A Brief Sony Password Analysis

troyhunt writes "With all this [Sony] customer data now unfortunately out there for public viewing, I thought it would be interesting to do some analysis on password practices. There are some rather alarming (although not entirely surprising) findings including: 36% of passwords appear in a common password dictionary. 50% of passwords are 7 characters or less. 67% of accounts on both Sony and Gawker use the same password. 82% of passwords are lowercase alphanumeric of 9 characters or less. 99% of passwords don't contain a single non-alphanumeric character."

Is Sony now in the banking business?

Who cares? I don't waste good passwords on trivial online services.

Know what's important to protect and create passwords appropriately.

Re:Is Sony now in the banking business?

[j00r0m4nc3r]

I guess credit card data is not important to protect

Re:Is Sony now in the banking business?

[somersault]

Bah! I don't waste good passwords on trivial things like money!

Re:Is Sony now in the banking business?

[Big+Smirk]

If Sony had my credit card info, then that would make sense. They don't and based on recent history they are either not good enough at security, or too lucrative of a target, so they won't get identifiable information.

Quite frankly, I don't even know the user name I used.

Its just a game console to me

Re:Is Sony now in the banking business?

This case underlines the futility of long passwords. Everyone's data was exposed no matter how strong they were.

It does however underline the importance of compartmentalisation. Don't reuse passwords between sites.

Re:Is Sony now in the banking business?

My /. account named Anonymous Coward is priceless, so it gets a special 30-character password.

Re:Is Sony now in the banking business?

[jhoegl]

OP point is valid.
The only reason people know your Sony password isnt because your account at Sony was brute forced.
Its because Sony is lackadaisical in their patching and security efforts.
Seriously, no one brute forces anymore unless it is against an offline database that they downloaded from the site in question.

Re:Is Sony now in the banking business?

[sangreal66]

You're not even liable for $50 if your credit card number is stolen. That number is the maximum liability if your physical card is stolen (and you report it such). You cannot be held liable for anything if the card remains in your possession. This is regulated in federal law (FCBA) and not subject to bank policies.

So no, it isn't that important for you to protect. That is a problem between the vendor and the bank.

Re:Is Sony now in the banking business?

[JustOK]

That's the same as I have for my luggage.

Re:Is Sony now in the banking business?

[dgatwood]

My Facebook account got brute forced just a few months ago. It still happens.

Re:Is Sony now in the banking business?

[Lumpy]

Only a fool gives their credit card to everything.

MY Xbox live account is a simple password. and I'm not dumb enough to give them my credit card. I use their prepaid cards to keep their fingers out of my finances.

Re:Is Sony now in the banking business?

[BrokenHalo]

As a matter of interest, how can you be sure it was brute-forced rather than subjected to some other form of cracking, e.g. via dodgy cookies or some form of compromised admin access? I don't have (or want) a facebook account, so I haven't heard whether or not facebook offers history of failed logins to users.

Re:Is Sony now in the banking business?

[medoc]

Long passwords are still useful if the supplier behaves responsibly (ssl connection + salted hash storage only).

Re:Is Sony now in the banking business?

[Anubis+IV]

Exactly. I use 1Password to generate and store all of my passwords, and apparently I fell into the 1% that used a non-alphanumeric character in their password. Mine was a 16-character password that mixed caps, numbers, and symbols, and it was unique to PSN, so I've had pretty decent peace of mind when it comes to my password.

Unfortunately, I lacked the forethought to not keep my credit card information on file with them. :/

Re:Is Sony now in the banking business?

[dgatwood]

I seldom use Facebook anywhere other than on my own home network, my company's network, or a cellular network (none of which are very likely to result in cookie attacks). It's certainly possible that it was attacked in some other way, but the likelihood of that is fairly low.

Re:Is Sony now in the banking business?

Well, it depends. It IS important to protect if you use the number for anything and value your time. For example, if you use the card for say monthly cable service billing, maybe TiVo billing, NetFlix account, etc. it gets pretty annoying to have to remember each place you used it and update them all appropriately when you get issued a new number. If you forget one or two of the places you use it you get declined and possibly canceled service. Very annoying and makes it worth it for me to protect my numbers. Your mileage may vary of course.

Re:Is Sony now in the banking business?

[medoc]

We're talking about a case where supplier storage is compromised here (if I got the sony case right). So this is not about trying to log in but about breaking the hash. See:
  http://it.slashdot.org/story/11/06/05/2028256/Cheap-GPUs-Rendering-Strong-Passwords-Useless

Re:Is Sony now in the banking business?

[Kelbear]

Instead of memorizing passwords for everything I log into, I just memorize 1 process for every site.

For example, if I just translate every other letter into it's numbered position in the alphabet, and capitalize on the 3rd letter. Extend the length as needed with the alphabet if the site has a short name. This way you'd have a reasonably strong and individualized password for every site that won't be hard to remember since I repeat it on each site.

Obviously, this isn't the actual process I use, but it's just one way it could be done.

Re:Is Sony now in the banking business?

[obarel]

How do you buy the prepaid cards? Cash only?

Re:Is Sony now in the banking business?

[tycoex]

Why does it matter? If someone bought a prepaid card with their credit card and Gamestop, how would knowing that person's X-box live password get them access to their credit card info?

Re:Is Sony now in the banking business?

[Golddess]

it gets pretty annoying to have to remember each place you used it and update them all appropriately when you get issued a new number.

If things worked like they should, you'd need to update all those places roughly every other year anyway when your CCV code and expiration date change. Instead, you've got places that don't even bother asking for the CCV (if they don't need it, why do others?) and that will never once complain about how the expiration date on file is 5+ years expired.

Re:Is Sony now in the banking business?

[memyselfandeye]

I seldom use Facebook anywhere other than on my own home network, my company's network, or a cellular network (none of which are very likely to result in cookie attacks). It's certainly possible that it was attacked in some other way, but the likelihood of that is fairly low.

Then it would still be a problem with the application, FB in this case. Even a 15 minute x5 attempt cool down would prevent the brute force of all but the most trivial of passwords such as - 1234, password, qwerty, "insert last name here". With such a scheme and a "poor" password of low entropy, say a dictionary word and number combination of 5-9 characters, apple6174 it would take E5 years to brute force on average. If you used that password with 1000 different applications, it would still take 273 years no matter how fast your computer is.

Passwords are useless if the application security is poor. It's no different than having a RSA keycard and sign-out out process enforced by security guys who like to take naps. That's why I hate those password strength tools on signup pages. It's better than security by obscurity, but it still obfuscates the fact that a dumb password should still be protected by the application... period!

Re:Is Sony now in the banking business?

[Idbar]

I guess credit data shouldn't be stored in systems that do not comply with PCI standards. Moreover, most of the sites I visit (and I do shopping from), never reveal my credit card information, even to me. Why should be any different for Sony or any other company?

There's clear regulation on PCI standards and PNPI that should/shouldn't be stored in their systems. If they are not complying with such, they shouldn't be in the business.

In any case, I never provide my credit card number to companies until they have shown to have some respect for my information. I use virtual credit card numbers, and also, don't waste my good passwords with them.

Re:Is Sony now in the banking business?

[Rob+Kaper]

I guess credit card data is not important to protect

It isn't, really.

All creditcard companies take full risk and let you contest any charge for free*. Both reconfirmed this to me, Amex even discouraged me to replace my card with them because they have monitored zero abuse or strange behaviour so far (CCV numbers were NOT on file IIRC) and do not see the need for immediate action.

This won't cost me a dime and even in the case of fraud minimal time to sort out and from experience I know any necessary replacement card will arrive within five business days. The biggest risk here is for merchants who deliver services or ship physical goods to non-billing addresses as they might actually lose labour or assets.

Also, weak-password end-users are blameless here. My relatively weak 6-digit numerical password was apparently good to never have abused me in any way I've ever been able to notice. Fact remains, not our passwords were compromised, it was a system with 77 million PSN accounts. I do use much stronger passwords for other services, but in reality a weak password is an overrated risk. Common breaches are exploits and "Facebook rapes". Also, barely anyone cares about your personal passwords. Corporate ones are valuable. Consumer ones, not so much (again *).

* At least here in the Netherlands. YMMV, I'm aware that consumer protection might be worse than ours in other parts of the world.

Re:Is Sony now in the banking business?

[obarel]

The point is that you give your card to various people. I'm not sure there's more danger in giving your card to a website than giving your card to Gamestop. Both are using some database, both have employees that would like to cause harm to the business for one reason or another, and both are exposed to other risks (TK Maxx lost details and credit card numbers of customers who shopped in physical shops).

At one point Sony would not let me add credit to my PSN account (yes, I'm one of them), so I bought a gift card online and used it to buy a game. If you asked me a year ago which of them was more likely to lose my details, I would not have said Sony.

I'd like to get a pre-paid credit card to use for online shopping, and top it up occasionally. But who's telling me that the prepaid card company would not be hacked? I'm sure Nintendo have heard of Sony, and yet they were also hacked.

Life is a risky business. We try to minimise the risk, but it doesn't always work. Even if you did say "cash only", there are still enough scams to get people's PINs, and even fake money is not unheard of (I get the occasional forged coin as change).

Re:Is Sony now in the banking business?

[Rob+Kaper]

It doesn't (or better, I'm unaware of it) but it does catch successful logins from unlikely places, which must have eventually happened. It happened to me when I was at a friend's house in Norway. I believe I had to provide extra credentials and I was notified (I think by e-mail) that someone had logged in from Trondheim. Not sure about the details (some of it could have been a trial for Places). Then again, nothing special happened from a Fon hotspot on Madeira (Portugese island), nor from my new work, so I'm not sure it's still in place.

Still, most Facebook breaches seem to be "fb rape"s done when someone isn't paying attention to their logged in account, not brute force attacks. The question here is: what kind of people does GP associate with that anyone even cares enough to abuse his account? It's a non-issue for most.

Re:Is Sony now in the banking business?

[Rob+Kaper]

Only a fool gives their credit card to everything.

A creditcard is supposed to be shared with merchants, such as Sony or Microsoft.

Re:Is Sony now in the banking business?

[Rob+Kaper]

Unless your creditcard is abused there is no unfortunate consequence to having shared it. Even if you get it replaced, the effort of updating information as needed (you'll still share it with merchants, won't you?) is trivial.

Re:Is Sony now in the banking business?

