Slashdot Mirror
The Science of Password Selection
troyhunt writes "We all know by now that most people do a pretty poor job of choosing passwords, but what's behind the selection process? What's the inspiration for choosing those short, simple passwords that so often adhere to such predictable patterns? It turns out there's a handful of classic routes that people follow to consistently arrive at the same poor choices – and some of them are pretty shocking."
To be fair, I doubt the average person is aware that a password can include symbols unless they are specifically advised that they are allowable. I know I've been scolded by many computers, web sites, and electronic systems for using symbols in the past so its no wonder that they are rarely used.
You know what's worse? Security questions! Especially when you can't type your own.
Favorite Color? Too easy - people aren't going to say FF1A16. Most will say black, red, green, blue, white, or a handful of other labels.
With all these favorite questions, I either don't have one. I really lack strong favorites in all areas. And the next time it asks me that, it will have likely changed.
OR, it's information that's know to my entire household. Even if they don't do anything nefarious, I'm sure someone can wrangle out of my mother what street I lived on as a kid in a casual conversation.
I hate SQs with a passion. Whoever thinks this is security is nuts.
(Srry, posted as anon before, dang sign-in isn't as convenient as it used to be.)
The problem with passwords is that if they are too complex..
Partly. There are also too damned many of them. Every pissant site seems to require a login/passwd, it's best to keep them all distinct, and the difficulty of remembering all these passwords is in a continuum with their complexity.
I've become a recent convert to the idea of using a password card or
password chart to remember my passwords for me. There's not nearly as much to remember, as you use a code to look up the password on a printed card. But if you lose the card, anybody finding it will only see a random sequence of letters and numbers.
Your design to a real part online: Big Blue Saw
A function that returns a string of 12 random ASCII characters including upper and lowercase alphas, numerics and symbols will score 100% on a password strength test like http://www.passwordmeter.com/ but I find that a password like that will be hard to type, much less to remember.
Another way is to return two random words from a list of less-used English words, separated by two or three random numerics. That won't score as high but it will be plenty secure against dictionary attacks and will be easier to remember.
I changed my passwords according to Steve Gibson's new paradigm of password haystacking. The basic idea is that you start with a short, non-dictionary but still memorable base and then increase the length with padding that is memorable to you. The concept is based on the fact that length trumps entropy when defending against a brute force attack, and that simple length is just as effective as complex length as long as the entire password doesn't appear in a dictionary. He made a page dedicated to the concept, it's worth taking a look at.
https://www.grc.com/haystack.htm
If you build it, nerds will come. Soylentnews.org
You know what's worse? Security questions! Especially when you can't type your own.
They can ask for your favorite color but you don't have to answer that particular question. If you are a fan of pass phrases you can enter some sort of phrase indicating the color. For example if your favorite color is red you could enter "The BBC first aired Red Dwarf in 1988". For extra security use the wrong year. :-)
I hate SQs with a passion. Whoever thinks this is security is nuts.
Simply put, security questions reduce your account's security to the strength of the security questions. Mostly, they're weaker than average passwords. Lord help you if you've got a Facebook profile. Mother's maiden name. Hell, that's public information today.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Simple? Yes. Short? NO.
Please consider that not every character in a password needs to contribute a high level of entropy; As long as a few do (to increase the search space) the length of a password can contain relatively low entropic character streams.
0#f$%aEx
6.7e15 search space (cracked in 3.35e15 brute force attempts on average).
Sl@5h--------------------VortexCortex
1.51e73 (cracked in 75.5e72 brute force attempts on average).
(Sl@5h, twenty dashes, user name -- easy to remember -- not my real algo, make up your own)
A short string of upper and lower case, with symbols increases the search space required per character. However, each character thereafter, even if it repeats, increases the search space size by a factor of the search character set size...
The biggest problem with passwords is that they are not hashed, thus many sites place limitations on the characters and length. If any sites do: I write a scathing e-mail to the moronic IT staff and I refuse to use the insecure service (if I can, otherwise, for places like my previous bank, Wells Fargo, I just bitch about it every so often until my account gets hacked and I'm forced to choose a more secure service...).
