Slashdot Mirror
Crappy Passwords Very Common
KeatonMill writes "CNN released this story about passwords. Apparently, a group of UK psychologists did a study about password selection, and found that many passwords can be guessed if access to the subject's desk is allowed (the article gives an example of sports memoribilia representing sports-related passwords). According to the study, 50 percent of people use names of family members or pets as passwords."
I've had good luck guessing passwords using the method of adding a number to the user's name: e.g. someGuy's password is probably someguy[0-9]+[0-9]*
What this is saying is that if you know something of the person you can work out what they will say. This is always going to be the case until it is something actually unique for the person (fingerprint, iris etc). While we all _know_ that we should have passwords like "sdf987*(&^JJHASBDjkasdjkh231*()&as" and every account should have a different one it tends to be simpler to use something you can remember easily.
So this isn't a suprise, and its what the Biometrics people have been saying for years.
An Eye for an Eye will make the whole world blind - Gandhi
... water found to be wet[1], sky found to be blue, Earth found to be round[2] and CNN found to be obvious.
[1] at certain temperatures
[2] well, almost
The best password ever is one my friend has. He took the name of a family pet, just like an idiot would. But then he encrypted it with 4096 RSA PGP and the passphrase was his favorite saying. The 15th through 23rd characters where his password. And after he told me this, he changed it. Because he changes his PGP keys every week.
If you are one of these people who has a stupid password, you deserve what you get.
I'm going to get the book of petnames now and write a brute force hack into paypal, wee! My money problems are solved. I don't do stuff like that, but someone should. Send all the money to me that is.
The GeekNights podcast is going strong. Listen!
Johnny Quest has two Daddies.
It's written in all the study books I have been reading about. Most people will use their first name, the name of their pet or their birthdate in the password field. Only recently, you start to see smart software that refuses to accept this type of entries. What would be neat is a global password database where all the passwords that have been entered are stored as MD5, and each new password entered is checked agains the digest form to see if it matches, and if it does is refused. The dictionary words and common words should all be part of this database as a starter.
PPA, the girl next door.
-- I feel better now. Thanks for asking.
A cracker friend of mine noted this way back in 1983. Another interesting tidbit: back then, at least, a fairly high percentage of admins used "god" for the root password.
The cake is a pie
... is usually a fucking nightmare. Good luck trying to guess anything by it.
[ note to self -- 3mptyC0k3C4n is not a good enough password anymore ]
The password policy where I work is 10 characters, mix of upper and lowercase, at least 1 non-alphabetic, expires every 6 weeks. So of course I write it down (indirectly) or put it in "logon.bat".
Because of Windows' stupid caching, I already have to phone the helpdesk every 6 weeks to get my account unlocked when windows somewhere decides to try my old password 5 times in succession.
My password is and always has been newline, newline, newline.
Gets me logged in quick, and noone seems to be able to guess those last two characters.
Anything you can do, I can do meta.
I went to my bank the other day to assign a PIN to my ATM card. For this you need to sit down with a bank person at their desk. Just to be a pain in the ass, I asked her how many numbers I could enter (it's 7). She said 4. I entered 7 and it took.
Then she went "How do you remember 7 numbers?" and I said "The same way I'd remember 4 numbers. It's not like remembering yet another set of numbers is going to be hard--I've memorized the passwords of at least 20 other services".
To which the lady at the bank said "See, the best way is to just use the same password for EVERYTHING. This way you only need to remember one!"
you know what my problem is??? i have dozens and dozens of passwords to remember...i have my work computer, my work e-mail, my home computer, my 2 home e-mail accounts, eBay, Slashdot, IM, etc...it's just too many passwords to remember...
because of that, i've fallen into a bad rut for my passwords, i only have like three that i use on a regular basis, and i just reuse them whenever i register for a new account...don't get me wrong, i know that's a terrible thing to do...but i just can't bother myself to rememeber more and more passwords...god forbid someone found one out...
does anyone have any tips for things they do, or products they use to keep track of their dozens and dozens of passwords...?"Facts are meaningless. You could use facts to prove anything that's even remotely true." - Homer Simpson
I realised this the moment the team leader of our software development project -- a woman who is about to graduate with a *degree* in *computer science* revealed that her password for nearly everything was her name, spelt backwards. *D'oh!*
Hey, the Brunching Shuttlecocks just published an article relevant to this one: The Twelve Least Surprising AP Headlines.
