next up previous
Next: Complex passwords Up: Changing Passwords Previous: User Problems:

User Solutions:

The user writes the password down. Sometimes this copy is placed in a fairly safe place, but often it is simply placed somewhere convenient for the user. For example, it tends to be fairly hard for an attacker to get into a locked file cabinet, but if the password is left in an unlocked top drawer or under a mouse pad, it is fairly simple to find and acquire. On top of this, users may write down their usernames and the system names so that they don't forget which password goes with which system. This makes it even easier for an attacker to use the information.

Writing a password down does not always imply that it will be written on paper. Users may also store passwords on their computers, often in an easily-readable file on the Windows desktop or in their Unix home directory. This may be even more dangerous because gaining access to a desktop machine can be fairly easy: if viruses and spyware can get in, then there's no reason a more dangerous attacker couldn't. For some systems, all it would take is a malicious email to gain access to all of the user's files.

Users may choose passwords that are simpler, but also easier to guess. Some, like the name of a spouse, child, pet, etc., will be fairly trivial to guess for an attacker who knows the user. Some users will simply use their own name or initials, favourite sport or team, things related to hobbies, artists, movie stars, birthdays or other significant dates. Simple knowledge of the gender of the user can limit the selections further: [Chick, 2003] claims that while women will use their wedding date or children's birthdays, men will rarely use those.

Other passwords are easily guessable even if the attacker doesn't know the user. In the movie Hackers [Moreu, 1995], they claimed that the four most commonly-used passwords were "love", "sex", "secret", and "god". Real passwords may not be quite so simple (although those words do appear in many password dictionaries), but other common choices include "password" and the username.

Users make up schemes to make new passwords based on an older one. For example, a user might have the following sequence:

Month      Password
January    chipmunk1
February   chipmunk2
March      chipmunk3
...        ...

Adams and Sasse note that while this would seem to increase memorability and thus security, in reality people often confuse the list (which would seldom be as nicely aligned with the months), which results in them having to write down their passwords [Adams and Sasse, 1999].

Even without that problem, none of these passwords is particularly hard to guess using a dictionary attack. If someone managed to find one password, it would be somewhat simple to guess what the next one would be, thus further limiting the effectiveness of changing passwords when it comes to stopping intruders who have already gained access.
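A defender-side check for the scheme above, added here as an example and not code from the original page: it flags a password change that is just the previous password with its trailing counter bumped (chipmunk1 to chipmunk2), or that is within a couple of edits of it, which is what a password-history policy would need to catch. The names `split_stem`, `predictable_change` and `audit_history` are hypothetical.

```python
import re
from typing import List, Optional, Tuple

# Matches a password that ends in a run of digits, e.g. "chipmunk3" -> ("chipmunk", "3").
_TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)$")


def split_stem(pw: str) -> Tuple[str, Optional[int]]:
    """Split 'chipmunk3' into ('chipmunk', 3); a password with no trailing digits gives (pw, None)."""
    m = _TRAILING_NUMBER.match(pw)
    if not m:
        return pw, None
    return m.group(1), int(m.group(2))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character tweaks such as 'chipmunk1!'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def predictable_change(old: str, new: str, max_edits: int = 2) -> Optional[str]:
    """Return a reason if `new` is a predictable variant of `old`, otherwise None."""
    old_l, new_l = old.lower(), new.lower()
    if old_l == new_l:
        return "unchanged (case only)"
    old_stem, old_n = split_stem(old_l)
    new_stem, new_n = split_stem(new_l)
    if old_stem and old_stem == new_stem:
        if old_n is not None and new_n is not None:
            return f"same stem {old_stem!r}, counter {old_n} -> {new_n}"
        return f"same stem {old_stem!r} with a counter added or removed"
    if edit_distance(old_l, new_l) <= max_edits:
        return f"within {max_edits} edits of the previous password"
    return None


def audit_history(history: List[str]) -> List[Tuple[str, str, str]]:
    """Check each consecutive pair in a password history; returns (old, new, reason) for each hit."""
    return [(a, b, r) for a, b in zip(history, history[1:]) if (r := predictable_change(a, b))]


if __name__ == "__main__":
    # Constructed sample: the monthly sequence from the table above.
    for old, new, reason in audit_history(["chipmunk1", "chipmunk2", "chipmunk3"]):
        print(f"{old} -> {new}: {reason}")
```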

Terri 2004-01-05