[hedwards]

I've found that using non-alphanumeric characters in password fields to be problematic. The main reason being that a lot of sites won't let you use them and that it gets to be a real pain in the ass to fill them in at times. On top of which a lot of companies fail miserably at validating the password fields when they're being entered initially.

In other words, if companies weren't so incompetent when it comes to passwords then we could insist that users enter stronger passwords, as it stands now, if you go for really strong passwords, you're just asking for trouble.

Re:Is Sony now in the banking business?

[wwfarch]

Most credit card companies work such that if a credit card is used fraudulently the merchant will lose their money. Many use the CCV code to help validate the card online. If they don't require a CCV code then somebody could more easily use the card fraudulently which would leave the merchant liable. Essentially some merchants don't require it because they're unaware of this or don't think it's worth the implementation cost.

Re:Is Sony now in the banking business?

[dgatwood]

Even a 15 minute x5 attempt cool down would prevent the brute force of all but the most trivial of passwords such as - 1234, password, qwerty, "insert last name here".

Not when you have a botnet of several million machines, each one trying to gain access to the account. The only way you can prevent a distributed password guessing attack is to block accounts after a number of failed guesses. However, this would also result in locking legitimate users out of their accounts.

Re:Is Sony now in the banking business?

[Creepy]

Personally I rarely use non-alphanumerics in 8 character passwords - why? Because that is not much better than 7 chars if you try and brute force it, and if I were brute forcing it, I'd guess ! as the last char because I've seen far too many people do it (I do not). Many of my passwords are more than 8 chars though.

As for Sony, I'm in the 1% that used a capital, punctuation, and 8 chars, but also thanks to Sony, my (several years old) password is now 12 chars long and a random string (it is, incidentally, the same as another password I use, but if you breach my work and my work password you can get to the VMWare images I use it on... good luck with that because you also need to figure out the user that password goes with.

Re:Is Sony now in the banking business?

[memyselfandeye]

Isn't that the whole point though? I mean, I would think that sometime between the start of the attack and one-hundred thousand years later a Facebook admin might realize there is an attack on this account and take appropriate measures. And a botnet will not matter, 5 attempts every 15 minutes is 5 attempts every 15 minutes. Sure, a lot of computers can come up with a lot of answers to the question 'what is the password for account XYZ,' but the computer asking the question will only allow 5 answers every 5 minutes. It doesn't matter if there are a billion guesses from a billion people... for 15 minutes there can be only 5.

Thus, it doesn't matter if it comes from the same computer every time over a period of 10E5 years, or a different computer every time. A modern computer is quite capable of making 5 guesses in 15 minutes, but a trillion computers can't make more than 5 guesses in 15 minutes under this scheme. The only thing that many computers could do would be a DDOS attack against the application gateway/server... and will also bring down service for everyone and not just the account being attacked. (I suppose that many machines could make 'better' guesses, but that is beyond the scope of this argument as even minimum entropy with ideal conditions would still be decades to brute force)

Heck, under this scheme, a single modern high performance CPU would be more than enough to try and attack all 300 million Facebook accounts with maximum efficiency it would still take an average of 10E5 years though (1.5billion guesses every 15 minutes is way less than the 3 billion guesses for a Westome@3GHZ using Base64 encoded SHA1 hashes, for example) And that number will only go up once chips have build in SHA instructions, but it still won't make the net effect any faster.

The lesson here - sanitize your SQL, keep the DB away from the web-server, and for God's sake make sure the application has a modicum of preventative circuit breakers and you will stop a majority of script kiddies.

Re:Is Sony now in the banking business?

[Anubis+IV]

Sharing with merchants is a bit different, since they don't keep it on file. And if we take the attitude that there's no problem unless harm comes of an action, then there would be very little point in any sort of preventative measure at all. After all, we could take your arguments and apply all of them to passwords as well.

Re:Is Sony now in the banking business?

[dgatwood]

It doesn't matter if there are a billion guesses from a billion people... for 15 minutes there can be only 5.

My point was that nobody implements password handling like this because that creates a trivial avenue for denial of service for the account. All I'd have to do is have a botnet of one computer trying five passwords every 15 minutes, and you would never be able to log into your account ever again. I don't need to know your password at all to permanently deny you the use of your account. I need only to learn your username.

Instead, what everyone actually implements in practice is five attempts per 15 minutes per account per IP. So if you have ten million distinct IPs, you have fifty million password attempts per account every 15 minutes, 200 million attempts per account per hour, 4.8 billion attempts per account per day. That's 1.44 trillion total attempts per day, assuming the computers and networks are fast enough to handle this.

The smarter companies implement a limit per IP per unit of time as well, which tends to lower that number considerably.

Now to be fair, what's more common (and what probably got my account) are dictionary attacks and variations on dictionary attacks (common word + a number, substitution of common letters, etc.) rather than true brute force attacks. In my mind, though, I consider brute force attacks and dictionary attacks to be the same thing; the only real difference is the algorithm used for choosing which passwords to try first.

Re:Is Sony now in the banking business?

[sxeraverx]

This case underlines the necessity of one-way salting and hashing passwords, even server-side, before ever storing them. If the passwords were hashed properly, they couldn't feasibly be reused on other sites.

Re:Is Sony now in the banking business?

[somersault]

I think the simplest answer here was that it was someone playing around with Firesheep on your company network after hearing about it on the news. I switched to HTTPS FB sessions after hearing about that.

Technically I already knew of the issue I suppose, but most of the people I work with wouldn't even know what a cookie was, let alone that you can steal sessions with one. The big fuss made about Firesheep means that pretty much anyone can do it now though. I was wondering about running it myself just to see what kind of stuff pops up on our own network.

Re:Is Sony now in the banking business?

[somersault]

For me it doesn't register new locations, but it does register new devices, or fresh OS installs.

Yep, I really think it would have been someone he knows using Firesheep to steal a session cookie.

not surprising

it's a pretty big PITA to enter a secure password, or any complex non-alphanumeric mix of characters using an on-screen keyboard.

Re:not surprising

[chemicaldave]

it's a pretty big PITA to enter a secure password, or any complex non-alphanumeric mix of characters using an on-screen keyboard.

No, it's really not, especially when you consider that the PS3 will store the password. You should only have to enter it a few times over the lifetime of the unit, and even then, entering some non-alphanumeric chars doesn't make it any more difficult.

Re:not surprising

[Darfeld]

It's not difficult, it's annoying. And if you don't type it often, you'll forget it. And if you do type it often, it's even more annoying. And if you write the pwd down, it will be lost/stolen anyway...

Re:not surprising

This data is SonyPictures.com not PSN.

Re:not surprising

[Gravatron]

I use a USB keyboard on my ps3. Helpful for chat, netflix, and password entry.

Re:not surprising

[swv3752]

Yeah, I have a wireless mouse keyboard combo from my old MythTV box that I use for the PS3.

Re:not surprising

[John+Hasler]

> And if you write the pwd down, it will be lost/stolen anyway...

Only if you are a fool, in which all is lost anyway.

Re:not surprising

[WuphonsReach]

And if you write the pwd down, it will be lost/stolen anyway...

Do you also leave your wallet, credit-cards or money laying around so that they get lost/stolen all the time?

Writing the password down is fine, as long as it gets stored in a safe place (safe deposit box, home safe, sealed envelope, even tucked in a wallet). The weakness is not that the password is written down, it's that it is not kept secure against the eyes of others. Like putting it on a sticky note attached to the monitor/keyboard.

Re:not surprising

[MareLooke]

KeePassX helps with that. But it obviously doens't help with companies spilling their pwd databases...

Re:not surprising

[GIL_Dude]

Exactly. Also some basic, much maligned but still useful, security by obscurity can be used. For example, if you have trouble remembering your ATM PIN, simply put a piece of paper in your wallet with a couple of "phone numbers" on it (for example one would be "Adam - 722-1416" where 1416 is your PIN.) Simple mnemonic - Adam - ATOM - ATM... Simple thieves won't get your PIN from that, but you certainly can remember it. Passwords can be done in a similar fashion.

Re:not surprising

[Darfeld]

I'm not leaving my wallet laying around but it's not absolute security. It might still be stolen and that's a PITA. A password written down will be lost if they're not in a logical place well organised and that mean that if someone figure out where it is, they have all of them. Or you can store the pwd in different places and forget half of them. Sure you can find a logical place where to store each pwd but either your too predictable or you won't think of the same place each time.

Or you have a decent IQ, are sure your friend won't betray you (but then, who will? ), and are very well organized in which case you're not Average Joe. Or you have the ability to remember 38 pwd > 20 letters... In which case you might not have lots of friends...

As someone who probably fell into some of those

[vawwyakr]

My sony account only held the minimal information and some of that not correct. The PW I used was my public throw away password that I only use on sites that require me to register when I just need it to use a basic service and not enter anything not already public knowledge. So I'm not going to burn a good PW or spend my time trying to memorize a new one to use for something I really wouldn't care if they cracked and couldn't use the same PW on a site for which I care about it being cracked.

Re:As someone who probably fell into some of those

[Aladrin]

For a situation such as yours, the website owner actually cares more than you do. If your password gets stolen from another site, the hackers will be able to log into your account on your other throw-away sites. This means they have a new spam account that -looks- like a legit account. That's quite valuable to spammers, and painful for admins.

Re:As someone who probably fell into some of those

[KidPix]

Yeah, I'd like to see a comparison of bank passwords to Sony/Gawker passwords.

Re:As someone who probably fell into some of those

[Rary]

Yeah, I'd like to see a comparison of bank passwords to Sony/Gawker passwords.

I don't have a Sony or Gawker password, but I can tell you that my Slashdot password is more secure than my bank password. However, that's not by my choice. The credit union I use has this pathetic system that requires passwords to be exactly 7 characters and ONLY numeric. Very annoying.

Re:As someone who probably fell into some of those

[aliquis]

Personally I don't see the horror in "99% of passwords don't contain a single non-alphanumeric character."

Since then is a 8 character password with non-alphanumerics better than a say 50 character password with only alphanumerics?

Which one is easier to remeber of:

&/fhy47F

or:

"omg leet slashdot password try to crack this one stupid"

and which one is safer?

Also with no password reminder and all these shitty sites which require you to register for no obivous reason or which require it for a reason which matters who's got time for unique passwords?

Guess one could make one:

thisismypassword and then just use it as simple as thisismypasswordSlashdot, atleast that would make it unique.

Or maybe use different e-mail adresses for various seriousness of the account, so then you can have thisismypassword for all but if it's only for junkaccount@gmail.com then people won't crack your forumposts@gmail.com or emailaccount@gmail.com even though they had the same password.