From Jakob Neilsen's UseIt column on usability and the Internet, comes this column on Security and Human Factors. His summary:
Sysadmins are fond of forcing users to use complex passwords. What happens then is that the user writes the password on a yellow adhesive note and sticks it on the monitor. Better to let the user use the first password that comes to mind, with possible gentle restrictions like no dictionary words, so that the user can hold the password in his or her head without writing it down -- or putting it in a "Passwords" file on the hard drive. How many theives really look up biographical information on computer users and find out all the names of their family members?
Fight for your right to read books!
The best way to think of a password is to conjure up a phrase that's random, but easy to memorize. Then, just use the first letter of each word as your password.
:: Imagine There's No Windows(tm). It's Easy If You Try.
For example, if you're told to pick a password with at least six characters, you could randomly come up with: Dubya Doesn't Know A Goddamn Thing
Then, you'll have a good, random password (ddkagt) and you'll remember it, too.
If there are other restrictions (you need numbers, mix of upper/lower cases), just adjust your random phrase to coincide.
m o n o l i n u x
Back in '94 when I took over as network admin for the stockbrokerage I worked for the only joy I found in the job was guessing passwords. I could usually do it on the first guess. A tip here is if it's not in the roledex under "password" then it's in the pictures on the desk. This is especially true if the only picture on the desk is the guy's sailboat.
I've hit Karma 50 and gotten a Score:5, Troll... I win!
The best authentication schemes involve something you know (a PIN or password) and something you have (a smartcard, RSA key fob, or some other device that implements a challenge/response system to authentication queries).
~wally
Passwords often have to be at least 6 characters long which is just about the largest thing that people will be able to memorise. Often, drachonian admins force people to change their passwords every few months forcing users to commit yet another password to memory so they end up using things that they already know well as passwords. At least the people wern't writing them down on post it notes (even if they were doing the next worst thing). Jakob Nielsen wrote a bit about this in Security and Human Factors.
I remember reading about how one of the most popular passwords in the 80s was fred because it was easy to remember and all four keys were close together.
...or they can be handed over to you voluentarily, if you say you're doing research on passwords. :-P
This is the typical crap about passwords that gets handed around. PGP encoding and changing passwords weekly. As if. Looking at the number of sites I have passwords to, it numbers something like 60. People want usable computers not sophisticated mnemonics.
Not that I always agree with him but this article is ideal:
http://www.asktog.com/columns/026Security.html
Time to accept that this is the reality of existence. You will never get people to memorize hundreds of passwords. I've seen businesses lose tons of money because they require cryptic passwords and the user moves on to the competitor.
BTW the password nightmare is currently handing M$ a big victory in Passport. God knows I would love to have a single password...
What?! Are you moronic? Having a user account is the first step in getting administrator accounts. Much information about people can be gleaned from a user account. Couple with some social engineering and a little bit of luck and you have access to an admin account.
Of course, if someone has accesss to your dest, you've got bigger problems thatn just access to your compter account.
T Money
World Domination with a plastic spoon since 1984
They forgot to mention 'password'
When working an ISP, that was the most common password. Never really got the other 3 so much, probably because people don't want to say 'SEX' over the phone.
In high school, a friend of mine has "hoyas" as his password for the school network. Another friend guessed this easily when we were talking outside the computer lab one day. He looked the guy up and down. Then he bolted into the lab and the idiot ran into the lab after him, both of them racing to change his password.
Of course, my retarded friend was wearing a Georgetown hat, and a georgetown Tshirt.
Duh.
And with regard to pets....whenever someone asked what they should set their password to, I would always tell them, "use the name of a DEAD pet." Much harder to guess than a living one. Especially if it's long dead.
My solution is not to use hotmail although there is no reason for me to use hotmail in the first place, but I have so many non-techie friends who love hotmail and will never switch.
I'm currently running a network for about 60 people.
I constantly bump into people whose passwords are "Password", "Password2", the name of the company, their own name, etc.
Part of me wants to force them to use complex passwords. And part of me knows that if I did, I'd spend my whole time resetting passwords for people.
When we got the new printer/copiers in, they had protection on them, so everyone got a 4 digit user id, and a 4 digit password, to retrieve their prints when they got to the printer. They were told that printing would be monitored and charged to their departments, and that they should keep their passwords secret.
I wandered around a week later, and over half of them had little yellow post-its on their monitors, with their id/passwords on them. Because, for some reason, people can't remember an 8 digit number unless it's a phone number.
