Slashdot Mirror
Why People Are So Bad At Picking Passwords
mrspoonsi writes "Studies suggest red-haired women tend to choose the best passwords and men with bushy beards or unkempt hair, the worst. These studies also reveal that when it comes to passwords, women prefer length and men diversity. On the internet, the most popular colour is blue, at least when it comes to passwords. If you are wondering why, it is largely because so many popular websites and services (Facebook, Twitter and Google to name but three) use the colour in their logo. That has a subtle impact on the choices people make when signing up and picking a word or phrase to form a supposedly super-secret password. The number one conclusion from looking at that data — people are lousy at picking good passwords. 'You have to remember we are all human and we all make mistakes,' says Mr Thorsheim. In this sense, he says, a good password would be a phrase or combination of characters that has little or no connection to the person picking it. All too often, Mr Thorsheim adds, people use words or numbers intimately linked to them. They use birthdays, wedding days, the names of siblings or children or pets. They use their house number, street name or pick on a favourite pop star. This bias is most noticeable when it comes to the numbers people pick when told to choose a four digit pin. Analysis of their choices suggests that people drift towards a small subset of the 10,000 available. In some cases, up to 80% of choices come from just 100 different numbers."
These studies also reveal that when it comes to passwords, women prefer length and men diversity.
We are still talking about passwords, right?
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
"women prefer length and men diversity"
Fnarr fnarr.
So from this article I take it I'm supposed to track down aredhead and have her make my password for me?
She looks like she has a trustworthy face.
http://xkcd.com/936/
So, before choosing an important password make sure you have shaved, had a haircut and dyed your hair red.
(A sex change is asking too much though.)
http://xkcd.com/936/
who where what when now?
Also are the most passionate lovers.
Hope is the currency of fools
... for RMS !
Time for bed, said Zebedee - boing
A modern day password cracker (brute force) with a reasonably large dictionary can basically break all human generated paswords these days.
First - besides the dictionary, they also try variations - including l33t 5p34k variations, various capitalizations and putting numbers at the beginning or end of the word.
Second, the old trick of picking a phrase and using it? Also done - the dictionaries often pick phrases out of the Bible and other texts and run with those, too. You'd think this would be difficult, but surprisingly not. And there's the variations in the above as well.
A brute forcer that uses a dictionary often enlarges it through variations, which is still far less to check through than a full test-every-combination brute force.
About the only choices left are pure random passwords that the only way to break them is testing every combination.
What is the quality of the password then?
As a very well known xkcd points out, a great deal of the problem could be averted if people weer encouraged to use long passphrases with spaces and everything rather than a pass'word'. password as a concept was good enough for the time of it's popularity, to defend against people typing their way into someone else's account. When the model fell apart in a world with much more automation and network connectivity, the 'fix' was 'keep length about the same, but toss some numbers and maybe some punctuation in there'.
The madness comes in when a great deal of the sites I visit put a 12 character *maximum* on a password for their site.
My personal strategy: base64.b64encode(os.urandom(12)) for every site and store the values on a couple of my devices with a phrase that is about 32 characters long (but easy for me to remember and easy to type). hashing a master key with the domain to generate passwords like some chrome and firefox plugins (password hasher) can do is similarly nice without having to worry that you won't have access to the copy of the database.. Of course, the annoying thing is my 16 random numbers and letters frequently fail the 'complexity' check and I have to add some punctuation character to it.
XML is like violence. If it doesn't solve the problem, use more.
Please tell me no one is surprised by the general conclusion (haven't we been here a time or ten before?) of these studies. Add to this the corporate or government attitude demonstrated so equivalently here, the lack of effective computer security training, including a complete failing of organizations to have or heaven forbid enforce policies about password practices and you've got a pretty pickle.
Sadly, it took the recent Adobe compromise, to get me to finally start using a password wallet and use different passwords for each Internet service I use. Have to admit I was stunned, by the number of accounts I had when I got through most of the sites I access.
After hearing a few disturbing stories from my wife, about how computer security and passwords are treated at her place of work, I stepped up my training for her and her co-workers that will listen. Based on what I've heard from her the choice of poor passwords is the least of our troubles.
Unless the underlying problem of poor culture surrounding computer security is changed and an understanding of the associated risks is cultivated, it won't matter one whip whether users can choose "Good Passwords TM".
These days, I just use a decent password manager (KeePass or Password Safe.) Of course, that comes with its own risks, but with so many passwords one uses, all should be unique [1], might as well have a system that uses a known good cryptographically secure RNG and a decent password length [2] does the trick.
[1]: That way, a cracked password from site "A" won't be able to get access to site "B".
[2]: Even now, some sites will choke at a password length greater than 8-10 characters.
A lot of these studies come from accounts where people do not care if someone else knows the password, because the password doesn't protect anything of use to the subscriber. For accounts like that, my password is the same as my username, and it is linked to a spamtrap email account that doesn't get used for anything else. I know it is insecure, but I don't care.
