Slashdot Mirror
The Science of Password Selection
troyhunt writes "We all know by now that most people do a pretty poor job of choosing passwords, but what's behind the selection process? What's the inspiration for choosing those short, simple passwords that so often adhere to such predictable patterns? It turns out there's a handful of classic routes that people follow to consistently arrive at the same poor choices – and some of them are pretty shocking."
What's the inspiration for choosing short, simple passwords? They are short and simple, so you don't forget them. Similar reason to using the same password for a variety of different purposes. For bank accounts, use the strongest possible password, and don't write it on a sticky note. For Facebook, use "asdf1234" and don't put *any* important information on there.
That article is way too long. Here's my observation: People pick passwords that are easy to remember, easy to type and or something they think is clever.
The problem with passwords is that if they are too complex people can't remember them or write them down in plain sight. Pass phrases can be very effective, easy to type and don't rely on the cleverness of people who can't remember 10 random letters, numbers and special characters.
This is why, when you have a password policy from hell, there are post-its stuck under keyboards or to the monitor. Users won't put up with your tyranny.
--
BMO
You know, what is more shocking is that clueless "security experts" still relying on passwords as their primary security measure. Passwords are bad because they are not natural. Humans are not computers, i.e. we are have not evolved to memorise random string of letters and numbers. Our brain has evolved to make the most of connecting and contextializing information, not memorizing 1 and 0s. This is the mistake you computer people always make, whether designing GUIs or security systems.
The only secure password is the one you can’t remember.
Great. So remember to write your password on a sticky note that you leave on your monitor, and you'll be golden.
Rejected by dictionary checker in password widget in security-conscious software application.
To be fair, I doubt the average person is aware that a password can include symbols unless they are specifically advised that they are allowable. I know I've been scolded by many computers, web sites, and electronic systems for using symbols in the past so its no wonder that they are rarely used.
Like most everyone else, managing passwords is a nightmare for me:
Some websites require a 15 character password with at least 2 upper case letters 3 digits, at least 2 UNICODE characters, and must be changed weekly. Others require from 5 to 7 characters with no numbers and cannot be changed for at least 2 months. The password rules bear no relationship to the sensitivity of the data.
Managing all of this crap is a royal pain in the ass. I use keypassX with an IronKey to make things manageable, but it is still ridiculous.
Why not just all the user to put anything they want as a password, including spaces, commas, etc. Ban passwords under 5 characters, the top 500 easiest ones, anything matching personal info, etc. But otherwise all other things - and have a lockout policy after, say 5 bad attempts. While a script can run through the 190,000 words in a dictionary in a few minutes, it is a lot harder if the account is locked out after the first 5.
While lots of people hate PayPal for various reasons, they have one thing that is really slick: The ability to use your cellphone as a FOB. Everyone has a cell phone these days, and if you set it up, PayPal will text your phone with a secondary authentication code when you login with your password. So even if someone gets your password, unless they also have your cell phone, they still can't login. Why every bank doesn't have this security feature is beyond me.
"Be grateful for what you have. You may never know when you may lose it."
I've become a recent convert to the idea of using a password card or
password chart to remember my passwords for me. There's not nearly as much to remember, as you use a code to look up the password on a printed card. But if you lose the card, anybody finding it will only see a random sequence of letters and numbers.
Your design to a real part online: Big Blue Saw
Passwords with patterns are easy for humans to remember, but any short password i vulnerable to a bruteforce attack.
My favourite way to generate passwords is the first letter of each word in a phrase. Somebody looking over your shoulder sees you type TbonoTbTitQ, don't see a pattern, and can't remember it. While you think To be or not To be, That is the Question. Not that this makes any difference to a computer that starts at aaaaaaaaa and works up to zzzzzzzzz.
No, I've never used this password on any computer system. One I did use, though (20-odd years ago, at a company that has long since ceased to exist), was MRwitdtEssahtuwws. If you can tell me the underlying phrase I'll be impressed. And scared. :-)
...laura
All those pie charts make me hungry.
- Holy crap, I've got MOD points! Who thought that was a good idea.
A function that returns a string of 12 random ASCII characters including upper and lowercase alphas, numerics and symbols will score 100% on a password strength test like http://www.passwordmeter.com/ but I find that a password like that will be hard to type, much less to remember.
Another way is to return two random words from a list of less-used English words, separated by two or three random numerics. That won't score as high but it will be plenty secure against dictionary attacks and will be easier to remember.