Anyway I think "rules" for passwords are stupid. There are much better and easier ways to improve safety. Sure 50 characters with an occasional & sign is even better.

Re:As someone who probably fell into some of those

[gman003]

My bank is nearly as bad - only uppercase letters and numbers. I used my normal password as a basis for crafting my bank password, but I can never remember if I replaced all Os with 0s, or just the first one, or just the second, or what I did with the underscore, etc. So I still can't remember it. I got tired of doing a password reset every time I wanted to check my balance, and just signed up for mailed account updates. Fuck trees.

Re:As someone who probably fell into some of those

[Plekto]

The big thing that needs to happen is that the systems need to upgrade to a proper unicode character set. And not limit us to stupid things like 8 characters or force use to only use numbers and letters. It's not like the computer itself cares what we put in, after all. @#93^202¾3\fm395212i.345349wdm is just as easy for a computer to put into a table as password42.(as an example) Most of these systems seem to be archaic holdovers from pen and paper days. After all, when you recover the password, it clears the old one anyways. It's not not like some rent-a-tech is actually reading it back to you over the phone.

(note - Slashdot choked on what I typed) - The characters that I randomly inserted were:
@#93^202[3/4 symbol]3\fm39[r shaped graphics character - ignored]5[epsilon - also ignored]212i.345[up/down arrow - also ignored]349wdm
This is bog-standard Arial Unicode. Every PC and every site should support it at this point. But even slashdot is behind the times, so it seems.

Also, where I used to work, we had to crack Office file passwords for clients from time to time (data recovery and the like) Most could be brute-forced in seconds, but add a single unicode character like or even something as innocuous as an extended graphic character like to the password and the cracker would choke and never get it. We'd know it was no more than 8-12 characters and it would run overnight and get nothing (problem with having clients in foreign countries send you data to recover... sigh). I'd wager that less than 1% of all cracking programs and tools that are available to use, either commercially or that are out on the net in the hands of criminals are set up to deal with Unicode.

It's a shame only two sites that I visit allow it. Slashdot isn't one of them, BTW. Sony certainly did not. Of course, I always used the prepaid cards as well, since it was an obvious problem - not only from a password perspective, but the idea that anyone (ie - kids) could log into your main account and buy stuff from the store pretty easily if they wanted to.

Re:As someone who probably fell into some of those

[mortonda]

indeed. What I do is create a new password for every site, and then use a password manager like 1Password to remember it for me ... even for sites that I may not ever log in to again. That way, my password doesn't convey any information to any other sites.

1Password syncs to my other systems and my phone, so I'm never without a password, and all I have to remember is my local encryption key.

Re:As someone who probably fell into some of those

[KZigurs]

Thank you, kind sir! Please make sure that your account is in good standing to avoid ... uhm... *overdraft fees and ensure good credit score*. Yeah, that.

Re:As someone who probably fell into some of those

[Rich0]

That's the price admins pay for using passwords to authenticate users. It will only get better once it gets sufficiently worse. :)

Re:As someone who probably fell into some of those

[hedwards]

If you add even a single non-alphanumeric key it means that in order to brute force the password, they don't get to stick with the 26 lower case letters, 26 uppercase letters and 10 digits, they also have to deal with the , ; . ! ? @ and probably even more. And they don't know that's the case until they try every combination of alphanumeric characters that is possible within the given length.

Re:As someone who probably fell into some of those

[aliquis]

Yeah, but say 26 lower case, 26 upper case, 10 numbers and then how many special characters? 30?

So you got 62 vs 92 characters.

To begin with they don't know if you use alphanumerics only or not, so it's not obvious what.

But regardless, say they do.

8 characters with special characters:
92^8 = 5.13218873 Ã-- 10^15

10 characters but only alphanumerics:
62^10 = 8.39299366 Ã-- 10^17

So now Hedwardish (heck, screw the numbers, 52^11 = 52^10 = 1.44555106 Ã-- 10^17) is much better than 3TtÂed6/ and 3TtÂedÂ6/ is just four times as good.

Imho the former is easier to remember, and "bla bla yada yada story of my life this is my gpg key" is imho much more convenient than Y45i64tgi4%409d9di34k68rgft645egfed5t6&&7.

But I may be wrong ..

Best password practices

[mangu]

I don't think very long passwords are necessary.

My own practices:

No dictionary words, only a string of random letters
No change, memorize and keep the same password forever

I use the same password for all internet sites, slashdot, reddit, throwaway emails, etc. Another one for all my computers, at home and at work. A third one is for my bank account only.

Re:Best password practices

[somersault]

I don't change mine all that often either, and similarly have different levels of passwords.

What do you mean by "very long"? I think something like 8 or 9 characters minimum is probably necessary to avoid rainbow table cracking these days.

I've taken to slightly modifying my password depending on which site I am using. It helps to lengthen the password but in an easy to remember way, even though my basic password is already above the length that should be easily crackable.

Keeping the same password forever does leave you susceptible to things like hardware keyloggers, and websites storing your passwords in cleartext (like Slashdot apparently does) though.

Re:Best password practices

I do somewhat of the same. My letters aren't random though. I typically have a phrase that I remember such as:

jack went to the store to buy some rice.

That would become jwttstbsr

Then append a number n (in this example we'll say n = 3)

Every nth letter in the original sequence becomes uppercase.

So then we get jwTtsTbsR3

Finally, append a single letter suffix designating what it's for. C for computer passwords, F for financial, S for social networking, E for email, W for general websites, etc.

I tend to change which password I'm using every now and then and this lets me keep track of it without having to write anything down (which I'd inevitably have to do for a COMPLETELY random sequence).

Re:Best password practices

[jovius]

i use something like 's0m3t#1nG'

Re:Best password practices

[JaredOfEuropa]

Decent dictionary attack software already accounts for the more obvious substitutions like i/!, o/0, l/1, e/3, a/4 etc. I tend to use passwords that can be pronounced but aren't actual words.

But even with a completely random password, you're still screwed if Sony makes the unbelievable and unexcusable mistake of storing them in plaintext. Hell, even the PHP for Beginners book on my shelf explains one-way encryption for passwords to online services.

Re:Best password practices

[Danny+Rathjens]

I don't know why people think that "leet-ifying" a word makes it a better password. leetspeak modifications of dictionary words is one of the first variations that password cracking software tries after straight dictionary words.

Re:Best password practices

[angel'o'sphere]

But you do know that slashdot e.g. does not transfer your paswd encrypted but in plain text? So everyone listening to your connection can read it? I would at least distinguish between https and non https accounts.

Re:Best password practices

[DigiShaman]

Security through Obscurity plays a part in the overall scheme of things. Not by itself, but a part. That said, unless you use different user names, you shouldn't be telling everyone that you use the same password for all those sites. There are several potential implications that could render partial to complete ID theft.

Re:Best password practices

[BrokenHalo]

I don't know why people think that "leet-ifying" a word makes it a better password.

Leetifying a dictionary word doesn't make it any stronger as a password. However, using "leet" substitutions in a password which cannot be found in a dictionary, but is otherwise memorable increases the range of combinations/permutations of characters, so making a lot more work to brute-force. Thus, "P45sword" is just silly, but "Tb,at5tDg4gitw:" (from "Twas brillig, and the slithy toves \n Did gyre and gimble in the wabe:") would be considered by most to be a pretty strong password.

Re:Best password practices

[WuphonsReach]

That depends on whether you assume that the attacker has your password hash and can brute-force it at an increased rate. For $1000, an attacker can easily build a unit capable of attacking most password hashes at a rate of say 1 billion per second.

If your password is 8 character or less, it will be spit out by that machine in 2-48 hours.

The math:

Assume 60-80 possibles per letter in the password, weaker passwords that are mostly lower-case can be as low as 40 possibles per letter.

40 = ~5.33 bits per position, 60 = ~5.91 bits, 80 = ~6.32 bits.

Search time at 1 billion / second:
5.33 bits per character, 8 characters = 1.97 hours
5.91 bits per character = 47.5 hours
6.32 bits per character = 461 hours

So for fairly complex password, that $1000 machine can break about 180 passwords per year. And since most passwords are much weaker then 5.91 bits per position, it might be as high as 5000 passwords per year.

Which means the attacker only spends $0.20 per password cracked for passwords of 8 character or less that are not completely random. And that assumes that they're paying for the hardware and electricity and time.

Do your short passwords protect items / time worth more then $0.20? You say that you use more random passwords, which means the attacker would probably have to spend about $5.00 to break it if it's 8 characters or less.

For every letter that you add to your password length, you increase the attacker's workload by 40x to 80x.

Re:Best password practices

[binkzz]

I use the same password for all internet sites, slashdot, reddit, throwaway emails, etc. Another one for all my computers, at home and at work. A third one is for my bank account only.

Hey! Would you like to sign up to my site? http://dodgysite.com/ . It has tons of cool stuff. Hope to see you there soon!

Re:Best password practices

[Inda]

I've said the same on here many, many times before giving up. No one will listen and no one will change their ways.

I used to play with password cracking programs on my P3. They all allowed for character substitution and many had a 'leet-speak' option to tick.

BTW, a full dictionary attack used to take about 3 seconds on my P3 and people would be magically impressed when I found their ZIP file passwords.

PS. My bank allows 14 characters... *facepalm*

Re:Best password practices

[Bengie]

If the attacker assumed a 40 char alphabet and you used even a 41 char, they would NEVER break your password.

The attacker knows nothing about your password, so they have only a few options. Use a limited alphabet like all lower case and no specials, which means dramatically faster brute forcing but anyone who uses even a single special char or upper case will be protected from you. Or they can use the full alphabet and take a very very very long time breaking everyone's passwords.

The problem with a lot of password theory is it assumes the attackers knows something about the password. The attacker typically doesn't know you're using a phrase of simple words, they don't know what your entropy is or how large your alphabet is. Assuming the dictionary attack didn't work, all they can do is brute force and go through EVERY combination. Use a simple word, throw in an upper case somewhere and toss in a special char, and add another word if you want to make sure you're at least 12 chars.

"Blueplanet[69]" is 14 chars. The attacker doesn't know anything about my password and it won't show up in a dictionary attack. It would have to be brute forced.

You know why the above example is safer than "A5#[z~];wLr^0@" ? because "B" is higher than "A" in the ascii table and assuming an incremental brute force, it would take longer to make a match.

