In many cases, it is. See dictionary attack for the details. If I can get a collection of password hashes, from the password file on your server or by sniffing your network, it is trivial to crack any passwords that are short, common names, common words, or are predictable in some other way.
Numerous studies have shown that users are lousy at picking good passwords. Half of them would use “sex” if the system let them.
I’m in the military and my password must be FIFTEEN fucking characters long, have 1 uppercase and 1 lower case letter AND 1 special character, can’t have any words in it and it can’t “look like a word” like 100k or other leet gibberish.
Oh, we have to change them every 90 days and can’t reuse the same password within 20 changes.
I forgot to add, if you think I work on some classified system you’re wrong. I’m in grad school at AFIT and these computers are strictly on the .edu domain.
Not quite. NASA was aware of the recurring problems with foam fragments and aware of concurrent problems with tile damage. They knew they had problems. The failure was in how those problems were prioritized and addressed, especially higher up the chain of command.
If IT departments would come up with some useful password training (such as how to construct a strong password from an easily memorized phrase using some simple rule – e.g. take the first letter of each word followed by the number of letters in the word, and so on for each word in the phrase) instead of the silly hectoring they actually do, the problem might actually get solved.
I think mks57 was treating Dr. Drake’s phrase as the gentle hyperbole it was. And yes, a real-word codebook is many orders of magnitude smaller than one containing arbitrary alphanumeric strings. This could very easily be the difference between a system being cracked or not; particularly since the cost of a dictionary attack is directly proportional to the number of possible passwords.
There are about 1,000,000 English words, depending on whose estimate you believe. The number of possible 8-character case-sensitive passwords with numbers allowed is (26*2 + 10)^8 = 2.2 * 10^14. So that’s about 8 orders of magnitude difference; a huge margin when you’re trying a brute-force attack on a system. As noted, these are pretty rare (and can be protected against in a number of ways), but still. By voluntarily restricting yourself to barely 1 billionth of the possible passwords available to you, you are most certainly handing a huge advantage to anyone intending to find out your password by brute force.
Obviously, setting unreasonable password requirements that cause even well-meaning users to resort to writing down their passwords is just as stupid, but setting real-word passwords (even if you’re allowed to) is still pretty silly.
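The keyspace comparison in the post above, worked as an added example (not code from anyone in this thread). It generalizes the 62^8-versus-one-word calculation to the other policies mentioned here and to multi-word passphrases; the 32 printable specials, the 1e9 guesses/second offline rate and the policy labels are assumptions.

```python
import math

# Character-class sizes (US keyboard); the 32 printable specials is an assumption.
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 32

def charset_keyspace(length, classes):
    """Strings of exactly `length` chars drawn from the union of the given classes."""
    return sum(classes) ** length

def wordlist_keyspace(words_in_list, words_per_password=1):
    """Passwords made of `words_per_password` words chosen from a list of `words_in_list`."""
    return words_in_list ** words_per_password

def bits(keyspace):
    """Keyspace expressed as bits, the usual way to compare policies."""
    return math.log2(keyspace)

def orders_of_magnitude(larger, smaller):
    """Powers of ten separating two keyspaces, rounded to the nearest whole one."""
    return round(math.log10(larger / smaller))

def exhaust_seconds(keyspace, guesses_per_second):
    """Worst-case time to try every candidate offline at a given guess rate."""
    return keyspace / guesses_per_second

# Policies mentioned in the thread, plus a multi-word passphrase for comparison.
POLICIES = {
    "one English word (1e6-word list)": wordlist_keyspace(1_000_000),
    "6 letters only, no digits": charset_keyspace(6, (LOWER, UPPER)),
    "8 chars, letters+digits": charset_keyspace(8, (LOWER, UPPER, DIGITS)),
    "4 words from a 1e6-word list": wordlist_keyspace(1_000_000, 4),
}

def compare(rate=1e9):
    """Keyspace, bits and worst-case exhaust time (assumed guess rate) for each policy."""
    return {name: (ks, bits(ks), exhaust_seconds(ks, rate)) for name, ks in POLICIES.items()}

if __name__ == "__main__":
    for name, (ks, b, secs) in compare().items():
        print(f"{name:35s} {ks:10.2e}  {b:5.1f} bits  {secs / 3600:12.1f} h at 1e9 guesses/s")
```

These are worst-case counts for an attacker who has the hashes; real users choose far from uniformly, which is exactly why the "real-word codebook" is so much smaller than the nominal keyspace.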
This is the dumbest thing. Yeah, passwords need to be secure. But if a user can’t remember their password, they’re going to write it down. It is GUARANTEED that they will write it down. And if you make it a firing offense to write down a password, they’ll just write it down but not stick it too their monitor. And if you require a dozen passwords, all system generated, all changing every 30 days, there’s absolutely no way for a normal human being to memorize them. It can’t be done. One user-generated strong password that changes every 90 days is within human limits. A dozen system generated strong passwords are not.
And then you’ve got a situation comparable to buying the strongest vault on the market, with totally unbreakable locks, and then having the employees leave the bank vault open all the time because it’s too much trouble to have to open and close it all the time. If people can’t do their jobs because “security” is too stringent, they’ll figure out ways to bypass the security so they can actually get work done. The more you “tighten” security, the more security holes the users will create. The only secure system would be one with no users.
The logic of saying you “can’t use a word”–even some really random word, like “zoetrope”–is that it would be vulnerable to a “brute force dictionary attack”. But with any password system worth jack shit, wouldn’t that go something like “aardvark…aardwolf…Aaronic…aasvogel…abacus…Your account has been locked for repeated password violations. Please contact the system administrator to have your password reset”?
Yep; that and limiting the rate at which login attempts can be made. However, attacks of this nature need not only be made by simply inputting the password; should the attacker be able to get hold of the encrypted version of the password (which is transmitted by many network authentication schemes), he can then use that to try and work out the original password. Having a reduced dictionary of candidate passwords greatly simplifies this sort of attack too.
Plus, having your accounts automatically lock out after three failures becomes a fairly attractive way of attacking your system itself; if a hacker only wants to cause mischief, locking everyone out of their computers simultaneously sounds like a great wheeze.
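An added example (not code from anyone in this thread) of the rate-limiting alternative discussed in the last two posts: per-account failures get an escalating, capped delay rather than a hard three-strikes lockout, so the "lock everyone out" mischief has far less effect, and a source that fails against many distinct accounts is flagged for the defenders. The class name, thresholds and the constructed IPs and account names are assumptions.

```python
import time
from collections import defaultdict

class LoginThrottle:
    """Per-account failure tracking with escalating delay instead of a hard lockout."""

    def __init__(self, base_delay=1.0, max_delay=300.0, free_failures=3, window=900.0):
        self.base_delay = base_delay          # seconds after the first throttled failure
        self.max_delay = max_delay            # cap: an account is slowed, never locked outright
        self.free_failures = free_failures    # ordinary typos before throttling begins
        self.window = window                  # failures older than this are forgotten
        self.failures = defaultdict(list)     # account -> timestamps of recent failures
        self.source_targets = defaultdict(set)  # source_ip -> accounts it has failed against

    def _recent(self, account, now):
        self.failures[account] = [t for t in self.failures[account] if now - t < self.window]
        return self.failures[account]

    def wait_required(self, account, now=None):
        """Seconds the caller must wait before another attempt on this account (0 = proceed)."""
        now = time.time() if now is None else now
        recent = self._recent(account, now)
        excess = len(recent) - self.free_failures
        if excess <= 0:
            return 0.0
        # Delay doubles with each failure beyond the free ones, up to the cap.
        delay = min(self.base_delay * (2 ** (excess - 1)), self.max_delay)
        return max(0.0, recent[-1] + delay - now)

    def record_failure(self, account, source_ip, now=None):
        now = time.time() if now is None else now
        self.failures[account].append(now)
        self.source_targets[source_ip].add(account)

    def record_success(self, account):
        """A correct password clears the account's failure history."""
        self.failures.pop(account, None)

    def lockout_flood_sources(self, min_accounts=10):
        """Sources that failed against many distinct accounts: the 'lock everyone out' pattern."""
        return {ip for ip, accts in self.source_targets.items() if len(accts) >= min_accounts}

if __name__ == "__main__":
    t = LoginThrottle()
    for i in range(6):  # constructed: six bad guesses against one account, one second apart
        t.record_failure("alice", "10.0.0.1", now=float(i))
    print("alice must wait", t.wait_required("alice", now=6.0), "s")
```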
Incidentally, and totally off the subject, but every time I see this thread title, I read it as “Grrl! Do I REALLY need a case sensitive password 8 characters long?”
I’m sure you’ve heard of the kid who created the password “SupermanSpidermanBatmanGreenLanternWonderWoman.”
Because he was told it had to be at least five characters long.
Anyhoo… my department just adopted a new password policy. All passwords must henceforth be at least EIGHT characters long, have at least one uppercase and at least one lowercase character, at least three numbers, and have no more than three sequential numbers or letters in a row (no “1234” or “abcd,” etc.). Oh, and the passwords must be changed every 90 days.
I think in this day and age, passwords shouldn’t have those strict requirements. Say make them six or more characters long, but beyond that, do what you like. When I log in to the payroll system at work, it must be a password of exactly six characters, and no numbers or special characters. Other systems say you MUST have numbers in them. It’s a pain in the arse.
Anyway, I have to change my password every six weeks, so I just reverse it, then put it the right way around six weeks later.
Ouch! Except for the “no 3 characters may form a word” I was thinking that I’d win: ours have to be 14 characters and all the other stuff applies as well. Interestingly, when they first changed it from 8 (or whatever) to 14, the instructions still said 8… so we were extra-special-frustrated with that first password change when the damn system wouldn’t TAKE the new passwords.
So I have the following when I log in to work every day:
hard drive
PGP
Windows
email
intranet
client network (Citrix)
Client task-tracking tool
Client Unix box
Database account
Several different user accounts on each of several different databases (as in, up to 4 users on one, up to 4 on the next, etc.)
Timesheet tool
Then there are all the assorted personal logins.
I may win for sheer number of passwords I might have to enter in any given day (this is ignoring the personal ones).