I changed my passwords according to Steve Gibson's new paradigm of password haystacking. The basic idea is that you start with a short, non-dictionary but still memorable base and then increase the length with padding that is memorable to you. The concept is based on the fact that length trumps entropy when defending against a brute force attack, and that simple length is just as effective as complex length as long as the entire password doesn't appear in a dictionary. He made a page dedicated to the concept, it's worth taking a look at.
https://www.grc.com/haystack.htm
If you build it, nerds will come. Soylentnews.org
You know what's worse? Security questions! Especially when you can't type your own.
They can ask for your favorite color but you don't have to answer that particular question. If you are a fan of pass phrases you can enter some sort of phrase indicating the color. For example if your favorite color is red you could enter "The BBC first aired Red Dwarf in 1988".
It is a lot quicker to type '1wtb0t1wtw0t!' though, especially if you are used to it. I usually add a number somewhere which I can increment though to workaround the stupid password expiry policies some places have.
I'm surprised a large chunk of the obfuscation attempts didn't involve replacing letters with numbers. termin8, passw0rd, etc.
I used a password cracker once as a sysadmin many years ago and I recall that that was one of the higher priority alternates the password cracker tried after dictionary words. I also remember there were plenty of adjunct dictionaries for password crackers with things such as anime/book/movie/tv names and character names and places which might cover a lot of that "other" category.
Back in the day, we would trade off the duty of creating the root password, and changing it everywhere it needed to be changed. When it was my turn, I used a random set of letters and numbers that everyone said no-one could remember. That password had fewer people re-requesting it than any other. I still remember it today. I just Googled it, and nope, it's not there yet.
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
I pick 12 or so digit passwords with a mix of stuff that has nothing to do with anything. One of my more recent passwords was:
$8.3JOe$&#aW=
When I pick a new one, I just type it 20 or so times and my fingers remember it from then on. I usually cannot reproduce my passwords verbally without first typing them. The fingers remember. The brain does not.
the rationale
1) easy to remember (weak)
2) it's good enough (average strength)
3) holy shit, hackers! (strong)
Anons need not reply. Questions end with a question mark.
Seriously, I don't care if someone guesses or bruteforces a password to some news site, or anything where I've used a totally random pseudonym in the first place. I will do things like use weak passwords, re-use them, etc. Because I don't care. I mean, I *really* don't care. Please hack these. Who cares? Not me.
Web sites and applications where I *do* care, get particularly long, entropy-rich randomly generated passwords. These passwords do get stored locally, on a well-encrypted medium that I would be most happy to surrender at the first hint of torture. But these aren't going to be casually guessed, and if you're trying to brute force one of these accounts, you're much better off attacking the next one over. (I take the same strategy with auto and home security as well -- all I really have to do is make YOUR car look more attractive to thieves.)
-fb Everything not expressly forbidden is now mandatory.
I am as lazy as anyone else, but I guess I'm just lucky in that I understand a certain amount of english, binomial nomenclatural Latin, spanish, and 3 lesser known NA aboriginal languages. I use one language for username, and another for password. I'm so happy there is no dictionary for O'kmuK.
Problem #1: people don't have random password generators conveniently at hand when they need to create passwords. OS designers should make sure that good random password generator applets are installed by default and obvious. Designers of systems that require passwords should remind users to use random password generators, and suggest where they may be found in popular GUIs. Not every interface can offer that information, but certainly websites could, and if enough do, the information will get around.
Problem #2: people get the EXTREMELY BAD ADVICE that they should not write down passwords. They should be advised to write down their password and put it somewhere safe and out of sight, like their wallet.
If they were called passphrases and required a space character, they'd be easy to remember and hard to brute force.
I use a system that is similar to this: Take a phrase, mash it up very well and then add the name of the account to the end of it. Its very secure, but some sites don't support it because it contains plain text.
Phrase: Don't taze me bro! (remember that guy?)
lets mash it up a big
d0nT+A2eM3bR0!
After typing it in a few times it becomes natural. So, now you have a 14 character alphanumeric password with symbols. But, if some script kiddie hacks a site that you're signed up to (this happened to one of my various online accounts) then they will have access to all of your accounts using that password, rendering it useless, right? Well not so fast. Now we add the next part of protection.
Take the name of the site/account you're logging in to. Mash it up just once (one letter/number) and append it to the 14 character mashup. For example
d0nT+A2eM3bR0!f@cebook
d0nT+A2eM3bR0!sl@shdot
d0nT+A2eM3bR0!n3wegg
d0nT+A2eM3bR0!f@rk
In this case I replaced the first vowel in each site name with a symbol.
I consider this to be VERY secure, and if any of my accounts gets broken into, the likelihood of any other of my accounts being compromised is next to nil.
I'd love to hear the comments of my fellow slashdotters on this. Keep in mind that even a very simplified version is better than most of the passwords out there. I try to get my customers (neophytes mostly) to adopt this because at the very least they aren't using "password1" as their password for everything.