A 90 char alphabet is considered the pretty much the full one. 90 combinations per char and 14 chars, that's 2,287,679,245,496,100,000,000,000,000 combinations. divide by half for average chance to hit in top of lower portion of the range, 1,143,839,622,748,050,000,000,000,000 combinations. At 100 trillion combinations per second, it would take on average, 362,709 years to break a 14 char password assuming a search space of the full 90 char alphabet. If they didn't assume the full alphabet and someone used even one char outside of theirs, they would NEVER break the password.

Another option is for the web site to use bcrypt to hash the passwords and make it take 50ms per hash. Even simple passwords would be fairly safe if your DB got stolen.

Re:Best password practices

[jovius]

That's why I don't use words from dictionary. Made up words, combinations or mangled. It's easy to have per site unique password. Besides I come from somewhat minor language group which provides lots of weird material to the mix.

Re:Best password practices

[WuphonsReach]

The problem with a lot of password theory is it assumes the attackers knows something about the password. The attacker typically doesn't know you're using a phrase of simple words, they don't know what your entropy is or how large your alphabet is. Assuming the dictionary attack didn't work, all they can do is brute force and go through EVERY combination. Use a simple word, throw in an upper case somewhere and toss in a special char, and add another word if you want to make sure you're at least 12 chars.

"Blueplanet[69]" is 14 chars. The attacker doesn't know anything about my password and it won't show up in a dictionary attack. It would have to be brute forced.

That depends on the attacker. Smart attackers know that most users fall into a predictable pattern, such as preferring lower-case letters over upper-case, only using 1-3 extra digits / symbols, typically putting extra junk between words instead of in the middle of words, and sticking to words that they commonly use. That narrows the search field a lot. Instead of 200,000 - 300,000 words, they only need to use about 8,000-10,000 in their search.

If you don't care about which particular account in a list of hashed passwords you break, then you start with the easy stuff. Such as a list of the N most frequently used passwords. Then you proceed to try the typical patterns (and "word-word-numbers/symbols" is a fairly common pattern). Maybe if you didn't get enough results from the first two methods, you'll try doing a random brute-force search of the entire space.

But is that time worth it? Probably not for most attackers. They'll go after the other accounts in the list first and probably break at least some of them in a matter of hours. After which, unless you are a special target, they don't care enough to spend the effort to break your password.

You only have to run faster then your buddy when being chased by a hungry bear if it doesn't care which of you it eats.

But if you specifically made yourself a target by annoying the bear, then your assumptions have to change.

Re:Best password practices

[WuphonsReach]

PS. My bank allows 14 characters... *facepalm*

14 is not bad. At a minimum, that's probably 62 possibles per position, which is 62^6 better then 8 character passwords. If it allows symbols, then you can assume 80^6 or 92^6, but only if the entire thing is complete gibberish. Otherwise stick with about a 60^6 estimate.

Eight would be too few. Even 10 positions is borderline now. But once you get up into the 12-15 character range, you're past the point where opportunistic attackers will bother. It's faster for them to get the password some other way (shoulder surfing, phishing, social engineering, spyware, physical intrusion/theft, etc.).

Re:Best password practices

[wikdwarlock]

Exactly this...

At least the "leet-ifying" moves it further down the line in terms of brute force. This makes it a bit more expensive and a bit more likely to be deemed not worth the effort. If 50% of the passwords can be had with a simple, non-leet dictionary attack, maybe that's enough ROI for the cracker to call it a day and begin chewing on the next database of victims.

It's akin to using a safe inside your home. The US Navy Seals can still come in and get your safe-protected stuff, but if the safe is just a bit heavier or more secure than the average safe, a typical burglar will leave it alone as it's not worth his time and risk.

Re:Best password practices

[Zomalaja]

I sometimes use dictionary words but I misspell them badly.

Re:Best password practices

[Quirkz]

+1 use of Best Poem Ever

Is *$#~! allowed?

[Captain+Centropyge]

It doesn't help when some sites don't even allow non-alphanumeric passwords. Besides... when Sony stores them in plain text, what does it matter what your password is?

Re:Is *$#~! allowed?

[PhilHibbs]

They probably do that because by French law you have to store them in plain text or something fungible, no one-way-hashing of passwords is allowed in France.

Re:Is *$#~! allowed?

[BrokenHalo]

It doesn't help when some sites don't even allow non-alphanumeric passwords.

Indeed, and by far the worst culprits I have found for such asinine limitations are banks. I have come across many that impose arbitrarily small password lengths and refuse all non-alphanumeric characters.

Re:Is *$#~! allowed?

[Captain+Centropyge]

Exactly! You'd think a bank would want the most-secure passwords a user can come up with. Why would you ever disallow special characters? And, unlike the other poster who replied, these aren't French banks. They're local American banks. I don't get it...

lowercase

[Njovich]

'82% of passwords are lowercase alphanumeric of 9 characters or less.'

So what about lowercase? As long as it's random-ish, it's fine. Good luck brute forcing a 9 character lowercase alphanumeric password... Capitals are overrated anyway, if asked to include an uppercase character, in my experience most people will use exactly 1 uppercase character. So, given a password with length 8, it's only 8 times as many possibilities you would check. However, it is still an extra keypress, so if you went for an extra character it would be a lot more effective. Then there is the point that on many phones it's a nuisance to type capital letters, then there is a problem of readability of for instance I (upper i), or l (lower L). Also, when speaking out a password it is annoying. Then, at least for me, it is hard to remember the location of the capital letters.

Re:lowercase

[chemicaldave]

The point is that it's easier to guess a password when you know it only has 36 possible characters, as opposed to 62.

Re:lowercase

[stewbee]

In a way I agree with you, but lets just look at the numbers. A password of n characters long of only lower case letters (in English) is 26^n possible combinations. Adding upper case then give 52^n combinations. If you were a code cracker, and knew in advanced that most people only used lower case letters, then why waste you time with upper case letters. Your code cracking program would take longer allowing for upper case letters. It a matter of low hanging fruit; non capitalized password code cracker will give you reasonable success rate at a shorter time that allowing for capitals.

Re:lowercase

[Rary]

Also, when speaking out a password it is annoying. Then, at least for me, it is hard to remember the location of the capital letters.

For starters, you shouldn't be speaking out a password, unless it's the password to something really trivial and low security, in which case go ahead and use a simple all lowercase password. As for remembering the location of the capital letters, use a simple pattern.

For example, if you take the word "password", replace a couple letters with numbers, such as "p4ssw0rd", and then just hold down the SHIFT key for every second character, you get "p$sSw)rD", which is many times more secure, and simple to memorize, because you're not memorizing the actual password, just the pattern used to type it.

The point about how difficult it is to type these passwords on a phone, however, is absolutely valid. Even worse is when I have to type my fairly secure wi-fi password on my Kobo. Painful.

Re:lowercase

[Kjella]

Apple23
aPple23
apPle23
appLe23
applE23

= about 5 times as difficult. The point is that people don't use combinations like ApPLe23, capitalizing one letter because you must isn't exactly a huge gain. Particularly since most people will capitalize the first, since it's easiest. I do stick to alphanumeric passwords though, everything else always generate so much crap with character sets, keyboard layout etc.

Re:lowercase

[tchernobog]

Actually, it's not exactly true if you are brute-forcing. If you have a nine-characters-long password, of which exactly one letter is uppercase (assuming you can determine that), you would have 8 lowercase letters (26^8) * 26*9 possibilities (because the uppercase letter can appear in 9 different places), so that would make it 9 times the time required to bruteforce an all-lowercase password. That's why they recommend you to use digits, special characters and uppercase letters; they DO increase a LOT the amount of work due to break a password). If you do not know if there *is* a uppercase letter (0 or 1 uppercase letters), that makes it 18 times harder (26^8 * 52*9).

Re:lowercase

[swillden]

Good luck brute forcing a 9 character lowercase alphanumeric password

Per yesterday's article, a GPU can test 3.3 million passwords per second. That means the entire space of 9-character lowercase alphanumeric passwords (there are 36^9 of them) can be searched on a single GPU in 356 days, which means that on average it will take 178 days to find a given password with an undirected brute force search. In practice, that can probably be reduced significantly by searching first for dictionary words, combinations of pieces of dictionary words or letter sequences that are "pronounceable".

Brute force searching is also fully parallelizable, so applying 10 GPUs reduces the average time to 18 days (again assuming naive searching -- smarter searching will probably reduce it to 2-3 days).

Throwing in exactly one uppercase letter multiplies the password space by 9, which makes those numbers for one and ten GPUs 1600 and 160 days, respectively. A factor-of-9 improvement may not seem like much, but in this case it moves the problem from the realm of something that can be done in a couple weeks with a few hundred dollars of hardware to something that requires months or thousands of dollars.

Of course you're right that adding a tenth character does more than choosing one uppercase character. But the point is that a 9-character lowercase alphanumeric password is eminently crackable by someone who cares to do it, and at this level every additional multiplier that can be added to the complexity of the brute force attack is useful.

Re:lowercase

[mortonda]

But this is only when you have access to a very fast hash table of the passwords. Trying to brute force over the network to a server that has a proper failure backoff timeout, it gets a lot harder to brute force a decent (6-8 character) password, assuming you don't do stupid stuff like 'password' or '12345'

As for the case of whether the hackers get ahold of the password table ... well, let's hope it's at least hashed. That's not even always the case... and if that's true, it doesn't matter how long your password is. :(

Re:lowercase

[WuphonsReach]

But this is only when you have access to a very fast hash table of the passwords. Trying to brute force over the network to a server that has a proper failure backoff timeout, it gets a lot harder to brute force a decent (6-8 character) password, assuming you don't do stupid stuff like 'password' or '12345'

Agreed.

But when planning for password security, minimum length and complexity requirements - you assume that the attacker has the hash.

It's a very reasonable assumption to make unless the server is locked in a concrete and steel box, a kilometer or three below the surface, with no external connections, you've filled the box with magma, and you have honey badgers living in the tunnels. Maybe some cazores living at the entrance.

Re:lowercase

[Rich0]

In a way I agree with you, but lets just look at the numbers. A password of n characters long of only lower case letters (in English) is 26^n possible combinations. Adding upper case then give 52^n combinations.

The parent's point was that this isn't actually correct. That is only true if ANY or ALL of those characters could be upper case. Well, they could be, but most likely they aren't. Instead it is probably the case that all but one are lower case. So, the number of possibilities isn't 52^n, but rather n*26^n. That is barely larger than 26^n.

