Slashdot Mirror
The Science of Password Selection
troyhunt writes "We all know by now that most people do a pretty poor job of choosing passwords, but what's behind the selection process? What's the inspiration for choosing those short, simple passwords that so often adhere to such predictable patterns? It turns out there's a handful of classic routes that people follow to consistently arrive at the same poor choices – and some of them are pretty shocking."
To be fair, I doubt the average person is aware that a password can include symbols unless they are specifically advised that they are allowable. I know I've been scolded by many computers, web sites, and electronic systems for using symbols in the past so its no wonder that they are rarely used.
You know what's worse? Security questions! Especially when you can't type your own.
Favorite Color? Too easy - people aren't going to say FF1A16. Most will say black, red, green, blue, white, or a handful of other labels.
With all these favorite questions, I either don't have one. I really lack strong favorites in all areas. And the next time it asks me that, it will have likely changed.
OR, it's information that's know to my entire household. Even if they don't do anything nefarious, I'm sure someone can wrangle out of my mother what street I lived on as a kid in a casual conversation.
I hate SQs with a passion. Whoever thinks this is security is nuts.
(Srry, posted as anon before, dang sign-in isn't as convenient as it used to be.)
I've become a recent convert to the idea of using a password card or
password chart to remember my passwords for me. There's not nearly as much to remember, as you use a code to look up the password on a printed card. But if you lose the card, anybody finding it will only see a random sequence of letters and numbers.
Your design to a real part online: Big Blue Saw
I changed my passwords according to Steve Gibson's new paradigm of password haystacking. The basic idea is that you start with a short, non-dictionary but still memorable base and then increase the length with padding that is memorable to you. The concept is based on the fact that length trumps entropy when defending against a brute force attack, and that simple length is just as effective as complex length as long as the entire password doesn't appear in a dictionary. He made a page dedicated to the concept, it's worth taking a look at.
https://www.grc.com/haystack.htm
If you build it, nerds will come. Soylentnews.org
Simple? Yes. Short? NO.
Please consider that not every character in a password needs to contribute a high level of entropy; As long as a few do (to increase the search space) the length of a password can contain relatively low entropic character streams.
0#f$%aEx
6.7e15 search space (cracked in 3.35e15 brute force attempts on average).
Sl@5h--------------------VortexCortex
1.51e73 (cracked in 75.5e72 brute force attempts on average).
(Sl@5h, twenty dashes, user name -- easy to remember -- not my real algo, make up your own)
A short string of upper and lower case, with symbols increases the search space required per character. However, each character thereafter, even if it repeats, increases the search space size by a factor of the search character set size...
The biggest problem with passwords is that they are not hashed, thus many sites place limitations on the characters and length. If any sites do: I write a scathing e-mail to the moronic IT staff and I refuse to use the insecure service (if I can, otherwise, for places like my previous bank, Wells Fargo, I just bitch about it every so often until my account gets hacked and I'm forced to choose a more secure service...).