Nobodies Prefect
Tidbits for Techs Technology Blog
I find the ability to have an encrypted password safe always at hand more than makes up for the inconvenience of typing in my master password.
If it was really security conscious, it wouldn't have access to the plain text password.
shocking nonsense
https://www.unix-ag.uni-kl.de/~conrad/krypto/passphrase-faq.html
stop makeing us change the password so much and get rid of the repeating rules.
But otherwise all other things - and have a lockout policy after, say 5 bad attempts.
Which lets anyone who knows your username DOS you.
Everyone has a cell phone these days, and if you set it up, PayPal will text your phone with a secondary authentication code when you login with your password.
Even those who have a cell phone and a PayPal account don't necessarily have an unlimited SMS plan.
Blackberry password vault and itaks generator have transitioned all my passwords that matter to 16 character random letter upper num sym type passwords
Snowden and Manning are heroes.
That is because every single person wrote it on a sticky note somewhere, thereby greatly decreasing its security.
How so, if "somewhere" is inside one's wallet?
"Shadowfax".
You can thank Phillip Sutcliffe for telling us about it:
http://www.theonion.com/articles/the-threat-of-cyberterrorism,14671/ :)
putting the 'B' in LGBTQ+
The problem is that it isn't always at hand. It may die, or you may lose it or get robbed while on vacation, or you may forget it, or it may be in the laundry.
And, of course, to be of much use it must be quick and easy to use, which means these things are almost never behind a complex password.
Seriously, do you have a password like Pz3vHkr7#w for your password safe, or a short and simple word or number? Remember that no chain is stronger than the weakest link:
1. Steal someone's phone or laptop.
2. Hit 1234 to unlock it.
3. Find password safe
4. Hit 1234 to unlock it.
5. Profit!
You can still check a hashed password against a hashed dictionary.
If you lock your car, a skilled car thief can be inside in 15 seconds. Should you stop locking your car? No. Should everyone buy a high-security locking system? No. If somebody wants your car badly enough, they will get it. The lock just prevents casual theft.
Same with passwords. If somebody wants into your Citibank account badly enough, they'll find a way to get it, like just logging in as themselves and then changing the URL! Does that mean you shouldn't have a password? No. Should you use an ultra-complex combination of letters, numbers, and symbols? No.
I think password strength rules should be eliminated. It's not really about how strong the password is. If the system is built in a secure way (like locking you out after three bad attempts, etc.), any password will be good enough for most people.
Simple? Yes. Short? NO.
Please consider that not every character in a password needs to contribute a high level of entropy; As long as a few do (to increase the search space) the length of a password can contain relatively low entropic character streams.
0#f$%aEx
6.7e15 search space (cracked in 3.35e15 brute force attempts on average).
Sl@5h--------------------VortexCortex
1.51e73 (cracked in 75.5e72 brute force attempts on average).
(Sl@5h, twenty dashes, user name -- easy to remember -- not my real algo, make up your own)
A short string of upper and lower case, with symbols increases the search space required per character. However, each character thereafter, even if it repeats, increases the search space size by a factor of the search character set size...
The biggest problem with passwords is that they are not hashed, thus many sites place limitations on the characters and length. If any sites do: I write a scathing e-mail to the moronic IT staff and I refuse to use the insecure service (if I can, otherwise, for places like my previous bank, Wells Fargo, I just bitch about it every so often until my account gets hacked and I'm forced to choose a more secure service...).
Give an answer like "Vp !N 7#3 @1R u{mt WY widdle waddle".
No need to actually answer the question, and usually no real need to remember the answer you gave, because you never want to have to answer those security questions.
Write it down. Don't write what it connects to, but write it down. That's why you don't really answer the question.
Write it somewhere the people who might see it won't recognize it.
If you really need it to be safe, put it in a portable digital vault.
But write it down.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
so it isn't quite as obvious to guess, I make my answer to the security question a clue to what the literal answer would be, rather than putting in the literal answer itself.
For example, "what's your favorite number" might be answered as "Douglas Adams" rather than "42".
remembering what you used but forgetting how you phrased it sucks too.
I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics nonwithstanding.
Just choose one or two numbers of 2 or 3 digits, two completely unrelated words with some uppercase, or misspelled intentionally and a punctuation mark or two - 237heiNeKen&GoriLLA709+
Great. I'll go check at Google what odd-looking strings have been looked up in the last little bit.
No, I won't, either, but I think doing a web search for your password on someone else's search engine is a wise thing to do. Download one of the larger password dictionaries out their and search it off-line, if you must.
Of course, if that system is no longer running and neither you nor your cohorts ever re-use it, okay.