Require 8 characters, of which at least one is upper case and one is a number? Ok, users will go with the minimums on both, so you start with 6 lowercase and 1 uppercase letters, which is 7*26^7. Then you throw in a digit. That could go in 8 positions, and could be any of 10 characters, so multiply that number by 80. If you just check a "1" in the last character position then you don't increase the number of combinations at all and you'll probably nail 80% of the passwords anyway.

If I lose my car keys then a true brute force search would have to cover the entire volume of c * the elapsed time since I last saw them. However, I wouldn't start by searching the moons of Jupiter - the kitchen counter is far more likely to yield dividends.

Re:lowercase

[n5vb]

There's only a bit of difference between upper and lower case.

(at least in ISO-Latin-1) *rimshot*

Re:lowercase

[Rich0]

Your calculations are way off as you don't know in advance where the one capital letter will be, so you are still stuck with all possibilities.

If the password is n characters long, then the capital letter could be in one of n positions. So, the number of possibilities is n*26^n. Basically you take each 8-char lowercase password and then you capitalize each of the 8 letters in turn.

Or you could look at it this way - you have n-1 chars lowercase, which is 26^(n-1). Then you have 26 possible uppercase chars in any of n positions, or 26*n. So, you get 26*n*26^(n-1), which is just another way of saying n*26^n.

As far as your arguments about making the passwords harder to brute force go, clearly that is just good sense. That doesn't change how the time to brute force scales with n, but just the base time per try, and salting also prevents you from being able to divide the time per password by the number of passwords in the database.

Re:lowercase

[AmiMoJo]

Didn't you see the recent story about GPU password cracking? A GPU will chew through every combination of 9 lowercase characters in minutes.

Password Requirements Are Inconsistent

The whole point of a password is to have something you can memorize (without writing it down) as a security precaution. The problem is that different websites have different password requirements. For example, one website might require at least 8 characters in your password with at least one numeric and one non-alphanumeric character. But then another website might require at least 6 characters (alphanumeric), but DOES NOT ALLOW non-alphanumeric characters. So now you have two different passwords to remember. On top of that, it is recommended that you have a different password for each account. I don't know about you, but I have probably 100 accounts to various websites, games, etc - and there's no way I could memorize that many different passwords containing a mixture of alphanumeric and non-alphanumeric characters.

Re:Password Requirements Are Inconsistent

[tompaulco]

Mod parent up. Nevermind different sites, we have different password requirements on different systems WITHIN MY OWN COMPANY. Our expense reporting system, bug tracking system, OS login, and intranet login all have different and incompatible password requirements, and some of these also expire, requiring you think of a NEW one that fits the format. So within my own company I have to remember 5 different passwords (plus the other system passwords, some of which I also need to know to perform my job). Then externally, I probably have 30 to 40 sites that I have accounts on that I use on a regular basis. Some of these not only have crazy password requirements, but some have non-choosable usernames, like a number or a name that they assign you. Sometimes they assign you a password as well and won't let you change it.
So it comes down to sticky notes, or a trusted source to keep all your passwords. I have chosen the latter. I have a password file that I keep on my own domain. However, even that is not foolproof, because I don't host the sever myself, so somebody at the host, or somebody that compromised the host could get in and look at that file (I have permissions set to keep the casual viewer out, but these people would obviously have admin permission). I still have security through obscurity, as they would have to recognize the file for what it was, while wading through thousands of uninteresting files, and then figure out what user and password goes with what site, which is somewhat cryptic, but recognizable by me.
As an aside, why does talking about my file which is hosted on a unix based system make me want to use vi editor keys when typing into slashdot?

Re:Password Requirements Are Inconsistent

[Hatta]

But then another website might require at least 6 characters (alphanumeric), but DOES NOT ALLOW non-alphanumeric characters. So now you have two different passwords to remember

You're going to have to remember 2 different passwords anyway. That is, unless you want Sony hackers to be able to access your email/facebook/slashdot account.

Re:Password Requirements Are Inconsistent

[sjames]

It's really getting out of hand. I'm just waiting for the day when passwords must be 100 words or more, mixed case in at least 3 alternate character sets (including Klingon please) with not less than 5 characters that cannot by typed on any keyboard known to man even with a quadruple Bucky.

It's time to admit that not everything is Top Secret and that the real problem is that BANKS insist on using credit card numbers and other more or less public information as the world's worst clear text passwords. It shouldn't matter if you know my credit card number (known to anyone I buy something from) or my mother's maiden name (known by the bank and anyone who bothers to check public records), my shoe size, or my birthday.

We've known how to use public key signatures and encryption on smart cards for decades now. If such a system were in place, and mandated to be open, we could use it for other things as well. If a smart card can securely sign a payment authorization, it can sign an access token.

Re:Password Requirements Are Inconsistent

[tompaulco]

Well, there is no reason why the brute force thing should even enter into it. Any properly designed system will not allow you to try to login again within1 second. Nobody can type that fast anyway. So any kind of brute force attempt is going to take billions of years. All of the IT security is just like TSA, pure theater. It costs us time, money, and decreases security to have the kinds of password rules and expiration that are considered "best practices".

My Best Practices

[gregarican]

For my passwords I use the keys one-up-and-to-the-right of the "dictionary style" password I have. For example, for password this would come out as -wee305r, making it harder to brute force. Of course if the passwords are all stored plain text by some incompetents what's the point?!

Re:My Best Practices

[jawtheshark]

That works as long as you only have to do with US-Layout keyboard. I have to cope with a multitude different keyboard layouts. The only I type this on (which is not the one I normally use) would render password like ")éeeà(r".

Re:My Best Practices

[gregarican]

Good point. And my US keyboards render the passwords a lot differently than the time I am trying to enter in my password from my iPhone/iPad...and since I don't always memorize the jumbled version I sometimes get a brain cramp :)

My password is

'); DROP TABLE Password;

Re:My password is

[snookerhog]

Bobby, is that you?

Whats the point ..

[Idimmu+Xul]

of having 100 alphanumeric+special character long passwords when websites just give up the password lists with the magical words 'sql injection'?

Unique passwords at least ensure that once a website you frequent is compromised you don't get further screwed over...

hunter2

[chemicaldave]

There must have been a few dozen.

Re:hunter2

[MacGyver2210]

There weren't any passwords listed in the sony data as ******* - as you typed it. If you can write the actual password instead of the masked version I could tell you for sure...

non-alphanumeric characters

[pb186]

"99% of passwords don't contain a single non-alphanumeric character." Many sites out there don't allow non-alphanumeric passwords. Most bank login pages I've seen are this way. It's really infuriating that a page whose security is of the utmost importance doesn't allow very secure passwords. Since a lot of people reuse passwords this statistic makes sense.

Re:Non-alphanumeric characters

[John+Hasler]

Sounds like you missed an opportunity to put Bobby Tables to work...

It's also possible that the "#" just happened to fall right after the end of the maximum length password accepted by the site.

Re:Non-alphanumeric characters

[WuphonsReach]

Which sounds like they're storing the passwords in plain text.

(Yet another reason to just use randomized passwords across different websites. At least an attack on one site won't lead to accounts on other sites being exposed due to password re-use. Heck, for sites like talk forums and community sites where you don't have financial information exposed, just let the browser remember the password. Or use a program or a few GPG encrypted text files.)

Re:ah geez.

[xkuehn]

ah geez. it's like being back in school. my best mate's password was "123".

Ah, the memories. (The school's admin password was "access".)

Huh?

[iluvcapra]

67% of accounts on both Sony and Gawker use the same password.

Without a map of Sony accounts to Gawker accounts I don't know what this means... I take it to mean "The cardinalty of the set that is the union of password sets from Sony and Gawker is 67% of the cardinality of the set of Sony passwords."

Re:Huh?

[Jim+Hall]

67% of accounts on both Sony and Gawker use the same password.

Without a map of Sony accounts to Gawker accounts I don't know what this means... I take it to mean "The cardinalty of the set that is the union of password sets from Sony and Gawker is 67% of the cardinality of the set of Sony passwords."

IIRC, Gawker had their username/password database stolen a year or so ago? I read the "67%" as: for accounts on both Gawker and Sony, where the email address matched up, 67% of the passwords were also the same.

That is, 2/3 of the people who had accounts on both Gawker and Sony were using the same password, not a different one.

Re:Huh?

[MacGyver2210]

I take it to mean "We downloaded the un/pw list from the sony hack, and tried every one on Gawker. 67% worked."

Bad passwords are not always the user's fault.

[mcmonkey]

The issue is I have, at last count, 13 systems with separate passwords. There's a network account, elevated privileges account for server admin, HR systems, online learning systems, expenses system, which is not the same as the travel booking system, etc.

With the company's computer, I can't just install any software I want, so one of the password tracking programs is not an option. So I use the same password for all 13 systems.

So the next issue, not all those systems have the same password requirements. There is one system which does not allow the use of special characters. So while my password always has lower case, upper case, and numeric, I'm always going to be in that 99% with no non-alphanumeric characters. Oh, and I think the max characters limit is around 12.

Of course, writing down passwords is such a bad practice. But there's no way I can afford to burn the cycles to memorize 13 new passwords every 90 days, so I use the same password for all work systems. The same bad password.

Re:Bad passwords are not always the user's fault.

[Idimmu+Xul]

you could use a password management tool like keepassx to remember them for you

Re:Bad passwords are not always the user's fault.

[KMitchell]

Of course, writing down passwords is such a bad practice. But there's no way I can afford to burn the cycles to memorize 13 new passwords every 90 days, so I use the same password for all work systems. The same bad password.

Nothing inherently wrong with writing down passwords. You move from "something you know" to something you have, As long as you properly secure "what you have", it's still decent single-factor authentication. Just write your passwords on a $100 bill, and you're fine.

Re:Bad passwords are not always the user's fault.

[Mr_Plattz]

Agreed!

I've recently invested time and changed *all* my online passwords. Everything stored inside KeePass with random very strong passwords. Even comparing with the 'core' sites such as Facebook, Twitter, Ebay, Paypal, Gmail --- *ALL* of them have different requirements which I think is unacceptable. Some enforce 14 chars but don't accept alpha-characters while others cap at 20. One big kudos is Facebook was the best and accepted 256 random characters.

So yes, *we* need to agreed on the minimum standard that all passwords can be. I will propose 20 chars, allowing all upper/lowercase alpha-numerics and non-alphanumeric.