My Journal
So, why can't individual biometric devices also have a key, and only 'trusted' scanners are allowed to communicate?
Doesn't that solve your 'replay attack' scenario?
-Jerdenn
In Cliff Stoll's book "The Cuckoo's Egg" (it's about his experience as an astronomer/sysadmin chasing a cracker in the mid 80s), you get an entertaining window back into a very different era in computer security...and yet perhaps it wasn't all that different. At one point Stoll mentions changing the root password on a machine to something like "basilisk", because no one would ever think of trying the name of a mythological creature as a system password. =)
My own favorite piece of password advice came from the "Unix Handbook" that my university passed out to incoming students...a line in big, bold text:
Do not choose a password that is even remotely related to Star Trek of Monty Python.
* * *
It is a dada story -- it has no moral.
Enforce password conventions the way NASA does... Epasswd
A good password is not necessarily one that is random characters. In my experience, an easy to remember one that is difficult to crack involves building one from common terms.
Let's take for example a Hitchiker's Guide to the Galaxy theme.
Take a 2 syllable word, say "zaphod"
Take a number, of course "42"
Put the number between the syllables word: zaph42od. It is still pronouncable, and you know where it came from, but now it is a common word that has numbers not at the end, but inside it, so even cracking programs will have a significantly more difficult time randomly generating it.
The other technique I use is to also hit the last key twice: zaph42odd. It ofuscates it further but at the same time has a minimal cost to you for remembering it.
So, even if you're a lamer whose password is "password," changing it to pass43wordd makes it significantly harder to crack but just as easy to remember.
--------
It's OK to be social, just don't tell anyone about it.
I once named a pet (it was a fish, in fact) after one of my passwords. Shame it wasn't one of the more pronounceable ones.
Slashdot? Oh, I just read it for the articles.
To run the script, click here.
You know, this sounds a lot like the 20/20 hindsight problem: Things become obvious after you know about them. If you know my passwords, it would be very easy for you to figure out how I came up with them. However, there are thousands upon thousands of ways I could come up with my
passwords, so the chance that somebody will come up with what one of them is at the right time on the right computer is rather low. For example, I
might have a slinky sitting on my desk, but that doesn't mean somebody will immediately think of my password as being "metalSlinky" or "51inky"
or "rollsdownstairs". They will be even more confused when they find out my password is actually created from the name of my dog. Since I might have a picture of my dog on my desk, they could then say "Oh, yeah, I knew that," but we both know they were really focusing on my slinky.
Of course, at the same time I would never underestimate the ability of people to come up with really, really bad passwords...
"The combination is: 1. 2. 3. 4. 5."
...
"Remind me to change the combination on my luggage."
Posted from the wireless couch.
"Good" passwords impossible to remember.
sulli
RTFJ.
I think my passwords are usually pretty difficult to figure out...
::Colz Grigor
I pick some lyrics to a song that I know:
"Penny Lane is in my ears and in my eyes."
(I usually pick more obscure songs, but this is an example...)
I then (sometimes) swap two words...
"Penny Ears is in my lane and in my eyes."
Then I convert it to a lower-case acronym...
"peiimlaime"
Convert every other character to 'leet (sometimes starting with the first, sometimes starting with the second)...
"p3i!m1a!m3"
This password is too repetitive... it's got two !s, two ms, and two 3s. I unconvert some of the 'leet to help out...
"p3iim1a!m3"
Now I convert some of the letters to upper-case...
"p3iIm1A!m3"
Looking at that password and not knowing how it was derived, you might think it's pretty random. But if you were a big Beatles fan, it'd be pretty easy for you to remember this one.
One big problem with lyrical passwords, though:
Don't hum the tune while you're typing in the password!!!
Welcome to the Slashdot Server
Login: CmdrTaco
Password: Kathleen
"Whoohoo! I'm in!"
It may solve this specific problem, but it doesn't change the fact that there is no easy way to recover from a compromised biometric. You can't exactly ask your admin to change your fingerprints :P
Every semester we run crack on Unix passwds at my university. Number one: "Princess." Number two: "GoVols." :-) We enforce no dictionary words, etc. now and shut down the offending accounts. We also moved away from Unix based mail to IMAP with a Webmail interface running on SIMS off LDAP. They don't even get Unix accounts anymore unless they ask. Well, excuse me, your worshipfulness!!!!
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
Lotus Notes mail has a cool password generator. I converted it to Javascript once and use it for all my passwords:
I can't post it here because it won't go past the lameness filter, but you can find it here.