Exactly, so repeating patterns are OK as far as brute force is concerned.
The way I tell my users to create a password is to think of a four or five letter word, lets use "bill" and a number, say "4". Now the simple way to get a 10 character complex password is to use the word with the first letter capitalised, follows by the number, then the special character associated with that number followed by the word (again, capitalised), for example:
Bill4$Bil
All the user has to remember is Bill4, simple to remember, not based on a dictionary word (because as soon as a cracker has gone through the dictionary and common names they'll go through he dictionary and common names + $number) as long as its repeated at least once and it can be repeated as many times as you like and it's still only five characters to remember.
Although, with password lengths I think you start to get diminishing returns after a while, the more characters you have, the more likely you'll have a typo and the more frustrating for the user it becomes and then the user will just switch to a simpler password. Remember that most users dont have a password on their home machines simply because they cant be arsed.
Passwords should also be cycled if they are important. Length, complexity and password cycling are all useful and work together in creating robust security but they do so at the expense of user friendliness. If a security system is too unfriendly to it's users they simply wont use it, so we make trade offs to ensure that the system is used correctly.
So realistically, length, complexity, password cycling and user friendliness need to work together in creating robust security and work well in the right mix. However getting 3 IT security to agree on what that mix is like negotiating peace in the Middle East.
And now we have reached the end of anther long and exciting post about passwords.
Calling someone a "hater" only means you can not rationally rebut their argument.
A totally underrated (and largely ignored) issue with long passwords, is the user's typing accuracy. I'm typing reasonably accurate I guess, but at least every 20 keystrokes I will mistype one. So a 10-character password has already a reasonable chance for a mistype, a 20-character phrase will have a very high chance to mistype. That would mean I have to re-try typing that long password a few times before it is finally accepted. And having your password hidden while you type it in doesn't help of course.
The 7-9 character passwords that I use normally are hard enough in that respect. I often have to re-type because of a typo. And that are strings that I type often, so have muscle memory developed for them already. I dread the idea of having to use 20-character phrases for that. Too much risk of re-typing, and too much work in having to re-type it five times until you're finally exactly right.
learn to type.
my regular password is 16 characters and i rarely mistype it, even if just for muscle memory.
http://www.accountkiller.com/removal-requested
If you want to secure something like a bank account, you don't use a security measure like a password in the first place. Passwords are strictly for low security applications where you openly know that others are going to be getting into the data that you have stored behind that password.
For something that you really want to protect from prying eyes, you use something like an SHA-512 encryption hash with a public/private pair or something else along that line. I declare it is the whole notion that a password actually does more than provides a simple roadblock for pure idiots and to "keep the honest people honest" is a mistaken notion.
I should also note that the number of possible physical keys to most locks is shockingly low. I had a locksmith point out that for most cash registers in grocery stores (at least for a great many years) used only one of five basic keys. I even had all five of them in my possession at one time. Yes, they worked too! Again, it is to keep people from pushing the buttons when they really shouldn't be there. Even now, most cash registers are "protected" with nothing more than a 4-digit key that can be hacked through social engineering alone... if they use something other than the register keys. Some stores are getting fancy with barcodes that need to be scanned indicating some supervisor ID, but even that is not a complicated string of numbers.
Then again, most bank data is "protected" by such amazing "identity" information like a social security number and your mother's maiden name. It doesn't matter how complicated you make your passwords or encryption key, the information can be "hacked" with other very simple social engineering if you really want to get into somebody else's information. Of course, I find the whole notion of "identity theft" to usually be something absurd like this as those confirming identity are using information that really can't establish identity in the first place. Biometrics really are the only true way to establish identity, ranging from a handwritten signature to a finger print, a blood test, a DNA sample, and perhaps something like a retinal scan (something even twins have different). Identity establishment is intimately tied to passwords, as the point of a password is to prove that you are authorized to use a particular resource of some kind.