Yes I appreciate security isn't just a simple as allowing 256 random chars, but as the above posters suggested, *WE* (customers) should at least be able to expect a certain level of standards.

Re:Bad passwords are not always the user's fault.

What part of "With the company's computer, I can't just install any software I want, so one of the password tracking programs is not an option" did you not understand?

Re:Bad passwords are not always the user's fault.

[mcmonkey]

Except I can't install any software I want on the company's computer. You know, for security!

Re:Bad passwords are not always the user's fault.

[benob]

How about using a common random prefix followed by a phrase unique to that system? Like:

Xhk645k_networkaccount
Xhk645k_elevatedprivileges
Xhk645k_hrsystems ...

You only have to remember the random prefix, the second part being much easier to remember.

To security experts: would that be secure enough?

Re:Bad passwords are not always the user's fault.

[eulernet]

At my job, the policy was to change passwords every month.

The guy explaining how to be able to keep memorizing the passwords gave us the following trick:

use your normal password as a prefix
then as suffix, add a counter, like 00, 01, 02, etc...
The idea is to increment the counter when the password expires.

After a few months, the management got upset about this policy, and we have now the same password since 2 years.

Re:Bad passwords are not always the user's fault.

[danpat]

Online password manager with client-side encryption and secure password generation: http://clipperz.com/

Re:Bad passwords are not always the user's fault.

[John+Hasler]

> ...would that be secure enough?

As long as you are the only one doing it. Once the practice became widespread it would become worthless (I am not a security expert.)

Re:Bad passwords are not always the user's fault.

[Cthefuture]

This is exactly the type of thing a smartcard would be good for. You could have all unique passwords using the strongest randomizer possible (or use PKI or similar) and only have to remember a simple PIN for your card. The PIN can be relatively short and simple too (although making it more complicated is recommended).

A smartcard provides a hardware level of protection as it's much more difficult to brute force because it can be set to self destruct after a certain number of bad PIN attempts. Usually between 3 and 8 attempts will "permanently" block the PIN. Many cards do also have an unblock PIN and/or transport key but those will also block after some low number of attempts, at which point the whole card will probably be permanently "bricked."

It's not some magical solution to all problems because unless you're using PKI then your password has to be read off the card and transmitted but the range of attacks is much smaller (mostly limited to local attacks on your system versus stuff like the Sony breach).

Re:Bad passwords are not always the user's fault.

[Roogna]

Use a password management system, that is -not- on your computer. For instance 1Password is available on iOS devices. I'm sure Android has similar apps.

Re:Bad passwords are not always the user's fault.

[mcmonkey]

Oh great. All my accounts have been compromised AND I have to skip lunch for a couple weeks. ;)

Re:Bad passwords are not always the user's fault.

[Anubis+IV]

If you use 1Password, it has companion iOS and Android apps which will automatically sync via Dropbox to your computers. No need to install anything on the company computers when you can keep it on your phone, and the data on the phone is independently encrypted and password protected in addition to anything the mobile OS does.

Re:Bad passwords are not always the user's fault.

[gman003]

I have three different passwords I use for everything. The weakest (8 characters, 2 non-alphanumeric and one uppercase, but I sometimes have to strip the & and @ on things that don't allow it) is used on things where I really don't give a shit if someone hacks it. Want to upload stuff to Imageshack in my name? Who cares? Want to hack my Dropbox? I only use it as free file hosting - everything on it is supposed to be publically-viewed, and I have local copies of all the data. Want my Gawker account? Knock yourself out - I don't even try posting anything there, everyone's too retarded. Hell, some sites email it back to me in plain text.

The next password (9 characters, 2 non-alpha, one uppercase, non-dictionary word (unless someone added Esperanto to their password dictionary)) is used for things I actually care about. Steam. Slashdot. User-level logins. Email. Stuff I would be able to recover, but which would seriously inconvenience me. If I hear that one of the systems I use it on has been compromised, or even "maybe" compromised, I change them all. I do have this one written down in a few places, but always under lock and key.

The highest (20 characters, 3 non-alphanumeric, 4 numbers and 6 uppercase, with nothing at all that would appear in any dictionary) is used on things I need actual security on. Root accounts. Bank accounts (or at least I would, if my bank wasn't retarded). And the only place I have this recorded is in one location, which contains only the instructions I used to generate it, which requires knowledge of hexadecimal, early science-fiction, and the arrangement of my keyboard. I consider this one uncrackable - I would be confident setting it as the launch code to a nuclear missile. If I remember, last I checked it would take several years to crack the password - anyone who cracks it will probably have spent more on electricity for their computer than they'd get out of my bank account.

PS: I know about password management programs. Don't trust them, and I have to use public terminals too often to have passwords I can't remember. I've considered using the postfix system (ie. $kurg^is42 would become $kurg^is42_fb on facebook, $kurg^is42_sd on /., etc), but haven't gotten around to actually doing it yet. Probably should.

PPS: That's not my actual password. And several of my descriptions were deliberately false, just to maintain security.

Re:Bad passwords are not always the user's fault.

[Terrasque]

You could try looking at a solution like http://www.hashapass.com/

The relevant JS code:

function update()
{
                var res = document.getElementById('resultId');
                var seed = document.getElementById('seedId');
                var param = document.getElementById('parameterId');
                var hashapass =
                                b64_hmac_sha1
                                                (seed.value,
                                                  param.value) .substr(0,8);
                res.value = hashapass;
                seed.value = '';
                res.select();
}

As long as you're allowed to make an ascii text document and have access to a web browser, that's available.

Re:Bad passwords are not always the user's fault.

[jomama717]

I use password safe, installed on a thumb drive. I have over 150 unique passwords I have to keep track of for work, as well as close to 100 unique passwords for personal sites stored on it. For passwords I rarely need I let the safe generate them for me, I never even actually know them. Just double click on the entry and it is inserted into your clipboard for ~3 minutes or something. For ones I use more frequently I came up with a scheme:

• All passwords are of the form "[prefix][password][postfix]"
• Choose 3 values for each element of the password. e.g. prefix could be "*(", "$^", or "@!", password could be "sparky", "fido", "jomama", and postfix might just be 3 well known 4-6 digit numbers.
• Memorize these nine tokens, and if you need to write down specific passwords you can just put in placeholders for the values. e.g. "$^fido5150" can be written down as power-woof-vanhalen.

Works like a charm for me.

Re:Bad passwords are not always the user's fault.

[daktari]

You could try and run it from USB flash drive.

Re:Bad passwords are not always the user's fault.

[PhilHibbs]

I've considered using the postfix system (ie. $kurg^is42 would become $kurg^is42_fb on facebook, $kurg^is42_sd on /., etc), but haven't gotten around to actually doing it yet. Probably should.

I do something like that, and I have a few variants of the cryptic prefix as well. I have occasional moments of paranoia that someone will get both Slashdot and Facebook's databases and notice the similarity between my passwords, but really, I'm not that interesting a target for that much effort.

Re:Bad passwords are not always the user's fault.

[CastrTroy]

Kind of funny, since they are only using a hash, why not just allow any length of password. The hash will always be the same length, regardless of the length of the password. You could even allow users to upload a file as their password, in order to allow for non-typeable byte values in order to increase entropy. If you stored the files for each website on a truecrypt partition that automatically dismounted after a timeout, it would probably be about as secure as using keepass, and the actually password would be very strong.

Re:Bad passwords are not always the user's fault.

[gman003]

If the passwords are encrypted, they'll have to go through the effort of cracking them to notice the postfix is there.

Using SHA-1 and the above examples, $kurg^is42_fb becomes de357c5ba1b2e8d6a773319d6c2d1068a3960bb9, while $kurg^is42_sd becomes a15d3716b55df845ef3f421a0343dd08050956c7. That's one of the features of a strong cryptographic hash - a slight change in the input produces a major, complete change in the output.

Re:Bad passwords are not always the user's fault.

[Unequivocal]

Of course, make sure you backup that password safe somewhere. I use spideroak to keep that file synced on lots of systems. Dropbox probably works fine too..

Re:Bad passwords are not always the user's fault.

[joeflies]

You don't trust password management programs but you trust public terminals?

Re:Bad passwords are not always the user's fault.

[IICV]

... but I sometimes have to strip the & and @ ...

... ie. $kurg^is42 would become $kurg^is42_fb ...

PPS: That's not my actual password. And several of my descriptions were deliberately false, just to maintain security.

So now we know that your real password contains none of $, ^, & or @? That reduces the search space quite a bit :)

Re:Bad passwords are not always the user's fault.

[gman003]

I never said *which* descriptions were false. I could have lied about the $, or about the &. I could even have lied about lying to you - maybe that *is* my real password.

Re:Bad passwords are not always the user's fault.

[ibennetch]

Bank accounts (or at least I would, if my bank wasn't retarded).

What is this about? Seems to be more widespread than it should be. At one point, I had a bank account that, among other things, did not allow passwords longer than 8 or 10 characters. I think any non-alphanumeric characters were also out. And I'm supposed to trust them with my money?

I've also had an account somewhere (I forget if it was a 401k, employer payroll system to see my paycheck, or maybe something less important) that uses your SSN as the login name and requires a short (numeric-only) PIN for the password. Plus some sort of funky javascript to "encrypt" each character on each keypress (which also means I can't type it at breakneck speed).

Now, I go out of my way not to deal with companies that force me to use weak passwords...

Re:Bad passwords are not always the user's fault.

[gman003]

My bank account limits me to uppercase letters and numbers, and has a maximum length as well. Since that rules out everything I've ever used as a password (except for one I use on retarded services that email it back to you in plain text), and I don't want it written down anywhere, I'm constantly forgetting it. I got tired of doing a reset every time I wanted to check my account balance, so I just signed up for mailed balance updates and keep track myself - not hard when you only use it for online transactions (ie. Steam games) and major purchases (everything else I just pay cash).

I almost hope someone does hack the account, so the bank ends up losing money giving me back the ~$300 or so in the account. Maybe then they'll learn to follow security guidelines.

Re:Bad passwords are not always the user's fault.

[PhilHibbs]

If the passwords are encrypted, they'll have to go through the effort of cracking them to notice the postfix is there.

That's a big "if". I guess Slashdot's probably is encrypted, because they're nerds. Facebook's probably is as well. Not sure about any others - if a giant tech company like Sony stores them unencrypted, then anyone might. And in France, you're not allowed by law to one-way-hash them.

Re:And 100%...

[Yvan256]

Of course they're not salted. They're checking their sodium intake!