But what about the twenty passwords you have to remember now?
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
What I meant to say.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Citizens brings up additional verification questions when their online banking system doesn't recognize the computer you're logging in from (by IP, MAC or whatever, I'm not sure).
If it's a computer you intend to use again, you can have the system skip that step for that computer in the future.
Chase doesn't do this.
I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics nonwithstanding.
Exactly, so repeating patterns are OK as far as brute force is concerned.
The way I tell my users to create a password is to think of a four or five letter word, lets use "bill" and a number, say "4". Now the simple way to get a 10 character complex password is to use the word with the first letter capitalised, follows by the number, then the special character associated with that number followed by the word (again, capitalised), for example:
Bill4$Bil
All the user has to remember is Bill4, simple to remember, not based on a dictionary word (because as soon as a cracker has gone through the dictionary and common names they'll go through he dictionary and common names + $number) as long as its repeated at least once and it can be repeated as many times as you like and it's still only five characters to remember.
Although, with password lengths I think you start to get diminishing returns after a while, the more characters you have, the more likely you'll have a typo and the more frustrating for the user it becomes and then the user will just switch to a simpler password. Remember that most users dont have a password on their home machines simply because they cant be arsed.
Passwords should also be cycled if they are important. Length, complexity and password cycling are all useful and work together in creating robust security but they do so at the expense of user friendliness. If a security system is too unfriendly to it's users they simply wont use it, so we make trade offs to ensure that the system is used correctly.
So realistically, length, complexity, password cycling and user friendliness need to work together in creating robust security and work well in the right mix. However getting 3 IT security to agree on what that mix is like negotiating peace in the Middle East.
And now we have reached the end of anther long and exciting post about passwords.
Calling someone a "hater" only means you can not rationally rebut their argument.
I'm surprised the common public hasn't really gotten into password managers like lastpass or keepass yet.
For example, I use lastpass. I have it set up so it logs off every time I close my browser, and I can set a delay time on how long after I close my browser it logs off as well. I only really have to log in with my master password once, and then everything is great after that.
Seeing as lastpass will autofill every form or password field on every website, and can even generate completely random passwords, from all forms of characters and symbols at any length, it seems odd to me that most wouldn't like to use it. It's very point-and-click-y and doesn't really provoke much in the way of effort, sans setting it up once and letting it do it's thing.
Plus, you only have to remember one password. The master password. And if you tell me that you can't remember a single complex password, then I challenge you to try. It's really not that hard. With only one password to remember, it's hardly a big deal to strain yourself to remember it. Plus, if you do it properly, the rest of your passwords that are stored will be 64+ some characters in length (assuming there's no size limit) and will be 100% random. Since you never bother to look at the generated passwords, you never remember them, and never know them, which is probably the safest way to keep it.
In any case, I'm shocked that people still think they can get away with garbage passwords nowadays. I could probably break into the entirety of my parent's and sister's accounts just by guessing passwords that I think they'd use. My parent's especially on that list. Then again, here I am preaching to the choir (I hope) and it's likely they'll never change their ways and set up a decent password longer than 6 or 8 characters.
(Since this was a long post, here, have fun playing the how secure is my password game. Longest amount of years = biggest e-peen)
HowSecureIsMyPassword?
I wouldn't worry about password crackers, because the encrypted passwords are not supposed to be available to an attacker. In case they are available to him, he surely already has root. He can just trojan the authentication process at that point.
Trying passwords over the network is relatively slow, noticable to clueless admins because it fills the network connection, and likely to cause an account lockout. Just don't use shit like "password" or "1234" and you should be OK.
The big concern should be to minimize the number of places NOT on the system where your password can be associated with you. Sharing passwords across different systems means that even a /dev/random password can fail you. Picking a password related to your life is another fail.
Suppose I picked a dictionary word like "telephone". It's not related to me and it's not a popular password. Just how is an attacker to brute force that without causing an account lockout? Let's suppose he gets 3 tries every day. Really, it's not going to happen.
If my passwords for eBay and PayPal are too hard to type when I am durnk, I won't get cool random things delivered to my PO BOX!
This issue is a bit more complicated than you think.
tools -->> generate secure password -->> generate -->> save -->> autofill done and done.
https://www.accountkiller.com/removal-requested
A totally underrated (and largely ignored) issue with long passwords, is the user's typing accuracy. I'm typing reasonably accurate I guess, but at least every 20 keystrokes I will mistype one. So a 10-character password has already a reasonable chance for a mistype, a 20-character phrase will have a very high chance to mistype. That would mean I have to re-try typing that long password a few times before it is finally accepted. And having your password hidden while you type it in doesn't help of course.