It produces nonsense passwords, but they are easy to remember because they come out like pseudo-words. e.g. jenzog72, or slocrip16. It's about the only thing useful I ever got out of Notes.
Four fifths of all our troubles in this life would disappear if we would just sit down and keep still. -C. Coolidge
Heh. When I *have* to write passwords down (I've got at least 20 completely different work-related passwords that I use maybe once a week if I'm lucky, and then they change in 6 weeks) I never write down the actual usernames. Now, all the really important and immediately obvious accounts are memorized because I use them a lot, so these aren't going to be easy to find accounts for.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
They'll let you complete a PhD with that stance?
Compare this to mathematics. Why would anyone need to know how to prove the Pythagorean theorem? It was already proven thousands of years ago! Stuck in the past indeed...
Win dain a lotica, en vai tu ri silota
I used to get by on the net with just one password. It was very secure in that it was nice and random and not likely to appear in any cracker's dictionarys. I never really thought about security much... until a web based forum I was subscribed to was cracked. At the time I was an administrator on one of the largest online gaming forums in Europe (now sadly no longer with us), and another regular from those forums got hold of my password. Luckily he merely posted a few "hahaha I've got Skunk's password" posts and didn't do any damage, but the potentail was there.
:)
Since that incident I've instituted a strict policy of having at least 4 different "main" passwords, each with a different security level. I look at any site I sign up for very carefully - do es it look trustworthy? Do I trust the owner of the site (chances are my password will be stored in their database in plain text)? My "low level" passwords are used for unimportant sites while I save my "high level" ones for e-commerce and administrator functions.
All this should have been obvious from the start, but then that's the benefit of hindsight
The root cause of all this, IMHO, is the "expert" advice to "never write down your password". What nonsense! Real security experts understand that there are about 3 things that can be used as authenticators for you: something you know, something you have, something you are. The problem is that a ton of cognitive research and computing experience over twenty years has failed to demonstrate that you can know something complicated enough to serve by itself as a secure password!
Much more sensible is to randomly generate a password (using as much of the keyspace as reasonably possible), write it down, and stick it in your wallet or purse. Now it is something you have: a perfectly good authenticator that is as secure as the keys to your home and car.
Insufficient security? Combine it with something you know by not writing down the last four randomly-generated characters: you can probably remember those, and a hundred thousand combinations to try will at least force the person who stole your password to have a means of rapidly checking alternatives.
Alternatively, what I do is store the passwords on my PalmOS PDA, with a free app that lets me protect them with a "master password". Again, the master password is insecure, as it needs to be memorized, but it can be fairly strong, since it is all I need to memorize, and in any case it is only the second line of defense. In a more security-serious environment, you could combine this with the previous scheme.
Note that you will eventually memorize frequently-used randomly-generated passwords: these can then be thrown away.
Note also that the conventional advice to "change your password often" is a contributor to the problem here: it virtually guarantees that weak passwords will be chosen or that passwords will be written in too-convenient places. If your system is reasonably secured, there is no reason to ever change a password. Finally, if you do need to change a password for some reason, the "something you have" scheme described above works much better than memorization.
Want "line noise"-looking passwords ?
I sometimes "play a tune" on the keyboard, using the old Amiga OctaMED or Protracker music software keyboard mapping (sometimes shifted to the left or right for variety's sake).
So even I can't immediately tell what my password is, since I'm not using the "remembering words" bit of my mind. The fastest way for me to find out the password as a series of letters and numbers is to retype it in a shell window...
Alternatively, I mentally superimpose a simple outline image of something onto the keyboard, and trace that outline, pressing keys...
Choice of masters is not freedom.
Most of the passwords I use are in fact quite weak. Why? Because I don't really care if someone hacks into my spam account and if there is no one I know who would have the patience or know how to hack into the Linux partition I have. The fact is that the vast majority people don't have the ability to crack even the simplest of passwords (with the exception of "password"), and any one who does has a lot better things to do than screw around with some of my accounts. True the important passwords I have are still strong (I don't want someone breaking into my university account) but feel free to screw around with my hotmail account.
I stole this Sig
"Of course my password is the same as my pet's name.