Re:Other Common Mistakes

[Yvan256]

And, most shockingly, over 99% of passwords are not dead locked, leaving them susceptible to infiltration via sonic technology.

Stop screwing around.

Why are you still memorising passwords?!

[Astatine]

Passwords short enough to memorise are now short enough to crack in many cases. See recent article about hash reversal with GPUs.

Use a password safe. Just search -- there are lots around. I use KeePassX (small, cross-platform -- Windows, GNU/Linux, Mac, Android, no install required on Windows). It'll make strong passwords for you and save them in a tiny encrypted file you can copy to all your devices, with a couple of clicks. The only passwords you'll need to remember are your local login password and the password to the safe.

Life is better without having my web accounts chain-hacked or having to clutter my brain remembering a bazillion passwords...

Re:Why are you still memorising passwords?!

[Spy+Handler]

what if you need to access a web account (let's say Gawker) and you're not at home? And you can't remember any of your passwords because they're all strong 35-character random characters stored in your password safe? Do you carry a USB stick with your password safe around with you everywhere you go?

And if you do, you still have to insert your USB stick into a foreign computer and type in your master password. What if that gets owned by a keylogger? Then not only is your Gawker password compromised, every password you have is compromised.

Re:Why are you still memorising passwords?!

[wintercolby]

The article about hash cracking with GPUs was all about cracking NTLM hashes. Even less secure are the random websites that people sign up to with absolutely no idea what type of hash might be used to store their password. To get a good indication of whether or not a site uses a two way encryption or no encryption at all, I usually reset my password. If they email me the (bogus) password that I used to create the account, I know it can't be trusted and put in something simple. There's no telling how strong of a routine a web application uses to store a one-way encrypted password either.

I'm starting to really think that passwords don't matter. Weak or strong, they will be compromised. They only work well when you have a one-off password for each ID/Application/System. Using a password management system makes great sense, keep in mind it's also important to have a 1:1 ratio for each ID:Password that matters.

Re:what did you expect

[snookerhog]

+1 insightful

Re:not to bad actually

[Quiet_Desperation]

Ask a dozen people on the street about the "Sony rootkit" and most will probably think it's an MP3 player for plants.

Strong Password Necessity?

[dmatos]

Here's how I look at it:

My PSN account is used purely for entertainment. It is not linked to a credit card. I have made one PSN purchase on my credit card. My credit card company offers fraud protection.

Why should I have a 26-character long UTF-8 password that I'm never going to remember? It's about as useful as having a strong password on the hotmail account I use to sign up to websites. Huge pain in the ass, negligible benefit.

My banking site, my PayPal account, my Canada Revenue Agency account - these are the places that I bother to use strong passwords. Elsewhere, I don't care that much.

Re:Strong Password Necessity?

[hackstraw]

OK, PayPal and Canada Revenue Agency are not trustworthy and allow remote brute force password attacks.

Please tell me which bank also allows this?

Thanks.

Re:Strong Password Necessity?

Not to mention type a complex 26 character password on a PS3 would take several minutes.

Would you trust your "good" passwords to Sony?

[leonbev]

Knowing Sony's recent track record with system security, I wouldn't bother using one of my "good" passwords at one of their sites anyway. If there is a good chance that some hacker is going to get a hold of their password file and post it on the Internet, it might as well be "password" or "abc123". I sure as hell wouldn't use the same password that I use for my bank or my e-mail, anyway.

It's all too much

[Bardwick]

I would like to see a poll on how many accounts people have. The mid to upper level geek will use a password management software, but for 90% of the sheep out there.... I can think of 14 accounts of credentials I have now. I've resorted to putting in some random password that meets the requirements, then hitting the "forgot password" whenever the cookie expires...

Here's the Thing

[wbav]

Sit down and think of the number of sites/services/etc. that you access each week.

Pretend for a second your browser doesn't remember a single one of them.

I came up with 34 different sites. 34 different systems with their own rules, regulations and security questions. Some sites only allow alpha numeric, some require the alphabet to be limited to what shows up on a touch tone phone. Others require passwords to change every 30 days with no repeats for the last 5 passwords.

At 9 characters a piece, that would be a string of 306 characters. Hell I'm lucky if I remember my wife's birthday and our anniversary. And those are much more important to me than my slashdot password.

My point is, the current system is BS. Too many sites require logins so they can advertise to you. I don't want your ads, they go directly into the trash. I'd advocate for a single ID across these systems, but the issue is if that's violated everything goes to hell just as fast as if you had the same password for each site. So what to do? Reuse a password that is reasonably secure and risk it across multiple sites? Or do I follow perfect security and ensure no one can get in, including me?

And don't get me started on security questions. If I can't remember the damn password, what hope do I have to remember the question I used?

Re:what did you expect

[smitty97]

exactly. call it a PIN and you'll get 4 numbers. and most people will use their REAL bank pin on shadystealyourinfosite.biz just so they remember it

The real security

[wye43]

Any non retarded system will not allow more than a few login attempts. Any password longer than 3-4 character doesn't offer any real protection, only psihological comfort.

If someone got a hand of the password hash, its gameover - doesnt matter if its a week or 2 month to crack it.

We need to get our collective heads out of the sand and triage the REAL security values!

Re:The real security

[WuphonsReach]

If someone got a hand of the password hash, its gameover - doesnt matter if its a week or 2 month to crack it.

We need to get our collective heads out of the sand and triage the REAL security values!

All sane, opportunistic, attackers operate under the principle of cost/benefit. Is it really worth 2 weeks of computer time to break a password of moderate strength? (12+ characters, reasonable complexity) Is it worth 2 months? Most attackers are going to give up after about an hour and go after the rest of the account hashes that were stolen. Why spend the extra time break into user X's account when they can get the same benefit by breaking into user Y's account (who used a weaker password)?

So unless the attacker is insane or is specifically targeting your account, then no - it is not automatically "game over, man".

(And in the case of a targeted attack - there are probably other avenues of attack being used. Such as physical intrusion, social engineering, spyware, etc.)

Mod parent up.

[John+Hasler]

Mod parent up.

And when it comes to password I use on the interne

[jader3rd]

Lots of websites have different requirements, so you end up finding a password that fits most of them. Most websites can't agree on what a special character is, because each one will only support one or two. The reason, is because some website admins are afraid of a SQL injection attack through the password box. The last time I felt the need to change one of my passwords, I had to try out the different websites I was going to use that password for, and come up with one that they all agreed on. Personally I think that all passwords should have a space charater in them. That would result in users creating easy to remember phrases. I have yet to find a website which allows spaces in the passwords though.

Why protect against brute force attacks?

[Phurge]

Excuse my ignorance, but why not have a system that locks you out after three attempts and sends an email to your previously verified email account?

Why all this focus on "unguessable" passwords when it looks like if you have a powerful enough computer you can guess most in minutes?

Ok perhaps banks & public utilities need all the crypto stuff, but Joe-sixpack? Surely there's a more elegant solution than getting people to remember unmemorable passwords (which leads to post-it note on the monitor syndrome anyway)

"incremental" passwords

[ironicsky]

I use a sort of "incremental" password. My base password is 10+ characters containing letters/numbers/symbols where no character is used more than once. Using part of the website's URL, based on a pattern I've devised for myself, I take letters/symbols out of the URL and prepend it to my password. So if my base password was E21jd78&@qPm and the site was slashdot.org, my password for slashdot dot might end up being SshoTE21jd78&@qPm. This way I only have to memorize the base password, and use the URL to prompt myself as to what the rest of it should be making every password for every website I use to be different. If the passwords are encrypted on each service no two hashes will ever be the same.

What does this actually tell us?

[dannys42]

The first inclination we have is that all these users have really bad passwords. However, you're missing one key piece of data and that is what was the real hack rate? How many accounts were hacked/month, and was there any correlation between hacked accounts and password strength?

If the correlation is low, then what it really tells us is that our standard "best practices" may not really be the "best" because maybe they're unnecessarily complicated.

We don't have that data, so we really can't say much other than this is what people do.

Given the fact that the account info was stolen, I think it's justifiable that people understand the level of importance of this sort of account (ie not really important at all)

Algorithmic Passwords

[hipp5]

Since the Sony debacle I've switched to deciding my passwords algorithmically. I use a base password of six lower case digits that is the same for all websites. Then I use two capital letters that are related to the website in question (e.g. "SD" for slashdot) which I offset by a certain number of keys in a certain direction (e.g. SD might become "XC" if my offset is one key down, but it's not). Then I append a single number to the end (same in all cases). This gets me a nine digit password with mixed case alphanumerics that's easy to remember and is unique across the websites I use. Of course, if you know my algorithm and base it's easy to figure out my password for all sites. But my concern isn't really being singled out for my password specifically (if they want to do that I'm sure they can get it other ways), but rather being part of a large password theft like Sony's. I highly doubt a hacker who stole 75 million passwords is going to take the time to figure out that hipp5's passwords are algorithmically generated across websites.

How many systems are being brute forced?

[kjdrtgxf]

I have seen no data here or elsewhere that suggests blackhats are brute forcing [my] accounts. Although outside of my area of knowledge I would have thought that blocking more than 5-10 attempts for a login in a [second, minute, hour, day, month] would dramatically impact the effectiveness of brute forcing. All the news coverage on password weakness seems to be sourced from the security failure of the vendor rather than individual user.

Re:How many systems are being brute forced?

[An+ominous+Cow+art]

Yeah, that's what a lot of the posts here are missing. A reasonably hard-to-guess password of moderate complexity is fine as long as login attempts are detected and the user notified.

What the article is about, though, is using GPUs to quickly generate hashes of passwords. For that to be useful, the bad guys have to have obtained a copy of the hashed passwords to compare against. It's only useful against a site that's been compromised to some extent. There's nothing the user can do to prevent that. Best thing is to simply not re-use passwords across different sites.

Playstation and typing?

[tsager]

Typing text on the Playstation is a horror.

"Up, Up, Down, Down, Left, Right, Left, Right, B, A, Start"
THAT would be a password!

Re:Very few words are bad passwords.

[WuphonsReach]

An issue is, however, hash security. But salts help with that.

Not really. If I know that your password is short, comprised of common english words (say 4,000 common words that are short enough), something like "football123" is going to be cracked in a matter of hours.

4000^2 x 1000 = about 4.4 hours at 1 million/sec

Worse, since "football" is itself probably in that list of the 4000 most common words, my search space is only 4000 x 1000, or 4 seconds.