The 7-9 character passwords that I use normally are hard enough in that respect. I often have to re-type because of a typo. And that are strings that I type often, so have muscle memory developed for them already. I dread the idea of having to use 20-character phrases for that. Too much risk of re-typing, and too much work in having to re-type it five times until you're finally exactly right.
Forcing people to enter passwords considered to be "secure" by a standard where it is infeasable to brute force by offline means becomes increasingly foolish with each passing year.
All a password should have to be able to withstand is some managable number of random guesses moderated by a sane password authentication system.
Password files "encrypted" with one way hashes are worthless. Anyone who treats them differently than a list of plaintext passwords is a certified moron.
Most authentication protocols stink. They are based on some draconian form of CHAP and thus subject to offline attack or simply send plaintexts over an unbound (SSL) channel which is no better.
In my view two things are needed to solve technology problems with password use:
1. Operationally we must all assume hashed passwords are no more secure than plaintext variants. This means abolishing all forms of /etc/shadow. If you wouldn't store a plaintext password in a file don't do it with the hashed version either. Protect your password file with an encryption key. Protect the encryption key with your life.
2. Use a modern password authentication system such as SRP.
My wallet currently contains about $700 in cash (which I admit is more than usual) and a number of plastic cards that can be used to buy even more expensive things with just a signature that nobody looks at.
You really think I'm going to keep my damn slashdot password more secure than those things?
Any site that really requires strong security (such as banks) should run a suite of standard password cracking programs (including ones using lists of passwords that have come out of large leaks, such as the Sony ones) over all their user passwords at regular intervals and notify users if their password is considered weak (i.e. found by the tools). Sure, it won't help with people that just don't care (if you use "password" as your password you are clearly under no delusion that it is secure) but I'm sure frequently people just don't realize that their password is terrible (or maybe just compromised in a leak).
learn to type.
my regular password is 16 characters and i rarely mistype it, even if just for muscle memory.
http://www.accountkiller.com/removal-requested
The topic of password complexity has been present on Slashdot almost every day lately. Everything that was possible to be said WAS said. You can do massive karma poach with copy & paste if that's your thing, but this is not why I come to Slashdot.
Feel free to mod me down, but can we stop this nonsense? Please?
I have full-sentence keyphrases on things like the truecrypt vault that holds my SSH keys. I mean 50+ character sentences.
Most of the time, I have it right on the first shot. Muscle memory helps a lot with things you type regularly, like some passwords.
What a depressingly stupid machine.
... allows potentially very long passwords, are easy to remember and you can always swap out vowels for digits or symbols. If the site doesn't permit spaces then swap them out for asterisks/underlines/a different character/omit the space
http://www.baekdal.com/tips/password-security-usability?
Apparently
"It is 10 times more secure to use "this is fun" as your password, than "J4fS
At least not if the password is generated according to a system... if it's just randomly generated, I think it's okay to divulge it.
Specifying use of non-alphabetic characters is a stupid, stupid, stupid mistake. It makes passwords harder to remember, harder to type, and creates a completely false sense of security.
I agree. To put it in even simpler terms, if your password is "heatsink", randomising the case:
only adds 8 bits of complexity. You get more complexity if you just add two lower-case characters:
The same goes for mixing in numbers - it only adds a little complexity.
And yet, many, many systems complain if you choose a complex password like
TFA complains about simple passwords (containing no non-alphanumeric characters). Over the years I found that every single little stupid corner of the internet decided they had a better idea what should be in a password than everyone else. Each of them excludes a random subset of non-alphanumeric characters from being valid. Another subset of stupid little corners of the internet can't code their way out of a paper bag, and can't properly escape non-alphanumeric characters, especially ['"\%&=] which need to be escaped in certain contexts or are contained in urls. Yet another subset of stupid corners of the internet place arbitrary length restrictions on your password (here on slashdot: 20 characters). Working on wiki software for a while, I watched as time and time again, contributors couldn't understand the basics of properly escaping strings, so they invented stupid crazy regexes that always failed. Then they would pile on more hacks to catch corner cases. On web forms it usually takes the form of some javascript that "checks" the password, and other javascript that has to encode it into a URL or POST request.
So I gave up. As you argue, increasing the length increases the complexity exponentially fast, while increasing the character set increases the complexity only logarithmically fast. So it's better to use a long alphanumeric password than to discover that you can't log in, because the password form can't encode what you typed properly. These days I find it's extremely rare to run across a site or application that requires a non-alphanumeric character to be present.
1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
This sort of thing is often ignored by people wanting to analyse passwords
Some people don't care about the account being secure. Its not important. Sure, I want a secure password on my bank account, my email account, but for a whole bunch of forums I've posted on once, I just use a standard simple password. You can hack it. Pretend to be me. Get banned. It doesn't matter to me.
