Interesting paper from HotSec '07: "Do Strong Web Passwords Accomplish Anything?" by Dinei Florêncio, Cormac Herley, and Baris Coskun.
We find that traditional password advice given to users is somewhat dated. Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users. Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place. Above that minimum it appears that increasing password strength does little to address any real threat. If a larger credential space is needed it appears better to increase the strength of the user IDs rather than the passwords. For large institutions this is just as effective in deterring bulk guessing attacks and is a great deal better for users. For small institutions there appears little reason to require strong passwords for online accounts.
I think what users should really be made aware of is the URL. If the URL doesn't look right, is really long, or (the simplest check) isn't just companyname.com, then close the window. It's hard to believe people still fall for phishing websites, even after all the news articles and stories about them. But what can you do?
I use a few relatively strong passwords for websites I register on, depending on the type of site... but I have still had to change them because of websites being compromised by hackers *COUGH*.
But some of the passwords I have heard come out of friends, family, and even my boss are super simple, and just asking for hacks.
But I would have to agree: on a website, a brute-force attack is pretty uncommon, at least from what I have seen. Changing passwords often is probably enough for most common users, but then again, unless you force them to do that, they are unlikely to do it on their own.
Well, I use strong passwords for everything, depending on what the site is. I don't use my personal password for forums and other miscellaneous sites that I have to register on, but I think it's a great idea to avoid simple passwords. And another suggestion: please, all you people who have a password and don't even know it, please change it. It's not good to have a password that you don't even know, saved on your desktop, which you copy and paste whenever needed, because your computer could be attacked by a trojan and you will be sorry... For example, the Gumblar exploit will not only affect your site but also its visitors and their PCs, and even your PC, and possibly get hold of the saved passwords you have on your computer. So rethink it if you're one of those people. And please don't say "ah, I'll never be attacked by anything", because you never know.
I think it's more about different passwords, not so much strong ones. Especially when you sign up with services that can see your pw in clear text. I THINK that the free hosting software I used 10+ years ago allowed that, I don't remember. But I do remember someone saying, I think on that forum, how people who signed up generally used the same password for the service as for their email. I think you get what that implies. I am also REALLY digging this security device for PayPal. A little more hassle, but now I really do not worry about it at all.
Here's an interesting slashdot article about strong passwords from last night:
Strong Passwords Not As Good As You Think
from the still-better-than-'password' dept.
posted by CmdrTaco on Monday July 13, @10:42 (Security)
http://it.slashdot.org/article.pl?sid=09/07/13/1336235
Jamie noticed that Bruce Schneier wrote a piece on a paper on strong passwords that tells us that the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped. They make things hard on users, but are useless against phishing and keyloggers. Everyone can change their password back to 'trustno1' now.
Of course, in security you are only as strong as the weakest link, and what if that link is weak (non-encrypted)? What about any potential currently running keyloggers (what's the point, they're seeing what's typed and where)? What about the server itself? The site system. The database. The best thing one can do, I believe, to mitigate the damage (damage control) is to use different passwords EVERYWHERE online. WHT is a prime example of this.
Originally Posted by hellind2
I am surprised a lot of systems don't implement this.
I really haven't seen these systems much up until relatively recently (a few years). While I feel it's something that should be implemented more widely, it breaks down to whoever is doing the code. If they are a full-time programmer, a large company, or whatever, then yes, there's no excuse for them not to implement it even on their legacy applications. Then you have the common Joe: "What's the point? Why do I need to install a new program or roll my own for my guestbook?"
In short... Do strong web passwords accomplish anything?
IMO: No, not really.