An Idea For passwords

Thread: An Idea For passwords

  1. #1
    Registered User +Daemon+'s Avatar
    Join Date
    Jan 2002
    Location
    RC, Ca
    Posts
    3,406

    Post An Idea For passwords

    I’ve been thinking about passwords and how easy they are to crack.

    What if you created a program where, when you set your password, you must give it 6 different passwords at least 7 chars long, each with at least 2 numbers in it, for an account?

    What happens is when you try to log in with this account the passwords become random.

    So let’s say a screen pops up; it may give a little hint to what your password is, but if it was wrong it will go to another password at random.

    The hint could be something like pass 1, pass 2, pass 3, etc. Or it could be defined when the user creates the password. It’s a lot of work but I wonder if it would be more secure. Or it’s just a dumb idea.

  2. #2
    Registered User Archer's Avatar
    Join Date
    Mar 2000
    Location
    Blighty
    Posts
    4,224

    Post

    A lot of the time code cracking is down to user laziness, because they use a password that is either not random or is of a familiar subject or theme, i.e. cat's/dog's/children's/wife's name, pastime subject, birthday, social security number, favorite book/film/recipe etc., or even to the point of writing it down and either leaving it in a nearby drawer or, worse still, writing it on the monitor or PC.
    Perhaps it would be better if all systems had a random password generator installed, with the added security measure of making it unchangeable, and the user had to remember it without the usual three free attempts.
    It all depends on how secure you wish a system to be and, as always, no security is ever enough when you need it.
    Newer UK parliamentary laptops are said to require a unique piece of hardware attached before the files are decrypted for use; this probably came into force when so many were getting lost or left in cabs by our masters.

  3. #3
    Registered User edball's Avatar
    Join Date
    Apr 2001
    Location
    Oklahoma
    Posts
    1,884

    Post

    The problem is users can't remember 1 password, forget about 6.
    "Don't be so humble - you are not that great." - Golda Meir

  4. #4
    Avatar Goes Here Radical Dreamer's Avatar
    Join Date
    Jan 2001
    Location
    Fairmont, West Virginia
    Posts
    4,866

    Post

    Wouldn't 6 passwords make it easier to guess because there are more "right" answers?
    :::Asus A8N-Sli Premium:::AMD 3500+ @ 2.4ghz:::2x80GB 8mb cache RAID0 Array:::GeForce 7800GTX OC:::2GB Corsair XMS Memory:::500 Watt Enermax Liberty PSU:::16x Lite-on DVDRW:::

    Counter Strike Source Forum and Server @ http://www.nvpclan.com -=Ninjas Vs. Pirates=-

  5. #5
    Registered User -Senectus-'s Avatar
    Join Date
    Jun 2002
    Location
    Kalgoorlie
    Posts
    305

    Post

    Originally posted by Radical Dreamer:
    Wouldn't 6 passwords make it easier to guess because there are more "right" answers?
    This is a classic example of what all sys admins battle with.
    The more secure you make something, the harder it is to use.
    The easier to use you make it, the less secure it is.

    So your idea of 6 passwords of large size and variance is great, except that now there are 6 possible right answers to the break-in attempt instead of 1 possible answer.
    There is NO WAY to make an ULTRA secure device/software and still make it very easy to use.
    The closest I've ever seen to that is the Lotus Notes .id file security certification setup.
    Though that becomes very complex the more you need to use it. (i.e. if you're just using passwords then no problem; if you start getting into trusts and cross certification, it gets complex.)

    Keep thinking though. It's guys like you that will think of a new idea that re-shapes electronic security for the rest of the world. (Let's hope you don't get snaffled by BillyG.)
    "The fact that I think Bach was mistaken doesn't alter the fact that I think the B-minor Mass is one of the greatest pinnacles of human achievement. It still absolutely moves me to tears to hear it. I find the whole business of religion profoundly interesting. But it does mystify me that otherwise intelligent people take it seriously" - Douglas Adams

  6. #6
    Junior Member
    Join Date
    Jun 2002
    Posts
    9

    Post

    I like the biometric solutions the best. Retinal, facial or fingerprint. Those seem to me to be the most secure authentication methods.

  7. #7
    Registered User +Daemon+'s Avatar
    Join Date
    Jan 2002
    Location
    RC, Ca
    Posts
    3,406

    Post

    Originally posted by Jester347:
    I like the biometric solutions the best. Retinal, facial or fingerprint. Those seem to me to be the most secure authentication methods.
    Hehe, but those seem easier to crack, for example fingerprints.

    You can crack a fingerprint machine very easily.

    One way is JELLO.
    Another one is Scotch tape.

    You can get a fingerprint off a glass, table or wherever using jello and tape.

  8. #8
    Registered User +Daemon+'s Avatar
    Join Date
    Jan 2002
    Location
    RC, Ca
    Posts
    3,406

    Post

    Originally posted by -Senectus-:
    Originally posted by Radical Dreamer:
    Wouldn't 6 passwords make it easier to guess because there are more "right" answers?
    This is a classic example of what all sys admins battle with.
    The more secure you make something, the harder it is to use.
    The easier to use you make it, the less secure it is.

    So your idea of 6 passwords of large size and variance is great, except that now there are 6 possible right answers to the break-in attempt instead of 1 possible answer.
    There is NO WAY to make an ULTRA secure device/software and still make it very easy to use.
    The closest I've ever seen to that is the Lotus Notes .id file security certification setup.
    Though that becomes very complex the more you need to use it. (i.e. if you're just using passwords then no problem; if you start getting into trusts and cross certification, it gets complex.)

    Keep thinking though. It's guys like you that will think of a new idea that re-shapes electronic security for the rest of the world. (Let's hope you don't get snaffled by BillyG.)

    Hmmm, I wonder how good the idea of Microsoft's password clicking will be. It's where there is an image and you click on different spots of the image. Hmmm, wonder how good it is.

  9. #9
    Registered User Poseidon's Avatar
    Join Date
    Jan 2001
    Location
    Knoxville, TN USA
    Posts
    1,762
    Originally posted by Radical Dreamer
    Wouldn't 6 passwords make it easier to guess because there are more "right" answers?
    Yeah, but what if you had to enter all six passwords each time?

    It might work for people with high security clearance but not the everyday user.
    The early bird may get the worm; but the second mouse gets the cheese!
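
Added example (not part of any post in this thread): the three readings of the six-password idea from posts #1, #4/#5 and #9, compared with a single password under online guessing. The model is an assumption: passwords are distinct and uniformly drawn from n candidates, the attacker gets g attempts, and the function names and the attacker's per-slot strategy are illustrative.

```python
from math import comb
import random

# Model (assumed, not from the thread): passwords are drawn uniformly from n
# equally likely candidates and the attacker is allowed g online attempts.

def p_single(n, g):
    """One stored password; g distinct guesses."""
    return min(g, n) / n

def p_any_of_k(n, g, k):
    """Reading in posts #4/#5: any of the k stored passwords is accepted."""
    if g > n - k:
        return 1.0
    return 1 - comb(n - k, g) / comb(n, g)

def p_all_k(n, g, k):
    """Reading in post #9: all k entered together, no per-field feedback."""
    return min(g, n ** k) / n ** k

def p_random_slot(n, g, k, trials=20000, seed=1):
    """Reading in post #1: each attempt asks for one randomly chosen slot and
    the hint names it. Simulated attacker walks candidates 0,1,2,... per slot."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        secrets = rng.sample(range(n), k)      # k distinct passwords
        next_guess = [0] * k                   # per-slot position in the list
        for _ in range(g):
            slot = rng.randrange(k)
            if next_guess[slot] == secrets[slot]:
                wins += 1
                break
            next_guess[slot] += 1
    return wins / trials

if __name__ == "__main__":
    n, g, k = 1000, 100, 6   # constructed numbers, small enough to simulate
    print(f"single password      : {p_single(n, g):.3f}")
    print(f"any of {k} accepted    : {p_any_of_k(n, g, k):.3f}")
    print(f"random slot, hinted  : {p_random_slot(n, g, k):.3f}")
    print(f"all {k} at once        : {p_all_k(n, g, k):.1e}")
```

With these constructed numbers, accepting any of six passwords raises the attacker's chance from 0.10 to about 0.47, the hinted random slot stays close to the single-password figure, and only requiring all six together (without telling the user which one was wrong) lowers it.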

  10. #10
    Registered User Chris_MacMahon's Avatar
    Join Date
    Nov 2001
    Location
    sebago, maine
    Posts
    568

    this was kinda on /.

    http://developers.slashdot.org/artic.../01/16/1530202


    the best secret is the secret that isn't there
    i love peta...and sars...
    and bin laden....and n. korea....and china...and p2p...spyware...

  11. #11
    Senior Member - 1000+ Club Outcoded's Avatar
    Join Date
    Apr 2001
    Location
    Somewhere in the UK, never quite sure where
    Posts
    1,689
    Originally posted by +Daemon+
    Hmmm, I wonder how good the idea of Microsoft's password clicking will be. It's where there is an image and you click on different spots of the image. Hmmm, wonder how good it is.
    Very, very easy to shoulder surf. I know a guy who can memorise a full Netware login (to tree level) and 12 letter password, just by watching you type it; he would find this easy.
    I'm in charge and I say we blow it up

  12. #12
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    I came to the conclusion it doesn't matter how secure the passwording system should be or could be, most users just cannot cope with remembering passwords and feel that they shouldn't have to.
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  13. #13
    Registered User
    Join Date
    Jan 2001
    Location
    Scotland
    Posts
    468
    And most of the problems are due to the fact that most Users aren't told why security is important.

    I came to the conclusion that the only way to secure these things is to enshrine security in the contract with the employee. It's odd that most people can remember telephone numbers and addresses, PIN numbers, car index numbers, but Admins say they can't remember passwords.

    Get passwords ISSUED and audit trail them through robust policies and procedures. Unfortunately, for real robustness, Admins have to be prepared to be audited too.

    How many organisations devolve security to Users, through Admins only to have managers buck the system? How many have one person tasked with security at Owner/Board level, written into contract?

    And I think changing passwords regularly is less safe than having a single password issued in the same way as a PIN number.

    Being secure is about allocating sufficient resources. If you ain't been burgled, or no-one in your neighbourhood has, do you fit an alarm anyway? If you've never had a fire, do you have a fire action plan?

    It's like driving a car. You can cut any amount of corners, break speed limits all the time, and feel like you're charmed, because most of the time you get away with it. In fact, you encourage yourself that you are invincible, and it's other people's stupidity that causes accidents. Until the day your luck runs out.

    End of rant!!!

    And...Good Luck!!

  14. #14
    Registered User silencio's Avatar
    Join Date
    Sep 2000
    Location
    Savannah
    Posts
    3,960
    My secure passwords are all at least 8 characters and a mix of upper/lower/numbers and one non-standard character. I make a new one every month and write it on my hand for a couple days until it's securely fastened in my memory. They say you have to read/hear something seven times before it's committed to memory.

    Maybe we should log off users every 30 minutes on the day they change their passwords. And people who put them on a sticky note, why, have them shot of course!

    More people are spatial learners; I think the clickable image will come into effect one day, but retinal seems like the most secure.
    Deliver me from Swedish furniture!

  15. #15
    Registered User CeeBee's Avatar
    Join Date
    Nov 2002
    Location
    USA
    Posts
    2,494
    Did an audit on the passwords of the users in our network.
    -50% of the passwords were obtained in less than 3 minutes.
    -after 15 minutes I had 75%
    -after 1 hour 95%
    -all passwords in less than 12 hours
    ...and the "cracking" machine was only a 800MHz PIII running the task at low priority...

    If you are using WinNT you should know that only the first 7 characters of the password are really encrypted...
    As far as it concerns me I like nonsense combinations of letters and numbers, something like "e5gw3nrt21fe8a" at least 8 characters long... I have a good memory though... however my boss has them written down...
    Protected by Glock. Don't mess with me!