My cat's name was Q47pY!3, but I change it every 90 days." - Roddy Vagg
Didn't /. already run something about secure password schemes? Anyhoo, I usually strive for easy to remember, yet hard to dictionary attack. The easiest ways are:
l33t-speak: replace letters with numbers. So your wife's name of Kathleen becomes "K@thl33n"
inserting numbers for syllables of a word like: "x10u8" (extenuate)
Using directions and keyboard geometry. (For my pin number I would use something like 36987, which is a backwards L on the keypad.)
Inserting a number sequence inside of a word. r3o1v4e1r5 = rover + pi
Using these methods, it's pretty easy to come up with a word that's relatively secure to a dictionary attack yet is as simple to remember as a much easier word.
(One thing: PLEASE don't use your SS# in any of these!)
Where the wind blows, the tumbleweed goes.
I thought it was common knowledge among sysadmins that people's passwords WILL suck.
One of my friends had a clever way of thinking up passwords. She would take her high school class schedule, say:
Study Hall
Calculus
Physics
Chemistry
Band
Literature
Biology
She would then alternate between the floor it was on and then the first letter of the class: 5c4p2c5b3l7s2b
It's something you did for a year of your life, so not that easy to forget, and you could always look it up.
----------
I am an expert in electricity. My father held the chair of applied electricity at the state prision.
You can get at least a little bit more secure by using MD5. Pick a master password - a really good master password. Something relatively long, that you've never used before. Something that you'll never forget. Now, find a javascript MD5 site. here's one. Type your master password in, and then type in the name of the site (all into the "Enter your message:"). Hit "run MD5". There's your password. Use the first 8 characters, or the last 8 characters, or something like that. The two advantages of this solution is that 1) you only have to memorize one password and 2) no one has your master password except you (and anyone looking over your shoulder). I wouldn't suggest using this technique for your really important passwords, but it's good enough for the medium important ones.
Shure and supose they didn't teach you about parsers, just because there is already plenty of parser ready to use. no fast forward 50/100 years. Everyone uses the parsers that were already made in the last century, and some one found a security flaw in one of those ancient parses, but no one living has any idea on how to make a parser, after all there were parsers already made...
Seriously you NEED to teach people how stuff is build and how they work. It's not enougth to simply step up to the next level of abstraction (that is suposed to be simpler). Following the same reasoning I could rant about how CS schools is teaching "C" when there is already "visual basic" witch is simpler and it is probably what you would need in the future.
[]'s Victor Bogado da Silva Lins
^[:wq
Like the obvious? If they have access to your desk, they have access to your diary, your wallet, and your credit card ;-)
You only have to remember 2 (or however many area codes for the area) combinations for the first 3 digits. Thus you are really recalling 7 digits, then associating whatever area the number is in with its area code.
-
Please type your password:
"your password"
I think even people with crap passwords (especially people with crap passwords) will either shield their typing or give you an evil stare until you look away when they're typing it.
That's the other advantage of keeping the same password for years... you can type it in a blur of fingers, and nobody'll ever see it.
...bigfartingfatguy.
Comment removed based on user account deletion
SecurityFocus has an article on passwords, while it has a NT focus (Lanmanager myths and such) it touches on lots of the same thoughts. Of interest is the use of high ASCII and/or Unicode in passwords.
Bleh!
Not everyone uses weak passwords, I have seen some STRONG passwords at my workplace, usually on a post-it stuck to the monitor.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
I use the same crummy word for a lot of my passwords. If the service makes me use upper case, I capitalize the first letter. If they demand numbers, I turn the 'e' into a '3'. That's because all of these accounts are passwords that I DON'T MIND IF PEOPLE CRACK.
You're not going to do ANY damage if you somehow managed to crack into my NewYorkTimes account.
ICQ makes me create a password that half the clients out there don't authenticate. If you got in, you'd suddenly be able to forge messages from me. Just as you could before.
For real accounts (root, stuff involving my credit-card, etc.) I use simple hash involving the name of the service and a secure string of letters and numbers. But there are a lot of accounts that won't bother me if they get cracked, but WILL be a pain if I forget the password.
In my work as system administrator I have found that no matter one says, cries or yells, people keep using dumb passwords. First of all people do love to use the infamous "1234" password. Such password can be found in such interesting places like the main accountant network access on a commercial bank, on a door to a restricted area and, the most amazing of all on a half-forgotten sysadmin account into a backbone network (one guy just forgot a test account with such password). But that's not the worst. The worst is when your computer carries your account name, and your password is the same as your login.