Complicated passwords are by their nature insecure, without photographic memory, the hundred and fifty passwords I have would be unmanageable without password weakness and repetition. I'd have to write them down if every one was strong and different, and that in itself is the biggest password weakness...
So why can't I paste my public GPG key into a form when I sign up to some web site? Or even just the keyID, if the key itself is on a public key server? Authentication would simply send challenge to be decrypted with private key...
Would also have the advantage in case of compromise, I could invalidate every login I have by issuing a revocation certificate (and presumably a new key signed with old key).
This is why I prefer to use English sentences as passphrases - if you're a decent typist you can type those perfectly accurately, however long, and the extra length more than makes up for using a smaller range of characters. (And I don't even get to use muscle memory, since I'm frequently typing them in on an unusual (to me) keyboard layout).
I am trolling
You're "Sl@5h------VortexCortex" example however can be attacked by brute-force attacks trying every one, two or three words combination and their 3133t spelling variation, where any word is separated by [0...20] times the same character repeated.
This shall crack "d0t;;;;;;;;;;LemonYellow" too.
Sure, it takes a lot time *BUT* the keyspace for such an attack is 1.51e73 only in your wildest dream.
You're giving a very dangerous advice here: you say one can write trivial stuff like "123456789" or "---------" and think it brings a huge boost in keyspace. It does bring an increase in keyspace, but not by any stretch of imagination the boost you think it does.
I mean: three (eleet spelled or not) words + a unique character repeated 'x' times? Seriously? That's about 1e15 or something, while *also* brute-forcing all the normal passwords.
>>> As you argue, increasing the length increases the complexity exponentially fast, while increasing the character set increases the complexity only logarithmically fast.
Are you really sure?
def POST(self, response): ...
password = self.getargument('password')[:20] # what's the size of the password field in the database?
In a few months, they do this:
def POST(self, response): ...
password = self.getargument('password')[:32] # I checked, and MD5 hexdigest is 32 characters!
And your password won't work, because it isn't being truncated anymore.
I tend to type passwords much more carefully than anything else. Rather than relying on my blind typing, I revert to hunt and peck, to make sure there are no mistakes since there is no feedback.
1) Ask users to think of two simple passwords. Then tell them to use them both in this form:
1)simplepass2)simplepass
a)simplepassb)simplepass ie. have them insert the 1) 2) or a) b) before each password. they will eventually mutate to c) d) and other variations out of habit if you force mandatory new passwords on them.
2) Ask users to think of a word password, a number password, and a surrounding character. Then tell them to use them in this form:
surroundingChar cNcNcNcNc surroundingChar ie. ***m1y2p3a4s5s*** most users start adding the surrounding character between the simple passwords then start using different characters on each mandatory password update. this works best for users that insist on amy123. **a1m2y3** is better than nothing.
3) Ask the user to describe the log in. You get a lot of "this is rediculus" and "i'll never remember this annoying shit" for passwords but eventually they come around
Having to work for a living is the root of all evil.
My password is just as long, and like you, I rarely ever get it wrong.... More to the point though.. I have no idea what my actual password is, if you ask me to write it down, I am liable to get it wrong most of the time, but I can certainly type it out without any issues.
My password scheme..
I use 4 random words, separated by spaces and punctuation, 1 of those words will have something to do with the the application or site I am connecting to. Every few months, I will change the password, using those same 4 words, changing the order, and the location of the punctuation. Throughout the password I will also randomly replace letters with their related number or special character symbols.
I have yet to forget my password (except on sites where I will log in once every 4 or 5 months, the Startek website being one of those (the user and parts site for my car), where I do a password reset and pick a new password.
I came, I conquered, I coredumped
I often use passwords that are us one of 2 non-english languages that i speak well. The words and phrases in that when written in English are typically unique to me as there is no right way to spell hindi words in English and then i add sprinkling of local context from my childhood. So Hindi for teacher is adhyapika/adhyaapica/adhyapeeka and now change few of those letters with numbers/special characters using one of the many possible choices... replace english letters with corresponding numbers or actually change the corresponding letters with numbers from hindi alphabet set (like aa could be 11 or 2).
My sense is that using non-english languages brings in a complexity that is highly resistant to attacks but I am not sure. In theory someone could have compiled a password dictionary with these combinations as well.
No idea if he's actually the one that came up with this idea (and I generally don't like his writing), but I am surprised no one has mentioned the approach that Farhad Manjoo outlines in this Slate article. Basically, you come up with a phrase about each website/system and then type the acronym for that phrase. For example, for Bank of America, "I can't believe that quote from the head of the subprime mortgage division" becomes Icbt"fthotsmd.
