Slashdot Mirror


The Psychology of Passwords

afabbro writes "According to this study, people's password choices put them into four groups: "Family", "Fan", "Self-Obsessed", or "Cryptic". I'm sure we're all good Cryptics here...now if only my users would stop being "Family"." And then there's the category "Stupid" for the zillions who use "Trustno1", "Swordfish", and "Password".

492 comments

  1. But what about ... by Anonymous Coward · · Score: 1

    all those 3733t h4x0r5 out there who use something like "733t"? Does that count as "cryptic", or is it "family" (for being a nickname)? I'd hate to think that the results included stuff as simple as that as "cryptic" - that would mean even fewer people have any security at all on their machines :(

    I rather prefer to use stuff that's over 6 characters in length, and a mix of letters, numbers and symbols, ideally case-sensitive but that I cannot control. It's not uncrackable, but it'll sure take more effort... and, with all the other, more easily-cracked machines out there, I feel pretty safe (but, just to be sure I'm not standing up and asking to be hacked, I'll post this anonymously anyways. I'm not (quite) as stupid as I look).

    1. Re:But what about ... by grammar+fascist · · Score: 1

      ...all those 3733t h4x0r5 out there who use something like "733t"? Does that count as "cryptic", or is it "family" (for being a nickname)?

      I'd call that "self-obsessed." Also in that category are "womanizer," "stud," and "2kewl4u."

      --
      I got my Linux laptop at System76.
  2. Re:my personal favorite... by Anonymous Coward · · Score: 1

    I had a similar experience with an ISP that I no longer use. They required that I give them a password over the phone, so I told them to set it to 'changeme'. Then I found out there was no way to change the passwords except calling them again.

  3. How to be a stupid and obnoxious Sysadmin... by Anonymous Coward · · Score: 1
    True story:

    While working at a place I won't name, I was told to modify a switch configuration by a grossly fat and obnoxious asshole of an NT sysadmin, who, for whatever reason, thought it part of his job to make mine as difficult as possible.

    Naturally, since he didn't give me a password I assumed the switch didn't have one. No, he was just being an asshole. Made the long walk back across the building to Fatso's desk, "Uh, could you tell me the password please?"

    "Forget it" he replied. "What?" "Forget it" he repeated. Oh. Just to be sure I asked "No space in that?" "Nope." shithead smirked.

    Okay, stupid password, I thought, hiking back to the switch. Password "forgetit" doesn't work. Hike back to Fatso's desk again. "Doesn't work" "Yes it does," he insists...

    After about 5 minutes of trying to get him to respond like a human being, he gives a great theatrical sigh and writes "4get1t" on a postit, shows it to me and tears it up.

    Duh, I think to myself... and ask "Do you really think dopifying it like that will keep it from being cracked?" Well! Fatty gives me a holier-than-thou look and says "You won't get very far working here with that kind of attitude..." Kee-rist...

  4. Re:The passward is electrifing by Anonymous Coward · · Score: 1

    That's exactly what I did. I stored all of my passwords on my Palm Pilot in a (practically) unbreakable database. No problem with that right?
    Well...then the database program needed a password...and I thought...I have to make this the most complex password of all...Because if it is cracked, they will have ALL my passwords...
    So I made a completely random (yes truly random) password string. Then I was having problems remembering it...so I put it into the database on my palm. The problem is...The password to the database of passwords is in the database of passwords.
    Now I can't login to slashdot, cause I don't know the password.
    -tm

  5. Re:Is there a category for... by Anonymous Coward · · Score: 1
    I agree. I am a special agent, and in one mission, I had to infiltrate a certain building. The main door opened with a biometric hand-print.

    I got in by shooting a lone guard, then by severing his hand. From then on, I had a key to the whole place.

  6. Re:Random is the only way! by Anonymous Coward · · Score: 3

    I beat end users with random flailings of my arms and watch for 'letter-like' shapes which rise as welts on their bodies. Grab a new user, repeat.

  7. My way by Anonymous Coward · · Score: 4
    The problem with this is that you then need a (secure) password management scheme. Unless you are a Rain Man type who can easily remember a large number of random passwords...

    I develop schemes now and again. I start with something easily recognizable, like 'So Long And Thanks For All The Fish'. Then I turn it into a 'random' password by a bunch of operations. For example, I might take the second letter of each word (yielding oonholhi), then make characters 1 and 5 upper case, turn 2 and 6 into numbers (alphabetic value mod 10), then turn 3 and 7 into non-alphanumerics based on the keyboard layout. The pass would then be O5$hO2*i.

    That is sufficiently random for 90 day use or so. It would be weakened if somebody somehow guessed my scheme, but I pick a new arbitrary scheme every 90 days when I change all my passwords. Then I just have to remember one scheme and a bunch of key phrases for all of them.
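The derivation described in the post above, worked through in code. This is an added example, not the poster's own code; it assumes the "keyboard layout" step means taking the letter's alphabetic value mod 10 and using the shifted digit key on a US keyboard (the post's n -> $ and h -> * are consistent with digits 4 and 8). Note that once the scheme is known, the password's strength collapses to the guessability of the phrase.

```python
"""Passphrase-to-password derivation as described in the post (added example)."""

# Shifted digit keys on a US keyboard, indexed by digit 0-9 (assumption).
SHIFTED_DIGITS = {0: ")", 1: "!", 2: "@", 3: "#", 4: "$",
                  5: "%", 6: "^", 7: "&", 8: "*", 9: "("}


def alpha_value(ch: str) -> int:
    """Alphabetic value: a=1 ... z=26."""
    return ord(ch.lower()) - ord("a") + 1


def derive(phrase: str, letter_index: int = 1,
           upper_at=(0, 4), digit_at=(1, 5), symbol_at=(2, 6)) -> str:
    """Take letter `letter_index` (0-based) of each word, then apply the
    positional transforms: upper-case, digit (value mod 10), or symbol
    (shifted digit key of value mod 10). Positions are 0-based, so the
    post's 'characters 1 and 5' are upper_at=(0, 4)."""
    words = phrase.split()
    base = "".join(w[letter_index].lower() for w in words if len(w) > letter_index)
    out = []
    for i, ch in enumerate(base):
        value = alpha_value(ch)
        if i in upper_at:
            out.append(ch.upper())
        elif i in digit_at:
            out.append(str(value % 10))
        elif i in symbol_at:
            out.append(SHIFTED_DIGITS[value % 10])
        else:
            out.append(ch)
    return "".join(out)


def second_letters(phrase: str) -> str:
    """The intermediate string the post calls 'oonholhi'."""
    return "".join(w[1].lower() for w in phrase.split() if len(w) > 1)


if __name__ == "__main__":
    phrase = "So Long And Thanks For All The Fish"
    print(second_letters(phrase), "->", derive(phrase))
```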

    1. Re:My way by glitch! · · Score: 2

      Unless you are a Rain Man type who can easily remember a large number of random passwords...

      No, actually that is a problem :-) I can always remember my current passwords, but if I want to fire up an old system that's been on the shelf for the last year, it's going to be single-user boot...

      After generating a fresh random password, I can usually think of some mnemonic to make it easy to remember. That brings the number of "symbols" down to three or four. What is funny is that the real random characters don't seem all that random after all. If I were just making up "random" chars off the top of my head, I would certainly not have picked many of the truly random ones. Go figure.

      90 days seems like a good password lifetime. Of course, that is another reason it is impossible for me to remember those really old ones.

      --
      A dingo ate my sig...
  8. Re:scooping hollywood by Mark+J+Tilford · · Score: 1

    Spoilers below; look at the link value to see text. /. trims spaces from links, so there are underscores instead. No; what they did was sneakier; pt 1 pt 2 pt 3 That's very good social engineering.
    100% pure freak
  9. Re:More high school fun... by mosch · · Score: 2

    We got our high-school computer labs admin password the old fashioned way too. By rifling through his desk. Sure enough, we found the words 'lunch' and 'dinner' written on the inside cover of one of the manuals for no apparent reason. Admin password? breakfast. From then on we played a lot of networked doom.


  10. Simple password trick by Phroggy · · Score: 2
    If you have trouble remembering secure passwords, here's a great trick:

    Take a made-up nonsense sound, like "kersplat" or "squish" or "blart" or "shazam" or something.

    Capitalize the first letter, easy to remember because words are often capitalized in English (Kersplat, Squish, Blart, Shazam).

    Pretend you're a l33t h4x0r and start replacing letters with numbers (K3rspl@t, Squ1sh, Bl4rt, Sh@z@m).

    Add some punctuation, either in front or behind (K3rspl@t!, Squ1sh?!?, !Bl4rt, ??Sh@z@m).

    Congratulations, you now have a reasonably secure password.

    One of these is very similar to a password that I used to use. Can you guess A) which password is similar, B) what the real password was instead, and C) which systems that password was used on?

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  11. Re:Encryption by mce · · Score: 1
    I'm talking about using an encryption code when writing a new password on it. One that is simple enough for me to remember and decrypt without a computer (a pen and another "temporary" piece of paper will do).

    But don't count on me explaining it here. The enemy might be reading... The day that I die, the algorithm will die with me. Especially since those who find the paper are unlikely to know what it is.


  12. Encryption by mce · · Score: 2
    I'm currently tracking 25 passwords (two of which are not computer related, actually). Some of them change too often to be sure that I'll remember them when in high need.

    So I've had to write them down "somewhere" bloody safe. As it happens, I ended up encrypting the piece of paper, such that the only thing that I definitely have to remember is the non-trivial decryption scheme. Of course, I also remember the passwords that I need most often, but for the others my encrypted paper has occasionally worked miracles.


    1. Re:Encryption by 4thAce · · Score: 1
      As it happens, I ended up encrypting the piece of paper, such that the only thing that I definitely have to remember is the non-trivial decryption scheme. Of course, I also remember the passwords that I need most often, but for the others my encrypted paper has occasionally worked miracles.

      So how do you encrypt a piece of paper? Are you talking about using an encryption program (scanning in that sheet of paper?) or something like cutting it into little confetti-like bits and hiding them around your neighborhood? Actually, that approach is more like steganography.

      Has anyone mentioned Diceware already? (Another link here to the same site.) It's the system I like the most, especially because I get to use real d6s in the process.

      --
      Inventor of the LOLbalrog meme.
  13. Re:simple passwd scheme by Have+Blue · · Score: 2

    Where do you work? :P

  14. Re:what about dates? by Isaac-Lew · · Score: 1
    She doesn't understand why I think it's stupid.

    She should use a 5-digit password like I do.

  15. Re:5 most common passwords!!! by J.+J.+Ramsey · · Score: 1

    "swordfish" is a bad choice for a password in any case because it is a word that can be found in the dictionary. Password crackers use dictionaries as sources of guessable passwords.

  16. Why stop at one? by gavinhall · · Score: 1

    Posted by polar_bear:

    I probably fit into the "fan," "cryptic," and "family" groups - When I make up passwords I tend to start with either something from my early childhood - say, my dog's name - or some obscure reference to something that I'm a fan of like maybe a "supporting" character from the Godfather or whatnot - then add mixed case, punctuation, etc.

    For example, I might pick Luca Brasi from the Godfather, but I wouldn't make a password "lucabrasi" or "LucaBrasi" -- It'd be something like "LuC4Br^$!#" ... something damn difficult for a dictionary attack to crack, but easier for someone like me to remember. (BTW, no, I've never actually used that password.)

    I can't go with a 100% cryptic password, b/c then I'd never remember the damn things - I don't use the same password on all of my systems or for online purchases, so I probably rotate about seven passwords and I change the ones I use with Barnes & Noble or Yahoo! Mail pretty regularly.

    The study is pretty interesting, though.

  17. Re:More high school fun... by bluGill · · Score: 2

    That was popular when I was in school. Every time I came across someone who did that I just did a control-C and then rm -rf (oops, I mean whatever the DOS equivalent was, deltree or some such). I always hoped the student had some assignment due the next day that was almost done...

    I always said that when the program catches me like that, I don't trust it not to have logged someone else's password, and so my good deed for the day was to make sure no passwords were stolen.

  18. One time passwords? by drsoran · · Score: 1

    Maybe I missed it, but it seems the obvious answer to stupid passwords is to use non-reusable passwords and two-factor authentication. Either use something like OPIE or tokens like RSA's Securid cards. Then all the user has to remember is to carry their token with them and remember a simple pin number to unlock the passcode on their token. The only problem is it can get expensive with hardware tokens at about $50 a piece.

  19. Re:Does this count? by Danse · · Score: 2

    Wouldn't work these days. If you said "So where's the lead?" and were overheard these days, they'd think you were talking about bullets and expel you.

    --
    It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
  20. Re:More high school fun... by Ex-NT-User · · Score: 2

    At my old HS they were running Novell Netware with one of those butt ugly login screens. All of the student accounts were locked down to a ridiculously low 500K of storage. I "needed" more (to install Wolfenstein) so I wrote a Pascal app that looked "just" like the Novell login screen and logged usernames and passwords. Then it would give a cookie "wrong password" message and show the real login screen.

    After a week of going in just after class and starting it on every PC in the lab I had all of the privileged account passwords.

  21. Why not write it down and carry it with you? by iabervon · · Score: 2

    If you just write it on a slip of paper and stick it in your pocket, you're probably really safe. It's rather unlikely that someone will mug you for it, and you can make it really hard to guess while not leaving it around the computer. Given the number of people who pick good passwords and then leave them where it's easy for an attacker to get at and obvious what it's for, you'd think people would think to carry them.

    I mean, they tell you not to carry your ATM PIN with you, but that's because you'd have the card and the PIN in the same place. You're probably not carrying your work computer with you...

    Also, you'll probably have memorized your password after using it a bunch of times by looking at the slip of paper, at which point, you can destroy it.

    1. Re:Why not write it down and carry it with you? by loraksus · · Score: 1
      Writing it down is kind of enough; inputting it into a watch that has two buttons to change letters is even better. I kind of did the same thing with a Timex (forget the name now) watch and French verb conjugations. Ironically, by the time they were input, they weren't needed.

      The slashdot 2 minute between postings limit:
      Pissing off coffee drinking /.'ers since Spring 2001.

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  22. Re:npasswd and password nazism by jonabbey · · Score: 2

    That's why we have npasswd configured to not allow password reuse within a one year period. I have already had people tell me that they had picked out five passwords that they intended to rotate as the last used expire away. Those users can rotate if they like, but after a year I imagine they'll be more likely to pick a genuinely new one, especially since npasswd is such a hard ass about approving password choices.

    Ultimately, we hold the users responsible for maintaining reasonable security practices. My job in implementing npasswd was not to force everyone to do the right thing, it was to make it a lot harder to do something stupid. In the end, it comes down to the user.

    We do master a lot of systems from our master account database, so the user's single password gets them email, dialup, UNIX, Windows NT, AppleShare, etc. If our users needed to remember a dozen very difficult passwords, we couldn't do this, but with only one password needed for most of our network services, we hope it is not too unreasonable to require them to use decent passwords.


    - jon
  23. Re:npasswd and password nazism by jonabbey · · Score: 2

    I tried setting my password to 'mypassword1', and it told me 'Password not acceptable, may be derived from word 'mypassword''.

    npasswd may not be able to catch all variants of past passwords, but it is very very picky about what passwords are allowed, and if you choose a password that passes through npasswd, it is going to be a high quality password.

    No, a piece of software can't do anything about a user writing their password down on their forehead. But we have managers, and they can discipline or fire users for putting the lab's security at risk, if they do something truly stupid/negligent.

    Security is a process, and software's just a tool.


    - jon
  24. Re:npasswd and password nazism by jonabbey · · Score: 2

    The npasswd password history files are kept as a dbm of crypted password choices, so an intruder would have to find and crack that file, and by definition all of the passwords in that file would be hard to crack, as such things go.

    The one thing I'm not sure of right now is whether or not npasswd can support the use of md5 passwords. If it can, that would add a significant boost to the difficulty of cracking its files.


    - jon
  25. npasswd and password nazism by jonabbey · · Score: 3

    We recently implemented Clyde Hoover's npasswd password validation program, which does all kinds of password quality checks and a password history function, to prevent users from re-using their old passwords. We have incorporated npasswd into Ganymede here, along with a password aging function, and boy, what a change for our users. Users really can't have easy passwords any more, they have to change them regularly, and they can't re-use old passwords. The sysadmins in charge of network security here love it, because the odds that our users are using the same password for our network that they are using for Amazon and Slashdot are now dramatically reduced.

    Npasswd is very good at what it does. Npasswd supports checks against account information and a wide variety of dictionary files, with character transpositions, reversals, etc. No more 'us3rname' passwords for our users. Here's a partial list of the dictionaries that Ganymede with npasswd checks against in our environment:

    • Antworth -- Big dictionary, includes many inflected forms
    • CIS -- Words and names from Current Index to Statistics (partial)
    • CRL-Words -- Dictionary from Center for Research in Lexicography
    • Congress -- Names and nicknames of U. S. Congressmen
    • Domains -- Internet domains
    • Ethnologue -- Words from the "Ethnologue Database"
    • Family-Names -- Common family surnames
    • Given-Names -- Common first names
    • Jargon -- Words from the Jargon File
    • Movies -- Characters, actors, and titles from thousands of movies
    • Python -- Words and names from M. P. scripts
    • Roget-Words -- Words from 1911 R's Thesaurus
    • Trek -- Words and names from Star Trek plot summaries
    • Zipcodes -- Town and city names for all U. S. post offices

    If anyone here wants to make sure your users are using strong passwords, run don't walk and get npasswd, I say.


    - jon
    1. Re:npasswd and password nazism by pubudu · · Score: 1
      Hmmm does it catch this? mypassword, updated to mypassword1, updated to mypassword2 ...etc...

      It's actually amazing how often password changes of this sort actually occur. I used to work for a (now-all-but-defunct) software (later hardware) retail company that required the managers to change their passwords every month: the password was changed simply by incrementing the last number of the previous password. What is really amazing is that we retained the same system even after firing the guy upon whose name the original system (incrementation and all) was based; he was the one who introduced the system.

      Oddly enough, at the time the company abandoned all retail operations, this was not the thing that made me decide that it was headed for disaster. Although, now that I think on it, I do remember receiving an email that their customer database had been hacked...

      --
      ~~~~~~

      under-paid karma whore

    2. Re:npasswd and password nazism by Eil · · Score: 3


      That's what I do at work for all those stupid mandatory 90-day password changes. Of course, being a network run by morons, it keeps a list of ALL YOUR PREVIOUS PASSWORDS to enforce the fact that your new password must be unique relative to the old ones. In other words, if someone ever cracks the password database, they get not only the current passwords, but the old ones so they can see patterns in the way the user chooses his passwords.

      Dumb dumb dumb. I'm a security-conscious fellow alright, but I do the above scheme of password changing simply so that if their systems ever get cracked, they might immediately see how stupid their enforced-password plan really was.

    3. Re:npasswd and password nazism by jgerman · · Score: 2
      Hmmm does it catch this? mypassword, updated to mypassword1, updated to mypassword2 ...etc...

      I doubt it.

      --
      I'm the big fish in the big pond bitch.
    4. Re:npasswd and password nazism by jgerman · · Score: 2

      In a way that's kind of cool, on the one hand it's a good way to ensure that passwords aren't easily reused. Of course, on the other hand one of the other replies to this post makes a lot of sense, it's definitely a hindrance to maintaining security to keep lists of old passwords around.

      --
      I'm the big fish in the big pond bitch.
    5. Re:npasswd and password nazism by acceleriter · · Score: 1
      People forced to change passwords and to use passwords with a certain distance from old ones (e.g. no "pass1," "pass2," . . . "passN") will just write them down and/or use the same password across systems with varying degrees of security (e.g. intranet for reading the employee manual and Accounts Payable's mainframe). Then where's your security?

      I work in a shop with a system that remembers four passwords. Users routinely change their passwords five times one right after another. You've probably already guessed that the fifth password was the same one the user was using prior to the forced change.

      --

      CEE5210S The signal SIGHUP was received.
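A small npasswd-style check in the spirit of jon's posts above and pubudu's question about mypassword1 -> mypassword2. This is an added example, not npasswd's code: it rejects candidates derived from a word list (trailing digits, common letter-for-digit substitutions, reversal), and keeps history as salted hashes of the normalised form, so incremented variants are caught without storing any plaintext. The word list and the normalisation rules are constructed assumptions.

```python
"""Password-quality and history check in the style of npasswd (added example)."""
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

# Constructed mini word list standing in for npasswd's dictionaries.
DICTIONARY = {"password", "swordfish", "luca", "brasi", "godfather", "trustno"}

# Common digit/symbol-for-letter substitutions undone before checking.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

HistoryEntry = Tuple[bytes, bytes]  # (salt, digest of normalised form)


def stem(candidate: str) -> str:
    """Canonical form: lower-case, leading/trailing digits and punctuation
    removed, then leet substitutions undone ('K3rspl@t!' -> 'kersplat')."""
    return candidate.lower().strip(string.digits + string.punctuation).translate(UNLEET)


def dictionary_word_in(candidate: str) -> Optional[str]:
    """Return a dictionary word the candidate appears to be built from,
    checking the stem and its reversal, or None."""
    s = stem(candidate)
    for form in (s, s[::-1]):
        for word in sorted(DICTIONARY):
            if word in form:
                return word
    return None


def history_token(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2 hash of the *stem*, suitable for a history file: it
    reveals neither the password nor its variants if the file leaks."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", stem(password).encode(), salt, 100_000)
    return salt, digest


def reused_stem(candidate: str, history: List[HistoryEntry]) -> bool:
    """True if the candidate's stem matches any previous password's stem."""
    for salt, digest in history:
        if hmac.compare_digest(history_token(candidate, salt)[1], digest):
            return True
    return False


def check(candidate: str, history: List[HistoryEntry]) -> Optional[str]:
    """Return a rejection reason, or None when the candidate is acceptable."""
    if len(candidate) < 8:
        return "too short"
    word = dictionary_word_in(candidate)
    if word:
        return f"may be derived from word '{word}'"
    if reused_stem(candidate, history):
        return "too similar to a previous password"
    return None


if __name__ == "__main__":
    past = [history_token("zorblax7")]
    for pw in ("mypassword1", "hsifdrows9", "zorblax8", "Xq9#vLm2tR"):
        print(pw, "->", check(pw, past) or "accepted")
```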

  26. Re:Another stupid password trick by Jaeger · · Score: 1
    I did that for a while when I worked as a lab assistant. I typed my password in Dvorak into the QWERTY keyboard and everything worked great, until I wanted to mount my share from my room or something. It took thirty seconds to recreate the password as I figured out which key I would have typed, figuring out what its QWERTY equivalent was, and typing the key (in Dvorak), which proved to be rather obnoxious.

    Fortunately, my typing managed to avoid becoming gibberish, and I still use Dvorak, but passwords that aren't quite that obscure.

  27. Re:Is there a category for... by dattaway · · Score: 2

    I tend to configure /etc/issue so that it prints the root password just above the "login:" prompt.

    Nice way to tease crackers. Too bad telnet doesn't allow root to login, but requires su'ing from a user account.

  28. passwords by VAXGeek · · Score: 5

    On some enterprise systems, the administrator has the option to have passwords checked against a dictionary for common words, palindromes or other easily guessed passwords. If you are interested in such "smart" password software, check out npasswd at: http://www.utexas.edu/cc/unix/software/npasswd/
    - -----------
    a funny comment: 1 karma
    an insightful comment: 1 karma
    a good old-fashioned flame: priceless

    --
    this sig limit is too small to put anything good h
    1. Re:passwords by Syberghost · · Score: 2

      Yeah, and because folks with root can bypass this, every single time I survey a new system I find at least one account with "Senior" in the GECOS field and the password set to the userid...


    2. Re:passwords by greenrd · · Score: 1
      Only by a ridiculously tiny amount. Think about it. There are far more non-words than words 8 ASCII characters long.

    3. Re:passwords by idistrust · · Score: 1
      On some enterprise systems, the administrator has the option to have passwords checked against a dictionary for common words, palindromes or other easily guessed passwords. If you are interested in such "smart" password software, check out npasswd at: http://www.utexas.edu/cc/unix/software/npasswd/

      If I'm correct, I believe that Linuxconf has this feature too.

      --Ask a silly person, get a silly answer.

    4. Re:passwords by Trepalium · · Score: 1
      You don't see people putting their 4 digit bank pin on a post it note, right?
      Not on a post-it note, but I have seen people write it on their cards, or on another place in their wallet or purse. The entire stupidity of password changing regimes comes from the fact that without motivation, users seem to do a piss poor job at choosing passwords. As the IT password policy gets more strict, the users find new ways of subverting the system to keep their "easy to remember" passwords.
      --
      I used up all my sick days, so I'm calling in dead.
    5. Re:passwords by jfmiller · · Score: 1
      My friend once got a job with one of these. He was at a summer internship with his Co. when several of the computers got broken into and files deleted by a disgruntled network tech. The CIO ran one of these on the password file and my friend was one of only 4 out of 250 who didn't get guessed. He was hired to replace the network tech.

      JFMILLER

      --
      Strive to make your client happy, not necessarly give them what they ask for
    6. Re:passwords by Animats · · Score: 2
      I first solved this problem back in 1984, with the Obvious Password Detector. But it was early, and people didn't realize the problem would be serious back then.

      My old Obvious Password Detector requires that passwords have trigraph statistics not found in the English language. This can be validated with a tiny piece of code and a modest-sized bitmap. The bitmap of trigraphs was built from the UNIX spelling dictionary, so 100% of words in that dictionary will be rejected. But only about 20% of random letter sequences are rejected, so if you choose some junk character sequence, that's usually OK. There's thus no need for a dictionary or any complex code that might contain a leak in the Obvious Password Detector itself.

      If this had been used from the mid-80s onward, brute-force password cracking would have been stopped before it started. And it's been free, open-source since 1984.
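A trigraph filter in the spirit of the Obvious Password Detector Animats describes, as an added example (not his code). Trigraphs are collected from a word list into a bitmap of 26^3 bits (about 2.2 KB), and a candidate is judged by how many of its letter trigraphs occur in that list. The sample word list stands in for the UNIX spelling dictionary, and the rejection threshold is an assumption since the post does not give the exact rule.

```python
"""Trigraph-statistics password filter (added example, not Animats' code)."""
from typing import Iterable, List

# Constructed stand-in for the UNIX spelling dictionary; a real deployment
# would read /usr/share/dict/words.
SAMPLE_WORDS = """
password swordfish forget breakfast lunch dinner secret letter state
trust random change family fish thanks long rain man electric shell
account psychology fan self cryptic obvious detector english
""".split()


def trigraph_index(tri: str) -> int:
    """Map three lower-case letters to 0..17575."""
    a, b, c = (ord(ch) - ord("a") for ch in tri)
    return a * 676 + b * 26 + c


def letter_trigraphs(text: str) -> List[str]:
    """Consecutive 3-letter windows over the letters of text; digits and
    punctuation are dropped first, so 'K3rspl@t' is judged on 'krsplt'."""
    letters = "".join(ch for ch in text.lower() if "a" <= ch <= "z")
    return [letters[i:i + 3] for i in range(len(letters) - 2)]


class TrigraphBitmap:
    """One bit per possible letter trigraph: 17576 bits, about 2.2 KB."""

    def __init__(self, words: Iterable[str]):
        self.bits = bytearray((26 ** 3 + 7) // 8)
        for word in words:
            for tri in letter_trigraphs(word):
                idx = trigraph_index(tri)
                self.bits[idx >> 3] |= 1 << (idx & 7)

    def __contains__(self, tri: str) -> bool:
        idx = trigraph_index(tri)
        return bool(self.bits[idx >> 3] & (1 << (idx & 7)))


def english_fraction(password: str, bitmap: TrigraphBitmap) -> float:
    """Share of the password's trigraphs that occur in the word list
    (0.0 when there are fewer than three letters; length rules are
    left to a separate check)."""
    tris = letter_trigraphs(password)
    if not tris:
        return 0.0
    return sum(tri in bitmap for tri in tris) / len(tris)


def is_obvious(password: str, bitmap: TrigraphBitmap, threshold: float = 0.5) -> bool:
    """Reject when more than `threshold` of the trigraphs look English.
    The 0.5 threshold is an assumption, not Animats' stated rule."""
    return english_fraction(password, bitmap) > threshold


if __name__ == "__main__":
    bm = TrigraphBitmap(SAMPLE_WORDS)
    for pw in ("password", "swordfish1", "K3rspl@t!", "xqzvkm", "passwordxq"):
        print(f"{pw:12} english={english_fraction(pw, bm):.2f} obvious={is_obvious(pw, bm)}")
```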

    7. Re:passwords by shepd · · Score: 1

      You do realise the result of forcing users to choose passwords that make no sense, right?

      Post it notes with them written on, tagged all over. That and a huge headache for the support department ("I can't come up with a password that works. Can you give me one?").

      That idea, and the idea of forcing password changes every couple of months, are the exact cause of people writing their password all over (remember the big list of different passwords to the school computer written on the desk in Wargames? That part of the movie is real life).

      You don't see people putting their 4 digit bank pin on a post it note, right? Why? Because they set it and that's it -- they never have to come up with a passcode again. If they can keep their mouth shut (and especially with money people do) everything is good.

      Sorry, just a rant I had to get out. :-)

      --
      If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
    8. Re:passwords by amitv · · Score: 1

      This has been in Debian for quite some time (Not sure about the other major distributions)
      apt-get install libpam-cracklib

      ---
      Can you imagine a beowulf cluster of these?

      --
      Can you imagine a MOSIX cluster of these?
    9. Re:passwords by MrTilney · · Score: 2

      Or just use most common linux distros with standard configs.

    10. Re:passwords by Popocatepetl · · Score: 1

      The bad thing about systems that do that is they actually reduce the number of possible keys. The implication is there...

    11. Re:passwords by Popocatepetl · · Score: 1

      Point taken.

  29. Re:Is there a category for... by jtseng · · Score: 2

    Is there a category for the idiots that write their passwords on post-its and stick them to the bottom of their keyboards?

    Oh, so THAT's how my wife found all that pr0n on my private share...

    --

    Sanity.html - Error 404 not found

  30. Re:Is there a category for... by armb · · Score: 1

    > severing his hand. From then on, I had a key to the whole place.

    I realise you were joking, but: that's why they make hand and finger scanners that check for a warm hand with a pulse, and iris and retina scanners that check the eye responds normally to light (and has blood moving in the vessels in the case of retina scans).

    --
    rant
  31. I used to use just <CR> by EngrBohn · · Score: 1

    Of course, that was 14 years ago.
    cb

    --
    cb
    Oooh! What does this button do!?
  32. Re:My /. password is... by howardjp · · Score: 1

    So we were joking about the phone system manual which takes 3 pages to explain how to dial a number. I was following the mock instructions and dialing. "1-8-0-0...I don't know, dial something" so I continued with "I don't know". Apparently I dialed more than seven numbers. Well, the phone (on speaker) says, "You have not dialed the correct access number, please try again." My manager looks at me and says, "Great, now you are going to try to break in, aren't you?" "Of course," I say, "1-2-3-4-5." "Ring...ring...Hello?" Sometimes, they make it too easy.

  33. Re:Random is the only way! by "Zow" · · Score: 2

    #!/bin/sh
    head -c 6 /dev/random | mmencode

    Much easier & faster, and certainly just as random as your cup of tea (of course, you have to be on a system with a reasonable /dev/random).

    -"Zow"

  34. Re:Random is the only way! by garcia · · Score: 2

    I prefer to take stupid phrases that no one else would think of (something like making a phrase to remember quiz items) and take the first letters and sound out a word for it.

    Pretty easy to make up, easy to change, and easy to remember.

  35. Stupid passwords by cluening · · Score: 2

    My winner under the Stupid category is the "admin" when I was in high school. He chose the great password of "none" for his personal account, which was easily cracked with a simple dictionary. Of course, he was really one of the biggest fools I have known in my life, so I am not really all that surprised...

    --
    Posted from the wireless couch.
  36. Re:problem by Art+Tatum · · Score: 1

    Plus, all they really have to do is get you to touch something from which they can lift the prints. It probably wouldn't be too hard to fabricate a surface with the appropriate ridges and valleys.

  37. Re:Link for "Swordfish" routine by Art+Tatum · · Score: 1
    Too bad most people have never heard of the Marx Brothers

    You said it! I get awfully annoyed with people who think that "Friends" is the pinnacle of comedy.

  38. Re:Cryptic == bad by Doctor_D · · Score: 1

    I agree cryptic passwords are bad for users. But when I used to create user accounts I used a random password generator. They still weren't the best passwords, but better than they would choose on their own. And definitely better than the practice the previous admin used to follow... (companyname1) Besides they always changed them anyway, usually for the worse.

    Granted for my user accounts and the root accounts I used passwords that looked like line noise. (Of course I kept a password list in my Pilot in an encrypted area...god help if I forgot the password.) I unfortunately found a problem with the HP9000s: they won't accept characters outside of a-Z and 0-9 on console. Not a great thing when needing to get logged in on console as root.

    I also kept the users in check by running john the ripper against the password file once a quarter and then mailing the IT manager the list of compromised passwords. He then sent a politically correct e-mail to the users telling them to change their password, and gave suggestions on better passwords. Even then we always had the same people with stupid passwords; they usually changed them by adding 1 to the number in their password (i.e. pass1 became pass2).

    It's one of those basic security principles, yet is sooo hard to get people to follow.

    --
    "If you insist on using Windoze you're on your own."
  39. Re:Passwords are an unfortunate necessity... by mandolin · · Score: 1
    Someone please tell me how the fsck you have a "hint" to remind you that the password you selected is "24885sfjsfsjf82's"

    Ok: 2->4->8 is doubling 1 3 times, and 8-5 = 3. Followed by s. Followed by a 7-letter palindrome. Now think of the B52's, but add that magic number 3 back to the first digit.

    See? Shouldn't be hard to think up a compressed hint for that ;)

  40. Re:Other categories by mandolin · · Score: 1
    www.ugcs.caltech.edu/~werdna/sysadmins.html

    I laughed at the entry that read:

    MANIAC: Writes script that kills all the daemons, clears all the print queues, and maybe restarts the daemons. Runs it once an hour from cron.

    The lpd daemons on the rh linux 6 boxen we had would mysteriously stop talking to the sun print server after a while. Rather than figure out the problem like a good sysadm I wrote an hourly cronjob that restarted the daemons. I think they're still using it.

  41. Barcelona - shell account by Dogun · · Score: 1

    If anyone would like to hear a song inspired by this same subject, I would recommend the band Barcelona and their song "Shell Account", a gripping tale of a CS major trying obvious passwords and them working.
    Seriously, though, good band, good songs. Ultimate Geek band.

  42. Re:Random is the only way! by general_re · · Score: 2

    Ack! I forgot the best part. For users who are really paranoid, you can, in the next-to-last step, convert the number into triplets instead of pairs:

    633 436

    And then you convert both triplets to their Unicode decimal equivalents. Thus, the high-security password in this case is:



    This may not display properly on non-Unicode browsers/platforms. But those of you who can display them will see that they have the added advantage of not actually appearing on any keyboard, thus exponentially increasing the difficulty for anyone wishing to guess your password.



    BTW, for those who can't display them, decimal 633 is an upside-down lower-case "r", and decimal 436 is described as "Latin small letter 'y' with hook".

    --
    ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
  43. Re:Random is the only way! by general_re · · Score: 5

    That is not nearly random enough. You need an algorithmic process that'll give you something really random.

    Here's what I do. First, you take a phrase, famous or obscure. For this example, I'll use a little Shakespeare - "He hath a daily beauty in his life that maketh mine ugly."

    Then, you take the second letter of each word, ignoring any single-letter words, thus producing "eaaeniihaig" in this case.

    Then, you convert each letter to its decimal ASCII equivalent, giving us:

    101 97 97 101 110 105 105 104 97 105 103

    Then squash that all into a single number in that order, producing:

    101979710111010510510497105103

    Then, you take the 5th root of that number, and drop any decimal places:

    101979710111010510510497105103^(1/5) = 633436.01848182821643020050352705 --> 633436

    Then, you take THAT number, and break it into pairs thusly:

    63 34 36

    Finally, you take the first pair and convert it back to its ASCII decimal equivalent, and that's your password. In this case ASCII 63 is "?", so your password is "?" (without the quotes, naturally).

    And that, my friend, is pretty damn random.

    --
    ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
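
The procedure above, worked through in code as an added example (this is not general_re's code, and the helper names are mine). Every step is a deterministic function of the quote, and the last step keeps only two digits of the root, so the "really random" output is one of fewer than a hundred characters; running it shows why an algorithm applied to a known phrase adds no entropy. The follow-up's triplet variant is included as well.

```python
import string

def integer_nth_root(n: int, k: int) -> int:
    """Largest integer r with r**k <= n. Binary search on Python big ints,
    so it is exact where a floating-point 5th root might not be."""
    if n < 0 or k < 1:
        raise ValueError("n must be >= 0 and k >= 1")
    lo, hi = 0, 1
    while hi ** k <= n:        # find an upper bound with hi**k > n
        hi *= 2
    while hi - lo > 1:         # invariant: lo**k <= n < hi**k
        mid = (lo + hi) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid
    return lo

def second_letters(phrase: str) -> str:
    """Second letter of every word, skipping one-letter words (the post's rule)."""
    words = [w.strip(string.punctuation) for w in phrase.split()]
    return "".join(w[1].lower() for w in words if len(w) > 1)

def squashed_ascii_number(phrase: str) -> int:
    """Concatenate the decimal ASCII codes of the second letters into one integer."""
    return int("".join(str(ord(c)) for c in second_letters(phrase)))

def chunks(s: str, size: int) -> list:
    return [s[i:i + size] for i in range(0, len(s), size)]

def general_re_password(phrase: str) -> str:
    """5th root of the squashed number, split into digit pairs, first pair back to ASCII.
    A first pair below 32 would be a control character; the post does not cover that case."""
    root = str(integer_nth_root(squashed_ascii_number(phrase), 5))
    return chr(int(chunks(root, 2)[0]))

def general_re_unicode_password(phrase: str) -> str:
    """The 'paranoid' variant from the follow-up post: digit triplets, each as a code point."""
    root = str(integer_nth_root(squashed_ascii_number(phrase), 5))
    return "".join(chr(int(t)) for t in chunks(root, 3))

# The phrase from the post; the only input this example uses.
SHAKESPEARE = "He hath a daily beauty in his life that maketh mine ugly."

if __name__ == "__main__":
    print(second_letters(SHAKESPEARE))                    # eaaeniihaig
    print(squashed_ascii_number(SHAKESPEARE))             # 101979710111010510510497105103
    print(repr(general_re_password(SHAKESPEARE)))         # '?'
    print([hex(ord(c)) for c in general_re_unicode_password(SHAKESPEARE)])  # ['0x279', '0x1b4']
```

The integer root is done with exact big-integer arithmetic rather than `n ** (1/5)` so the result cannot drift by one for long inputs; the post's value 633436 falls out of it directly.
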
  44. Re:The passward is electrifing by mooman · · Score: 1

    Whups. Missed a typo in the preview.
    The yahoo example should be 'y5934o' *not* 'y5934a'
    Sorry for any confusion.

    --
    In the Portland, Ore area and like card games? Check out: http://groups.yahoo.com/group/portlandgames/
  45. Re:The passward is electrifing by mooman · · Score: 2

    The answer to this is quite easy by using a (simple) password algorithm:

    1) Take that random number, say 5934
    2) Now for every place where you need a password, append/prepend the name of the site/computer to that string. So if you decided something like first and last letters, plus the random number, you'd get:
    yahoo.com = y5934a
    slashdot = s5934t
    etc.
    If that's too short (like for hotmail) use a full-name variant for those like ho59tm34ail.

    For better security, always use caps for one of the ends, and/or tack on some (consistent) non-alpha at beginning or end, whatever rules you want to always use.

    Benefits:
    1) You never need to "remember" a password. Just the numeric bit, which you get to reuse everywhere, and the rule for picking the letters.
    2) Unique password nearly everywhere. Getting one of them doesn't give access to the other sites, and pattern isn't obvious with just one.
    3) If you ever are required to change a password (or just want to be safer anyway), ditch the first random number and select a new one, using the same basic scheme with it for all new passwords. Worst case scenario is you'll have to make 2, maybe 3 guesses, at a site you haven't been to for a while....

    I've been doing this for about 4 years now and it works like a champ. I've lost track of how many times I've suggested this to users when they're griping about having to remember passwords, but they still give me a blank look and use something like their dog's name anyway. Lamers... ;)

    --
    In the Portland, Ore area and like card games? Check out: http://groups.yahoo.com/group/portlandgames/
  46. Re:I just have FPM generate them by tuffy · · Score: 1
    If you're going to use a password manager, why not just make all of your passwords the same anyway?

    All it takes is someone knowing the manager's password to get them all easily enough anyhow.

    If someone other than me has access to the password manager data in my home directory and knows the password to the manager, having my Slashdot password available to them is the least of my concerns...

    --

    Ita erat quando hic adveni.

  47. It's all about tradeoffs, ultimately by tuffy · · Score: 2
    I mean, if I wanted to be really secure, I'd come up with a whole bunch of hyper-obscure passwords, memorize them for weeks on end and use those - secure in the knowledge that nobody can read my mind.

    Of course, that would be silly.

    I have used my PDA for password storage, but it proved somewhat tedious to go back and forth between computer and PDA to input them (whereas FPM can copy straight to X11's cut buffer with the hit of a button). It's not impossible for someone to break into my box, steal FPM's password file and somehow steal the password to decrypt it, but I consider that a possibility remote enough to fall within my level of tolerance.

    I figure so long as the value of the passwords is less than the effort it would take someone to steal them, I'm protected from the most likely attacks.

    --

    Ita erat quando hic adveni.

  48. I just have FPM generate them by tuffy · · Score: 3
    With a password manager, I wind up with lots of passwords like "pXSvs2gQ", "3zRrtjBc" and "UA4urfVx" (to make up some examples). Sure, I have to remember one cryptic password to get into the manager, but then I can forget the rest (which, by my personal count, is 41 different user/password combos to remember - which I don't have time for).

    I recommend a decent password manager for everybody, since there's just too damn many sites that require them.

    --

    Ita erat quando hic adveni.

    1. Re:I just have FPM generate them by maraist · · Score: 1

      Get a PDA. Then the difficulty is bumped up a notch.. First they have to get access to your person.. Then they have to crack the PW-manager password. Then they have to figure out which password goes with which site (hopefully you didn't put all that info together).

      Only trick is if you lose your PDA. So maybe you should have a tape-archive with the info periodically, and put that into a safe where you have the only key.

      -Michael

      --
      -Michael
    2. Re:I just have FPM generate them by The+Flymaster · · Score: 1

      If you're going to use a password manager, why not just make all of your passwords the same anyway?

      All it takes is someone knowing the manager's password to get them all easily enough anyhow.

  49. Re:More high school fun... by sab39 · · Score: 2

    Hey, a bunch of people in my HS did that too.

    You wouldn't happen to be in Surrey, UK would you? ;)

    Stuart.

  50. Re:Writing down passwords isn't always stupid. by Syberghost · · Score: 2

    The advice "never write down a password" dates from back when a secure-enough password could be remembered reliably.

    This simply isn't true anymore. Any password that is easily remembered is likely to be easily crackable, because computer power is so cheap these days.

    Even Bruce Schneier has reversed himself and now recommends that you write your passwords down on a piece of paper, and then treat that paper like it was a significant amount of cash or a credit card; keep it in your wallet, or locked in a safe, and be aware of its location at all times.

    Of course, people who write down their password on a sticky note and place it on their monitor are still idiots.

    -

  51. Best password creation scheme... by Garion911 · · Score: 3

    A friend of mine came up with a pretty nifty password creation scheme.. He lived on a rather busy street near a stop light.. So he would look out the window and pick out someone's licence plate number who was waiting at the light.....

    --
    Slashdot is like Playboy: I read it for the articles
    1. Re:Best password creation scheme... by Chelloveck · · Score: 2
      I grab two random license plates, concatenate them, and screw with capitalization. I've been using this method since 6th grade and it's always been secure enough.

      And in what situations, exactly, would this prove to be more secure than, say, taking one licence plate and not screwing with the capitalization?

      There's no need for horribly complex password schemes. Really, you can have passwords that are "secure enough" for whatever environment you're in without having to resort to major convolutions or a radioactive decay random number generator. Pick something not in the dictionary that couldn't be guessed even by someone who knows you. If you can work in capitalization or punctuation, that's great.

      Just make sure you eliminate everything that could reasonably be guessed or derived. (Don't use your mother's maiden name, not even backwards.) Once the cracker has to resort to a brute-force attack, any password is as good as any other.


      Chelloveck
      --
      Chelloveck
      I give up on debugging. From now on, SIGSEGV is a feature.
    2. Re:Best password creation scheme... by Sloppy · · Score: 1

      But everyone knows that the NSA sends several cars (with known-to-them plate numbers) to drive by everyone's house on a regular basis, in order to reduce the randomness of people choosing this way.

      And in England, they have street corner cameras watching all the traffic, just so that they can guess the passwords of people who use this technique.


      ---
      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    3. Re:Best password creation scheme... by AntiFreeze · · Score: 2
      Haha. I can't believe someone else does this too.

      I grab two random license plates, concatenate them, and screw with capitalization. I've been using this method since 6th grade and it's always been secure enough.

      ---

      --

      ---
      "Of course, that's just my opinion. I could be wrong." --Dennis Miller

    4. Re:Best password creation scheme... by bad-badtz-maru · · Score: 1


      That would be the situation where someone is brute-forcing the password. The longer the password, the longer the brute-forcing takes.

      maru

    5. Re:Best password creation scheme... by Feynman · · Score: 1
      A friend of mine came up with a pretty nifty password creation scheme.. He lived on a rather busy street near a stop light.. So he would look out the window and pick out someone's licence plate number who was waiting at the light.....

      This isn't all that secure though. For example in Minnesota--where the standard passenger vehicle plate is three numbers and three letters (e.g., 123 ABC)--there are only (by my reckoning) 17,576,000 possible permutations. A cracking program that could test them one per second starting Jan. 1 would be guaranteed to find the correct one by July 22.

      Cake.
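
The keyspace arithmetic in the reply above, as an added example (mine, not the poster's) that generalises it to other password shapes and guess rates. Pattern letters are my own shape codes; `dddlll` is the three-digit, three-letter plate from the post. The "guaranteed" time is the full keyspace divided by the guess rate; on average a search finishes in half that.

```python
import math

# Character-class sizes for the shape codes used in patterns below (my convention).
CLASS_SIZE = {
    "d": 10,  # digit
    "l": 26,  # lower-case letter
    "u": 26,  # upper-case letter
    "m": 52,  # mixed-case letter
    "a": 62,  # letter or digit, either case
    "p": 95,  # any printable ASCII character
}

def keyspace(pattern: str) -> int:
    """Number of distinct strings of the given shape."""
    n = 1
    for ch in pattern:
        n *= CLASS_SIZE[ch]
    return n

def entropy_bits(pattern: str) -> float:
    """Entropy if every string of the shape is equally likely (a best case for the user)."""
    return math.log2(keyspace(pattern))

def days_to_exhaust(pattern: str, guesses_per_second: float) -> float:
    """Time to try every candidate once: the guaranteed bound used in the post."""
    return keyspace(pattern) / guesses_per_second / 86_400

def compare(patterns, guesses_per_second: float) -> list:
    """Rows of (pattern, keyspace, bits, days) for a password-policy discussion."""
    return [
        (p, keyspace(p), round(entropy_bits(p), 1), days_to_exhaust(p, guesses_per_second))
        for p in patterns
    ]

if __name__ == "__main__":
    # One guess per second, the rate assumed in the post; a plate vs. longer random shapes.
    for row in compare(["dddlll", "llllllll", "aaaaaaaa", "pppppppppppp"], 1.0):
        print(row)
```

The model assumes the guesser has to cover the whole shape; a password that is a dictionary word or a known plate format gives the guesser a far smaller list, which is the point the thread keeps coming back to.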

  52. ON KEyloggers by Ex+Machina · · Score: 1

    In a previous academic situation I keylogged one of the public labs for about 3 months... it was pretty revealing to see what kids had as their passwords. "kill" "boobster", etc.

  53. How did they conduct this survey? by Nate237 · · Score: 2

    The thing that cracks me up is that they obviously had researchers go ask people for their passwords, and they gave them to them!

    I used to have an app on my PalmPilot that would generate random passwords and store them using IDEA. I was responsible for changing the root passwords at the ISP I worked at, and everyone hated it when I made them change.

  54. swordfish... [slightly OT] by cswiii · · Score: 2

    Wasn't it Sierra's Hero Quest where you had to utter a password to enter a house, or cave, or something? The password, if I'm not mistaken, was "schwertfische"; if you said "swordfish", it responded with something akin to "Wrong game!" before kicking you back from whence you came.

    Well, it was amusing... back in those EGA days...

  55. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  56. addresses by james_shoemaker · · Score: 1

    Are old addresses cryptic, or family? What about name + old telephone numbers? That way you get Alpha and numeric, and still can remember them.

  57. Re:Related poll by Aphelion · · Score: 1

    And it shows that 4% use "tacosux!" as their password. Riiiight.

  58. stronger passwords aren't by MarkMac · · Score: 1
    The following article makes the point that asking users to pick and memorize cryptic passwords that they must change every 60 days etc. is both unreasonable and usually unnecessary. Different types of accounts require different levels of security (e.g. if shadow passwords are implemented, why worry so much about password cracking? Be more concerned about keeping the root account secure). Instead, more effort should be expended on securing the system rather than chasing down those users who forgot to include a digit in their password. And face it, in the real world a large corporation with thousands of users is NEVER going to get every user to pick a totally cryptic password.

    "Stronger Passwords Aren't"
    http://www.infosecuritymag.com/articles/june01/columns_executive_view.shtml

  59. All login passwords cracked, except... by jgerry · · Score: 1

    I used to work for a very large US telecom, and one day out of boredom we ran a password cracker on our NT domain controller. Now, out of about 75 people in our department, there were only 2 passwords that could not be cracked... One was mine, the other one was our receptionist's.

    I think we laughed for weeks about that one. But it was also kind of shameful that a group of engineers had such weak passwords.

  60. Re:A few years ago... by Compuser · · Score: 3

    When I worked as an intern in a rather big corp which shall remain nameless, all passwords for all computers were "welcome". The sysadmins claimed it made their jobs easier because they didn't have to remember passwords for all the machines.

  61. Cliff Stoll by sammy+baby · · Score: 5

    I once read an interview with Clifford Stoll, who was speaking about another interview he did on camera in his apartment. Apparently, the camera crew set him up seated in front of his computer. By the time the interview was aired, he realized his monitor - and the Post-It (tm) note with his root password on it - was clearly visible in the shot.

    The obvious retort is, "But anyone can read it!"
    No, the obvious retort is, "But anyone who can get inside the room can read it." At my place of bidnez, our administrative passwords all get written down, then placed in a fireproof safe, which is in our locked operations center. If you're confident that nobody is interested enough to read your passwords, that's fine. Just don't give any TV interviews.
    1. Re:Cliff Stoll by mgblst · · Score: 1

      ... but why did he have to have a copy of root/root on his monitor at all?? Surely he could remember that!

    2. Re:Cliff Stoll by FireWhenRady · · Score: 1

      Any password that you can remember without writing it down is most likely easy to crack.

      People just can't remember an 8+ character random sequence without some practice, and anything less is crackable.

    3. Re:Cliff Stoll by ysachlandil · · Score: 1

      Try using passwords that are made up out of sentences, like so: This is a quite difficult passwd, eh? (First letter of each word:) Tiaqdp,e? Easy to remember, hard to crack (with a dictionary) --Blerik

  62. Too many passwords by Sloppy · · Score: 2

    But honestly I feel for these people. I have a ton of passwords too. Some are hard, some are easy, some I don't know thanks to cookies. The point being there ARE far too many passwords.

    IMHO, this is a very serious problem, and almost everyone has it. It isn't realistic to expect anyone to memorize 20 different randomized passwords for 20 computers, 20 web sites, etc.

    I think the Right Thing to do would be to memorize a single passphrase (that you never use as a real password for anything) and use it as a key, to encrypt the name of whatever computer/site you're logging into, then hash the ciphertext down into some password-like form. Thus, the user would only have to memorize one secret, but his local login, Slashdot, and Amazon passwords would all be different.

    Naturally, no person could do this kind of thing in their head, so maybe that's the final excuse for carrying around a PDA or something. (The PDA wouldn't store passwords, it would just be for combining the passphrase+identity into passwords. So all you'd have to worry about would be someone compromising the PDA to store/forward your passphrase.)


    ---
    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
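
Both mooman's scheme (comment 45, a reusable number plus a rule applied to the site name) and the derivation described just above (one memorised passphrase used as a key over the site name, then hashed into password form) are instances of deterministic per-site password derivation. The following is an added example of that idea in Python's standard library, written by me and not taken from either post or from FPM; the passphrase, site names, salt constant and iteration count are constructed values. It uses HMAC-SHA256 keyed with a stretched passphrase in place of "encrypt the site name, then hash", and a per-site `generation` counter in place of the reusable number, so a forced change at one site does not change the others.

```python
import hashlib
import hmac
import string

# Output alphabet: 70 symbols, so derived passwords mix case, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
# Site-independent salt for stretching the passphrase. A constant is an assumption
# of this example: the passphrase itself is the secret, the salt only domain-separates.
STRETCH_SALT = b"per-site-password-example-v1"
ITERATIONS = 100_000

def master_key(passphrase: str) -> bytes:
    """Stretch the memorised passphrase once (PBKDF2) so that guessing it from
    one leaked derived password costs real time. Not part of either post."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), STRETCH_SALT, ITERATIONS)

def derive_site_password(passphrase: str, site: str, length: int = 16, generation: int = 1) -> str:
    """Derive one site's password from the passphrase and the site name.
    The site name is normalised so 'Yahoo.COM ' and 'yahoo.com' agree, and
    'generation' is bumped for a single site when that site forces a change."""
    if length < 1:
        raise ValueError("length must be positive")
    key = master_key(passphrase)
    label = f"{site.strip().lower()}|{generation}".encode("utf-8")
    limit = 256 - (256 % len(ALPHABET))   # reject bytes in the biased tail (210..255)
    out, block = [], 0
    while len(out) < length:
        # Counter-mode expansion: fresh HMAC block whenever more bytes are needed.
        digest = hmac.new(key, label + b"|" + str(block).encode(), hashlib.sha256).digest()
        for b in digest:
            if b < limit:
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
        block += 1
    return "".join(out)

def passwords_for(passphrase: str, sites) -> dict:
    """One derived password per site; nothing is stored, everything is recomputed."""
    return {site: derive_site_password(passphrase, site) for site in sites}

if __name__ == "__main__":
    # Constructed sample input: the passphrase and sites are illustrative only.
    for site, pw in passwords_for("correct horse battery staple", ["yahoo.com", "slashdot", "hotmail"]).items():
        print(f"{site:12} {pw}")
```

The difference from the first-and-last-letter rule is that a derived password reveals neither the rule nor the passphrase: an HMAC output gives an observer nothing to work from except the cost of guessing the passphrase, which PBKDF2 raises. The rejection step keeps every alphabet symbol equally likely instead of favouring the first few when 256 is not a multiple of 70.
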
  63. Related poll by crow · · Score: 3

    This Slashdot Poll shows that 3% of slashdot users use "password" as their password.

  64. Re:Writing down passwords isn't always stupid. by Teferi · · Score: 3

    Yeah, if they have physical access to your home and box anyway, passwords aren't really going to stop anyone.

    --
    -- Veni, vidi, dormivi
  65. Re:The clueless disease by sharkey · · Score: 3

    He built redundant Cisco router configs for Slashdot until June 23, 2001.

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  66. Re:my personal favorite... by sharkey · · Score: 3

    Ah, yes. @Home. I get service through Comcast Cable in Indianapolis. In trying to get them to actually provide service, rather than just leaving the modem, I ended up talking to a senior level tech. I had to tell her where I was, so I did:

    @Home: Where are you located?
    Me: 73rd & Hoover.
    @Home: What is that near?
    Me: About 1/2 west of Meridian St.
    @Home: No, what's close to there on the map?
    Me: It's Meridian, US 31, runs down the center of town.
    @Home: I don't know where that is.
    Me: The middle of Indianapolis!!
    @Home: But what is that near?
    Me: Plainfield, Carmel, Avon, it's a big city in the middle of the state!
    @Home: What state is that?
    Me: Huh?
    @Home: What state is that?
    Me: INDIANA!
    @Home: What is that near?
    Me: What the hell are you talking about?
    @Home: We don't have any facilities there. What is that near?
    Me: What? Do you mean what States are nearby? OH, IL, MI...
    @Home: OK. We have service in Illinois. I put in a request for them to finish turning on your account.

    Bear in mind that I called my LOCAL cable company for this support, and ended up, on the same call, talking to this wizard, who apparently flunked 1st grade geography, and was stuck on that asinine question, "What is that near?"

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  67. Re:Writing down passwords isn't always stupid. by Elwood+P+Dowd · · Score: 2

    No, writing down your passwords is only stupid if all of your enemies will be able to find your written down password.

    Like, if you post their location to a very public place...
    --

    --

    There are no trails. There are no trees out here.
  68. Mine are good by Pope · · Score: 1
    Mix of upper and lower case, non-Alphabeticals, and numbers.

    However, since I can't remember them all, I put them in my NotePad DA (Mac, not Windows)

    No one else has access to my 'puter so I'm not worried... yet...

    --
    It doesn't mean much now, it's built for the future.
  69. My Favorite by Catmeat · · Score: 1

    LOLOAQICI82QB4IP Just say it out loud, and no I no longer use it.

  70. Re:fingerprints by cruelworld · · Score: 1

    Fingerprints are not unique.

  71. users amaze me by double_h · · Score: 2

    The thing that amazes me is when users boast about their passwords just out of the blue. One time I was helping a user who couldn't log in, and it took me about three seconds to spot the caps lock key that had been accidentally engaged.

    "Thanks so much for fixing that," the user told me gratefully. "I couldn't understand why it wouldn't work. I typed in password just like I always do. You know, my niece's name -- 'brittani', spelled with an 'I'..."

    I'm amazed on a daily basis at how differently some people's minds work.

    - HH (proudly using 'lovesexgod' as a password since 1993).

  72. I'm doing this study... by RandomFactor · · Score: 5
    the most common type of password attack comes in the form of "social engineering"

    *cough*

    Like giving your password to someone doing a study on passwords?

    --
    --- Mercutio was right.
    1. Re:I'm doing this study... by canning · · Score: 1
      Yeah, I'm doing a study on credit cards... send me yours and I'll include you in it.

      One user was amazed that I knew his password but he had it plastered all over his monitor.


      Murphy's Law of Copiers

      --
      I love the smell of Karma in the morning
  73. Re:Too many passwords? by r2ravens · · Score: 2

    I agree.

    When I used to teach beginning internet classes and manage the student lab at a community college, I made the same suggestion.

    If I picked up that the students/users were savvy or interested, I also suggested adding other modifications to the acronymized sentence.

    Substitute punctuation or numerals for words, suffixes, prefixes, etc.

    @ = at
    contempl8 = contempl(ate)
    4nick8 = (for)nic(ate)
    (Way too obvious, I know)

    Alternate case in the acronymized sentence.

    Now is the time for all good men to = NiTt4AgM2

    If they insisted on using the 'family' category, I had them '1eet 5pe@k' the family name.

    Where I work now, passwords must be changed monthly so I suggest all of the above with alternatingly prefixing or suffixing the two digit month offset by some number they can remember.

    --
    War is Peace. Freedom is Slavery. Ignorance is Strength. - George Orwell or George Bush?
  74. Re:What I want to know. by MindStalker · · Score: 1

    Actually it is, cause I don't give a damn about slashdot.

  75. What I want to know. by MindStalker · · Score: 2

    How many idiots actually gave their real passwords to this study? I hope to god the "cryptics" just gave them an example. Hmm, how big was this study? Can I get the "results"? hint hint, nudge nudge.

    1. Re:What I want to know. by jhoffoss · · Score: 1

      Damn...just used the last mod point i had today...
      ---

      --
      Linux: The world's best text-adventure game.
    2. Re:What I want to know. by emok · · Score: 2

      What a great scam for AOL chat rooms...

      "Hi. I'm doing a study on the passwords that computer users choose. I was wondering if I could ask you a few questions..."

    3. Re:What I want to know. by 4mn0t1337 · · Score: 1
      Would they really have to give them the password? I think the nature of the categories dictates that you (subject) inform the study of *why* you choose a password (or what it means), rather than what it is.

      For example, if you were given a password of "Marilyn" would that be "Fan" (Monroe, Manson?) or possibly "family"? (Aunt Marilyn) Or what if your Aunt *was* Marilyn Monroe?? (Or Manson?)

      Marilyn, while mostly obvious, is more clear cut than a lot of other potential passwords. I think they probably had a series of multiple choice questions or the researchers had to spend enough time with each subject to interview them.

      ______

      --

      ______
      Once: you're a philosopher. Twice: a pervert.

  76. Mr.Root by angst_ridden_hipster · · Score: 2

    Passwords aren't always the limiting defense in security.

    Back in the day, we had all the machines in the research lab have the root password of "Mr.Root" (or "Mr.System" for the VMS machines).

    It was all pretty secure.

    We were not connected to the outside world on a network, and you had to pass through two safe doors to get to the lab. The combination on those safe doors was swiping your badge in the reader and waving your ID to the guys with the guns.

    Never had a single compromised system, either.
    bukra fil mish mish
    -
    Monitor the Web, or Track your site!

    --
    Eloi, Eloi, lema sabachtani?
    www.fogbound.net
  77. Re:I'm with Stupid -- by maeglin · · Score: 1

    Now, it's not necessarily stupidity... Sometimes there comes a point when you just don't care..

    At work I've got database passwords, AIX and Solaris passwords (which the administrators have set up with mutually exclusive password rules), Linux on my laptop and at home, Exchange, VSS, NT and PBX passwords... So, when Novell asks you to enter a new unique password for the fiftieth time (it's obviously more secure to make you change it EVERY TWO WEEKS) security really isn't your top priority... Things like "novellsucks" and "password" start looking reasonable.

  78. Re:Dvorak Rules! by skullY · · Score: 1
    I use the Dvorak layout on my keyboard, and that is a pretty good password protection scheme in and of itself! I'll use easy to remember words, like linuxrules, and convert them to the qwerty layout. So, linuxrules would be pglfbofpd; Plus, it freaks people out to start typing at the machine, so that is a pretty good protection mechanism!
    Dvorak owns. I got a DvortyBoard which switches between dvorak and qwerty. I just hit Dvorak lock, type my password as normal, and then turn dvorak back on. Of course, I'm screwed on a qwerty keyboard for 5 minutes or so while I remember the translation.
    --
    When I was able to do my own spam-armoring, you got a chance to email me. Now you can only hope I see your reply.
  79. Re:Systematic is the only way! by iapetus · · Score: 2
    I suppose "western" books only (not asian, russian, etc..)

    Why not? Just stick to a standard (or even better - slightly nonstandard) way of transliterating, and you shouldn't have any problem.

    Of course, the downside of this approach is that if someone discovers your system, all the passwords you ever had are then known to them.

    --
    ++ Say to Elrond "Hello.".
    Elrond says "No.". Elrond gives you some lunch.
  80. Score -1: Off Topic by ConceptJunkie · · Score: 1

    Steve:

    You're the first person I've seen on /. to actually spell "mnemonic" correctly. When I read the horrible spelling and grammar on /. I fear for our future. Thanks for having a clue.

    Rick

    --
    You are in a maze of twisty little passages, all alike.
  81. You're lucky by chryptic · · Score: 1

    My users always try to use passwords that are too simple to warrant post-its.

    --
    The two most common things in the Universe are hydrogen and stupidity. -- Harlan Ellison
  82. Re:Random is the only way! by chryptic · · Score: 1

    I use sections from product keys on software. Those things look pretty damn random to me.

    --
    The two most common things in the Universe are hydrogen and stupidity. -- Harlan Ellison
  83. Re:More high school fun... by tulmad · · Score: 1

    Bah, I think we had the same system at my school. Except we just sorta reverse-engineered the encryption on the password system. We already knew one of the passwords, all it took was getting the password file and determining how the encryption worked. Turned out to only be a simple ROT- system. How pathetic.

    --
    "In case of emergency, break glass. Scream. Bleed to death."
  84. Re:problem by GregWebb · · Score: 2

    This is the advantage of iris recognition. It's reliant on there being blood flowing through the eye when it's checked.

    --

    Greg

    (Inside a nuclear plant)
    Aaaarrrggh! Run! The canary has mutated!

  85. Re:Random is the only way! by Garin · · Score: 3

    Dude, who cracks passwords any more? These days, it's far more likely the bad guys will get a root shell on a particular box before they'll crack passwords. Then it doesn't really matter any more, does it?

    IMNSHO, picking ridiculous passwords is a major waste of effort. All that is necessary is to "beat" all password guessers by a reasonable margin -- i.e., stay well out of their dictionaries. As long as you make it so that dictionary attacks are no good, you'll have pushed the weakest link in your security on to something else.

    This means that pseudo-random passwords are easily good enough. No, "s00P3rS3kr1t" isn't a good choice for a password, but "SdN4N.Stm" will probably foil any dictionary.

    Heck, these days if someone manages to get a shadow file, then they're almost to the point where they don't need it any more.

    --
    In any field, find the strangest thing and then explore it. -John Archibald Wheeler
  86. Re:My (easier) way by MrNixon · · Score: 1

    What, when someone bludgeons you with a dictionary until they tell you your password?

  87. Another "what we did in high school" by AntiFreeze · · Score: 2
    Okay, I'm particularly proud of this one.

    In high school, someone managed to get a copy of /etc/passwd when it was accidentally unshadowed for a day [NIS went down and it was a quick fix and no one realized it broke shadow until too late].

    So we ran john (I think that's what it was called) on the password file to see what it could decrypt. All the important accounts had secure passwords, but lots of users had really stupid passwords. The most common ones were "password" and "hello123".

    So what we did was hash each of those, and then hash the hashes. We then ran the program to brute-force the double hash, and lo and behold, it said the password was "password" or "hello123". But neither password nor hello123 would be valid.

    I just really liked that method, because it's a sneaky way of creating a pseudo-random password, and if you use it correctly, you can screw with people's minds. Of course, as soon as someone realizes that this is what you've done, it's very easy to get around. But that's not the point =]

    P.S. if you can't figure out what I'm talking about, I'm sorry for the incoherent babbling, I barely got any sleep.

    --
    "Of course, that's just my opinion. I could be wrong." --Dennis Miller
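    The "hash the hash" trick above, and the caveat the poster adds (it only works until the attacker realises what you did), as an added example in Python that is not part of the original post. It also speaks to the point in comment 85 that what matters is staying outside the cracker's candidate set. The salted SHA-256 function, the wordlist, and the salt are all constructed stand-ins for crypt(3) and john's dictionary; none of them come from the page.

```python
import hashlib
import hmac
from typing import Iterable, Iterator, Optional

# Toy salted hash standing in for crypt(3). It is NOT a real password
# hashing scheme; it only has to behave like one for this demonstration.
def hash_password(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

# Constructed wordlist: the kind of entries a cracker like john starts with.
WORDLIST = ["password", "hello123", "letmein", "123456"]

# Constructed salt. In a real shadow entry the salt is stored next to the
# hash, so the attacker always knows the salt of the *outer* hash.
SALT = b"\x01\x23"


def dictionary_attack(stored_hash: str, salt: bytes,
                      candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose salted hash matches stored_hash."""
    for candidate in candidates:
        if hmac.compare_digest(hash_password(candidate, salt), stored_hash):
            return candidate
    return None


def with_hashed_variants(words: Iterable[str], salt: bytes) -> Iterator[str]:
    """Yield each word, then the hash of each word as an extra candidate.

    This is the "easy to get around" step: once the attacker suspects that
    someone is using hash(word) as a password, the hashes of the wordlist
    join the candidate set. With traditional crypt(3) the inner hash's
    two-character salt is not stored anywhere, so an attacker would also
    have to try all 4096 salts per word; that is still cheap.
    """
    words = list(words)
    yield from words
    for word in words:
        yield hash_password(word, salt)


def demo() -> tuple:
    # The trick from the post: the user's real password is the hash of a
    # dictionary word...
    sneaky_password = hash_password("password", SALT)
    # ...so what the system stores is the hash of that hash.
    stored = hash_password(sneaky_password, SALT)

    naive = dictionary_attack(stored, SALT, WORDLIST)
    extended = dictionary_attack(stored, SALT,
                                 with_hashed_variants(WORDLIST, SALT))
    # naive is None: a 64-hex-character string is in nobody's wordlist.
    # extended recovers it, because hash("password") is now a candidate.
    return naive, extended


if __name__ == "__main__":
    print(demo())
```

    The same extension of the candidate set is what comment 92 describes with extra-language dictionaries: the cracker is only ever as good as the candidates it is fed, and every "scheme" that can be described in a sentence can be fed to it.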

  88. wats wrong with ********* by Unknown+Poltroon · · Score: 1

    Works every time, easy to remember, no one can read it over my shoulder.....

    --
    All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
  89. Re:Is there a category for... by Voxol · · Score: 1

    'Post-its'?

    My Dad writes them on the monitor itself, or in fact anywhere in reach. The computer room is decorated by thousands of passwords written in strange locations on the walls of the room.

    One example is a list of a hundred-or-so seemingly random letters, which are in fact the passwords to Lemmings on the Amiga version.

  90. my personal favorite... by GoNINzo · · Score: 3
    One of my favorite password stories is my recent subscription to @Home from AT&T. I called to complain about my cable modem dying (I apparently was querying the DHCP server every second, for an hour or so every week. Stupid crontab...). I am used to 'security questions' like 'can you verify your address' and things like that. But after the usual, the conversation went like this:

    The Guy: 'What is your @home password?'
    Me: 'Excuse me?'
    TG: 'Oh, we have to make sure it's you.'
    Me: 'But I haven't set a password.'
    TG: 'Yes, you have.'
    Me: 'Um, I don't remember TELLING anyone my password.'
    TG: 'Oh wait, you do have the default. Do you want to set a password?'
    Me: 'What?!'
    TG: 'You tell me the password, I'll put it in for you.'
    Me: 'I don't really feel comfortable with that.'
    TG: 'Just give me any old password.'
    Me: 'Okay. F. &. 9..'
    TG: 'No, do you have a regular word you could use?'
    Me: 'What, like "bob"?'
    TG: 'Okay, I've set it to "bob". How can I help you?'

    I was about ready to kill him at that point. Slight alterations in the passwords, but that's pretty much how it went. I was not happy.

    --
    Gonzo Granzeau
    "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
    1. Re:my personal favorite... by CBravo · · Score: 1

      It's alice, right? Tell me it is alice.

      --
      nosig today
    2. Re:my personal favorite... by staplin · · Score: 1

      I had exactly the same experience with a Denver based ISP!

      First you feel silly spelling a cryptic password out for some clueless tech person over the phone, and then you find out you can't change it without calling them back and spelling out that one.

      This ISP just couldn't figure out why I didn't want them to know my password... They most likely had root access anyway, making knowing my password a moot point! And if this person on the phone didn't have root, I don't want them having my password either!

      It wouldn't bother me so much, if I could change it the first time I logged in, but having no secure way to change it really bothered me.

  91. Random passwords by deacent · · Score: 1

    One of my more clever friends who was a skilled pianist used to pick a bar from a familiar piece of music for his passwords. I remember one time he needed to give his password to a trusted friend and he really couldn't remember it. All he knew was the manner in which his fingers moved over the keyboard.

    -Jennifer

  92. Re:Foreign Language Passwords by Mike+Van+Pelt · · Score: 2

    Ha. When I was sysadmining, I added Hindi, Mandarin, and Cantonese dictionaries to my regular Crack run. I caught quite a few.

  93. Re:My /. password is... by cornjones · · Score: 1

    ok, but you forgot something, as I recall:

    Roland: 5
    Helmet: 5

    (slams up visor) 1 2 3 4 5!! That's the stupidest combination I have ever heard. It is the kind of thing an idiot would have on his luggage.

    (snip couple seconds/minutes)

    President Spaceball: What is the combination?
    Helmet: 12345
    PS: Amazing! that is the same combination I have on my luggage

    I know I missed some details but at least it is a bit closer to the original.

    ej

  94. Re:You mean... by generic-man · · Score: 1

    I'm afraid not. It's a bad idea to use dictionary words as passwords.

    --
    For more information, click here.
  95. In Washington by Marillion · · Score: 1

    I think I've figured it out! Welcome to Whitehouse.gov login: jennabush password: budlight Login accepted yada, yada ...

    --
    This is a boring sig
  96. Re:"swordfish,' for those who don't know.... by rufus+t+firefly · · Score: 1

    > ...comes from a marx brothers movie. it's the password to get into the speakeasy. how it became
    > a completely unrelated travolta title, I'll never know...

    I'll second that.

    Harpo, the silent Marx Brother, says "swordfish" by pulling out a large fish and inserting a sword into it.

    If only we could enter our passwords in a similar fashion...

    --
    "He may look like an idiot, and talk like an idiot, but don't let that fool you. He really is an idiot." - Duck Soup
  97. Link for "Swordfish" routine by rufus+t+firefly · · Score: 2
    And now, for a little bit of gratuitous link karma whoring, http://www.earthstation1.com/Horse_Feathers.html is a page with lots of clips from the Marx Brothers' "Horse Feathers", including the famous (or is that infamous?) swordfish joke.

    Too bad most people have never heard of the Marx Brothers, or at least they don't *think* that they have ever heard of them. (Think Bugs Bunny for a moment...)

    --
    "He may look like an idiot, and talk like an idiot, but don't let that fool you. He really is an idiot." - Duck Soup
  98. Re:Is there a category for... by CBravo · · Score: 1

    Essentially I think you are more right than you might realize. Think about it: security is only as good as the physical access level. When someone has physical access to your keyboard it can get bugged, since your keyboard is a trusted machine (always take your keyboard with you!!!).

    --
    nosig today
  99. Re:Too many passwords? by gorilla · · Score: 3

    You can make the case mixing in the mnemonic device too. For example, if you were to think the Too Many was loud, it could be mshTMp2d.

  100. Yet Another Password Scheme... by slackergod · · Score: 1

    One scheme I heard of (I don't use it :) ) is a semi-Cryptic mnemonic system: it's based off an old program called Alien Names, which would generate scifi-ish sounding names out of English letters. They were designed around English phonetics, so you could pronounce them, but they were still pretty much random line noise.

    Strangely enough, it works quite well... Though I only saw it used in one place, when I was setting up some free shell accounts someone gave my HS, their default password was 'qedovako', which I _still_ haven't forgotten. Yes, that's the password. If they haven't changed it by now, they deserve what they get.

    (why didn't _I_ change it? prohibited by School Officials. Gotta love 'em.)

    anyways, just wanted to share that scheme. Me, I use a chant... say a word, and chant a series of numbers that fit the word's intonation. All I have to remember is the word, intersperse the numbers.

    -Slackergod

  101. Re:Password Methodology by Peter+H.S. · · Score: 2

    Here's what I use: [snip] ...3. Use a person's last name (like Rucker) and 4 digits (say 3120). In your DayTimer or PDA, record it as a name and phone (Bill Rucker 275-3120)...

    Hm. This method is quite common, but perhaps not so secure. Banks in my country have issued warnings about using this method for storing PIN codes for ATM cards, since "all" pickpockets seem to know this scheme, and therefore scan all dayplanners for "fishy" name and number entries. Apparently quite a few bank accounts have been emptied this way.
    Another problem with this scheme is that it is "easy" to verify which are real names and telephone numbers.

  102. Re:BOSCO by EnderWiggnz · · Score: 1
    how about
    ]305] ?

    its late in the day on a friday... give me a break

    --
    ... hi bingo ...
  103. Re:Back in high school... by HerrNewton · · Score: 1

    *cough* And then Robby banned you from the system. ;-) Hmmmm... I wonder how many of the passwords were "sendit2me", corresponding to the password used to get into the account registration system.

    --
    Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
  104. Sales Department by Talisman · · Score: 5

    "The Internet domain name registry CentralNic who commissioned the study, claims that the most common type of password attack comes in the form of "social engineering", when a cracker poses as technical support, and contacts someone in a different department within a big corporation claiming that there is a network problem, and asks for the user's password."

    Brrrnnnggg!!!
    Brrrnnnggg!!!

    "Good morning and thank you for calling the sales department at ACME Widget Corporation. My name is Janet. How can I help you today?"

    "Good morning, ma'am. This is the tech support department. We're currently installing quizzards for the loopstep stabilizers on your PC and we need your password."

    "Oh, OK. My password is J-A-N-E-T."

    (tapping sounds)
    "Ummm... No, ma'am. That's your login name. We need your password. The thing that you type in after your login name."

    "You mean that box underneath my name?"

    "Yes, ma'am. The box that says "Password" next to it..."

    "Oh it's B-U-S-T-E-R. That's my puppy's name."

    (tapping sounds)
    "No ma'am, that isn't it either."

    "Yes it is. When the 'Password' box comes up I type that in or else I can't get my e-mail."

    "That's the password to your e-mail account, Janet. When you FIRST turn the computer on, a box comes up that has a text entry field... err... I mean a little white rectangular box that you can type in, underneath your login name. What do you type in that box?"

    "Nothing."

    (silence)

    "What do you mean 'nothing'?"

    "I kept forgetting my password so one of the boys from the IT department set it to Auto Save so I wouldn't have to type it in."

    (silence)

    "Janet, can you please transfer me to the accounting department?"

    "Don't you want to place an orde..."

    "SILENCE, DUNCE! TRANSFER ME NOW!!!"

    --

    "Study your math, kids. Key to the universe." -The Archangel Gabriel
    1. Re:Sales Department by Tackhead · · Score: 1
      > "Erols technical support, may I have your userid?"

      "clickity-click".

      All hail the BOFH!

    2. Re:Sales Department by vbrtrmn · · Score: 5

      I'll trump that one...

      I used to work for an ISP in Virginia, called Erols Internet.

      We had to answer the phone with:
      "Erols technical support, may I have your userid?"

      Half the People who called answered with:
      "Is that my password?"

      Soon after I started working there, I changed my username to IsThatMyPassword, basically as a geeky joke.

      It has been about 3 years since I quit, I called up support, because I didn't pay my bill.

      A nice man answered and asked me for my userid, and I said, "IsThatMyPassword".

      After I explained it to him, he laughed for a few minutes and said that I had been his best caller ever :)

      --
      microsoft, it's what's for dinner

      bq--3b7y4vyll6xi5x2rnrj7q.com

      --
      it's a sig, wtf?
    3. Re:Sales Department by sowalsky · · Score: 1

      Well, not as much as they used to. New phones in corporate environments display who the caller is, and have little arrows next to specific buttons if the call is from outside the office, transferred from a switchboard (or someone else), or direct from within the office. I work in the MIS department of a company and have never had such an issue arise. Now, the problem with the lack of documentation and the absence of a password on the Primary Domain Controller -- that annoys me.

    4. Re:Sales Department by Erasmus+Darwin · · Score: 2
      "Good morning, ma'am. This is the tech support department."

      Or even better: "Good morning, ma'am. We're taking a survey on what passwords people use. What's your password?"

    5. Re:Sales Department by underpaidISPtech · · Score: 1
      ROFL! Too true! (wipes tear from eye)

  105. Re:Is there a category for... by Calcbert · · Score: 1

    Where I work, I've seen it written directly ON the monitor.

  106. Re:You're insane by p3d0 · · Score: 1

    If someone finds the password to one of your root machines, then the rest are all toast.
    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
  107. Re:Passwords are an unfortunate necessity... by Thalia · · Score: 2

    Biometrics is coming... and it's going to replace passwords. You can kiss your privacy goodbye... but you will never be embarrassed by having a crappy password or, even worse, forgetting your password.

    Thalia

  108. Does this count? by Monthenor · · Score: 3

    Back in high school, when SNES was big-time, my favorite password was "PotassiumIodide". See, Killer Instinct was one of my favorite games, and abbreviates to KI (all the chemists out there are shaking their heads at me)...
    --
    Co-founder of GerbilMechs
    1. Re:Does this count? by friedo · · Score: 3
      Heheheh. When one of my grade school buddies would sneak one of his dad's Playboys into school, we'd ask him, "So where's the lead?"

      (Lead = Pb = Playboy)

    2. Re:Does this count? by andy@petdance.com · · Score: 2
      Heheheh. When one of my grade school buddies would sneak one of his dad's Playboys into school, we'd ask him, "So where's the lead?"

      (Lead = Pb = Playboy)

      For us, PB was peanut butter, and Penthouse was Preparation H.

    3. Re:Does this count? by tomknight · · Score: 1

      And all your teachers were scared by the prevalence of piles among the students...

      --
      Oh arse
  109. More high school fun... by Monthenor · · Score: 5
    We got our computer lab's admin password the old-fashioned way: we watched over our teacher's shoulder. Turned out to be a "cryptic", so he didn't suspect anything for a looooong time. This was on a bunch of PowerPCs with Mac OS8, and normally the account menu in the menu bar would say "Student"...and if it said "Administrator" when he walked by, we were busted. The solution? With our newfound administrator access, we created an account called "Student " and gave it privileges :) He didn't catch on until after I graduated; he even tried changing passwords once, to another "cryptic", but by then we had keystroke-loggers and our own accounts...

    So many people neglect the meatspace security.
    --
    Co-founder of GerbilMechs
    1. Re:More high school fun... by Tackhead · · Score: 3
      > We got our high-school computer labs admin password the old fashioned way too. By rifling through his desk. Sure enough, we found the words 'lunch' and 'dinner' written on the inside cover of one of the manuals for no apparent reason. Admin password? breakfast. From then on we played a lot of networked doom.

      Setting the Wayback machine for 15 years ago...

      We shoulder-surfed our teacher's r00t password. It didn't change for the next two years.

      We had access to 40 megabytes of space for our use (some legit projects, but mostly warez), of which we only used about 5-10, so nobody noticed.

      On graduation day, we changed the "Mail Waiting" prompt to "Whale Mating", brought in portable tape players, each with an identical copy of a tape cued up to the same point, left the headphones hanging around our necks and volume cranked, and hit "Play" at a predetermined time according to the classroom clock.

      The classroom was then filled with the faint strains of "Batman", seemingly coming from every direction.

      Teach was confused for a minute about where the music was coming from, but then he put two and two together and started laughing harder than we were.

      Confused the hell out of the non-geek students, that's for sure.

    2. Re:More high school fun... by PurpleBob · · Score: 2
      In middle school, the Macs were all set up in such a way that all security would be disabled, so you could actually save stuff to the hard disk, if someone (presumably a teacher) hit F1.

      This was not too hard for students to catch on to.

      The next year, they had wised up and set up their software differently. Now if you hit F1 you got a user/password prompt, and each teacher had a different password.

      Needless to say, all the teachers promptly forgot their passwords, and another method of getting out of "secure mode" was added to remedy this - hitting F6.
      --
      Win dain a lotica, en vai tu ri silota
    3. Re:More high school fun... by brunes69 · · Score: 2

      Me and a friend of mine did the exact same thing at our university.

    4. Re:More high school fun... by Creepy · · Score: 1

      But Macs are so easy to hack... for a long time I used the programmer's key and 'es' to shut down Easy-something (Open? - the program that preceded Launcher, whose name I've forgotten). Later on in college I brought a Jaz drive with a boot OS on it and rebooted the machines using Cont-Opt-Shift-Delete. I then systematically removed all the boot security on the Macs (Foolproof and sometimes the file replacer RevRDist). College PCs were even easier when running Win 3.1 since they had DOS boot security, easily replaceable from a clean version of DOS on a diskette. Win95 meant using a CD, diskette, and some generic CD drivers, but worked fine. Usually removing the security was trivial after getting open access. SGI was my UNIX of choice for a while due to ease of getting root, but I didn't have anywhere near as much luck on most flavors of UNIX (I discovered packet sniffers a few weeks before graduation, but really didn't do much hacking anymore).

    5. Re:More high school fun... by Creepy · · Score: 1

      Oops - I meant Command Option Shift Delete. Silly me - I was thinking how bad the PC I'm typing on needs a boot and got confused :)

    6. Re:More high school fun... by arunkv · · Score: 1
      Actually we did this with AIX as well. That was at a university about 6 years ago.

      Another "stupid password scheme" was also in place at the same univ. Everyone was given accounts on all the common systems. Of course some people, esp. faculty, never used all the machines - they had their own personal "workstations". The initial password for all the accounts - the user IDs themselves! Unlimited privileged accounts. Those were the days when everybody used or rather "abused" the .rhosts file, and an account on one system meant an almost unlimited set of accounts on other machines, including at other universities where the profs. collaborated.

      The profs and admins never got a whiff of it until one day one of the profs actually tried to access one of his dormant accounts. And guess what! He found a good old undergraduate programming class assignment complete with those beautiful program headers every programmer is taught to include in code - including Author! Took a whole semester for the uproar to die down and for me to get out of that mess. I was the big idiot who spread the good cheer about the open accounts.

    7. Re:More high school fun... by jayhawk88 · · Score: 1

      The year I was a senior in high school, my school got a "network" up and running, which was basically a file server with a few wired computers in select classrooms around the building. Some IBM system, don't remember exactly what.

      Anyway, the login to get on the system was an ASCII generated screen. So one day when left to our own devices in class, we whipped up a BASIC (yes, BASIC!) program to reproduce the login screen, and in theory capture someone's (read, our teachers) admin username and password. We had it set to simply redraw the screen when you hit enter to login, which made it look much like there was just a login problem of some kind.

      It worked great too, right up to the time when our teacher would always reboot the computer to try and fix the "login problem". See, none of us were smart enough (or motivated enough) back then to figure out how to write BASIC variables to a permanent file. It's just as well I guess: who knows what trouble we would have gotten into with unfettered access to the power of the grades database and the typing tutor program.

    8. Re:More high school fun... by commodoresloat · · Score: 1

      This doesn't prove macs are easier than anything else to hack. If the attacker has physical access to a machine, it is not secure. Period. If you can attach a drive and reboot with your own software, does it really matter whether the OS is Windows, unix, or MacOS?

    9. Re:More high school fun... by guinsu · · Score: 4

      I think everyone in a hs pascal class wrote the fake novell login screen.

    10. Re:More high school fun... by SurgieGuy · · Score: 1

      We had something similar called Fortress, just go into Word and you can open explorer or just about anything else you did. Also they didn't bother setting up any good security on it so we could read/write anywhere as well. About 2 weeks later we found out how to bypass it with a simple win95 cd, and many wasted class hours playing games ensued.

    11. Re:More high school fun... by moksliukas · · Score: 1
      When I was at school, we also used to have such tricks to find out passwords. It was amazingly low security: we managed to get ALL (that's right, ALL - ftp, web server access, administrator for the WinNT server, BIOS bootup passwords, you name it. We even had the passwords for the server that had our grades in, but we couldn't use it because it was in the teachers' room). The way we did it was to look at our admin typing his normal (not admin account) password (btw, it was as simple as "sony"). On his account there was a plain text file with the list of all passwords. It was even named something like passwords.txt.

      Of course he probably kept all the passwords there because they were cryptic and difficult to remember. That's why he chose to remember only one password, for his own account. Of course, I informed him about our "discovery" and he changed his account password, but I remember that some of the passwords we discovered that day were still valid even after a year had passed. Obviously no one bothered to change them.

      This shows some points such as:

      • there are too many passwords to remember, and the more difficult they are, the less secure they are, as people will choose other options such as sticking up post-it notes or keeping password lists in a simple text file.
      • there are a lot of admins (especially at schools, etc), that are still not aware of the possibility that someone might get the passwords. (sort of a "god, we are an elementary school, so who's going to hack us?" attitude)

      --
      My doctor says that I have a malformed public-duty gland and a natural deficiency in moral fibre and that I am therefore excused from saving universes

    12. Re:More high school fun... by BillX · · Score: 2
      Heh...at my high school (ah, the memories) they used Win95 machines with some kind of security app to keep people from doing much of anything (right-clicking the desktop, etc...stupid stuff.) I don't remember the name of it, but it's the one that gives you a password prompt if you shift-click the start button. Trouble was, MS Word's (and most other programs) Open/Save dialogues would let you go anywhere in the filesystem, including the networked drives(!) which had a directory for every user, including students, teachers, etc. Suffice it to say that they were not passworded, and every dir was read/write for every other user. The ol' schoolyard bully's jaw dropped when I asked him about his English report on the relative merits of different brands of garbage bags, as did those of a couple teachers when I pointed out ambiguities in their upcoming quizzes. Needless to say, their network came under new management shortly...

      --
      Caveat Emptor is not a business model.
  110. Re:Cryptic == bad by Steve+B · · Score: 2
    It's no good to have a cryptic password unless it makes some sort of sense to the user. If it's too complicated, the user has to write it down, thereby breaching security.

    There are mnemonic tricks to help (e.g. first letters of the words of an easily-remembered phrase, perhaps with a few complications thrown in along the lines of "capitalize the letter if the word is a noun; take the number of letters in the word if the word is a verb"). For instance, "Not all the water in the rough rude sea can wash the balm off from an anointed king" keys the reasonably cryptic "natWitrrS34tBofaaK" -- which can be keyed in at close to normal typing speed with a bit of practice.

    --
    /. If the government wants us to respect the law, it should set a better example.
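    The noun/verb mnemonic rule above, as an added example in Python that is not part of the original post; it also covers the case-mixing idea in comment 99. The part-of-speech tags for the Shakespeare line are supplied by hand here (a constructed tagging; the scheme only needs the user to know which words are nouns and which are verbs), and the character-class check is an addition to show that the result satisfies the usual mixed-case-plus-digit policy.

```python
from typing import Iterable, List, Set, Tuple

# (word, part of speech). Tags are "noun", "verb" or "other" and are
# assigned by hand for this example; no tagger is used.
TaggedWord = Tuple[str, str]


def mnemonic_password(phrase: Iterable[TaggedWord]) -> str:
    """First letter of each word, with the two complications from the post:
    a noun contributes its capitalised initial, a verb the number of letters
    it has, and every other word its lower-case initial."""
    parts: List[str] = []
    for word, pos in phrase:
        if pos == "noun":
            parts.append(word[0].upper())
        elif pos == "verb":
            parts.append(str(len(word)))
        else:
            parts.append(word[0].lower())
    return "".join(parts)


def character_classes(password: str) -> Set[str]:
    """Which of upper / lower / digit / other the password covers."""
    classes: Set[str] = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return classes


# The post's line from Richard II, tagged by hand (constructed tagging).
SHAKESPEARE: List[TaggedWord] = [
    ("Not", "other"), ("all", "other"), ("the", "other"), ("water", "noun"),
    ("in", "other"), ("the", "other"), ("rough", "other"), ("rude", "other"),
    ("sea", "noun"), ("can", "verb"), ("wash", "verb"), ("the", "other"),
    ("balm", "noun"), ("off", "other"), ("from", "other"), ("an", "other"),
    ("anointed", "other"), ("king", "noun"),
]

if __name__ == "__main__":
    pw = mnemonic_password(SHAKESPEARE)
    print(pw, sorted(character_classes(pw)))
```

    The function is deliberately short because that is the caveat: once the rule is known, an attacker can run exactly this code over a corpus of well-known quotations and feed the output to a cracker, so the strength of the scheme lives in the obscurity of the phrase and of the "complications", not in the rule itself.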
  111. Re:Oops... by EasyTarget · · Score: 2

    Everybody just needs to email their slashdot username/password to me

    Sure! Just put your email, unfudged, in a reply to this and I'm sure lots of people will be emailing you real soon, with emails that will 'CHANGE YOUR LIFE BY MAKING $MILLIONS WHILE SCRATCHING YOUR ARSE'.


    EZ

    --
    "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
  112. multi-lingual speakers are extra cryptic! by haledon · · Score: 1
    I guess I fall into the cryptic area. I speak an old language, with less than 3M speakers world wide, and less than 10,000 speakers in countries with latin-based alphabet/character sets.

    I specifically choose old, archaic, non-significant words in my native language that are very hard to pronounce. (My language is tone-based.)

    I then mix in alphabetic and numeric characters, along with non-alphanumeric characters, and mix the case-- but I use a pattern.

    The advantage is this: I'll never forget the word, because it's a word from my language.. I can easily speak the word out loud, and because my language is tone-based, no one will ever crack it, and despite the mixture of all the characters and cases, because there is a pattern, I won't forget the password.

    For example, let's say that I was using the word "carpet" (but in my language, obviously)....

    by the time I was done with it, the password would look something like:

    _C7arpE7t_

    see the pattern?

    pretty nifty, eh?

    --
    i want to live life, not just go through the motions
  113. You're kidding, right? by tosderg · · Score: 1

    Wasting your time burning up cycles for some moronic activity?

    ????

    The difference between Joe User and yourself, or myself for that matter, is that we often use our computers for nothing other than the actual use of them. Tweaking our operating system, working on new programming projects, and just general geekotry.

    Joe User uses his machine as a tool. I really can't help but think that you're a troll (despite your current modded up status) if you're saying that we should just forget about Joe User and return computers back to the "One, True, and Rightful User, namely ME and those just like me". Sorry bub, ain't gonna happen.

    Your choice is either:

    A) Continue with the current password scheme and have Joe Users forever abuse it, for Joe User will never, as a whole body of Joe Users, learn better practice. Never ever.

    B) Think up a better scheme for Joe User to identify himself to his machine so that he can get his work done. Whether that be check up on medical records, enter standard secretarial work, or do research for a paper. You know, typical Joe User things for which the actual operation of the computer and its security paradigms should be invisible.

    1. Re:You're kidding, right? by tosderg · · Score: 1

      I think there's a big difference between someone selecting a common dictionary word or, worse, an easily identifiable word with associations to them (ie, a girlfriend's name) as a password for an account or system, and someone taking an active role to convince someone that it is in their best interests to use the privileges related to that password for evil intent.

      One is simply a case of asking more of Joe User than can be reasonably expected of him (maintain a database of GOOD passwords, often changed, in his head), the other is a case of someone manipulating Joe User's lack of common sense for their own benefit.

      Though choosing a bad password COULD be indicative of a lack of common sense, it isn't always. In fact, it isn't usually. Choosing a bad password is the majority of the time a case of Joe User simply selecting something he will be able to easily remember, not taking into account the fact that if it pops to his mind as second nature, it will probably be able to be discovered without TOO much prying by an outside source.

      Make sense what I'm saying?

      There's a technological cure for one (not depending on one's mnemonic abilities for authentication), there is no technological cure for the other (a user abusing the privileges the password gives him).

      Not the same issue.

    2. Re:You're kidding, right? by crucini · · Score: 2

      OK, so you invent the luser-proof authentication scheme. Implant a crypto chip in Joe's belly and have it talk to the keyboard. Hooray! Nobody can social-engineer Joe's password, because he doesn't know it. But someone will email him an executable and tell him to run it. Or phone him and SE him into using his privs to do something he shouldn't. You are only shifting the impact of cluelessness around, not reducing it.

    3. Re:You're kidding, right? by jgerman · · Score: 2
      Luckily, I don't have to care about Joe User's needs anymore than Joe User has to care about being responsible. I'm not saying that there is one true user, all I'm saying is that when people are willing to take responsibility for their actions they shouldn't participate in that activity. And when they get burned, it's too bad for them.

      On a tangent, I find it amazing how again and again opinions that differ from the norm are marked as flamebait.

      --
      I'm the big fish in the big pond bitch.
  114. Passwords are an unfortunate necessity... by tosderg · · Score: 4

    if you ask me.

    It's amazing to me that people in such an intellectually demanding field as programming computers have for YEARS relied upon what could possibly be the most inefficient form of personal security available: a secret word. I mean really.

    Complaints aside of "stupid users!" and "idiots deserved to have their account cracked with a foolish password like that!", what do you expect? It's the same thing as the whole "Well duh, to use Linux well you need to LEARN it, it's not my fault if you're too STUPID to learn something NEW!" argument; it just doesn't hold water when applied to the general populace.

    You or I may be capable of mastering every arcane command our operating system affords us, memorizing every minor inconsistency between BSD flavor or Linux distribution, programming in fixes when we need them, etc, but JOE USER NEVER, EVER WILL. It's the same with passwords. You or I may realize the importance of a unique alpha-numeric password for each of our important sites, and have a nice table of "xreF249sfj2r43's" and "248sT358ugtds's" memorized in our head, but JOE USER NEVER EVER WILL.

    So when confronted with that box that says "Choose a password, and CHOOSE ONE YOU WILL REMEMBER, PASSWORD RETRIEVAL IS VERY DIFFICULT, please enter in your password hint in case you forget it", Joe User is not only inclined, but DIRECTED to select an easily-rememberable password.

    Someone please tell me how the fsck you have a "hint" to remind you the password you selected is "24885sfjsfsjf82's"?

    So Joe User sees that box, thinks "oh cool" and types in for the hint "Mom's maiden name" and his password ends up being "johnson", and that's that. It works for him, he remembers it, and even if he does forget it, it's right there for him to retrieve via his hint. Joe User doesn't realize that someone with half a brain will probably guess his mother's maiden name as his password within the first ten attempts to break into his account/machine/whatever.

    Also notice Microsoft and countless third parties developing programs to auto-remember and auto-insert passwords on sites you've visited before. One wonders why they don't just tie access to a unique browser hash if it's going to be that straightforward.

    An example of the type of thing I'm referring to: One time I had a few friends over spending the night with me, and when we got up the next morning we all had logged onto our messengers of choice to talk to friends and see what the plans were for that day. One friend had logged off of his AOL IM account to go to the bathroom (for he knew that if he left it up, we all would've lunged at his machine to enter the standard requisite "Sup, slut?" messages to his girlfriend and mother and etc etc ;), well, just to be a nuisance I told another friend of mine to try a password to see if we could log in when he was away.

    To my astonishment, it worked. My FIRST GUESS. It just goes to show that most "regular people" pick a password that is so easily rememberable (a word? is now.) by them and so related to who they are that those who know them well can probably pick it out just as easily. Another one of my friend's passwords, discovered via the same method, is simply his girlfriend's name with an "i" replaced with a "1".

    (btw, the password for the aforementioned friend was "bigblack", he'd been a fan of that character on the Howard Stern show)

    So please, someone more intelligent than I, come along and invent a better personal identification system that doesn't rely on the good practices or intelligence of the end user.

    -Chris

    1. Re:Passwords are an unfortunate necessity... by jgerman · · Score: 1

      I'm tired of pandering to Joe User. If he can't pick a decent password and remember it, he's doing nothing but wasting my time burning up cycles for some moronic activity or another.

      --
      I'm the big fish in the big pond bitch.
  115. Re:You're insane by Simon+Brooke · · Score: 2
    I'm really getting fed up with the need to memorize giant lists of passwords, pins, etc.

    If you have giant lists of different passwords, you're insane. I have (at any one time, changed regularly) just three:

    1. Root password on machines I'm responsible for
    2. Personal password on machines I trust implicitly, where that password never passes over the network in unencrypted form
    3. Personal password for machines (like slashdot) where the password will pass over the network in unencrypted form, and/or where I don't trust the competence of the admins
    --
    I'm old enough to remember when discussions on Slashdot were well informed.
  116. Re:Systematic is the only way! by Simon+Brooke · · Score: 2
    So a dictionary attack will destroy every password you've ever used. Nice.

    Sure. There are something over 2,000 natural languages, with an average of 250,000 words in each. That's 5*10^8, which will take you a while. And, although the method I gave is analogous to my method, this attack still won't get you any of my passwords.

    --
    I'm old enough to remember when discussions on Slashdot were well informed.
  117. Systematic is the only way! by Simon+Brooke · · Score: 4
    In fifteen years you will be 30. And you will remember the day when you had forgotten a password for the first time.

    Amen to that. I remember a time when I was phoned up by a former employer, nine months after I had left their employ, and asked what the root password for a particular machine was (because the person I had handed over to had also left and was unreachable).

    You need a systematic way of generating passwords, where the key knowledge is the system, not the individual password. Then, if you forget a past password, you can work progressively back through the system until you recover it.

    As an example, you might choose a particular book, ideally in a foreign language, and use the longest word in the fifth line of each successive right hand page as successive passwords (that isn't my system, but it's analogous to my system). If you forget your current password, just look in the book. If you forget an earlier password, work progressively backwards through the book.

    You can, if you want, substitute some letters with some numbers in a systematic fashion known to yourself, but IMHO that trick is now so well known as to add little extra value. I know some good geeks who always systematically replace all vowels with numbers... so if you were trying to crack their passwords, you would do the same.

    And yes, I was able to tell my former employer their password, there and then on the phone, although I had changed all my passwords several times since then. Systems are good provided only you know the logic of the system.

    --
    I'm old enough to remember when discussions on Slashdot were well informed.
    1. Re:Systematic is the only way! by loraksus · · Score: 2
      damn... got to write that one down... just have a lot of books I guess... I suppose "western" books only (not asian, russian, etc..)

      The slashdot 2 minute between postings limit:
      Pissing off coffee drinking /.'ers since Spring 2001.

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
    2. Re:Systematic is the only way! by swillden · · Score: 2

      There are something over 2,000 natural languages, with an average of 250,000 words in each. That's 5*10^8, which will take you a while.

      I think you're overestimating the difficulty here. 5*10^8 is a little less than 2^29, and a 29-bit keyspace should be considered ludicrously weak. Running an MD5 hash on every one of 5*10^8 entries and comparing against a shadow file will take less than 2 minutes on a fast PC.

      And that doesn't even consider the fact that your estimate of the number of words in the world is very optimistic. Most of the world's languages aren't written, and the majority are only known to a very tiny handful of people. Chances are very, very high, that you use books out of one of a dozen or so languages.

      And, although the method I gave is analogous to my method, this attack still won't get you any of my passwords

      Again, be careful. Small, systematic variations on dictionary words don't increase the required level of effort very much. You're basically betting that the attacker isn't inventive enough to come up with the set of alterations that you make. If he has a room full of PCs, he can test variations just as fast as he can think them up. And you're almost certainly sunk if the attacker ever manages to see one of your passwords in cleartext (not hard, if he cares).

      It's unlikely that any dictionary-based password generation system can achieve password spaces that reach even the size of 2^40.

      OTOH, if you're like most people, the really important thing is that you don't need secure passwords, because no one cares enough to mount the kind of attack I'm talking about. In that case, your system's main purpose is ease of use, not security.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Systematic is the only way! by swillden · · Score: 3

      As an example, you might choose a particular book, ideally in a foreign language, and use the longest word...

      So a dictionary attack will destroy every password you've ever used. Nice.

      Systems are a very good way to generate and manage passwords and passphrases but they must generate good passwords.

      Here's another system, one that generates great passwords on demand but requires that you carry a piece of paper with you:

      Create a 6x6 grid full of random letters. Pick 8-10 letters at random from the grid, and then memorize the pattern of your selections. It takes a little effort to memorize the pattern, but not as much as you might think.

      Then, you can create new random grids as often as you like, giving you all the high-quality passwords you need without requiring you to memorize them. Of course, if you lose or forget your current grid you're sunk, but it's even fairly safe to keep lots of copies of grids lying around, as long as you use a large enough grid and a long enough password. Even if someone got hold of your grid, brute forcing a 6x6 grid with a 10-character password means testing 9x10^14 passwords; the same effort as brute-forcing a nearly 50-bit key. Feasible but expensive to attack. For really strong security, use a 10x10 grid and a 12-character password. This gives an attacker an 80-bit work factor, which is probably infeasible even to government agencies.

      For the truly paranoid, this method also offers a way of permanently destroying a password. If a judge were to threaten you with contempt if you refused to divulge your password, you could simply explain your system and that you had destroyed that grid (non-toxic ink on rice paper would be an obvious way...).

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
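      The grid-and-pattern scheme described in the post above, written out as an added example (editor's code, not from the poster or from any project mentioned in the thread). The grid is generated with a CSPRNG, the secret is the memorised list of (row, col) cells, and the work factor assumes the attacker holds the grid but not the pattern, i.e. cells**length guesses (the pattern may revisit a cell); with the post's 10x10 grid and 12-character password that comes out at about 80 bits. Function names and the letters-plus-digits cell alphabet are my choices.

```python
import math
import secrets
import string

# Characters a grid cell can hold; letters and digits, as in the post's "random letters".
GRID_ALPHABET = string.ascii_letters + string.digits


def make_grid(size, rng=secrets):
    """Build a size x size grid of characters drawn with a CSPRNG.

    The grid is the part you may keep copies of; it carries no secret by itself.
    """
    return [[rng.choice(GRID_ALPHABET) for _ in range(size)] for _ in range(size)]


def make_pattern(size, length, rng=secrets):
    """Choose the secret part once, at random: a sequence of (row, col) cells.

    Cells may repeat, which keeps the keyspace at cells**length.
    """
    return [(rng.randbelow(size), rng.randbelow(size)) for _ in range(length)]


def derive_password(grid, pattern):
    """Read the memorised pattern off the current grid to get this period's password."""
    size = len(grid)
    for row, col in pattern:
        if not (0 <= row < size and 0 <= col < size):
            raise ValueError(f"cell {(row, col)} lies outside a {size}x{size} grid")
    return "".join(grid[row][col] for row, col in pattern)


def work_factor_bits(cells, length):
    """Bits of work for an attacker who holds the grid but not the pattern: log2(cells**length)."""
    return length * math.log2(cells)


def format_grid(grid):
    """Render the grid the way you would print it for your wallet."""
    return "\n".join(" ".join(row) for row in grid)


if __name__ == "__main__":
    grid = make_grid(10)
    pattern = make_pattern(10, 12)
    print(format_grid(grid))
    print("password:", derive_password(grid, pattern))
    print("work factor with grid known: %.1f bits" % work_factor_bits(100, 12))
    # When the grid is secret as well, the cell alphabet bounds the strength: 62**12.
    print("work factor with grid unknown: %.1f bits" % work_factor_bits(len(GRID_ALPHABET), 12))
```

      Print a fresh grid whenever you rotate passwords and keep the pattern in your head only; `work_factor_bits` is the same log2(alphabet**length) arithmetic the dictionary-size estimates earlier in this thread rely on.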
  118. Office Workers? by QuantumG · · Score: 2

    pfft. Here's a tip, no-one is guessing passwords on your Microsoft domain server, except maybe the guys who are always standing in the kitchen drinking coffee and giggling. Back when I used to see a lot of passwords I noted two types. Dictionary words with numbers or punctuation replacing vowels and totally random passwords of the cryptic variety. Of the latter, almost all of them rhymed. I.e., the 4th letter would rhyme with the 8th letter or the 3rd with the 6th. I believe these types of passwords are attacked by Crack quite effectively.

    --
    How we know is more important than what we know.
  119. Other password insanity. by QuantumG · · Score: 2

    Are you the type who refused to ever say a password out loud, or even subvocalise it? Remember the BBS days when everyone was warned "Never use the same password for two BBSes cause the Sysop can read your password and log into other BBSes as you"? Remember Remote Access was the first BBS to implement hashed passwords (actually they were CRCed which is easier to crack) and every Sysop added an extra question to the registration procedure to make people enter their password again which would be stored in a file as plaintext?

    --
    How we know is more important than what we know.
  120. Re:A few years ago... by QuantumG · · Score: 2

    Of course, anyone who has 'swordfish' as their password deserves to have their account cracked.

    Head cracked more like it.

    --
    How we know is more important than what we know.
  121. Re:Random is the only way! by wurp · · Score: 1
    Uh, and this is insightful? What are the moderators smoking today, I want some!

    Bobby Martin aka Wurp
    Cosm Development Team

  122. Re:Too many passwords? by raynet · · Score: 1

    Sure you can write your passwords without any errors, just practice it a bit. It's easy.. And it also looks cool when you have a 35 chars long password and you log in with it :) and this message is really written blindfolded :P

    --
    - Raynet --> .
  123. Re:Random is the only way! by glitch! · · Score: 1

    Uh, and this is insightful?

    Not especially so. I just figured someone might like a tip on how to produce a password that is actually random.

    As I mentioned in a different reply, the truly random passwords have patterns that can actually
    make them easier to remember than something you make up that seems random.

    --
    A dingo ate my sig...
  124. Random is the only way! by glitch! · · Score: 5

    For all my passwords (and I have a lot of them), the only acceptable way is to pick them randomly.
    And I don't mean pseudo-random, like a computer generated password, or "sounds random", from just
    making up letters and digits out of my head.

    I have a cup full of small squares, each one with a letter or digit on them. Pull one out, put it
    back in, shake, and repeat 7 or 8 times.

    --
    A dingo ate my sig...
    1. Re:Random is the only way! by precize · · Score: 1

      Or, you could figure out a pretty easy password, memorize the keystrokes, then shift the pattern to another location (changing case, of course).

      For example, "password" becomes "0qWw294E"

    2. Re:Random is the only way! by precize · · Score: 1

      I hate to break this to you, but probably neither of the people who use the Dvorak layout will see this tip. As for the rest of us, we don't know the Dvorak layout, or we'd be using it...sorry.

      (Joking)

    3. Re:Random is the only way! by Che+Guevarra · · Score: 5
      I have a cup full of small squares, each one with a letter or digit on them. Pull one out, put it back in, shake, and repeat 7 or 8 times.

      I have a bottle full of small pills, each one with a small letter on it. When ever I get that obsessive-compulsive I pull one out, swallow, and repeat 7 or 8 times.

    4. Re:Random is the only way! by skarab13 · · Score: 1

      Phooey!

      I decided to get a geiger counter (Aware RM-60) and a small piece of relatively radioactive uranium. I threw together a little app that runs through letters of mixed case, numbers, and other assorted characters and stops when the meter hits a certain reading.

      Every few days, I used to generate a good 12 character password using this method, but lately I've been getting these headaches ...

    5. Re:Random is the only way! by timmyd · · Score: 1

      mcookie | mkpasswd -s

    6. Re:Random is the only way! by tandr · · Score: 1

      ... and usually choose the wrong one ?

    7. Re:Random is the only way! by Sven+Tuerpe · · Score: 2
      For all my passwords (and I have a lot of them), the only acceptable way is to pick them randomly.

      In fifteen years you will be 30. And you will remember the day when you had forgotten a password for the first time.

      --
      http://erichsieht.wordpress.com/category/english/
    8. Re:Random is the only way! by deathscythe257 · · Score: 1

      In the end, a random or cryptic password could be just as easy to crack as BritNeYSpEARsFan if you think about it...

      I mean, if they are trying to break into someone's computer who is a B.S. fan, what's the point?

    9. Re:Random is the only way! by elinde · · Score: 1

      Sven! You're my new hero! Sometimes I feel like the only geek on the Net over drinking age.

      --
      "I love deadlines. I love the whooshing noise they make as they go by." -Douglas Adams
    10. Re:Random is the only way! by RetsamYthgimla · · Score: 1

      Yep, getting rid of all those 1-5 character passwords really saved you some time. And getting rid of anything in the dictionary I bet saved you a bunch too.

      Let's see, 62 letters and numbers (case sensitive), let's call it 2**6. Assuming 8 or 9 digits, that's 2**54 + 2**48. 2**44 more than covers the 2**42 7-character passwords, 2**36 6-char passwords, etc., and all the "word-like" passwords. So congratulations, you've eliminated about 0.1% of your searchspace by using the hints that were given. Yep, "that information was very helpful". Have fun going through a 2**54 keyspace.

  125. Swordfish? by Milican · · Score: 1

    What's the swordfish password all about? From the movie? Or is there more history?

    John

    1. Re:Swordfish? by Moses+Lawn · · Score: 1
      It's from the Marx Brothers movie "Horsefeathers", the one where Groucho winds up as the dean of some jerkwater college. The bit comes from a scene where the boys are trying to get into a speakeasy, whose password is "swordfish". You know the deal - knock on the door, the bouncer opens a slot, you say "Joe sent me" and he says "What's the password?"

      As you can imagine, much hilarity ensues.

      --

      What if life is just a side effect of some other process and God has no idea we exist?

  126. my password by thomkt · · Score: 1

    My password is *******

    http://ars.userfriendly.org/cartoons/?id=19990814

  127. Other categories by Bilestoad · · Score: 3

    Are there also categories for systems administrators?

    Like...

    Life's Lance Corporal: Makes sure that nobody uses any software or operating system other than that approved by the CTO. Zealously enforces the use of anti-virus software on every boot. In marketing, his tread is greeted with trembling... in engineering, with stifled laughter.

    Just a Sad Bastard: Has such a pathetic life that he needs to reaffirm his own cleverness by making lists categorizing those sheep-like lusers. Not quite competent, but it's too difficult to fire him because he won't tell anyone else the root passwords of the systems he controls.

    :-)

    Any more?

    1. Re:Other categories by wumingzi · · Score: 1

      Yes there are.

      Are there also categories for systems administrators?

      www.ugcs.caltech.edu/~werdna/sysadmins.html

      I like your names better, but the descriptions of sysadmins in the article above are precious.

    2. Re:Other categories by aidoneus · · Score: 1

      Yeah, there is already a fairly detailed guide, although I think it could use some revising. Know your sysadmin at the FSF's humor archive is what you're looking for. I just discovered it myself a few weeks ago while looking for some rather obscure bit of Emacs trivia (is there any other kind?).

      The link is http://www.fsf.org/fun/jokes/know.your.sysadmin.html if slashdot garbles it.

  128. Re:Oops... by theonetruekeebler · · Score: 2
    PAM 0.72 will let you use asterisks but will ding you on all-asterisks if you're using pam_cracklib.so (too primitive).

    Some Unices have problems with certain characters, such as the octothorpe. You can put one in your passwd, but /bin/login uses a very primitive terminal profile under which # translates into a backspace, which means you can't enter the character at login time, effectively locking you out of the system. This problem exists in HP-UX at least as recently as 10.2.

    A good habit after resetting one's password is to telnet localhost and try it on for size. This has kept me from losing the root account at least once--on an HP-UX box where I'd tried to use a hashmark in the new pw.

    --
    This is not my sandwich.
  129. Bruce Schneier.... by babbage · · Score: 2
    ...had an interesting observation about this in the May issue of Cryptogram.
    Passwords. You can't memorize good enough passwords any more, so don't bother. Create long random passwords, and write them down. Store them in your wallet, or in a program like Password Safe. Guard them as you would your cash. Don't let Web browsers store passwords for you. Don't transmit passwords (or PINs) in unencrypted e-mail and Web forms. Assume that all PINs can be easily broken, and plan accordingly.

    Keeping a strong enough password is an uphill battle that really can't be won, because the cracker's tools are going to keep getting better at a rate faster than users can be reasonably expected to remember them. Even your elite haxxor mixed case alpha / numeric / symbolic max length password can't stand up to the scrutiny if someone with the right tools wanted it badly enough.

    Your best bet is to make it reasonably obscure & just try to prevent the casual cracker from getting it. The casual cracker had meant someone enterprising enough to look for a post-it note, but with the tools getting better the barriers to entry are falling, to the point that you don't know that some little snotnosed 13 year old with a downloaded rootkit (or Back Orifice, or whatever) couldn't count as "casual" these days.

    "You can't win, but there are alternatives to fighting..."

  130. Which brings up a question... by Ungrounded+Lightning · · Score: 2

    the most common type of password attack comes in the form of "social engineering"

    *cough*

    Like giving your password to someone doing a study on passwords?
    I figured someone would catch that. B-)

    Which brings up the question of how many "cryptics", confronted with such an obvious piece of social engineering as asking you to disclose your password for a survey, would lie, masquerading as one of the other categories.

    It's just like someone asking for information about whether you own a gun, what kind, where you keep it, etc. in a situation where the person giving the answer can be identified. Even if you are otherwise scrupulously honest, the canonical thing to do is to lie. No one else has a right to that information, revealing it reduces your security, anyone asking is suspect, and refusing to answer leaks part of the information you want hidden (because people who DON'T own one generally won't refuse).

    Pollsters asking how you voted/will vote is a similar situation. B-)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  131. My Password by vbrtrmn · · Score: 1

    I don't know about you, but I always use secretpassword. Nobody would guess that, right?

    --
    microsoft, it's what's for dinner

    bq--3b7y4vyll6xi5x2rnrj7q.com

    --
    it's a sig, wtf?
  132. Re:Stop demanding "strong" passwords by mrBoB · · Score: 1

    Strong passwords, like all other secure-business practice, if for no other reason, provide a legal basis to fire someone. If an employee writes down their password, neglects to lock or logout of their workstation, or tells other folks their password(s), they are in violation of company policy and it possibly is putting the company's clients at risk. Every person who reads this site knows damned well that a lot of users don't give two shits about IT policy, at least until they lose their job because of it. If you as a user have a problem with strong-password policies, you need to find a job that doesn't tax your brain so much.

  133. Re:problem by ostiguy · · Score: 2

    Also, if accounts get hacked, and your biometric becomes known, do you have a new thumb grafted on to get a new password?

    ostiguy

  134. Times change, people never do.. by ucblockhead · · Score: 2

    In my high school computer class, we all wrote fake TRS-80 command prompts.

    --
    The cake is a pie
  135. Password Methodology by AppyPappy · · Score: 2

    Here's what I use:

    1. Use obscure brand names like Caldera. They don't appear on the naughty lists. Then add your area code.
    2. Write them down in a DayTimer or the like but don't write down the login id. This only works if you can remember the login id.
    3. Use a person's last name (like Rucker) and 4 digits (say 3120). In your DayTimer or PDA, record it as a name and phone (Bill Rucker 275-3120).

    The older you get, the worse it gets.

    --

    If you aren't part of the solution, there is good money to be made prolonging the problem

    1. Re:Password Methodology by Spire · · Score: 1

      So use the last four digits of the actual phone number of an actual person listed in your PDA. Someone I know does that.
      --
      begin 644 .sig22&%I;"P@9F5L;&]W(&=E96 LA`end
    2. Re:Password Methodology by ichimunki · · Score: 1

      I think I am into this steganographic approach to secure password storage in either hard form or on a Palm. I know it's security through obscurity, but it's a lot better than having a memo file with them all written in it-- those "private" records are certainly not private to even mid-level hackers.

      --
      I do not have a signature
  136. Re:Is there a category for... by The-Pheon · · Score: 5
    ...the idiots that write their passwords on post-its and stick them to the bottom of their keyboards?
    Bottom of their keyboards?
    My users stick them on their monitors!

  137. Re:Social Engineering at it's best? by dodobh · · Score: 2

    Hehe, You know the algorithm. The entire strength of my password lies in the private keys. Good luck getting those, because I don't even remember them. Those goddamn uptimes.

    --
    I can throw myself at the ground, and miss.
  138. Re:My /. password is... by idistrust · · Score: 2
    What kind of idiot would... :-)

    Mike.

    --

    --Ask a silly person, get a silly answer.

  139. Another way of making cryptic passwords... by wumingzi · · Score: 2

    One trick I was taught many years ago is to (if you can) put your passwords in a language other than English. This not only makes the password cracking programs work harder, but it tends to confuse shoulder surfers as well.

    Thus, an example password I might use would be

    yUEh@lIAng

    (Mandarin speakers may notice the full moon in the middle of the password)

    Another trick which was used in a shop where we had to issue passwords to users (thus we had to make passwords the users could remember, not just the admins) was to use close-by keyboard patterns. An example might be frdU*8 .

  140. Re:Cryptic by pubudu · · Score: 1
    Yeah, God forbid if someone broke into my slashdot account and posted a message as me. I use easy to guess passwords intentionally. This way, if I ever post something I regret, I can just say my password was stolen.

    This opens up a whole new realm of moderation. In addition to Troll, Redundant, Flamebait, etc., we could have a 'Hacked' option for those comments which we feel should have been posted by an Anonymous Coward, but have somehow been ascribed to a real account. (and just for the mod-down ...) You know, for those posts coming from that Jon Katz fellow? (God, what was his password? /.4ever?)

    --
    ~~~~~~

    under-paid karma whore

  141. Effect on basic etiquette by pubudu · · Score: 4
    The most annoying thing about most people's casualness with passwords is that they not only do not know even the most basic rules of etiquette, but they actually get offended when you try to enforce them. When I'm at a friend's computer and I need him to type in his password, I get up and move away. When someone is at an ATM in front of me, I stand back and stare at the wall.

    But when I ask people to back off when entering my password/PIN, they stare at me as if I'm a madman! Then they grumble something about 'paranoia' as they finally back away.

    It would appear that their own lax security affects how they think everyone else should act. I don't much mind their own obliviousness, which is what this article is about, so much as the creation of social norms around it.

    --
    ~~~~~~

    under-paid karma whore

  142. Re:Too many passwords? by binner · · Score: 1

    I encourage song lyrics...think of a favourite song, take memorable phrase, first letter of each word in phrase. This gives you the basics, then make one or two letters upper-case, add at least one number, and one punctuation, and presto!...half-decent password. Most people I've suggested this to are willing to do it, because it's still easy to remember, but more secure at the same time.

    -Ben

    --
    Say what you mean, mean what you say! But please know what #$@% you are talking about!
  143. Re:My /. password is... by DoomHaven · · Score: 1

    LOL! That made my day!

    --
    "Don't mind me cutting myself on Occam's Razor"
  144. I've done this before... by jason_z28 · · Score: 2

    On my network. I found it quite humorous that one of the heads of the company's password was "womanizer". For you network admins on NT networks, all you've got to do is use the handy dandy L0phtcrack and dump them from your PDC. I guess NT is good for something (password auditing surveys)
    Jason

    1. Re:I've done this before... by harborpirate · · Score: 1

      Back when I was working in the IT department at Montana State, we ran this crack to audit our passwords overnight..

      As I remember, it cracked 50% of the passwords in less than 4 hours. Names and dictionary words comprised a very large percentage of passwords. A mass mail was sent out to scold everyone for having such easy passwords. Of course, anyone who has ever been in IT knows that scolding doesn't work. We ran it a month later with similar results. I guess once an easy password, always an easy password. The psychology of trying to describe oneself with a password goes a long way to explaining that, I think. Still, why not add a number to your word, like the year of your birth? Instant (semi)cryptic password...

      Luckily, none of the admin passwords were cracked by it. Cryptics all, I suppose.

      - harborpirate -

      --
      // harborpirate
      // Slashbots off the starboard bow!
  145. Re:what about dates? by jhoffoss · · Score: 1
    For work I use the three-letter abbreviation for a month and the four number year, both offset by a certain number of months/years with mixed caps and the pass is changed monthly so it's relatively decent, I think.

    An example for June of 2001 being "aPr19(9" or apr1999 with the caps, the scheme being two months and two years ago. (Obviously not the one I use...) I've also split the month abbreviation before, something like "jU19%7Ly" would be july 1957, for another example.
    --
    Linux: The world's best text-adventure game.
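    Several posts in this thread describe schemes that a password audit like the one harborpirate ran would catch: vowels swapped for digits (Simon Brooke's "replace all vowels with numbers"), a year or area code appended to a word (harborpirate's "add a number to your word", AppyPappy's "Caldera" plus area code), and the month-plus-year layout in the post just above. The checker below is an added example, editor's code rather than anything from the thread or from Crack/L0phtcrack; it undoes those transformations before looking the result up in a wordlist, which is the defender's side of the same trick. The wordlist is a small constructed stand-in (a real checker loads a large dictionary and name file), and the function names, substitution table and US-keyboard shifted-digit map are my choices.

```python
import re

# Constructed stand-in for a real dictionary and name list; a deployed checker
# would load a large wordlist file instead (assumption, not part of the thread).
WORDLIST = {"password", "swordfish", "johnson", "womanizer", "caldera",
            "rucker", "bigblack", "katie", "book"}

# Substitutions the thread calls well known; undo them before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Shifted digits on a US keyboard, so "19(9" is read as 1999.
SHIFT_DIGITS = str.maketrans(")!@#$%^&*(", "0123456789")

MONTH_YEAR = re.compile(
    r"^(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)(19|20)\d{2}$")


def candidate_stems(pw):
    """Forms of the password a cracker's rule set would try against a wordlist."""
    low = pw.lower()
    stripped = re.sub(r"[^a-z0-9@$!]", "", low)        # drop punctuation
    forms = {stripped, stripped.rstrip("0123456789")}  # with and without a digit suffix
    forms |= {f.translate(LEET) for f in list(forms)}  # undo leet substitutions
    return {f for f in forms if f}


def weak_reasons(pw, wordlist=WORDLIST):
    """Return the reasons a password fails the policy; an empty list means it passed these checks."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    hits = sorted(candidate_stems(pw) & set(wordlist))
    if hits:
        reasons.append("built on a dictionary word or name: " + hits[0])
    if MONTH_YEAR.match(pw.lower().translate(SHIFT_DIGITS)):
        reasons.append("month abbreviation plus year")
    return reasons


if __name__ == "__main__":
    for candidate in ["Sw0rdf!sh", "Caldera919", "aPr19(9", "xreF249sfj2r43"]:
        print(candidate, "->", weak_reasons(candidate) or "passes these checks")
```

    An empty result means the password survived these particular rules, not that it is strong; the point of the normalisation is that "Sw0rdf!sh" and "Caldera919" cost an attacker no more than "swordfish" and "caldera" do.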
  146. Re:A few years ago... by mbauser2 · · Score: 1

    Two "stupid password system" stories: one work, one school

    The work story:

    I used to work for a retail company which used the same root password for the POS (cash register) LAN in every store. Not only was it easy to dictionary-attack (a single five letter word), they published it in the employee newsletter whenever Daylight Savings Time switched, so employees in the store could reset the system clock.

    Keep in mind, each local network is storing 30 days worth of sales receipts, including customers' names, credit card numbers, and expiration dates. An employee with the password could have dumped the whole mess to a floppy. Fortunately for that company, most retail employees aren't that clever.

    (The primary terminal on each LAN had a password-protected "manager menu" that was used for payroll and staffing functions. With those, you could add or subtract hours on people's timecards, give individual passwords to employees, or even delete other employees' payroll records. Every manager in the company was assigned the same password, and there was no userid.)

    The college story:

    My alma mater didn't use individual userids for most "paperwork" accounts, like the system the registration department used to adjust students' schedules, or the one librarians used to look up people's library fines. The department userids for those accounts were all exactly three letters long (and based on the department name, like REG), and the passwords were all exactly four letters long (usually English words like "book").

    All of these systems were available by dial-up. As you can imagine, the students who figured this system out had a much easier life than the rest of us, because they always got the classes they wanted, and they never had overdue library books.

    --
    Proud to be / Smiley-free / Since Nineteen / Ninety-Three
  147. "swordfish," for those who don't know.... by AugstWest · · Score: 5

    ...comes from a Marx Brothers movie. It's the password to get into the speakeasy. How it became a completely unrelated Travolta title, I'll never know...

    1. Re:"swordfish," for those who don't know.... by Madthio · · Score: 1

      The one place swordfish did *not* come from is the lighthouse keeper in Return to Zork, he tried it last week, but it didn't work . . . so he knows it's not that . . .

      Sorry, couldn't resist.

    2. Re:"swordfish," for those who don't know.... by ebbomega · · Score: 1

      It became a Travolta movie based on a blatant Marx Brothers reference. I figured that out whilst wandering around our local McMall and saw a poster that said "Password: Swordfish" for the movie, suddenly I realized... "Hey! That's a Horsefeathers reference." I love being a geek.

      --
      Karma: Non-Heinous
  148. Re:Too many passwords? by Zach · · Score: 1

    Nah, nah. I never liked my computer teacher in school, so I made my password: mrdinnagefeastsdailyondonutsandrockseverynight.

    Rather difficult, I believe.

  149. You're insane by MemeRot · · Score: 2

    Every 90 days? ALL your passwords?

    If I was to try this, it would eat up a good day of work.

    "Then I just have to remember one scheme and a bunch of key phrases for all of them"
    Yeah - those key phrases? That's what us normal people use AS passwords.
    As much as I hate the idea of biometrics, I'm really getting fed up with the need to memorize giant lists of passwords, pins, etc. just to identify that I am in fact me. Nothing is more random or harder to produce than your thumb print or iris pattern - perfect, non-stealable, unique identifiers.

  150. Re:Is there a category for... by Eil · · Score: 1


    This is similar to what happens where I work...

    1) Each password must have at least four letters, two numbers and one symbol, or else the system will not accept it as a valid password. Err, maybe I'm not so good on statistics, but doesn't enforcing a policy like this actually make it easier for password scanners?

    2) You must change your password every 90 days. That wouldn't be so bad, if not for the fact that:

    3) Every time you attempt to change your password, it is checked against a list of your previous passwords. To make sure, of course, that you actually are following the 90-day rule. Mind you that this is on a 100% Windows network, so the relative chance of security intrusions is high enough without storing all current and previous passwords in a database somewhere.

    To put it simply: boneheads. Absolute boneheads. As if security weren't awful enough, the network is usually down anywhere from one to four hours every day, causing a work stoppage for most of us. It might as well be admined by monkeys.
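Eil's first point above is worth putting numbers on. The following is an added example, not code from the thread, that counts how many 8-character strings over the printable ASCII characters satisfy a rule like "at least four letters, two digits and one symbol"; the class sizes (52 letters, 10 digits, 32 symbols, 94 in all) are assumptions. For that rule the compliant set is about 9.6% of the full keyspace, roughly 3.4 bits, so an attacker who brute-forces only compliant strings saves little. The rule's real effect on guessability comes from the predictable shapes people choose to satisfy it (the "append a 1" habit described elsewhere in this thread), which a uniform-keyspace count does not model.

```python
import itertools
import math

# Assumed printable-ASCII classes: 52 letters, 10 digits, 32 symbols (94 total).
CLASS_SIZES = {"letter": 52, "digit": 10, "symbol": 32}


def _compositions(n, k):
    """Yield every k-tuple of non-negative integers that sums to n."""
    if k == 1:
        yield (n,)
        return
    for first in range(n + 1):
        for rest in _compositions(n - first, k - 1):
            yield (first,) + rest


def compliant_count(length, minimums, sizes=CLASS_SIZES):
    """Number of strings of `length` characters, drawn from the union of the
    classes in `sizes`, that contain at least minimums[c] characters of each
    class c. Each split of the positions among the classes contributes a
    multinomial coefficient times the product of the class sizes raised to
    their counts."""
    classes = list(sizes)
    total = 0
    for counts in _compositions(length, len(classes)):
        if any(n < minimums.get(c, 0) for n, c in zip(counts, classes)):
            continue
        coeff = math.factorial(length)
        for n in counts:
            coeff //= math.factorial(n)      # exact: multinomials are integers
        ways = coeff
        for n, c in zip(counts, classes):
            ways *= sizes[c] ** n
        total += ways
    return total


def total_count(length, sizes=CLASS_SIZES):
    """Size of the unconstrained keyspace."""
    return sum(sizes.values()) ** length


def bits_lost(length, minimums, sizes=CLASS_SIZES):
    """Entropy, in bits, that a uniformly random password loses to the rule."""
    return math.log2(total_count(length, sizes) / compliant_count(length, minimums, sizes))


def brute_force_count(length, minimums, sizes):
    """Cross-check of compliant_count by enumeration; only for tiny alphabets."""
    alphabet = [cls for cls, n in sizes.items() for _ in range(n)]
    hits = 0
    for combo in itertools.product(alphabet, repeat=length):
        if all(combo.count(c) >= m for c, m in minimums.items()):
            hits += 1
    return hits


if __name__ == "__main__":
    rule = {"letter": 4, "digit": 2, "symbol": 1}
    ok, everything = compliant_count(8, rule), total_count(8)
    print(f"compliant: {ok:,} of {everything:,} ({ok / everything:.2%}), "
          f"{bits_lost(8, rule):.2f} bits lost")
```

The brute-force function exists only to validate the closed form on an alphabet small enough to enumerate; the 94-character case is far beyond enumeration, which is exactly why the combinatorial count matters.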

  151. My password storage solution by Eil · · Score: 2


    Except that you have to get a PDA password app that sports decent encryption, or else all those passwords are backed up onto your desktop every time you sync.

    I personally store my passwords on my TRGPro with a program called Cryptopad. It has an interface identical to MemoPad except that it uses blowfish encryption.

    And, to be on the even-safer side, I went ahead and bought a 32-MB CompactFlash card to back up the PDA so I never have to sync my data to a PC. If I want to add a program to my TRGpro, I simply employ that nifty $10 CompactFlash -> PCMCIA adapter. Long as the OS has PCMCIA support, it looks like a regular IDE drive! :)

    If I ever lost the TRGpro itself, well I guess I'd be up a creek. But then, I'd be much more saddened by the loss of my $350 geek toy than a couple dozen seldom-used passwords.

  152. Re:Is there a category for... by Eil · · Score: 2


    Hey thanks! I'd been looking for something like this that was "free." The closest I got was a (very nice) app called CryptoPad which is just like Palm's MemoPad except it's got really decent encryption.

  153. Do what Bruce Schneier says... by fawadhalim · · Score: 1

    in his book 'Secrets and Lies'. Use random passwords, write them down on a piece of paper, and keep it securely in your pocket.

    I kinda agree with him. For those who're saying 'what about people looking over your shoulder?', I think you'll automatically memorize the password after you've typed it 3-4 times.

  154. Re:The passward is electrifing by Moonshadow · · Score: 1

    It's not that hard at all.

    I use them all over. You just have to repeat them enough to remember them. I used to use my CueCat (Cracked, naturally) to scan barcodes on common desktop items for my passwords. Eventually, I gave up on that and moved to just typing in the numeric string. I have yet to forget one of the 7 passwords I use in this method.

  155. Re:Back in high school... by blogan · · Score: 1

    Actually, Robby didn't ban us for that. A few weeks later he said that the password file would be shadowed. So I waited a few weeks and then went to check the file to see if it was done yet before I changed my password and that's when I got banned. Then Robbie divorced Tommy's sister and then he just became a jerk from that point on.

  156. Back in high school... by blogan · · Score: 3

    Back in high school (6 years ago) we got the password file for a BBS we were on. Took a cracker program and gave it a list of common first names, sports teams, cheezy stuff (opensesame, secret), and all the previous with '1' appended (because you always hear people say to put a number, so people think they're sneaky and put a 1 at the end. Never a 2 or 48). Doing that, I'd say we got about 60% of the passwords. Also, "catLight" was one of them because when you sign up, it said to use a combination of words, such as catLight.

    1. Re:Back in high school... by Telek · · Score: 1

      I remember the same. I hacked into our central board office's novell network, grabbed the bindery, and obtained about 380 of 520 logins with a simple dictionary attack running on a 486 computer. Christ, I even had 3 sysadmin accounts (of 8) cracked. It was pretty pathetic. The guy who was in charge of the whole IT department (and hence a sysadmin) had a password of "greece". I phoned him up, got his voicemail, and said "Hey, I'm from XXX school and I think that we need to talk about the security of your computer system. By-the-way, I hear that Greece is lovely this time of year". I got a phone call back REALLY QUICKLY. ;)

      --

      If God gave us curiosity
  157. The Dogwalker by Noer · · Score: 2

    The comment about "So many people tend to subconsciously believe that their password has to sum up the very essence of their being in one word," reminds me of the Orson Scott Card short story, The Dogwalker. Basically, a password thief discovers by psychoanalysis of sorts what a password is... it is basically derived from someone's personality.

    Kind of interesting, I think. The story's at http://www.frescopictures.com/movies/dogwalker/short-story.html if anyone's interested.

    --
    -- "Those who cast the votes decide nothing. Those who count the votes decide everything." -Joseph Stalin
  158. Best Funniest paswords by phunhippy · · Score: 2

    I've found that where I work the new important password every month is usually the hax0rized version of the name of someone who quit. I.e., Colin would be (0|_||\|

    pissed the hell out of our NOC when they gotta remember that crazy stuff :)

  159. Re:My /. password is... by graniteMonkey · · Score: 1

    Hey! That's the secret code I use on my luggage!

    --

    This is a manual virus. Copy it to your sig and help me spread!
  160. Uh Oh... by Greyfox · · Score: 2
    Maybe I should change my root password from MrNipples...

    Oh! Did I say that out loud, or did I just think it?

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  161. Re:Writing down passwords isn't always stupid. by randombit · · Score: 1

    but I really prefer rot13!

    I would recommend double-rot13 for extra security.

  162. Re:Writing down passwords isn't always stupid. by randombit · · Score: 2

    Somebody hacks my machine across the internet and I'm toast.

    Of course:

    A) You can always encrypt something stored on a computer with GnuPG or similar, and keep that password either in your head (preferable), or written down somewhere, or maybe write down a hint for yourself on paper but keep the actual password only in your head.

    B) If someone cracks your machine, they probably won't need anything else. They can trojan your /bin/login and ssh/sshd to email the passwords you use to log in to wherever (bonus points to those who replace Mozilla/Netscape with a trojaned copy that sends transcripts of SSL sessions too) to some address at hotmail, they can obviously copy any files you have on your home machine, they can probably do a lot of other nasty things.

    It's tucked in a relatively obscure location in my files.

    This obscure location isn't "it's taped onto the side of my monitor", is it? If you're keeping it someplace hard to find (or better yet, a safe), then no problem. However, most people who write down passwords don't do that. I live with 3 non-techie people, and they do things like use their birthdays as passwords (literally). These people are well educated (in their fields) and certainly no fools. But people just don't get security. That's all there is to it. For every one person writing down their passwords in a safe place, there are 100 putting it on the side of their monitors.

  163. Another stupid password trick by sg3000 · · Score: 3

    For a while I learned how to type using a Dvorak keyboard layout. So what I'd do is use a common phrase for me, but type the letters in the Dvorak sequence on a Qwerty keyboard. Or the reverse. Bingo, a relatively simple passphrase became gibberish.

    Unfortunately, it was too hard to switch back and forth between Dvorak and Qwerty, and my regular typing became gibberish as well. So I quit doing that, and went back to the slow ol' Qwerty way.

    It was a cool system while it lasted.


    --
    Insert simplistic political, ideological, or personal proselytization here.
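blogan's BBS story ("Back in high school...") and sg3000's Dvorak trick directly above are two sides of the same attack: a base wordlist plus a handful of mangling rules. The following is an added example, not code posted by either of them, that runs such an attack against a constructed shadow file. SHA-256 with a two-character salt stands in for crypt(3) so that it runs with the Python standard library alone; the wordlist, the accounts and their passwords are all made up. The rules are the ones the thread mentions: the word as-is or capitalised, a single digit appended, two words joined camelCase like "catLight", and the word typed with Dvorak finger positions on a QWERTY keyboard (and the reverse), which turns sg3000's scheme into one more rule.

```python
import hashlib

# Dvorak letters listed in QWERTY key order: index i of DVORAK sits on the
# physical key whose QWERTY keycap is QWERTY[i]. Typing a word you remember
# in Dvorak on a QWERTY keyboard therefore maps each letter DVORAK -> QWERTY.
QWERTY = "qwertyuiop[]asdfghjkl;'zxcvbnm,./"
DVORAK = "',.pyfgcrl/=aoeuidhtns-;qjkxbmwvz"
DVORAK_ON_QWERTY = str.maketrans(DVORAK, QWERTY)   # Dvorak fingers, QWERTY keycaps
QWERTY_ON_DVORAK = str.maketrans(QWERTY, DVORAK)   # the reverse trick


def _hash(salt, pw):
    return hashlib.sha256((salt + pw).encode()).hexdigest()


# Constructed shadow file: user -> (salt, digest). SHA-256 stands in for
# crypt(3) so the example needs nothing outside the standard library.
SHADOW = {
    "alice": ("x1", _hash("x1", "sarah1")),
    "bob":   ("q7", _hash("q7", "catLight")),
    "carol": ("m3", _hash("m3", "Opensesame")),
    "dave":  ("z9", _hash("z9", "password".translate(DVORAK_ON_QWERTY))),
    "erin":  ("k2", _hash("k2", "x7Qp!v2Z")),   # random; should survive
}

# Constructed base list: first names, teams, "cheezy stuff", as in the post.
WORDLIST = ["sarah", "michael", "cowboys", "lakers", "opensesame", "secret",
            "password", "cat", "light", "greece", "picard", "swordfish"]


def candidates(wordlist):
    """Yield (candidate, how) pairs: each base word lower/capitalised, with a
    single digit appended, keyboard-shifted both ways, and finally every
    two-word camelCase join like the 'catLight' the signup screen suggested."""
    seen = set()

    def emit(cand, how):
        if cand not in seen:
            seen.add(cand)
            yield cand, how

    for w in wordlist:
        for base in (w.lower(), w.capitalize()):
            yield from emit(base, f"{w!r} as-is/capitalised")
            for d in "0123456789":
                yield from emit(base + d, f"{w!r} + digit")
            yield from emit(base.translate(DVORAK_ON_QWERTY), f"{w!r} typed Dvorak-on-QWERTY")
            yield from emit(base.translate(QWERTY_ON_DVORAK), f"{w!r} typed QWERTY-on-Dvorak")
    for a in wordlist:
        for b in wordlist:
            if a != b:
                yield from emit(a.lower() + b.capitalize(), f"{a!r}+{b!r} joined")


def crack(shadow, wordlist):
    """Return {user: (password, how)} for every account the candidate stream hits."""
    found = {}
    for cand, how in candidates(wordlist):
        for user, (salt, digest) in shadow.items():
            if user not in found and _hash(salt, cand) == digest:
                found[user] = (cand, how)
        if len(found) == len(shadow):
            break
    return found


if __name__ == "__main__":
    for user, (pw, how) in crack(SHADOW, WORDLIST).items():
        print(f"{user:6} {pw!r:14} via {how}")
```

The Dvorak mapping is a fixed substitution, so it costs the attacker one extra candidate per word rather than a larger keyspace: "password" in that encoding is "ra;;,soh", and the attack recovers it as quickly as "sarah1". Real tools such as John the Ripper, mentioned further down the thread, ship far larger rule sets than these four.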
    1. Re:Another stupid password trick by aethera · · Score: 1

      Dvorak is a lovely level of added security. Most of my passwords are from a dead language. I look for a word that is decently long, *memorable* translation, and preferably uses several easy to type (with Dvorak layout) keystrokes/letter combinations. Spice with numbers and punctuation to taste. And then remember that my passwords really aren't that important anyways.

  164. opt out by arban · · Score: 1

    I wonder what percentage of those polled refused to participate out of fear that it would give out too much information.

    I probably would have (I fear I may be getting too paranoid).

    --

    "You like Chinese food." -Fortune Cookie
  165. not allowed to be cryptic by arban · · Score: 1

    You know what I hate? Sites that don't allow cryptic passwords. Especially the ones that hold precious data. Just yesterday I went to get a login at a bank's webpage, but it didn't allow "special characters" (this site also didn't allow a user name less than 6 chars, but that's another story).

    And there are those that restrict the number of characters in the password. I figure they don't want you filling up the database with 100 char passwords (not that I would), but limiting it to 8 ... I think that is ridiculous.

    \end rant

    --

    "You like Chinese food." -Fortune Cookie
  166. problem by god_of_the_machine · · Score: 1

    Nothing is more random or harder to produce than your thumb print or iris pattern - perfect, non-stealable, unique identifiers.

    When is the last time you have ever heard of someone getting their thumbs or eyes stolen?? If all you need to get at someone's bank account is a thumbprint, muggers would start ripping off people's thumbs. Personally, I would prefer it if someone just mugs me and gets me to tell them my PIN.

    -rt-

    --

    -rt-
    ** Evil Canadians are taking over the world. Learn about the conspiracy
    1. Re:problem by Steeltoe · · Score: 1

      Also, if accounts get hacked, and your biometric becomes known, do you have a new thumb grafted on to get a new password?

      Of course! With rebates!

      - Steeltoe

  167. Re:Oops... by dunkelfalke · · Score: 1

    huh... that's exactly the same thing i use... another good one is "iwontsayit" hehe

    --
    "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
  168. Keyboard password by magi · · Score: 1
    I often make up passwords just by typing them. For example:

    d7f8g8h9
    j9f4h8g5
    ascg6888

    Can you see the logic?

    Just put your hands on the keyboard and find something you can type quickly, and that's it. Very useful for root passwords and such, which you need to write often. Just don't use qwer1234 or any other trivial combination, and you're probably safe.

    I'm not sure how easy it would be to make an algorithm to create such patterns. I hope not too easy.

    In any case, I usually try to force nonregularity by deliberately making a word that has some cryptic meaning. For example, bo0bsiii (self-explanatory) or vivaiv111 (long live IV beer !!!).

    Sure, using a password generator would be safer, but those passwords are horribly slow to type.
  169. Cryptic == bad by BierGuzzl · · Score: 1

    It's no good to have a cryptic password unless it makes some sort of sense to the user. If it's too complicated, the user has to write it down, thereby breaching security. Considering most security breaches are from inside sources, guarding against your co-workers should be a priority for most people (unless they enjoy getting framed). So go with a password that is simple and easy for you to remember, and make sure that it's really hard for anyone else to guess it.

    1. Re:Cryptic == bad by SecurityGuy · · Score: 1
      Cryptic != bad.

      I've remembered up to 20 or so at a time that were in the "random pronounceable" category (application generated). 10 or so of the "truly random" category work fine, too.

      Of course, I have to admit there have been times I had no idea what the passwords actually were. I just knew how to type them. :) There was even one occasion, early in my SA career where I had to give the password to someone who had paged me (yes, I knew absolutely who he was). I called back from a pay phone, and on finding out what he needed to do, told him I'd have to call him back from somewhere with a keyboard. :P

    2. Re:Cryptic == bad by Xibby · · Score: 2

      Not really, when I have a new cryptic password I write it down and stick it in my pocket for a few days, just in case. Change the password when I get in in the morning, and by the end of the day I've got it memorized. Once memorized, the paper with my password is subjected to digestive juices to destroy it completely. :)

      --
      I'm going to go back in my box and will think within the limits of my box: MS Sucks Linux Good I read too much Slashdot.
  170. Password Accepted by Mr+Fodder · · Score: 1

    I was under the impression that Swordfish was the only password I needed to go anywhere.

  171. Re:Competition time. by Creepy · · Score: 1
    Swordfish

    but at least Tron and War Games had an excuse - in the early 80s -I- could hack into most systems, given some effort. Nowadays I'm lucky if I can hack into my desk drawer.

    Hackers. Sneakers. any other 1 word title.

  172. Mine by Tayknight · · Score: 1

    I'd tell you how I came up with mine. But then it would be easier for you to guess. Then I'd have to change it in the 200 places where it is the same. I'm gonna learn some day.

    --
    Pair up in threes. - Yogi Berra
  173. Re:Writing down passwords isn't always stupid. by mindriot · · Score: 1

    Well it's not always stupid, but maybe unnecessary. Basically all you need is a secure (4096-Bit) PGP Key with a long and very secure password. Then make a list of all other less important passwords and gpg-encrypt them. So all you need to remember is that one password. In case you're a little more paranoid, get the int'l kernel patch and create an AES or RC6 encrypted loopmount, and put the gpg-encrypted password list on that. Should be safe enough for most cases.

  174. Why use passwords? by stickytar · · Score: 1

    Can't we all get along and trust that even those really moronic people who shouldn't alter cfg files should have ROOT ACCESS! If you love something (your cfg files) set them free.

    --
    believing the big bang requires a certain amount of supernatural faith
  175. Re:A few years ago... by Animgif · · Score: 2

    This can be a good thing...I am a sysadmin who practices this...but ONLY, and I repeat ONLY if only a select group of people know the machine password. In the University we don't allow Faculty/Staff to have admin privileges on boxes unless they need it. We hold the local admin account and rename it. Also, you should just make sure that it is not held by anyone who would give it out... *cough, cough* look up *cough, cough*. In my organization you must have been there for 6 months before you get it.

    --
    ------ This has been provided as a public service! ------
  176. Hmmm... by SIGFPE · · Score: 2

    Which of the 4 categories does "old D&D character name" go into?
    --
    -- SIGFPE
  177. Re:fuck cryptic passwords by Legion303 · · Score: 1
    If you're someone who goes to SF conventions every year dressed in a Star Trek uniform, "picard" would be a lame ass password.

    (*putting on flameproof suit*)

    If you go to SF conventions every year dressed in a Star Trek uniform, poor passwords are the least of your problems. :)

    -Legion

  178. Re:My Random Method by Legion303 · · Score: 1
    Dictionary attack.

    -Legion

  179. Re:Hello, by Legion303 · · Score: 1
    uh hi my names joe, my AOL (k-l33t!) password is ROFLMAO, do i get a prize? thx d00d

    -Legion

  180. Family Guy by Viking+Coder · · Score: 1
    Peter Griffin : Oh, my God - there's a message in my Alphabits - it says, "Oooooo"!

    Brian Griffin : Peter, those are Cheerios.

    --
    Education is the silver bullet.
  181. Here's what I always did: by psxndc · · Score: 1
    Pick a certain "vocabulary" like say planes. Choose only certain ones like F-14, F-16, A-10, etc. Then make up a password based upon them like f14a10f4. Then if you _need_ to write it down to remember you can use tomcat-thunderbolt-phantom on a sticky (that you keep on your person). That way people can't find the sticky and instantly know your password. Best of all, if you stick with a set vocabulary, you can rearrange them without too much confusion. Crap, my password isn't f14a10f4. Let's try a10f14f4. Tada! Of course I really use something a lot more obscure than airplanes, but you get the idea.

    psxndc

    --

    The emacs religion: to be saved, control excess.

  182. Re:The passward is electrifing by jgerman · · Score: 2

    Those numbers are kind of low, are you sure you're a geek?

    --
    I'm the big fish in the big pond bitch.
  183. Best method I have found by jallred · · Score: 1

    is to use a combination of family, fan, whatever + cryptic. That is, come up with a sentence such as "my 2nd Sister was Born on April 23rd" and then take the first letters/numbers of each word like this "m2SwBoA23" to create a cryptic password. This makes it easier to remember the password while also creating a mixed case and combo letter/number password. I've found that the key to remembering which letters are uppercase is to make those words which are "more important". In this example I consider "Sister, Born, and April" to be of greater importance than "my, was, and on". Anyway, works for me!

  184. Re:Is there a category for... by kirby697 · · Score: 2

    Yeah, they're called MY BOSSES :-)

  185. innermost secrets? by Barahir · · Score: 1
    Millions of Britons reveal their innermost secrets through their computer passwords, making their office PCs incredibly vulnerable to attack according to a recent study.

    If a password is based on your innermost secrets, doesn't that make it hard to guess?

  186. Dilbert Password by JojoLinkyBob · · Score: 1
    Reminds me of a really funny dilbert comic, I can't quote it exactly but it went something like this:

    Dear Personnel, our security department has exhaustively analyzed our password usage, and determined that most of them are high risk, in that they are easy to crack. For example, words in the dictionary, family member names, numbers, etc. Because of this, we have created a list of ten passwords which we believe will provide the utmost security. From now on, you are required to use one of the following passwords. Please forward this around, so that the message gets out.

    1. jfkasjdfa23r@#$@#
    2. aFAWJF@#F23jkf3f23
    3. FJsdafj23ifj23fjfe
    4. if23F@#Jf23fj2i3fji
    5. @#F23kfjfjdkfjdfkj
    6. afj28fjfsdFAJSDffd
    7. F@j3fj8dsjfasdflkjf
    8. jaF@#FJdkfjalofiwed
    9. aAJSDFIEifjefijefiej
    10. FJAIEFKfjdfojiaejfoije

    Thanks,
    Human Resources

    heheh

    --
    -jc
  187. passkey by Khopesh · · Score: 2

    "'I don't want to have to remember 18 different passwords.' You don't Genius, give the same password if you must, but make them tough."

    my general password is some really cryptic (l33t) phrase. that's my password for everything not linked to $$$. my trick is that I add a hash of the site I'm at (using a common scheme) to make the password unique. I've got something hard to crack, unique per site, and if somebody gets ahold of one password, they have no others. my scheme is complex enough that they shouldn't find it even with three or four passwords (or so I'd like to think).

    --
    Use my userscript to add story images to Slashdot. There's no going back.
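Khopesh's "master phrase plus a hash of the site" idea above can be built so that one leaked password reveals nothing about the others. The following is an added example, not Khopesh's scheme, which the post does not describe in detail: it keys HMAC-SHA256 with the master phrase, uses the site label plus a rotation counter as the message, and writes the digest out in whatever alphabet the site accepts, which also copes with the sites arban complains about that reject special characters. The master phrase, site names and guess list are constructed. The caveat that remains is shown by guess_master: anyone who obtains one derived password and knows the scheme can test master-phrase guesses offline, so the master phrase has to be strong on its own.

```python
import hashlib
import hmac

FULL = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
        "0123456789!#$%&*+-=?@^_")
ALNUM = FULL[:62]   # for sites that refuse "special characters"


def site_password(master, site, length=16, alphabet=FULL, counter=0):
    """Derive the password for `site` from the master phrase.

    HMAC-SHA256 keyed with the master phrase; the message is the normalised
    site label plus a counter, so one site's password can be rotated by
    bumping the counter without touching the master. The digest is read as
    a 256-bit integer and written out in base len(alphabet), so any alphabet
    a site allows works and the output is as uniform as the digest.
    """
    msg = f"{site.strip().lower()}:{counter}".encode()
    n = int.from_bytes(hmac.new(master.encode(), msg, hashlib.sha256).digest(), "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        chars.append(alphabet[idx])
    return "".join(chars)


def guess_master(site, leaked, guesses, length=16, alphabet=FULL, counter=0):
    """The caveat: with one leaked (site, password) pair and knowledge of the
    scheme, master phrases can be tried offline. Returns the first guess that
    reproduces `leaked`, or None."""
    for g in guesses:
        if hmac.compare_digest(site_password(g, site, length, alphabet, counter), leaked):
            return g
    return None


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed
    for site in ("slashdot.org", "bank.example", "example.com"):
        print(site, site_password(master, site), site_password(master, site, alphabet=ALNUM))
    print("weak master recovered:",
          guess_master("slashdot.org", site_password("letmein", "slashdot.org"),
                       ["password", "swordfish", "letmein"]))
```

Because the site label is part of the HMAC input rather than appended to the output, two derived passwords share no visible structure, unlike the "masterpass+slashdot" style that lets anyone holding one password read off the rest.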
  188. Re:Too many passwords? by Fesh · · Score: 2
    Favorite one I heard from a friend(and I hope to god he doesn't use it anymore) was "^inmy:"...


    --Fesh

    --
    --Fesh
    Kill -9 'em all, let root@localhost sort 'em out.
  189. Groucho on social engineering by e7 · · Score: 2

    Yeah, it's from Horse Feathers:
    CHICO: You can't come in unless you give the password.
    GROUCHO: Well, what is the password?
    CHICO: Aw, no! You gotta tell me. Hey, I tell what I do. I give you three guesses. It's the name of a fish.
    [...]
    CHICO: You can't come in here unless you say 'swordfish.' Now I'll give you one more guess.

    (Harpo gets in by displaying a mounted swordfish trophy.)

    --
    Corollary to Moore's Law: The IQ of new computer owners is declining.
  190. Re:Passwords :: We need a better way by jfmiller · · Score: 1
    My office has also looked into this. Most of our users fall into the Family security zone. Our biggest problem is that the state run system requires that passwords be changed every 38 days. This is too often. It causes too many passwords to be used and leads otherwise responsible users to use simple password rotations (pass1,pass2,pass3,etc...) that defeat the whole purpose.

    I have looked for a system that would use cards, fingers, eyes, etc... to identify users to the system and thus make our office more secure, but there doesn't seem to be anything out there that fits our criteria. If any R&D folks are reading this and think they can make a system like this there's a wide open market.

    JFMILLER

    System requirements:

    Cost no more than $250 per user plus $5000 start up cost
    Use a single form of ID for all logins. (i.e. no passwords)
    Compatible with terminal emulation software and configurable to current system. (i.e. We can't change the state system)
    Compatible with Lotus Notes, Win2k, Novell and Web.

    If you can do this You can make a lot of money.
    --
    Strive to make your client happy, not necessarily give them what they ask for
  191. Re:Wow! by bad-badtz-maru · · Score: 1


    I am doomed, I can never remember to click on the "No Score +1 Bonus" message and thus keep posting drivel at +1.

    maru

  192. Re:Wow! by bad-badtz-maru · · Score: 2


    The post to which I was replying essentially asked why a longer password was more secure. My reply was obviously noninformative for most of us, who already knew the answer. Not sure why you couldn't figure that out.

    maru

  193. Good password system I got from a slashdot poster by bad-badtz-maru · · Score: 3


    About a year ago there was some sort of discussion here about methods of password generation. Someone had the best system I have seen, and I have been using it ever since. It's based on the use of simple math formulas, such as 8+7=fifteen or 24/8=three. It has many advantages. It's relatively long, uses shifted characters, and isn't hard to remember. Another advantage I discovered after we started using it regularly is that you can verbally relay the password to another admin who might have forgotten it and that admin (who knows that the answer to the equation is spelled out) can then use it but others within earshot who heard it will not understand how to use it.
    A tip of the hat to whomever it was here that originally posted that method a year or so ago.

    maru
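Three posts in this thread describe passwords generated from one small rule and a few parameters: the month/year scheme earlier on this page ("aPr19(9", "jU19%7Ly"), psxndc's airplane vocabulary ("f14a10f4") and maru's arithmetic sentences ("8+7=fifteen"). The following is an added example, not code from any of the posters, that enumerates each scheme exactly as an attacker who had learned the rule would, and reports the size of the resulting keyspace. The vocabulary list, the year range, the shift-key substitution for digits and the spelling convention for numbers (no spaces or hyphens) are assumptions.

```python
import itertools
import math

# --- scheme 1: month abbreviation/name + four-digit year, mixed caps, shifted digits
SHIFTED = str.maketrans("1234567890", "!@#$%^&*()")   # digit typed with Shift held
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
MONTH_FORMS = list(dict.fromkeys([m[:3] for m in MONTHS] + MONTHS))   # 23 distinct forms


def month_year_candidates(years):
    """Every string the scheme can produce for the given years: a month form
    with the year inserted at any position, each letter upper or lower, each
    digit plain or shift-typed ('9' -> '(')."""
    for form in MONTH_FORMS:
        for caps in itertools.product((False, True), repeat=len(form)):
            cased = "".join(ch.upper() if up else ch for ch, up in zip(form, caps))
            for year in years:
                digits = str(year)
                for shifts in itertools.product((False, True), repeat=len(digits)):
                    y = "".join(d.translate(SHIFTED) if s else d for d, s in zip(digits, shifts))
                    for cut in range(len(cased) + 1):
                        yield cased[:cut] + y + cased[cut:]


def month_year_count(years):
    """Closed form of the above for four-digit years (2^4 digit-shift patterns)."""
    return sum(2 ** len(f) * (len(f) + 1) for f in MONTH_FORMS) * 16 * len(years)


# --- scheme 2: a few items from a small fixed vocabulary, in any order
PLANES = ["f14", "f15", "f16", "f18", "f22", "a10", "f4", "f117", "b2", "b52"]   # assumed list


def vocabulary_candidates(vocab=PLANES, sizes=(2, 3, 4)):
    """Orderings of 2..4 distinct items from the vocabulary, concatenated."""
    for k in sizes:
        for combo in itertools.permutations(vocab, k):
            yield "".join(combo)


# --- scheme 3: "8+7=fifteen": two operands, one operator, the result spelled out
ONES = ("zero one two three four five six seven eight nine ten eleven twelve "
        "thirteen fourteen fifteen sixteen seventeen eighteen nineteen").split()
TENS = "_ _ twenty thirty forty fifty sixty seventy eighty ninety".split()


def words(n):
    """Spell 0..9999 without spaces or hyphens (assumed typing convention)."""
    if n < 20:
        return ONES[n]
    if n < 100:
        return TENS[n // 10] + (ONES[n % 10] if n % 10 else "")
    if n < 1000:
        return ONES[n // 100] + "hundred" + (words(n % 100) if n % 100 else "")
    return ONES[n // 1000] + "thousand" + (words(n % 1000) if n % 1000 else "")


def arithmetic_candidates(limit=99):
    """Operands 1..limit with + - * /; only whole, non-negative results kept."""
    for a in range(1, limit + 1):
        for b in range(1, limit + 1):
            yield f"{a}+{b}={words(a + b)}"
            yield f"{a}*{b}={words(a * b)}"
            if a >= b:
                yield f"{a}-{b}={words(a - b)}"
            if a % b == 0:
                yield f"{a}/{b}={words(a // b)}"


def scheme_size(candidates):
    """(count, log2 count) for a candidate stream."""
    n = sum(1 for _ in candidates)
    return n, math.log2(n)


if __name__ == "__main__":
    years = range(1900, 2100)
    n = month_year_count(years)
    print(f"month/year over {len(years)} years: {n:,} strings, 2^{math.log2(n):.1f}")
    for name, gen in (("vocabulary", vocabulary_candidates()),
                      ("arithmetic", arithmetic_candidates())):
        n, bits = scheme_size(gen)
        print(f"{name}: {n:,} strings, 2^{bits:.1f}")
```

Run as a script it prints the sizes: the month/year scheme over 200 years is about 2^25.6 strings, the arithmetic scheme about 2^14.6, and two to four items from a ten-word vocabulary under 2^13. A single machine exhausts any of these in seconds once the rule is known; the mixed case and shifted digits multiply the count but do not change that conclusion.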

  194. Re:My /. password is... by DarkHelmet · · Score: 1

    Ugh, that's the kind of password that an idiot president would have.

    --
    /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
  195. Re:The passward is electrifing by RFC959 · · Score: 1
    10 phone numbers
    Thank you! I do wonder how people can whine "I can't remember w@ltz3r without writing it down, it's too hard!" but they can remember a ton of people's completely arbitrary phone numbers.

    Of course, I'm reminded of a manifesto which said something to the effect of "If we wanted to make the crappiest communications protocol imaginable, we'd give people random numeric addresses and force them to be at a specific physical location to send or receive messages..."

  196. Too many passwords? by AMuse · · Score: 3

    Users, generally, have too many passwords to remember. And no one wants to subscribe to MS Passport. Writing down the password, as well, is equally foolish.

    However, to be a good SysAdmin, you really need to try to find SOME way for your users to have both a secure password, and one they can remember. (OR you'll be resetting it constantly).

    I advise my users to think of a sentence to use as a mnemonic device, and make their password off that. ie, "My Sysadmin Has Too Many Piercings Today" - their PW would be mshtmp2d. I know, it's not as good as, say, "54kaSgHJ3", but most crack programs will take a hell of a long time on a NICE computer to break it, and the users feel more comfortable with it.

    Really, the point is to make the password not easily guessable, not write it down, but easy for the user to remember.
    --------------------------------------- -----------
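jallred's "m2SwBoA23" and AMuse's "mshtmp2d" above are both first-letter skeletons of a sentence. The following is an added example, not either poster's code, that derives such a password with one explicit rule set: a word that starts with a digit contributes its leading digits, every other word its first character with the case as written, and an optional substitution table covers personal shorthand (the assumption that AMuse's "Today" became "2d" is mine, made so that the example reproduces that password). It also adds the check a practitioner would want: the skeleton of a famous phrase is in cracking wordlists, so the checker rejects those, using a small constructed list of phrases.

```python
import re

# Constructed sample of the phrase lists crackers carry alongside dictionaries.
FAMOUS = [
    "To be or not to be, that is the question",
    "Four score and seven years ago",
    "May the force be with you",
    "We the people of the United States",
]


def mnemonic_password(sentence, subs=None, lowercase=False):
    """Turn a sentence into its first-character skeleton.

    A word starting with a digit contributes its leading digits ("2nd" -> "2",
    "23rd" -> "23"); any other word contributes its first character with the
    case the writer gave it. `subs` maps a word (case-insensitive) to the
    shorthand the writer prefers, e.g. {"Today": "2d"}.
    """
    subs = {k.lower(): v for k, v in (subs or {}).items()}
    out = []
    for word in sentence.split():
        key = word.strip(".,!?;:").lower()
        if key in subs:
            out.append(subs[key])
        elif key[:1].isdigit():
            out.append(re.match(r"\d+", key).group())
        elif key:
            out.append(word[0])
    pw = "".join(out)
    return pw.lower() if lowercase else pw


def famous_skeletons(phrases=FAMOUS):
    """Skeletons a cracker would precompute from a phrase list."""
    return {mnemonic_password(p) for p in phrases}


def check(pw, phrases=FAMOUS):
    """Return the problems with a candidate: famous-phrase skeleton, too short,
    only one character class. Empty list means none of these apply."""
    problems = []
    known = {s.lower() for s in famous_skeletons(phrases)}
    if pw.lower() in known:
        problems.append("skeleton of a well-known phrase")
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = sum(any(f(c) for c in pw)
                  for f in (str.isupper, str.islower, str.isdigit,
                            lambda c: not c.isalnum()))
    if classes < 2:
        problems.append("only one character class")
    return problems


if __name__ == "__main__":
    for sentence, kw in (("my 2nd Sister was Born on April 23rd", {}),
                         ("My Sysadmin Has Too Many Piercings Today",
                          {"subs": {"Today": "2d"}, "lowercase": True}),
                         ("To be or not to be, that is the question", {})):
        pw = mnemonic_password(sentence, **kw)
        print(f"{pw!r:14} from {sentence!r}: {check(pw) or 'ok'}")
```

The sentence-specific facts in jallred's example (a sibling's birthday) are what keep it out of phrase lists; the same derivation applied to a quotation produces a password that has been in wordlists for years.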

    1. Re:Too many passwords? by rgmoore · · Score: 1

      This is a reasonable point. I guess that I just didn't think about that because I can touch type and can use moderately long passwords that contain upper and lower case and punctuation without too much trouble. I can see that it might be a problem for other people, though. OTOH, I think that it's probably easier to type in a whole sentence blind than it is to remember a gibberish password- and I think of myself as having a pretty good memory. Of course if you're really serious about security you'll just give everyone a personalized smart card that generates time sensitive passwords anyway.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

    2. Re:Too many passwords? by rgmoore · · Score: 3

      Of course on a modern system that uses MD5 passwords, it would be fine to use the whole sentence as the password (passphrase) instead of abbreviating it. Typing out something that long could get really annoying after a while, but if you're really interested in security it would be worth it. If the goal is to increase the keyspace, the simplest way to do it is to allow longer but still memorable passphrases, not to force people to remember gibberish.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

    3. Re:Too many passwords? by jrockway · · Score: 1

      Yup! People laugh at my password, it's at least 20 characters. I show them, though. My g/f had a nice screensaver password that I needed to circumvent. Failing social engineering :), I guessed. My first attempt was correct...it was 'jon'... she uses my name to protect her system from me... *sigh*

      --
      My other car is first.
    4. Re:Too many passwords? by markmoss · · Score: 3

      use the whole sentence as the password

      That's fine if you can type a whole sentence blind without any errors. Most people can't.

  197. Re:Foreign Language Passwords by Robert+Borkowski · · Score: 1

    Mine does, to my users' surprise. Don't assume that crackers are less clever than you are. My crack list has all sorts of bizarre things in it, and it gets permuted by 'John The Ripper'.
    If the language has a dictionary, then do not use that language. I think this falls under not using published materials for passwords...

    --
    This .sig intentionally left blank
  198. Foreign Language Passwords by Logic+Bomb · · Score: 2

    Most everyone has to learn the basics of a foreign language in school. I've always just used a handful of easy-to-remember words from one of the ones I studied. No automated cracking scheme goes through foreign dictionaries too. :-)

    1. Re:Foreign Language Passwords by Logic+Bomb · · Score: 2

      Ok, forgot the little line saying I was being (or attempting to be) funny. Never mind. ;-)

  199. Or what about.... by [ella] · · Score: 1

    some other stupid ones
    change_on_install
    manager
    blank

    And I see these a lot at customers, for whom I have to sign a contract that all information, especially passwords, is confidential.

    --
    Mike
  200. Re:My /. password is... by susano_otter · · Score: 4

    The Internet domain name registry CentralNic who commissioned the study, claims that the most common type of password attack comes in the form of "social engineering", when a cracker poses as technical support, and contacts someone in a different department within a big corporation claiming that there is a network problem, and asks for the user's password.

    Another option is to pretend to be doing a study of such things, and ask thousands of companies for their user's passwords.

    --

    Any sufficiently well-organized community is indistinguishable from Government.

  201. Re:The passward is electrifing by SuiteSisterMary · · Score: 2

    I use Secret, myself, because it has a desktop companion app.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  202. Oh, my by vanza · · Score: 1

    when a cracker poses as technical support, and contacts someone in a different department within a big corporation claiming that there is a network problem, and asks for the user's password.

    Are you sure this is not some reprint of a BOFH episode?


    --
    Marcelo Vanzin
  203. Re:Stop demanding "strong" passwords by cryosis · · Score: 1

    determined hackers will get in the system, yes. most of us have accepted that fact. who we don't want on the systems are those joy riding skript kiddies. they make large messes and don't even do anything all that interesting. at least with a determined hacker you can watch and be amused/amazed/not notice until your main competitor has an identical product to yours out.

    Life is a disease, sexually transmitted and fatal.

  204. My method for easy to remember passwords... by Gogl · · Score: 2

    Relatively simple really. Pick two words that are related, but unrelated to you. For example, I'm not into fishing. I could pick the words "bait" and "tackle". Now that you have those words, stick them together. But wait, there is more....

    Okay, now you have baittackle. Here are the other things you can do to it. Capitalize the first letter of each word. You have BaitTackle. Capitalize the last letter too if you like, for BaiTTacklE. Or just the last letter, or whatever. But then, the real clincher is to add some sort of unusual symbol between the two words, such as + or = or - or / or whatever. Not all systems allow all symbols, but chances are you can figure out at least a few good unusual symbols your system allows.

    The end result could be something like BaiT+TacklE. Easy to remember, hard to crack.

  205. Re:Is there a category for... by Colz+Grigor · · Score: 2
    Sounds familiar, but when this was a common thing in my past I was working at an Internet-based streaming media company, where live webcams were placed on pan/tilt mounts that could be controlled from a public web page. Took them months to figure out why people from all over the net kept hacking into the web server.

    I got a kick out of it.

    ::Colz Grigor

    --

  206. Stick a fake password on the monitor by YIAAL · · Score: 3

    I have post-its with fake passwords scattered all over my office. I figure anyone who tries to hack my machine will waste a lot of time trying them, and will be so absolutely sure that one of them must work that in the end he will be too emotionally exhausted from frustration to try a more intelligent approach.

  207. but why bother? by whizzird · · Score: 1

    Why bother with a decent password on your account, when sysadmins all over the world make all the workstations have the same easy password?
    _ALL_ of the NT workstations where I work have the administrator password 'password'. Fortunately my NT is a vmware install running under Debian...maybe I should change my root password from password tho...

  208. Cryptic by aozilla · · Score: 2

    Yeah, God forbid if someone broke into my slashdot account and posted a message as me. I use easy to guess passwords intentionally. This way, if I ever post something I regret, I can just say my password was stolen.

    --
    ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  209. Re:I'm with Stupid -- by rgmoore · · Score: 1

    If your system is really that valuable, though, you should invest some money in better security than passwords. Try as you may, passwords are never going to be really, really secure because users tend to subvert them. If you want real security you're going to need to add an extra level to the system, like smart cards or biometrics. Doing otherwise is like locking up your valuables with a skeleton key.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  210. Re:How to choose a password by SilLumTao · · Score: 1

    A trick I use to keep track of all my passwords is to combine a local and global pass phrase.

    My global pass phrase is common to all my passwords. For example: "A big blue monster ate all my cookies" becomes "Abbm8amc". When I log onto a site like slashdot, I create a simple association with the site. For example: "Slashdot is news for nerds" turns into "$dinfn"

    If I concatenate this local pass phrase with my global pass phrase, I get "$dinfnAbbm8amc".

    This is a much easier way to remember multiple passwords so you won't be tempted to use the same one on different sites (not that I don't trust CmdrTaco).

    BTW, this is NOT my slashdot password.

    --
    "He was a wise man who invented beer." -- Plato
  211. My favorite is by Frequanaut · · Score: 1


    2b|!2b

    (Don't bother, I don't use it for web sites)

    1. Re:My favorite is by Plague+You · · Score: 2
      Hah! I had on a Netware 3.12 box:

      oh! for a muse of fire that would ascend the brightest heaven of invention

  212. Re:5 most common passwords!!! by CptnHarlock · · Score: 1

    yes, 1337 w0rdz are in the passwd dictionaries... so are a lot of Star Wars, Tolkien and Star Trek terms, names and variations.. wonder why.. :)
    --
    $HOME is where the .*shrc is

    -- silver_p
  213. Is there a category for... by Ron+Harwood · · Score: 5

    ...the idiots that write their passwords on post-its and stick them to the bottom of their keyboards?

    1. Re:Is there a category for... by Martin+Blank · · Score: 1

      Could be worse. I went to help a user a few months ago, and asked her to put her password in to log into the network. (I have a personal policy of not asking for user passwords. I don't know them, I don't WANT to know them. Security starts with me.) She simply said, "It's right there." I looked to where she pointed, and there was her logon and password. Underneath it was listed the name of three banks with whom we have accounts, account numbers for them, as well as access IDs and passwords, with little notes like "Payroll account" and "Capital account" next to each one. Now, I work for a Fortune 500 company.

      It strikes me as slightly dangerous that someone has this information in OPEN FREAKING VIEW. I asked her to put the information in a safe place, and she argued, saying she referenced it too many times each day. I told her that it was a massive security problem. She finally backed down when I got her boss's boss involved (her boss didn't see a problem with it, either).

      It's a wonder support people don't go on murderous rampages more often...

      --
      You can never go home again... but I guess you can shop there.
    2. Re:Is there a category for... by lpontiac · · Score: 2
      At school, for example, valid passwords can not contain any symbols and passwords must be sent over telnet (no ssh). Therefore, I can't use my primary password since I have to keep that secure for online banking, work and such. So I am forced to come up with some new, throwaway password that won't compromise the rest of my stuff if it gets out.

      I don't use a password at uni that I use anywhere else, because I don't trust the uni admins.

    3. Re:Is there a category for... by swillden · · Score: 2

      get biometrics if you need to change your password every 3 days.

      If you really need such high security that you have to change passwords every 3 days, then biometrics are a terrible idea. There are many problems with the security of biometrics, but perhaps the largest one is that you can change your password but you can't change your finger. Once a biometric reading is digitized, it is just a password, one that can be sniffed, stored, redistributed, etc. -- but not one that can be changed. Once your finger is compromised it's always compromised.

      Biometrics can provide strong authentication, but they should be used as one factor of a multi-factor authentication mechanism, and the scanning, storage, transmission and comparison of the biometric data must be carefully secured.

      OTOH, they're also a convenient solution for environments that require low security -- as long as you don't plan on using that finger for high-security applications.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:Is there a category for... by linzeal · · Score: 2

      get biometrics if you need to change your password every 3 days. the last place i worked we figured that up to 1/3 of the helpdesk calls were password related and it was costing 12 helpdesk salaries time to do it. so someone suggested biometrics and they laid off 2 people from helpdesk.

    5. Re:Is there a category for... by LionKimbro · · Score: 2

      I attach my passwords to my monitor, and have no problem with it. I feel safer, since I now have hordes of passwords, a different one for each web site.

      The obvious retort is, "But anyone can read it!"

      Is that so? If anyone can read it, and presumably you are somebody, just tell me what my passwords are... C'mon, it's easy: They're right on my monitor. Go on then.

      ...

      I'm waiting...

    6. Re:Is there a category for... by KurdtX · · Score: 1

      Listen to this:

      After reading the story I sent it to my dad, because I know his passwords are rather insecure. (Coincidentally, he also holds the record at his old company for having the most files infected by an email worm when he opened one before heading to a meeting) He emailed me back to tell me he felt he was in the cryptic category because he used capitals and numbers at work. Turns out his "capitals" are capitalizing his name and the number was a '1' appended to what otherwise was his login.

      I haven't told him yet.

      Kurdt

      --

      Kurdt
      I'm not anti-social. Just pro-technology.
    7. Re:Is there a category for... by kenthorvath · · Score: 3

      I did that, and checked my log files. Apparently people DO check for things like post-its under the keyboard. My login: gullable, password: penii. Sure enough I saw a login attempt for user "gullable". I wonder if they got it...

    8. Re:Is there a category for... by ManDude · · Score: 5
      Part of the problem is stupid admins. They want strong passwords changed every 3 days for internal joe average accounts. What else can they do but post it to their keyboard?

    9. Re:Is there a category for... by skt · · Score: 1

      Well, it sucks because I can't remember 15 different passwords. I started keeping a hint list in a safe place a few months ago, but balancing all of my usernames / passwords for various online apps, work, school, and home has become difficult.

      At school, for example, valid passwords can not contain any symbols and passwords must be sent over telnet (no ssh). Therefore, I can't use my primary password since I have to keep that secure for online banking, work and such. So I am forced to come up with some new, throwaway password that won't compromise the rest of my stuff if it gets out. And to make matters worse, school also uses some kind of Microsoft authentication system that, much like the previous comment, keeps a list of all passwords that you have used in the last X number of months and then adds those to the invalid password list. Bleh, so I just came up with an increment that I add to my throwaway password.

      I think that the biggest problem is a lack of standards when it comes to password restrictions. For example, at work we use "three out of the five classes of characters" must be in your password, and then that password must be at least five characters long. Then when I looked into online banking the other day, it requires a password five characters or less. NECXdirect won't accept symbols. Some systems only accept numbers. Of course, usernames are a completely different problem. They are almost like a secondary password now...

    10. Re:Is there a category for... by GeckoX · · Score: 1

      Just a little brainpower would bring you to the conclusion that one password for your local stuff and one dummy for anything that doesn't really matter.

      --
      No Comment.
    11. Re:Is there a category for... by dasmegabyte · · Score: 2

      I stick my password on the bottom of my keyboard. I do it in protest to the draconian IT policy which states that we need to choose a new, secure password containing four different character classes (one each of lower and upper case characters, numbers and control codes), be at least 9 characters long (which makes it absolutely impossible for our macs to connect, dumb IT fucks [ one can counter with "dumb mac fucks," but we need those macs to do our jobs of TESTING WEB APPS USED 80% BY MAC USERS]) AND BE CHANGED EVERY FIFTEEN DAYS! Now of course, you can still crack these passwords in a day and a half with l0phtcrack, but apparently we're making the world more secure.

      The whole concept is so unbelievably stupid that I loudly say, whenever IT is within earshot, "YES, MY PASSWORD IS UNDER MY KEYBOARD. YOU CAN CHECK IT IF YOU LIKE."

      In retrospect, the domain admin password, which everybody fucking knows anyway, hasn't been changed in a year, and the sa password to our SQL servers, passed to four or five dba candidates when they were given their shakedown, HASN'T BEEN CHANGED IN FIVE YEARS.

      So let's review: our user accounts, tied down so that we can't shit in the corner without an admin password, are rotated every fifteen days and given extreme scrutiny, even though you can hack them in an instant, anyway. Our most important access passwords are never changed, and are so unbelievably simple that you can pretty much guess them.

      I can't believe you people spent two whole years in college for this!

      --
      Hey freaks: now you're ju
    12. Re:Is there a category for... by PYves · · Score: 1

      are-ay ey-thay itten-wray in-ay ig-pay atin-lay?

      Of course unbeknownst to you, your janitor is using your account to play yahoo! bingo.

      -PYves

    13. Re:Is there a category for... by Avinoam · · Score: 1

      ...and the bonus is that if you're going to drag around your keyboard, you might as well stick your passwords to the bottom.

      --
      Today is probably not a good day to die.
  214. joke by sik+puppy · · Score: 2

    I like the cartoon of this smartass sitting at a computer - "Enter Password"

    Penis

    "Password not long enough. Please enter another."

    --
    The first thing we do, let's kill all the lawyers. Shakespeare, Henry VI, Part 2, Act 4, Scene 2
  215. Re:People! by FnH · · Score: 1

    As if cracker programs don't try their entire wordlist with the A replaced by a 4, the o by a 0, ...

    Passwords can get safer than that and should ... p455w0rd is about as safe as ncc1701 ...

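    The point FnH makes above (a cracking wordlist already covers "A as 4, o as 0" substitutions), together with the dictionary-word constructions in Gogl's "BaiT+TacklE" method and the "login plus 1" passwords mentioned earlier in the thread, is what a blocklist check at password-set time has to account for. The following Python is an added example, not code from the thread or from any poster: it undoes common leet substitutions, strips separator symbols and trailing digits, and tries a two-word split before comparing against a wordlist. The wordlist and the passwords it is run against are constructed for the example; a real check would load a large common-password list in place of `WORDLIST`.

```python
"""Blocklist check that normalizes the tricks a cracker's wordlist
already covers (leet substitutions, symbol separators, trailing
digits, two concatenated words) before comparing against the list.
Wordlist and sample inputs are constructed for this example."""

import re
from itertools import product

# Constructed mini wordlist standing in for a large common-password list.
WORDLIST = {"password", "swordfish", "trustno1", "bait", "tackle",
            "pabst", "hoyas", "picard", "smith", "ncc1701"}

# Leet character -> the plain letters it commonly stands for.
# '1' and '|' are ambiguous, so they expand to more than one letter.
LEET = {
    "4": "a", "@": "a", "3": "e", "1": "il", "!": "i", "|": "il",
    "0": "o", "5": "s", "$": "s", "7": "t", "+": "t",
}


def deleet_variants(pw, limit=256):
    """Return every plain-text reading of pw, lowercased, keeping the
    original character as one option so 'trustno1' still matches as
    written. Ambiguous characters multiply the readings, so cap them."""
    choices = []
    for ch in pw.lower():
        alts = LEET.get(ch, "")
        # dict.fromkeys de-duplicates while keeping order: original first
        choices.append(tuple(dict.fromkeys(ch + alts)))
    out = []
    for combo in product(*choices):
        out.append("".join(combo))
        if len(out) >= limit:
            break
    return out


def weak_reason(pw):
    """Return a short reason if pw reduces to wordlist material,
    otherwise None (meaning no rule fired, not that pw is strong)."""
    for reading in deleet_variants(pw):
        # 1. Direct wordlist hit, possibly after undoing leet: p455w0rd
        if reading in WORDLIST:
            return f"wordlist entry {reading!r}"
        # 2. Separator symbols removed: BaiT+TacklE -> baittackle
        plain = re.sub(r"[^a-z0-9]", "", reading)
        if plain in WORDLIST:
            return f"wordlist entry {plain!r} plus symbols"
        # 3. Trailing digits removed: pabst1 -> pabst, smith1 -> smith
        base = re.sub(r"\d+$", "", plain)
        if base != plain and base in WORDLIST:
            return f"wordlist entry {base!r} plus trailing digits"
        # 4. Two wordlist words glued together: baittackle -> bait+tackle
        for i in range(1, len(base)):
            if base[:i] in WORDLIST and base[i:] in WORDLIST:
                return f"two wordlist words {base[:i]!r}+{base[i:]!r}"
    return None


if __name__ == "__main__":
    # Constructed sample inputs drawn from the kinds of passwords
    # discussed in the thread.
    for candidate in ["p455w0rd", "BaiT+TacklE", "pabst1", "Trustno1",
                      "Abbm8amc$dinfn"]:
        print(f"{candidate:16} -> {weak_reason(candidate) or 'no rule fired'}")
```

A `None` result only means none of these four rules matched; it is not a strength score. The check is meant to run at the moment a user sets a password, so the rejection reason can be shown to them, and it complements rather than replaces a minimum-length rule.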
  216. Password security lessons from pop music by Jonathan+Blocksom · · Score: 1

    The band Barcelona has an entertaining song about password security entitled "I Have the Password to Your Shell Account". Find it at http://www.barcelonadc.com/frame.asp?p=sounds.

  217. Re:My /. password is... by Andrewkov · · Score: 1
    You're making me feel bad, my license plate says "3L337"

    ---

  218. I know of the _PERFECT_ system. by Com2Kid · · Score: 1

    Easy actually, something that dictionary attacks are almost completely useless against, and that you will be able to remember no matter how many passwords you may have! Of course constant PW rotation can make this more difficult, but. . . .

    Take your favorite class, preferably _NOT_ from a major college or such, pick a high school or middle school class that you took in the past.

    Abbreviate the subject if necessary or depending on the length needed of the PW. So WorldHistory could become WrldHis. Now then, append the room number that you took it in, say you took it in portable 14.

    WrldHisP14. Add the teacher's name. WrldHisP14Smith

    Tada, NOBODY would guess that password, ever. Not only is it long, but a dictionary attack would have a bitch of a time going through it even if it was programmed to use abbreviations. The more obscure the reference and class of course, the better the password.

    ChmySci278Tugure.

    Shoot, who'd guess something like that, eh? Hell, notice the cutesy abbreviation of chemistry, instead of the obvious chem or chemi, replace the 'i' with a 'y'.

    Once again, such passwords are easy to remember because they are CLOSE TO YOU, but they are something that almost nobody would guess. Shoot, even if they know what scheme you're using for your passwords, not only have you taken a lot of courses in your life, but there are MANY ways to abbreviate them. Granted if your scheme is known it significantly reduces the number of words that a person has to try, and if they get ahold of your class transcripts then they would have a listing of teachers' names and such to go along with the class, and the only thing protecting you would be odd spellings and abbreviations, but shit. . . .

    If somebody can get ahold of ALL your personal information, then you're fucked anyways :)

    I myself of course have a few added twists to that scheme, and I use more than one scheme to come up with my passwords (depending on the security of the site, and my own box of course has a completely different PW than anything else that I ever use :), but the method that I just outlined above is highly useful for those sites that want insanely long passwords, and for ones that want immensely short passwords. You can easily use a shorter class/teacher name for the shorter less security required sites, and longer class/teacher name for the more secure sites.

    Or hell, you can implement this as part of your 1337 u/\/#@ck@b13 password scheme and append a few dozen other phrases to the end of the ones created by my idea. As it is, easy to think up of, easy to remember, and easy to generate new ones as you need to change your passwords. And a total bitch to break :) Granted, a lot easier than if it was a purely random sequence, but shit, with random sequences, ya got the post it note thing going against ya :)

  219. Password=Password? by langed · · Score: 1

    This reminds me of an old security program I used to use (way back in my MS-DOS days.) It was called PC-LOCK, and the default password was "PASSWORD". Installed lightning fast--even considering all it did was rewrite the partition IDs, update the bootsector on the active primary partition, and add a TSR device driver to config.sys (which allowed you to hit the shift key 3 times in rapid succession to lock the system.)

  220. It takes a team of trained IT professionals... by mdavids · · Score: 2

    I used to work for a hulking great multinational company; let's call them CompanyName Limited. I was not in the IT department, I hasten to add, but was let in on the top-secret root/NT domain administrator/whatever you call it on that platform password.

    You guessed it: CompanyName

    After I wiped the tears from my eyes, and my sides stopped hurting, I let some other people in on the secret and it was hastily changed. It's amazing what you won't learn in the process of getting your MCSE.

  221. Passwords :: We need a better way by ellem · · Score: 3

    --As a Sys Admin I have a sort of love/hate relationship with passwords. My users are required to remember no less than 3. (NW, Notes, Sabre.) Some of the savvier have managed to use the same password everywhere. Recently an edict was passed down from the PHBs to make everyone's password the same. Mostly so the PHBs could access anything. I showed them the error of this thought process.

    --"Then they can get each other's stuff and yours!"

    --"But, they're not me, how could they get in?"

    --"If I have the keys to your house I could get in to it."

    --"Oh. But they'd have to sit at my desk!"

    --"Not really." (Of course I could restrict where users can log in from but they don't need to know that!)

    --But honestly I feel for these people. I have a ton of passwords too. Some are hard some are easy some I don't know thanks to cookies. The point being there ARE far too many passwords.

    --I have been trying to envision a swipe card system wherein all a user's passwords are stored yadda yadda. Clearly theft of this would be bad, but so is losing your work ID swipe card. Perhaps this is coupled to a typed password for the card. (Which my users would write onto the card with a Sharpie.)

    --Of course the promise of fingerprint recognition (lop off the finger trick?) and retinal scans would make this idea obsolete in several years but something has to be attempted to lessen the password load.
    ---

    --
    This .sig is fake but accurate.
    1. Re:Passwords :: We need a better way by Timodious · · Score: 1

      I am working on deployment of a product called "P-Synch" which synchronizes passwords between NT domains, Unix systems (NIS/YP included), Oracle, and anything else you can write a script for. It will be wonderful when users can go to a web page and reset all of their passwords, or the help desk can change a user's password on all machines at once.

  222. Man, I finally have a category.... by woody_jay · · Score: 1

    It seems I am a self-obsessed, cryptic, family password creator. Life is good.

    --
    Of course, that's just my opinion, I could be wrong.
  223. False Password by orfeo · · Score: 1

    I wonder what percentage of people who were security conscious enough to use cryptic passwords were also security conscious enough to give them a false password. How many people reading /. now have another idea for a method of social engineering? "I'm doing a survey. What's your password?"

  224. Staples.ca by BigASS · · Score: 1
    Legal ramifications aside..

    No lie, the manager of the store had all employee login passwords to our AS/400 server changed to "swordfish" the same week the movie with the same title came out. Also, attached to the terminals in plain view is the entire login information for anyone to use. If that isn't sad enough, he gets paid more than us too.

    A password technique I enjoy to throw off over the shoulder reading is to use capital and lowercase letters side by side that are hard to visibly distinguish like "iIlL0oOxX", "0Oo" being my favorite.

    --
    - Don't anthropomorphize computers, they don't like it.
  225. Re:The passward is electrifing by Martin+Blank · · Score: 1

    Phone numbers are memorable because people can associate simple patterns to them. They remember that a number has a repeating sequence, except for one number. One friend remembers my phone number because part of it is like a cross, only one of the numbers is off the cross. My passwords are memorable because I know the patterns that my fingers cover on the keyboard, and I know from the simple feeling of the placement of my fingers that I mistyped something.

    One of my users was an amateur astronomer, and used *1t in her password. She remembered it as "starlight". Phoneticization is an old trick, but I was impressed that she (a simple secretary and not very good with computers) used it.

    --
    You can never go home again... but I guess you can shop there.
  226. Re:My /. password is... by _xeno_ · · Score: 4
    Google "translation Fithos Lusec Wecos Vinosec" and feel lucky about it, and you'll be rewarded with:
    [W]hat Uematsu did was rearrange the letters in "Succession of Witches" and "Love" to make something that sounded truly Latin. Try it for yourself. All of the same letters are in there!

    Fithos Lusec Wecos Vinosec
    Succession of Witches Love

    I think it's cool that he did that because that also portrays the prevalent theme of Final Fantasy VIII.

    More information (like the words) can be found elsewhere.

    My mod points, please :)

    --
    You are in a maze of twisty little relative jumps, all alike.
  227. Re:How about choosing based on ease of typing? by simetra · · Score: 1

    Yep, that's what I do. I found a really good one too. I used to make up cryptic ones, but after discovering ones that type quickly and easily, and are still reasonably obscure/secure, I'm not going back.

    --

    "Would it kill you to put down the toilet seat?" -- Maya Angelou
  228. Re:Writing down passwords isn't always stupid. by kirkb · · Score: 1

    Two words: House fire.

    --
    Slashdot: come for the pedantry, stay for the condescension.
  229. easiest password by bigbadbuccidaddy · · Score: 1

    This friend of mine had Pabst Blue Ribbon memorabilia all over his room -- signs bottles, etc. He wouldn't shut up about how great PBR is. This other friend of mine guessed his password in exactly two tries -- first try: 'pabst'. second try 'pabst1'. He couldn't figure out how in the world someone guessed his password. Heineken!? Fuck that shit! Pabst Blue Ribbon!

  230. Webpages as Password Generators by eric434 · · Score: 1

    Eric's Method of Generating Random, Easy-to-remember Passwords: 1. Start surfing the web. Find something arcane (ring-tailed lemur mating habits, for example). 2. Scroll down so the screen is as full of text as possible. 3. Point your finger at a random point on the screen that isn't the middle. 4. The word or phrase that is closest to the chosen point and also closest to your desired password length is your new password!

    --
    This .sig temporary until a better .sig can be constructed.
  231. fuck cryptic passwords by AndyChrist · · Score: 1

    If you are one of the people who has to help people when they forget their password, you wouldn't be suggesting people do that.

    I always tell people "use the name of a dead pet." Easy to remember, hard for anyone but MAYBE ...MAYBE their close friends and family to guess.

    Otherwise, I tell people to do "fan" passwords. That's pretty stupid, though, if you pick something EVERYONE KNOWS YOU ARE A FAN OF. Like my friend who liked to wear Georgetown shirts and hats, and whose password was "hoyas." Moron.

    If you're someone who goes to SF conventions every year dressed in a Star Trek uniform, "picard" would be a lame ass password.

  232. ...from the website... by dbolger · · Score: 3
    "Computer passwords reveal workers' secrets

    login: dbolger
    pw: StalkingNataliePortman

    ;)

  233. what about dates? by emok · · Score: 1

    My mom uses the same 4-digit year for all her passwords: PIN, AOL, hotmail, etc. She doesn't understand why I think it's stupid.

    1. Re:what about dates? by jrockway · · Score: 1

      would that be "33137"?

      --
      My other car is first.
    2. Re:what about dates? by jrockway · · Score: 1

      9 digit numbers are pretty easy. 100,000,000 combinations... the program that runs crypt on all of those to compare to /etc/passwd takes about a second to run :(

      --
      My other car is first.
    3. Re:what about dates? by tb3 · · Score: 2

      My mom uses her WWII id number. She says she learned it when she was five and will never forget it. I think it's an 8 or 9 digit number, so it would take a little time to crack.

      "What are we going to do tonight, Bill?"

      --

      www.lucernesys.com Horizon: Calendar-based personal finance

    4. Re:what about dates? by .+O+_Malaclypse_+O+. · · Score: 1

      My Mom works at a large bank, where they do the same for the ENTRANCE CODE!!! (But you also need a key)

  234. Same password, many years by dada21 · · Score: 1

    I still use my same password from my BBS days for a LOT of stuff I shouldn't. It's just SO hard for me not to type basic1992 whenever prompted for a password.

  235. Re:Oops... by PopeAlien · · Score: 4

    Uh.. yeah.. there *have* been some problems at OSDN lately, but don't worry we're working on the problem. Everybody just needs to email their slashdot username/password to me and I'll check to make sure it hasn't been 'compromised'.. Have a nice day!

  236. Ran-Dumb passwords by Carlk · · Score: 2

    As ManDude said "Part of the problem is stupid admins. They want strong passwords changed every 3 days for internal joe average accounts. What else can they do but post it to their keyboard?" In 2 years I went from 0 to >10 pisswords. Most are written in my brainbook. [Bound, holds pens, no battery failures!] In case. My answer is to partition them into several parts: WHERE [eg: osU, TR]. WHAT [eg: unIversity, business]. DIGITS/SYMBOLS [314 (pi), 1414 (sroot2), 981 (mm/s^2)]. So the Thomas Register password might be "TrBusi2718". The Windows NT5 Server at the college forces change of >8 char pw every 6 wks, and remembers up to 24 for uniqueness. All I gotta do is remember the few new digits, and apply them as I visit the sites. Since June the field orders are different.

  237. Re:I'm with Stupid -- by 2Bits · · Score: 1
    Hey, I'm a technical recruiter. You mind giving that password? :)

  238. Suggested Password Scheme by Elentar · · Score: 1
    An old coworker of mine had a scheme he suggested to users with problems using complex passwords - he would recommend that they use the serial number from their mouse, keyboard, monitor, or some other piece of equipment on their desk. It's long and cryptic, not as obvious as a post-it note, and if someone is sitting at the console they can break into your computer anyway.

    --
    The wheel it turns, around and around, with an ancient rumbling sound.
  239. Hello, by EvlPenguin · · Score: 2

    I'm with ZDnet. We're conducting a survey to discover the hidden meanings behind a person's password and what it reveals about that person. Please post your password as a reply to this thread. It's for science.

    Thank you.
    --
    #nohup cat /dev/dsp > /dev/hda & killall -9 getty
  240. My /. password is... by Psmylie · · Score: 5

    1... 2... 3... 4... 5...
    I specifically chose it because that's what I have on my luggage.

    --

    psmylie's dictionary: Godzillion (noun) Any number large enough to destroy Tokyo

    1. Re:My /. password is... by An+Onerous+Coward · · Score: 1
      Okay, it's clear that they're just posting this story to get people to reveal their passwords. Cmdr. Taco didn't even have to kidnap this guy's daughter and threaten to give her back her original nose. I can't believe how many are falling for it!

      Speaking of your sig (okay, so we weren't), does anyone know what the translation for "Fithos Lusec Wecos Vinosec" is supposed to be? Babelfish choked on it last time I tried. Fifty billion moderator points for anyone who tells me the answer (or invents a plausible-sounding one).

      --

      You want the truthiness? You can't handle the truthiness!

    2. Re:My /. password is... by kenthorvath · · Score: 3
      King Roland: Alright, alright I'll tell you the password to the air shields, just don't harm her!

      Dark Helmet: You have my word...

      Roland: 1
      Helmet: 1

      Roland: 2
      Helmet: 2

      Roland: 3
      Helmet: 3

      Roland: 4
      Helmet: 4

      Roland: 5
      Helmet: 5...
      Opening air shields with combination 12345 - That's the stupidest combination I ever heard!

      President Spaceball: That's the combination on my luggage.
      Commence operation MegaMaid - And somebody change the combination on my luggage!

    3. Re:My /. password is... by jrockway · · Score: 1

      > My mod points, please :)

      They should sell Mod Points at think geek. Really.

      --
      My other car is first.
    4. Re:My /. password is... by Omerna · · Score: 2

      The interesting thing is, I checked and he wasn't lying.

      --


      No sig for you.
    5. Re:My /. password is... by dossen · · Score: 1

      Just to nitpick:
      It's "President Skroob"

    6. Re:My /. password is... by zenintrude · · Score: 1

      I wonder what the percentage of 13 to 17-year-old computer geeks that use 1337 as their password...

      Category #6 should be "\/\/4|\||\|4 83 |-|4X0r"

      --
      - colin
    7. Re:My /. password is... by nixxy · · Score: 1

      The 13-17 year olds that would be using 'l33t speak' shit in their passes aren't geeks they are script kiddies

      I personally have about 6-10 passwords and use them for most things, good thing is i only have to try 6-10 passes on stuff if i forget a pass bad thing someone guesses one of the passes they might be able to access multiple things.. it's just finding what i use and the right password. None of my passwords are written down but I tend to store them in dir on my comp... in case i forget.. but this still doesn't have all my passes.

      --
      ------------
      "There is a thin line between genius and insanity and I can't walk straight"
  241. Re:Writing down passwords isn't always stupid. by oivvio · · Score: 1

    Not at all. In Secrets & Lies Bruce Schneier actually recommends putting your passwords on paper in some situations. Random passwords that are long enough to withstand brute force attacks by today's computers are also too long to fit into the human brain, unless you start fiddling with Hannibal-style memory palaces.

    Now Schneier doesn't recommend you to stick the note on your monitor. But in a lot of situations I'd say that even that is not such a big deal (No I don't do that myself. It's just too counterintuitive.) The security risk in my workplace is not my ten coworkers or the cleaning lady that comes in once a week. The script kiddies that want to fill my server with warez are the risk and the likelihood of d00z sneaking into my office or even looking through my waste paper is about as large as that of SÄPO (Swedish secret police) launching a TEMPEST attack against me.

  242. Password is password by wpc4 · · Score: 1

    I work in the IT department of a huge Hospital "chain", if you will. I estimate over 90% of the passwords are either "password" or the six-letter name of the company. The users that have actually changed their password have gone to other words, for example, jones or celtics. Nothing tricky at all. While we don't allow any "generic" accounts, if you know the first initial, middle initial, and their lastname there is a good chance you can login as them just by using password. How ironic, eh? Makes it easier for us IT folks, but does nothing for our security. Currently my service area is migrating to Lotus Notes for our messaging platform, moving from Microsoft Exchange. I have heard that the main reason for this was the increased security LN provides. The user ids come with wonderful upper and lower case 8-digit-long passwords. What do we do when we get the id and start setting up the user? Change the password from a cryptic one to, can you guess, "password". Thus defeating the whole benefit of going to Lotus Notes. Ah, well, whatever administration wants.

  243. Re:Writing down passwords isn't always stupid. by Feynman · · Score: 1
    I have every single password . . . written down [and] tucked in . . . my files.

    Similarly, after I'm forced to change my many passwords at work (*), I write the new one down on a slip of paper which I keep briefly in my wallet. My wallet is always in the pocket of the pants I'm wearing unless I'm performing a monetary transaction or sleeping at home (or otherwise not wearing pants). If that piece of paper gets stolen, I've got bigger problems!

    (*) Every 180 days, to something significantly enough different from your old one to cause trouble remembering

  244. Heh by neema · · Score: 3

    And then there's the category "Stupid" for the zillions who use "Trustno1", "Swordfish", and "Password".

    Yeah, those stupid people. Haha, they're so dumb.

    *Quickly loads preferences page to change password*

  245. suggest that. by loraksus · · Score: 2

    unless you work in helpdesk...

    The slashdot 2 minute between postings limit:
    Pissing off coffee drinking /.'ers since Spring 2001.

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  246. Re:I'm with Stupid -- by Ian+Wolf · · Score: 1

    Please tell me you do that with a script.

    --
    "The words of the prophets are written on the Slashdot walls."
  247. Re:I'm with Stupid -- by Ian+Wolf · · Score: 2

    I expected this request a _long_ time ago, AC's must be getting a little sluggish.

    It was 127.0.0.1, hack to your heart's content.

    --
    "The words of the prophets are written on the Slashdot walls."
  248. Re:I'm with Stupid -- by Ian+Wolf · · Score: 2

    I'll give you that, but in a business? In a business whose business is e-com? Or a business that's hosting other companies' sites and databases?

    I don't think so.

    Sure my passwords for my home box aren't the greatest, but my firewall/router's sure is.

    --
    "The words of the prophets are written on the Slashdot walls."
  249. I'm with Stupid -- by Ian+Wolf · · Score: 5

    Or I was I should say. One of my previous employers had fourteen NT/Win2K and 4 Solaris boxes all with the combos of administrator/password and root/password. Nice eh? Their web server, ftp servers, domain controllers, everything. I tried twice to get them changed. I even started to put better passwords on new machines, but the CTO kept changing them.

    "I don't want to have to remember 18 different passwords." You don't, Genius, give the same password if you must, but make them tough.

    To this day, if I want to call an old co-worker, but can't remember their number, I look it up on their intranet.

    --
    "The words of the prophets are written on the Slashdot walls."
  250. Re:Dear God ... by commodoresloat · · Score: 1

    I bet a good number of U.S. Congressmen do.

  251. Acronyminus Cowardus by Bluesee · · Score: 1

    When my sysadmin would change passwords every thirty days, I used to do acronyms of songs - er, dinosaur songs at that.

    Here, guess this Led Zep tune and win a prize.

    wfsteen
    kmlad
    idttr
    irbtbtbof
    idwicb
    cilybhily
    lglg
    bbsiblyy
    iatliatl
    lmwmoy

    etttm
    tydmng
    ...

    etc...

    (Since I've Been Loving You)

    It helps on a Monday morning to log in with a little soul on your fingertips.

    Oh, and if it's too short? Just add bbboy ("baby baby baby oooh yeah") or some other Plantism.

    This way, I could remember the pw 'cuz I only had to remember the song. When people asked me which song it was, I'd reply by singing "...a three hour tour..." It was the Song that became Ultra Super Double Top Secret!

    --
    SDMI: Finally! Music that won't rip or burn! Brought to you by the fine folks at RIAA.
  252. Re:The passward is electrifing by wishus · · Score: 2
    or

    C) Store them in a 128-bit DES encrypted database on their Palm pilot.
    ---

  253. What about non-passwords? by Jetson · · Score: 1

    My employer recently abandoned using passwords for the laptops. Instead each user is issued an IR device the size of a remote car alarm dongle and a PIN. To log in to the laptop they have to type in their personal PIN and complete the sequence by beaming a hard-coded signal from the IR device to the laptop. Not difficult to break using a Palm hand-held if you have access to the original IR device, but at least the average joe who breaks into cars won't get anything useful off the machine.

  254. Dumbest password I have seen by SnapperHead · · Score: 1

    My father used this password for years; it only took 5 years or so for him to change it.

    qwerty

    When will people learn ?


    --
    until (succeed) try { again(); }
  255. My "Catagories" by AgentOBorg · · Score: 1

    I have several password types of my own:

    • Dumb (Public): Very simple, even idiotic password for things I plan to share and are not sensitive ("mage," "thanku"). I don't care who knows these - think "hint, not security."
    • Sloppy and reused: but slightly cryptic: easily derived from words and for insignificant things. (I don't care if someone cracks access to my Consumer Reports Online.)
    • Decent: Good enough for typical use. (My POP3 accounts.)
    • Unique and Bizarre: Based on obscure things, multiply encoded in bizarre (non-mechanical) ways, full of numbers and symbols, never reused, and hard to invent. (For important stuff, like root, financial services, webservice, etc.)

    I, at least, find this a practical system, there being a time and a place for all levels of goodness.

  256. here's mine by Syn404 · · Score: 1
    k, my password is z1m2x3n4c5b. In case it matters, I'm posting from a friend's account. so when will the results be ready?

    --

  257. Re:The clueless disease by Alien54 · · Score: 2
    LOL!! That was one of my submissions to that page! I've got a couple more there, and some on techtales.com too. God, it happened about 3 or 4 years ago now. I wonder whatever happened to that dimwit...

    With any luck he's a Microsoft programmer right about now.

    Which would explain a lot of stuff.

    Check out the Vinny the Vampire comic strip

    --
    "It is a greater offense to steal men's labor, than their clothes"
  258. The clueless disease by Alien54 · · Score: 5
    Of course, there is the possibility that the user may be deficient in other areas as well

    As seen on Computer Stupidities:

    Student: "Hey, how do I lodge in to Hotmail?"
    Me: "You've got to type in your username and password in those fields that say 'username' and 'password'."
    Student: "I don't have one of those."
    Me: "You need one to log in to Hotmail."
    Student: "It's 'LODGE' in."
    Me: "The term is 'log in,' and you can't log in without a username and password. I can help you create one if you'd like."
    Student: "Um, excuse me, but I THINK I know what I'm talking about. It's LODGE in, and I don't want a username and password, I just want to get some email!"

    I just went back to working after that, and he left complaining about how "crappy" the computers in the lab were, after trying to "lodge in" for ten more minutes.

    Of course, there are hundreds of stories out there just like that one.

    Check out the Vinny the Vampire comic strip

    --
    "It is a greater offense to steal men's labor, than their clothes"
    1. Re:The clueless disease by Tviokh · · Score: 2

      LOL!! That was one of my submissions to that page! I've got a couple more there, and some on techtales.com too.

      God, it happened about 3 or 4 years ago now. I wonder whatever happened to that dimwit...

      There are a few more like that on my own page of work related stories:
      http://ubergoth.net/rtfm

      --
      http://pebkac.net
  259. Re:Add to that group by Erasmus+Darwin · · Score: 2
    "Password" does not necessarily need to be a "stupid" password.

    If you need significant security, it's a stupid password because it's guessable. If you don't need significant security, it's a stupid password because it's (relatively) long. You might as well go with "1234". It's equally guessable, but more than twice as easy to type (if you factor in both length and the ease of typing something sequential).

  260. GNU Keyring by TrumpetPower! · · Score: 2

    Obviously, most people won't put up with the hassle, but I've taken to using the GNU Keyring for PalmOS. It stores everything with 3DES and will generate random passwords for you. All I really have to remember is the one password to unlock it. You might think that (in my case) a twelve-character strong random mixed-case alphanumeric password would be hard to remember, but I enter it so many times a day it's easier if I don't think about it.

    Before that, I would use something like this:

    #!/usr/bin/perl -w

    use strict;
    use Digest::SHA1 qw(sha1_base64);

    # Password length comes from the first argument; anything missing or
    # non-numeric falls back to 12 characters.
    $_ = my $length = shift @ARGV;
    unless (defined $length) {
        $_ = $length = 12;
    }
    unless (/^\d+$/) {
        $length = 12;
    }

    # Read 1 KiB from the kernel random device, hash it with SHA-1 and keep the
    # first $length base64 characters. /dev/srandom is the OpenBSD device name;
    # on Linux use /dev/urandom.
    print substr((sha1_base64(`dd if=/dev/srandom bs=1024 count=1 2>/dev/null`)), 0, $length);

    print "\n";

    ...and keep the result in my wallet. I figured that, if my wallet got lost or stolen, I was screwed anyway, and losing the passwords would be the least of my worries.

    b&

    --
    All but God can prove this sentence true.
  261. Re:Add to that group by daBum · · Score: 1
    "And then there's the category "Stupid" for the zillions who use "Trustno1", "Swordfish", and "Password""

    "Password" does not necessarily need to be a "stupid" password. I've used it on systems that have little access to anything else, or have meaningless data. Things that require passwords, yet don't have anything meaningful related to me. (i.e., "free" online services...) Alternately, I've used it in places that "casual" users wouldn't need access to, yet did not need full security (or main security was handled somewhere else). ex: password on a print server in a remote office.... for an account that only exists on that box, and has some local admin privileges, related to printing.

    Now, using it for passwords on things I actually care about... that's completely different.
    --
    I am dyslexia of borg - your ass will be laminated.
  262. Too many damn passwords! by ZanshinWedge · · Score: 2

    Every damn website wants a different password. For maximum security every password should be completely random and different.

    Back in the real world....
    I say, you have to know the level of importance of what the password is for. There's obviously a difference in importance to the root password for the database server you admin. at work and the password for your slashdot account. There's nothing wrong with using more easily remembered passwords for the low level stuff (various web sites and such) and only the highest level for the important stuff.

    One thing that I do for the "huge sea of moderately unimportant passwords that I don't need to use often" is put them in a text file and encrypt it using pgp. On the rare occasions when I need the password I can unencrypt it and copy/paste.

    1. Re:Too many damn passwords! by zhrike · · Score: 1

      I don't stop with the websites. I create cryptic passwords for everything. The more you do it, the easier it becomes as a matter of course. But in order to remember my passwords, I may have to write something down. So I memorize random strings of alpha-numeric characters and symbols. Anywhere from five to eleven characters, and I string them together to make various passwords. So when I do write something down, it's something like this:
      !d_______3_________fF_________

      Where the first character or two points to a string which I already have memorized. Usually it doesn't take long for any written notes to be useless, and they never leave my person anyway.

      I will choose perhaps the same four or five strings to use for all of the web-based stuff, and just jumble them up.
      So that is one method I use to make easy to remember passwords for various sites.

  263. Hello, please answer this survey... by sulli · · Score: 2
    Please send all of your passwords to ZDNet Password Center for analysis. Don't worry, your privacy will be protected.

    Results:

    40% had passwords falling into categories "Cryptic, Family, Friends, Sex, Geeky, Miscellaneous."
    60% told us to fuck off. (correct answer)

    --

    sulli
    RTFJ.
  264. Passwords? Who needs to write down passwords? by RyuuzakiTetsuya · · Score: 1

    I have a cue cat. I used it for the admin password on my Win2k box and such. Incredibly secure. So secure, *I* don't even know my own Admin password. God that'll suck when my cue cat decides to break. Or I lose the barcode.

    --
    Non impediti ratione cogitationus.
  265. Re:Oops... by nekid_singularity · · Score: 1

    Don't feel so bad, I thought the same thing! I also thought that FUD stood for fucked-up disinformation.

    --
    Numbers 31:17,18 Now kill all the boys. And kill every woman who has slept with a man,but save for yourselves every virg
  266. Re:Oops... by jawtheshark · · Score: 1

    Actually at work I always use a large injury (with a number so I don't have to change it completely): fuckWorkAgain12 or so....
    Really is a good start in the morning, believe me ;-)

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  267. Muscle memory by groomed · · Score: 1

    I often choose a password based on how easy it is to type. Then I make sure that I type it a lot for a few days. After that, it's all muscle memory.

  268. billy logon. by Rev.+DeFiLEZ · · Score: 1
    $ ssh billgates@microsoft.com
    password: ilovetux

    Linux eviltactics 2.2.17 #1 Sun Jun 25 09:24:41 EST 2000 i586 unknown
    Welcome.
    billgates@eviltactics:~ $

  269. useful method by wheel · · Score: 1
    I read all of these posts at -1 and didn't see this system (though I've heard it from several live humans), so here it is:

    Pick a pass phrase, and use the 1st letter of each word as your password. If you're paranoid, do some 4@x0r char-number substitution on the result.

    Ok, so someone here thought of that, but then did something supremely goofy and added a couple of insane rules to it. Really!

  270. Password Requirements by Shickdawg · · Score: 1

    Maybe it's just the places I've worked, but they had requirements for passwords... For example, one company required that your password begin with a letter, end with a letter and have at least 1 number in it, and be no less than 6 characters. Passwords were changed every 3 months, and any given password could have no more than 2 character sub-strings in common with the last two passwords. Another company requires your PIN for certain online tools cannot start with 0 (zero), as all employee numbers start with said character. They both had tools in place to ensure these parameters were met.

    It seems to me everybody should have such restrictions on passwords, to keep the family dog's name out of passwords.

    Kit
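
The checker below is an added example (not the tool either employer used) that encodes the rules the post lists. The "no more than 2 character sub-strings in common" rule is read here as "no run longer than 2 characters shared with either of the last two passwords"; that reading, and the `longest_common_substring` helper, are assumptions.

```python
"""Password-policy checker for the rules described above (added example)."""
from typing import List

MIN_LENGTH = 6
# Assumed reading of "no more than 2 character sub-strings in common":
# a shared run of 3 or more characters with a recent password is rejected.
MAX_COMMON_RUN = 2


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest run of characters shared by a and b (case-insensitive)."""
    a, b = a.lower(), b.lower()
    best = 0
    # Dynamic programming over suffix lengths; inputs are short, so O(len(a)*len(b)) is fine.
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def check_password(candidate: str, history: List[str]) -> List[str]:
    """Return the list of violated rules; an empty list means the password is accepted.

    `history` is the user's previous passwords, oldest first; only the last
    two are compared, as the post describes.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not candidate[:1].isalpha():
        problems.append("must begin with a letter")
    if not candidate[-1:].isalpha():
        problems.append("must end with a letter")
    if not any(ch.isdigit() for ch in candidate):
        problems.append("must contain at least one digit")
    for old in history[-2:]:
        if longest_common_substring(candidate, old) > MAX_COMMON_RUN:
            problems.append(
                f"shares a run longer than {MAX_COMMON_RUN} characters with a recent password"
            )
            break
    return problems


def check_pin(pin: str) -> List[str]:
    """The second employer's rule: a PIN must not start with 0, since employee numbers do."""
    problems = []
    if not pin.isdigit():
        problems.append("PIN must be numeric")
    elif pin.startswith("0"):
        problems.append("PIN must not start with 0 (employee numbers start with 0)")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(check_password("winter3x", ["winter2x", "autumn5q"]))  # rejected: shares "winter"
    print(check_password("a1bcde", []))                           # accepted: []
    print(check_pin("0123"))                                      # rejected
```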

  271. Nice to know... by TrebleJunkie · · Score: 1
    It's nice to know that I don't fit in *any* of those groups.

    I pray to God that nobody spent millions on that study.

    I'd also like to have a copy of that "hey, buddy! I'm doing a research project, could you tell me what your passwords are?" list.


    --

    Ed R.Zahurak

    You know, oblivion keeps looking better every day.

  272. Re:fingerprints by agentZ · · Score: 2
    Fingerprints are not unique.

    Well, the jury is still out on whether fingerprints are unique. But, just like MD5 sums, although there may be collisions, the difficulty of constructing a collision is prohibitive to cracking the system. That is:

    Given f(m1), it is very difficult to find an m2 such that f(m1)=f(m2) in a reasonable amount of time, where f(x) can be taking the fingerprint or the hash of x. (Ironically, maybe that's why hashing is sometimes called "fingerprinting"...)

  273. How to choose a password by agentZ · · Score: 5
    If you really want to read all of the rules on how to choose a good password, check out this guide from MIT's SIPB.

    Do the karma whore dance!

  274. Abbott & Costello by tswinzig · · Score: 2

    Abbott: I'm having a problem logging onto your network.

    Costello: Well then what's your password?

    Abbott: Yes!

    Costello: I mean the text of the password!

    Abbott: What!

    Costello: Your password!

    Abbott: What!

    Costello: The thing you type to gain access to our network!

    Abbott: What!

    Costello: The text of your password!

    Abbott: What is my password!

    Costello: Now whaddya askin' me for?

    Abbott: I'm telling you What is my password.

    Costello: Well, I'm asking YOU what's your password!

    Abbott: That's text of the password.

    Costello: That's what's text?

    Abbott: Yes.

    Costello: Well go ahead and tell me.

    Abbott: What.

    Costello: Your password.

    Abbott: What!

    Costello: The text of your password.

    Abbott: What is my password!

    ...

    --

    "And like that ... he's gone."
  275. I always write passwords in my palm by DVega · · Score: 2

    I use a little PalmOS utility to store passwords. Its name is Strip. It stores all your passwords encrypted with the DES or IDEA encryption algorithms. It's GPLed and very useful.

    But don't use the password generator tool. It has a big security flaw.


    --
    MOD THE CHILD UP!
  276. 5 most common passwords!!! by B00yah · · Score: 2

    D00d, I tr13d the 5, god, sex, secret, password and love, and I hacked a gibson!!

    1. Re:5 most common passwords!!! by Technician · · Score: 2

      For the older crowd, don't forget the default Novell Netware password was also common as was the 2 secret words in the original Adventure Game. My first password was a cryptic password. It was a number of one of my favorite IC's (not a uP or TTL believe it or not) and a word found printed on one of my first computer keyboards. Happy cracking ;-). One of my favorite early programs used keystroke capture for password entry. Enter, backspace, arrow keys, shift keys could all be part of a valid password. Password length could be defined. After stating length, just hit that many keys and it would be recorded as the password.

      --
      The truth shall set you free!
    2. Re:5 most common passwords!!! by 4mn0t1337 · · Score: 1
      Hmmm...

      Does this mean that 3l337 h4x0r speak is inherently "Cryptic" and thus a safe password?

      Or have all of those script kiddies ruined safe passwords for the rest of us by forcing the inclusion of l33t w0rdz in all of the pswd dictionaries??


      --

      ______
      Once: you're a philosopher. Twice: a pervert.

    3. Re:5 most common passwords!!! by dogbertcarroll · · Score: 1

      Swordfish was my password until the movie came out. I figured no one would think of using Groucho Marx's secret word. Of course when the movie came out I had to change it.

  277. Are most /. passwords cryptic? by brlewis · · Score: 5

    I'm sure we're all good cryptics here

    Do we really know that /. passwords are more secure than average? Everybody e-mail me your /. password. I'll summarize the results.

    Bruce Perens: Don't bother; I have yours already.

  278. Re:The passward is electrifing by Crizp · · Score: 1

    Yeah I feel the same sometimes.

    How I come up with my passwords: Just keep a hand on the keyboard, close my eyes and hit 8 random keys and throw a SHIFT in there a couple of times. The result is something like "gT4sF5G5".

    Then I write it down, and after a couple of times use I remember it and burn the note.

  279. Re:Dvorak Rules! by Grishnakh · · Score: 1

    I use Dvorak too, at home, and of course am stuck with Qwerty at work. What's weird is I can switch between them easily (like if I have my laptop next to my Dvorak desktop), but for some reason I can't type Dvorak on Qwerty, or Qwerty on Dvorak. I'm a touch typist and don't even look at the keys when I type normally. I guess it's some psychological block.

  280. What I don't understand... by hearingaid · · Score: 1
    ... is why people give a shit about cleartext passwords. I mean, anybody with router access can sniff out your password anyway. It doesn't matter if it's 08.xy.9~1ao or dude. It's still not going to be secure.

    I only use decent passwords for SSL.

    On an unrelated note, back in the '80s when I first started calling BBSes, I used to use colours as passwords. Like, green, orange, yellow. Nobody ever figured them out. Were they cryptics? :) (I picked the colour of something I happened to be looking at at the time I picked the password.)

    --

    my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

  281. here is my password ... but how to use it by clarkie.mg · · Score: 1

    here is the password of my unix account: #fsb,avd Now you just have to guess where to use it ...

    --
    Men are born ignorant, not stupid; they are made stupid by education. Bertrand Russell
  282. No password by Bender+Unit+22 · · Score: 2

    Sometimes no password is better than an easy password.
    Many times I have seen people try to guess a password when there was none. :) of course this was on test setups where it really didn't matter. :-)
    --------

  283. Why the method by ackthpt · · Score: 1
    I pick out passwords which I can remember. I've seen some tricky ones, usually on little Post-It notes on screens, in pencil drawers, under keyboards, etc. The best was on a terminal for logging into a financial system, it was written on a card which was taped to the front.

    For best security: Choose a password you'll likely forget and absolutely have no chance of ever remembering or rediscovering.

    --
    All your .sig are belong to us!

    --

    A feeling of having made the same mistake before: Deja Foobar
  284. How did you know... by excesspwr · · Score: 2
    my password was swordfish?!

    Great...it'll be another couple of weeks 'til I can come up with something even more creative.

  285. Password Generator... by HaeMaker · · Score: 1

    I use it always:

    dd if=/dev/urandom bs=1 count=8 2> /dev/null | uuencode -m /dev/stdout | grep -v begin-base64 | dd bs=1 count=8 2> /dev/null

    I am sure there are a million ways to do this better, but this is the way to do it that occurred to me at the time I wrote the script.

    As you can see, my English is as verbose and cryptic as my shell scripting.

  286. 1st by CitznFish · · Score: 1

    First Post happens to be my Password of choice as well..

    --
    'mmmmmmmmm.... forbidden donut'
  287. Survey Methods by Kallahar · · Score: 1

    The article seems to imply that they had every password in the study, and that they also knew the names of the users. Therefore, isn't the biggest security threat that the users gave up their passwords? No matter how "secure" the password is, if you just tell someone because they say they are doing a study then that password is as insecure as "god".

    Social Engineering is a much bigger threat than hard-to-guess passwords...

    -Kallahar

  288. Fitting security to the need by feelafel · · Score: 1

    Although it's admittedly stupid, I find that using simple-to-remember passwords is far more effective than coming up with a "cryptic" one for each and every site on the 'Net that requires user registration. A quick mental count tells me that I have registered with over 30 web based services that require a password and login. I don't want to use the same password (see below) and remembering not only 30 passwords but which one I used on which site is absurd.

    I've come up with several cryptics which I use for sites that require high security - for a lot of these free web "services" that only require login to verify identity and get at bookmarks, I tend to use simple passwords that I can remember in order to not have to continually recall which password I used where.

    Also, I'm always worried about what happens if someone hacks these most likely not-so-secure sites and downloads a pwd file. At that point they'd have my most common username and password, and I'd be ripe for the picking.

    feelafel

  289. Easy memorizing, hard password by Kphrak · · Score: 2

    Because I often get on my local library's system to check my account or place holds on books, I use my library card number for my password. 9 digits long.

    But wait, you say, isn't that insecure? I could lose your card, or an evil librarian could get into all my accounts. AND it's a number so it could possibly be brute-forced.

    Not exactly. First of all, I substitute letters for some of the numbers. Another fun thing to do is to hold down shift while typing some of the numbers (maybe the first three). I'm pretty secure by that point.

    Also, I don't use my current card. I use the one I got at age 8 or something and lost about ten years ago...but not before the number was burned onto my consciousness. ;)

    People are always horrified when they say, "type in your password" and I sit down and type a nine-character password. Or when, due to some system stupidity, it echoes my password to me and someone's looking over my shoulder, they see a big fatty wad of gibberish that's almost impossible to read at a glance, and even harder to remember (you could remember "five-six-seven-nine", maybe, but how about "percent-china_hat-ampersand-left-paren"?). :)

    The only thing that sucks is having to quote a password to someone. And sometimes poorly written (i.e. non-Unix) programs won't take non-alphanumeric characters. But other than that, it takes the best of both worlds; an easy-to-remember number and an extremely difficult password. Understandably, this approach might not please the ultra-paranoid, or people who change their passwords often (I alternate between different card numbers), but it's pretty decent when you want a secure password to memorize.



    -Andy Schmitt
    --

    There's no sig like this sig anywhere near this sig, so this must be the sig.
  290. Here I thought we were not doing a library check.. by (H)elix1 · · Score: 2

    for passwords, but then I found out I just can't spell...

  291. Re:The passward is electrifing by Xibby · · Score: 2

    Why does everyone think it's hard to remember more than one random alpha numeric sequence?

    Off the top of my head: 7 cryptic passwords
    4 internet IP addresses
    10 phone numbers

    --
    I'm going to go back in my box and will think within the limits of my box: MS Sucks Linux Good I read too much Slashdot.
  292. Well, here's my scheme, FWIW... by GTRacer · · Score: 1
    Actually, it's two schemes, one for network access and the other for internet.

    For the legion of sites where logins are necessary or desirable (/., NYT, etc.) I have two "core" passwords. When I register on the site, I pick a core and then a suffix that's somewhat related to the site, hopefully separated by at least one abstraction layer (New York Times -> NYT -> nit)

    That way, in theory, if someone hacks/engineers/takes at gunpoint one PW from one site, it's no good elsewhere as the core may or may not match and they still don't know the suffix.

    For net access I have a set of foreign words, some misspelled and laced with a numeric index and punctuation and mixed casing. Every 42 days (!) I advance the index, go to the next word and voila'!

    Has anyone noticed websites that only take 8 character PWs even if the input accepts more? My-Deja mail will let you type like 20 chars but it only validates the first 8!

    OK, now everyone tell me how lame and insecure my scheme is, IF YOU CAN !

    GTRacer
    - Social Engineering for Fun and Profit

    --
    Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
  293. Re:Random is the only way! -WHY?!?! by snakecoder · · Score: 1

    I've never understood this and maybe somebody can engage. Isn't it really just a matter of how you implement?

    I am assuming that most randomizers use chaotic formulas which means we don't need to worry about predictable patterns (In the topological sense there are patterns, but you can't determine what the next number will be without running through the equations yourself)

    Of course if you continually seed the pattern with the same number, your starting value will always be the same.

    My perspective:
    I use python whrandom as an example:

    import whrandom                 # Python 2.x module (removed in 2.6); random.Random is the modern equivalent
    x = whrandom.whrandom(1,1,1)    # fixed seed
    int(x.random()*100)
    >1
    int(x.random()*100)
    >89

    now set y = whrandom.whrandom(1,1,1) and you get the same values for the same steps.

    If I can predict how you seed, I've got your sequence. I can also chart out the number the 16 million start combinations and the first couple of thousand iterations to perform statistical analysis on what is more likely to pop up.

    But what about this:

    import whrandom
    RandomVal = ''
    x = whrandom.whrandom()              # time-seeded generator that supplies the digits
    while len(RandomVal) < 10:
        y = whrandom.whrandom()          # a fresh time-seeded generator decides whether to take a digit
        selectChoice = int(y.random()*100)
        # 44 arbitrarily chosen
        if selectChoice == 44:
            # you could replace int(..) with a function that gives you alpha numerics
            RandomVal = RandomVal + str(int(x.random()*10))

    You now run along one sequence line, but the start and stop points are based on multiple datetime seedings. Obviously this could be made more complex making statistical prediction as well as seed guessing a moot point.

    Basically randomize your randomize selector which selects the next randomize selector, etc... This methodology, while slow, eventually gets affected by processor temperature, other processes, etc...

    Go easy on me, I'm just an amateur.

    Note whrandom.whrandom() without seed numbers uses a time based seed.

    --
    -Nuke the moon
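Added example (not from snakecoder's post): the seed-guessing attack the post describes, in current Python. whrandom is no longer in the standard library, so random.Random stands in for it; the alphabet, the password length and the timestamp are constructed for the demo. An attacker who knows roughly when a clock-seeded generator ran replays every seed in that window and reads the password straight off; secrets draws from the OS CSPRNG, so there is no seed to enumerate.

```python
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # constructed: 62-symbol alphabet
LENGTH = 10


def weak_password(seed: int, length: int = LENGTH) -> str:
    """Password from a deterministic PRNG (random.Random stands in for whrandom).
    Same seed, same sequence, same password: exactly the whrandom(1,1,1) demo."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def recover_seed(target: str, seed_lo: int, seed_hi: int, length: int = LENGTH):
    """Attacker's side: replay every seed in [seed_lo, seed_hi) and stop when the
    generator reproduces the observed password. Returns the seed or None."""
    for seed in range(seed_lo, seed_hi):
        if weak_password(seed, length) == target:
            return seed
    return None


def strong_password(length: int = LENGTH) -> str:
    """secrets reads the OS CSPRNG; there is no seed for an attacker to enumerate."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def demo():
    # Constructed scenario: the password was generated at this epoch second (the
    # usual time-based seed) and the attacker knows only that it happened within
    # an hour either side, i.e. a search space of 7200 seeds.
    generated_at = 1_000_000_000
    pw = weak_password(generated_at)
    found = recover_seed(pw, generated_at - 3600, generated_at + 3600)
    return pw, found


if __name__ == "__main__":
    pw, found = demo()
    print(f"clock-seeded password {pw!r}: seed recovered = {found}")
    print(f"CSPRNG password {strong_password()!r}: nothing to recover")
```

Reseeding per step, as in the post's second listing, does not escape this: every seed still comes from the same clock, so the attacker's time window, not the generator's period, bounds the search. Anything that will be used as a secret should come from secrets (or os.urandom), never from a seeded PRNG.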
  294. Good Password Technique by corvi42 · · Score: 3
    A few little tricks I've picked up for finding good passwords:

    If you've ever played the "guess that vanity licence plate" game, this is an automatic way to come up with good passwords. You take a phrase or expression you know you can remember and obfuscate it as you might if you wanted that same phrase on a vanity licence plate but need to squash out characters so it will fit. For example, you might take the phrase "rose garden" - you could write it out as "rOzgRdN" ( where password is case sensitive of course ) so that when you read it you pronounce the upper case letters as the name of the letter and the lower case as the sound the letter makes. Of course 1337-ifying your passwords has a similar effect.

    Of course the nice thing about this is you can keep all your goofy old passwords - family names, celebrities and ego-boosting cliches, just make them difficult for a password cracker to grab out of lists of plain-text.

    Another trick that I've always liked is to use chess notation. Think of any move in a game of chess, one that you can remember easily and write it out using one of the conventional chess notations. For example the move "white queen captures king's rook 3" would be "wQxKr3".

    --

    There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie -Noel Godin
  295. Magic of MD5Sum by hjhornbeck · · Score: 1
    I'm surprised no one here has caught on to a huge advantage of one-way hash password systems, like MD5sum: they allow far more than 8 characters to be used. For instance, I used to be a big fan of Ren and Stimpy, so an ideal password for me would be "You're coveting my ice-cream bar!". It's too long for a password dictionary, too obscure since few people know I was a fan, has too many ways to misspell or alter it, yet I'll never forget it. Of course, it's a pain to type in at 3am. It's a poor choice if the system locks down your account after a few missed attempts, or limits you to 8 characters. But when it's feasible this type of password gives the security of a randomly-generated one and is as easy to remember as a self-chosen single word.

    HJ Hornbeck

  296. Cryptic != bad by einhverfr · · Score: 1

    Nonsensical == bad, but cryptic == good. Cryptic passwords which make sense are good because they are easy to remember but hard to break.

    --

    LedgerSMB: Open source Accounting/ERP
  297. Here is a secure scheme by einhverfr · · Score: 2
    I break my passwords down into three categories based upon the need for security and the security offered by the medium (I do NOT use the same password for my root acct on my Linux box that I use for an insecure login for a web site.)

    For the insecure category, I use a common dictionary word. For the midrange category, I use a derivative of a non-standard transliteration of a Middle Irish word.

    For the most secure, I will use a phrase from some other dead language, spaces omitted, important words capitalized, punctuation included along sometimes with numbers. (Example I don't use: Cogito,ErgoSum).

    But what if you share root administration with one assistant? How about the following scheme: Each person comes up with a four character alphanumeric password and then the two passwords are put together. For instance if I come up with Lvx8 and the assistant comes up with Ek93, we get Lvx8Ek93--easy to remember because it is Lvx8 + Ek93, but hard to break. Since the 4 digit ones are often abbreviated, this furthermore makes them easy to remember but hard to break.

    Thought I would share some tactics I have found useful.

    Also when I have too many passwords to keep in my head, I will leave myself a sheet of mnemonic devices for each password which is specifically designed so that others will be misled... (Another unused example: Password is Thelema-- Mnemonic phrase is Will/Love. I will let the Thelemites figure this one out...).

    Golly, gee-- I must really be in the cryptic category....

    --

    LedgerSMB: Open source Accounting/ERP
  298. Re:A few years ago... by corky6921 · · Score: 1
    Yep, I work there, and they still are. :) The best thing is that IT won't tell them to you, and then you ask, "Is it 'welcome'?"

    "Oh... uh... yeah..."

  299. Zer0cool would like to remind you that.... by Str8Dog · · Score: 2

    ... a majority of Mac users use love,sex and god for passwords. HACK THE PLANET!

    --


    Str8Dog
    using System.Darkside; public
  300. Writing down passwords isn't always stupid. by whjwhj · · Score: 5

    Everybody keeps suggesting that writing down passwords is 'stupid' and something an 'idiot' would do. This is not always the case.

    Here, in my home office, I have every single password I need (about 20 of them) written down in pencil on a single sheet of notebook paper. It's tucked in a relatively obscure location in my files.

    Is this a security threat? Not really. Somebody would have to bust into my house and rifle through my paper files in order to find them. Unlikely, at best.

    What would be considerably more insecure than writing them down is to keep them in a text file on my machine. Somebody hacks my machine across the internet and I'm toast.

    So next time you folks start throwing out terms like 'stupid' and 'idiot', think it through a little bit, OK? Saves you from the embarrassment of being the stupid one.

    1. Re:Writing down passwords isn't always stupid. by suwain_2 · · Score: 1
      Yes, I agree. There's a big difference between writing the root password down in black permanent marker on your monitor, and keeping a list of accounts/passwords located somewhere in the middle of your wallet.

      If someone is so desperate to steal my wallet, I'm okay with them reading my Netscape cache file and looking at some of my digital pictures...
      ________________________________________________

      --
      ________________________________________________
      suwain_2 :: quality slashdot p
  301. Re:The passward is electrifing by jumpingfred · · Score: 1

    I have about 20 passwords to remember for things like work, ATM, voice mail, bank accounts. A lot of these also have some account name associated with them. I don't know about you but I have to write these down or I will forget.

  302. Re:ergo tip by lastfish · · Score: 2
    Use a transparent post-it (or pref. an open-shtick alternative) so you don't have to move it every time you need full-screen. An added plus is reduced risk from trash divers as each note will last longer.

    For extra security use black ink and turn the lights down a bit.

  303. keyboard sequences by VE3THX · · Score: 1

    I use keyboard sequences for less-secure (i.e. non-root) situations. Pick a memorable repeating pattern of keys such as 4z5x6c7v; all I have to remember are the first two characters and the last.

    --
    Cheers, PJ Dougherty
    1. Re:keyboard sequences by beanerspace · · Score: 1

      Thanks ... that one should be easy to spot from across the room.

  304. My pass creation method by ratguy · · Score: 1
    I think I'm somewhere in between Fan and Cryptic. I like taking a song title (one that I'm listening to a lot) and then make an acronym out of it. Then I tag a number onto the end, front, or middle of it.

    Ratguy

  305. Competition time. by rixster · · Score: 1

    Name as many films with the "super-access everything" password as you can...
    (I can only think of 2 right now - Tron and War Games)

    --
    Two wrongs may not make a right, but three ....
    1. Re:Competition time. by Regolith · · Score: 1

      Let's see if I remember correctly...

      The Net
      Any film with a talking computer/"expert system" with a voice synthesizer.

      -----

      --

      Bow before my sig, for it is good.
  306. My (easier) way by truthsearch · · Score: 1

    My way is less secure, but far easier to remember. I randomly pick a decent length word from the dictionary. Some word that relates to nothing you would normally think of. Then I use synonyms or similar sounding words for other passwords. It's very easy to remember...

    ...and now that I think about it, it's educational as well! Damn, I should be really smart and use lots of complicated words in my posts, but I forget my old passwords, which probably makes for even better security.

    ---

  307. Passwords are insecure by definition by gelcaps · · Score: 1

    The problem with passwords is that they are not authentication of identity.

    The best secured system usually relies on passwords, somewhere, and of course, a chain is only as strong as its weakest link.

    --
    --- it's pelvis to be cube
  308. Oops... by jmcneill · · Score: 5

    I think someone discovered the password to my other account, 'Anonymous Coward'. People keep using it to post annoying messages under every article.

    1. Re:Oops... by suwain_2 · · Score: 1

      Can you actually use an asterisk as a password? In regular expressions, it does mean "everything"; do you know if UNIX will get confused by this? I'd *love* to set my password to a bunch of asterisks. 'Course, that's probably not very secure...
      ________________________________________________

      --
      ________________________________________________
      suwain_2 :: quality slashdot p
    2. Re:Oops... by underpaidISPtech · · Score: 1
      Ya know, I'm totally embarrassed to say this, but when I first discovered /., I thought Anonymous Coward was a real account. I didn't clue in until I noticed that AC was responding to its own posts :P

      <Dons flame-retardant suit in preparation for the inevitable onslaught.>

    3. Re:Oops... by Unknown+Bovine+Group · · Score: 4
      Yeah I called Microsoft tech support because my password was showing up when I typed it into the login box!

      They couldn't figure it out for quite a while until they asked what my password was....

      Of course, it was ******(star-star-star-star-star-star).

      --
      m00.
    4. Re:Oops... by Unknown+Bovine+Group · · Score: 4
      Of course there's another password category "people who make up passwords in hopes that someone WILL find them out".

      Like my pw I hope one day to have the FBI demand from me:

      password: guessityourselfyoudumbcunt.

      --
      m00.
  309. Love stories by imevil · · Score: 1

    I once found out two male users who had as password $GIRLNAME . $NUMBER, where $GIRLNAME had the same value for both of them. I don't remember the number. I know them, so I am sure they are two different people. Well, that's not password psychology, that's pure gossip...

  310. Re:Win Users Might Want to Try Password Safe by suwain_2 · · Score: 1
    Now, not that I'm accusing them or anything, but...

    How easy would it be for them to keep a database - someone from IP 1.2.3.4 tried "p4ssw0rd" and we said it was secure; and then log into that IP, and try common account names using that password?

    Again, not that I'm accusing them or anything...
    ________________________________________________

    --
    ________________________________________________
    suwain_2 :: quality slashdot p
  311. Social Engineering at it's best? by suwain_2 · · Score: 3
    The ultimate way to get everyone's passwords: Post an article to Slashdot, getting hundreds of people to post comments describing exactly how they got their password.

    Talk about "social engineering"... ;)
    ________________________________________________

    --
    ________________________________________________
    suwain_2 :: quality slashdot p
  312. Common passwords where I once worked... by perlchimp · · Score: 1

    I read a lot of posts, but not all 400, so sorry if this has been said.

    The last company I worked for was a free hosting company. Passwords were stored as plain text in a database (I did not set this up). Once I selected out the 10 most common just for fun. 1 out of 40 people used 'password'. This was out of 50,000 users. I cannot remember the rest but the top 10 accounted for about 35-45% of all the passwords.

    1. Re:Common passwords where I once worked... by CKW · · Score: 1

      :)

      The last time I wanted to download Netscape 4.x gold, Netscape was forcing people to have some kind of free download account. You know, fill in a survey and get a username/password, then you can download junk.

      I didn't want to go through all that hassle, nor give them any personal information or e-mail address to spam. So I did sort of the same thing you did, I just started typing in pairs of the most common first names. paul/paul, john/john, etc. Didn't work. But the system had one of those "forgot your password, use the question-reminder feature" things. So I asked for "paul"'s password question. It was "home state". I chose one of the most heavily populated US States I know of, California. Bingo.

  313. Re:The passward is electrifing by geomcbay · · Score: 1
    Most people aren't geeks.

    I personally don't have trouble remembering a number of passwords because I usually use these passwords nearly every day. (Actually a lot of my passwords are more in finger-memory than brain-memory. Can't for the life of me recall what the exact sequence is unless I am typing it!)

    Most people tend to use their passwords much less than that, though, and if you don't use them on a regular basis it can be pretty tough to recall, even if your memory for such things is generally good.

  314. Re:The passward is electrifing by geomcbay · · Score: 2
    It's kind of hard to remember more than one random number sequence password. So if users do use random characters (I assume you really mean random characters, since limiting yourself to just numbers reduces the possible keyspace quite a bit), they are likely to either:

    A) use the same password everywhere. Which is pretty stupid or

    B) Write their passwords down in a list somewhere, which is also stupid.

  315. dell by wroot · · Score: 1
    How about all of the morons who leave "dell" as root password of preinstalled Dell Linux boxes?

    No kidding. This actually happens.

    Wroot

  316. geek by astr0boy · · Score: 2
    "The cryptics are most likely to be what we would regard as "geeks"

    so "p9R14Tl7" (which is old) would or wouldn't qualify me for geekdom?

    -----

    --

    -----
    so i says to mable, i says

  317. Apple's Keychain by MasterVidBoi · · Score: 1

    While I'm not a sysadmin, and nothing particularly disastrous would happen if my passwords were compromised, I do like to keep them somewhat secure, and would place myself as somewhat of a cryptic.

    Since I use a mac, I use Apple's Keychain system for password management. From the surface, it looks fairly secure as long as no one figures out your master passphrase. From there you can set access controls to allow none/some/all applications to have access to individual entries.

    I was wondering if anyone here had any experience on how secure Keychain is, such as how strong its encryption is compared to how strong it should be to be reasonably crack-proof if someone managed to get their hands on the file.

  318. how about... by rudib · · Score: 1

    njiuhb? or qwertz? or a 'cryptic' one, XdRgBhU8... ;)

  319. biometrics plus by markmoss · · Score: 2
    Ultimately we need something that doesn't depend on human memory to retain "secret" information, hopefully not as drastic as implanting a chip... There are various biometric systems that (when they work) identify you by your own physical characteristics. One problem with those is that if you are identifying yourself to a server with your thumbprint (say), what keeps someone from just bypassing the fingerprint box and feeding in a recording? So a good system might be a chip on a card that (1) generates fully random passwords for you (like with a circuit that derives 1's and 0's from quantum noise), (2) remembers them, and (3) requires a live thumb on the sensor surface (top of the chip itself) every time you want it to crank out a password. But (4) you need some sort of backup system--muggers won't leave that card on you just because it won't do them any good. And this still leaves you vulnerable to someone snooping the lines while you are logging onto their target server.

    A better system would be that same chip, only instead of storing fixed passwords, it conducts a conversation with the server, proving its identity in a way that a snooper cannot replicate. E.g., the server sends out a random number. Your smartcard checks your thumb is there and has a pulse, then encrypts the random number with a 4096 bit private key and sends it back. The server uses the corresponding public key to decrypt and check. Line snooping does no good, because the challenge (random #) and response (encrypted #) are different every time, and that private key never leaves the chip.

    1. Re:biometrics plus by CKW · · Score: 1

      One problem with those is that if you are identifying yourself to a server with your thumbprint(say), what keeps someone from just bypassing the fingerprint box and feeding in a recording?

      The same technology that prevents you from re-playing back an SNMP V3 USM or SNMP v2usec message.

      There are already biometric hardware systems available which result in unique encrypted messages which can not be replayed.
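Added example (not from markmoss's or CKW's post) of the challenge-response exchange described above, with both sides' messages. The post signs the challenge with a 4096-bit private key; to stay within the Python standard library this version substitutes an HMAC over a shared secret, which gives the same anti-replay property but means the server also holds the secret (the asymmetric variant avoids that). The Token and Server classes, the liveness hook and the demo values are all constructed here.

```python
import hashlib
import hmac
import secrets


class Token:
    """Hypothetical stand-in for the card. It holds the secret and only ever emits
    responses to challenges; nothing returns the secret itself."""

    def __init__(self, secret: bytes, thumb_present=lambda: True):
        self._secret = secret
        self._thumb_present = thumb_present   # liveness hook; stubbed for the demo

    def respond(self, challenge: bytes) -> bytes:
        if not self._thumb_present():
            raise PermissionError("no live thumb on the sensor")
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()   # challenges issued and not yet consumed

    def challenge(self) -> bytes:
        c = secrets.token_bytes(32)   # fresh per attempt: the anti-replay ingredient
        self._outstanding.add(c)
        return c

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # A challenge never issued, or already answered, is rejected before any
        # cryptography runs, so a recorded (challenge, response) pair is worthless.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)   # one answer per challenge, right or wrong
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def forge_response(challenge: bytes, guessed_secret: bytes) -> bytes:
    """Line snooper's best effort: a response computed under a guessed key."""
    return hmac.new(guessed_secret, challenge, hashlib.sha256).digest()


def demo() -> dict:
    secret = secrets.token_bytes(32)   # provisioned into card and server out of band
    server, card = Server(secret), Token(secret)

    c1 = server.challenge()
    r1 = card.respond(c1)              # the snooper records (c1, r1) off the wire
    results = {"genuine": server.verify(c1, r1)}
    results["replay"] = server.verify(c1, r1)            # same pair played back
    c2 = server.challenge()
    results["old_response"] = server.verify(c2, r1)      # recorded r1 vs. new challenge
    c3 = server.challenge()
    results["forged"] = server.verify(c3, forge_response(c3, b"guess"))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:>12}: {'accepted' if ok else 'rejected'}")
```

The set of outstanding challenges is what turns a random number into an anti-replay measure: a (challenge, response) pair lifted off the wire is useless once the server has consumed the challenge. It does not, on its own, stop a live relay to the real server while the user's thumb is on the sensor; binding the challenge to the server's identity or the session is the usual fix.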

  320. Re:THe PsyChol0gy of g3t7ing la1d-ofF by Anomymous+Coward · · Score: 1
  321. You need a PASSWORD for that? by BillX · · Score: 1
    You don't need a password to root one of these. Just overflow the buffer in the sadmind program.

    I'm going to go out ass-first on a limb and suggest that Stupid probably hasn't applied the latest patches...

    --

    --
    Caveat Emptor is not a business model.
  322. Re:Sad mind? by BillX · · Score: 1
    This exploit has been known for a while now.

    --

    --
    Caveat Emptor is not a business model.
  323. Dvorak Rules! by matt_j_99 · · Score: 2

    I use the Dvorak layout on my keyboard, and that is a pretty good password protection scheme in and of itself! I'll use easy to remember words, like linuxrules, and convert them to the qwerty layout. So, linuxrules would be pglfbofpd; Plus, it freaks people out to start typing at the machine, so that is a pretty good protection mechanism!

  324. scooping hollywood by Salieri · · Score: 1

    I believe this idea was explored in the Michael Douglas thriller The Game, in which -- in one of the indistinguishable layers of reality and truth, anyway -- a psychologist gives said Douglas many hours of physiological and psychological exams for the surreptitious purpose of successfully guessing all of his passwords.

  325. Best password ever! by ByTor-2112 · · Score: 1

    Isn't everyone's password CPE1704TKS?

  326. People! by Strangely+Unbiased · · Score: 1

    You want a safe & simple password? Use whatever you want, written in lame-language e.g password--->p455w0rd Can't get any safer than that, and your Windows friends will admire you for your wisdom and coolness!

    --


    There is no such thing as 'world peace'.
    1. Re:People! by slashism · · Score: 1

      The password for use inside DS9 by the commander (Cisco?) was "Alpha-215." That could get him data and control of virtually every operation on the ship.

  327. Hoorah! Most redundant posting in Slashdot history by screwballicus · · Score: 2
    Solely for the sake of taking the record for the largest number of virtually identical explanations of a given fact in Slashdot history, I will now post that Swordfish was originally used as a password in the Marx Brothers' movie Horse Feathers.

    While I'm here on the redundancy bandwagon I shall further take your time to post, in pursuit of equally belaboured drivel, that the Gameboy Advance has a screen that can only be seen by certain breeds of Canadian Arctic Spotted Owl because battery life is more important than being able to perceive what is going on in a computer game and, further, conclude with an agonizing rebuttal, reading that The Gameboy Advance may only be 15MHz, but it uses a highly optimised(tm) RISC CPU (Q: as opposed to a highly de-optimised RISC CPU?) which is as fast as an SNES. I would go on about Linux vs. BSD and Macs: are they still viable? but this would eventually necessitate that I summarily smash my head directly through my monitor in a desperate last-ditch effort to end the horror slowly enveloping me.

  328. Also. . . by frosti · · Score: 1

    Don't forget the all-mighty "Peekaboo" password.

  329. Wonder why no one thinks of by lm747 · · Score: 1

    creating passwords from equations or inequations... Like five+3=8 or five+3!=225

    --
    --- lm747
  330. AOL by Regolith · · Score: 1

    Kinda makes you wonder how many AOL users have "A/S/L" or "ASL" as their password?

    -----

    --

    Bow before my sig, for it is good.
  331. Re:The passward is electrifing by flippety_gibbet · · Score: 1

    Maybe they choose not to.

    There's an anecdote that Albert Einstein did not commit his telephone number to memory - asked why not, he explained that if he needed to know it, he could look it up in the book...

    --
    <-- You are here.
  332. nothing by Aerog · · Score: 1

    Back in the day when I ran a highly unsuccessful BBS in High School, we had a problem with certain users (well, a certain user) getting local access and deleting all the executables on the computer, severely crippling the whole system. Needless to say we set up a password system and just set the password to nothing. Since it was high school, it confused the hell out of people even if they managed to hear someone talking about it.

    'course now it's just one of those that's ridiculously easy in the real world. Oh well. maybe I'll just set mine to something nobody'll ever guess. asdf123 sounds pretty good. And nobody'll ever think of it!

    --

    - Relativistic? That's barely Newtonian!
  333. Re:simple passwd scheme by HohlerMann · · Score: 1

    Do you really want to hax0r my Macintosh 7200/120 running Mac OS 8.1?

  334. simple passwd scheme by HohlerMann · · Score: 2
    Old id software cheat codes work well for minimal internal security...
    • idspispopd
    • iddqd
    • idchopper
    • idclip
    • idkfa
    etc.
  335. No matter what u use... by CuteAlien · · Score: 1

    ... those great movie hackers will find it out anyway, just a few seconds before your evil plans will succeed. That's why hollywood rules this world :)

  336. Root Password of null string by Tech187 · · Score: 1

    I have a friend who ran Linux for awhile, Slackware 3.6. One night in a friendly mood after she'd just sent me an email message (she uses Earthlink) I read the header on the message to figure out what her IP was for the moment. I telnetted to that IP, but discovered that due to a reinstall that she'd recently done I no longer had an account to log on the machine and request a 'talk' session with her.

    I tried 'root' at login: instead.

    Yep. She had no root password at all. I quickly changed that by giving root a password, then (of course) created an account for myself. Then I logged off as root (this was a friend, remember) logged on as myself with the newly created account, and requested a 'talk' session to mention to her that her security had been, umm, a little lax.

    Slackware 3.6 didn't require you to (or even mention to you that you should) establish a root password, and of course the default is a root account with no password whatever.

    She'd been browsing the web rather actively for about a week in that state.

    Fun with Linux.

  337. A good psuedo-random number... by shobadob · · Score: 1

    Multiply the number of obsessive-compulsives (including me ;) who just had to tell us their "magical formula" for getting a password, by your karma. Make that number negative (if your karma didn't do it already ;). Multiply that by the number of characters in your most recent post.

  338. So let me get this straight... by Degauss+This! · · Score: 1

    Some company asked a bunch of people what
    their passwords were, and people replied back?

    Am I the only one who has problems with this?

    Degauss

    --
    ...If you're gonna be dumb, you'd better be tough...
  339. Why bother....... by b0geyeZ · · Score: 1

    If you want into someone's network, why mess around sniffing and cracking, when a bit of well placed social engineering gets a result 95% of the time. Examine the facts:
    1. Most helpdesk staff are underpaid, underworked and only doing it to get to the "next level", whatever that might be.
    2. Most mid-high level suits have bad tempers and little patience with underlings and technology.
    3. Jo/Joleen Average, when faced with angry people who can have direct input on their future, caves in faster under pressure than a bathysphere with a broken seal.
    Result: the CEO's account details with a changed password of your choice in double-quick time......... It does not matter how strong the password is if you can replace it with one of your choosing for the price of a phone call.........

    --
    top -l|grep $SUITS
  340. Looks like someone stole CmdrTaco's password again by jhill · · Score: 1

    Yet another brilliant post by our fearless leader. Maybe he should change his password to something other than password *grin*

  341. My password scheme by pyro_peter_911 · · Score: 1

    I just use "a" as my password. That way when someone launches a dictionary attack against my system it doesn't waste as much bandwidth as my old "zenzebrazygotes" password.

    Peter

  342. Another problem by Registered+Coward+v2 · · Score: 1

    with password choice are brain-dead forms for entering passwords.

    Take slashdot for instance:

    You can enter more characters than the 12 limit in its password selection box. So when I entered my password:

    RAS_macintosh

    it left off the h. It wasn't until I had my password emailed to me that I realized what happened and started leaving off the h when I logged in.

    No wonder people pick simple passwords...

    --
    I'm a consultant - I convert gibberish into cash-flow.
  343. Does this scare you? by steddyj · · Score: 1

    Even after my repeated protests, my boss insisted I give a user the root pswd to the RHL machine in his office which he uses to check compatibility of journal papers we post online. His argument? He has many years of experience with computers including work with the military. So I hand him a small slip of paper with the pswd on it. I tell him to memorize it and then "you know what to do with it", meaning of course to dispose of it properly. What do I watch this military man do? He looks at it briefly, then tapes it to the underside of the pencil tray in his desk! Doh!

  344. I'm torn by MarkusQ · · Score: 1
    I can't tell if you did that intentionally and are one of those people who goes in for very obscure humour, or if it is just a one-in-a-million (exactly one-in-a-million) coincidence. Neither one seems particularly plausible.

    -- MarkusQ

  345. Win Users Might Want to Try Password Safe by idonotexist · · Score: 1

    http://www.counterpane.net/passsafe.html

    I am not with the company or anything. Just wanted to pass it on because it helps for easily generating and maintaining passwords.

    --
    "There ought to be limits to freedom"
  346. A few years ago... by Violet+Null · · Score: 2

    The most popular password was, according to studies, 'mozart'.

    Of course, anyone who has 'swordfish' as their password deserves to have their account cracked.

  347. My Random Method by Sonic+Dude · · Score: 1

    I truly believe that I have the best random method for finding a password. When I was in THIRD GRADE, I turned on the TV and the first word I heard became my password. Nine years later, I still have the same password. No person would listen to the TV shows from an entire year and try every word there just to get into my account.

    And, should my account ever be compromised, I'll break out an old Simpsons episode and pick the first word I hear.

    Anyone who knows my password may email me now, and I will begin worshipping you ASAP.

    --
    -BaV
  348. broken relations by mscout1 · · Score: 1

    Another good way to pick a pw is to use a number that once meant something to you, but is no longer associated with you. 40-15-40 is my high school locker combo. No-one else knows that this number has any importance to me. But 4 years of remembering it on a daily basis has permanently engraved it into my gray matter. Then 1337 it (4ols4o). Now you have a pw that has no connection with you, is alphanumeric, and unforgettable. I could probably even tell someone and they will forget it because to THEM it is just a meaningless string of numbers. PS: That is not my pw. I use my Student ID#, not my locker combo (the same logic applies to both). I also lied about my combo # (might need to change my combo some day)

    --
    ------- I saw a VW Beetle the other day. The vanity plates said "FEATURE"
  349. The passward is electrifing by The1lorax · · Score: 1

    the problem with having these sorts of studies is that I could call up someone I hate and ask: "Which of the following categories would your password fall in?" Easy hack. People should have learned to use random number sequences by now.

    --
    You can't judge a book by the way it wears its hair.
  350. Good passphrases by Bob_Robertson · · Score: 1

    Enter Password: no. or how about, "fuck you i want my lawyer!" so you can pass the lie detector test....

    --
    The Ludwig von Mises Institute. The reasoning individuals economics
  351. Password? As Shipped by deathcow · · Score: 1

    Don't forget the geniuses who buy a million-dollar Vax setup and then forget to change the stock sysAdmin password. That's another kind of password idiot altogether -- the default password idiot.

    We used this technique to enter our local (huge) school district's Vax setup, authorize our own accounts and play for a few weeks.

    In the end, the members of our hacking troop who were over 18 years enjoyed an entirely different conclusion to the fun than the two of us who were juveniles.

  352. Add to that group by NickFusion · · Score: 2

    "And then there's the category "Stupid" for the zillions who use "Trustno1", "Swordfish", and "Password""

    ...and M$ Passport....

    --
    What were you expecting?
  353. How about choosing based on ease of typing? by Ulwarth · · Score: 1

    I choose my passwords based on ease of typing. No, I don't use "fred" - I choose phrases that are easy for a touch-typist, because the keys alternate back and forth between the hands.

    Example: pqv0m3N

    This is "hard" to remember, but it's not hard to remember how to type it, because it's very natural to type if you're a touch-typist. Once my fingers remember the pattern, I don't have to remember what the actual letters are.

    I suppose I'd be in trouble if I ever had to enter it on a Dvorak keyboard, or if I broke my left hand and had to type it all with my right :)

  354. Anecdote by return+42 · · Score: 1

    I used to program an IBM 370 in COBOL and I discovered one day that I could use a search routine to search for my password on all disks, which told me where passwords were kept (in clear - duh!) Browsed around a little and found the sysadmin's password: DAYOFF. Yep, that reflected his personality all right :)

  355. the only good system is to check constantly by nikster · · Score: 1

    At our university, the server was constantly running a run-of-the-mill password cracker program (dictionary, names, replace i with 1, o with 0 and all sorts of other "tricks"), which would send offending users a note saying basically "your password is stupid. Reset it or you will be kicked." The note nicely explained how to create safe passwords first, of course. Since I would classify as the cryptic type, mine was never cracked. Since I can't remember tons of passwords, I have several categorized ones I use over and over again. Categories go from low security (for sites that will lose the pwd anyway or store it unencrypted, or for pwds that go over IP unencrypted (POP email, /.)) to high security.
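
    The kind of check that university cracker ran, written as an added example (not code from the poster or from any real cracker): candidate passwords are un-leeted and stripped the way a guesser would try them, then matched against a small constructed word list plus the user's own names. The word list, the 8-character minimum and the substitution table are assumptions chosen for illustration.

```python
import re

# Constructed stand-in for the cracker's word lists: the thread's "stupid"
# passwords plus a few classic defaults. A real audit would load a large
# dictionary file; this small set is an assumption that keeps the example short.
WEAK_WORDS = ["password", "swordfish", "trustno1", "changeme", "dayoff",
              "letmein", "qwerty", "secret"]

# The "replace i with 1, o with 0" tricks, applied in reverse so a leet-speak
# variant collapses back onto the dictionary word it was built from.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})


def variants(text):
    """Every form a guesser would try: lowercase, un-leeted, and each of
    those with leading/trailing digits and then all punctuation dropped."""
    base = text.lower()
    forms = {base, base.translate(UNLEET)}
    forms |= {re.sub(r"^\d+|\d+$", "", f) for f in list(forms)}
    forms |= {re.sub(r"[^a-z]", "", f) for f in list(forms)}
    return {f for f in forms if f}


def build_dictionary(words, names=()):
    """Normalise the word list and the user's own names (the cracker's
    "names" trick) the same way, remembering which word each form came from."""
    dictionary = {}
    for word in list(words) + list(names):
        for form in variants(word):
            dictionary.setdefault(form, word)
    return dictionary


def weak_reason(password, dictionary):
    """Return why the password would fall to the cracker, or None."""
    if len(password) < 8:                      # assumed policy minimum
        return "too short"
    hits = variants(password) & dictionary.keys()
    if hits:
        return "variant of '%s'" % dictionary[sorted(hits)[0]]
    if re.fullmatch(r"[a-z]+|[A-Z]+|\d+", password):
        return "single character class"
    return None


def audit(passwords, names=()):
    """Map each candidate password to its weakness, like the nightly report."""
    dictionary = build_dictionary(WEAK_WORDS, names)
    return {pw: weak_reason(pw, dictionary) for pw in passwords}
```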

  356. Crappy program I wrote by duren686 · · Score: 1

    I was fooling around in VB (yeah, be quiet) recently and wrote a program that takes three words (username, keyword1, keyword2), combines them, and munges the result to generate an alphanumeric password that no-one will ever guess, and even if you gave it to them they'd forget it after a few min.

    --
    Y2K Compliant since the late 1890s
  357. Another technique by Derkec · · Score: 1

    Another decent way to get a fairly cryptic password that is easy to remember is to make some sort of pattern on the keyboard. Make sure you hit a number or two and some punctuation and you've got a nice, cryptic, easy-to-remember password. I wouldn't guard the Pentagon with it though.

  358. what am i what ami by tortus · · Score: 1

    I can't figure out what group I belong to. I'm obsessed with my goldfish, but I consider it a part of my family. I'm confused. Somebody help me. Oh, by the way, its name isn't swordfish. It's "im a big stupid idiot".

  359. Did anyone else notice... by ELBnet · · Score: 1
    • That the numbers totaled up to 103%
    • People actually gave their passwords out to the people doing the survey!!
    I'd guess this means that only the really dumb were included in the survey!

    --
    -- I thought I was wrong once, but I was mistaken