Passwords That Are Simple — and Safe (?)
TravisTR submitted a story that talks about simpler passwords. I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain, but I'm not sure that allowing unique but simpler passwords is a better idea.
Why not use simple words that can't easily be found using a dictionary brute force?
And most hacked accounts come from shitty secret questions/answers that let you change the password.
Call it a "passphrase." Ban that other word.
Just write down your password in a convenient & easily accessible location near entry point. Problem solved.
Stop using passwords and move on to passphrases. They can be fairly long and still easy to remember. Increasing the number of characters does more to make something hard to crack than adding more symbols does.
Hell, a phrase like "Purple Elephants make for a rough Work Day" is much harder to crack than "1qaz@WSX3edc$RFV"
It may make dictionary attacks more effective but it will completely destroy brute force methods. Of course the biggest issue is still social engineering so it is still a mostly moot point once you get past trivial passwords.
I'll meet you at the intersection of "Should be" and "Reality"
The best passwords I've used are non-dictionary but pronounceable words. The simplest way to generate one is to alternate consonants and vowels, for example 'lasopedi'. It's easy to remember because your brain can store it as a word, not as a random series of letters. You can add uppercase letters, symbols, or numbers if you want it more complex, like 'lasoPedi2!', which is still pretty easy to remember.
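An added worked example (not code from any poster in this thread) that puts numbers on the two comments above: the passphrase and the symbol string under a brute-force model and a dictionary model, and the consonant/vowel scheme under a guesser that knows the pattern. The 20,000-word dictionary size and the 1e10 guesses/s rate are assumptions chosen for illustration.

```python
import math
import string

# Character classes a brute-force attacker must enumerate; space counts as a
# symbol because passphrases contain it.
CLASSES = (set(string.ascii_lowercase), set(string.ascii_uppercase),
           set(string.digits), set(string.punctuation + " "))
VOWELS = set("aeiou")
CONSONANTS = set(string.ascii_lowercase) - VOWELS

def brute_force_bits(pw: str) -> float:
    """Upper bound: enumerate every string of len(pw) over the classes that
    appear in pw. Any structure the attacker can model only shrinks this."""
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(alphabet)

def dictionary_bits(phrase: str, dict_size: int) -> float:
    """Dictionary model: each word drawn from dict_size words, optionally
    capitalised (+1 bit); word count and separator assumed known."""
    return len(phrase.split()) * (math.log2(dict_size) + 1)

def pronounceable_bits(pw: str):
    """Consonant/vowel alternation scheme: 21 choices per consonant slot, 5 per
    vowel slot, +1 bit for which kind leads. None if pw breaks the pattern."""
    kinds = [c in VOWELS if c in VOWELS or c in CONSONANTS else None for c in pw]
    if None in kinds or any(a == b for a, b in zip(kinds, kinds[1:])):
        return None
    vowels = sum(kinds)
    return vowels * math.log2(5) + (len(pw) - vowels) * math.log2(21) + 1

def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try the whole space at an assumed offline rate
    (1e10/s is an assumed stand-in for a fast hash on GPU hardware)."""
    return 2 ** bits / guesses_per_second / (365 * 86400)

if __name__ == "__main__":
    phrase = "Purple Elephants make for a rough Work Day"  # from the thread
    soup = "1qaz@WSX3edc$RFV"                               # from the thread
    for label, bits in (
        ("phrase, brute force", brute_force_bits(phrase)),
        ("phrase, 20k-word dictionary", dictionary_bits(phrase, 20_000)),
        ("symbol soup, brute force", brute_force_bits(soup)),
        ("'lasopedi', brute force", brute_force_bits("lasopedi")),
        ("'lasopedi', pronounceable scheme", pronounceable_bits("lasopedi")),
    ):
        print(f"{label:34s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2g} years")
```

The pronounceable scheme is the one to watch: "lasopedi" looks like 37.6 bits to a brute-forcer but under 28 bits to a guesser that knows the consonant/vowel rule, which is why the brute-force figure should be read as a ceiling, not a guarantee.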
The best passwords I've found are sentences translated into passwords. For example:
My phone number is 555-234-2344 : Mp#i555-234-2344
I live at 2202 Park Street : Il@2202PSt
Four score and seven years ago : 4Sa7ya...
My wife won't go down on me since we got married! : Mww'tgdomswgm!
Whatever. You get the idea. All you have to remember is the sentence.
There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
I assume this is when someone uses a captive bolt gun to threaten you to reveal your password...
This is a misconception. Forcing the user to write down a password allows the password to be much longer, and probably much more impervious to attack over the network. The fact that it's written down makes the password as insecure as the place where it's written down. If that place is behind a locked door, perhaps in the room containing the protected machine itself, then the password is about as secure as you could expect, since if someone can get into that room they're going to have access to everything that password protects, password or no. A sheet of paper in a wallet is also valid, since people keep extremely valuable bits of information that can be easily changed and cancelled in their wallet as well.
Encryption keys require a different sort of discipline, but again, just because something is memorizable doesn't mean it's absolutely better than something written down, or contained in a separate, secure place.
You have to ask, "what is this password protecting?" If it's protecting a box from network attack, PLEASE FOR THE LOVE OF GOD USE BIG PASSWORDS AND WRITE THEM DOWN! If you're protecting data from more, ah, physical or intimate incursion, a memorized password is a start, but it had better not be the only part of the puzzle. Since network attacks are a much bigger problem these days than someone breaking into your house, the first solution is probably going to be much more practical and effective.
Don't blame me, I voted for Baltar.