Really Unique Passwords


Erebus the Black

Monday, April 02, 2007

by Jake Vinson (not me)

 

Originally Posted By: Jake Vinson
We all know the rules for good passwords. They should be at least 90 characters long, have no recognizable words or phrases, consist of 30% lowercase characters, 30% uppercase characters, and 40% special characters, and they should be changed daily, if not hourly. Where I work, if you forget your password, you're fired on the spot and recommended for execution.

 

OK, maybe I'm exaggerating a little, but let's quit jerking each other around and get serious. Password security is a big deal. Enrique knows this as well as the rest of us. Sadly, two developers he worked with missed the message.

 

Enrique was doing maintenance work on an application that allows users to register to buy and sell antiques. The registration process was simple. Enter a username, address, phone number, email address, and password, and you're in. Of course, if the username is taken, you're asked to enter a different username. And of course, if the password you've chosen is in use by another user, your registration fails.

 

No, I'm not kidding. Passwords had to be unique throughout the system. And judging by lists of user passwords I've seen, many users probably encountered this issue when trying to use a password of "password." The password field of the user table was also the primary key field making it impossible to have duplicate passwords, and they were stored unencrypted to make the verification process easier.

 

On the bright side, the original developers hadn't forgotten to set a unique constraint on the username, but Enrique was intrigued enough to email them and ask them about the architecture. They sent back a database diagram, and what Enrique saw next chilled him to the bone. The password field was used as the foreign key throughout the system. To reiterate, every table that recorded a bit of user information used an unencrypted password to identify the user.

 

A lot of words ran through Enrique's head, most of which can't be printed here. His biggest concern, though, was "what if the user wants to change their password?" See, most users have grown accustomed to luxuries like the ability to change their password. He fired back another email asking this very question.

 

"Well, we'd first check that no one else was using that password. Then we run sp_change_password."

 

sp_change_password consisted of a long list of UPDATE statements; one for each table that had any user-related information in it. Any time new tables were added, they'd have to remember to update sp_change_password. None of these updates were done within a transaction.

 

Enrique asked about referential integrity — if a field was updated, other tables would point to data that didn't exist anymore. "Oh, we had that problem the first time, so we removed all of the foreign key constraints in the database and it works now." Since referential integrity wasn't preserved, cascading updates were impossible, requiring sp_change_password to be built, but then referential integrity couldn't be preserved, and now the circle is complete.

 

Enrique knew he'd have to push the other developers and let them know how bad of a design this was, so he pointed out possible system exploits. "Say someone made a script that'd create accounts like crazy, guessing different passwords each time. If a password error came back, they'd have a user's password. If a username error came back, they'd have a user's username. Eventually a matrix of usernames and passwords would be compiled, then it'd be a simple matter of attempting to log in."

 

"Ohhh... umm... I guess you're right," was all the developer could muster. "But then we'd have to change every table to use a username as the foreign key, maybe even apply constraints on the server, and change the token each user carries throughout the application to be their username!" It was a major change, but Enrique insisted they do the work.

 

The next day, the boss summoned Enrique to his office. "I hear there might be some major delays in our project, and I heard a funny rumor that you have something to do with it."

... if anyone is looking for employees, Enrique is looking for a job.

Link to comment
Share on other sites

There was an XKCD strip a while ago that implied that longish pass-phrases that don't make any sense are the best way to go. The idea is that a string of six random words is like a sequence of six characters, but each drawn from a set of around 100,000 possible characters (i.e. words). Whereas if you use special characters and upper and lower case and numbers and so on, you're getting a set of maybe only 100 possible characters. So six random words should be about as good as 15 random characters. They'd take longer to type, since after all your string of random words amounts to a string of correlated letters without special characters, so you're ultimately just getting a secure password by having a very long password. But it's a very long password that is much easier to remember than a much shorter string of random characters, because it's easy to make up a crazy but memorable little story in which the random string of words somehow makes sense.

Link to comment
Share on other sites
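As an added check on the arithmetic in the post above (not part of the original comment), treating every word or character as an independent uniform choice from a set of size $N$, $k$ such choices carry

$$H = k \log_2 N \ \text{bits}.$$

Six words from a list of 100,000 and fifteen characters from a set of 100 give

$$H_{\text{words}} = 6 \log_2 10^5 \approx 6 \times 16.61 \approx 99.7 \ \text{bits}, \qquad H_{\text{chars}} = 15 \log_2 10^2 \approx 15 \times 6.64 \approx 99.7 \ \text{bits},$$

and the two are in fact exactly equal, since $(10^5)^6 = 10^{30} = (10^2)^{15}$. The figure only holds when the words are drawn at random (dice or a generator); a sequence a person picks so that it "makes sense" is far from uniform and carries correspondingly less.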

For a while I used six-letter names created by Tolkien. Then one day I forgot my password and found out how many names fit that requirement.

 

You are looking for a string that is long enough so a program can't get it by trying everything or running a table lookup of all the words in a dictionary within a reasonable amount of time. However, limiting the number of tries works just as well.

Link to comment
Share on other sites

No, but I'm thinking about it. It's essentially the strategy of putting all your eggs in one basket — and making sure it's a really good basket. You pick one master password, and you make it a real humdinger, probably by the XKCD method. Then this dedicated company generates tons of wacky gibberish passwords for you, and somehow keeps track of them all so that you don't have to. If that company ever gets cracked, you are toast, but as long as they stay secure, you're pretty much okay.

 

Frankly, the other option is to decide it doesn't matter too much, anyway. Watch your credit card bills, and report any mysterious expenses as fraud right away. Don't post anything online that you don't want the world to see. I'm not sure what a hacker could really do with my online identities, anyway. Post embarrassingly foolish things here, I suppose; but I doubt anyone would be able to tell if they did.

Link to comment
Share on other sites

That looks interesting; I'll try LastPass. UBB's random password generator had given me "iQrCFg" when I had forgotten mine. Not very creative, but I suppose with all those upper and lowercase letters it must be hard to get at.

 

I had read somewhere that websites and software have become so secure that they can no longer be dictionary-attacked or trial-and-errored, and that the only surefire way of getting a person's password is through logging the person's keystrokes.

Link to comment
Share on other sites

I know this story; I think it was on the Daily WTF some time back.

 

Quote:
The password field of the user table was also the primary key field making it impossible to have duplicate passwords, and they were stored unencrypted to make the verification process easier.

 

This is... awesome. The only way to improve on it would be to tell users which other account has the password they tried to enter.

Link to comment
Share on other sites

http://howsecureismypassword.net/

 

Personally, I have one to two passwords that I use regularly. Then, for stuff like my domain registrar and some financial [censored], I use a more complex and absurdly long password. I just adore how my online banking password is less secure than my SW password, due to lameass password limits (Only up to 12 chars? Are you [censored] kidding me?).

 

I use public-key authentication for all the important stuff, though. I actually started using the idea for more than email signing because it was more convenient. No passwords to dick with, just open ssh and it does the hoofwork.

Link to comment
Share on other sites

Originally Posted By: Aʀᴀɴ
I know this story; I think it was on the Daily WTF some time back.

Quote:
The password field of the user table was also the primary key field making it impossible to have duplicate passwords, and they were stored unencrypted to make the verification process easier.


This is... awesome. The only way to improve on it would be to tell users which other account has the password they tried to enter.

Finally someone bothered reading beyond the first two paragraphs.
Link to comment
Share on other sites

I am required to have passwords with a company that has poor IT. So poor, in fact, that its online systems are fragmented and there are three separate accounts and passwords required. The account names all have different requirements. One is a string of numbers, one must be a full name, and one is a combination of initials and random number.

 

The password requirements range from 8 characters with no restrictions to the usual draconian "must have a number, a capital letter, a symbol, and at least 8 characters, no words." Fine; I set all my passwords to the same exacting string. But then I learned the horrible truth: required password changes. One every month, one every three months, and one doesn't.

 

Oh, and one of the things rejects new passwords if they match any previous password, but another rejects passwords for being similar to any of the last 50, by some arbitrary metric. Needless to say, this requires the password to be stored in plaintext somewhere. This is obviously the case, though, because the "I lost my password!" button just emails it back to you, again in plaintext.

 

—Alorael, who can now never log into any of these places on the first try. He'd accept this if there were decent security, but security is neither necessary (there is no private information or payment involved) nor present (passwords in plaintext!). He'd like to brain all those responsible.

Link to comment
Share on other sites

These are my favourite kind of DailyWTF stories. Most of them have just one simple facepalm moment, but ones like these are a cavalcade of catastrophe.

 

I also use public-key authentication when possible, but a problem I've had is trying to remember the login password when public key authentication is turned off (we had a hacking attempt in our department a while back). Remembering multiple passwords is easy when you use them on a regular basis, but if you haven't had to type in your password to log in for months, it's easy to forget.

 

Which brings me to a related point: what do people think about writing passwords down? People like Bruce Schneier seem to be okay with it. I keep my list at home, not in my wallet, and only write down my less vital passwords (no banking passwords, for example). If someone breaks into my house, I've got more important things to worry about than someone getting my WebDip login information.

Link to comment
Share on other sites

I have about a dozen different passwords on various sites ranging from [sorry, I'm not telling] to [my lips are sealed] to [you've got to be kidding me] to here. Good luck figuring out any of my passwords without software, or even what most of them are for. Despite being written down, everything's been coded using a somewhat complex set of rules only I know and understand.

 

Originally Posted By: !Pinkie Pie
How did you know that my password is password?

Nah. It's not. It would be too easy to have it like that.

Of course it's not. Everyone knows your username is "password," and your password is "username."
Link to comment
Share on other sites

Originally Posted By: Ephee
My password is usually "incorrect", so that if I forget it and guess wrong, my computer will just tell me the answer.

(And, on the off-chance I stole this joke from here, pre-emptive apology postcards have been sent off.)


Did you know that UBB has a feature where it recognizes your password and, if you try to type it out on the boards, it blanks it out and replaces it with asterisks when you post it? It's true! Look, my password is ************. It shows up just fine in the "reply" box and the "Preview" window, but now it's been censored once I post.

Clever. Who would have thought UBB had it in it?
Link to comment
Share on other sites

Originally Posted By: Dantius
Did you know that UBB has a feature where it recognizes your password and, if you try to type it out on the boards, it blanks it out and replaces it with asterisks when you post it? It's true! Look, my password is ************. It shows up just fine in the "reply" box and the "Preview" window, but now it's been censored once I post.

Clever. Who would have thought UBB had it in it?


I've heard Facebook has a similar feature. Of course, typing in passwords is for chumps. I tend to just have my browser remember as many of mine as possible; the only one I ever have to manually type in is for my bank, but Firefox does remember my username for that.
Link to comment
Share on other sites

Originally Posted By: Dintiradan
Which brings me to a related point: what do people think about writing passwords down? People like Bruce Schneier seem to be okay with it. I keep my list at home, not in my wallet, and only write down my less vital passwords (no banking passwords, for example). If someone breaks into my house, I've got more important things to worry about than someone getting my WebDip login information.


If you're worried about having written passwords stolen but still want a reminder, you can always use steganography. My PIN for my old Visa card was stored in my desk drawer in the form of a short poem: the number of words in each line corresponded to a digit of the PIN.

Originally Posted By: Archives of the Annals of Review
—Alorael, who once used the same password on Desperance and Spiderweb. Alec gleefully then used his Spiderweb account. That particular password has long been retired.


Are you sure it was Alec? Because he doesn't remember doing this.
Link to comment
Share on other sites

Originally Posted By: Lilith
Originally Posted By: Dintiradan
Which brings me to a related point: what do people think about writing passwords down? People like Bruce Schneier seem to be okay with it. I keep my list at home, not in my wallet, and only write down my less vital passwords (no banking passwords, for example). If someone breaks into my house, I've got more important things to worry about than someone getting my WebDip login information.


If you're worried about having written passwords stolen but still want a reminder, you can always use steganography. My PIN for my old Visa card was stored in my desk drawer in the form of a short poem: the number of words in each line corresponded to a digit of the PIN.


That's kind of similar to how I store my passwords at work: I write them in Chinese numerals on a slip of paper, write an English version of some famous Chinese quote by Confucius or somebody, source it in English, and tack it up on my bulletin board. Then I just stick a post-it note with a phone number over half of it, and nobody's the wiser. Hidden in plain sight.
Link to comment
Share on other sites

Originally Posted By: Rowen is off to the coast
In high school I was able to get the lock on my locker set so that it would open anytime for anyone. I never even bothered knowing my combo past day 1. Everyone I knew did the same things to their lockers too.
You could do this at my high school too, but people would walk down the hall turning the locks just to mess with everyone.
Link to comment
Share on other sites

Originally Posted By: Rowen is off to the coast
In high school I was able to get the lock on my locker set so that it would open anytime for anyone. I never even bothered knowing my combo past day 1. Everyone I knew did the same things to their lockers too.

In high school I didn't have a locker.
Link to comment
Share on other sites

Originally Posted By: Lilith
Originally Posted By: Archives of the Annals of Review
—Alorael, who once used the same password on Desperance and Spiderweb. Alec gleefully then used his Spiderweb account. That particular password has long been retired.


Are you sure it was Alec? Because he doesn't remember doing this.

I'm pretty sure it was Alec. I may have overstated a bit: his gleeful use was, if I remember right, one odd but not awful post before he let me know over AIM that I'd failed password security 101. It wasn't a particularly big incident.

—Alorael, who used a strategy similar to Lilith's, except he made his passwords the first two or three words of lines of a poem he kept above his desk. He wasn't sure what he would do when he ran out of lines, but he stopped needing access to that particular system before he hit the last line.
Link to comment
Share on other sites

I have found that the acronyms I used in the army appear quite cryptic, yet are easy for me to remember. Changing case and adding numbers satisfies most security auditing algorithms. Then I would set up a repeating series of 5 or 6 variations.

The trick is remembering which version of which acronym went with which application.

Link to comment
Share on other sites

Originally Posted By: Harehunter
Changing case and adding numbers satisfies most security auditing algorithms. Then I would set up a repeating series of 5 or 6 variations.

 

The trick is remembering which version went with which application.

 

That's the same problem I have. My password is *(Capital if required)*******(and if it requires 1 number)*(if more)** Et cetera.

 

But usually I enter random versions until it accepts.

Link to comment
Share on other sites

Originally Posted By: Lilith
If you're worried about having written passwords stolen but still want a reminder, you can always use steganography. My PIN for my old Visa card was stored in my desk drawer in the form of a short poem: the number of words in each line corresponded to a digit of the PIN.
You know, that sounds pretty cool. I'm curious as to how you'd handle zero, though.

Originally Posted By: Rowen is off to the coast
In high school I was able to get the lock on my locker set so that it would open anytime for anyone. I never even bothered knowing my combo past day 1. Everyone I knew did the same things to their lockers too.
I couldn't do this with my locker; I had to buy a combination lock. However, I found that if I slammed my locker door a certain way, I could just pull the lock open. I didn't do this too often, because one of the teachers hated loud noises, and my locker was near his classroom.
Link to comment
Share on other sites

Are you guys talking half lockers or full lockers? My high school had half lockers that were, I'd guess, 3 feet in height. It was really awkward when someone tried to get to their locker, which just so happened to be at about your crotch height.

 

What's worse though is that nothing much fits in a half locker.

Link to comment
Share on other sites

My high school had really narrow full lockers, for the most part. Of course, you got a locker close to (or almost close to) your homeroom class in freshman year and kept it for all four years. I knew which hallway mine was in, but since I was only in that part of the building for my freshman homeroom class and never again, it was never useful. I carried everything with me. Only a few people I knew used lockers.

Link to comment
Share on other sites