It doesn't generate the most secure passwords possible (it's hard to come up with phrases that use symbols or multiple capitalized words), but its a pretty good way to create (and remember!) a unique password for each system.
As an aside, I am still flabbergasted that Citibank's student loan system will not let you have a password longer than eight characters. It occurs to me every time I login.
There's pwgen that generate memorable random passwords. Generate a screenful and usually something pretty simple to remember will pop out at you.
What is the point of a password at a home machine anyway? If you must keep people from accessing it while you are around, you are doing something wrong.
Rethinking email
They only need to do that because they force users to choose bad passwords. If they asked for a nice (even if just 8 chars long) alphanumeric password, they'd just need to insert a small waiting time between tries.
Rethinking email
Don't waste time creating long passwords (e.g. 20 characters long) for online services. Just make sure you don't use the same password for everything, and don't use stupid passwords. Easy to guess = stupid. Brute forceable in 100 billion tries = not stupid.
;) ).
Why? From what I see - the attackers are way more likely to crack the sites via other ways (SQL injection, social engineering) than crack my passwords. Just look at the plentiful evidence.
If the hackers try to make say 100 billion tries in 1 day they're more likely to DoS the service first, someone/something will notice the 1 million hits per second.
So it's stupid to waste your life typing in >20 character passwords only to find the hackers pwned the site via other means (or via the CTO's easily guessed password
Yes once they pwn the site they can download and brute force the passwords. But if that password isn't the same for anything that you really care about, it doesn't matter, a successful bruteforce only gets them what they already have.
Long passphrases can make sense for stuff that you have near complete control over, e.g. PGP/GPG signing, disk crypto. Or you are confident that the weakest link will still be comparable to the strength of a long passphrase.
BTW, changing passwords regularly is also overrated for similar reasons.
It makes it faster to crack. English passwords have letters that usually follow on from eachother.
A good password cracker would try English word combinations before rando letters.
Say you start on A your cracker might try a N next rather than a Z because that's more likely.
Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
Only if you doesn't salt it.
Anyway, the GP doesn't have a point. Every aplication has access to the plain text password. If not where would the hash come from?
Rethinking email
I ran across a rather good password generator a few years ago, called "XYZZY", after the old text game. I like it, because it creates passwords that are pronounceable, but very random, and not in any dictionary. Throw in upper and lower-case characters, and you've got some pretty strong passwords.
You can download it on various places on the net, but it's tiny, very simple, and very good. From the README.TXT...
Here's a selection? Just 8 characters, with numbers thrown in...
toconi69
toropid8
udimpha3
ounpla44
ctyleg69
Try pronouncing them! It usually works, although that last one might be troublesome if you try to add an "i"? But it's a mnemonic device that really helps you remember a strong password without writing it down.
[End Of Line]
If that is the weakest link, you have a pretty strong chain there. Compare with:
Or the more complex:
If the attacker needs to get to you in order to break the chain, it is alwead as strong as it can be.
Rethinking email
The problem is that it isn't always at hand. It may die, or you may lose it or get robbed while on vacation, or you may forget it, or it may be in the laundry
The point of a mobile phone is that it's always at hand -- barring misfortune, of course. The encrypted password safe on my phone is a copy of the database on my computer. There are a variety of ways to sync those files -- the most straightforward of which is simply to connect a phone to a computer via USB, and copy the file.
And, of course, to be of much use it must be quick and easy to use, which means these things are almost never behind a complex password.
Seriously, do you have a password like Pz3vHkr7#w for your password safe, or a short and simple word or number? Remember that no chain is stronger than the weakest link:
My master password is actually longer than that example, and I've got an additional password to lock the phone. It takes me perhaps two seconds to type the two passwords and access my password safe. I believe people seriously underestimate their ability to memorize and use randomly generated passwords.
One thing Troy Hunt's article pointed out was that less than 1% of the passwords in the database were randomly generated. That is far, far too low, and I think people are overestimating the security risks of recording passwords and underestimating the security risks of using weak passwords. Your dozen co-workers may be able to see the sticky on your monitor, but the other six billion people in the world can't see it; you can cut that dozen down by quite a bit if you just put the sticky in a desk drawer.
Also, "no chain is stronger than the weakest link" doesn't apply when you're using the strategy of defense-in-depth.
And then there's code like PHPbb, where it will let you create an admin password with an @ in it during site setup, but then just mysteriously strips the @ out of the actual password when the site is set up. I rebuilt a site three times before (for some crazy reason, can't recall how I thought of it) deciding to type the password and leave out the special character, and finally getting in.