The general claim that "50% of passwords are bad" is too optimistic. I prefer to risk my reputation and claim that more than 90% of passwords are worse than bad. Most people use Windows and this system carries so many holes that is easy to catch a few password hashes just by sniffing a network. Besides, most people don't have even a basic knowledge of security so it is tremendously easy to catch an account with administrator's rights. Once you get one, you are on the free road - all depends on your knowledge and experience.
But not only Windows is on the black road. UNIX also. Most people have a high tendency to call for trouble. Many don't even read in front of their eyes THOSE BIG WARNINGS STATING THAT IF YOU TURN ON THIS THING YOU ARE ON YOUR OWN! And so we get telnets, ftps and many other daemons running with SUIDS, root network accesses and "come in and get what you want! Bye and come again!!!" In result most netowrks are completely open to any attacks from outside. A black hat hacker needs only patience, accuracy and cold-blood to create havock. No one would even get a hint that someone is one their nets...
Not long ago I was asked to test one network. I roam the whole thing, reaching the most holy of the net and catching tons of sysadmin info just by grabbing network packages. Some passwords were so easy to calculate/guess that it took only minutes to become sysadmin. With them I went further and started to take control of the whole net. I was a few minutes of destroying the whole network when I stopped all tests. I tested the net for a few days. All that could be detected was that one sysadmin saw a "small" problem when I mistakenly sent ssh to another location (no matter that I sent tens of provocative actions over their net to get their attention). However this was too small info to check the author of the work. Their luck was that they had a greyer hacker in their nets... A Cyberpunker would not be so humble.
That's not the exclusion. That's the state of thousands of critical networks. That's the common denominator.
"There's nothing more useless than a lock with a voice imprint."
Except maybe a password policy. The overhead on keeping people in line, especially with draconian software that enforces password selection policies and aging, is more costly than the problem for all but the crown-jewel servers.
Security that prevents black-hats from getting cyphertext passwords in crackable codes is the only security that improves the bottom line rather than making it worse.
--Blair
Everyone should go out and buy some dice and use them.
http://www.diceware.com/
I remember working as a sysadmin for a company where the CEO was... a little less then brilliant... after setting up his new computer for him I set his local login password to "password" and had it force him to change it on first login so that nobody else would know the password yet it would be simple enough that even he could remember it the first time, when he came in the following conversation ensued:
ceo: what's the password to my new computer?
me: password
ceo: I know that but what is it?
me: password
ceo: of course it is but what IS the password?
me: the password is "password"
ceo: would you quit that and just tell me what the password is!?!
me: the password is "P - A - S - S - W - O - R - D"
ceo: don't get smart with me young man! you don't want to make the person who signs your paycheques angry!!!!!
(meanwhile in the other corner of the room the accountant and receptionist were just howling with laughter and the ceo couldn't understand why...)
I finally led him over to the machine and made him watch the keyboard as I typed in "p - a - s - s - w - o - r - d" he suddenly changed his tune and was extremely appologetic and suitably embarrased... I didn't have quite so many run-ins with him after that... and it provided a much needed comedic break for the rest of the office.
side note: I've since switched from that to using other simple words as initial passwords making sure to AVOID the word "password" (and after that initial password people were forced to use minimum 6 characters, not dictionary based)
you can pick your friends, you can pick your nose, you can't however, pick your friends' nose.
That's the boring version. Here's my personal rendition:
Free Mac Mini. Yes, I'm
(No, I'm not (that much of) an idiot and those are not my actual passwords)
I've found that by using passwords based on keystroke patterns (with a random key at the beginning, end or middle) to be easily remembered *by my hands* though I couldn't tell you the actual passwords myself without some serious thought. The random non-pattern key is important since there are crack dictionaries that try things like "qwertyuiop" etc.
:)
One example of a pattern I've used in the past: BNGHTY%^~
Try typing it in and see how easy it is for you to "remember"
Do not taunt Happy-Fun Ball
Any system that lets you log 1,000 attempts a minute (or more than 3-10 attempts before locking the account) is poorly designed and should be rooted by one of those l33t h4x0rs to teach the sysadmin a lesson.
However, locking accounts after n attempts opens up a new denial of service: flooding the auth server with requests on known users but purposely invalid passwords to prevent the real user from being able to get in. Imagine what would happen if somebody tried to su with password "DoS" 20 times; the administrator would be locked out.
Will I retire or break 10K?
It's not perfect, of course, but I wouldn't want one compromised web site to compromise the rest of them (the trouble with using one password for everything) and I'm reasonably sure I can keep my own box secured from attack. And it beats using sticky notes :)
Ita erat quando hic adveni.
