Slashdot Mirror


A Brief Sony Password Analysis

troyhunt writes "With all this [Sony] customer data now unfortunately out there for public viewing, I thought it would be interesting to do some analysis on password practices. There are some rather alarming (although not entirely surprising) findings including: 36% of passwords appear in a common password dictionary. 50% of passwords are 7 characters or less. 67% of accounts on both Sony and Gawker use the same password. 82% of passwords are lowercase alphanumeric of 9 characters or less. 99% of passwords don't contain a single non-alphanumeric character."
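The five percentages in the submission are simple predicates over a column of plaintext passwords, plus a join on e-mail address for the reuse figure. The following is an added example, not Troy Hunt's script or any code from the original page; it computes the same figures over constructed sample records (both "dumps" and the common-password list below are made up and stand in for the real data and a real wordlist):

```python
"""Headline statistics for a leaked credential set (added example).

Inputs are constructed: SONY_RECORDS and GAWKER_RECORDS are a handful of
made-up email/password pairs standing in for the real dumps, and
COMMON_PASSWORDS stands in for a real common-password wordlist.
"""
import string
from collections import Counter

# Constructed stand-in for a common-password dictionary.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123",
    "letmein", "seinfeld", "baseball", "monkey", "iloveyou",
}

# Constructed sample records: (email, plaintext password).
SONY_RECORDS = [
    ("alice@example.com", "password"),
    ("bob@example.com", "seinfeld"),
    ("carol@example.com", "123456"),
    ("dave@example.com", "Tr0ub4dor&3"),
    ("erin@example.com", "qwerty"),
    ("frank@example.com", "ps3fan88"),
    ("grace@example.com", "Summer2011"),
    ("heidi@example.com", "letmein"),
    ("ivan@example.com", "correcthorse"),
    ("judy@example.com", "abc123"),
]
GAWKER_RECORDS = [
    ("Alice@Example.com", "password"),   # same person, differently cased email
    ("bob@example.com", "Seinfeld1"),
    ("carol@example.com", "123456"),
    ("erin@example.com", "qwerty"),
    ("kim@example.com", "hunter2"),
    ("leo@example.com", "monkey"),
]

LOWER_ALNUM = set(string.ascii_lowercase + string.digits)
ALNUM = set(string.ascii_letters + string.digits)


def load(records):
    """Build email -> password, normalising the email so the same person
    in two dumps matches even when the case or whitespace differs."""
    return {email.strip().lower(): pw for email, pw in records}


def in_dictionary(pw):
    return pw.lower() in COMMON_PASSWORDS


def short(pw, limit=7):
    return len(pw) <= limit


def lower_alnum_short(pw, limit=9):
    return len(pw) <= limit and set(pw) <= LOWER_ALNUM


def no_symbol(pw):
    return set(pw) <= ALNUM


def percent(pred, pws):
    return round(100.0 * sum(1 for pw in pws if pred(pw)) / len(pws), 1)


def analyse(dump):
    """The headline figures from the submission, computed on one dump."""
    pws = list(dump.values())
    return {
        "in_common_dictionary": percent(in_dictionary, pws),
        "length_7_or_less": percent(short, pws),
        "lower_alnum_9_or_less": percent(lower_alnum_short, pws),
        "no_non_alphanumeric": percent(no_symbol, pws),
        "length_histogram": dict(sorted(Counter(len(pw) for pw in pws).items())),
    }


def reuse_rate(dump_a, dump_b):
    """Percent of accounts present in BOTH dumps that use the identical
    password. Only accounts seen on both sides are counted; that is the
    denominator behind a cross-site reuse figure like the 67% above."""
    shared = set(dump_a) & set(dump_b)
    if not shared:
        return 0.0
    same = sum(1 for email in shared if dump_a[email] == dump_b[email])
    return round(100.0 * same / len(shared), 1)


if __name__ == "__main__":
    sony, gawker = load(SONY_RECORDS), load(GAWKER_RECORDS)
    for name, value in analyse(sony).items():
        print(f"{name}: {value}")
    print(f"reuse across dumps: {reuse_rate(sony, gawker)}%")
```

The reuse figure is only meaningful over the intersection of the two account sets, matched on a normalised e-mail address; a raw string match on the address column would miss the `Alice@Example.com` case and understate reuse.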

276 comments

  1. Is Sony now in the banking business? by Anonymous Coward · · Score: 1

    Who cares? I don't waste good passwords on trivial online services.

    Know what's important to protect and create passwords appropriately.

    1. Re:Is Sony now in the banking business? by j00r0m4nc3r · · Score: 3, Insightful

      I guess credit card data is not important to protect

    2. Re:Is Sony now in the banking business? by somersault · · Score: 2

      Bah! I don't waste good passwords on trivial things like money!

      --
      which is totally what she said
    3. Re:Is Sony now in the banking business? by Anonymous Coward · · Score: 0

      I guess credit card data is not important to protect

      Wow, I didn't realize they were collecting credit card information for sweepstakes entries, which is the data that this article is analyzing.

    4. Re:Is Sony now in the banking business? by Anonymous Coward · · Score: 0

      You're right. How important is $50 to you?

    5. Re:Is Sony now in the banking business? by Big+Smirk · · Score: 1

      If Sony had my credit card info, then that would make sense. They don't and based on recent history they are either not good enough at security, or too lucrative of a target, so they won't get identifiable information.

      Quite frankly, I don't even know the user name I used.

      It's just a game console to me

      --
      TODO: create/find/steal funny sig.
    6. Re:Is Sony now in the banking business? by Anonymous Coward · · Score: 5, Insightful

      This case underlines the futility of long passwords. Everyone's data was exposed no matter how strong they were.

      It does however underline the importance of compartmentalisation. Don't reuse passwords between sites.

    7. Re:Is Sony now in the banking business? by Anonymous Coward · · Score: 1

      My /. account named Anonymous Coward is priceless, so it gets a special 30-character password.

    8. Re:Is Sony now in the banking business? by jhoegl · · Score: 1

      OP point is valid.
      The only reason people know your Sony password isn't because your account at Sony was brute forced.
      It's because Sony is lackadaisical in their patching and security efforts.
      Seriously, no one brute forces anymore unless it is against an offline database that they downloaded from the site in question.

    9. Re:Is Sony now in the banking business? by Anonymous Coward · · Score: 0

      I could not agree more. My account had the longest hardest password ever known to man or alien - past, present and future. It didn't help.

    10. Re:Is Sony now in the banking business? by sangreal66 · · Score: 1

      You're not even liable for $50 if your credit card number is stolen. That number is the maximum liability if your physical card is stolen (and you report it such). You cannot be held liable for anything if the card remains in your possession. This is regulated in federal law (FCBA) and not subject to bank policies.

      So no, it isn't that important for you to protect. That is a problem between the vendor and the bank.

    11. Re:Is Sony now in the banking business? by JustOK · · Score: 2

      That's the same as I have for my luggage.

      --
      rewriting history since 2109
    12. Re:Is Sony now in the banking business? by dgatwood · · Score: 1

      My Facebook account got brute forced just a few months ago. It still happens.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    13. Re:Is Sony now in the banking business? by Lumpy · · Score: 2

      Only a fool gives their credit card to everything.

      MY Xbox live account is a simple password. and I'm not dumb enough to give them my credit card. I use their prepaid cards to keep their fingers out of my finances.

      --
      Do not look at laser with remaining good eye.
    14. Re:Is Sony now in the banking business? by Anonymous Coward · · Score: 0

      Unless, of course, you don't care about the account.

      I mean, who cares if your Gawker account, of all things, got cracked? OHNOES! So long as you don't use that same email/password combo for, say, your bank or email account (or these days, Facebook... FB accounts can be used to attack others, and so you're not so much protecting yourself as your friend network), then who really gives a shit?

    15. Re:Is Sony now in the banking business? by BrokenHalo · · Score: 1

      As a matter of interest, how can you be sure it was brute-forced rather than subjected to some other form of cracking, e.g. via dodgy cookies or some form of compromised admin access? I don't have (or want) a facebook account, so I haven't heard whether or not facebook offers history of failed logins to users.

    16. Re:Is Sony now in the banking business? by medoc · · Score: 1

      Long passwords are still useful if the supplier behaves responsibly (ssl connection + salted hash storage only).

    17. Re:Is Sony now in the banking business? by Anubis+IV · · Score: 2

      Exactly. I use 1Password to generate and store all of my passwords, and apparently I fell into the 1% that used a non-alphanumeric character in their password. Mine was a 16-character password that mixed caps, numbers, and symbols, and it was unique to PSN, so I've had pretty decent peace of mind when it comes to my password.

      Unfortunately, I lacked the forethought to not keep my credit card information on file with them. :/

    18. Re:Is Sony now in the banking business? by Anonymous Coward · · Score: 0

      If you're using ssl connection and salted hash storage, I fail to see how a long password is useful (define long ?).

      I mean it's not like a dictionary attack on your website is going to crack a password with 6-8 characters (which doesn't count as long for me) in less time than it needs to block the attack (for instance lock the account for 5 minutes after 3 missed trials and a dictionary attack would take years if not centuries to complete)

    19. Re:Is Sony now in the banking business? by dgatwood · · Score: 1

      I seldom use Facebook anywhere other than on my own home network, my company's network, or a cellular network (none of which are very likely to result in cookie attacks). It's certainly possible that it was attacked in some other way, but the likelihood of that is fairly low.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    20. Re:Is Sony now in the banking business? by Anonymous Coward · · Score: 1

      Well, it depends. It IS important to protect if you use the number for anything and value your time. For example, if you use the card for say monthly cable service billing, maybe TiVo billing, NetFlix account, etc. it gets pretty annoying to have to remember each place you used it and update them all appropriately when you get issued a new number. If you forget one or two of the places you use it you get declined and possibly canceled service. Very annoying and makes it worth it for me to protect my numbers. Your mileage may vary of course.

    21. Re:Is Sony now in the banking business? by medoc · · Score: 1

      We're talking about a case where supplier storage is compromised here (if I got the sony case right). So this is not about trying to log in but about breaking the hash. See:
        http://it.slashdot.org/story/11/06/05/2028256/Cheap-GPUs-Rendering-Strong-Passwords-Useless

    22. Re:Is Sony now in the banking business? by Kelbear · · Score: 1

      Instead of memorizing passwords for everything I log into, I just memorize 1 process for every site.

      For example, if I just translate every other letter into its numbered position in the alphabet, and capitalize on the 3rd letter. Extend the length as needed with the alphabet if the site has a short name. This way you'd have a reasonably strong and individualized password for every site that won't be hard to remember since I repeat it on each site.

      Obviously, this isn't the actual process I use, but it's just one way it could be done.

    23. Re:Is Sony now in the banking business? by obarel · · Score: 1

      How do you buy the prepaid cards? Cash only?

    24. Re:Is Sony now in the banking business? by tycoex · · Score: 1

      Why does it matter? If someone bought a prepaid card with their credit card at Gamestop, how would knowing that person's X-box live password get them access to their credit card info?

    25. Re:Is Sony now in the banking business? by Golddess · · Score: 1

      it gets pretty annoying to have to remember each place you used it and update them all appropriately when you get issued a new number.

      If things worked like they should, you'd need to update all those places roughly every other year anyway when your CCV code and expiration date change. Instead, you've got places that don't even bother asking for the CCV (if they don't need it, why do others?) and that will never once complain about how the expiration date on file is 5+ years expired.

      --
      "I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
    26. Re:Is Sony now in the banking business? by memyselfandeye · · Score: 1

      I seldom use Facebook anywhere other than on my own home network, my company's network, or a cellular network (none of which are very likely to result in cookie attacks). It's certainly possible that it was attacked in some other way, but the likelihood of that is fairly low.

      Then it would still be a problem with the application, FB in this case. Even a 15 minute x5 attempt cool down would prevent the brute force of all but the most trivial of passwords such as - 1234, password, qwerty, "insert last name here". With such a scheme and a "poor" password of low entropy, say a dictionary word and number combination of 5-9 characters, apple6174, it would take E5 years to brute force on average. If you used that password with 1000 different applications, it would still take 273 years no matter how fast your computer is.

      Passwords are useless if the application security is poor. It's no different than having a RSA keycard and sign-out process enforced by security guys who like to take naps. That's why I hate those password strength tools on signup pages. It's better than security by obscurity, but it still obfuscates the fact that a dumb password should still be protected by the application... period!

    27. Re:Is Sony now in the banking business? by Idbar · · Score: 1

      I guess credit data shouldn't be stored in systems that do not comply with PCI standards. Moreover, most of the sites I visit (and I do shopping from), never reveal my credit card information, even to me. Why should it be any different for Sony or any other company?

      There's clear regulation on PCI standards and PNPI that should/shouldn't be stored in their systems. If they are not complying with such, they shouldn't be in the business.

      In any case, I never provide my credit card number to companies until they have shown to have some respect for my information. I use virtual credit card numbers, and also, don't waste my good passwords with them.

    28. Re:Is Sony now in the banking business? by Rob+Kaper · · Score: 1

      I guess credit card data is not important to protect

      It isn't, really.

      All credit card companies take full risk and let you contest any charge for free*. Both reconfirmed this to me, Amex even discouraged me from replacing my card with them because they have monitored zero abuse or strange behaviour so far (CCV numbers were NOT on file IIRC) and do not see the need for immediate action.

      This won't cost me a dime and even in the case of fraud minimal time to sort out and from experience I know any necessary replacement card will arrive within five business days. The biggest risk here is for merchants who deliver services or ship physical goods to non-billing addresses as they might actually lose labour or assets.

      Also, weak-password end-users are blameless here. My relatively weak 6-digit numerical password was apparently good enough that I have never been abused in any way I've ever been able to notice. Fact remains, it was not our passwords that were compromised, it was a system with 77 million PSN accounts. I do use much stronger passwords for other services, but in reality a weak password is an overrated risk. Common breaches are exploits and "Facebook rapes". Also, barely anyone cares about your personal passwords. Corporate ones are valuable. Consumer ones, not so much (again *).

      * At least here in the Netherlands. YMMV, I'm aware that consumer protection might be worse than ours in other parts of the world.

    29. Re:Is Sony now in the banking business? by obarel · · Score: 1

      The point is that you give your card to various people. I'm not sure there's more danger in giving your card to a website than giving your card to Gamestop. Both are using some database, both have employees that would like to cause harm to the business for one reason or another, and both are exposed to other risks (TK Maxx lost details and credit card numbers of customers who shopped in physical shops).

      At one point Sony would not let me add credit to my PSN account (yes, I'm one of them), so I bought a gift card online and used it to buy a game. If you asked me a year ago which of them was more likely to lose my details, I would not have said Sony.

      I'd like to get a pre-paid credit card to use for online shopping, and top it up occasionally. But who's telling me that the prepaid card company would not be hacked? I'm sure Nintendo have heard of Sony, and yet they were also hacked.

      Life is a risky business. We try to minimise the risk, but it doesn't always work. Even if you did say "cash only", there are still enough scams to get people's PINs, and even fake money is not unheard of (I get the occasional forged coin as change).

    30. Re:Is Sony now in the banking business? by Rob+Kaper · · Score: 1

      It doesn't (or better, I'm unaware of it) but it does catch successful logins from unlikely places, which must have eventually happened. It happened to me when I was at a friend's house in Norway. I believe I had to provide extra credentials and I was notified (I think by e-mail) that someone had logged in from Trondheim. Not sure about the details (some of it could have been a trial for Places). Then again, nothing special happened from a Fon hotspot on Madeira (Portuguese island), nor from my new work, so I'm not sure it's still in place.

      Still, most Facebook breaches seem to be "fb rape"s done when someone isn't paying attention to their logged in account, not brute force attacks. The question here is: what kind of people does GP associate with that anyone even cares enough to abuse his account? It's a non-issue for most.

    31. Re:Is Sony now in the banking business? by Rob+Kaper · · Score: 1

      Only a fool gives their credit card to everything.

      A credit card is supposed to be shared with merchants, such as Sony or Microsoft.

    32. Re:Is Sony now in the banking business? by Rob+Kaper · · Score: 1

      Unless your credit card is abused there is no unfortunate consequence to having shared it. Even if you get it replaced, the effort of updating information as needed (you'll still share it with merchants, won't you?) is trivial.

    33. Re:Is Sony now in the banking business? by hedwards · · Score: 2

      I've found that using non-alphanumeric characters in password fields to be problematic. The main reason being that a lot of sites won't let you use them and that it gets to be a real pain in the ass to fill them in at times. On top of which a lot of companies fail miserably at validating the password fields when they're being entered initially.

      In other words, if companies weren't so incompetent when it comes to passwords then we could insist that users enter stronger passwords, as it stands now, if you go for really strong passwords, you're just asking for trouble.

    34. Re:Is Sony now in the banking business? by wwfarch · · Score: 1

      Most credit card companies work such that if a credit card is used fraudulently the merchant will lose their money. Many use the CCV code to help validate the card online. If they don't require a CCV code then somebody could more easily use the card fraudulently which would leave the merchant liable. Essentially some merchants don't require it because they're unaware of this or don't think it's worth the implementation cost.

    35. Re:Is Sony now in the banking business? by Anonymous Coward · · Score: 0
      The point is that you give your card to various people.

      Outside of a restaurant, I can't think of the last time I handed my card to anyone. Even the tiniest gas station has a self swipe pad.

    36. Re:Is Sony now in the banking business? by dgatwood · · Score: 1

      Even a 15 minute x5 attempt cool down would prevent the brute force of all but the most trivial of passwords such as - 1234, password, qwerty, "insert last name here".

      Not when you have a botnet of several million machines, each one trying to gain access to the account. The only way you can prevent a distributed password guessing attack is to block accounts after a number of failed guesses. However, this would also result in locking legitimate users out of their accounts.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    37. Re:Is Sony now in the banking business? by Creepy · · Score: 1

      Personally I rarely use non-alphanumerics in 8 character passwords - why? Because that is not much better than 7 chars if you try and brute force it, and if I were brute forcing it, I'd guess ! as the last char because I've seen far too many people do it (I do not). Many of my passwords are more than 8 chars though.

      As for Sony, I'm in the 1% that used a capital, punctuation, and 8 chars, but also thanks to Sony, my (several years old) password is now 12 chars long and a random string (it is, incidentally, the same as another password I use, but if you breach my work and my work password you can get to the VMWare images I use it on... good luck with that because you also need to figure out the user that password goes with.

    38. Re:Is Sony now in the banking business? by memyselfandeye · · Score: 1

      Isn't that the whole point though? I mean, I would think that sometime between the start of the attack and one-hundred thousand years later a Facebook admin might realize there is an attack on this account and take appropriate measures. And a botnet will not matter, 5 attempts every 15 minutes is 5 attempts every 15 minutes. Sure, a lot of computers can come up with a lot of answers to the question 'what is the password for account XYZ,' but the computer asking the question will only allow 5 answers every 5 minutes. It doesn't matter if there are a billion guesses from a billion people... for 15 minutes there can be only 5.

      Thus, it doesn't matter if it comes from the same computer every time over a period of 10E5 years, or a different computer every time. A modern computer is quite capable of making 5 guesses in 15 minutes, but a trillion computers can't make more than 5 guesses in 15 minutes under this scheme. The only thing that many computers could do would be a DDOS attack against the application gateway/server... and will also bring down service for everyone and not just the account being attacked. (I suppose that many machines could make 'better' guesses, but that is beyond the scope of this argument as even minimum entropy with ideal conditions would still be decades to brute force)

      Heck, under this scheme, a single modern high performance CPU would be more than enough to try and attack all 300 million Facebook accounts with maximum efficiency; it would still take an average of 10E5 years though (1.5 billion guesses every 15 minutes is way less than the 3 billion guesses for a Westmere@3GHz using Base64 encoded SHA1 hashes, for example). And that number will only go up once chips have built-in SHA instructions, but it still won't make the net effect any faster.

      The lesson here - sanitize your SQL, keep the DB away from the web-server, and for God's sake make sure the application has a modicum of preventative circuit breakers and you will stop a majority of script kiddies.

    39. Re:Is Sony now in the banking business? by Anubis+IV · · Score: 1

      Sharing with merchants is a bit different, since they don't keep it on file. And if we take the attitude that there's no problem unless harm comes of an action, then there would be very little point in any sort of preventative measure at all. After all, we could take your arguments and apply all of them to passwords as well.

    40. Re:Is Sony now in the banking business? by dgatwood · · Score: 1

      It doesn't matter if there are a billion guesses from a billion people... for 15 minutes there can be only 5.

      My point was that nobody implements password handling like this because that creates a trivial avenue for denial of service for the account. All I'd have to do is have a botnet of one computer trying five passwords every 15 minutes, and you would never be able to log into your account ever again. I don't need to know your password at all to permanently deny you the use of your account. I need only to learn your username.

      Instead, what everyone actually implements in practice is five attempts per 15 minutes per account per IP. So if you have ten million distinct IPs, you have fifty million password attempts per account every 15 minutes, 200 million attempts per account per hour, 4.8 billion attempts per account per day. That's 1.44 trillion total attempts per day, assuming the computers and networks are fast enough to handle this.

      The smarter companies implement a limit per IP per unit of time as well, which tends to lower that number considerably.

      Now to be fair, what's more common (and what probably got my account) are dictionary attacks and variations on dictionary attacks (common word + a number, substitution of common letters, etc.) rather than true brute force attacks. In my mind, though, I consider brute force attacks and dictionary attacks to be the same thing; the only real difference is the algorithm used for choosing which passwords to try first.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.
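The disagreement in the exchange above comes down to which key the failed-login counter is indexed on: per account (a single hostile IP can lock the owner out), per account and source IP (a botnet multiplies its guess budget by the number of IPs it controls), or some combination. The following is an added simulation, not code posted by either participant; it implements the three choices and measures both the number of guesses a botnet gets in one window and whether one attacker IP can lock out the legitimate owner. The numbers are assumptions: 5 failures per key per 15-minute window, and, for the combined policy, a 100-failure account-wide cap per window.

```python
"""Online password-guessing throttles keyed three different ways (added example).

Assumed parameters: 5 failures per 15-minute window per key; the combined
policy adds an account-wide cap of 100 failures per window. The attacker IPs
and account names are constructed.
"""
from collections import defaultdict

WINDOW = 15 * 60        # seconds
PER_KEY_LIMIT = 5       # failed attempts per key per window (assumed)
ACCOUNT_CAP = 100       # combined policy: total failures per account per window (assumed)

POLICIES = ("per_account", "per_account_ip", "both")


class FailureLog:
    """Sliding-window record of failed logins, keyed by an arbitrary tuple."""

    def __init__(self):
        self._hits = defaultdict(list)

    def count(self, key, now):
        recent = [t for t in self._hits[key] if now - t < WINDOW]
        self._hits[key] = recent          # drop failures that aged out
        return len(recent)

    def record(self, key, now):
        self._hits[key].append(now)


class Throttle:
    def __init__(self, policy):
        if policy not in POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self.log = FailureLog()

    def _keys(self, account, ip):
        """(counter key, limit) pairs that must all be under their limit."""
        if self.policy == "per_account":
            return [(("acct", account), PER_KEY_LIMIT)]
        if self.policy == "per_account_ip":
            return [(("acct_ip", account, ip), PER_KEY_LIMIT)]
        return [(("acct_ip", account, ip), PER_KEY_LIMIT),
                (("acct", account), ACCOUNT_CAP)]

    def allow(self, account, ip, now):
        return all(self.log.count(k, now) < limit for k, limit in self._keys(account, ip))

    def record_failure(self, account, ip, now):
        for k, _ in self._keys(account, ip):
            self.log.record(k, now)


def simulate_botnet(policy, n_ips, guesses_per_ip=PER_KEY_LIMIT, now=0.0):
    """Wrong guesses against one account that the server actually evaluates
    when n_ips distinct sources each try guesses_per_ip times inside one window."""
    t = Throttle(policy)
    evaluated = 0
    for i in range(n_ips):
        ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"   # constructed bot address
        for _ in range(guesses_per_ip):
            if t.allow("victim", ip, now):
                evaluated += 1
                t.record_failure("victim", ip, now)   # every guess is wrong
    return evaluated


def lockout_dos(policy, now=0.0):
    """True if a single attacker IP can lock the legitimate owner out."""
    t = Throttle(policy)
    attacker, owner = "198.51.100.7", "192.0.2.10"   # constructed addresses
    for _ in range(PER_KEY_LIMIT):
        if t.allow("victim", attacker, now):
            t.record_failure("victim", attacker, now)
    return not t.allow("victim", owner, now)


if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy:15s} botnet(1000 IPs) gets {simulate_botnet(policy, 1000):5d} guesses/window,"
              f" single-IP lockout of owner: {lockout_dos(policy)}")
```

With these parameters the account-only counter caps a thousand-node botnet at 5 guesses per window but lets one IP deny service to the owner; the per-account-per-IP counter does the reverse (5000 guesses, no lockout); the combined policy bounds the botnet at 100 guesses per window per account and survives a single hostile IP, but 20 cooperating IPs can still exhaust the account cap. That residual lockout risk is why deployed systems pair counters like these with step-up checks (CAPTCHA, device recognition, second factor) rather than relying on a hard lock alone.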

    41. Re:Is Sony now in the banking business? by sxeraverx · · Score: 1

      This case underlines the necessity of one-way salting and hashing passwords, even server-side, before ever storing them. If the passwords were hashed properly, they couldn't feasibly be reused on other sites.
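Salting and hashing, as the post above argues, keeps the raw password out of a stolen table and makes identical passwords look different per account, so the thief cannot replay the column directly against another site. It does not make weak passwords safe: anything in a wordlist still falls to an offline dictionary run against the stolen records, and the recovered password is then just as reusable. The following added example (not Sony's code, nor the poster's) shows both sides using PBKDF2-SHA256 from the Python standard library; the user table, the three-word "wordlist" and the user names are constructed for the demo.

```python
"""Salted, iterated password hashing, and what an offline attacker can still do
(added example). Assumptions: a hypothetical user table held in a dict,
PBKDF2-SHA256 from hashlib as the hash, a constructed three-word wordlist."""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000      # production work factor; the demo below lowers it for speed
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iterations, per-user salt, derived key."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed demo users; two of them share a password.
DEMO_USERS = {"alice": "password", "bob": "Tr0ub4dor&3", "carol": "password"}
# Constructed stand-in for an attacker's wordlist.
DEMO_WORDLIST = ["123456", "password", "qwerty"]


def build_store(users=DEMO_USERS, iterations=ITERATIONS):
    """The table an application would persist: user -> hash record, no plaintext."""
    return {user: hash_password(pw, iterations) for user, pw in users.items()}


def offline_dictionary_attack(store, wordlist):
    """What the thief of the table can still do: run every word against every
    record (one PBKDF2 computation per guess per user, since each salt differs).
    Returns the accounts that fall and the recovered password, which is what
    would then be tried against other sites."""
    cracked = {}
    for user, record in store.items():
        for word in wordlist:
            if verify_password(word, record):
                cracked[user] = word
                break
    return cracked


if __name__ == "__main__":
    store = build_store(iterations=10_000)   # lowered for a quick demo run
    print("alice and carol share a password but their records differ:",
          store["alice"] != store["carol"])
    print("correct password accepted:", verify_password("password", store["alice"]))
    print("wrong password rejected:", verify_password("Password", store["alice"]))
    print("cracked by a 3-word list:", offline_dictionary_attack(store, DEMO_WORDLIST))
```

The iteration count is stored in the record so it can be raised later without invalidating existing users; the per-user salt is what defeats precomputed tables and hides which accounts share a password. Neither helps the accounts in the 36% that sit in a common-password list: the attack loop above recovers them with three guesses each, and a GPU rig does the same at scale.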

    42. Re:Is Sony now in the banking business? by somersault · · Score: 1

      I think the simplest answer here was that it was someone playing around with Firesheep on your company network after hearing about it on the news. I switched to HTTPS FB sessions after hearing about that.

      Technically I already knew of the issue I suppose, but most of the people I work with wouldn't even know what a cookie was, let alone that you can steal sessions with one. The big fuss made about Firesheep means that pretty much anyone can do it now though. I was wondering about running it myself just to see what kind of stuff pops up on our own network.

      --
      which is totally what she said
    43. Re:Is Sony now in the banking business? by somersault · · Score: 1

      For me it doesn't register new locations, but it does register new devices, or fresh OS installs.

      Yep, I really think it would have been someone he knows using Firesheep to steal a session cookie.

      --
      which is totally what she said
    44. Re:Is Sony now in the banking business? by Eponymous+Hero · · Score: 0

      i don't think he meant only physically handing the card to a person. anything you swipe the card on will capture the numbers and expiry, billing zip code, etc. and put it somewhere that is vulnerable by virtue of existing. let's face it, nothing is 100% secure AND usable. there will always be an attack vector somewhere.

      --
      insensitive clod overlords obligatory xkcd car analogy russian reversals whoosh pedant fanbois ftfy in 3...2...1..PROFIT
  2. ah geez. by Anonymous Coward · · Score: 0

    ah geez. it's like being back in school. my best mate's password was "123".

    1. Re:ah geez. by xkuehn · · Score: 1

      ah geez. it's like being back in school. my best mate's password was "123".

      Ah, the memories. (The school's admin password was "access".)

    2. Re:ah geez. by Canazza · · Score: 1

      yours had a password?

      --
      It pays to be obvious, especially if you have a reputation for being subtle.
    3. Re:ah geez. by Apocryphos · · Score: 1

      For my school's system, one of the superuser accounts was "a" with no password. Things ended badly.

    4. Re:ah geez. by Anonymous Coward · · Score: 1

      Darn, my password must have been in the vanishingly small amount that used special characters, numbers, upper and lower case and was actually funny as well.

      It was "1c@nCurt1t5" (and by WAS I mean several months ago: I am not going to give you my current password - however it is constructed the same way and is also funny)

      I can't figure out why everyone can't manage to use good passwords. But, the bigger atrocity is why the hell Sony was storing plain text passwords anyway? Don't they know about things like salted hashes?

    5. Re:ah geez. by xaxa · · Score: 1

      ah geez. it's like being back in school. my best mate's password was "123".

      Ah, the memories. (The school's admin password was "access".)

      When I was 12 I found out from an older student that the admin password was "changeme". I used it to increase my disc quota.

      I then gave the password to a younger student, who changed it. IIRC he had a letter sent to his parents, but I was merely banned from using school computers at lunchtime "until the end of the year", which was about 2 weeks. I think talking to people outside for two weeks probably did me good.

    6. Re:ah geez. by xkuehn · · Score: 1

      Yes.

      Some support circus administered the computers. A friend of mine looked over the guy's shoulder once, and I didn't believe him until he demonstrated that it works.

    7. Re:ah geez. by bickerdyke · · Score: 1

      Our Network Administrators password was "ramses" back in those days....

      Getting it was even more fun than using it :-)

      --
      bickerdyke
    8. Re:ah geez. by Quirkz · · Score: 1

      What, it didn't accept the incomplete password and prompt you for additional letters, such as "II"?

  3. not surprising by Anonymous Coward · · Score: 2, Insightful

    it's a pretty big PITA to enter a secure password, or any complex non-alphanumeric mix of characters using an on-screen keyboard.

    1. Re:not surprising by chemicaldave · · Score: 1

      it's a pretty big PITA to enter a secure password, or any complex non-alphanumeric mix of characters using an on-screen keyboard.

      No, it's really not, especially when you consider that the PS3 will store the password. You should only have to enter it a few times over the lifetime of the unit, and even then, entering some non-alphanumeric chars doesn't make it any more difficult.

    2. Re:not surprising by Anonymous Coward · · Score: 0

      OhRe@lly!? --- looks pretty secure to me.
      **changes password**

    3. Re:not surprising by Darfeld · · Score: 1

      It's not difficult, it's annoying. And if you don't type it often, you'll forget it. And if you do type it often, it's even more annoying. And if you write the pwd down, it will be lost/stolen anyway...

      --
      (\__/) This is Lapinator
      (='.'=) copy it in your sig
      (")_(") so it can take over the world
    4. Re:not surprising by Anonymous Coward · · Score: 1

      This data is SonyPictures.com not PSN.

    5. Re:not surprising by Gravatron · · Score: 1

      I use a USB keyboard on my ps3. Helpful for chat, netflix, and password entry.

    6. Re:not surprising by swv3752 · · Score: 1

      Yeah, I have a wireless mouse keyboard combo from my old MythTV box that I use for the PS3.

      --
      Just a Tuna in the Sea of Life
    7. Re:not surprising by John+Hasler · · Score: 1

      > And if you write the pwd down, it will be lost/stolen anyway...

      Only if you are a fool, in which case all is lost anyway.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    8. Re:not surprising by WuphonsReach · · Score: 2

      And if you write the pwd down, it will be lost/stolen anyway...

      Do you also leave your wallet, credit-cards or money laying around so that they get lost/stolen all the time?

      Writing the password down is fine, as long as it gets stored in a safe place (safe deposit box, home safe, sealed envelope, even tucked in a wallet). The weakness is not that the password is written down, it's that it is not kept secure against the eyes of others. Like putting it on a sticky note attached to the monitor/keyboard.

      --
      Wolde you bothe eate your cake, and have your cake?
    9. Re:not surprising by MareLooke · · Score: 1

      KeePassX helps with that. But it obviously doesn't help with companies spilling their pwd databases...

    10. Re:not surprising by GIL_Dude · · Score: 1

      Exactly. Also some basic, much maligned but still useful, security by obscurity can be used. For example, if you have trouble remembering your ATM PIN, simply put a piece of paper in your wallet with a couple of "phone numbers" on it (for example one would be "Adam - 722-1416" where 1416 is your PIN.) Simple mnemonic - Adam - ATOM - ATM... Simple thieves won't get your PIN from that, but you certainly can remember it. Passwords can be done in a similar fashion.

    11. Re:not surprising by Anonymous Coward · · Score: 0

      The interface for the onscreen keyboard is really horrendous to use. I'm not surprised at the number of passwords that contain so few characters. And a "few times over the lifetime of the unit"? That has certainly not been my experience with the Playstation network.

    12. Re:not surprising by Darfeld · · Score: 1

      I'm not leaving my wallet laying around but it's not absolute security. It might still be stolen and that's a PITA. A password written down will be lost if it's not in a logical, well organised place, and that means that if someone figures out where it is, they have all of them. Or you can store the pwd in different places and forget half of them. Sure you can find a logical place where to store each pwd but either you're too predictable or you won't think of the same place each time.

      Or you have a decent IQ, are sure your friend won't betray you (but then, who will? ), and are very well organized in which case you're not Average Joe. Or you have the ability to remember 38 pwd > 20 letters... In which case you might not have lots of friends...

      --
      (\__/) This is Lapinator
      (='.'=) copy it in your sig
      (")_(") so it can take over the world
  4. Morons! by Anonymous Coward · · Score: 0

    Given the average Joe has to remember a zillion passwords, what do you expect?

    1. Re:Morons! by Anonymous Coward · · Score: 0

      hunter2

    2. Re:Morons! by Tolkien · · Score: 1

      Why would someone post a message containing just 7 asterisks? Weird.

    3. Re:Morons! by allo · · Score: 0

      ******* is my password! And nobody will guess THIS.

  5. As someone who probably fell into some of those by vawwyakr · · Score: 5, Interesting

    My sony account only held the minimal information and some of that not correct. The PW I used was my public throw away password that I only use on sites that require me to register when I just need it to use a basic service and not enter anything not already public knowledge. So I'm not going to burn a good PW or spend my time trying to memorize a new one to use for something I really wouldn't care if they cracked and couldn't use the same PW on a site for which I care about it being cracked.

    1. Re:As someone who probably fell into some of those by Aladrin · · Score: 5, Insightful

      For a situation such as yours, the website owner actually cares more than you do. If your password gets stolen from another site, the hackers will be able to log into your account on your other throw-away sites. This means they have a new spam account that -looks- like a legit account. That's quite valuable to spammers, and painful for admins.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    2. Re:As someone who probably fell into some of those by KidPix · · Score: 2

      Yeah, I'd like to see a comparison of bank passwords to Sony/Gawker passwords.

    3. Re:As someone who probably fell into some of those by Rary · · Score: 1

      Yeah, I'd like to see a comparison of bank passwords to Sony/Gawker passwords.

      I don't have a Sony or Gawker password, but I can tell you that my Slashdot password is more secure than my bank password. However, that's not by my choice. The credit union I use has this pathetic system that requires passwords to be exactly 7 characters and ONLY numeric. Very annoying.

      --

      "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

    4. Re:As someone who probably fell into some of those by Anonymous Coward · · Score: 0

      So like a PIN then? If the ATM or website or whatever locks you out after 5 attempts then it doesn't make much difference. My online banking uses a 12 digit PIN, but it records your browser and asks for a separate password if you use a new one / try to log in from a different country.

    5. Re:As someone who probably fell into some of those by aliquis · · Score: 2

      Personally I don't see the horror in "99% of passwords don't contain a single non-alphanumeric character."

      So is an 8 character password with non-alphanumerics better than, say, a 50 character password with only alphanumerics?

      Which one is easier to remember:

      &/fhy47F

      or:

      "omg leet slashdot password try to crack this one stupid"

      and which one is safer?

      Also, with no password reminder and all these shitty sites which require you to register for no obvious reason, or which require it for a reason which matters, who's got time for unique passwords?

      Guess one could make one:

      thisismypassword and then just use it as simple as thisismypasswordSlashdot, at least that would make it unique.

      Or maybe use different e-mail addresses for various seriousness of the account, so then you can have thisismypassword for all, but if it's only for junkaccount@gmail.com then people won't crack your forumposts@gmail.com or emailaccount@gmail.com even though they had the same password.

      Anyway I think "rules" for passwords are stupid. There are much better and easier ways to improve safety. Sure 50 characters with an occasional & sign is even better.

    6. Re:As someone who probably fell into some of those by gman003 · · Score: 1

      My bank is nearly as bad - only uppercase letters and numbers. I used my normal password as a basis for crafting my bank password, but I can never remember if I replaced all Os with 0s, or just the first one, or just the second, or what I did with the underscore, etc. So I still can't remember it. I got tired of doing a password reset every time I wanted to check my balance, and just signed up for mailed account updates. Fuck trees.

    7. Re:As someone who probably fell into some of those by Plekto · · Score: 1

      The big thing that needs to happen is that the systems need to upgrade to a proper unicode character set. And not limit us to stupid things like 8 characters or force us to only use numbers and letters. It's not like the computer itself cares what we put in, after all. @#93^202¾3\fm395212i.345349wdm is just as easy for a computer to put into a table as password42 (as an example). Most of these systems seem to be archaic holdovers from pen and paper days. After all, when you recover the password, it clears the old one anyways. It's not like some rent-a-tech is actually reading it back to you over the phone.

      (note - Slashdot choked on what I typed) - The characters that I randomly inserted were:
      @#93^202[3/4 symbol]3\fm39[r shaped graphics character - ignored]5[epsilon - also ignored]212i.345[up/down arrow - also ignored]349wdm
      This is bog-standard Arial Unicode. Every PC and every site should support it at this point. But even slashdot is behind the times, so it seems.

      Also, where I used to work, we had to crack Office file passwords for clients from time to time (data recovery and the like) Most could be brute-forced in seconds, but add a single unicode character like or even something as innocuous as an extended graphic character like to the password and the cracker would choke and never get it. We'd know it was no more than 8-12 characters and it would run overnight and get nothing (problem with having clients in foreign countries send you data to recover... sigh). I'd wager that less than 1% of all cracking programs and tools that are available to use, either commercially or that are out on the net in the hands of criminals are set up to deal with Unicode.

      It's a shame only two sites that I visit allow it. Slashdot isn't one of them, BTW. Sony certainly did not. Of course, I always used the prepaid cards as well, since it was an obvious problem - not only from a password perspective, but the idea that anyone (ie - kids) could log into your main account and buy stuff from the store pretty easily if they wanted to.

    8. Re:As someone who probably fell into some of those by mortonda · · Score: 1

      Indeed. What I do is create a new password for every site, and then use a password manager like 1Password to remember it for me ... even for sites that I may not ever log in to again. That way, my password doesn't convey any information to any other sites.

      1Password syncs to my other systems and my phone, so I'm never without a password, and all I have to remember is my local encryption key.

    9. Re:As someone who probably fell into some of those by Anonymous Coward · · Score: 0

      Hey Admins,
      Don't want the hassle described here? Set up security so this stuff doesn't happen. As a user, I need to trust your system. As a user, I've been working on improving my passwords. The fact that an organization as big as Sony can't secure my data, including my password, drops my confidence. How vulnerable is my data with smaller retailers?

    10. Re:As someone who probably fell into some of those by Anonymous Coward · · Score: 0

      Props for using a credit union instead of an evil bank.

    11. Re:As someone who probably fell into some of those by KZigurs · · Score: 1

      Thank you, kind sir! Please make sure that your account is in good standing to avoid ... uhm... *overdraft fees and ensure good credit score*. Yeah, that.

    12. Re:As someone who probably fell into some of those by Anonymous Coward · · Score: 0

      You seem to be assuming that all "throw away" sites are spam relays, such as email accounts, or even perhaps relevant forums.

    13. Re:As someone who probably fell into some of those by Rich0 · · Score: 1

      That's the price admins pay for using passwords to authenticate users. It will only get better once it gets sufficiently worse. :)

    14. Re:As someone who probably fell into some of those by Anonymous Coward · · Score: 0

      Good point. Now I have twice the incentive to use standard passwords at shitsites that insist on registering for no reason :)

    15. Re:As someone who probably fell into some of those by hedwards · · Score: 2

      If you add even a single non-alphanumeric key it means that in order to brute force the password, they don't get to stick with the 26 lower case letters, 26 uppercase letters and 10 digits, they also have to deal with the , ; . ! ? @ and probably even more. And they don't know that's the case until they try every combination of alphanumeric characters that is possible within the given length.

    16. Re:As someone who probably fell into some of those by Anonymous Coward · · Score: 0

      Seriously??
      I wonder how many account holder passwords can be looked up in the phone book?

    17. Re:As someone who probably fell into some of those by aliquis · · Score: 1

      Yeah, but say 26 lower case, 26 upper case, 10 numbers and then how many special characters? 30?

      So you got 62 vs 92 characters.

      To begin with they don't know if you use alphanumerics only or not, so it's not obvious what.

      But regardless, say they do.

      8 characters with special characters:
      92^8 = 5.13218873 × 10^15

      10 characters but only alphanumerics:
      62^10 = 8.39299366 × 10^17

      So now Hedwardish (heck, screw the numbers, 52^11 = 52^10 = 1.44555106 × 10^17) is much better than 3TtÂed6/ and 3TtÂedÂ6/ is just four times as good.

      Imho the former is easier to remember, and "bla bla yada yada story of my life this is my gpg key" is imho much more convenient than Y45i64tgi4%409d9di34k68rgft645egfed5t6&&7.

      But I may be wrong ..

  6. Best password practices by mangu · · Score: 2

    I don't think very long passwords are necessary.

    My own practices:

    No dictionary words, only a string of random letters
    No change, memorize and keep the same password forever

    I use the same password for all internet sites, slashdot, reddit, throwaway emails, etc. Another one for all my computers, at home and at work. A third one is for my bank account only.

    1. Re:Best password practices by somersault · · Score: 1

      I don't change mine all that often either, and similarly have different levels of passwords.

      What do you mean by "very long"? I think something like 8 or 9 characters minimum is probably necessary to avoid rainbow table cracking these days.

      I've taken to slightly modifying my password depending on which site I am using. It helps to lengthen the password but in an easy to remember way, even though my basic password is already above the length that should be easily crackable.

      Keeping the same password forever does leave you susceptible to things like hardware keyloggers, and websites storing your passwords in cleartext (like Slashdot apparently does) though.

      --
      which is totally what she said
    2. Re:Best password practices by Anonymous Coward · · Score: 0

      I use the same password for all internet sites, slashdot, reddit, throwaway emails, etc.

      Soooh...do you have a Sony account by any chance...?

    3. Re:Best password practices by Anonymous Coward · · Score: 2, Interesting

      I do somewhat of the same. My letters aren't random though. I typically have a phrase that I remember such as:

      jack went to the store to buy some rice.

      That would become jwttstbsr

      Then append a number n (in this example we'll say n = 3)

      Every nth letter in the original sequence becomes uppercase.

      So then we get jwTtsTbsR3

      Finally, append a single letter suffix designating what it's for. C for computer passwords, F for financial, S for social networking, E for email, W for general websites, etc.

      I tend to change which password I'm using every now and then and this lets me keep track of it without having to write anything down (which I'd inevitably have to do for a COMPLETELY random sequence).

    4. Re:Best password practices by jovius · · Score: 1

      i use something like 's0m3t#1nG'

    5. Re:Best password practices by JaredOfEuropa · · Score: 1

      Decent dictionary attack software already accounts for the more obvious substitutions like i/!, o/0, l/1, e/3, a/4 etc. I tend to use passwords that can be pronounced but aren't actual words.

      But even with a completely random password, you're still screwed if Sony makes the unbelievable and inexcusable mistake of storing them in plaintext. Hell, even the PHP for Beginners book on my shelf explains one-way encryption for passwords to online services.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    6. Re:Best password practices by Anonymous Coward · · Score: 0

      I'm sorry, did you miss this article?

      http://it.slashdot.org/story/11/06/05/2028256/Cheap-GPUs-Rendering-Strong-Passwords-Useless

      What you describe is not good practice. My own passwords are usually 10-12 characters long, alphanumeric and symbolic, do not contain words or phrases, and never get repeated. I have a 'base' password I use for all 'throw away' accounts, but the password is not exactly duplicated (some of the numbers and symbols are changed), and although I don't change them regularly they get changed around once a year, or sooner if I feel the account may have been compromised. My IMPORTANT passwords are 12-16 characters in length and not related to my throw away passwords.....

    7. Re:Best password practices by Danny+Rathjens · · Score: 2

      I don't know why people think that "leet-ifying" a word makes it a better password. Leetspeak modifications of dictionary words are one of the first variations that password cracking software tries after straight dictionary words.

    8. Re:Best password practices by angel'o'sphere · · Score: 1

      But you do know that slashdot e.g. does not transfer your passwd encrypted but in plain text? So everyone listening to your connection can read it? I would at least distinguish between https and non-https accounts.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    9. Re:Best password practices by DigiShaman · · Score: 1

      Security through Obscurity plays a part in the overall scheme of things. Not by itself, but a part. That said, unless you use different user names, you shouldn't be telling everyone that you use the same password for all those sites. There are several potential implications that could render partial to complete ID theft.

      --
      Life is not for the lazy.
    10. Re:Best password practices by BrokenHalo · · Score: 1

      I don't know why people think that "leet-ifying" a word makes it a better password.

      Leetifying a dictionary word doesn't make it any stronger as a password. However, using "leet" substitutions in a password which cannot be found in a dictionary, but is otherwise memorable, increases the range of combinations/permutations of characters, making it a lot more work to brute-force. Thus, "P45sword" is just silly, but "Tb,at5tDg4gitw:" (from "Twas brillig, and the slithy toves \n Did gyre and gimble in the wabe:") would be considered by most to be a pretty strong password.

    11. Re:Best password practices by WuphonsReach · · Score: 1

      That depends on whether you assume that the attacker has your password hash and can brute-force it at an increased rate. For $1000, an attacker can easily build a unit capable of attacking most password hashes at a rate of say 1 billion per second.

      If your password is 8 character or less, it will be spit out by that machine in 2-48 hours.

      The math:

      Assume 60-80 possibles per letter in the password, weaker passwords that are mostly lower-case can be as low as 40 possibles per letter.

      40 = ~5.33 bits per position, 60 = ~5.91 bits, 80 = ~6.32 bits.

      Search time at 1 billion / second:
      5.33 bits per character, 8 characters = 1.97 hours
      5.91 bits per character = 47.5 hours
      6.32 bits per character = 461 hours

      So for a fairly complex password, that $1000 machine can break about 180 passwords per year. And since most passwords are much weaker than 5.91 bits per position, it might be as high as 5000 passwords per year.

      Which means the attacker only spends $0.20 per password cracked for passwords of 8 characters or less that are not completely random. And that assumes that they're paying for the hardware and electricity and time.

      Do your short passwords protect items / time worth more than $0.20? You say that you use more random passwords, which means the attacker would probably have to spend about $5.00 to break it if it's 8 characters or less.

      For every letter that you add to your password length, you increase the attacker's workload by 40x to 80x.

      --
      Wolde you bothe eate your cake, and have your cake?
    12. Re:Best password practices by binkzz · · Score: 2

      I use the same password for all internet sites, slashdot, reddit, throwaway emails, etc. Another one for all my computers, at home and at work. A third one is for my bank account only.

      Hey! Would you like to sign up to my site? http://dodgysite.com/ . It has tons of cool stuff. Hope to see you there soon!

      --
      'For we walk by faith, not by sight.' II Corinthians 5:7
    13. Re:Best password practices by Inda · · Score: 1

      I've said the same on here many, many times before giving up. No one will listen and no one will change their ways.

      I used to play with password cracking programs on my P3. They all allowed for character substitution and many had a 'leet-speak' option to tick.

      BTW, a full dictionary attack used to take about 3 seconds on my P3 and people would be magically impressed when I found their ZIP file passwords.

      PS. My bank allows 14 characters... *facepalm*

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    14. Re:Best password practices by Bengie · · Score: 1

      If the attacker assumed a 40 char alphabet and you used even a 41 char, they would NEVER break your password.

      The attacker knows nothing about your password, so they have only a few options. Use a limited alphabet like all lower case and no specials, which means dramatically faster brute forcing, but anyone who uses even a single special char or upper case will be protected from you. Or they can use the full alphabet and take a very very very long time breaking everyone's passwords.

      The problem with a lot of password theory is it assumes the attacker knows something about the password. The attacker typically doesn't know you're using a phrase of simple words; they don't know what your entropy is or how large your alphabet is. Assuming the dictionary attack didn't work, all they can do is brute force and go through EVERY combination. Use a simple word, throw in an upper case somewhere and toss in a special char, and add another word if you want to make sure you're at least 12 chars.

      "Blueplanet[69]" is 14 chars. The attacker doesn't know anything about my password and it won't show up in a dictionary attack. It would have to be brute forced.

      You know why the above example is safer than "A5#[z~];wLr^0@"? Because "B" is higher than "A" in the ascii table and, assuming an incremental brute force, it would take longer to make a match.

      A 90 char alphabet is considered pretty much the full one. 90 combinations per char and 14 chars, that's 2,287,679,245,496,100,000,000,000,000 combinations. Divide in half for the average chance to hit in the upper or lower portion of the range: 1,143,839,622,748,050,000,000,000,000 combinations. At 100 trillion combinations per second, it would take on average 362,709 years to break a 14 char password assuming a search space of the full 90 char alphabet. If they didn't assume the full alphabet and someone used even one char outside of theirs, they would NEVER break the password.

      Another option is for the web site to use bcrypt to hash the passwords and make it take 50ms per hash. Even simple passwords would be fairly safe if your DB got stolen.

    15. Re:Best password practices by jovius · · Score: 1

      That's why I don't use words from dictionary. Made up words, combinations or mangled. It's easy to have per site unique password. Besides I come from somewhat minor language group which provides lots of weird material to the mix.

    16. Re:Best password practices by WuphonsReach · · Score: 1

      The problem with a lot of password theory is it assumes the attacker knows something about the password. The attacker typically doesn't know you're using a phrase of simple words; they don't know what your entropy is or how large your alphabet is. Assuming the dictionary attack didn't work, all they can do is brute force and go through EVERY combination. Use a simple word, throw in an upper case somewhere and toss in a special char, and add another word if you want to make sure you're at least 12 chars.

      "Blueplanet[69]" is 14 chars. The attacker doesn't know anything about my password and it won't show up in a dictionary attack. It would have to be brute forced.

      That depends on the attacker. Smart attackers know that most users fall into a predictable pattern, such as preferring lower-case letters over upper-case, only using 1-3 extra digits / symbols, typically putting extra junk between words instead of in the middle of words, and sticking to words that they commonly use. That narrows the search field a lot. Instead of 200,000 - 300,000 words, they only need to use about 8,000-10,000 in their search.

      If you don't care about which particular account in a list of hashed passwords you break, then you start with the easy stuff. Such as a list of the N most frequently used passwords. Then you proceed to try the typical patterns (and "word-word-numbers/symbols" is a fairly common pattern). Maybe if you didn't get enough results from the first two methods, you'll try doing a random brute-force search of the entire space.

      But is that time worth it? Probably not for most attackers. They'll go after the other accounts in the list first and probably break at least some of them in a matter of hours. After which, unless you are a special target, they don't care enough to spend the effort to break your password.

      You only have to run faster than your buddy when being chased by a hungry bear if it doesn't care which of you it eats.

      But if you specifically made yourself a target by annoying the bear, then your assumptions have to change.

      --
      Wolde you bothe eate your cake, and have your cake?
    17. Re:Best password practices by WuphonsReach · · Score: 1

      PS. My bank allows 14 characters... *facepalm*

      14 is not bad. At a minimum, that's probably 62 possibles per position, which is 62^6 better than 8 character passwords. If it allows symbols, then you can assume 80^6 or 92^6, but only if the entire thing is complete gibberish. Otherwise stick with about a 60^6 estimate.

      Eight would be too few. Even 10 positions is borderline now. But once you get up into the 12-15 character range, you're past the point where opportunistic attackers will bother. It's faster for them to get the password some other way (shoulder surfing, phishing, social engineering, spyware, physical intrusion/theft, etc.).

      --
      Wolde you bothe eate your cake, and have your cake?
    18. Re:Best password practices by Anonymous Coward · · Score: 0

      So if you registered at the sony website, I would now be able to access your "all internet sites, slashdot, reddit, throwaway emails, etc"?
      Remember that sony stored the passwords in plain text! And who knows who else does...

    19. Re:Best password practices by Anonymous Coward · · Score: 0

      I don't know why people think that "leet-ifying" a word makes it a better password. leetspeak modifications of dictionary words is one of the first variations that password cracking software tries after straight dictionary words.

      Actually, leet-ifying passwords adds a significant level of security, as long as you don't conform to some "standard leet" alphabet. For each letter you have the option to use upper or lower case, or to replace it with one or more options of "leet" characters. That gives you at least n^3 variations for an n-letter word, making an 8-letter password at least 512 times harder to crack. Sure, not as good as a completely random ascii string, but saying it does not make a better password is certainly not true.

    20. Re:Best password practices by wikdwarlock · · Score: 1

      Exactly this...

      At least the "leet-ifying" moves it further down the line in terms of brute force. This makes it a bit more expensive and a bit more likely to be deemed not worth the effort. If 50% of the passwords can be had with a simple, non-leet dictionary attack, maybe that's enough ROI for the cracker to call it a day and begin chewing on the next database of victims.

      It's akin to using a safe inside your home. The US Navy Seals can still come in and get your safe-protected stuff, but if the safe is just a bit heavier or more secure than the average safe, a typical burglar will leave it alone as it's not worth his time and risk.

      --

      "I must not fear. Fear is the mind killer." -Bene Gesserit Litany Against Fear
    21. Re:Best password practices by Zomalaja · · Score: 1

      I sometimes use dictionary words but I misspell them badly.

    22. Re:Best password practices by Quirkz · · Score: 1

      +1 use of Best Poem Ever

  7. Does it really matter? by Anonymous Coward · · Score: 0

    http://it.slashdot.org/story/11/06/05/2028256/Cheap-GPUs-Rendering-Strong-Passwords-Useless

  8. Phew by Anonymous Coward · · Score: 0

    I'm not in it.

  9. Is *$#~! allowed? by Captain+Centropyge · · Score: 1

    It doesn't help when some sites don't even allow non-alphanumeric passwords. Besides... when Sony stores them in plain text, what does it matter what your password is?

    --
    Bite my shiny metal ass!
    1. Re:Is *$#~! allowed? by PhilHibbs · · Score: 1

      They probably do that because by French law you have to store them in plain text or something fungible, no one-way-hashing of passwords is allowed in France.

    2. Re:Is *$#~! allowed? by BrokenHalo · · Score: 2

      It doesn't help when some sites don't even allow non-alphanumeric passwords.

      Indeed, and by far the worst culprits I have found for such asinine limitations are banks. I have come across many that impose arbitrarily small password lengths and refuse all non-alphanumeric characters.

    3. Re:Is *$#~! allowed? by Captain+Centropyge · · Score: 2

      Exactly! You'd think a bank would want the most-secure passwords a user can come up with. Why would you ever disallow special characters? And, unlike the other poster who replied, these aren't French banks. They're local American banks. I don't get it...

      --
      Bite my shiny metal ass!
  10. lowercase by Njovich · · Score: 5, Insightful

    '82% of passwords are lowercase alphanumeric of 9 characters or less.'

    So what about lowercase? As long as it's random-ish, it's fine. Good luck brute forcing a 9 character lowercase alphanumeric password... Capitals are overrated anyway, if asked to include an uppercase character, in my experience most people will use exactly 1 uppercase character. So, given a password with length 8, it's only 8 times as many possibilities you would check. However, it is still an extra keypress, so if you went for an extra character it would be a lot more effective. Then there is the point that on many phones it's a nuisance to type capital letters, then there is a problem of readability of for instance I (upper i), or l (lower L). Also, when speaking out a password it is annoying. Then, at least for me, it is hard to remember the location of the capital letters.

    1. Re:lowercase by chemicaldave · · Score: 2

      The point is that it's easier to guess a password when you know it only has 36 possible characters, as opposed to 62.

    2. Re:lowercase by stewbee · · Score: 1

      In a way I agree with you, but let's just look at the numbers. A password n characters long of only lower case letters (in English) has 26^n possible combinations. Adding upper case then gives 52^n combinations. If you were a code cracker, and knew in advance that most people only used lower case letters, then why waste your time with upper case letters? Your code cracking program would take longer allowing for upper case letters. It's a matter of low hanging fruit; a non-capitalized password cracker will give you a reasonable success rate in a shorter time than allowing for capitals.

    3. Re:lowercase by Rary · · Score: 1

      Also, when speaking out a password it is annoying. Then, at least for me, it is hard to remember the location of the capital letters.

      For starters, you shouldn't be speaking out a password, unless it's the password to something really trivial and low security, in which case go ahead and use a simple all lowercase password. As for remembering the location of the capital letters, use a simple pattern.

      For example, if you take the word "password", replace a couple letters with numbers, such as "p4ssw0rd", and then just hold down the SHIFT key for every second character, you get "p$sSw)rD", which is many times more secure, and simple to memorize, because you're not memorizing the actual password, just the pattern used to type it.

      The point about how difficult it is to type these passwords on a phone, however, is absolutely valid. Even worse is when I have to type my fairly secure wi-fi password on my Kobo. Painful.

      --

      "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

    4. Re:lowercase by Kjella · · Score: 2

      Apple23
      aPple23
      apPle23
      appLe23
      applE23

      = about 5 times as difficult. The point is that people don't use combinations like ApPLe23; capitalizing one letter because you must isn't exactly a huge gain. Particularly since most people will capitalize the first, since it's easiest. I do stick to alphanumeric passwords though; everything else always generates so much crap with character sets, keyboard layout etc.

      --
      Live today, because you never know what tomorrow brings
    5. Re:lowercase by Anonymous Coward · · Score: 0

      Yeah so your 52^n-combinations password takes on average n/2 extra key presses to type. He's saying that spending those keypresses on more lowercase letters is better. 26^(n+n/2) > 52^n.

    6. Re:lowercase by Anonymous Coward · · Score: 0

      26^8=208,827,064,576

      (26*2)^8=53,459,728,531,456

      so adding caps makes it 256 times as hard to crack in principle.

    7. Re:lowercase by tchernobog · · Score: 1

      Actually, it's not exactly true if you are brute-forcing. If you have a nine-characters-long password, of which exactly one letter is uppercase (assuming you can determine that), you would have 8 lowercase letters (26^8) * 26*9 possibilities (because the uppercase letter can appear in 9 different places), so that would make it 9 times the time required to bruteforce an all-lowercase password. That's why they recommend you to use digits, special characters and uppercase letters; they DO increase a LOT the amount of work needed to break a password. If you do not know if there *is* an uppercase letter (0 or 1 uppercase letters), that makes it 18 times harder (26^8 * 52*9).

      --
      42.
    8. Re:lowercase by Anonymous Coward · · Score: 0

      I disagree and use all uppercase in my passwords.. they would never guess that!

    9. Re:lowercase by Anonymous Coward · · Score: 0

      If you do not know if there *is* an uppercase letter (0 or 1 uppercase letters), that makes it 18 times harder (26^8 * 52*9).

      No, 10 times harder (26^8 * 26*10).

    10. Re:lowercase by swillden · · Score: 1

      Good luck brute forcing a 9 character lowercase alphanumeric password

      Per yesterday's article, a GPU can test 3.3 million passwords per second. That means the entire space of 9-character lowercase alphanumeric passwords (there are 36^9 of them) can be searched on a single GPU in 356 days, which means that on average it will take 178 days to find a given password with an undirected brute force search. In practice, that can probably be reduced significantly by searching first for dictionary words, combinations of pieces of dictionary words or letter sequences that are "pronounceable".

      Brute force searching is also fully parallelizable, so applying 10 GPUs reduces the average time to 18 days (again assuming naive searching -- smarter searching will probably reduce it to 2-3 days).

      Throwing in exactly one uppercase letter multiplies the password space by 9, which makes those numbers for one and ten GPUs 1600 and 160 days, respectively. A factor-of-9 improvement may not seem like much, but in this case it moves the problem from the realm of something that can be done in a couple weeks with a few hundred dollars of hardware to something that requires months or thousands of dollars.

      Of course you're right that adding a tenth character does more than choosing one uppercase character. But the point is that a 9-character lowercase alphanumeric password is eminently crackable by someone who cares to do it, and at this level every additional multiplier that can be added to the complexity of the brute force attack is useful.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    11. Re:lowercase by Anonymous Coward · · Score: 0

      I solved that problem by having all capitals!! 8 characters of just capitals; that will make it difficult - lol.

    12. Re:lowercase by mortonda · · Score: 1

      But this is only when you have access to a very fast hash table of the passwords. Trying to brute force over the network to a server that has a proper failure backoff timeout, it gets a lot harder to brute force a decent (6-8 character) password, assuming you don't do stupid stuff like 'password' or '12345'.

      As for the case of whether the hackers get ahold of the password table ... well, let's hope it's at least hashed. That's not even always the case... and if that's true, it doesn't matter how long your password is. :(

    13. Re:lowercase by WuphonsReach · · Score: 1

      But this is only when you have access to a very fast hash table of the passwords. Trying to brute force over the network to a server that has a proper failure backoff timeout, it gets a lot harder to brute force a decent (6-8 character) password, assuming you don't do stupid stuff like 'password' or '12345'.

      Agreed.

      But when planning for password security, minimum length and complexity requirements - you assume that the attacker has the hash.

      It's a very reasonable assumption to make unless the server is locked in a concrete and steel box, a kilometer or three below the surface, with no external connections, you've filled the box with magma, and you have honey badgers living in the tunnels. Maybe some cazores living at the entrance.

      --
      Wolde you bothe eate your cake, and have your cake?
    14. Re:lowercase by Rich0 · · Score: 3, Insightful

      In a way I agree with you, but let's just look at the numbers. A password of n characters long of only lower case letters (in English) is 26^n possible combinations. Adding upper case then gives 52^n combinations.

      The parent's point was that this isn't actually correct. That is only true if ANY or ALL of those characters could be upper case. Well, they could be, but most likely they aren't. Instead it is probably the case that all but one are lower case. So, the number of possibilities isn't 52^n, but rather n*26^n. That is barely larger than 26^n.

      Require 8 characters, of which at least one is upper case and one is a number? Ok, users will go with the minimums on both, so you start with 6 lowercase and 1 uppercase letters, which is 7*26^7. Then you throw in a digit. That could go in 8 positions, and could be any of 10 characters, so multiply that number by 80. If you just check a "1" in the last character position then you don't increase the number of combinations at all and you'll probably nail 80% of the passwords anyway.

      If I lose my car keys then a true brute force search would have to cover the entire volume of c * the elapsed time since I last saw them. However, I wouldn't start by searching the moons of Jupiter - the kitchen counter is far more likely to yield dividends.

    15. Re:lowercase by Anonymous Coward · · Score: 0

      Your calculations are way off as you don't know in advance where the one capital letter will be, so you are still stuck with all possibilities. There is also no way to determine at which position the capital is, only statistical analysis can be of any help (just as you are not going to search for your keys on the moons of Jupiter first ;-).

      The question which should be asked: why aren't our precious passwords secured in their systems? Using a per-user seed - with properly configured random number generators - (avoids the need of having complex user passwords and makes it as good as impossible to use rainbow table attacks) and concatenating two different hashing algorithms on it (to avoid hash collisions) is a must. Protection against brute force attacks is easily solved by proactive system correlation. Using underlying SSL/TLS transport ensures secure password transmission over the wire.

      Reversible passwords (or clear text) are always doomed if the database gets compromised. I'm not saying that there exists something which is unbreakable, but I don't understand how a big company like Sony can't even spot such security breaches. Because it took a while before PSN was back live, they proved that they didn't have any idea at first sight what actually happened and that's a shame.

    16. Re:lowercase by n5vb · · Score: 1

      There's only a bit of difference between upper and lower case.

      (at least in ISO-Latin-1) *rimshot*

    17. Re:lowercase by Rich0 · · Score: 2

      Your calculations are way off as you don't know in advance where the one capital letter will be, so you are still stuck with all possibilities.

      If the password is n characters long, then the capital letter could be in one of n positions. So, the number of possibilities is n*26^n. Basically you take each 8-char lowercase password and then you capitalize each of the 8 letters in turn.

      Or you could look at it this way - you have n-1 chars lowercase, which is 26^(n-1). Then you have 26 possible uppercase chars in any of n positions, or 26*n. So, you get 26*n*26^(n-1), which is just another way of saying n*26^n.

      As far as your arguments about making the passwords harder to brute force go, clearly that is just good sense. That doesn't change how the time to brute force scales with n, but just the base time per try, and salting also prevents you from being able to divide the time per password by the number of passwords in the database.

    18. Re:lowercase by AmiMoJo · · Score: 1

      Didn't you see the recent story about GPU password cracking? A GPU will chew through every combination of 9 lowercase characters in minutes.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    19. Re:lowercase by Anonymous Coward · · Score: 0

      I think the point is that, until a password is actually cracked, the attacker doesn't know whether it uses only lowercase letters. Because of articles like this, he could guess that there's an 80% chance that it only has lowercase letters, but he doesn't know that for a fact. What's the chance that his guess is correct? Eh, it's hypothetical, anyway.

      The real point is that, over a network, trying to crack a password on a web site, it doesn't matter which kinds of characters are used, because you can only make so many attempts in so much time, anyway.

  11. Silly users? by Anonymous Coward · · Score: 0

    Like your password entropy makes any difference when it's stored in plaintext. Even if 80% of sites hash passwords, chances are it's the other 20% that'll be vulnerable to SQLi. Given the current state of security, minimising password re-use is the only useful thing you can do.

  12. And 100%... by Anonymous Coward · · Score: 0

    And 100% are not hashed and salted.

    1. Re:And 100%... by Yvan256 · · Score: 2

      Of course they're not salted. They're checking their sodium intake!

  13. Password Requirements Are Inconsistent by Anonymous Coward · · Score: 4, Insightful

    The whole point of a password is to have something you can memorize (without writing it down) as a security precaution. The problem is that different websites have different password requirements. For example, one website might require at least 8 characters in your password with at least one numeric and one non-alphanumeric character. But then another website might require at least 6 characters (alphanumeric), but DOES NOT ALLOW non-alphanumeric characters. So now you have two different passwords to remember. On top of that, it is recommended that you have a different password for each account. I don't know about you, but I have probably 100 accounts to various websites, games, etc - and there's no way I could memorize that many different passwords containing a mixture of alphanumeric and non-alphanumeric characters.

    1. Re:Password Requirements Are Inconsistent by tompaulco · · Score: 3, Insightful

      Mod parent up. Never mind different sites, we have different password requirements on different systems WITHIN MY OWN COMPANY. Our expense reporting system, bug tracking system, OS login, and intranet login all have different and incompatible password requirements, and some of these also expire, requiring you to think of a NEW one that fits the format. So within my own company I have to remember 5 different passwords (plus the other system passwords, some of which I also need to know to perform my job). Then externally, I probably have 30 to 40 sites that I have accounts on that I use on a regular basis. Some of these not only have crazy password requirements, but some have non-choosable usernames, like a number or a name that they assign you. Sometimes they assign you a password as well and won't let you change it.
      So it comes down to sticky notes, or a trusted source to keep all your passwords. I have chosen the latter. I have a password file that I keep on my own domain. However, even that is not foolproof, because I don't host the server myself, so somebody at the host, or somebody that compromised the host could get in and look at that file (I have permissions set to keep the casual viewer out, but these people would obviously have admin permission). I still have security through obscurity, as they would have to recognize the file for what it was, while wading through thousands of uninteresting files, and then figure out what user and password goes with what site, which is somewhat cryptic, but recognizable by me.
      As an aside, why does talking about my file which is hosted on a unix based system make me want to use vi editor keys when typing into slashdot?

      --
      If you are not allowed to question your government then the government has answered your question.
    2. Re:Password Requirements Are Inconsistent by Hatta · · Score: 1

      But then another website might require at least 6 characters (alphanumeric), but DOES NOT ALLOW non-alphanumeric characters. So now you have two different passwords to remember.

      You're going to have to remember 2 different passwords anyway. That is, unless you want Sony hackers to be able to access your email/facebook/slashdot account.

      --
      Give me Classic Slashdot or give me death!
    3. Re:Password Requirements Are Inconsistent by sjames · · Score: 1

      It's really getting out of hand. I'm just waiting for the day when passwords must be 100 words or more, mixed case in at least 3 alternate character sets (including Klingon please) with not less than 5 characters that cannot be typed on any keyboard known to man even with a quadruple Bucky.

      It's time to admit that not everything is Top Secret and that the real problem is that BANKS insist on using credit card numbers and other more or less public information as the world's worst clear text passwords. It shouldn't matter if you know my credit card number (known to anyone I buy something from) or my mother's maiden name (known by the bank and anyone who bothers to check public records), my shoe size, or my birthday.

      We've known how to use public key signatures and encryption on smart cards for decades now. If such a system were in place, and mandated to be open, we could use it for other things as well. If a smart card can securely sign a payment authorization, it can sign an access token.

    4. Re:Password Requirements Are Inconsistent by Anonymous Coward · · Score: 0

      Seriously. Different requirements are what keeps out one's own consistent standardization for security levels (i.e. level one = websites, level two = email, level 3 = bank account or paypal). All I want is to be allowed to use a passphrase, which is too long for a lot of sites, or doesn't live up to their arbitrary. They are way easy to memorize and from what little I've read do a reasonable job. How long would it take to crack the passphrase "My muscle eating towel screams!"? No really, how long would that take? Obviously if someone KNEW it was a passphrase then they could use the linguistic order of words to factor into the cracking process, but if it was simply a common word dictionary (3000 words) brute force, that's 2.43 * 10^14 permutations. Is that bad? Seriously, is there a flaw in this? Because I have passwords likened unto that one and they are EXTREMELY easy to memorize because they are visual, but contain no characters other than punctuation and no numbers.

    5. Re:Password Requirements Are Inconsistent by tompaulco · · Score: 1

      Well, there is no reason why the brute force thing should even enter into it. Any properly designed system will not allow you to try to login again within 1 second. Nobody can type that fast anyway. So any kind of brute force attempt is going to take billions of years. All of the IT security is just like TSA, pure theater. It costs us time, money, and decreases security to have the kinds of password rules and expiration that are considered "best practices".

      --
      If you are not allowed to question your government then the government has answered your question.
  14. Very few words are bad passwords. by Anonymous Coward · · Score: 0

    I strongly believe that very few words are bad passwords. Sure, using "password" is bad. As is "qwerty". But something like "football123" is fine. Or "soccerfan" - that'd be fine too. But *only* as long as there is decent bruteforce protection. 3 password attempts and a 5-15 minute lockout. Annoyingly, few websites use this policy.
    An issue is, however, hash security. But salts help with that.

    1. Re:Very few words are bad passwords. by WuphonsReach · · Score: 1

      An issue is, however, hash security. But salts help with that.

      Not really. If I know that your password is short, comprised of common English words (say 4,000 common words that are short enough), something like "football123" is going to be cracked in a matter of hours.

      4000^2 x 1000 = about 4.4 hours at 1 million/sec

      Worse, since "football" is itself probably in that list of the 4000 most common words, my search space is only 4000 x 1000, or 4 seconds.

      And probably even faster than that since I would probably try "123" and "1234" as common suffix values to the word list.

      Doesn't matter if you salt or not if I'm brute-forcing your password. Salt just means that I probably (assuming you were smart and used a 12-16 bit or larger salt) can't use a pre-calculated rainbow table against the password hash.

      --
      Wolde you bothe eate your cake, and have your cake?
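The keyspace arithmetic argued over in the "lowercase" thread above (26^n versus n*26^n versus (n+1)*26^n, Rich0's "users do the minimum" count, swillden's 36^9 at 3.3 million guesses per second) and the word-list count in WuphonsReach's reply just above, recomputed in one place so each quoted figure can be checked. This is an added example, not code from the article or from any poster; the guess rates are the ones quoted in those posts, and real rates depend on the hash function and hardware.

```python
"""Keyspace and brute-force time estimates for the password models
discussed in this thread (added example; rates are the thread's own figures)."""
from math import comb

LOWER = 26            # a-z
UPPER = 26            # A-Z
DIGITS = 10           # 0-9
ALNUM = LOWER + DIGITS  # the "lowercase alphanumeric" base behind 36^9
SECONDS_PER_DAY = 86400

GPU_RATE = 3.3e6      # guesses per second per GPU, as quoted in the thread
CPU_RATE = 1.0e6      # rate used for the word-list estimate in the thread


def structured_keyspace(length, base=LOWER, upper_mode="none"):
    """Candidate count when the attacker assumes a structural model.

    base:       symbols allowed in an ordinary position (26 for lowercase
                letters only, 36 for lowercase letters plus digits).
    upper_mode: "none"     no uppercase anywhere             -> base^n
                "exactly1" exactly one uppercase letter      -> n*26*base^(n-1)
                           (n*26^n when base is 26)
                "atmost1"  zero or one uppercase letter      -> base^n + n*26*base^(n-1)
                           ((n+1)*26^n when base is 26: 10x for n=9, not 18x)
                "any"      every position may be either case -> (base+26)^n
    """
    if upper_mode == "none":
        return base ** length
    one_upper = length * UPPER * base ** (length - 1)
    if upper_mode == "exactly1":
        return one_upper
    if upper_mode == "atmost1":
        return base ** length + one_upper
    if upper_mode == "any":
        return (base + UPPER) ** length
    raise ValueError(f"unknown upper_mode {upper_mode!r}")


def policy_minimum_keyspace(letters, digits):
    """Rich0's model of a policy demanding at least one uppercase letter and
    one digit when users do exactly the minimum: `letters` letters with
    exactly one of them uppercase, plus `digits` digits placed in any of
    the positions (7 letters + 1 digit gives 7*26^7 * 80)."""
    n = letters + digits
    letter_part = letters * UPPER * LOWER ** (letters - 1)
    return letter_part * comb(n, digits) * DIGITS ** digits


def dictionary_keyspace(words, suffixes, word_slots=1):
    """Word-list attack: `word_slots` words drawn from a `words`-entry list,
    followed by one of `suffixes` numeric suffixes (e.g. 000..999)."""
    return words ** word_slots * suffixes


def seconds_to_search(keyspace, rate_per_second, workers=1, average=True):
    """Wall-clock time for an undirected brute-force search. The search is
    embarrassingly parallel, so `workers` GPUs divide the time; the expected
    time to hit one specific password is half of a full sweep."""
    full = keyspace / (rate_per_second * workers)
    return full / 2 if average else full


def days(seconds):
    return seconds / SECONDS_PER_DAY


def hours(seconds):
    return seconds / 3600


def thread_figures():
    """Recompute the numbers the posters quote, keyed by the claim."""
    n9_alnum = structured_keyspace(9, base=ALNUM)
    n9_lower = structured_keyspace(9)
    return {
        "26^8": structured_keyspace(8),
        "52^8": structured_keyspace(8, upper_mode="any"),
        "exactly one uppercase, 9 letters, factor":
            structured_keyspace(9, upper_mode="exactly1") // n9_lower,
        "zero or one uppercase, 9 letters, factor":
            structured_keyspace(9, upper_mode="atmost1") // n9_lower,
        "36^9 full sweep, 1 GPU, days":
            days(seconds_to_search(n9_alnum, GPU_RATE, average=False)),
        "36^9 average, 10 GPUs, days":
            days(seconds_to_search(n9_alnum, GPU_RATE, workers=10)),
        "8-char policy minimum / 26^8":
            policy_minimum_keyspace(7, 1) / structured_keyspace(8),
        "two words + 3-digit suffix, hours":
            hours(seconds_to_search(dictionary_keyspace(4000, 1000, 2),
                                    CPU_RATE, average=False)),
        "one word + 3-digit suffix, seconds":
            seconds_to_search(dictionary_keyspace(4000, 1000),
                              CPU_RATE, average=False),
    }


if __name__ == "__main__":
    for label, value in thread_figures().items():
        print(f"{label:42s} {value:,.2f}")
```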
    2. Re:Very few words are bad passwords. by allo · · Score: 0

      and you need to brute force every password in the list, not one attack over all at the same time.

  15. My Best Practices by gregarican · · Score: 3, Interesting

    For my passwords I use the keys one-up-and-to-the-right of the "dictionary style" password I have. For example, for password this would come out as -wee305r, making it harder to brute force. Of course if the passwords are all stored plain text by some incompetents what's the point?!

    1. Re:My Best Practices by jawtheshark · · Score: 1

      That works as long as you only have to deal with a US-layout keyboard. I have to cope with a multitude of different keyboard layouts. The one I type this on (which is not the one I normally use) would render "password" like ")éeeà(r".

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    2. Re:My Best Practices by gregarican · · Score: 1

      Good point. And my US keyboards render the passwords a lot differently than the time I am trying to enter in my password from my iPhone/iPad...and since I don't always memorize the jumbled version I sometimes get a brain cramp :)

    3. Re:My Best Practices by Anonymous Coward · · Score: 0

      If the data is not made up in the article, then it seems as though *ALL* passwords have been compromised. Even the "secure" or "good" ones. The authors cannot claim that 99% of them don't have a non alphanumeric character unless 100% of them have been converted to plaintext.

      So, can you computer dorks please leave us alone with making "secure" passwords and making us change them all the time. There is no such thing. I guess it's time to end the /. articles on passwords where dorks talk about how they use these clever mnemonics and rules and tricks, when their passwords are no more secure than any other.

    4. Re:My Best Practices by Anonymous Coward · · Score: 0

      Nice,

      A lot of people do, and that's why Jack The Ripper uses this technique also when brute forcing passwords...

  16. My password is by Anonymous Coward · · Score: 5, Funny

    '); DROP TABLE Password;

    1. Re:My password is by snookerhog · · Score: 4, Funny

      Bobby, is that you?

    2. Re:My password is by Anonymous Coward · · Score: 0

      A link for explanation: http://xkcd.com/327/

    3. Re:My password is by Anonymous Coward · · Score: 0

      You should change that to: '); DROP TABLE Password; --
      Less likely to cause an SQL error.

    4. Re:My password is by Anonymous Coward · · Score: 0

      Better to truncate table users

  17. What's the point .. by Idimmu+Xul · · Score: 2

    of having 100 alphanumeric+special character long passwords when websites just give up the password lists with the magical words 'sql injection'?

    Unique passwords at least ensure that once a website you frequent is compromised you don't get further screwed over...

    --
    The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
  18. hunter2 by chemicaldave · · Score: 2

    There must have been a few dozen.

    1. Re:hunter2 by MacGyver2210 · · Score: 1, Funny

      There weren't any passwords listed in the sony data as ******* - as you typed it. If you can write the actual password instead of the masked version I could tell you for sure...

      --
      If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
  19. non-alphanumeric characters by pb186 · · Score: 1

    "99% of passwords don't contain a single non-alphanumeric character." Many sites out there don't allow non-alphanumeric passwords. Most bank login pages I've seen are this way. It's really infuriating that a page whose security is of the utmost importance doesn't allow very secure passwords. Since a lot of people reuse passwords this statistic makes sense.

    1. Re:Non-alphanumeric characters by John+Hasler · · Score: 1

      Sounds like you missed an opportunity to put Bobby Tables to work...

      It's also possible that the "#" just happened to fall right after the end of the maximum length password accepted by the site.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:Non-alphanumeric characters by WuphonsReach · · Score: 1

      Which sounds like they're storing the passwords in plain text.

      (Yet another reason to just use randomized passwords across different websites. At least an attack on one site won't lead to accounts on other sites being exposed due to password re-use. Heck, for sites like talk forums and community sites where you don't have financial information exposed, just let the browser remember the password. Or use a program or a few GPG encrypted text files.)

      --
      Wolde you bothe eate your cake, and have your cake?
  20. Huh? by iluvcapra · · Score: 1

    67% of accounts on both Sony and Gawker use the same password.

    Without a map of Sony accounts to Gawker accounts I don't know what this means... I take it to mean "The cardinality of the set that is the union of password sets from Sony and Gawker is 67% of the cardinality of the set of Sony passwords."

    --
    Don't blame me, I voted for Baltar.
    1. Re:Huh? by Jim+Hall · · Score: 2

      67% of accounts on both Sony and Gawker use the same password.

      Without a map of Sony accounts to Gawker accounts I don't know what this means... I take it to mean "The cardinality of the set that is the union of password sets from Sony and Gawker is 67% of the cardinality of the set of Sony passwords."

      IIRC, Gawker had their username/password database stolen a year or so ago? I read the "67%" as: for accounts on both Gawker and Sony, where the email address matched up, 67% of the passwords were also the same.

      That is, 2/3 of the people who had accounts on both Gawker and Sony were using the same password, not a different one.

    2. Re:Huh? by MacGyver2210 · · Score: 1

      I take it to mean "We downloaded the un/pw list from the sony hack, and tried every one on Gawker. 67% worked."

      --
      If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
    3. Re:Huh? by Anonymous Coward · · Score: 0

      RTFA, they explain it there.

  21. Bad passwords are not always the user's fault. by mcmonkey · · Score: 4, Insightful

    The issue is I have, at last count, 13 systems with separate passwords. There's a network account, elevated privileges account for server admin, HR systems, online learning systems, expenses system, which is not the same as the travel booking system, etc.

    With the company's computer, I can't just install any software I want, so one of the password tracking programs is not an option. So I use the same password for all 13 systems.

    So the next issue, not all those systems have the same password requirements. There is one system which does not allow the use of special characters. So while my password always has lower case, upper case, and numeric, I'm always going to be in that 99% with no non-alphanumeric characters. Oh, and I think the max characters limit is around 12.

    Of course, writing down passwords is such a bad practice. But there's no way I can afford to burn the cycles to memorize 13 new passwords every 90 days, so I use the same password for all work systems. The same bad password.

    1. Re:Bad passwords are not always the user's fault. by Idimmu+Xul · · Score: 1

      you could use a password management tool like keepassx to remember them for you

      --
      The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
    2. Re:Bad passwords are not always the user's fault. by KMitchell · · Score: 5, Insightful

      Of course, writing down passwords is such a bad practice. But there's no way I can afford to burn the cycles to memorize 13 new passwords every 90 days, so I use the same password for all work systems. The same bad password.

      Nothing inherently wrong with writing down passwords. You move from "something you know" to "something you have". As long as you properly secure "what you have", it's still decent single-factor authentication. Just write your passwords on a $100 bill, and you're fine.

    3. Re:Bad passwords are not always the user's fault. by Mr_Plattz · · Score: 2

      Agreed!

      I've recently invested time and changed *all* my online passwords. Everything stored inside KeePass with random very strong passwords. Even comparing with the 'core' sites such as Facebook, Twitter, Ebay, Paypal, Gmail --- *ALL* of them have different requirements which I think is unacceptable. Some enforce 14 chars but don't accept alpha-characters while others cap at 20. One big kudos is Facebook was the best and accepted 256 random characters.

      So yes, *we* need to agree on the minimum standard that all passwords can be. I will propose 20 chars, allowing all upper/lowercase alpha-numerics and non-alphanumeric.

      Yes I appreciate security isn't just as simple as allowing 256 random chars, but as the above posters suggested, *WE* (customers) should at least be able to expect a certain level of standards.

    4. Re:Bad passwords are not always the user's fault. by Anonymous Coward · · Score: 1

      What part of "With the company's computer, I can't just install any software I want, so one of the password tracking programs is not an option" did you not understand?

    5. Re:Bad passwords are not always the user's fault. by mcmonkey · · Score: 1

      Except I can't install any software I want on the company's computer. You know, for security!

    6. Re:Bad passwords are not always the user's fault. by Anonymous Coward · · Score: 0

      You have the reading comprehension skills of a small child.

      With the company's computer, I can't just install any software I want, so one of the password tracking programs is not an option. So I use the same password for all 13 systems.

    7. Re:Bad passwords are not always the user's fault. by benob · · Score: 1

      How about using a common random prefix followed by a phrase unique to that system? Like:

      Xhk645k_networkaccount
      Xhk645k_elevatedprivileges
      Xhk645k_hrsystems ...

      You only have to remember the random prefix, the second part being much easier to remember.

      To security experts: would that be secure enough?

    8. Re:Bad passwords are not always the user's fault. by eulernet · · Score: 1

      At my job, the policy was to change passwords every month.

      The guy explaining how to be able to keep memorizing the passwords gave us the following trick:

      use your normal password as a prefix
      then as suffix, add a counter, like 00, 01, 02, etc...
      The idea is to increment the counter when the password expires.

      After a few months, the management got upset about this policy, and we have now had the same password for 2 years.

    9. Re:Bad passwords are not always the user's fault. by danpat · · Score: 1

      Online password manager with client-side encryption and secure password generation: http://clipperz.com/

    10. Re:Bad passwords are not always the user's fault. by John+Hasler · · Score: 1

      > ...would that be secure enough?

      As long as you are the only one doing it. Once the practice became widespread it would become worthless (I am not a security expert.)

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    11. Re:Bad passwords are not always the user's fault. by Cthefuture · · Score: 1

      This is exactly the type of thing a smartcard would be good for. You could have all unique passwords using the strongest randomizer possible (or use PKI or similar) and only have to remember a simple PIN for your card. The PIN can be relatively short and simple too (although making it more complicated is recommended).

      A smartcard provides a hardware level of protection as it's much more difficult to brute force because it can be set to self destruct after a certain number of bad PIN attempts. Usually between 3 and 8 attempts will "permanently" block the PIN. Many cards do also have an unblock PIN and/or transport key but those will also block after some low number of attempts, at which point the whole card will probably be permanently "bricked."

      It's not some magical solution to all problems because unless you're using PKI then your password has to be read off the card and transmitted but the range of attacks is much smaller (mostly limited to local attacks on your system versus stuff like the Sony breach).

      --
      The ratio of people to cake is too big
    12. Re:Bad passwords are not always the user's fault. by Roogna · · Score: 1

      Use a password management system, that is -not- on your computer. For instance 1Password is available on iOS devices. I'm sure Android has similar apps.

    13. Re:Bad passwords are not always the user's fault. by Anonymous Coward · · Score: 0

      Also, you still can't use passwords longer than 8 characters on ICQ.

    14. Re:Bad passwords are not always the user's fault. by mcmonkey · · Score: 1

      Oh great. All my accounts have been compromised AND I have to skip lunch for a couple weeks. ;)

    15. Re:Bad passwords are not always the user's fault. by Anubis+IV · · Score: 1

      If you use 1Password, it has companion iOS and Android apps which will automatically sync via Dropbox to your computers. No need to install anything on the company computers when you can keep it on your phone, and the data on the phone is independently encrypted and password protected in addition to anything the mobile OS does.

    16. Re:Bad passwords are not always the user's fault. by Anonymous Coward · · Score: 0

      In this particular instance my PSN password would have been longer than six letters and contain more than just lowercase letters and numbers if I didn't have to type it in using a controller. Typing in strings with a controller is a straight up horrible chore.

    17. Re:Bad passwords are not always the user's fault. by gman003 · · Score: 2, Informative

      I have three different passwords I use for everything. The weakest (8 characters, 2 non-alphanumeric and one uppercase, but I sometimes have to strip the & and @ on things that don't allow it) is used on things where I really don't give a shit if someone hacks it. Want to upload stuff to Imageshack in my name? Who cares? Want to hack my Dropbox? I only use it as free file hosting - everything on it is supposed to be publicly viewed, and I have local copies of all the data. Want my Gawker account? Knock yourself out - I don't even try posting anything there, everyone's too retarded. Hell, some sites email it back to me in plain text.

      The next password (9 characters, 2 non-alpha, one uppercase, non-dictionary word (unless someone added Esperanto to their password dictionary)) is used for things I actually care about. Steam. Slashdot. User-level logins. Email. Stuff I would be able to recover, but which would seriously inconvenience me. If I hear that one of the systems I use it on has been compromised, or even "maybe" compromised, I change them all. I do have this one written down in a few places, but always under lock and key.

      The highest (20 characters, 3 non-alphanumeric, 4 numbers and 6 uppercase, with nothing at all that would appear in any dictionary) is used on things I need actual security on. Root accounts. Bank accounts (or at least I would, if my bank wasn't retarded). And the only place I have this recorded is in one location, which contains only the instructions I used to generate it, which requires knowledge of hexadecimal, early science-fiction, and the arrangement of my keyboard. I consider this one uncrackable - I would be confident setting it as the launch code to a nuclear missile. If I remember, last I checked it would take several years to crack the password - anyone who cracks it will probably have spent more on electricity for their computer than they'd get out of my bank account.

      PS: I know about password management programs. Don't trust them, and I have to use public terminals too often to have passwords I can't remember. I've considered using the postfix system (ie. $kurg^is42 would become $kurg^is42_fb on facebook, $kurg^is42_sd on /., etc), but haven't gotten around to actually doing it yet. Probably should.

      PPS: That's not my actual password. And several of my descriptions were deliberately false, just to maintain security.

    18. Re:Bad passwords are not always the user's fault. by Terrasque · · Score: 1

      You could try looking at a solution like http://www.hashapass.com/

      The relevant JS code:

      // Reads the memorised secret (seedId) and the per-site parameter (parameterId),
      // derives the site password as the first 8 characters of base64(HMAC-SHA1(seed, param)),
      // then clears the seed field so the secret is not left on screen.
      // b64_hmac_sha1() comes from the page's SHA-1 library (not shown here).
      function update()
      {
          var res = document.getElementById('resultId');
          var seed = document.getElementById('seedId');
          var param = document.getElementById('parameterId');
          var hashapass = b64_hmac_sha1(seed.value, param.value).substr(0, 8);
          res.value = hashapass;
          seed.value = '';
          res.select();
      }

      As long as you're allowed to make an ascii text document and have access to a web browser, that's available.

      --
      It's The Golden Rule: "He who has the gold makes the rules."
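
An added example (not hashapass's own code, and not from any commenter) that re-implements the derivation in the snippet above in Python so the scheme can be run and checked offline, and adds the caveat a practitioner would want: the output is a plain truncated HMAC with no salt and no key stretching, so a single leaked site password lets an attacker test master-secret guesses offline at one HMAC-SHA1 per guess. It assumes the browser code hashes the strings as UTF-8 and uses the standard base64 alphabet; the master secret, site names and wordlist in the demo are constructed.

```python
import base64
import hashlib
import hmac
from typing import Iterable, Optional

# Added example, not hashapass's own code: re-implements b64_hmac_sha1(seed, param).substr(0, 8)
# from the JavaScript above. HMAC-SHA1 is keyed with the memorised secret and run over the
# per-site parameter; the tag is base64-encoded and cut to the first 8 characters.
# Assumption: strings are hashed as UTF-8 and the standard base64 alphabet is used.

B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")


def hashapass(master: str, parameter: str, length: int = 8) -> str:
    """Derive the site password exactly as update() in the posted snippet does."""
    mac = hmac.new(master.encode("utf-8"), parameter.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")[:length]


def entropy_bits(length: int = 8) -> int:
    """Each base64 character carries 6 bits, so an 8-character output has at most 48 bits."""
    return 6 * length


def recover_master(parameter: str, leaked_password: str, guesses: Iterable[str]) -> Optional[str]:
    """The caveat: one leaked (site, password) pair is enough to test master secrets offline.

    There is no salt and no stretching, so each guess costs a single HMAC-SHA1. The guess that
    reproduces the leaked value is the master secret, which then yields every other site's password.
    """
    for guess in guesses:
        if hmac.compare_digest(hashapass(guess, parameter), leaked_password):
            return guess
    return None


if __name__ == "__main__":
    master = "correct horse battery"  # constructed sample, not a real secret
    for site in ("slashdot.org", "facebook.com", "gawker.com"):
        print(f"{site:14s} -> {hashapass(master, site)}")
    print("bits of entropy in an 8-character output (upper bound):", entropy_bits())

    # Scenario: gawker.com leaks plaintext passwords; the attacker runs a wordlist
    # against that one value to find the master secret. Wordlist is constructed.
    leaked = hashapass(master, "gawker.com")
    wordlist = ["password", "letmein", "correct horse battery"]
    print("master recovered from one leaked password:", recover_master("gawker.com", leaked, wordlist))
```

The derivation itself is sound as a way to get distinct per-site strings, but it puts the whole scheme's security on the master secret: 48 bits of output is fine against online guessing, and useless once any one derived password is in a breach dump in the clear.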
    19. Re:Bad passwords are not always the user's fault. by jomama717 · · Score: 1
      I use password safe, installed on a thumb drive. I have over 150 unique passwords I have to keep track of for work, as well as close to 100 unique passwords for personal sites stored on it. For passwords I rarely need I let the safe generate them for me, I never even actually know them. Just double click on the entry and it is inserted into your clipboard for ~3 minutes or something. For ones I use more frequently I came up with a scheme:
      • All passwords are of the form "[prefix][password][postfix]"
      • Choose 3 values for each element of the password. e.g. prefix could be "*(", "$^", or "@!", password could be "sparky", "fido", "jomama", and postfix might just be 3 well known 4-6 digit numbers.
      • Memorize these nine tokens, and if you need to write down specific passwords you can just put in placeholders for the values. e.g. "$^fido5150" can be written down as power-woof-vanhalen.

      Works like a charm for me.

      --
      while [ 1 ]; do echo -n -e "\xe2\x95\xb$((($RANDOM&1)+1))"; done
    20. Re:Bad passwords are not always the user's fault. by Anonymous Coward · · Score: 0

      Try Portable Apps!

      http://portableapps.com/apps/utilities/keepass_portable

      This way, you don't really have to install anything, and your company is none the wiser.

    21. Re:Bad passwords are not always the user's fault. by daktari · · Score: 1

      You could try and run it from USB flash drive.

      --
      A fool sees not the same tree that a wise man sees. -- William Blake
    22. Re:Bad passwords are not always the user's fault. by Anonymous Coward · · Score: 0

      keepassx is a portable version you can run from a thumb drive without having to install - you just extract the .zip into a directory and run the executable when you need access.

      Of course, if the network only allows you to run executables on a whitelist, it's not all that helpful.

    23. Re:Bad passwords are not always the user's fault. by Anonymous Coward · · Score: 0

      Or you could write them down on a USB stick. You can always encrypt that text file with a portable encrypter (such as TrueCrypt). Laziness is not an excuse.

    24. Re:Bad passwords are not always the user's fault. by PhilHibbs · · Score: 1

      I've considered using the postfix system (ie. $kurg^is42 would become $kurg^is42_fb on facebook, $kurg^is42_sd on /., etc), but haven't gotten around to actually doing it yet. Probably should.

      I do something like that, and I have a few variants of the cryptic prefix as well. I have occasional moments of paranoia that someone will get both Slashdot and Facebook's databases and notice the similarity between my passwords, but really, I'm not that interesting a target for that much effort.

    25. Re:Bad passwords are not always the user's fault. by Anonymous Coward · · Score: 0

      Try running it from your flash drive. It's really cool that way.

    26. Re:Bad passwords are not always the user's fault. by CastrTroy · · Score: 2

      Kind of funny, since they are only using a hash, why not just allow any length of password? The hash will always be the same length, regardless of the length of the password. You could even allow users to upload a file as their password, in order to allow for non-typeable byte values in order to increase entropy. If you stored the files for each website on a TrueCrypt partition that automatically dismounted after a timeout, it would probably be about as secure as using KeePass, and the actual password would be very strong.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    27. Re:Bad passwords are not always the user's fault. by gman003 · · Score: 1

      If the passwords are encrypted, they'll have to go through the effort of cracking them to notice the postfix is there.

      Using SHA-1 and the above examples, $kurg^is42_fb becomes de357c5ba1b2e8d6a773319d6c2d1068a3960bb9, while $kurg^is42_sd becomes a15d3716b55df845ef3f421a0343dd08050956c7. That's one of the features of a strong cryptographic hash - a slight change in the input produces a major, complete change in the output.
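
The two hashes quoted above, and the "they'd have to crack them" point, as an added example (written for this page, not code from any commenter): it computes the SHA-1 of the two suffixed strings, counts how many of the 160 output bits differ, and then shows the case PhilHibbs worries about further up the thread. An attacker who already holds the base password in plaintext from one breach does not need to relate the two hashes at all; with unsalted SHA-1 on the second site, a handful of suffix guesses is enough. The base string and the _fb / _sd suffixes are the commenter's illustrative values; the nickname list fed to the guesser is constructed.

```python
import hashlib
from typing import Iterable, List, Optional

# Added example, not from any commenter: runs the thread's own sample strings through
# SHA-1. "$kurg^is42" and the _fb / _sd suffixes are the illustrative values quoted
# above, not anyone's real password.

BASE = "$kurg^is42"


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1 of the password, the storage the commenters are assuming."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two hex digests (160 bits for SHA-1)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def suffix_guesses(site: str, nicknames: Iterable[str] = ()) -> List[str]:
    """A few obvious abbreviations of a site name, each with common separators.

    Constructed for the example: the full name, the first two letters, first+last
    letter, plus any nicknames the attacker knows are in use (e.g. "sd" for Slashdot).
    """
    name = site.split(".")[0]
    tokens = {name, name[:2], name[0] + name[-1], *nicknames}
    return [sep + t for t in sorted(tokens) for sep in ("_", "-", "")]


def recover_suffix(known_base: str, target_hex: str, suffixes: Iterable[str]) -> Optional[str]:
    """Given the plaintext base from breach A and only the SHA-1 from site B, try each
    guessed suffix; the one that reproduces B's hash is the answer, or None if no guess fits.
    Unrelated-looking hashes do not help here: the attacker never compares hash to hash."""
    for sfx in suffixes:
        if sha1_hex(known_base + sfx) == target_hex:
            return sfx
    return None


if __name__ == "__main__":
    fb, sd = sha1_hex(BASE + "_fb"), sha1_hex(BASE + "_sd")
    print("sha1(%s_fb) = %s" % (BASE, fb))
    print("sha1(%s_sd) = %s" % (BASE, sd))
    print("bits differing out of 160:", bit_difference(fb, sd))

    # Breach A leaked "$kurg^is42_fb" in the clear, so the base is known; site B
    # (slashdot) leaked only hashes. Nickname list is constructed for the demo.
    guesses = suffix_guesses("slashdot.org", nicknames=("sd",))
    print("candidates tried:", len(guesses))
    print("suffix recovered for slashdot:", recover_suffix(BASE, sd, guesses))
```

Two things to take from running it: the digests really do share nothing recognisable (roughly half the bits differ, as expected from any decent hash), and that property is irrelevant once one plaintext is out, because the per-site variation is a few bytes of guessable structure rather than a new secret.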

    28. Re:Bad passwords are not always the user's fault. by Unequivocal · · Score: 1

      Of course, make sure you back up that password safe somewhere. I use SpiderOak to keep that file synced on lots of systems. Dropbox probably works fine too.

    29. Re:Bad passwords are not always the user's fault. by joeflies · · Score: 1

      You don't trust password management programs but you trust public terminals?

    30. Re:Bad passwords are not always the user's fault. by Anonymous Coward · · Score: 0

      This. I like using a formula method that incorporates elements of the url/website name/username/other things so I just have to memorize my formula, but it is very depressing how many websites with very personal info have horrendous password limitations.

      My former student loan provider, Citibank, has ridiculous password management. It limits your password length to 8 and limits it to alphanumeric, but that's not all!
      - the change password form lets you enter more than 8 and then silently chops it down
      - the main login page form lets you enter more than 8 and does not chop it down, resulting in an incorrect password! I requested a password reset (sent in plain text e-mail, of course) a fair number of times when I forgot about that lovely glitch.

      I sent them an e-mail saying I would never take a loan through Citibank again (also, they had absolutely terrible customer service) and would actively discourage my friends from doing so until they fixed it. No response...

    31. Re:Bad passwords are not always the user's fault. by IICV · · Score: 1

      ... but I sometimes have to strip the & and @ ...

      ... ie. $kurg^is42 would become $kurg^is42_fb ...

      PPS: That's not my actual password. And several of my descriptions were deliberately false, just to maintain security.

      So now we know that your real password contains none of $, ^, & or @? That reduces the search space quite a bit :)

    32. Re:Bad passwords are not always the user's fault. by gman003 · · Score: 1

      I never said *which* descriptions were false. I could have lied about the $, or about the &. I could even have lied about lying to you - maybe that *is* my real password.

    33. Re:Bad passwords are not always the user's fault. by Anonymous Coward · · Score: 0

      PPS: That's not my actual password. And several of my descriptions were deliberately false, just to maintain security.

      It's really "password" isn't it?

    34. Re:Bad passwords are not always the user's fault. by Anonymous Coward · · Score: 0

      Except I can't install any software I want on the company's computer. You know, for security!

      There's android and probably iphone apps for those trackers. I use keepass on android.

    35. Re:Bad passwords are not always the user's fault. by ibennetch · · Score: 1

      Bank accounts (or at least I would, if my bank wasn't retarded).

      What is this about? Seems to be more widespread than it should be. At one point, I had a bank account that, among other things, did not allow passwords longer than 8 or 10 characters. I think any non-alphanumeric characters were also out. And I'm supposed to trust them with my money?

      I've also had an account somewhere (I forget if it was a 401k, employer payroll system to see my paycheck, or maybe something less important) that uses your SSN as the login name and requires a short (numeric-only) PIN for the password. Plus some sort of funky javascript to "encrypt" each character on each keypress (which also means I can't type it at breakneck speed).

      Now, I go out of my way not to deal with companies that force me to use weak passwords...

    36. Re:Bad passwords are not always the user's fault. by gman003 · · Score: 1

      My bank account limits me to uppercase letters and numbers, and has a maximum length as well. Since that rules out everything I've ever used as a password (except for one I use on retarded services that email it back to you in plain text), and I don't want it written down anywhere, I'm constantly forgetting it. I got tired of doing a reset every time I wanted to check my account balance, so I just signed up for mailed balance updates and keep track myself - not hard when you only use it for online transactions (ie. Steam games) and major purchases (everything else I just pay cash).

      I almost hope someone does hack the account, so the bank ends up losing money giving me back the ~$300 or so in the account. Maybe then they'll learn to follow security guidelines.

    37. Re:Bad passwords are not always the user's fault. by PhilHibbs · · Score: 1

      If the passwords are encrypted, they'll have to go through the effort of cracking them to notice the postfix is there.

      That's a big "if". I guess Slashdot's probably is encrypted, because they're nerds. Facebook's probably is as well. Not sure about any others - if a giant tech company like Sony stores them unencrypted, then anyone might. And in France, you're not allowed by law to one-way-hash them.

    38. Re:Bad passwords are not always the user's fault. by Anonymous Coward · · Score: 0

      Unless you have a policy that forbids writing your password down. We haven't even touched on usernames (x n) as well.

  22. what did you expect by Anonymous Coward · · Score: 0

    asking the user for or generating a passWORD is the beginning of the problem

    call this authentication method something else in your application/gui and you might see a change in user behavior

    1. Re:what did you expect by snookerhog · · Score: 1

      +1 insightful

    2. Re:what did you expect by smitty97 · · Score: 1

      exactly. call it a PIN and you'll get 4 numbers. and most people will use their REAL bank pin on shadystealyourinfosite.biz just so they remember it

      --
      mod me funny
  23. Go figure... by Anonymous Coward · · Score: 0

    ...people who have to remember passwords for access to accounts at work, to pay their bills at home, to access their e-mail, to buy something online, to visit almost any service providing website... would rather make it something they can actually remember. In other news, smoking isn't healthy for you.

  24. I found it impossible to remember. by Anonymous Coward · · Score: 0

    I find the writings of security professionals who imply that anyone who doesn't have secure passwords, change them frequently and not write them down, but rather expect me to be able to remember all that for every site I go to, is a fool, quite offensive. I doubt if even THEY can do that! I had to create a way to do it that's not fully dependent on memory.

    Sure, I could do one or two secure passwords, but when every site you sign up for requires a password for the most trivial things, it becomes impossible.

    Can't write it down, oh no, can't use it more than a month, having to change it to something else? Forget it! Literally!

    So then you have to do reset every time you visit the site now. What a PITA!!!

    So how do you do this?

    You make a password based on an algorithm that you create, where your password is based on some password you CAN remember; this is based on the month, something you do with the word of the month for this base password. Then you add some numbers or characters based on the name of the site or some other value that's site-based that you make up, so that it's unique and you can figure it out, instead of having to remember the impossible.

    That for me has been the ONLY way I can have a secure password that follows best security practices and isn't so hard to remember I can't use it.

  25. Re:Other Common Mistakes by Yvan256 · · Score: 2

    And, most shockingly, over 99% of passwords are not dead locked, leaving them susceptible to infiltration via sonic technology.

    Stop screwing around.

  26. Why are you still memorising passwords?! by Astatine · · Score: 1

    Passwords short enough to memorise are now short enough to crack in many cases. See recent article about hash reversal with GPUs.

    Use a password safe. Just search -- there are lots around. I use KeePassX (small, cross-platform -- Windows, GNU/Linux, Mac, Android, no install required on Windows). It'll make strong passwords for you and save them in a tiny encrypted file you can copy to all your devices, with a couple of clicks. The only passwords you'll need to remember are your local login password and the password to the safe.

    Life is better without having my web accounts chain-hacked or having to clutter my brain remembering a bazillion passwords...

    1. Re:Why are you still memorising passwords?! by Spy+Handler · · Score: 1

      what if you need to access a web account (let's say Gawker) and you're not at home? And you can't remember any of your passwords because they're all strong 35-character random characters stored in your password safe? Do you carry a USB stick with your password safe around with you everywhere you go?

      And if you do, you still have to insert your USB stick into a foreign computer and type in your master password. What if that gets owned by a keylogger? Then not only is your Gawker password compromised, every password you have is compromised.

    2. Re:Why are you still memorising passwords?! by wintercolby · · Score: 1

      The article about hash cracking with GPUs was all about cracking NTLM hashes. Even less secure are the random websites that people sign up to with absolutely no idea what type of hash might be used to store their password. To get a good indication of whether or not a site uses a two way encryption or no encryption at all, I usually reset my password. If they email me the (bogus) password that I used to create the account, I know it can't be trusted and put in something simple. There's no telling how strong of a routine a web application uses to store a one-way encrypted password either.

      I'm starting to really think that passwords don't matter. Weak or strong, they will be compromised. They only work well when you have a one-off password for each ID/Application/System. Using a password management system makes great sense, keep in mind it's also important to have a 1:1 ratio for each ID:Password that matters.

      --
      Most ignorance is vincible ignorance. We don't know because we don't want to know. --Aldous Huxley
    3. Re:Why are you still memorising passwords?! by Bengie · · Score: 0

      "Passwords short enough to memorise are now short enough to crack in many cases. See recent article about hash reversal with GPUs."

      A 14 char password would take ~ 300,000 years to break at a rate of 100 tril comb/sec. GPUs are still useless for breaking a good password.

      The most recent GPU article(past month) I read had GPU clusters in the billions comb/sec and would cost thousands of dollars. Even with a crazy high assumption of 100tril/sec, it would still take a long long long long time.

    4. Re:Why are you still memorising passwords?! by CTU · · Score: 0

      Use a software or on-screen keyboard? Last I heard keyloggers can't read them, and one is in Windows already (not sure about other OSes).

  27. nice by Anonymous Coward · · Score: 0

    wow i'm in the 1%, nice

  28. Re:not to bad actually by Quiet_Desperation · · Score: 1

    Ask a dozen people on the street about the "Sony rootkit" and most will probably think it's an MP3 player for plants.

  29. Strong Password Necessity? by dmatos · · Score: 3, Insightful

    Here's how I look at it:

    My PSN account is used purely for entertainment. It is not linked to a credit card. I have made one PSN purchase on my credit card. My credit card company offers fraud protection.

    Why should I have a 26-character long UTF-8 password that I'm never going to remember? It's about as useful as having a strong password on the hotmail account I use to sign up to websites. Huge pain in the ass, negligible benefit.

    My banking site, my PayPal account, my Canada Revenue Agency account - these are the places that I bother to use strong passwords. Elsewhere, I don't care that much.

    --

    It may look like I'm doing nothing, but I'm actively waiting for my problems to go away.
    --Scott Adams
    1. Re:Strong Password Necessity? by hackstraw · · Score: 1

      OK, PayPal and Canada Revenue Agency are not trustworthy and allow remote brute force password attacks.

      Please tell me which bank also allows this?

      Thanks.

    2. Re:Strong Password Necessity? by Anonymous Coward · · Score: 1

      Not to mention typing a complex 26 character password on a PS3 would take several minutes.

    3. Re:Strong Password Necessity? by Anonymous Coward · · Score: 0

      Actually localizing the password might be a good idea. If your password contains a bunch of CJK characters () and several German umlauts (ä ö ü), you wouldn't need to care about dictionary attacks. The password for my wifi connection is a long sentence written in a Chinese dialect. So unless those password crackers have a statistical natural language model which is good enough, hell with them.

      Besides being saved in plain text by the sony admins, the only problem with the localized passwords is that you can't input those special characters everywhere.

    4. Re:Strong Password Necessity? by Anonymous Coward · · Score: 0

      It all comes down to habits. I save all of my PWs into a secure Database, and often use the new password generator inside that software when I hit a new site!

      Do I need my hotmail password to look like swefui82g3r78g32 r23#@$?

      No.

      But, when I do sign up for some obscure service I'll need to check in with once every five years, being in the habit of generating a password, saving in my DB, and backing the DB up to a safe external drive is easier than trying to remember if I chose to use my generic apple$ux password, or made a special entry for it in said DB.

  30. Would you trust your "good" passwords to Sony? by leonbev · · Score: 1

    Knowing Sony's recent track record with system security, I wouldn't bother using one of my "good" passwords at one of their sites anyway. If there is a good chance that some hacker is going to get a hold of their password file and post it on the Internet, it might as well be "password" or "abc123". I sure as hell wouldn't use the same password that I use for my bank or my e-mail, anyway.

  31. Non-alphanumeric characters by lostdistance · · Score: 0

    I used to include non-alphanumeric characters in my passwords until the following incident occurred.

    I created a new account at some website. My randomly generated password consisted of alphanumeric and non-alphanumeric characters.

    Some time later I returned to login to the website. It rejected my password. I tried several times but with the same result.

    Then I looked at my password. One of the characters was a '#'. No, surely it can't be what I'm thinking. So I entered the password up to but not including the '#' character. Yes, password accepted; the stupid website had interpreted the '#' as the start of comment.

  32. It's all too much by Bardwick · · Score: 1

    I would like to see a poll on how many accounts people have. The mid to upper level geek will use a password management software, but for 90% of the sheep out there.... I can think of 14 accounts of credentials I have now. I've resorted to putting in some random password that meets the requirements, then hitting the "forgot password" whenever the cookie expires...

  33. Bye bye password by Anonymous Coward · · Score: 0

    With all these bad password practices obviously happening everywhere and the growing power of parallel processing (via GPUs), rainbow table lookups etc., it seems that standard username and password as authentication may be coming to an end. Anyone agree?

    1. Re:Bye bye password by WuphonsReach · · Score: 1

      It seems that standard username and password as authentication may be coming to an end. Anyone agree?

      It's dire, but not as dire as that.

      8 characters or less, with little to no complexity is truly dead (and has been for years).

      Longer passwords (10-15 characters), with complexity checks and not reusing passwords across sites is still fine for 90% of use cases. In 90% of those cases, you're not protecting anything of much value and an accidental exposure does not lead to loss of life or massive theft.

      Banks and financial institutions will have to either start enforcing minimum password lengths of 12-15 characters or add two-factor authentication soon. But even that is not perfect as many attackers simply do a MitM attack, capturing the credentials in transit and executing transactions that were not what the user wanted.

      The reason why longer passwords are still going to be fine is that every character you add to the password increases complexity by 40x to 80x. Add four letters to the average password and search difficulty increases by anywhere from 2.6 to 41 million times.

      The attacker will just shift more towards sniffing / spyware rather than brute-force.

      --
      Wolde you bothe eate your cake, and have your cake?
  34. Here's the Thing by wbav · · Score: 2

    Sit down and think of the number of sites/services/etc. that you access each week.

    Pretend for a second your browser doesn't remember a single one of them.

    I came up with 34 different sites. 34 different systems with their own rules, regulations and security questions. Some sites only allow alphanumeric, some require the alphabet to be limited to what shows up on a touch tone phone. Others require passwords to change every 30 days with no repeats for the last 5 passwords.

    At 9 characters a piece, that would be a string of 306 characters. Hell I'm lucky if I remember my wife's birthday and our anniversary. And those are much more important to me than my slashdot password.

    My point is, the current system is BS. Too many sites require logins so they can advertise to you. I don't want your ads, they go directly into the trash. I'd advocate for a single ID across these systems, but the issue is if that's violated everything goes to hell just as fast as if you had the same password for each site. So what to do? Reuse a password that is reasonably secure and risk it across multiple sites? Or do I follow perfect security and ensure no one can get in, including me?

    And don't get me started on security questions. If I can't remember the damn password, what hope do I have to remember the question I used?

    --

    =================
    Unix is very user friendly, it's just picky about who its friends are.
  35. The real security by wye43 · · Score: 1

    Any non retarded system will not allow more than a few login attempts. Any password longer than 3-4 characters doesn't offer any real protection, only psychological comfort.

    If someone got hold of the password hash, it's game over - doesn't matter if it's a week or 2 months to crack it.

    We need to get our collective heads out of the sand and triage the REAL security values!

    1. Re:The real security by WuphonsReach · · Score: 1

      If someone got hold of the password hash, it's game over - doesn't matter if it's a week or 2 months to crack it.

      We need to get our collective heads out of the sand and triage the REAL security values!


      All sane, opportunistic attackers operate under the principle of cost/benefit. Is it really worth 2 weeks of computer time to break a password of moderate strength? (12+ characters, reasonable complexity) Is it worth 2 months? Most attackers are going to give up after about an hour and go after the rest of the account hashes that were stolen. Why spend the extra time breaking into user X's account when they can get the same benefit by breaking into user Y's account (who used a weaker password)?

      So unless the attacker is insane or is specifically targeting your account, then no - it is not automatically "game over, man".

      (And in the case of a targeted attack - there are probably other avenues of attack being used. Such as physical intrusion, social engineering, spyware, etc.)

      --
      Wolde you bothe eate your cake, and have your cake?
  36. Mod parent up. by John+Hasler · · Score: 1

    Mod parent up.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  37. And when it comes to password I use on the interne by jader3rd · · Score: 1

    Lots of websites have different requirements, so you end up finding a password that fits most of them. Most websites can't agree on what a special character is, because each one will only support one or two. The reason is because some website admins are afraid of a SQL injection attack through the password box. The last time I felt the need to change one of my passwords, I had to try out the different websites I was going to use that password for, and come up with one that they all agreed on. Personally I think that all passwords should have a space character in them. That would result in users creating easy to remember phrases. I have yet to find a website which allows spaces in the passwords though.

  38. Why protect against brute force attacks? by Phurge · · Score: 1

    Excuse my ignorance, but why not have a system that locks you out after three attempts and sends an email to your previously verified email account?

    Why all this focus on "unguessable" passwords when it looks like if you have a powerful enough computer you can guess most in minutes?

    Ok perhaps banks & public utilities need all the crypto stuff, but Joe-sixpack? Surely there's a more elegant solution than getting people to remember unmemorable passwords (which leads to post-it note on the monitor syndrome anyway)

    --
    I'll see your hokum and raise you a boondoggle.
  39. "incremental" passwords by ironicsky · · Score: 1

    I use a sort of "incremental" password. My base password is 10+ characters containing letters/numbers/symbols where no character is used more than once. Using part of the website's URL, based on a pattern I've devised for myself, I take letters/symbols out of the URL and prepend them to my password. So if my base password was E21jd78&@qPm and the site was slashdot.org, my password for slashdot might end up being SshoTE21jd78&@qPm. This way I only have to memorize the base password, and use the URL to prompt myself as to what the rest of it should be, making every password for every website I use different. If the passwords are encrypted on each service no two hashes will ever be the same.

  40. Passwords are useless by Anonymous Coward · · Score: 0

    First, of the millions of Sony accounts how many people read technical blogs or news sites? How many are technically inclined? Let's even go high and say 10%. That still leaves the vast majority of people who are not tech inclined. It is people like my wife, my parents, my sister, most of my friends, etc. They use passwords that they can remember, period. No amount of me saying anything will stop it. Why? Because it becomes way too difficult to manage. Sure I can create some complex cipher and all that nonsense, but ultimately it makes no difference. Why? Because corporations spend zero dollars on security for online stuff. It is no big deal to them, it is not their inconvenience. You know what Sony is crying about? Lost profits from down time and having to give stuff away for free.

    I am sorry, but one of two things needs to happen or both:

    1. Allow victims of breaches to sue either individually or as a class action. If a corporation takes the data it is responsible for it. If it lost the data it is responsible for it. No more valet garbage where they are not responsible for personal property. If you do not want to be responsible for it, do not collect it. Contract with a 3rd party willing to take the risk and has proper insurance against threats.

    2. Regulate the collection and storage of personal information online. Force companies to reveal any and all breaches of the system (currently they do not have to let you know anything, which is why the hackers announce it so much). Force companies to abide by certain procedures and have the systems used for collection and storage of the data certified by a 3rd party.

    Either way, I think this would give rise to a more centralized personal information storage structure that overall has a higher level of security because it is forced to or suffer serious damages. Instead of your personal information being stored on hundreds of insecure sites, it is stored on a few more secured sites that are background to the front applications and if set up correctly far less accessible from simple URLs. Yes, this increases the cost of doing business in this space, but it is such a fail right now that it cannot be much worse. You can still have separate usernames and passwords for sites, but the name, phone, email, etc. are stored separately.

    Because I can guarantee you one thing. Anyone that I know that is not technical is not using something like LastPass, KeePass, or a cipher for their passwords. And getting the whole list is not their fault anyway, that is the fault of piss poor security from the company. Because guess what. With most sites even if someone logs in as me they cannot see my credit card number or social security number. So yeah, it can hurt me but I can cancel my card if it gets used to send goods to some strange place. When a database gets hacked, you are screwed. The difference is night and day.

  41. What does this actually tell us? by dannys42 · · Score: 1

    The first inclination we have is that all these users have really bad passwords. However, you're missing one key piece of data and that is what was the real hack rate? How many accounts were hacked/month, and was there any correlation between hacked accounts and password strength?

    If the correlation is low, then what it really tells us is that our standard "best practices" may not really be the "best" because maybe they're unnecessarily complicated.

    We don't have that data, so we really can't say much other than this is what people do.

    Given the fact that the account info was stolen, I think it's justifiable that people understand the level of importance of this sort of account (ie not really important at all)

  42. Not just the users by Anonymous Coward · · Score: 0

    I'll have to be fairly vague here for obvious reasons. I was trying to set up an online account with a credit union I just switched to and was getting weird errors. Turned out it did not like the non-alphanumeric characters in my password.

  43. Speaking to my personal habits by Anonymous Coward · · Score: 0

    Like I'd use a secure password for something as critical as PSN? It's a throwaway account with a throwaway password.

  44. Algorithmic Passwords by hipp5 · · Score: 1

    Since the Sony debacle I've switched to deciding my passwords algorithmically. I use a base password of six lower case digits that is the same for all websites. Then I use two capital letters that are related to the website in question (e.g. "SD" for slashdot) which I offset by a certain number of keys in a certain direction (e.g. SD might become "XC" if my offset is one key down, but it's not). Then I append a single number to the end (same in all cases). This gets me a nine digit password with mixed case alphanumerics that's easy to remember and is unique across the websites I use. Of course, if you know my algorithm and base it's easy to figure out my password for all sites. But my concern isn't really being singled out for my password specifically (if they want to do that I'm sure they can get it other ways), but rather being part of a large password theft like Sony's. I highly doubt a hacker who stole 75 million passwords is going to take the time to figure out that hipp5's passwords are algorithmically generated across websites.

  45. How many systems are being brute forced? by kjdrtgxf · · Score: 1

    I have seen no data here or elsewhere that suggests blackhats are brute forcing [my] accounts. Although outside of my area of knowledge I would have thought that blocking more than 5-10 attempts for a login in a [second, minute, hour, day, month] would dramatically impact the effectiveness of brute forcing. All the news coverage on password weakness seems to be sourced from the security failure of the vendor rather than individual user.

    1. Re:How many systems are being brute forced? by An+ominous+Cow+art · · Score: 1

      Yeah, that's what a lot of the posts here are missing. A reasonably hard-to-guess password of moderate complexity is fine as long as login attempts are detected and the user notified.

      What the article is about, though, is using GPUs to quickly generate hashes of passwords. For that to be useful, the bad guys have to have obtained a copy of the hashed passwords to compare against. It's only useful against a site that's been compromised to some extent. There's nothing the user can do to prevent that. Best thing is to simply not re-use passwords across different sites.
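Both the parent and this reply put the weight on attempt throttling and notification rather than on password complexity. As an added example (not code from either poster, from Sony or from any site named in the thread), here is the detection side of that idea: a sliding-window counter over constructed login audit lines that locks an account once it exceeds five failures in sixty seconds and reports any attempt that arrives during the lockout. The log format, the field names and the five-per-minute policy are assumptions.

```python
"""Sliding-window lockout detection over login audit records.

Added example for this discussion; it is not code from any poster or from
Sony/PSN. The log format, field names and the 'more than 5 failures in
60 seconds' policy are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                  # assumption: failure budget per window
WINDOW = timedelta(seconds=60)    # assumption: trailing window length

# Constructed sample log (not a real capture): one source hammers 'alice',
# 'carol' mistypes twice and then logs in, 'bob' logs in cleanly.
SAMPLE_LOG = """\
2011-06-03T10:00:01 user=alice result=fail ip=203.0.113.5
2011-06-03T10:00:02 user=alice result=fail ip=203.0.113.5
2011-06-03T10:00:03 user=bob result=ok ip=198.51.100.7
2011-06-03T10:00:04 user=alice result=fail ip=203.0.113.5
2011-06-03T10:00:05 user=alice result=fail ip=203.0.113.5
2011-06-03T10:00:06 user=alice result=fail ip=203.0.113.5
2011-06-03T10:00:07 user=alice result=fail ip=203.0.113.5
2011-06-03T10:00:08 user=alice result=fail ip=203.0.113.5
2011-06-03T10:02:30 user=carol result=fail ip=192.0.2.9
2011-06-03T10:05:00 user=carol result=fail ip=192.0.2.9
2011-06-03T10:05:01 user=carol result=ok ip=192.0.2.9
"""


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")
    return rec


def detect_lockouts(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return (user, timestamp, kind) events in log order.

    kind is 'lockout' when an account exceeds max_failures failures inside
    the trailing window, and 'blocked' for any attempt that arrives while the
    account is still locked. A successful login resets the failure counter,
    so a legitimate user who stumbles a few times is not penalised later.
    """
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    locked_until = {}             # user -> end of the lockout period
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        if user in locked_until and ts < locked_until[user]:
            events.append((user, ts, "blocked"))
            continue
        if rec["result"] != "fail":
            recent[user].clear()
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) > max_failures:
            locked_until[user] = ts + window
            q.clear()
            events.append((user, ts, "lockout"))
    return events


def failure_rate_per_minute(log_text):
    """Overall failed-login rate across the log: a coarse signal that someone
    is spraying guesses even when no single account trips the lockout."""
    recs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    if len(recs) < 2:
        return 0.0
    span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds() / 60 or 1
    return sum(r["result"] == "fail" for r in recs) / span


if __name__ == "__main__":
    for user, ts, kind in detect_lockouts(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {kind}")
    print(f"failures/minute over the sample: {failure_rate_per_minute(SAMPLE_LOG):.1f}")
```

The per-account deque keeps at most `max_failures + 1` timestamps, so memory stays bounded however long the log is; the site-wide rate is the complementary check, since an attacker who spreads guesses across many accounts never exceeds a per-account threshold.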

  46. Playstation and typing? by tsager · · Score: 1

    Typing text on the Playstation is a horror.

    "Up, Up, Down, Down, Left, Right, Left, Right, B, A, Start"
    THAT would be a password!

  47. strong password not really necessary by tjaldprd · · Score: 1

    Until black hats devote a great chunk of their time to cracking random Joe's videogame/email passwords to the point of it becoming a real threat, not only a potential one, I don't see any problem with that. Usual Slashdot bad analogy: there's always a strong real potential risk of us being hit by a comet, but until that becomes a clear short-term inevitable threat (like someone finding an object on a collision course), we humans won't take any real actions to defend ourselves against it. The very definition of a PARANOID is someone who takes measures to protect oneself against a very unlikely scenario. Hope no one gains root access to my machine and gets a hold of my porn stash just by this post :)

  48. The Password Problem by InsertCleverUsername · · Score: 1

    The real problem with passwords is that there's so damned many of them. It's a little exasperating to me that in the 21st century we're still managing security and authentication the same flawed, stupid way. All the idiot users in the world and the hapless tech support people resetting their passwords would cry tears of joy if we could just change to a standardized approach. What I'd really like is something like this:

    1) Everybody pick a trusted authentication provider (the Google, Facebook, Verisign, your bank, etc.)
    2) Have that trusted authenticator sell you a cheap USB dongle (a cell phone-based app might work too) with a shifting, unique code synced to their auth. server
    3) Enter your master password then plug in the dongle (or enter a "code of the moment" displayed on an LCD display on the side of the dongle) and you're automagically authenticated to all participating sites using that federated security system.

    Hell... I'd just be happy if all sites would let you have at least 20 characters, with no moronic restrictions on special characters.

    --
    Ask me about my sig!

    1. Re:The Password Problem by DeusExInfernus · · Score: 0

      ...with no moronic restrictions on special characters.

      Special character restriction is a cheap and easy way to sanitize input.

  49. Don't read too much into it by matunos · · Score: 1

    I wouldn't read too much into people's bad password habits on a site that didn't collect any sensitive personal data. Sharing passwords across sites would be more of a problem as it may lead to inadvertently revealing a password to another site that does have more importance; or losing access to a bunch of individually unimportant accounts may be more traumatic.

  50. Security is only as strong as the weakest point. by JustAnotherIdiot · · Score: 1

    It doesn't matter if your password is a single letter or a giant randomized hex string; if the service stores their passwords in a plain text file people can get into, your password is lost either way.

    --
    What do I know, I'm just an idiot, right?

  61. Best password in the world does not... by Anonymous Coward · · Score: 0

    Number of times my account has been compromised by someone brute forcing or social engineering my "simple" password: 0
    Number of times my account has been compromised by someone stealing information from the company that holds the accounts: 4

    Why put that work into one password when you can just take all of them instead?

    1. Re:Best password in the world does not... by Nadaka · · Score: 1

      This is how you take a stolen hashed password and retrieve the real password from it.

      It is the third step in the process.

      1: steal the passwords.

      2: If they are hashed, apply a rainbow table and you can crack the weakest and most common passwords.

      3: If you want to put in the effort, you do a brute force attack against every possible password for each password you still want to crack.

  52. Gawker and Sony passwords don't matter by Anonymous Coward · · Score: 0

    I have around 80 passwords at websites where I would rather not have to use any password at all. For example, Gawker. I couldn't care less if the whole world knew all of these passwords, which protect the sites from spam, but serve no purpose for me.

    I have only a few passwords that I do care about. They are strong and unique.

  53. I don't even know anymore... by DeusExInfernus · · Score: 0

    That means that based on the 3.3 billion passwords/second that was said in a previous article about password cracking (with the HD5770) you can crack 82% of this article's passwords in under ~8.6 hours. WTF?!? The math: ( (36 ^ 9) / (3.3 * 10^9) ) / (60*60) = 8,5488179013818181818181818181818 hours

  54. What were you really expecting? by Liquidretro · · Score: 1

    Of course the passwords will be simple; most people set up their accounts on the system with the controller. They just wanted to get past the screens to play with their new system, so they wanted something really simple that they could forget. If they ever needed to actually get in they could just reset it, in theory. They could have used a strong password but we know people don't do that.

  55. my password by Anonymous Coward · · Score: 0

    ;SELECT * FROM USERS

  56. Security Through Obscurity by dead_user · · Score: 1

    Hehe, I have a friend of mine that wrote her PIN number on the ATM at her bank.

  57. Complex passwords by Anonymous Coward · · Score: 0

    At one site the requirement was a 15 character password (no more and no less) - a mix of upper and lower case, numbers and special characters with no 'real' words used in any part of the password. And you could not repeat the last 100 passwords and they had to be significantly different from the previous ones (no similar sounding characters in the same spots). Finally, updated at least every 30 days and a mandatory change if the account had not been used for two weeks. Account locks on the 2nd failed attempt. The password could not be written down in a visible area.

    Lift up everyone's keyboard and guess what you'd find.

  58. M¥ p4$$w0rÐ$ 4r3 h4rÐ0n by somejeff · · Score: 1

    1 wr173 m¥ p4$$w0rÐ$ 1n p£41n 73x7 4nÐ 1 h4v3 n3v3r h4Ð 4n¥ pr0b£3m$!

  59. wtf??? by advocate_one · · Score: 1

    99% of passwords don't contain a single non-alphanumeric character.

    that's pretty much a given considering the vast majority of password storing and retrieval systems out there barf when you give them a non-alphanumeric character...

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.

  60. Re:writing down password by DocSavage64109 · · Score: 1

    Just subtly change one character in your written passwords, and even someone who has your list wouldn't be able to use it.

  61. Just write down part of the password by Anonymous Coward · · Score: 1

    Just write down part of the password. Personally, I have all passwords in a text file but just their "2nd half". The first half is the same for all, and I have it memorized. This way, I can make the "2nd half" as random as the site allows me, and if one password gets compromised, it only affects one site and they would have to get into my computer to get to my (disk encrypted) text file with the passwords. I can back up my "password file" online and it still can't be used without knowing my system.

  62. Garbage Sites, Garbage Passwords by slyborg · · Score: 1

    It's interesting that all of these "onoes errybody using the same password errywhere" stories fail to point out that the junk logins required by almost every site for the purpose of collecting ad demo data essentially feed weak passwords to black hats. This has trained many people to use the same password everywhere, since no sane person will maintain and memorize separate passwords for dozens of sites, many of which they may just utilize for entertainment. Combined with the weak security even major players (c.f. Sony) have been shown to use, this is now a bottomless cornucopia of id theft data.
    Since it's well known that a large proportion of user demo data entered along with these logins is also junk, the smart guys use bugs and IP tracking, and profiling of various kinds to collect this data now anyway, so it's not even useful to have local logins for that purpose. It's time for sites to Just Say NO To Junk Logins...

  63. A more accurate way of putting it... by Anonymous Coward · · Score: 0

    Here's a more accurate description of the stats:

    "36% of SonyPictures.com passwords appear in a common password dictionary. 50% of SonyPictures.com passwords are 7 characters or less. 67% of accounts on both Sony and Gawker use the same password. 82% of SonyPictures.com passwords are lowercase alphanumeric of 9 characters or less. 99% of SonyPictures.com passwords don't contain a single non-alphanumeric character"

    So we have some statistics on password practices for worthless unimportant websites. That's mildly useful. What about for important ones, like their bank? Well, it's a bit of a paradox, because those important sites are likely to not have the shitty security required to get the password data.

  64. Credit card number is not important ... by perpenso · · Score: 1

    I guess credit card data is not important to protect

    For some people the credit card number that Sony has is not important. It is a temporary alias for the real card number. This alias, issued by the bank's online services upon user request, has a user-defined expiration, has a user-defined limit, and it *locks* to the first company that makes a charge on it.

  65. long padded passwords by Anonymous Coward · · Score: 0

    Just make your password something like this: D0g.....................

    http://www.grc.com/haystack.htm

  66. You think that's bad by phorm · · Score: 1

    Try bank passwords. Of two banks I know, the passwords CANNOT have non-alphanumeric characters, and require passwords be 5-8 characters long...

  67. welcome to 2000 by Tom · · Score: 1

    You're 10 years or so behind.

    These nice metrics that are still being thrown around by your so-called security consultants are bullshit. They are from times where brute-force and dictionary attacks were your problem. That's not half as much true today as it used to be. In fact, not only has technology changed, security has matured quite a bit as well.
    The main password I use for many sites online is 8 characters, all lower-case letters. Why? Because not even a security expert seriously remembers kCw]^7qwKR+3 - whoever came up with the idea of telling non-tech people to use passwords like that should move out of the basement and meet the real world.

    So-called "hard" passwords are mostly one thing: Hard to remember. And hard to remember means you need more password resets, which leads to these "security questions" that are a bigger risk than a weak password. I mean, finding out your mother's maiden name or your first car or the name of your dog is two hours of work tops for anyone who is actually interested in getting access to your account. And the mass-hacks of today don't go via brute-forcing anymore, they grab your password from some database, so it matters little if it's "12345" or something like the above.
    But hard to remember also means written down more often. Either physically, which means one visit to your desk and I have your password(s) or electronically which means if I guess your master password (if you even set one) I have all of your access credentials.

    I'm sorry to say it that harshly, but stuff like "x% of the passwords don't satisfy this totally arbitrary metric" is meaningless. If you want to do serious security instead of security theatre and consulting, get some actual studies done. Get the numbers on how many accounts with 6-letter passwords are being compromised compared to accounts with 8-characters-at-least-two-numbers-or-special-chars. Then we can talk. If you're still interested, because my 15 years of experience tell me you won't find that the weaker passwords are half as much a problem as you think they are. It's one of those "quick-wins" that consultants come up with when you pay them a lot of money to improve your security. You know, doesn't require much effort, sounds reasonable, is something the client can personally relate to because even the CTO/CIO/CEO uses passwords, etc.

    --
    Assorted stuff I do sometimes: Lemuria.org

    1. Re:welcome to 2000 by RockDoctor · · Score: 1

      While your example "kCw]^7qwKR+3" would pass most complexity tests, so would "con9ass%dom8hole7", which is a combination of syllables of my wallet contents, where I keep my wallet, and a few numbers and a special character. Methods of constructing usable passwords while avoiding the easiest-to-bruteforce errors don't necessarily result in "character salad", and can be reasonably memorable. If you access your work's bank details from the office, then your mnemonics shouldn't be in your living room; similarly, your domestic banking password mnemonics probably shouldn't be located in the toilet at work.

      Most of the task is dedicated to avoiding dictionary attacks. Then you increase the symbol base. And you want a minimal length of password. These rules do not dictate "character salad" (though they do allow it).

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"

  68. Read the parent again by krischik · · Score: 1

    By my estimation in >90% of cases it will be the very first character which is caps, the rest lower and 12 numbers at the end. Pretty simple algorithm for a code cracker to implement. Thinking of it: forcing numbers actually makes it easier to crack a password as they are mostly added to the end.
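Several posts in this thread reason about search-space size: comment 53 divides 36^9 by a quoted 3.3 billion guesses/second, comment 65 argues that a long padded string beats a short complex one, and the post above points out that "capital first, digits last" is a much smaller space than the 62-symbol alphabet it nominally uses. The added example below (not code from any poster, and not the analysis the summary describes) puts those estimates in one place and also reproduces the headline categories (7 chars or less, lowercase alphanumeric of 9 or less, no special characters) over a constructed password list. The 3.3e9/s rate is taken from comment 53 and assumes a fast unsalted hash on one GPU; every sample password is constructed.

```python
"""Keyspace and exhaustive-search cost estimates for password shapes from this thread.

Added example, not code from any poster. RATE is the 3.3 billion
guesses/second single-GPU figure quoted in comment 53 and assumes a fast
unsalted digest; a salted slow hash (bcrypt, PBKDF2) lowers it by orders of
magnitude. The sample password list is constructed, not from the Sony data.
"""
import string
from math import log2

RATE = 3.3e9  # guesses per second (assumption: fast unsalted hash, one GPU)
LOWER_ALNUM = set(string.ascii_lowercase + string.digits)
ALNUM = set(string.ascii_letters + string.digits)

# Constructed sample; not from the Sony data.
SAMPLE_PASSWORDS = ["password", "abc123", "Tr0ub4dor&3",
                    "kCw]^7qwKR+3", "123456", "sunshine1"]


def alphabet_size(pw):
    """Smallest conventional alphabet that contains every character of pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c not in ALNUM for c in pw):
        size += 33   # printable ASCII punctuation and space
    return size


def keyspace(alphabet, length):
    return alphabet ** length


def hours_to_exhaust(space, rate=RATE):
    """Worst-case time to try every candidate in the space at the given rate."""
    return space / rate / 3600


def shaped_keyspace(n_letters, n_digits):
    """Space of 'one capital, then lowercase, then digits at the end', the shape
    comment 68 says complexity rules tend to produce. Far smaller than treating
    the whole string as drawn uniformly from a 62-symbol alphabet."""
    return 26 * 26 ** (n_letters - 1) * 10 ** n_digits


def summarize(passwords):
    """Fraction of the list falling into the headline statistics' categories."""
    n = len(passwords)
    return {
        "7_chars_or_less": sum(len(p) <= 7 for p in passwords) / n,
        "lower_alnum_9_or_less": sum(len(p) <= 9 and set(p) <= LOWER_ALNUM
                                     for p in passwords) / n,
        "no_special_chars": sum(set(p) <= ALNUM for p in passwords) / n,
    }


def report(passwords=SAMPLE_PASSWORDS):
    """(password, alphabet, bits, hours) for each sample plus the padded
    'D0g.....' style string from comment 65. The bits figure treats every
    character as an independent uniform draw, so it overstates the strength
    of predictable padding; it shows only that length dominates alphabet."""
    rows = []
    for pw in passwords + ["D0g" + "." * 21]:
        space = keyspace(alphabet_size(pw), len(pw))
        rows.append((pw, alphabet_size(pw), round(log2(space), 1),
                     hours_to_exhaust(space)))
    return rows


if __name__ == "__main__":
    print(f"36^9 at {RATE:.1e}/s: {hours_to_exhaust(keyspace(36, 9)):.2f} h")
    print(f"Cap+6 lower+2 digits: {shaped_keyspace(7, 2):.2e} candidates "
          f"vs 62^9 = {keyspace(62, 9):.2e}")
    for pw, alpha, bits, hours in report():
        print(f"{pw:26} alphabet={alpha:3} bits={bits:6} hours={hours:.3g}")
    print(summarize(SAMPLE_PASSWORDS))
```

Run as a script it reproduces the 8.55-hour figure from comment 53 and shows the shaped nine-character space from the post above at roughly four orders of magnitude below 62^9; the `summarize` output is the same kind of breakdown the summary's percentages come from, computed here over the constructed list only.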