The Quirkz Handbook of Self-Improvement for People Who Are Already Pretty Okay
true but when you have 10-15+ words in a row and the cracker knows nothing about them it doesn't matter.
if the cracker knows the scheme by which the password was created then it makes it a lot easier to narrow the search space - but unless it's an inside job or social engineering or something far more elaborate - for long passwords the effective search space is equal to the brute force key space.
'...if only "Jumping to a Conclusion" was an event in the Olympics.'
Research has shown that between complicated 8 character passwords and basic 16 characters, it takes far fewer tries to generate 16 character passwords, and fewer typos and passwords forgotten, while having the same estimated entropy. It makes a bit of sense; many of the special characters are harder to type. I suspect with mobile, the effect is even more pronounced.
I Browse at +4 Flamebait
Open Source Sysadmin
Any password can be hacked in a single attempt by simply using the correct password first...
Does your proposed algorithm for bruteforcing this password fail entirely if there's less than 3 dictionary-words included? More than 3? Does it fail entirely if the spam-character is included 21 times?
Obviously, if you have a pretty damn good idea what you're looking for, you can optimize towards it.
For the accounts that matter I use http://passwordsafe.sourceforge.net/, what do you think of that program? I use it to then generate my passwords for me and just copy/paste into the browser when needed. Using this I don't know most of my passwords and need just one to unlock the safe.
This article suggests using short phrases instead of cryptic passwords.
What is the point of a password at a home machine anyway? If you must keep people from accessing it while you are around, you are doing something wrong.
or you have both porn and kids.
That said, I expect that by the time my (theoretical) kids are teenagers, they should be able to crack into anything on the home network, and if they can't, I haven't raised them right!
If that is the weakest link, you have a pretty strong chain there. Compare with:
Access website
Type 1234 to have access
That gives you access to one account. Gaining access to the password vault app gives you access to all accounts.
(But so does reaping the average person's .mozilla folder too - it's astonishing that Firefox' password safe is at most behind a password, and can't use TPM, store itself on a USB key, or any other reasonable measures.)
The main issue with that type of method is that you don't know if the site you're connecting to stores the password in plain text or not - and there are a lot more out there than you might think. ...
If it does, then you've just potentially revealed *every* password, for every account you own, on every site - because the pattern is so easy to spot and understand.
As soon as that site gets cracked (which, if they're stupid enough to store plain text passwords, is going to be highly likely) - you're in deep trouble.
Or maybe the owners of the site aren't averse to taking a peek into the password list and checking out the email account you signed up with
Patterns are great for remembering - but you'd still need to have several, so that you can use different methods of generating passwords for different sets of sites. That way you can keep accounts partitioned and reduce the damage when one of your patterns gets outed.
Any good piece of security software checks your password for guessability when you set it. The word "July" would be rejected, even if it's inadvertently embedded in ASCII gibberish.
It's free and the only solution I need to have secure access to all my passwords everywhere I go. I still keep my banking and email passwords memorized but I'm happy to let SuperGenPass handle everything else. Check it out: http://supergenpass.com/faq/
Less *is* more.
Sure. But even taking that into account I suspect that for equal-entropy passwords, an English sentence is going to be easier to remember. (In fact if I remember correctly English averages about 3 bits per character, so it's only going to be about twice the length of a symbolful password.
I am trolling
What is the point of a password at a home machine anyway? If you must keep people from accessing it while you are around, you are doing something wrong.
To stop the simplest of drive by attacks.
The simplest of cracks is just uses this:
U: Administrator
P:
An admin account with no password is giving root access to anyone who just happens to walk by, physically and metaphorically. For a home machine even a simple password like "bob" will stop a lot of drive by attacks.
Calling someone a "hater" only means you can not rationally rebut their argument.
... money. The last time I checked if someone steals a dollar from my wallet, I'll never get it back. I might get a different one the next day, with a completely different serial number, but the dollar is gone. The fact that you think real security should be reserved for certain things shows your complete lack of understanding of security.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
That should be only literally... If people are able to metaphorically pass by your home computer and authenticate by password you have a problem.
Rethinking email
That should be only literally... If people are able to metaphorically pass by your home computer and authenticate by password you have a problem.
I meant metaphorically as in a drive by attack (which would certainly be looking for a password-less account to get in with). A lot of Viruses and Trojans get stopped by the mere presence of a password.
I agree that if you dont have a password, it's a problem but I think you took the word metaphorically a little to literally.
Calling someone a "hater" only means you can not rationally rebut their argument.
I use made-up words, bastardized out of transliterated Persian and Greek words related to what I am doing,. Fun to create, easy to remember.
To pick the July out of July_2011 it needs access to the plaintext. A hashed dictionary won't do it.