And probably even faster then that since I would probably try "123" and "1234" as common suffix values to the word list.

Doesn't matter if you salt or not if I'm brute-forcing your password. Salt just means that I probably (assuming you were smart and used a 12-16 bit or larger salt) can't use a pre-calculated rainbow table against the password hash.

strong password not really necessary

[tjaldprd]

Until black hats devote a great chunk of their time to cracking random joes videogame/email passwords to a point of it become a real threat, not only a potential one, i dont see any problem with that. usual slashdot bad analogy: theres always a strong real potential risk of us being hit by a comet, but until that become a clear short therm invevitable threat (like someone findind an object on a colision course), we humans wont take any real actions to defends ourselves if it. the very definition of a PARANOID is someone who takes measures to protectef oneself against a very unlikely scenario. hope noneone gains root access to machine and gets a hold of my porn stash just by this post :)

The Password Problem

[InsertCleverUsername]

The real problem with passwords is that there's so damned many of them. It's a little exasperating to me that in the 21st century we're still managing security and authentication the same flawed, stupid way. All the idiot users in the world and the hapless tech support people reseting their passwords would cry tears of joy if we could just change to a standardized approach. What I'd really like is something like this:

1) Everybody pick a trusted authentication provider (the Google, Facebook, Verisign, your bank, etc.)
2) Have that trusted authenticator sell you a cheap USB dongle (a cell phone-based app might work too) with a shifting, unique code synced to their auth. server
3) Enter your master password then plug in the dongle (or enter a "code of the moment" displayed on an LCD display on the side of the dongle) and you're automagically authenticated to all participating sites using that federated security system.

Hell... I'd just be happy if all sites would let you have at least 20 characters, with no moronic restrictions on special characters.

Re:ah geez.

[Canazza]

yours had a password?

Re:Bye bye password

[WuphonsReach]

It seems that standard username and password as authentication may be coming to an end. Anyone agree?

It's dire, but not as dire at that.

8 characters or less, with little to no complexity is truly dead (and has been for years).

Longer passwords (10-15 characters), with complexity checks and not reusing passwords across sites is still fine for 90% of use cases. In 90% of those cases, you're not protecting anything of much value and an accidental exposure does not lead to loss of life or massive theft.

Banks and financial institutions will have to either start enforcing minimum password lengths of 12-15 characters or add two-factor authentication soon. But even that is not perfect as many attackers simply do a MitM attack, capturing the credentials in transit and executing transactions that were not what the user wanted.

The reason why longer passwords are still going to be fine is that every character you add to the password increases complexity by 40x to 80x. Add four letters to the average password and search difficulty increases by anywhere from 2.6 to 41 million times.

The attacker will just shift more towards sniffing / spyware rather then brute-force.

Don't read too much into it

[matunos]

I wouldn't read too much into people's bad password habits to a site that didn't collect any sensitive personal data. Sharing passwords across sites would be more of a problem as it may lead to inadvertently revealig a password to another site that does have more importance; or losing access to a bunch of individually unimportant accounts may be more traumatic.

Re:ah geez.

[Apocryphos]

For my school's system, one of the superuser accounts was "a" with no password. Things ended badly.

Re:ah geez.

Darn, my password must have been in the vanishingly small amount that used special characters, numbers, upper and lower case and was actually funny as well.

It was "1c@nCurt1t5" (and by WAS I mean several months ago: I am not going to give you my current password - however it is constructed the same way and is also funny)

I can't figure out why everyone can't manage to use good passwords. But, the bigger atrocity is why the hell Sony was storing plain text passwords anyway? Don't they know about things like salted hashes?

Security is only as strong as the weakest point.

[JustAnotherIdiot]

It doesn't matter if you password is a single letter or a giant randomized hex string, if the service stores their passwords in a plain text file people can get into, your password is lost either way.

Re:ah geez.

[xaxa]

ah geez. it's like being back in school. my best mate's password was "123".

Ah, the memories. (The school's admin password was "access".)

When I was 12 I found out from an older student that the admin password was "changeme". I used it to increase my disc quota.

I then gave the password to a younger student, who changed it. IIRC he had a letter sent to his parents, but I was merely banned from using school computers at lunchtime "until the end of the year", which was about 2 weeks. I think talking to people outside for two weeks probably did me good.

Re:ah geez.

[xkuehn]

Yes.

Some support circus administered the computers. A friend of mine looked over the guy's shoulder once, and I didn't believe him until he demonstrated that it works.

What were you really expecting?

[Liquidretro]

Of Course the passwords will be simple, Most people setup their accounts on the system with the controller. They just wanted to get past the screens to play with their new system so they wanted something really simple that they could forget. If they ever needed to actually get in they could just reset it in theory. They could of used a strong password but we know people dont do that.

Re:Morons!

[Tolkien]

Why would someone post a message containing just 7 asterisks? Weird.

Security Through Obscurity

[dead_user]

Hehe, I have a friend of mine that wrote her PIN number on the ATM at her bank.

M¥ p4$$w0rÐ$ 4r3 h4rÐ0n

[somejeff]

1 wr173 m¥ p4$$w0rÐ$ 1n p£41n 73x7 4nÐ 1 h4v3 n3v3r h4Ð 4n¥ pr0b£3m$!

wtf???

[advocate_one]

99% of passwords don't contain a single non-alphanumeric character.

that's pretty much a given considering the vast majority of password storing and retrieval systems out there barf when you give them a non-aphanumeric character...

Re:writing down password

[DocSavage64109]

Just subtly change one character in your written passwords, and even someone who has your list wouldn't be able to use it.

Just write down part of the password

Just write down part of the password. Personally, I have all passwords on a text file but just their "2nd half". The first half is the same for all, and I have it memorized. This way, I can do the "2nd half" as random as the site allows me, and if one password gets compromized, it only affects one site and they would have to get into my computer to get to my (disk encrypted) text file with the passwords. I can backup my "password file" online and it still cant be used without knowing my system.

Garbage Sites, Garbage Passwords

[slyborg]

It's interesting that all of these "onoes errybody using the same password errywhere" stories fail to point out that the junk logins required by almost every site for the purpose to collecting ad demo data essentially feed weak passwords to black hats. This has trained many people to use the same password everywhere, since no sane person will maintain and memorize separate passwords for dozens of sites, many of which they may just utilize for entertainment. Combined with the weak security even major players (c.f. Sony) have been shown to use, this is now a bottomless cornucopia of id theft data.
Since it's well known that a large proportion of user demo data entered along with these logins is also junk, the smart guys use bugs and IP tracking, and profiling of various kinds to collect this data now anyway, so it's not even useful to have local logins for that purpose. It's time for sites to Just Say NO To Junk Logins...

Re:ah geez.

[bickerdyke]

Our Network Administrators password was "ramses" back in those days....

Getting it was even more fun than using it :-)

Re:Best password in the world does not...

[Nadaka]

This is how you take a stolen hashed password and retrieve the real password from it.

It is the third step in the process.

1: steal the passwords.

2: If they are hashed, apply a rainbow table and you can crack the weakest and most common passwords.

3: If you want to put in the effort, you do a brute force attack against every possible password for each password you still want to crack.

Credit card number is not important ...

[perpenso]

I guess credit card data is not important to protect

For some people the credit card number that Sony has is not important. It is a temporary alias for the real card number. This alias issued by the bank's online services upon user request, has a user defined expiration, has a user defined limit, and it *locks* to the first company that makes a charge on it.

You think that's bad

[phorm]

Try bank passwords. Of two banks I know, the passwords CANNOT have non-alphanumeric characters, and require passwords be 5-8 characters long...

Re:ah geez.

[Quirkz]

What, it didn't accept the incomplete password and prompt you for additional letters, such as "II"?

welcome to 2000

[Tom]

You're 10 years or so behind.

These nice metrics that are still being thrown around by your so-called security consultants are bullshit. They are from times where brute-force and dictionary attacks were your problem. That's not half as much true today as it used to be. In fact, not only has technology changed, security has matured quite a bit as well.
The main password I use for many sites online is 8 characters, all lower-case letters. Why? Because not even a security expert seriously remembers kCw]^7qwKR+3 - whoever came up with the idea of telling non-tech people to use passwords like that should move out of the basement and meet the real world.

So-called "hard" passwords are mostly one thing: Hard to remember. And hard to remember means you need more password resets, which leads to these "security questions" that are a bigger risk than a weak password. I mean, finding out your mothers maiden name or your first car or the name of your dog is two hours of work tops for anyone who is actually interested in getting access to your account. And the mass-hacks of today don't go via brute-forcing anymore, they grab your password from some database, so it matters little if it's "12345" or something like the above.
But hard to remember also means written down more often. Either physically, which means one visit to your desk and I have your password(s) or electronically which means if I guess your master password (if you even set one) I have all of your access credentials.

I'm sorry to say it that harshly, but stuff like "x% of the passwords don't satisfy this totally arbitrary metric" is meaningless. If you want to do serious security instead of security theatre and consulting, get some actual studies done. Get the numbers on how many accounts with 6-letter passwords are being compromised compared to accounts with 8-characters-at-least-two-numbers-or-special-chars. Then we can talk. If you're still interested, because my 15 years of experience tell me you won't find that the weaker passwords are half as much a problem as you think they are. It's one of those "quick-wins" that consultants come up with when you pay them a lot of money to improve your security. You know, doesn't require much effort, sounds reasonable, is something the client can personally relate to because even the CTO/CIO/CEO uses passwords, etc.

Re:welcome to 2000

[RockDoctor]

While your example "kCw]^7qwKR+3" would pass most complexity tests, so would "con9ass%dom8hole7", which as a combination of syllables of my wallet contents, where I keep my wallet, and a few numbers and a special character. Methods of constructing usable passwords while avoiding the easiest-to-bruteforce errors don't necessarily result in "character salad", and can be reasonably memorable. If you access your work's bank details from the office, then your mnemonics shouldn't be in your living room ; similarly, your domestic banking password mnemonics probably shouldn't be located in the toilet at work.

Most of the task is dedicated to avoiding dictionary attacks. Then you increase the symbol base. And you want a minimal length of password. These rules do not dictate "character salad" (though they do allow it).

Read the parent again

[krischik]

By my estimation in >90% it will be the very first character which is caps, the rest lower and 12 numbers at the end. Pretty simple algorithm for a code cracker to implement. Thinking of it: forcing numbers actually make it easier to crack a password as they mostly added to the end.