I can change them for you. Where did I put that cheese grater...
Mea navis aericumbens anguillis abundat
Any password that fits this criteria will take a long time to crack and even longer to figure out by looking over someone's shoulder.
ObTrivia: at a place I used to work, 246 out of 780 user accounts had a password of "", "pass", or "password". Before I convinced the IT director to let me implement strong passwords, anyway.
A couple of months ago, I called up the Wall Street Journal to get my password for the web site changed (I almost never use it, and so had long since forgotten what I'd used). I began to tell the lady on the phone the password I wanted (which I intended to change immediately through their online system, since I have no desire for another human being to know any of my passwords). Of course, the password I started to give her was a "good" password, with a mix of case, and non-alphanumeric characters. When I told her the first case change, she interrupted me, and told me that I should use a password of all the same case, so that it would be easier to remember. I responded by giving her a short lecture on computer security, and continued with my "good" password.
I think it's a general problem that people aren't trained properly in what would constitute a "good" password.
"If English was good enough for Jesus, it's good enough for everyone else."
One sunny day last summer I was out for a stroll along the scenic pathways of our fair city. As I was crossing the foot bridge across the river, I came upon two men doing some work on the river monitoring equipment. One man was at the control box on the shore, the other was at mid-bridge, fussing with the monitors. As I passed them, I was audience to this shouted exchange:
Man #1: WHAT'S THE PASSWORD?
Man #2: WHAT?
Man #1: WHAT'S THE PASSWORD?
Man #2: UH, I THINK IT'S SPACE, ENTER!
I briefly considered coming back sometime to see if I might crack into the system, but decided not to since there just wasn't any challenge.
Trickster Coyote
Living the illusion of reality.
Ideology is for ideots.
NEWSFLASH!!!
Many nerds* use 1701 as an ATM pin number.
*in addition to Wil Wheaton.
He must be really serious about his wife/girlfriend not finding his pr0n.
Pen-15
One trick for having many different passwords is to make them related. E.g. set aside one character in the password (3rd character, or whatever). Make that character "o" on your office computer (or "0", since I usually mix letters and numbers like "L" and "1" to make the passwords harder to guess). Then use the same password on your laptop, but make that character the letter "l". On your firewall, make it "f". And so on.
:-)
Sure, it's not as secure as a bunch of completely different passwords. But if you've come up with a really good password that's hard to crack, then all those permutations should be equally hard to crack, and if by some miracle someone does get one of them, they probably won't know which character to permute and what one-character abbreviations you've used for the various systems you use that password on. Of course, if everyone starts using this trick, then it won't be as secure.
It's worked for me. I can remember a couple of very good passwords, and the various permutations. There's probably no way I'd remember 8 different good passwords.
I haven't logged in as root on my box since I installed linux, thanks to sudo. My root password is a rather complicated string of characters that bears no resemblance to any words. My user password is similarly strong. Unfortunately, remembering lots of strong passwords isn't exactly easy. So, I've gotten lazy and reused some of them. Based on my tech support experience, I would guess that most people only have one or two passwords that they reuse. Snoop their plaintext logins to thespark.com or something like that, and you've got them. I've never made an unencrypted login to my box, and my passwords are strong, but that doesn't make them secure. Excuse me while I go change them...
WARNING: there is a trojan on your
Backwards link
Forwards link
Slashdot? Oh, I just read it for the articles.
There was some show on TLC once, and I only caught the end of it, but the part I did catch made me laugh. (memory fuzzy, so if I get a detail wrong sorry)
These guys were hackers turned security consultants and were consulting for a financial company. They were "wardialing" the company's phone service looking for a computer that would answer, and when they got one, they entered "root" for the username, and (get this) "password" (!!!) for the password... and got in.
You would think anybody who has the semi-intelligence to be a Unix sysadmin for that company would know to NOT USE "password" AS YOUR ROOT PASSWORD!
I hope somebody got fired for that... sheesh
There are only 10 kinds of people in this world... those who understand binary and those who don't
HELMET It worked, sir. We have the combination.
SKROOB Great. Now we can take every last breath
fresh air from planet Druidia. What's the combination?
SANDURZ One, two, three, four, five.
SKROOB One, two, three, four, five?
SANDURZ That's amazing. I've got the same combination
on my luggage. Prepare Spaceball 1 for immediate departure.
