Poor Password Management Eclipses Virus Problem
Everyone seems to want to harp on malware as the most serious threat to business data and networks. Security vendors are producing a steady stream of evidence to this point. But is this really the worst threat out there?

In the first half of 2009, McAfee detected 1.5 million malware samples in the wild. That's 300,000 more than in all of 2008 and an increase of 1,800 percent over 2006. Malware creators have produced more viruses, worms and Trojans in the last 18 months than in all of the previous 10 years combined.

We presume that antivirus software, client or network, is a staple of any computing platform. Market studies have put the AV deployment base above 90 percent for years. But Symantec recently produced a report that found one in three small businesses have no antivirus protection. And, most recently, in a security study conducted by Channel Insider and CompTIA, solution providers say out-of-date antivirus applications and signature files are the most common problem, found in 38 percent of the security assessments they conduct.

Scary stuff, eh? Perhaps, but there's a bigger problem. In the same Channel Insider/CompTIA survey, solution providers say there's one problem bigger than out-of-date antivirus: poor password management. In 43 percent of security assessments, solution providers say they find poor password policies, enforcement and practices.

During a security panel I conducted at Breakaway, one of my panelists said that one medical practice he serves recognized the need for strong password policies and required each user to have a strong, mixed alphanumeric password for different applications and resources. The only problem was that this led to "sunflowers": users, including the practice's owner, adorning their monitors with Post-it notes with scribbled passwords. I agree with the panelists that passwords are a nuisance and, therefore, an overlooked problem in businesses.
Businesses have multiple applications, many requiring unique identities. Who wants to remember three, four or five unique passwords like "Pz7t49*q" (not a real password, trust me)? Even worse, good password management requires frequently changing passwords; every 30 to 60 days is the standard. Rotating passwords more frequently, every 15 days or so, is possible, but the panelists say it creates more of a management and user headache, which leads to more sunflowers from users whose memories can't keep up with the changes.

What many end users don't realize is that poor password management has a direct cost beyond security. Forgotten or mismanaged passwords often lead to help desk calls, which carry a heavy price. In the early 2000s, the cost of password resets through help desks led to the creation of automated, self-service systems that typically changed or updated passwords using challenge/response questions, such as "what city were you born in?" While those systems are good for large enterprises, few SMBs can afford such luxuries.

And even the automated systems are showing signs of weakness in the age of social networks. Users are publishing so much personal information about themselves that all hackers have to do is troll Facebook, MySpace and Twitter for the answers to questions like "favorite pet's name" and "mother's maiden name." This is precisely how Twitter CEO Jack Dorsey had his email compromised; a hacker guessed the challenge response on a Twitter employee's Google Apps account, which led to access to the Twitter network.

Password management isn't trivial. In fact, it's hard because it's both a technical and a human issue. As the solution providers on my CompTIA panel said, it's up to solution providers to give end users the guidance and tools to improve their password management.
Sometimes it's just simple common sense, like never writing down a password on a Post-it note and sticking it to your monitor, or establishing policies and automated systems for forcing password rotation. Of course, password management is also a good excuse to talk about such things as single sign-on and multifactor authentication systems.

Comments (28)
Confession:
I also have a "Password Tree"... and I'm proud to say that it's a good two feet from my computer. The alternative to the tree is a universal password that you use for everything, that is easy to remember. And that ends up being your birthday, your child's name, etc which is also very easy for someone to figure out.
Posted by Mary McElwee | August 7, 2009 1:39 PM
Good article to pose some thought provoking comments, Larry. The solutions are not simple (install this product) -- like we're used to sometimes.
Another problem to consider is the idea of solution providers managing hundreds or thousands of passwords for client networks, too. Where is the info stored? Who has access? Is the access logged? What if an engineer leaves and has malicious intent?
Posted by Chris Adragna | August 7, 2009 2:25 PM
Food for thought, Larry. I just called someone I know at Buckmaster Publishing in Virginia to see whether they offered a form of randomly created, high security caps, lower case, alphanumeric passwords. If I didn't have to create such a list I might change everything at random intervals.
Posted by John Miller | August 7, 2009 4:20 PM
I was just talking about this issue at lunch today!
I try to force our customers to change passwords, to use strong passwords and to keep their passwords to themselves. They look at me like I am crazy and tell me:
1. I am too paranoid
2. It is too much work to change passwords
3. I am too paranoid and I am trying to scare them
Would you leave your car key on the roof of your car while you shop at the mall? Would you wear earrings or a necktie with your Social Security number written on them?
No Way!
Then why make a Sunflower of post-its with your passwords and log in information?
Thanks for the article, I will be sharing it with my customers who think I just make this stuff up.
Posted by Eileen Stroup | August 7, 2009 4:54 PM
You know these excuses simply remind me of the security axiom: "Security is inversely proportional to functionality/usability/productivity." A simpler way of putting it is the more secure something is, the less user-friendly it becomes. But then again, users tend to find excuses for circumventing security regardless of the risk exposure.
Posted by Larry Walsh | August 7, 2009 5:35 PM
Wouldn't the creation of such a list just create another security vulnerability? Why use L0phtCrack when you could just run through the list (which is what L0pht and other password crackers essentially do)? Good password management systems do have auto-password generators.
Posted by Larry Walsh | August 7, 2009 5:36 PM
What many, including this author, vendors, developers of applications, and IT departments, don't realize is that this is **their** fault and not the users'. Inconsistent password rules, forcing frequent changes in passwords, and lack of single sign-on integration are the problem.
Furthermore, the author provides no proof that even with poor password practices it's more of a problem than malware. After all, good password practices are meaningless if malware installed a keyboard logger on your machine.
Posted by tim | August 7, 2009 8:54 PM
The common sense solution in the article is simple garbage. Every idea that the so called experts come up with exacerbates the problem: mixed case, numerics, frequent changes: they all contribute to no one knowing their own passwords for the many systems that they have to log in to. Simply choosing a password that isn't in the dictionary and isn't based on something personal, such as your child's name, is all that's necessary, and far better.
Posted by Simply Garbage | August 8, 2009 4:37 PM
I don't necessarily disagree. An uncommon password is better than a common password any day of the week. A mixed alphanumeric password is better than an uncommon password. The problem, I think, is not the type of passwords, but the complexity of the management of passwords.
Second is the number of passwords we are required to use. Yes, SSO has been available for years, but too few organizations use it. Even many all-Windows shops aren't using scripting to synchronize passwords across disparate network assets and applications.
Third, of course, is users assigning too much faith in the protection provided by passwords. How many times have we heard that data is protected because there's a password? Just a couple of months ago, an electric generation company in Ireland lost a laptop that contained employee records. The CEO said in a statement the data was fine because you needed a password to access it.
Posted by Larry Walsh | August 8, 2009 5:10 PM
I thought you might make mention of the dynamic password method PassWindow, no electronics or memorization needed. Keylogging trojans won't work and the key patterns are difficult to phish out of users.
Posted by Matthew Walker | August 8, 2009 5:57 PM
There have been several products to come to market like this. The one I'm most familiar with is PassFaces, which required users to correctly select the correct pictures of people from a series of line-ups. While testing of such products showed they work relatively well, they all failed to win commercial success.
Posted by Larry Walsh | August 8, 2009 6:21 PM
Simplified PW management for users:
It's not really SIMPLE, but it reduces the number of unique passwords a user has to remember, keeps them in sync, and generally maintains consistent security levels so that a compromise of a non-critical system doesn't lead to the compromise of a critical one.
1) Classify your accounts as to the security of the information contained. So financial systems would be highest security, while miscellaneous web accounts might be the lowest. Although, note that Facebook can contain enough personal information that it probably should be considered as a medium security level.
2) Within each class, identify the accounts that have expiring passwords and those that don't. Identify the account within each group that has the shortest expiration time.
3) Within each security level: for accounts with expiring passwords, pick a password that's compliant with as many of the account requirements as possible. With luck you can find one that's compliant for all. Otherwise, you may have to group the accounts within a security level according to common password requirements, and pick a relevant password for each sub-group.
4) For accounts with non-expiring passwords, pick a distinct password from the expiring ones, that is also distinct for the security level.
Again, you may have to use multiple passwords if the requirements are different between accounts.
5) Repeat 3 and 4 for each security level, so that accounts with different security levels have different passwords.
Optional: Keep a separate password at each security level for accessing shared documents that you distribute to co-workers.
Maintenance:
When the first password expires within the security level, change the corresponding password for ALL the sites within that security level. Don't put it off. You can also use the opportunity to update the other expiring passwords at that security level as well.
Update your non-expiring passwords on a set schedule, as frequently as you can stand. Every 90 days is reasonable. Once a year is minimal.
Ideally, change your passwords early in the workday and not on a Friday. That way, the password will be used repeatedly and reinforce the memorization.
As a ballpark, this will probably reduce the number of passwords to memorize to about the square root of the number of accounts (counting single sign-on accounts as a single account). So instead of having 36 distinct passwords, a user might have around 6. The user WILL need to remember which security group each site is in, and whether it's an expiring or non-expiring password.
I'll be the first to admit that this is a compromise to security. But the point of this isn't the tightest security possible, it's to find the tightest security humanly possible for the average user without having them create sunflowers.
Posted by Bruce | August 8, 2009 7:57 PM
Great article Larry; I don't believe it's practical to get a large number of people to juggle multiple passwords. You get the majority of people solving the password problem for themselves with horrible ideas like you mentioned or worse ones like using the same password everywhere or a tier password set. The tier based systems are also quite insecure and yet they make the person employing them feel safe.
I started LastPass.com after spending 4 years working in computer labs in academia and 11 years in the corporate world watching every password policy fail miserably at the goal of securing the organization.
From an enterprise point of view even if you have SSO, the user still has to remember the other passwords in their life so they'll tend to compromise security by using the same password they use for their yahoo.com email account. Plus many SSOs fail at a few sites as you mentioned.
The best solution we came up with is a single password that will work everywhere and which includes multi-factor options to increase security. That's what we built.
Our goal at LastPass is to be the last password you'll have to remember -- we're close to completing that for web based logins, and will be releasing a version soon that starts handling windows applications. We're not really a full solution yet for the enterprise, but we're headed that way.
Joe Siegrist
LastPass.com
Posted by Joe Siegrist | August 9, 2009 1:43 AM
I've been using Joe Siegrist's LastPass on my home, non-business computer for a long time now (so long, I can't remember). It has simplified my password management to a no-brainer. I feel lucky that I learned about it soon after Joe opened it to the public.
How suitable it is for the enterprise is not up to me to judge, but in my opinion it should be considered by anyone serious about online security.
And, Joe, I'm happy to give your product an endorsement.
Posted by Dan | August 9, 2009 11:44 AM
Passwords should have been end-of-lifed ten years ago. How many people today utilize 15 character passwords or longer? How do you remember all of them, and then again for every website, subscription service, your Exchange password (and personal IMAP, POP3, etc.), plus, plus, plus? You don't, period. Users will always have a workaround. It's just too hard to keep track of them, never mind the fact that anything 14 characters or less is considered by many security pros to be unsafe.
Let me also chime in on LastPass... I'm not a user. I checked out the website. Comments are based solely on the content of the website and video, not from its use.
LastPass at first glance appears to be an application service provider which stores all of your password/account information, retrieving it from a centralized location when needed. The question is this: "Do you feel comfortable asking someone else to store all of your credentials?" I don't. There's not a certification out there that would make me feel comfortable allowing LastPass to store my identity.
Alternative options? The Blackberry has a password safe, there are several local applications that run on either PC or Mac, and never phone home. These aren't perfect either, but the closer my credentials can be to an address book locked in the safe on my desk, the better.
Bottom line? NOBODY should manage your identity information, and passwords should be end-of-lifed at all costs.
J. Stutzman
Posted by J.L. Stutzman | August 9, 2009 2:37 PM
For personal use you can get biometric scanners relatively cheap nowadays, and I use a handy little app that manages all my passwords called RoboForm (www.roboform.com), a simple alternative to the sunflower problem.
Posted by ulitmax | August 10, 2009 2:52 AM
One of the problems I find with password policy is something you've touched on here - the balance between complexity and usability. It needs to hit that sweet spot where it's not easy to guess, but not too difficult to remember.
One of our systems at work recently switched to these requirements:
2 upper case characters.
2 lower case characters.
2 numerical.
2 special characters.
Note, not 'at least', the password has to be 8 characters long and have those components. People can't remember what they've used, so the 'sunflowers' are starting to sprout. It would be a lot more secure to loosen the requirements, and to have people actually able to remember their logon details.
Posted by Matt | August 10, 2009 7:14 AM
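Matt's point that an "exactly two of each" rule is worse than an "at least" rule can be checked by counting the passwords each policy allows. The following is an added example, not code from the page or from any commenter; it assumes the "special" class is the 32 ASCII punctuation characters in Python's `string.punctuation`, and it goes beyond the comment by also counting the "at least one of each class" variant and the no-rule baseline for the same 8-character length.

```python
"""Added illustration (not code from the page): how much of the 8-character
password space an 'exactly two of each class' rule throws away, compared with
'at least one of each class' and with no composition rule at all.

Assumption: 'special characters' means the 32 ASCII punctuation characters in
string.punctuation; a real policy may define a different set."""
import math
import string
from itertools import combinations

# Class sizes (the special set is an assumption, see above).
CLASSES = {
    "upper": len(string.ascii_uppercase),   # 26
    "lower": len(string.ascii_lowercase),   # 26
    "digit": len(string.digits),            # 10
    "special": len(string.punctuation),     # 32
}
ALPHABET = sum(CLASSES.values())            # 94


def free_space(length=8):
    """Passwords of the given length with no composition rule at all."""
    return ALPHABET ** length


def exact_composition_space(counts=None):
    """Passwords whose class counts are exactly those given (default 2/2/2/2).

    Count the ways to assign positions to classes (a multinomial coefficient),
    then fill each position from its own class."""
    counts = counts or {name: 2 for name in CLASSES}
    length = sum(counts.values())
    arrangements = math.factorial(length)
    for n in counts.values():
        arrangements //= math.factorial(n)
    filled = 1
    for name, n in counts.items():
        filled *= CLASSES[name] ** n
    return arrangements * filled


def at_least_one_each_space(length=8):
    """Passwords of the given length containing at least one character of every
    class, by inclusion-exclusion over the set of classes that are missing."""
    names = list(CLASSES)
    total = 0
    for k in range(len(names) + 1):
        for missing in combinations(names, k):
            remaining = ALPHABET - sum(CLASSES[m] for m in missing)
            total += (-1) ** k * remaining ** length
    return total


def bits(space):
    """Size of a guessing space expressed as bits, rounded to 0.1."""
    return round(math.log2(space), 1)


def compare(length=8):
    """Side-by-side summary of the three policies for one password length."""
    exact = exact_composition_space()
    each = at_least_one_each_space(length)
    free = free_space(length)
    return {
        "exact_2_each_bits": bits(exact),
        "at_least_one_each_bits": bits(each),
        "no_rule_bits": bits(free),
        "no_rule_over_exact": free // exact,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With these class sizes the "exactly two of each" rule leaves about 46.7 bits against 52.4 bits for an unconstrained 8-character password, a space roughly 51 times smaller; the "at least one of each" rule costs only about one bit. An attacker who knows the policy can restrict guesses to the allowed shape, so the rule both shrinks the space and, as Matt observes, pushes users toward writing the result down.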
Larry, very useful article and much to think about.
I also have been using and liking LastPass (after using others). I too am anxious about synchronizing passwords through someone else's server, but it boils down to trusting someone somewhere. Apropos Larry's comment earlier in this thread ("Security is inversely proportional to functionality/usability/productivity."). With LastPass, I find myself having more "strong" passwords than before and nothing written down on paper.
Posted by Steve Backman | August 10, 2009 7:50 AM
Larry suggests that the problem is that password files can be cracked which is why we need strong passwords. Presumably as computer power increases infinitely we will have to remember infinite length passwords.
The answer is pretty simple: protect the password hashes by protecting a file, adding salt, etc. If the password hashes are properly protected, then a "trivial" password is just as strong as a "complex" password. If the same effort that has been wasted on password complexity rules, password resets, etc were instead spent on password hash protection, this problem would have been solved long ago.
Let's put the blame where it belongs, 100% on the system implementors, 0% on the users.
Posted by Eric Peterson | August 10, 2009 10:48 AM
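Eric's argument is that the hash store, not the user, decides how hard offline cracking is. The block below is an added example written for this thread, not code from the page or from any product named in it; it contrasts a plain SHA-256 store with a salted, iterated PBKDF2-HMAC-SHA256 store from the Python standard library. The user names, passwords, common-password list and iteration count are constructed sample values.

```python
"""Added illustration (not code from the page): why a salted, iterated hash
changes the economics of offline cracking even for weak passwords.

hash_unsalted() models the legacy scheme (plain SHA-256 of the password);
hash_salted() uses PBKDF2-HMAC-SHA256 from the standard library. The users,
passwords and common-password list below are constructed sample data."""
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 100_000   # assumption: a moderate work factor, raise in production
SALT_BYTES = 16


def hash_unsalted(password: str) -> str:
    """Legacy scheme: identical passwords give identical hashes, so one
    precomputed table of common passwords cracks every matching account."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a random per-user salt, stored as a
    self-describing record so the parameters can be raised later."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed sample data: two users who happen to pick the same weak password.
USERS = {"alice": "password1", "bob": "password1", "carol": "S7!kq2"}
COMMON_PASSWORDS = ["123456", "password", "password1", "qwerty", "letmein"]


def crack_unsalted(stored: Dict[str, str]) -> Dict[str, str]:
    """One lookup table, built once, recovers every account that used a
    common password; it is independent of the user and reusable across sites."""
    table = {hash_unsalted(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in stored.items() if h in table}


def demo() -> Dict[str, object]:
    """Compare what a leaked store gives away under each scheme."""
    unsalted = {u: hash_unsalted(p) for u, p in USERS.items()}
    salted = {u: hash_salted(p) for u, p in USERS.items()}
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "salted_identical": salted["alice"] == salted["bob"],
        "cracked_from_table": crack_unsalted(unsalted),
        "alice_verifies": verify_salted("password1", salted["alice"]),
        "wrong_rejected": verify_salted("password2", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt defeats the shared lookup table (each account must be attacked separately and the store no longer reveals which users share a password), and the iteration count multiplies the cost of every guess. Neither makes "password1" a good password; what they do is put the cost of guessing on the attacker rather than on the user's memory, which is Eric's point.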
Eric, I couldn't agree more. You have a couple of simple choices here. One, as you suggest, is better ways of protecting the password. Two is multifactor authentication that would augment the strength of the password with a second form factor, such as a token, certificate or biometric. While some high-value systems -- such as in government agencies -- use multifactor authentication, such systems have failed to make it at lower levels because of cost and user acceptance. American Express' Blue card was the first major experiment of a widespread deployment of multifactor authentication. The Blue card was essentially a smart card that contained a certificate. Amex gave away USB-based card readers that users could easily plug into their PCs to make secure purchases online. How did users react? They rejected the system even when it was free because it was too difficult. So, I agree with Eric that administrators and solution providers need to do better in protecting the passwords, but users are not absolved of responsibility, either.
Posted by Larry Walsh | August 10, 2009 11:40 AM
There are two logical and easy alternatives that work well for users and are also secure. The first is anagramming and the second is pass-phrasing. I won't stick a bunch of links in here to all the security experts that are behind these two alternatives; rather, I'll just explain them. Common sense should prevail.
First, the anagramming: Have your users try this, come up with a saying or line and put it to the anagram. E.g., "Simple Simon met a pieman going to the fair." becomes: SSmaPg2tf. It's nonsensical and fairly immune to brute force attacks.
Second, pass-phrasing: Have the users pick a lyric from their favorite song or a line from their favorite movie-- it's long and (again) nigh impossible to brute force or dictionary attack.
The only drawback to either of these methods is if the password security policy requires symbols or numbers. The anagram version is a little easier to slip numbers and symbols into.
Posted by Mike | August 10, 2009 4:17 PM
This is an issue that needs an innovation coming from IT people, and not more changes with more complexity... Our lives are a maze of passwords and access codes. If we do not make it less work for clients and customers to practise greater security it's only going to get worse. I personally have over 10 passwords: home vm, work vm, cell vm, work computer, home computer, BlackBerry (on top of the vm password), bank card, Entrust password, admin password, server passwords, test account password. Two of these, my admin password and work computer, are force-changed every 90 days and have been for at least 5 years. What's that, 8 a year for 5 years... 40 different ones, with no repeats up to 11, no language phrases, etc. It's too much. We also have actual door and vehicle keys, punch codes for doors, swipe cards for telecom rooms. Sheesh... is anyone making any progress with retinal scans?
Posted by Sandy | August 10, 2009 4:35 PM
I'm constantly amazed that even after SO many discussions over SOOOO many years that passwords haven't been end-of-lifed in the mainstream products.
We're stuck in a quandary... first, users use simple passwords to make them easy to remember. The other end of the quandary is users who use multiple complex passwords and write them down somewhere to make them manageable.
Today it doesn't really matter anyway since passwords are captured using key loggers, pulled from running memory, or simply created once a mal-user has access on a system.
So where should we go? Encrypted, one time use credentials? Other forced interactivity measures to ensure validation of the user --i.e.: multiple authentications into each layer of the network? Role Based access?
Jeff
Posted by J.L. Stutzman | August 11, 2009 6:32 AM
Hi Larry, good comments. We have said the same thing to our customers regarding Single-Sign-On solutions.
Posted by Dan Dalton | August 11, 2009 6:47 PM
The fundamental problem is that the received wisdom password rules are based on a misunderstanding of the real exposures we currently face. The received wisdom is then propagated and followed by people who don't have the faintest idea or the least interest in why the rules are what they are. Result: dumb password policies that don't actually deliver but annoy people.
If we're talking about individual use of login credentials and attackers at that interface, provided your interface has a robust retry lockout like 3-5 retries (and if it doesn't it's rubbish), extending the character set to include "specials" doesn't help very much. Nor does a pseudo-random sequence. The essence of a good password in this context is that it is adequately long (8-10 characters for now), easy for the owner to remember but difficult for the attacker to guess.
That means one of the best strategies is the acronym of a pass phrase - select a private phrase at least 8 words long and use the first letter of each word from it. To the attacker that's pretty good entropy, provided the phrase is not well known.
The "rules" we mostly take for granted really hark back to the 1980s, when everyone was obsessed with offline brute forcing of UNIX password files. But that's a completely different problem. These days, after sharing or displaying passwords in full view, the biggest hazard we face today is malware-driven keystroke logging. If that's happening, the strength of the password is immaterial. So the bottom line is that password strength is not an isolated phenomenon - it's one component of a security regime in which system robustness, malware control and user policies.
Posted by Mike | August 12, 2009 8:30 AM
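Mike's two comments above describe the pieces of a sane online-login regime: a retry lockout of 3-5 attempts at the interface, and a password that is the acronym of a private passphrase (his earlier comment's "Simple Simon" example). The block below is an added example written for this thread, not code from the page or from any commenter; it assumes a lockout threshold of 5, stores passwords as PBKDF2-HMAC-SHA256 with a random salt, and treats the word-to-symbol substitutions in `acronym()` (to -> 2, for -> 4, and -> &) as a stylistic choice, so its result differs slightly from the hand-made "SSmaPg2tf". The user names and guesses are constructed.

```python
"""Added illustration (not code from the page): an online retry lockout and a
passphrase-acronym generator, the two pieces Mike's comments describe.

Assumptions: lockout after 5 consecutive failures (top of the 3-5 range);
PBKDF2-HMAC-SHA256 with a random salt for storage; the substitutions in
SUBSTITUTIONS are a stylistic choice. Users and guesses are constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

SUBSTITUTIONS = {"to": "2", "for": "4", "and": "&"}


def acronym(phrase: str, substitutions: Dict[str, str] = SUBSTITUTIONS) -> str:
    """First letter of each word, keeping the writer's capitalisation, with the
    optional word-to-symbol substitutions applied so the result can satisfy
    policies that demand digits or symbols."""
    out = []
    for word in phrase.split():
        cleaned = word.strip(".,;:!?\"'")
        if not cleaned:
            continue
        out.append(substitutions.get(cleaned.lower(), cleaned[0]))
    return "".join(out)


class LoginGate:
    """Per-account failed-attempt counter. The account locks after max_attempts
    consecutive failures and stays locked until unlock() is called. With a lock
    at 5 tries an online guesser gets at most 5 candidates per account, which
    is why exotic character sets add little at this interface."""

    def __init__(self, max_attempts: int = 5, iterations: int = 50_000):
        self.max_attempts = max_attempts
        self.iterations = iterations
        self._records: Dict[str, Tuple[bytes, bytes]] = {}
        self._failures: Dict[str, int] = {}

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, self._derive(password, salt))
        self._failures[user] = 0

    def attempt(self, user: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'. The lock is checked before the
        password so guessing cannot continue against a locked account."""
        if user not in self._records:
            return "denied"
        if self._failures[user] >= self.max_attempts:
            return "locked"
        salt, stored = self._records[user]
        if hmac.compare_digest(self._derive(password, salt), stored):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        return "locked" if self._failures[user] >= self.max_attempts else "denied"

    def unlock(self, user: str) -> None:
        """Administrative reset of the failure counter."""
        self._failures[user] = 0


def demo() -> Dict[str, object]:
    """Register one user with an acronym password, then run a short guess list
    followed by the correct password; the lock swallows the correct guess."""
    gate = LoginGate(max_attempts=5)
    secret = acronym("Simple Simon met a pieman going to the fair.")
    gate.register("alice", secret)
    guesses: List[str] = ["password", "Password1", "alice123", "letmein", "qwerty", secret]
    outcomes = [gate.attempt("alice", g) for g in guesses]
    gate.unlock("alice")
    return {"secret": secret, "outcomes": outcomes,
            "after_unlock": gate.attempt("alice", secret)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The lockout is what bounds the online attacker; the acronym is what lets the owner remember something an attacker who does not know the phrase cannot guess from a dictionary. A real deployment would add a timed rather than permanent lock (so the mechanism cannot be used to deny service to a user) and log the lock events for the help desk.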
Thanks for recommending us ulitmax :-)
FYI We have an Enterprise version available here: http://roboform.com/enterprise
We have Fortune 500 companies that are already using RoboForm in production with great success after having difficulty implementing complex Single Sign-On solutions.
In addition we also have a beta version that can handle logins for non-web applications as well as Active Directory integration.
Simon Davis
Marketing Manager/Siber Systems
s2davis (at) roboform [dot] com
Posted by Simon Davis | August 12, 2009 4:54 PM
I recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.
Susan
Posted by Susan | August 17, 2009 6:26 AM
Good Post Larry!
To recover your passwords and to maintain Help Desk and Active Directory, Techblue promotes some good tools that reduce the burden on the manager.
Our Active Directory Password Reset Solution will save your company time and money by relieving your Help Desk and Network Administrators of fielding password calls and allowing your users to reset their own passwords without having to sit on hold with your Help Desk line. ADPR provides a secure way for password reset, password change and account unlock capabilities.
Active Directory Help Desk Management has a lot of importance in the Active Directory Management process. As organizations grow, additional resources like networks, system maintenance, and admin tasks also grow at a similar pace. It becomes difficult to manage Active Directory in an efficient and timely manner.
Fortunately, Active Directory Manager provides the much-needed ability to assign routine Active Directory Management and support tasks throughout the organization with its powerful 'Techblue Help Desk' feature. It allows the Active Directory administrator to assign all the tasks to non-administrative users, such as employees working as help desk technicians, with limited or full authentication and authorization controls as per administrator requirement, which will reduce the workload on the Administrator (ADPR).
Posted by techblue | August 16, 2010 12:24 AM