Multiword Passwords Secure Or Not?
Gaygirlie writes "An article over at Gizmag says: 'It's a meme that's been doing the rounds on the internet in recent years: multi-word pass-phrases are as secure as long strings of gibberish but with the added benefit of being easy to remember. But research from Cambridge University suggests that this may not be the case. Pass-phrases comprised of dictionary words may not be as vulnerable as individual passwords, but they may still succumb to dictionary attacks, the research finds.' I find this to be a twisting of words and general consensus; of course any password whatsoever is going to be insecure against offline attack, and using common, popular words is going to make guessing the password much easier. But is this really an issue in a world where most attacks are done online? Should the general populace still be coaxed into using randomly generated passwords?"
http://xkcd.com/936/
NoShitSherlock
If you use dictionary words, you'll be vulnerable to a dictionary attack. SHOCKER.
I find that passwords like "Linuxrox4ever" are very secure. Haven't had a problem with that one yet.
lol omg. it worked.
The article implies they only used dictionary attacks and complete pass phrases.
Compare that with the phrase "L!ondonbridgeisfa%llingdowNDOWN"
When you add the potential of single or spread out capitalisations and that any word can be split up by any sign, dictionary attacks start to struggle.
Getting Joe Public to use something other than "password" is hard, but it's easier to persuade Joe to use a phrase like "HomerLovesDonuts" than some random string of letters - we all know the random string will just get written down.
How many attempts are these supposed sites allowing? If someone has a one in a million chance to determine my password how much of a threat is that to me if the site that requires the password only allows a few attempts before it locks the account?
I work on a system with ten-character passwords, not case sensitive but numbers can be used, yet I don't worry about someone cracking the system. It's not like they are going to have unrestricted access to try, and multiple failures lock accounts.
I do like multiple word passwords as it tends to not lead to people using little yellow stickies near their desk to record their passwords or keep them as reminders in their email.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Is Vogon poetry available in common attack-dictionaries?
bickerdyke
General populace is getting sick of this shit.
Seriously, I have multiple 10 to 30 character passwords, completely randomly generated, with upper, lower, numbers and symbols. I just practice typing them in a few times a day for a week or two, and then I find I can remember them for years. The upper end of that range is good enough that I can use the password directly for encryption purposes, i.e., that's enough bits without strengthening to be just as secure as the underlying encryption keys.
I mean, who hasn't had to memorize a poem or something for English class back in high school? It's really not that different, you just have to have the mindset that you can do it, and then practice.
The passphrase system they studied wouldn't allow duplicate passphrases. So if you picked one that was already in use, it would tell you so.
The problem isn't that the passphrase is insecure, the problem is that the system itself is giving you information about what's inside it. Doesn't it seem obvious that any security system that relies on secret data that gives up information about the secret data is insecure?
Then they did an analysis on passphrases that use English words with the same frequency as in standard English. So the word 'betwixt' was probably pretty low down on the list, and 'material' was probably higher. That also seems unreasonable. Just because you want a memorable password/passphrase, it doesn't mean that you have to use small, ultra-common words.
This study has little merit in declaring that passphrases are insecure. (It does have merit in letting us know that obvious security problems are, in fact, obvious security problems.)
I use and love LastPass. It has a really great password generator that I use for all sites. I always use the maximum number of characters and the largest character set (letters, numbers, symbols) the site will let me.
My actual LastPass password (the single point of failure) is 32 characters long. It is a phrase in "leet" speak with symbols padding the start, middle, and end.
I feel pretty safe with this.
Just my 2c
K Man
"Pass-phrases comprised of dictionary words may not be as vulnerable as individual passwords, but they may still succumb to dictionary attacks, the research finds."
Pass phrase containing dictionary words is susceptible to dictionary attack. In other news, the sky is still blue. Water still wet.
As mentioned, a lot of stock is put into secure passwords, when the reality of computer usage makes all the effort meaningless.
Let's look at a normal user, Joe. Joe has many corporate logins at his job. His company has a password strength policy, so Joe has ended up with this password: Jason5 (Jason is his youngest son). The last password was Jason4, then Jason3, etc. Some systems require more powerful passwords, so he uses _Jason$5. I have met dozens of Joes IRL.
Let's look at Lucy. Lucy knows that a good password only has to be easy to remember and hard to brute force. "Simple Man" is one of her favorite songs. Especially these lyrics:
"Boy, don't you worry you'll find yourself
Follow your heart and nothing else
And you can do this, oh baby, if you try
All that I want for you my son is to be satisfied"
She selects this password: allthatiwantforyoumysonistobesatisfied
She'll never forget it, and it won't be cracked by ANYONE. Governments who want her password could crack it, but they would probably just put her in jail until she gave it up.
Then, Lucy reads the article linked above and starts to doubt the security of her password. She is wrong, her password is WAY better than Joe's.
Both accounts end up getting compromised. The company had been storing passwords in plain text and was hacked via a 2-year-old SQL injection vuln. So much for all that bullcrap.
-d
"Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
12 random characters from a 60 character set = 60^12 = 2.17e21
4 random words from a 200 000 word dictionary = 200000^4 = 1.6e25
Even if you have a very small set of words (about 1,000) to choose from, with four words you reach about 40 bits entropy. No chance to crack this brute force.
If you take only two words, you would have about 20 bits of entropy which is about as good/bad as cryptic password.
The system is broken if people can't use it. People aren't broken because they can't use the system right.
If your method of controlling access is nice and easy for computers but hard for people, it's broken and you need to find a new method.
Business/App ideas are like arseholes: everyone's got one, they're mostly shit, but very rarely they contain a diamond
The password that I use is "onetwothreefourfive". Is that secure enough?
They assume they get ideal circumstances, ie as many attempts as they want. As such their research is basically fucking worthless. The only time such a situation applies is if you have, say, encrypted data and an adversary has gotten that data. They can then try to decrypt it until the end of time and you can't change the password.
That doesn't do shit for remote login. No system is so accommodating to let you just try and try. Even if they don't do permanent lockouts, they'll lock you out for awhile. Like our domain, you get 5 attempts and then it locks the account for 30 minutes. So you can get a whopping 240 attempts per day (presuming we don't notice and shut it down). Gonna take a LONG time to cover the password spaces they are talking about, LONG time.
This also assumes that you know that someone is using a multi-word phrase, and that you know they aren't playing games with number substitution, caps, and so on. This is useful maybe in an intelligence agency type situation, where you can survey your target and you can learn about the kind of password they use, even if you can't find out the password itself, and restrict the search space. However in terms of randomly hacking things remotely, nope, not useful. There are too many possibilities for what the person could use and a multi-word phrase is only one of them. You could try every single one of up to 10 words, only to then discover your target doesn't use that, and has a simple password like password123 that wasn't in your search space.
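The entropy arithmetic in the earlier comment (60^12 versus 200000^4, four words from a 1,000-word list) and the lockout budget in this reply (5 attempts, then a 30-minute lock) can be put into one small calculator. This is an added example, not code from any commenter; the functions and names are my own, and the bit counts assume every character or word is chosen uniformly at random.

```python
import math

# Entropy model for the password schemes debated in this thread.
# All figures assume *uniformly random* choices; a human-picked phrase
# or password has strictly less entropy than these numbers.

def bits_random_chars(alphabet_size: int, length: int) -> float:
    """Entropy of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)

def bits_random_words(dictionary_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly from a `dictionary_size`-word list."""
    return words * math.log2(dictionary_size)

def guesses_per_day_under_lockout(attempts_before_lock: int, lockout_minutes: int) -> int:
    """Online guess budget for one account when each lockout lasts `lockout_minutes`.
    Assumes the attacker simply waits out every lockout (no IP spreading, no
    detection), i.e. the best case for the attacker under this policy."""
    cycles_per_day = (24 * 60) // lockout_minutes
    return cycles_per_day * attempts_before_lock

def expected_days_online(bits: float, guesses_per_day: int) -> float:
    """Expected days to hit a uniformly random secret of `bits` bits: on average
    half of the space has to be searched before the right value comes up."""
    return (2 ** bits / 2) / guesses_per_day

def compare(schemes, guesses_per_day: int):
    """Return (name, bits, expected_days) rows for a list of (name, bits) schemes."""
    return [(name, round(bits, 1), expected_days_online(bits, guesses_per_day))
            for name, bits in schemes]

if __name__ == "__main__":
    budget = guesses_per_day_under_lockout(5, 30)   # the "240 attempts per day" policy
    schemes = [
        ("12 chars from a 60-symbol set",        bits_random_chars(60, 12)),
        ("4 words from a 200,000-word dictionary", bits_random_words(200000, 4)),
        ("4 words from a 1,000-word dictionary",  bits_random_words(1000, 4)),
        ("2 words from a 1,000-word dictionary",  bits_random_words(1000, 2)),
        ("5 words from a 10,000-word vocabulary", bits_random_words(10000, 5)),
    ]
    for name, bits, days in compare(schemes, budget):
        print(f"{name:42s} {bits:6.1f} bits  ~{days:.3g} days at {budget} guesses/day")
```

Swap the per-day budget for an offline rate (guesses per second times 86,400) to see why the same two-word phrase that survives a lockout policy for years falls in seconds against a stolen hash table.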
Get 'em from /dev/urandom (or random if you feel like waiting).
I'm not a lawyer, but I play one on the Internet. Blog
Fuck it I say. I just always use letmein for all my passwords. Easy to remember and so easy to hack into nobody's going to waste time thinking there's anything valuable protected by it.
I call it security through insecurity.
Based on my read of the article, I conclude it as saying that pass phrases really are good, just not a panacea. We already knew that people pick stupid passwords. It turns out that people pick stupid passphrases too. That's too bad, but it is really unsurprising.
One thing I can say from personal experience: smart people still pick stupid passwords. I think most people just aren't paranoid about it, and don't care until something bad happens to them as a result. This might be something that parents need to teach their children: Don't talk to strangers, brush your teeth everyday, and don't pick obvious passwords. Maybe once a generation is imbued with this as obvious then the problem will diminish.
Instead of words, I think shapes. Pick a starting point, say &, then form a shape on the keyboard (say a 4x4 square), returning to the original key. Lots of shapes, sizes, patterns that are not vulnerable to dictionary attacks, but easy to remember.
If you have a decent vocabulary, you can choose between about 10000 words. So, even against a dictionary attack, a password of 4 words is 53 bits strong, a password of 5 words is 66 bits strong (strong enough for everyday use), and a password of 6 words is 79 bits strong (uncrackable today).
The good thing about the English language is that it's got over a million words. Use a few uncommon ones:
> We're 12 widdiful pronks -- and 21 scopperloit nihilarians!
"but they may still succumb to dictionary attacks, "
If your system can do a dictionary attack on my 5 word phrase in three attempts, you deserve access to my accounts.
Do not look at laser with remaining good eye.
I have started using regex's as the basis for my passwords. Love to see some one crack ^[A-Z0-9]+\([a-z!]+\)$
The trouble is that now I have regex's ..
I am Slashdot. Are you Slashdot as well?
Not likely, seeing as the math is sound. TFA used a minimum case of 20,000 phrases generated from natural language, so of course it will be less secure.
It even says at the end that passphrases generated like in the XKCD comic are sufficiently secure against offline brute force.
... Amazon's PayPhrase registration page. Because the page prohibits the use of any pass-phrase that has been used by another user, it's possible to identify which pass-phrases are in use.
This is a well known, bad idea. Unless you also lock out the original user of an obvious passphrase, you give an attacker information.
Better is to just start with a dictionary of "bad" phrases, that no-one can use. Then, when an existing phrase is no longer in use, you mark it "bad" and unusable in the future. Of course, someone might start using that phrase before the rest stop using it. If it's an especially bad case, you might have to lock all those users, and make them reset their password through a different, secure, channel.
Throw some uncommon names and foreign words into your phrase, and it essentially becomes unguessable.
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
I have to wonder about this. These attacks take time, especially over a network, are often detectable, and don't guarantee success.
So, serious question - how often are such attacks employed compared with exploitation of vulnerabilities or social engineering?
So, as others have pointed out the only thing that matters is entropy. Entropy isn't just based on the number of characters, and that is true both of one-word and multi-word passwords. I'd probably say that "to be or not" is much lower entropy than "x8Jk$4B" - however, "bicycle tripod tissue diploma" is probably much higher entropy than "Wallets5".
The key with multi-word passwords is that the words need to be unrelated. If the words are closely associated like "apple banana cherry date" then you are opening yourself up to a number of attacks. The same issues apply to 8-char passwords containing numbers and symbols - users can still pick passwords that have far fewer bits of entropy than the character set implies. If anything the problem with single word passwords is that users STILL pick stuff that is dictionary-based, and yet you don't have the protection of having as many combinations as with multiple word passwords.
The math clearly shows that multiple word passwords are much stronger and potentially more memorable - AS LONG AS THE WORDS ARE UNRELATED.
Just hold down shift and type in your 10 digit phone number.
(@)%%%!@#$
"If any question why we died, Tell them because our fathers lied."
In all this discussion, it seemed obvious to me that this problem had been solved quite some time ago:
http://www.itl.nist.gov/fipspubs/fip181.htm ... but I've never seen it come up. Are there any papers with cryptanalysis of this method, or other documented attacks?
Is there some other reason not to use this method? (as a reason why it never comes up as a solution to the problem)
I've been saying for a long time now if companies would just implement lockout policies we wouldn't have any of these issues.
It would help some (less annoying than a lockout policy is just to implement a delay that increases with number of failed attempts). However, the dictionary attacks that are worrisome come from a hacker stealing the password hash tables, and are done offline, trying to decrypt the hash, not simply repeated attempts to log in. These won't be prevented by lockout policies (although they will be prevented by making sure that the hash tables don't get stolen)
http://www.geoffreylandis.com
Amazon PayPhrase wasn't a good system for them to study.
By default, Amazon PayPhrase recommends a random pairing of two words. I bet that most users didn't bother changing their recommended passphrase. It also affected user behavior: users are more inclined to pick two-word pairings or other super simple passphrases if that's what's presented to them initially. Amazon PayPhrase also discourages users from making traditional non-dictionary passwords, which is very different from most other password systems. This, along with the fact that no two passphrases are allowed to be the same, makes their passphrases highly predictable.
I think this study says more about user behavior in regards to using the Amazon PayPhrase system than it does about multi-word password security in general.
As mentioned recently here, make your password ifedthebodytomyneighborspigs
Then, you can't give it up without incriminating yourself. Win-Win!
You didn't read the FA. This research is testing the often-repeated claim that passphrases provide more security than passwords by looking at real data from a passphrase system. No one is claiming that this has anything to do with remote login, so you can forget that strawman. Your criticism about knowing whether someone uses a passphrase or not makes no sense either. The whole point of the research was to look at a database which was *already known* to consist of passphrases, and evaluate how much security *such a system* actually provides. Nothing more, nothing less.
So, the research is not worthless - it's actually very interesting to have some real, you know, *evidence* on the subject, rather than just emailing the usual xkcd passphrase cartoon to everyone and claiming "see, passphrases are clearly more secure!!!" (something I have been guilty of, I admit).
Two minutes behind this guy and I'm "Redundant".
Random Thoughts From A Diseased Mind (Not For Dummies)
If they aren't easy to remember then people write them down, put them on sticky notes on their monitors and the like. It's not just about the math, it's about the social practices as well. I think multiple word pass phrases are still our best avenue for the common man.
We professional types handling encryption keys and such should probably be pushing that extra strength of full random strings but we also handle them professionally and keep them secure and we certainly don't expect that from Joe Enduser.
g0|d$U}{d'o'k3yB4|lz` = gold sux donkey balls
This is easy to break?
All these secure password strategies just encourage people to write down their passwords and save them into the browser. Even pass phrases are hard to remember if you have to change them every three months on multiple accounts.
Secure passwords can still be compromised by social engineering, a key logger or messing with the much needed password reset tool. Stop thinking about the problem one dimensionally.
For myself, I have three phrase+number complex passwords which I use, one for financial sites (online banking, Amazon, anywhere I shop & my plastic is stored), one for places I expect to use regularly (such as Slashdot) and one for trash sites where I gotta register for whatever it is I want, but don't likely expect to be back. The variant thing is, I have my own domain with a catchall address (similar to Gmail's + system) and for all domains I use the domain name plus my @domain.com
assuming the method shown in the cartoon was automated checking of the password + email combo, it'll fail because I wouldn't use the same email address at ANY website.
every day http://en.wikipedia.org/wiki/Special:Random
I'm pretty sure I'm not the first to express this, but what about using two words, e.g. "banana" and "guitar" this way: "bgauniatnara"? It's still easy to remember, but not that easy to guess by dictionary search. That being said, the major problem I think is not about a single password strength, but about the reuse of passwords along different services...
Wait,
Which words are you using as a password?
In the 1980s we programmed 3-second pauses between attempts from any single source.
But around 2004 I had a frustrating conversation with a couple of Novell's architects where they refused to admit that allowing you to try passwords at the speed of hardware was a bad idea.
What those guys didn't want to admit was that they didn't have a good way of determining the source of each attempt. Modern attackers can spread across IPs - just yesterday itbusinessedge.com hit my mailservers (all of them, not just the highest MX record) with a email address guessing attack sourced from various machines all over 173.240.145.0/24 and 173.240.146.0/24. Spammers and other online criminals just buy huge address blocks from godaddy.com and set the DNS TTLs to 15 minutes and have a field day.
Posting anon because those are real names and numbers there.
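The escalating per-attempt delay suggested earlier in the thread, and the 3-second pause between attempts from a single source recalled in this post, look like the throttle below. This is an added example, not code from any commenter; the class, the thresholds and the choice to key on the (source, account) pair are all my assumptions, and the pairing exists precisely because, as the post says, an attacker who spreads across IPs defeats a throttle keyed on source alone.

```python
import time
from collections import defaultdict
from typing import Callable, Dict, Tuple

# Escalating delay between failed login attempts, tracked per (source, account).
# Parameters below are assumptions for illustration, not values from the thread.
BASE_DELAY = 3.0          # first enforced pause, in seconds
MAX_DELAY = 30 * 60.0     # cap the back-off at 30 minutes
FREE_FAILURES = 1         # failures tolerated before any delay is imposed

Key = Tuple[str, str]

class LoginThrottle:
    """Exponential back-off keyed on (source, account).

    Keying on the account as well as the source means that spreading guesses
    across many IPs does not reset the clock for the account under attack.
    `now` is injectable so the behaviour can be tested with a fake clock.
    """

    def __init__(self, now: Callable[[], float] = time.monotonic):
        self._now = now
        self._fails: Dict[Key, int] = defaultdict(int)
        self._not_before: Dict[Key, float] = {}

    @staticmethod
    def delay_for(fails: int) -> float:
        """Delay to impose after the `fails`-th consecutive failure."""
        if fails <= FREE_FAILURES:
            return 0.0
        return min(BASE_DELAY * 2 ** (fails - FREE_FAILURES - 1), MAX_DELAY)

    def attempt_allowed(self, source: str, account: str) -> Tuple[bool, float]:
        """Return (allowed, seconds_to_wait) for a login attempt right now."""
        wait = self._not_before.get((source, account), 0.0) - self._now()
        return (wait <= 0.0, max(wait, 0.0))

    def record_failure(self, source: str, account: str) -> float:
        """Register a failed attempt and return the delay now in force."""
        key = (source, account)
        self._fails[key] += 1
        delay = self.delay_for(self._fails[key])
        self._not_before[key] = self._now() + delay
        return delay

    def record_success(self, source: str, account: str) -> None:
        """A successful login clears the counter for this pair."""
        key = (source, account)
        self._fails.pop(key, None)
        self._not_before.pop(key, None)

def demo() -> None:
    """Walk one source through four failures and show the growing wait."""
    throttle = LoginThrottle()
    for n in range(1, 5):
        delay = throttle.record_failure("203.0.113.7", "alice")   # constructed sample source
        print(f"failure {n}: next attempt allowed after {delay:.0f}s")

if __name__ == "__main__":
    demo()
```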
elephant492GENERATION
I’ve been advocating through my research though [...]
Yeah. I got to this point in the article and stopped.
How about we teach people not to thieve others' passwords?
See, the problem is, almost any password setup can be sidestepped by using a keylogger. Tiny device, about the size of a fingernail.
So, perhaps a little more focus on teaching people that it's not in their best interest to use someone else's identity.
I am John Hurt.
@lw@y$ U$3 Ch@r@ct3r R3pl@c3m3nt 1f Y0u U$3 R3@l W0rd$ 1n Y0ur P@$$phr@$3$ !!!
I have passwords that look like that (minus the spaces). Break that with a dictionary! :p
Seriously folks, if you use real words in a password in this day and age, you're a little bit more than naive or completely out of touch with what computers of the current generation are capable of. IMHO, you CANNOT use straight dictionary words (regardless of language, and yes, I do mean Klingon and Sindarin!) in your passwords without some sort of numeric or symbolic character replacement pattern. Then you can use easy to remember song lyrics, movie quotes, and other colloquial sayings as pass phrases. Use them "au naturel" and you will get pwnd!
P.S. I don't always use the same replacement pattern or characters, either. The above is just an example. I wouldn't use that one as someone has it in their dictionary by now, btw.
Just lift up the keyboard and read it off the post-it note you stuck to the bottom of it!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
If you force people into using passwords they cannot remember, then you will have a bunch of passwords written down on paper. This leads to a less secure situation than when you started.
It's free, powerful and secure.
$ pwgen -sy 256 1
I tend to use the first letters of every word in a line or two from a poem. At one time I used 'Cargoes' by John Masefield, giving me QoNfdOrhthisP, or "Quinquireme of Nineveh from distant Ophir, rowing home to haven in sunny Palestine".
Trivial to remember if you know the poem (and the name of the poem makes a good password hint without giving too much away) but pretty much impossible to brute-force or dictionary-attack. You can still throw in the o->0, I->1 transformations etc., but there's probably already enough entropy there unless someone "clever" is insisting on 2 numbers, 2 uppercase letters, etc.
Simon
Physicists get Hadrons!
Bad pass phrases are worse than good passwords.
Wonderful. So I'll try to remember to never use titles to popular movies and songs as my pass phrases. The same way I don't use passwords like 'dog' or my middle name or birthday and such. Password, pass phrase, either way we computer types need to try to encourage people to not use easy to guess keys to their digital life.
But, all other things being equal, I'd say that good pass phrases are better than good passwords, and I prefer them. There's no way you can tell me that "now is the Time for all strange Eggs to dance" is vulnerable to a dictionary attack.
This is quite simple and has long since been answered:
- A random English word gives you about 0.6 to 1 bit of entropy per letter. If the words are not randomly chosen, you get (potentially a lot) less, especially for long words.
- A random alphanumeric character gives you 5.1 bits of entropy
Take your pick. I go with the random alphanumeric passwords for anything where I actually need security.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I've found small Welsh village names are easy to remember- look random- and don't appear in the dictionary. I use them for low-security sites that I don't access often and don't care too much if they get hacked.
For things I really want to protect I use a random combination of letters numbers and symbols.
"That's the way to do it" - Punch
...with a few space characters in it.
This confuses me no end. Password crackers from the early 90's did agglomerations of words. nth letters from words in a sentence are not uniformly distributed. Entropy, people -- guessable patterns are bad. Things like wordNumberWORD are only three elements long and not that hard to guess. Think of words as numbers -- and then consider each word as a "number" in a very large base -- then this is a 3-number sequence in a dictionary-sized base -- but that's still smaller than n characters in base 36 (=26+10; you could use 36*2 if you want to allow basic western shift sequences -- a little more if you want other characters etc).
and then a few paragraphs later is the rather unsurprising observation:
So, as the summary says, to try to generalize from that to find fault with the idea of multi-word passwords is "twisting of words." That's not what the researchers were trying to find; a more accurate characterization of their findings is that, given their own choice of passphrases, a lot of people will choose something shockingly weak that is then easily guessed in a dictionary attack.
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
This doesn't take Diceware passwords into account, only user generated phrases (eg. song lyrics etc).
Good luck bruteforcing this: "curb dope yl wz 39 niche", a simple 6-word passphrase generated by Diceware, which has about 98.6 bits of entropy.
So MacGyver can pick your house's door lock in 15 seconds with a light bulb filament. So what? You're not worried about MacGyver. You probably haven't changed your house keys since you moved in. Does that make your house vulnerable? Maybe, but we've learned to live with that level of risk. Besides, if somebody really wants into your house, they'll just kick the door in or break a window. Keys just keep honest people honest, and you rely on your neighbors, and the police, to prevent unauthorized access to your home.
My bank ATM card is protected only with a 4-digit PIN, which is encrypted in the bank's records using 64-bit DES. But I've never heard of anybody cracking that DES encryption, or brute-forcing ATM codes, to gain unauthorized access to people's bank accounts. Instead, they use easier methods--human engineering--to get people to reveal their account numbers or other personal information. Then the thieves don't even need your PIN number! In other words, they come in through a window. So a 4-digit PIN number turns out to be secure enough after all.
If you're Fort Knox, you might have reason to care about the strength of your password or pass phrase. But for those of us that live in the real world, ANY password is good enough.
That's the way Compuserve generated passwords way back in the 80's. Two random words, separated by a nonwhitespace character. forged$elephant, that kind of thing.
Multi-phrase is too much work:
http://sierracomputergroup.blogspot.com/search/label/Passwords
Sudden Disruption
My recommendation for a really secure pass phrase:
1. Pick a phrase like "maryhadalittlelamb"
2. Add (or replace) with one capital letter, one number, one special character. Don't use l33t-speak, just at random.
3. Remember your three weird words like "maVry" "li6ttle" and "lam!b", it's much easier than when it's all just a hopeless mess.
4. Your password is now "maVryhadali6ttlelam!b", there's not a password cracker in the world that'll find this.
It's way, way too long and uses characters from all the character sets for a brute force attack. As for a dictionary attack, there's way, way too many permutations. It could just as easily be "mar#yha1dalittlelRamb" or "m%aryhadalitOtlela9mb" or a million other combinations based on "maryhadalittlelamb", even if you knew that was the basis. Of course the biggest risk is the computer you're typing it into; for example, I feel my mail is now much safer now that I can log into it from my smartphone rather than from any random webcafe/desktop/laptop I happen to have available. It's a lot more difficult to get a spy app installed or bug my hardware than if I type it in on machines I don't control.
If I remember correctly, this is how our university got breached once: they bugged a desktop in the computer lab, trashed the software a bit, then waited for an admin to come and try cleaning things up with the admin password. Boom, they got admin rights to every desktop on the network. Against that it doesn't matter if your password is a kilometer long; if you can't trust the console it doesn't matter. It only matters if your data is stolen and they never got the password, which is of course one important vector with stolen laptops and all, but it doesn't protect against other threats. All in all I consider my password complexity as being a very low-risk threat. No point in a bullet proof blast door if a burglar would use the window.
Live today, because you never know what tomorrow brings
Security through obscurity is a valid layer of security.
For anything serious, obscurity of course shouldn't be used as the only layer of security. Nor should horses who can correctly identify battery staples be the sole layer, for that matter. You shouldn't have a sole layer of security, period.
Most people can easily remember a shorter string of garbage, say five characters. A password that is short garbage followed by three dictionary pulls should be maximally strong against any attack.
This line from the summary was written by someone who doesn't understand the slightest thing about modern encryption and password security:
Look up the concept of key stretching. In a nutshell, you basically take a plaintext password and then apply many thousands of rounds of encryption or hashing to it and then store the end result in the password database. The idea is that you incur a few seconds of computation time every time the password is set or retrieved, which is a very minor inconvenience in normal use but is a humongous amount of overhead to brute forcing even a single account.
With this technique, a dictionary attack on one account can take days to work through the whole set of words. So if you're using a dictionary word for your password, you're screwed no matter what. But a halfway-strong password that doesn't appear in any dictionary can be completely immune to an offline attack if the hashes were computed securely. The only way for an attacker to get around it would be to find some fatal flaw in the encryption or hashing algorithm. (In which case, the NSA would probably like to speak with him.)
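The key stretching described in this post, done with PBKDF2-HMAC-SHA256 from Python's standard library. This is an added example, not the commenter's code; the record format, the 200,000-round default and the cost-estimate helper are my assumptions, and the per-user random salt is what stops one dictionary run from being reused against every stolen hash.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Key stretching with PBKDF2-HMAC-SHA256. The iteration count is an assumed
# default; tune it so one hash costs a noticeable fraction of a second.
DEFAULT_ROUNDS = 200_000
HASH_LEN = 32

def hash_password(password: str, rounds: int = DEFAULT_ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$rounds$salt_hex$hash_hex'.

    Storing the parameters with the hash lets the round count be raised later
    without re-hashing every account at once.
    """
    if salt is None:
        salt = os.urandom(16)   # per-user random salt: equal passwords hash differently
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds,
                             dklen=HASH_LEN)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the stretched hash from the stored parameters; compare in constant time."""
    try:
        algo, rounds, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds), dklen=HASH_LEN)
    return hmac.compare_digest(dk.hex(), hash_hex)

def dictionary_attack_seconds(dictionary_size: int, seconds_per_hash: float) -> float:
    """Offline cost of trying every entry of a `dictionary_size` word list against
    ONE stolen record. Because of the salt, that work cannot be shared across
    accounts; the attacker pays it again for every record in the table."""
    return dictionary_size * seconds_per_hash

def measure_seconds_per_hash(rounds: int = DEFAULT_ROUNDS) -> float:
    """Time a single stretched hash on this machine."""
    start = time.perf_counter()
    hash_password("timing probe", rounds=rounds)
    return time.perf_counter() - start

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("correct horse battery stapler", record))
    cost = measure_seconds_per_hash()
    print(f"one hash: {cost:.3f}s; 200,000-word dictionary against one record: "
          f"{dictionary_attack_seconds(200_000, cost) / 3600:.1f} hours")
```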
Use a password in a language besides English to foil dictionary attacks. (Example: ki'uleza'ijyfinca'ilebangugi'edjicalenumutcejitroleiselci'a)
Of course they are. You use words, a dictionary attack is the obvious weapon of choice, and of course it will fall.
The question is not if, the question is when. A good multi-word password (which according to my own calculations should have four words) has a search space as large as an 8-character password following one of the standard password policies. More importantly, it does not degrade as badly. What your password policy works out to on paper is one thing, what your users make of it is an entirely different thing.
In fact, it's horrible. Mathematically, your average password policy has a complexity on the order of 10^16. However, considering psychological factors and typical user preferences as we know them, the actual complexity is somewhere near 10^7. That's ridiculous from a security POV.
A four-word passphrase, however, degrades from a theoretical 10^18 down to 10^12 in a worst-case estimate. That's a better overall result and less degradation.
Assorted stuff I do sometimes: Lemuria.org
Recommending multi word passwords is fucking retarded. 95% of the login systems people will use DON'T ALLOW MULTIWORD PASSWORDS. Linux doesn't allow spaces, no website I can find does, and most corporate Windows networks also block spaces.
Passwords are a shitty way to secure anything. The only reason we use them at all is because it's easy to code (and in that sense, easy in general). Do you think replacing the keylocks on the front door of your house with a guy who asks people "What's the password?" is a good idea? Of course not. You use a key aka token to open the door.
Obviously, tokenized security is better. The best token is your fingerprint hash (since you can't lose it).
My recommendation is to use randomly generated passwords that are between 8 and 16 characters and are stored in a password vault secured with a token, ideally fingerprints. Buy one of the Authentek readers and haul it around or use a smartphone token or a hardware token. If you go with the reader or hardware token be sure to buy spares.
That works in theory, as I have a system of my own, but then I come across password policies that are, given this day and age, quite ridiculous. I type in my generated password and it refuses it, saying:
Must be between 6 and 8 characters; or
Must be alphanumeric; or
Numbers not allowed (seriously, I got this with one site).
I use a password manager to manage all my passwords, but whenever I come across a stupid website that does this I need to e-mail a "login hint" to myself (a hint that doesn't reveal the password to anybody with access to my e-mails but saves me having to reset my password when I try to login manually but it refuses what the password should have been in the first place).
I see many password experts here. Well, crack this account: . Post the password here to prove you did it and please comment on how long it took you to find the password.
2019 is going to be the year of Linux on the desktop.
There's no way to consistently use secure passphrases with all the shoddy web development out there.
Could somebody please come up with a BNF microformat to describe password requirements? These could be added to the 'password' field type in the HTML form or stored in a 3rd party repository (used by the extension that will generate the strongest password for me given the requirements).
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I almost instantly came up against the limit you describe - it's just not really doable in practice because of this limit.
Given the requirements of the website, an extension could hash your human password into the highest entropy password that a site would allow.
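One way the extension proposed in the two comments above could work, as an added example (not code from any commenter): the site's requirements are encoded as a small policy record of the kind the microformat would carry, and a site-specific password is derived deterministically from the master password and mapped into the longest form the policy allows. The policy values are constructed to mirror the complaints in this thread (6 to 8 characters, alphanumeric only); the site name and master password are placeholders.

```python
import hashlib
import string

# Constructed policy record (hypothetical microformat), not any real site's rules.
POLICY = {
    "min_length": 6,
    "max_length": 8,
    "alphabet": string.ascii_letters + string.digits,   # "must be alphanumeric"
    "require": [string.ascii_lowercase, string.ascii_uppercase, string.digits],
}


def satisfies(policy: dict, candidate: str) -> bool:
    """True when candidate meets the length, alphabet and required-class rules."""
    if not policy["min_length"] <= len(candidate) <= policy["max_length"]:
        return False
    if any(c not in policy["alphabet"] for c in candidate):
        return False
    return all(any(c in cls for c in candidate) for cls in policy["require"])


def derive_site_password(master: str, site: str, policy: dict) -> str:
    """Deterministically derive the longest password the policy permits.

    The master password is stretched with PBKDF2 over a site-specific salt and the
    output is mapped into the allowed alphabet. If a required character class is
    missing, the attempt counter in the salt is bumped and the derivation repeats,
    so the same master and site always yield the same result.
    """
    alphabet = policy["alphabet"]
    length = policy["max_length"]            # longest allowed => most entropy
    for attempt in range(256):
        salt = f"{site}\x00{attempt}".encode()
        raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 50_000, dklen=2 * length)
        # Two bytes per symbol: 65536 mod 62 leaves only a negligible modulo bias.
        candidate = "".join(
            alphabet[int.from_bytes(raw[2 * i:2 * i + 2], "big") % len(alphabet)]
            for i in range(length)
        )
        if satisfies(policy, candidate):
            return candidate
    raise RuntimeError("policy could not be satisfied")


if __name__ == "__main__":
    print(derive_site_password("placeholder master phrase", "example.invalid", POLICY))
```

Whatever the master password's strength, the derived credential can carry no more entropy than the policy allows (about 47.6 bits for 8 alphanumeric characters), which is exactly the ceiling the thread is complaining about.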
If a site is designed by a moron and allows enough repeated failures for an attack to succeed, it doesn't matter what your password is.
If a user is a moron and is too stupid to pick a phrase that isn't nonsense or make their complex random password longer than 8 characters...
Morons will be morons. The problem isn't the password. The problem is the lack of punishment for being a moron, and society's cowardice and lack of long-term thinking in refusing to tell people that they are, in fact, morons.
Everybody knows the Welsh prefer Andruid devices.
I did this in high school in the 70s - a group of us had a game to make up, learn and pronounce the longest possible gibberish word. Mine was something over 50 characters. It's never been hacked in 40 years but I can't use it for many services that insist I choose a "strong" password that is 8-12 characters long and - helpfully (that is, for the hacker) - indicate which characters are allowed and not. Moronic.
I tell people, verbally, my made up word on a regular basis and have challenged many to try to transcribe it (assumes they know how I spell it) and even hack an account where the word is used - nada.
... after all, when the Welsh were coming up with names for their villages they used random letter generating apps on their iDruids.
The Welsh use Andruids.
Can you honestly tell me that you'd guess "The nuances devour"? (past passphrase). Having substitutions in there isn't going to help you, they'll only confuse you when you try to remember what was replaced with what. This whole "password" thing is shit as well. That's a relic from the 80s when you only had enough of your previous space to store one word at most. In the modern world where space is cheap, all "passwords" should be passphrases.
Another dumb thing that I see a lot is that sites will have the obnoxious rules to increase passphrase "safety". What they're really doing is narrowing down the possible passphrases, thus /decreasing/ security, instead of increasing it. The only requirement that is actually legit, and that should be on every site, is /minimum/ passphrase length. Sadly, some sites are deluded into putting max passphrase length (Which means they're storing it as plaintext in a database like idiots). It doesn't f***ing matter how long a passphrase is. When it's hashed, a one word password will turn out the same as a 200 word passphrase, in terms of length. Any other restrictions just make it harder to remember.
For example, my school recently changed its restrictions on passwords. After I got locked out of my account, they decided to change my passphrase to the school name, because that was the easiest way they knew how to fix locked accounts (Dumb Windows). Of course, now I can't use spaces, punctuation, or anything else to increase the strength of my password. So I didn't even bother changing it to something stronger, because I'd never remember where I put the underscores and- whoops, I forgot, I can't use punctuation now. Forcing users to go from a multi-word, secure passphrase, to a one-word password that's easily guessable, is ludicrous. The restrictions have to have an end put to them, and now is the time.
http://tinyurl.com/42geekcode