Computers are taken over all the time because Windows, not because insecure-password.

Get over yourself.

Ehud
oh yeah, don’t follow me on twitter. I am now going to check the byline on Techdirt articles. Masnick yes. Moody no.

PaulT (profile) says:

Re: AC is right

“Sorry Mr. Moody that you don’t like it that other people have rights.”

Funny thing is, while Porro does have the right to be totally insecure and he has the right to put himself at unnecessary risk, Moody has equal rights to criticise and/or mock him for what he said. That’s the thing about rights – you can have the right to do something, but that neither shields you from the consequences nor criticism of those actions. I agree that hyperbole was used, but Porro is at least equally guilty of that sin.

Equally, the people whose security policies he’s whining about are unlikely to relate to a system he personally controls – it sounds like a website or domain login policy. The people in charge of that system probably have more of a right to keep their systems secure than Porro has to access them. You may disagree that the security policy is necessary, but they have the right to secure their systems in the way they see fit. If someone’s rights have to trump another’s, I’ll go with professionals over someone whining that a password policy is “communism” any day, if only because the latter claim is idiotic.

“oh yeah, don’t follow me on twitter”

Isn’t it his “right” to follow the information you put out there for public consumption?

John Fenderson (profile) says:

Re: AC is right

I don’t see the FUD at all. Insecure passwords are a genuine problem.

“If the Italian guy wants to have a weak password THAT IS HIS RIGHT.”

And where did he say otherwise? Everyone has the right to be stupid, and everyone else has the right to say “hey, look at the stupid guy!”

The case where you don’t have a right to any stupid password you want is when you have an account on someone else’s computer or service. A compromised account is a risk to the entire system, not just that account. But on your own machines, go nuts.

Pragmatic says:

Re: AC is right

Ehud, you’re being unreasonable. Sooner or later someone else could be affected by his unwillingness to be responsible with his passwords. The man is a journalist. Password-guessing (the most frequent form of hacking) might not take out a hospital, but newspapers and agencies have been compromised before by weak security.

http://www.bbc.co.uk/news/technology-19280905

In the Reuters case it was SQL injection, but the principle is the same; others may be affected, don’t you care about them?

michpaulatto (profile) says:

Il Giornale

Non-Italians have to understand where this is coming from. Il “Giornale” is a newspaper owned by Berlusconi, its general aim is to disseminate propaganda and discredit political rivals. I wouldn’t take seriously anything coming from it.

This wasn’t always the case as Il Giornale was founded in 1972 by the journalist Indro Montanelli, who is considered as perhaps the greatest Italian journalist of all times.

Anonymous Coward says:

It is of course in no way possible that said journalist was being hyperbolic in the cause of humour. In the current uber right wing atmosphere abroad in most western countries, everything that people don’t like whether it’s a good thing or a bad thing in principle is considered to be socialist or communist by a lot of hyperventilating commentators.

I suggest that it’s just possible that was what the journalist was aiming at.
A genuine gripe about how secure systems often cause people to behave in insecure ways due to an insistence on a particular password format which they never can remember, especially if it’s only one of umpteen different secure and ever changing logins that they are required to have, played with tongue firmly in cheek as if fox news were reporting on it.

Anonymous Coward says:

Re: Re:

Exactly. Demand for regular password changes and ridiculously restrictive “at least 2 large letters, 2 small letters, 2 numbers, 2 signs and 12 digits total”. Those are in no way fun to come up with, they are just as likely to get keylogged. In most cases, strong but forgettable passwords are bad since their security falls back on the password of the provided mail-service.

Kingster (profile) says:

I’d actually liken passwords to a vaccination. Do they help with the simple stuff? Absolutely. Will it keep you from getting serious stuff? Maybe, maybe not.

On top of that, you can (if it’s YOUR hardware) make the choice to have a simple password (though, actually, with Windows, your machine is safer WITHOUT a password, than a weak password). If it’s not your system, then you don’t get that choice. Same goes with websites, too. You have the option to not use the site, if you don’t like their password policies – but that site is just covering their own butt, more so than they are covering yours.

To those griping about FUD? I’d agree with the fear bit. Not so sure about the UD parts though. Working in the information security world, you’d be surprised at the insanity I see. Maybe a bit of fear is needed for some of the PEBKACs out there.

Anonymous Coward says:

Sure, you can be free to use a weak password and not change it for months, please sign here that you take full responsibility for everything that will happen if your access will be misused.

what do you mean, no way? we should do our job that this doesn’t happen? dude, making sure you follow the security rules is part of that job and if you don’t YOU are the reason if it fails.

It is quite simple, really. security is a matter of choice in a lot of situations, but making that choice also means it becomes your responsibility, especially if it fails. The problem is, that the people that can’t be bothered are the very same people that cry blue murder and demand “something be done” if their weak security doesn’t hold up. They want others to keep them safe even if they don’t want to contribute to it and they deny every responsibility at the same time, because it is “someone else job”. They have to either realize that they are part of the security process, or they need to be made to take the responsibility if they don’t want to be part of it.

They won’t learn without suffering from the consequences.

Anonymous Coward says:

I’m not sure why it’s the victim’s fault if their computer gets used in a botnet.

We don’t blame the homeowner when their house gets robbed… after all, most houses are protected by about a cubic inch of wood. Passwords and locks keep honest people out. Those that are really trying to cause harm are not going to be stopped by a password.

crade (profile) says:

Re: Re: Re:2 Re:

Good, dramatic overstatement is what I was going for.. hehe
I always think the blame lies on the criminal and not the victim.. I know many people who don’t lock their doors ever.. Comes with growing up in a small town. If someone with a locked door and a fancy alarm system gets robbed, they are certainly no less of an idiot than someone without one that gets robbed in my book. They are just an idiot with a broken window

Chronno S. Trigger (profile) says:

Re: Re:

“We don’t blame the homeowner when their house gets robbed”

Fun fact, we do. Homeowner’s insurance (and car insurance as well) will not cover losses due to negligence. You leave your door unlocked, you are responsible for the losses.

If (and that’s a big if) they catch the person who did it, then you can try to get your stuff back or compensation from them, but the insurance companies will do nothing.

I don’t see why shared blame is not a thing in some people’s worlds.

Anonymous Coward says:

Re: Re:

I was once purchasing something from an online store, but first I had to register, then they gradually revealed the password requirements to me, each time my choice of password failed that is, they’d tell me the biggest reason it failed.
Not long enough, no capitals, no numbers, no special characters.
By the time I had picked a password that it would accept, I cancelled the order on the basis that I was never going to remember that password with the passage of time. Ended up ordering from a site I was already registered with that had not made registering quite so irksome.

Con men and phishing and so on work, because they exploit the weakest part of any system, the way people actually behave and respond. When systems security is designed around an idealised method of how people behave, people will remain the weakest part of the system.

Anonymous Coward says:

The stupidity is strong in this one

But this does illustrate something that I’ve been saying for a long time: mere users should not be permitted to make security decisions: they’re far too lazy and incompetent. Security policy should be decided by people with education and experience (LOTS of both) and imposed from above.

That’s not democratic. That’s not egalitarian. I opposed it for a very long time (as in “decades”). But my Internet/ARPAnet experience, which now spans four decades, has taught me that it’s unfortunately necessary. Everyone who has run the experiment of letting users have control has paid for it with failure. Everyone.

And users have not yet learned that they have a responsibility to each other. Being on the Internet is an enormous privilege. But it comes with enormous responsibility, something that most users don’t comprehend and few actually shoulder. We are all responsible for each others’ security, and a breach of one of us can and DOES affect all of us. So when I read comments like Porro’s — short-sighted, ignorant, asinine, selfish, idiotic — my response is that he should be forbidden for life from being on the Internet. I judge him unworthy of the privilege because he is refusing the responsibility.

JWW (profile) says:

Re: The stupidity is strong in this one

And here we are. A post advocating the return of the old days with the “High Priests of Computing” that control the mainframe dictating how everyone should interact with the system.

Sorry, cat’s out of the bag. You can wish on a star for the power to control the internet (you’re seriously asking for precisely that) but you aren’t going to get it. No one will give it to you (or anyone else for that matter) and the engineering of the internet itself will fight back against trying to get that type of control.

And while I won’t call your argument communist, it sure as hell sounds a lot like “we need to control you for your own good” progressive bullshit.

Anonymous Coward says:

Re: Re: The stupidity is strong in this one

You can wish on a star for the power to control the internet (you’re seriously asking for precisely that) but you aren’t going to get it. No one will give it to you (or anyone else for that matter) and the engineering of the internet itself will fight back against trying to get that type of control.

Congratulations. You completely missed the point.

I’ve spent an entire career helping build and advocating for a free, open network built on free, open standards, using free, open code. So I think it’s safe to say I’m pretty familiar with “the engineering of the Internet”.

However, I also understand that making the Internet free and open REQUIRES making it secure. Haven’t you been paying attention? Haven’t you noticed that the security problems we face at all levels are enablers for spammers and the NSA, phishers and blackmailers, con men and GCHQ, and every other kind of bad actor out there? Don’t you understand that unless we can solve those security problems, all the high-minded prose (e.g. “information wants to be free”) will remain a hypothetical, an unrealized dream?

And “making the Internet secure” is, unfortunately, not possible if the task is handed over to end users because they don’t know and they will never, ever learn. As Marcus Ranum points out in “The Six Dumbest Ideas in Computer Security” (which is flat-out brilliant, by the way, see http://www.ranum.com/security/computer_security/editorials/dumb/), “if it was going to work, it would have worked by now”.

So please, don’t give me any flak about “high priests”. We tried “educating users”; in fact, sometimes we still try it even though it’s pretty obvious by now that it’s a strategic failure. Yes, we DO have to do it for you because you won’t do it for yourselves. And while we don’t always do it perfectly (in fact: sometimes we suck) we have a hell of a lot better chance of pulling it off than you do.

You’re welcome.

madasahatter (profile) says:

Cue Jokes

Journalism schools must be the intellectual bottom feeders below education schools. First, I do not care what passwords he is using, nor will I review his choices. The reason most security-aware people advise long, difficult passwords for each login, plus a password manager, is to protect very confidential information.

Like many posters here I use and teach the use of a password manager, with every login having a separate password. If someone got my password to my Twitter account they do not have my credentials to my bank.

Calling this clown a moron is an insult to morons.

John Fenderson (profile) says:

Re: expiry

You’d have to talk with your IT guy about that. Here’s what my answer would be: strong passwords by themselves don’t mean that they’d have to be changed less often. You’d also have to be sure that people aren’t using the same password for multiple purposes.

In fact, password reuse is arguably an even greater problem than having a weak password. If a password is cracked and the damage is limited to access to a single service, that’s manageable. If that password is also used for other services, that’s a much bigger problem.

terry_allen (profile) says:

Re: Re: expiry

You know, back in one of my previous lives I was a sysadmin for a small cluster of Unix nodes. I dealt with the problem the following way, and let everyone know I was doing it:

I never asked anyone to change their password. I simply ran every cracking program I could find, in background, on every account, over and over. When I cracked someone’s password, I told them and their boss. And I sent them the password to prove it.

Worked pretty well. But of course that was early days, and it wasn’t even my primary job. Maybe if I’d had a lot of formal training I could have come up with something way better. Like a bunch of increasingly angry memos about password safety from something called the “IT Department”.

John Fenderson (profile) says:

Re: Re:

I think he’s using “communist” in the modern slang sense, meaning “something I hate”.

Your second point is not universally true. In my workplace, very strong passwords are strictly enforced and have to be changed frequently. Nobody writes them on sticky notes on their monitors. In practice, once you’ve typed a new password all day long, you have it memorized regardless of how complex it is.

John Fenderson (profile) says:

Re: Re: Re:2 Re:

Not here — the system checks for that kind of nonsense. The new password has to be sufficiently different from the old one, and the passwords must be pretty close to entirely random.

People do keep logs of old passwords, but that’s acceptable so long as they’re kept in a secure fashion (not kept on the computers you use the passwords on, under strict physical control or encrypted, etc.)

Richard (profile) says:

Re: Re: Re:3 Re:

Not here — the system checks for that kind of nonsense. The new password has to be sufficiently different from the old one, and the passwords must be pretty close to entirely random.

Frankly the nonsense of requiring regular password change has been debunked long ago.

Here http://all.net/Analyst/netsec/1997-09.html

for example.

Richard (profile) says:

Re: Re: Re:

In my workplace, very strong passwords are strictly enforced and have to be changed frequently. Nobody writes them on sticky notes on their monitors. In practice, once you’ve typed a new password all day long, you have it memorized regardless of how complex it is.

Works if you only have one or two passwords – however most people these days have many services that require a password (often for no good reason). Often we use these services quite infrequently, so “once you’ve typed a new password all day long” doesn’t apply.

My 4 important passwords are all different and all reasonably strong – but the 15 or so other ones are all the same. Making them different and changing them every few weeks would be just about impossible – I would be constantly using password reset.

jakerome (profile) says:

Ridiculous

This article is the biggest piece of shit ever posted on Techdirt. It feels almost like a parody of the scare pieces Techdirt loves to mock with such hysterical lines as “I wonder if he’s considered what might happen if his system were taken over as part of a botnet that took out a hospital’s computer system, say, or were used to host and distribute child pornography: would he be happy about accepting responsibility for those too?

Or how about hey, maybe the dude just doesn’t care if his Techirt password is stolen. Or NYTimes password. Or the password for any of a million other sites that pose no risk to the user if stolen. Nope, making that logical inference would require more common sense than Mr. Moody could possibly muster.

Sunhawk (profile) says:

If they are strong, they are hard to remember, and if you can remember them they probably aren’t strong.

Not strictly true; current thought is that a nonsense or semi-nonsense passphrase is both easy to remember and difficult to crack.

For example, “Random guises fool Johnson”. Pretty easy to remember. Direct brute force would be computationally impossible (given a secure algorithm, naturally). Even if the cracker knows it’s a phrase, they don’t know how many words or how long they are.

Let’s say they guess four words and they’ve got a dictionary. There are about 171k words in current usage; let’s say the cracker goes for the 50k most used and that the passphrase uses words from that 50k. That’s 50,000 to the fourth (minus a bit if you assume no duplicates) or 125 trillion possibilities.

And even one name or non-standard word jumps the attempts needed by orders of magnitude.
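An added example (not part of the article or of any comment) that carries the arithmetic through for the scenario in this comment and for Richard’s point above about character sets versus length: the search space of a four-word passphrase drawn from a 50,000-word list, the bits it represents, how long exhausting it takes at the 1,000 guesses/second the comic is said to assume versus an assumed 10 billion/second offline rate, and how many bits an 8-character lowercase password gains from adding digits compared with adding one more character.

```python
import math

# Scenario values from the comments above; the 10 billion/s offline rate is an
# assumption standing in for "billions of guesses per second".
DICTIONARY_WORDS = 50_000
PHRASE_WORDS = 4
COMIC_RATE = 1_000              # guesses per second the comic is said to assume
OFFLINE_RATE = 10_000_000_000   # assumed GPU rate against a fast unsalted hash

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def word_keyspace(words_in_list: int, word_count: int) -> int:
    """Search space for a passphrase of word_count words from a list (repeats allowed)."""
    return words_in_list ** word_count


def charset_keyspace(charset_size: int, length: int) -> int:
    """Search space for a password of `length` characters over a charset of charset_size."""
    return charset_size ** length


def bits(keyspace: int) -> float:
    """Equivalent entropy in bits when the attacker must search the whole space uniformly."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace: int, guesses_per_second: int) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def extra_bits_from_charset(old_size: int, new_size: int, length: int) -> float:
    """Bits gained by widening the character set while keeping the length fixed."""
    return length * (math.log2(new_size) - math.log2(old_size))


def extra_bits_from_length(charset_size: int, extra_chars: int) -> float:
    """Bits gained by appending extra_chars characters from the same character set."""
    return extra_chars * math.log2(charset_size)


def passphrase_report() -> dict:
    """The four-word / 50k-word scenario from the comment, at both guess rates."""
    space = word_keyspace(DICTIONARY_WORDS, PHRASE_WORDS)
    return {
        "keyspace": space,
        "bits": bits(space),
        "years_at_comic_rate": years_to_exhaust(space, COMIC_RATE),
        "years_at_offline_rate": years_to_exhaust(space, OFFLINE_RATE),
    }


if __name__ == "__main__":
    r = passphrase_report()
    print(f"{PHRASE_WORDS} words from {DICTIONARY_WORDS:,}: {r['keyspace']:.3e} candidates, "
          f"{r['bits']:.1f} bits")
    print(f"  exhaustive search: {r['years_at_comic_rate']:.3g} years at {COMIC_RATE:,}/s, "
          f"{r['years_at_offline_rate']:.3g} years at {OFFLINE_RATE:,}/s")
    # Richard's point: for an 8-character lowercase password, adding digits to the
    # character set gains fewer bits than simply adding one more lowercase character.
    print(f"  8 chars, charset 26 -> 36: +{extra_bits_from_charset(26, 36, 8):.2f} bits")
    print(f"  charset 26, 8 -> 9 chars:  +{extra_bits_from_length(26, 1):.2f} bits")
```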