SANDURZ Yes, sir.
SKROOB, SANDURZ, and HELMET start walking out
the door.
SKROOB And change the combination on my luggage.
Build Your Own PVR/HTPC news, reviews, &
Thanks, you're right, I suppose I was thinking [0-9]{1,} which as you say would simply be [0-9]+.
That policy is a sign of incompetence in the IT department.
If strong passwords are used, they should long expiration periods. It's not unreasonable to memorize a truly random password if you only have to do it once a year. If passwords are expiring every six weeks, you *have* to write it down (on a card in your wallet, on your PDA or celphone, etc.) because it's impossible to remember them otherwise.
Another good trick is to generate a list of a few dozen candidates and look for one with good "muscle memory." E.g., my main password now has a pattern of L-RR^-LL^-LRL where ^ means it's a key "straight above" the last key.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
enter old password, some random data from /dev/random and whatever else is handy, and SHA-1 it.
get milliseconds component of current time. Add PID. Recursively apply SHA-1 this many times. XOR in a byte or two from /dev/random each time.
Now the fun part. Strip the high bit and treat the first 8 bytes as an ASCII string. If it matches the password policy (e.g., 2 upper, 2 lower, 1 special, 1 digit, 2 wildcards) print it and increment counter.
Repeat prior step until counter hits 50 or so.
It usually takes 5-10 seconds to generate a list of candidate passwords. I pick one that's easy to remember because of "muscle memory." To guess my new password, you need to know both my old password and the contents of /dev/random.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Cryptic passwords aren't all THAT hard to come up with. Weird thing about memory - if a group of words has rhythm or is rhymes (or both), then it's almost impossible to forget (everyone here remembers the theme to Gilligan's Island, right?).
:-)
Back at DEC, the max password lengths were ridiculously long (128 chars? someone out there remembers). So, my passwords were usually something like:
onceuponamindightdreary - next month was twiceuponamidnightdreary and then thrice..., and then I went to the next verse.
Not terribly cryptic, but nowadays, I typically use the first characters of each word in a poem, or whatever. Example above yields Ouamd - which is a reasonable start - add a number and increment, and you're set for a while until you move to the next line. Song lyrics work just as well as old Edgar Allen's stuff of course.
Oh, and of course, I strive to use song lyrics I'm not listening to at the time
Shoot them.
We use pseudo-random strings for passwords that can't be remembered and have to be written down. We each have a copy of the password book, a small, black notebook, and they are kept locked when not on our person.
We use a little proggie that I wrote in C to generate these pseudo-random passwords.
Yeah, I know all about the dangers of writing passwords in books, but when you have close to 100 machines that you need to keep passwords for, you've really got no other choice. You need to make sure that security policy (keeping the password book locked up) is maintained at all times, which isn't so hard when there's only 2-3 admins who need the passwords.
Whenever somebody leaves, we change all the passwords for root and our admin user on all the machines. A bit tedious, but necessary.
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
With this program, it is easy to keep track of a separate password for each web site, and there is a unlimited?) notes field for keeping track of extra account details or any extra challenge+response (You don't give every site your real mother's real maiden name, do you? Insanity!)
PSafe will generate random 'strong' passwords. For the really important systems, I use the 'strong' 8-character random password generated, but when I go to log in, paste the 8-characters from PSafe, and append a four-to-six letter string I keep in my head.
Voila --- Poor man's two-factor authentication!
I do not deploy Linux. Ever.
could be yellow and have a "3M" watermark.
There's no difference between a smartcard and a password, except the input device (keyboard or mag reader) -- both of which can be bypassed.
I used a random password generator to pick out about 60 random passwords, then picked one.
I have about 50 or so accounts on various servers that I use frequently. I use about 10 passwords on those various services. Half of them would be considered 'strong'... liberal use of the shift key, number keys, etc. The other half are middling to weak.
On most of the sites, I use a single, weak password... on every site that I do not trust, or do not care about. On the important ones, I use one of the strong passwords, or a variation (shifted in different spot, etc).
As I am assigned passwords at work, I add them to my list of 'strong' passwords. I get a new random password yearly, so I have a long time to memorize it. Once it is no longer my work password, I add it to my farm of passwords I use elsewhere.
So for sites that don't matter, I use the poorest password manners possible... one weak password shared all over. But for important stuff (paypal, online banking, email, shells, etc) I use strong passwords that rarely duplicate.
For me, this is the best combination of convenience and security.
"I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.