Slashdot Mirror


The Case For Lousy Passwords

itwbennett writes "Since the Gawker and McDonald's hack attacks, the web has been overrun with admonishments against using weak passwords. But weak passwords have their place too, says blogger Peter Smith. Like, for example, on Gawker, where he really doesn't care if it gets cracked. 'Life is too short to be worrying about 24 character passwords for trivial sites,' says Smith. And, to put things in perspective, your good passwords are pretty weak too. In a 2007 Coding Horror article, Jeff Atwood points out that the password "Fgpyyih804423" was cracked in 160 seconds by the Ophcrack cracker."

16 of 343 comments

  1. Bad usernames too by alphatel · Score: 4, Interesting

    Anytime I visit a site that wants a signup, I use a garbage email account, with the same username and weak password. If someone hacks my identity, it's not even "me".
    It's not as if the right to post or read is such a valuable commodity that can't be replicated next time you visit the site.

    --
    When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    1. Re:Bad usernames too by Anonymous Coward · Score: 4, Funny

      Anytime I visit a site that wants a signup, I don't bother signing up.

    2. Re:Bad usernames too by Anonymous Coward · Score: 5, Funny

      Look, it didn't even take me three minutes to crack his account.

    3. Re:Bad usernames too by eln · Score: 4, Funny

      If none of these work, register an account with a throwaway email address (mailinator etc.) and share it on bugmenot and its clones.

      This seems like a good idea in theory, but it can backfire. For example, I used to use a particular email address for certain...less reputable sites. Since those sites occasionally do various email verification things, I had to check that email address every so often, so I couldn't just throw it away. Over time, I started to use that address for more and more sites until I eventually remembered that address better than my actual email address. After that, it wasn't long before I instinctively started using it for *everything*.

      Anyway, long story short my primary email address is now midgetgrannyhorseporn@donttellmywife.org.

    4. Re:Bad usernames too by sideslash · Score: 5, Funny

      Yeah, bugmenot is cool. I use it for my online banking.

    5. Re:Bad usernames too by stonewallred · Score: 4, Funny

      So you are the prick that made me have to use midgetgrannyhorseporn22@donttellmywife.org.

  2. people write down hard passwords by alen · Score: 4, Insightful

    One time I worked at a place where every 6 months they would randomly change your password to a random 8-letter string of letters, numbers and a special character, and your username was some cryptic combination of initials, numbers and department. Needless to say, most people would keep a copy under the keyboard. Meanwhile the admins thought they were James Bond with their cool security.

    1. Re:people write down hard passwords by hey! · Score: 5, Insightful

      Actually having a hard password and writing it down is not such a bad idea. It's leaving the password under the keyboard that's a bad idea.

      Look at it this way. That guy driving a Ferrari around town unlocks it with a key that *anyone* can use. It's reasonably safe, however, because he keeps the key in his pocket.

      Of course, wallets get stolen. So what you do is this: you generate a strong eight-character password, print it on a laminated card and keep it in your pocket. You choose a memorable six-character password and keep it in your head. Then concatenate the two to form your working password. That's the poor man's two-factor security.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  3. 160 seconds? Windows? Bad example by fahlenkp · Score: 5, Interesting

    Why on earth are they mentioning how fast rainbow tables can break an old Windows hash? That has nothing to do with most pages running Apache on Linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP. Get it, worth their salt? Lololol. Anyhow, why is the Windows example being used in this article at all?

  4. Unrealistic time to crack a password? by GreatBunzinni · Score: 4, Insightful

    The Coding Horror article claims that the given password was "cracked" in 160 seconds with a cracker kit, but it fails to mention that it is a brute force attack where the attacker has physical access to the system (the cracker software is a bootable DVD, for fuck's sake). Meanwhile, in the real world, this sort of attack is practically impossible to pull off against any site which has any semblance of security. I mean, you only need to place a delay of a fraction of a second between login attempts to drive the time needed to "crack" the login/password combo to months, if not years. Add to that the fact that it has become pretty much standard for sites to simply block any login attempt after N failed attempts, and this reference to this so-called cracking software goes from irrelevant to pathetic.

    --
    Slashdot, fix your code or at least hire someone who is competent at it to do it for you.
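
The two defences the post above names, a delay between attempts and a block after N failures, as an added example in Python (not code from the thread or from Slashdot). The limits, the account name and the injected clock are assumed values chosen so the logic can be exercised without sleeping.

```python
# Added example (not from the thread): per-account delay + lockout, as the
# post suggests. Limits and the injected clock are assumed values.
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

@dataclass
class LoginThrottle:
    max_failures: int = 5            # block the account after this many misses
    lockout_seconds: float = 900.0   # how long the block lasts
    base_delay: float = 0.5          # delay after the first miss; doubles per miss
    clock: Callable[[], float] = time.monotonic   # injectable for testing
    # account -> (consecutive failures, time of the last failure)
    _fails: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def is_locked(self, account: str) -> bool:
        count, last = self._fails.get(account, (0, 0.0))
        if count < self.max_failures:
            return False
        if self.clock() - last >= self.lockout_seconds:
            self._fails.pop(account, None)   # lockout expired, start fresh
            return False
        return True

    def required_delay(self, account: str) -> float:
        """Seconds to wait before replying, so guesses cannot run at line rate."""
        count, _ = self._fails.get(account, (0, 0.0))
        return 0.0 if count == 0 else self.base_delay * 2 ** (count - 1)

    def record_failure(self, account: str) -> None:
        count, _ = self._fails.get(account, (0, 0.0))
        self._fails[account] = (count + 1, self.clock())

    def record_success(self, account: str) -> None:
        self._fails.pop(account, None)

def attempt_login(throttle: LoginThrottle, account: str, password: str,
                  verify: Callable[[str, str], bool]) -> Tuple[bool, float]:
    """One attempt: returns (accepted, seconds the server should wait before
    replying). A locked account is refused without checking the password; the
    caller should still send the same generic error as for a wrong password."""
    if throttle.is_locked(account):
        return False, 0.0
    delay = throttle.required_delay(account)
    if verify(account, password):
        throttle.record_success(account)
        return True, delay
    throttle.record_failure(account)
    return False, delay
```

Keying the counter on the account rather than only on the source IP is what makes "careful guessing from multiple hosts" no faster than guessing from one.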
  5. Passwords are stupid by betterunixthanunix · Score: 5, Insightful

    Passwords are a very poorly designed security mechanism, yet no matter how many times this is pointed out, people still seem to think that the solution is to educate users about password security. Human brains just do not generate or remember random strings very well, and it is ludicrous to expect users to do so. Of course, passwords will always be around because password based systems are convenient.

    --
    Palm trees and 8
  6. Re:Password keychains? by mcvos · Score: 4, Insightful

    And then you only need to figure out how to sync those various keyrings across multiple PCs, browsers, OSs and smartphones. Easy as pie, right?

    As you can probably guess, I use the same, simple password for every single web forum. I use complex passwords only for stuff that matters: my computers, my banking site, my PayPal account (until I canceled it), etc.

    What really pisses me off, by the way, is when sites want to restrict my choice of password. The most stupid example is my bank, which doesn't allow (most?) non-alphanumeric characters in a password. Then there are completely unimportant webfora that insist my password has to be at least 8 characters long and contain letters, numbers and non-alphanumeric characters.

  7. This is why... by RivenAleem · Score: 5, Funny

    12345 has always worked for me, on every site I've used. Some sites require a 6, and some even 7 and 8. I've never been hacked once!

    I'd also like to add that I'm a giant douche and a poopy-head!

  8. Lastpass by defaria · Score: 5, Informative

    In a word - Lastpass. 'Nuff said.

  9. TFS Fail... by fuzzyfuzzyfungus · Score: 4, Interesting

    The summary makes the incredibly naive and misleading mistake of conflating online trial-and-error attacks with offline hash attacks.

    Against a system you do not control, the system has total power over how frequently you may try a username/password combination, how informative it is about your success/failure (i.e. does it just say "no", does it say "wrong password", does it say "username not recognized"?), as well as being able to, if it wishes, just start ignoring all attempts from your IP/terminal or all attempts against a specific account (subject to the risk of denial of service techniques exploiting this). In this scenario, the difference between a terrible password and an OK password is enormous. 12345 or 'password' are quite likely to be simple enough to crack by trial and error, even against a remote system. Modestly more complex ones will either be impossible or require days/weeks of low-speed guessing, or careful guessing from multiple hosts.

    With an offline hash attack, you have total control over the hashes, and the only limiting factor in how fast you can attack them is your computer (and hash attacks generally parallelize really well). Here, the difference between a terrible password and a merely mediocre one will likely be less than the refresh rate of the attacker's monitor, and the difference between an OK password and a superb one will still be fairly small. Only a password so good that it is basically a nonstandardized type of private key will be of any use. However, offline hash attacks only happen against compromised systems; you can't get the hash table otherwise. They are an excellent argument for not re-using passwords, since systems get cracked all the time; but they are of only limited relevance in discussing the importance of password complexity, or lack thereof, for online attack scenarios...
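
The online-versus-offline contrast in the post above, put into numbers as an added example in Python (not code from the thread or from any poster). The guess rates are assumed, illustrative orders of magnitude, and the keyspaces are for the two passwords the summary and this thread mention.

```python
# Added example (not from the thread): how much password strength buys you
# against online guessing versus an offline hash attack. All rates below are
# assumed illustrative values, not measurements.

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly this length."""
    return alphabet_size ** length

def online_guess_rate(max_failures: int, lockout_seconds: float) -> float:
    """Guesses per second against ONE account when the server blocks it for
    lockout_seconds after max_failures misses (per-account lockout, so more
    attacking hosts do not raise this; a per-IP-only lockout would)."""
    return max_failures / lockout_seconds

def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Average time to hit one uniformly chosen password: half the keyspace."""
    return (space / 2) / guesses_per_second

def human(seconds: float) -> str:
    """Rough human-readable duration."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def compare(alphabet_size: int, length: int, online_rate: float,
            fast_hash_rate: float, slow_hash_rate: float) -> dict:
    """Expected crack time under the three scenarios the thread contrasts."""
    space = keyspace(alphabet_size, length)
    return {
        "online": expected_seconds(space, online_rate),
        "offline_fast_hash": expected_seconds(space, fast_hash_rate),
        "offline_slow_hash": expected_seconds(space, slow_hash_rate),
    }

if __name__ == "__main__":
    ONLINE = online_guess_rate(5, 900)      # 5 tries per 15 minutes (assumed)
    FAST = 1e10    # unsalted fast hash on GPU hardware (assumed order of magnitude)
    SLOW = 1e4     # deliberately slow password hash (assumed order of magnitude)
    for label, alphabet, length in (("digits x5, e.g. 12345", 10, 5),
                                    ("alnum x8", 62, 8),
                                    ("alnum x13, e.g. Fgpyyih804423", 62, 13)):
        r = compare(alphabet, length, ONLINE, FAST, SLOW)
        print(f"{label:32} online {human(r['online']):>18}  "
              f"fast hash {human(r['offline_fast_hash']):>18}  "
              f"slow hash {human(r['offline_slow_hash']):>18}")
```

The 160-second figure in the summary is a rainbow-table hit on an old Windows hash, which this brute-force model does not cover; the table shows why lockout dominates the online case while a slow hash is what matters once the hash table has leaked.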

  10. Re:Password keychains? by Red+Flayer · Score: 4, Funny

    Tell them your mother's maiden name is ct!h0Zf&.

    I usually just tell them my mother's maiden name is cthulhu, and then the bank gives me all their money.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai