Passwords That Are Simple — and Safe

TravisTR submitted a story that talks about simpler passwords. I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain, but I'm not sure that allowing unique but simpler passwords is a better idea.

Write it down

[glittermage]

Just write down your password in a convenient & easily accessible location near entry point. Problem solved.

My favorite

[DNS-and-BIND]

I just love being required to use a SECURE PASSWORD for something totally meaningless like a forum or shopping cart. It usually goes like this: 1) Password rejected! All passwords must contain numbers. 2) Password rejected! All passwords must contain mixed case. 3) Password rejected! All passwords must contain at least one symbol. 4) Password rejected! Use only ASCII, ¥ and © are not allowed. 5) Password rejected! Your account has been disabled and a 24 hour block has been placed on your IP address. Please call customer service, the number is on another page of our website.

Re:My favorite

[boneclinkz]

Amen. I get so tired of that nonsense. Look, I really don't care if somebody breaks into my Bell Tire Discount Club forum account. I'd much rather just use "passw0rd" than have to come up with a 76-character string that includes both upper and lower-case, at least one special character, at least one numeral, a Latin proverb, the last four digits of my social security number, and a passage from the Necronomicon.

Re:SImple non-dictionary passwords

[alexo]

My wife won't go down on me since we got married! : Mww'tgdomswgm!

Bad password. Too common.

Re:changing passwords frequently makes no sense

[hal2814]

There's not always a sticky note on the monitor. Some people are security conscious. They hide the sticky under their mouse pad. Because really... who would ever think to look there?

Re:Simple

pneumonic

Its a system of password management based on lung disease.

Re:Compuserv had it right

[jandrese]

Interesting. According to the internet, the average educated adult knows about 20,000 words. Assuming a loose definition of "punctuation" we have about 32 punctuation keys on the keyboard. This means there are around 12,800,000,000 possible passwords under that system. That compares alright (but not spectacularly) to 8 random lowercase letters (208,827,064,576 combinations). It falls completely on its face against requirements like "add random punctuation, numbers, and at least one capital letter (6,095,689,385,410,816 combinations).

12 billion sounds like something a computer could brute force these days, although it depends a lot on the algorithm.

This is also why on Windows you want to have a 15+ character password. For 14 characters and below, Windows stores the passwords as two 7 byte fields for backwards compatibility purposes (darn Windows 95/98!). This is bad because a 7 byte field with just lowercase letters has only 8,031,810,176 combinations, 16 million if you use the full 14 characters, but most people have 8 character passwords for historical reasons (DES salt length of all things), and that last character is basically worthless. It's a bit of a pain, but 15 character passwords can be made reasonable (assuming your security policy doesn't require 25% punctuation or something) and will be stored a much more secure way on Windows hosts.

Best password ever.

[trevdak]

I set my password to "********". Eight asterisks. That way, if anyone ever cracks it or uses a keylogger or something, they'll say "What the hell? I still can't see it." If I need my password to be extra secure, I throw a few more asterisks in there.

Re:Best password ever.

Nah, your password really is "hunter2".

Re:Simple

[The+Clockwork+Troll]

consumption be done about it?

Re:deh.

[MrEricSir]

By any chance, is "deh" your password?