Slashdot Mirror


The Case For Lousy Passwords

itwbennett writes "Since the Gawker and McDonald's hack attacks, the web has been overrun with admonishments against using weak passwords. But weak passwords have their place too, says blogger Peter Smith. Like, for example, on Gawker, where he really doesn't care if it gets cracked. 'Life is too short to be worrying about 24 character passwords for trivial sites,' says Smith. And, to put things in perspective, your good passwords are pretty weak too. In a 2007 Coding Horror article, Jeff Atwood points out that the password "Fgpyyih804423" was cracked in 160 seconds by the Ophcrack cracker."

9 of 343 comments

  1. Hard passwords just lead to post-its, even more so by Joe The Dragon · Score: 3, Insightful

    Hard passwords just lead to post-its, even more so if you need to change it all the time and can't reuse old ones or even parts of old ones.

  2. People write down hard passwords by alen · Score: 4, Insightful

    One time I worked at a place where every 6 months they would randomly change your password to a random 8-letter string of letters, numbers and a special character. And your username was some cryptic combination of initials, numbers and department. Needless to say, most people would keep a copy under the keyboard. Meanwhile the admins thought they were James Bond with their cool security.

      1. Re:People write down hard passwords by hey! · Score: 5, Insightful

      Actually having a hard password and writing it down is not such a bad idea. It's leaving the password under the keyboard that's a bad idea.

      Look at it this way. That guy driving a Ferrari around town unlocks it with a key that *anyone* can use. It's reasonably safe, however, because he keeps the key in his pocket.

      Of course, wallets get stolen. So what you do is this: you generate a strong eight character password, print it on a laminated card and keep it in your pocket. You choose a memorable six character password and keep it in your head. Then concatenate the two to form your working password. That's poor man's two factor security.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.

  3. Unrealistic time to crack a password? by GreatBunzinni · Score: 4, Insightful

    The Coding Horror article claims that the given password was "cracked" in 160 seconds with a cracker kit, but it fails to mention that it is a brute force attack where the attacker has physical access to the system (the cracker software is a bootable DVD, for fuck's sake). Meanwhile, in the real world, this sort of attack is practically impossible to pull off against any site which has any semblance of security. I mean, you only need to place a delay of a fraction of a second between login attempts to drive the time needed to "crack" the login/password combo to months, if not years. Add to that the fact that it has become pretty much standard for sites to simply block any login attempt after N failed attempts, and this reference to this so-called cracking software goes from irrelevant to pathetic.

    --
    Slashdot, fix your code or at least hire someone who is competent at it to do it for you.

  4. Passwords are stupid by betterunixthanunix · Score: 5, Insightful

    Passwords are a very poorly designed security mechanism, yet no matter how many times this is pointed out, people still seem to think that the solution is to educate users about password security. Human brains just do not generate or remember random strings very well, and it is ludicrous to expect users to do so. Of course, passwords will always be around because password based systems are convenient.

    --
    Palm trees and 8

  5. Re:Password keychains? by mcvos · Score: 4, Insightful

    And then you only need to figure out how to sync those various keyrings across multiple PCs, browsers, OSs and smartphones. Easy as pie, right?

    As you can probably guess, I use the same, simple password for every single web forum. I use complex passwords only for stuff that matters: my computers, my banking site, my PayPal account (until I canceled it), etc.

    What really pisses me off, by the way, is when sites want to restrict my choice of password. The most stupid example is my bank, that doesn't allow (most?) non-alphanumeric characters in a password. Then there are completely unimportant webfora that insist my password has to be at least 8 characters long and contain letters, numbers and non-alphanumeric characters.

  6. Re:160 seconds? Windows? Bad example by Culture20 · Score: 3, Insightful

    The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP.

    I'm sure you've noticed from your logs that brute force attempts are made from botnets now too? A lot harder to block.
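
The throttling that comment #3 (GreatBunzinni) describes, a sub-second delay between attempts plus a lockout after N failures, and the botnet point comment #6 (Culture20) raises, are easy to put numbers on. The following is an added example, not code from the thread or any of its posters: a small per-key login throttle, an attack stream that sprays wrong guesses at one account from a rotating pool of addresses, and a count of how many guesses actually reach the password comparison depending on whether the counter is keyed by account or by source address. All policy constants, the bot count and the guess rate are constructed assumptions.

```python
"""Added example: models the delay-plus-lockout throttle from comment #3
and shows why it must be keyed by account, not by source IP, once the
guesses arrive from a botnet (comment #6). Not code from the thread;
every constant and the attack stream are illustrative assumptions."""

# Assumed policy values (not taken from any real site).
MAX_FAILS = 5          # failures before the key is locked out
LOCKOUT_MS = 900_000   # 15 minute lockout
MIN_DELAY_MS = 500     # minimum spacing between attempts on one key


class LoginThrottle:
    """Failure counter per key. key_fn decides what the limit is tied to:
    the account name or the client address."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.fails = {}
        self.last_attempt = {}
        self.locked_until = {}

    def allowed(self, attempt, now_ms):
        key = self.key_fn(attempt)
        if self.locked_until.get(key, 0) > now_ms:
            return False          # still inside the lockout window
        last = self.last_attempt.get(key)
        if last is not None and now_ms - last < MIN_DELAY_MS:
            return False          # faster than the enforced delay
        return True

    def record(self, attempt, now_ms, success):
        key = self.key_fn(attempt)
        self.last_attempt[key] = now_ms
        if success:
            self.fails[key] = 0
            return
        self.fails[key] = self.fails.get(key, 0) + 1
        if self.fails[key] >= MAX_FAILS:
            self.locked_until[key] = now_ms + LOCKOUT_MS
            self.fails[key] = 0


def evaluated_guesses(attempts, throttle, correct):
    """Count the guesses that reach the password comparison at all.
    attempts: iterable of (time_ms, user, src_addr, guess)."""
    n = 0
    for now_ms, user, src_addr, guess in attempts:
        attempt = (user, src_addr)
        if not throttle.allowed(attempt, now_ms):
            continue              # rejected before any comparison happens
        n += 1
        throttle.record(attempt, now_ms, guess == correct)
    return n


def botnet_stream(hours=1, guesses_per_second=10, bots=1000, user="victim"):
    """Constructed attack: wrong guesses at one account for `hours`, each
    guess sent from the next of `bots` distinct source addresses."""
    total = hours * 3600 * guesses_per_second
    interval_ms = 1000 // guesses_per_second
    for i in range(total):
        yield (i * interval_ms, user, f"bot{i % bots}", f"guess{i}")


def compare(correct="Fgpyyih804423"):
    """Guesses evaluated in one hour under three policies."""
    by_account = LoginThrottle(lambda a: a[0])   # keyed by user name
    by_address = LoginThrottle(lambda a: a[1])   # keyed by source address
    return {
        "unthrottled": sum(1 for _ in botnet_stream()),
        "per_account": evaluated_guesses(botnet_stream(), by_account, correct),
        "per_address": evaluated_guesses(botnet_stream(), by_address, correct),
    }


def years_to_exhaust(length, alphabet, guesses_per_hour):
    """Years to try every string of `length` over an `alphabet`-symbol set
    at the given online guess rate."""
    return (alphabet ** length) / guesses_per_hour / (24 * 365)


if __name__ == "__main__":
    rates = compare()
    print(rates)
    # 13 alphanumeric characters (62 symbols) at the per-account rate
    print(years_to_exhaust(13, 62, rates["per_account"]))
```

With the assumed policy, one hour of 10 guesses per second yields 36,000 unthrottled attempts, but only 20 reach the comparison when the counter is keyed by account (5 per lockout cycle, 4 cycles), whereas keying by source address alone lets a 1,000-bot pool get 15,000 through, because each bot individually stays under the limit. The per-account figure is what makes the offline "160 seconds" number irrelevant online: at 20 guesses per hour the 62^13 keyspace of the example password takes on the order of 10^18 years to exhaust.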

  7. Ophcrack by Kiaser Zohsay · Score: 3, Insightful

    If "Fgpyyih804423" had at least one non-alphanumeric character in it, it would have survived at least the free download of Ophcrack.

    --
    I am not your blowing wind, I am the lightning.

  8. Re:Password keychains? by clone52431 · Score: 3, Insightful

    Yeah, I just registered an online banking account and their password requirements were 8-12 characters, no special characters.

    WTF people?

    But then they use security questions as a second line of defense, which is just another password, and a much longer and therefore stronger one at that (if it’s done properly – which most people don’t do, of course). Now, hopefully they’d require someone logging in from an unrecognized IP address to pass a security question...

    --
    Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.