You've all encountered the various websites that force you to have a password that is 6 characters long, must have 1 number, and must rhyme with 'annoying.'

Obviously there are legacy reasons why sometimes this is necessary but other times it's all for security. I find that it's rather annoying because I have a standard set of passwords that often don't match these peculiar rules so I have to make and remember a new one.

It seems that there are more important things to worry about in terms of security if you're worrying about how complex the user's password is. If someone can actually get a hold of that password then you clearly have larger problems to worry about. Do your part and lock down your end of the system before relying on the user to worry about YOUR security.

My actual question is: What are the alternatives to these complex password rules to mitigate the risk of rainbow tables or brute force hash reversers without relying on the user to carry the weight of remembering something complicated?

Some ideas: salting, ...

+1  A: 

Use KeePass

http://keepass.info/

It sure will minimize the hassle.

Otávio Décio
The issue with that, and that I'm having right now, is that I am on multiple machines so it seems like it could end up more work than just remembering or writing down the passwords.
Joe Philllips
I use KeePass, and I agree - I have been caught out because my OpenID password is complex and I didn't get it quite right on our laptop... had to run downstairs, fire up the desktop, look up the password... so close!
Software Monkey
Use KeePass in combination with Dropbox so they are on all of your machines and always synched. Be sure to use the Private Key file on your machines to keep it more secure and not password-dependent on the KeePass itself.
Turnkey
http://stackoverflow.com/questions/310929/where-do-you-record-your-authentication-information-urls-ips-usernames-passwords
P Daddy
+8  A: 

Almost every site will be salting and encrypting your password regardless of what you choose. The issue isn't legacy code, database security on the server side or anything like that, the developers will have that covered in most cases. The problem is dumb users submitting retarded passwords that get broken quite easily. The point of the rules is to FORCE you to not choose too stupid of a password.

Here's a reference link. http://www.codinghorror.com/blog/archives/001206.html

I understand the reasons but is it really necessary? Saying your password should be 6+ characters seems good to me as long as you implement a system to keep brute forcers or dictionary attackers from easily trying every password.
Joe Philllips
FWIW, I highly doubt that almost every site is properly salting/encrypting stored passwords... there remains a surprising (stunning?) lack of understanding of security in the typical web/application developer. For example, how long did it take Amazon to give you the option to not store your CC info?
Software Monkey
@Software Monkey, well a long password certainly is not going to save anyone then.
Joe Philllips
@Software Monkey: I'd say that the typical [Web] developer's lack of security understanding is, yes, stunning, but surprising? No. I'm not trying to open up the "most programmers are stupid, especially Web developers" discussion here, but good security is a complex topic, even for the best of us.
P Daddy
The thing of it is, on asp.net, the flipping' salting/hashing stuff is BUILT-IN. People still don't use it. It's so sad. I had a boss at one place insist that passwords not be encrypted/hashed. I was like, whaaaaaaaa? Nuts. It's not always the developer's fault.
Robert C. Barth
If proper salting and hashing techniques are being used then why does it matter what password the user uses? If the hacker can only try a few passwords per minute then brute forcing is really out of the question. I'm still not convinced that an "easy" password is the weakest link.
Joe Philllips
+5  A: 

The reason for the password rules is to try and ensure a "stronger" password, which means, in effect, that it takes more trials on average to find the password with a brute force attack. Most people, even after the many examples, like the recent Twitter mess, will use a Joe password, or a dictionary word that's vulnerable to a feasible brute-force attack.

The best thing to do is to ask what the value of the data behind the password is, and then what the cost (effort) of cracking the password would be. If the value is small, you don't need complicated rules, and maybe you don't need a password at all. If the value is high, then you need to make it more difficult.

Charlie Martin
A: 

KeePass also has the advantage that it will run directly (e.g., not even have to install it) from a USB flash drive in most cases in Windows. Put both KeePass and your database file on the USB key and you have a quick and easy portable password reference database. Make sure you secure KeePass with a nice strong password though, as if you lose your USB drive you don't want all and sundry getting into your password database.

Jayden
+1  A: 
Charlie Martin
A: 

Anything an untrained user (the normal type for most web applications) will find natural and easy to remember will be easy to crack. It doesn't matter what you do to store it, because cracking software can go through all passwords an untrained user is likely to use. Salting and hashing are effective only when the users have good passwords.

The solution is either to ask the user to remember something more complicated (which you are rejecting) or to base verification on something the user has, rather than what the user can remember. This can be a written-down password, one of those security fobs that generate unpredictable numbers that change every few seconds, or something more esoteric.

What a website can do is allow all sorts of strong passwords. I detest sites where I want to use strong passwords (typically financial or medical) that have rules like "no special characters". (Of course, I don't like reusing strong passwords; I don't want anybody who cracks my HMO security to order freely from my Barnes & Noble account.)

This probably isn't the answer you wanted, but the bad guys have capabilities that will overwhelm the sort of casual security most people are comfortable with.

David Thornley
1. The cracker would have to get the hashes which generally proves to be difficult. 2. Some rainbow tables have the ability to find passwords that are 60 characters long, all character types. I think relying on the user to use a complicated password is the weakest way to beef up security IMO.
Joe Philllips
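The thread keeps circling the same two points: a per-user salt defeats precomputed (rainbow) tables, and a slow, iterated hash raises the cost of every guess, but neither rescues a password whose whole keyspace is tiny. The following is an added example, not code from any answer above; the iteration count and the guess rates are constructed values for illustration, not measurements.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor: every guess an attacker makes costs this many HMAC rounds.
# Constructed value for the example; real systems tune it to their hardware.
ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def salt_defeats_precomputation(password: str) -> bool:
    """Two accounts with the same password must not share a stored digest, so a
    table precomputed for one hash cannot be reused against the other."""
    return hash_password(password) != hash_password(password)


def expected_crack_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Average time for exhaustive search: half the keyspace at the given guess rate."""
    return (alphabet_size ** length / 2) / guesses_per_second


if __name__ == "__main__":
    record = hash_password("correct horse")
    print("stored:", record)
    print("verify ok:", verify_password("correct horse", record))
    # Constructed rates: a bare SHA-256 guess vs a stretched PBKDF2 guess.
    for label, rate in (("fast unsalted hash", 1e9), ("stretched hash", 1e4)):
        print(f"{label}: 6 lowercase chars ~ "
              f"{expected_crack_seconds(26, 6, rate):.1f} s on average")
```

The stretched hash turns a sub-second search into hours for the six-lowercase-character case, which is exactly the gap the password rules are trying to close; the salt only removes the shortcut of precomputing that search once for every site.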