Here is the problem: You constantly hear about don't use the same password on every site. Ok, makes sense, except that a lot of people have login information to 100+ websites. Sure that are tools like keepass or lastpass or whatever, but then you just need to break 1 password to have access to them all
Then you get redicoulous requirements on some websites, like can't use special characters, can't be longer than 10 chars. Why? You should be using a hashing algo which means special characters or max length shouldn't matter (within reason)
I have about 4 passwords
My low security one where I do not give a shit if people hack my account eg slashdot/most forums
Medium security - Password for sites I care a little about and that contain some personal information eg, some forums, some online shopping sites that don't store cc info, etc
High security - Mostly used for sites that are used for purchasing things and that have linked CC info to it
Very High security - Used for financial institutions
This way I always know when I go to a site which password it uses.
However, I have been thinking about changing slightly how I do my passwords... the base password will always stay the same, but I may prepend or append the the first 3 characters of the sites name or something (maybe not quite this obvious). This may increase security of password a little, as well as benefit of most passwords being unique.. but not sure how much it increases the security by
" up to 80% of choices come from just 100 different numbers."
It gets worse, as 100% of those are chosen from just 10 numerals.
If we start with the asumption that that passwords must be memorized somewhat, we are better remembering things with an attached meaning than something random, and those meanings make usually bad passwords. But, we don't need to remember all passwords, there are password managers for making and storing a bunch of meaningless, secure passwords, and for the keys you must remember (the password manager one at the very least) there are some mnemonic tricks that can help to have safe enough passwords.
and yes I butchered the spelling of ridiculous
Must be an idle day at the BBC. A couple paragraphs of statistical wank about physical attributes seeming to correlate with password quality. Then a rehash of old news about bad passwords being easy to crack. My hair is unkempt and I have a 62 character password encompassing a good chunk of ASCII printable characters. Bring on the "compensating for something" jokes. ;)
On passwords, what was once thought to be good password security is no longer true. The length of a password matters more than diversity and given the right instructions, can be much easier to remember than complex passwords.
My current suggestion for passwords is this: Pick three (or more) random words. mongoose, screwdriver, automobile. Now you have a password you can remember, but is very hard for a computer to "crack" and you only have to remember three things, as opposed to memorizing eight (or more) things that don't make any sense.
And, to make it unique for each System you log in to, add in the name: Amazon Mongoose Screwdriver Automobile, or Ebay or whatever.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
I devised my best password for my luggage. I'm too tired after doing that to worry about online passwords
rewriting history since 2109
I love them.. I trawl through them laughing at the passwords on them, at least so far as mine have never shown or close variants of them.
You have 5 Moderator Points!
Which Helpless Linux zealot/MS basher do you want to mod down today?
Security researchers agree: It's OK to write down passwords for online accounts. The typical threat model is a remote attacker, so a password written on a piece of paper is as secure as a password can be. People forget passwords all the time, even really simple passwords. That's why we have stupid mechanisms like "three questions to reset your password - let's just hope nobody else knows your mother's maiden name, your favorite dish and your favorite color".
there are a lot of sites, that require setting up and account, i could care less about. i use a junk email account and a simple junk password. those accounts, if they are hacked, won't give you any useful information to get into another site's account that i do care about. i think many people do the same. those junk sites also get hacked and the stolen lists get published. then the appalling headlines stating "OMG these passwords are so easy!!!" get published... so what...
All of us. We just choose a different place to start.
"people are lousy at picking good passwords"
This begs the question. There is some reasonable expectation that people should learn to properly use the tools of modern society, but in the end, the tools should serve the people, not the other way around. If your car pulled to the left, would you say you were lousy at driving in a straight line? No, you'd say your car was out of alignment and get it fixed.
A password is something we're expected to remember, but we're wrong to pick words or numbers that might be easy to remember, such as familiar names or dates. Even if you say pick a system of choosing passwords to remember rather than an individual password, that's impossible. Every different system and site has different password requirements, so no single easy to remember system will work for all of them.
"You have to remember we are all human and we all make mistakes"
Yes, and Mr Thorsheim's mistake is assuming the issue is with the people who are using the system and not the people designing the system. The truth is,
"password systems are lousy at serving people."
(as an aside, WTF is up with systems that do not allow special characters in passwords? Are they worried about SQL injection? If that's possible from a password field, the system is FUBAR.)
I would hope the list of allowable PINs is shorter than that. The 10 possibilities with the same number repeated all the way through should be disallowed (and usually are), as well as 1234, 4321, and anything else with four consecutive digits. While taking those 24 possibilities out doesn't dramatically reduce the number of possible PINs (only 2.4% reduction) it is still a list of less than 10,000.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Humans are no good at generating passwords. That is just a fact. The best option is to use a password generator and to change the passwords often. I started using keepassx a couple of years ago and I have never looked back.
I have a really really good password that I use to get into my server at home. All other passwords are for random sites (like slashdot) and I use a very simple password for them. Does this make me 'bad at picking passwords', or do I simply not care if someone hijacks my slashdot account, ruining my excellent karma?
A good password is one that you don't mentally consider a word or string of words, as much as it is a dance that you do with your hands and fingers, really really fast.
Politics; n. : A religion whereby man is god.
your favorite color".
Blue... No, RED!
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Hire Allyson Hannigan to choose your passwords. PROBLEM SOLVED in sexiest way possible.
Gamingmuseum.com: Give your 3D accelerator a rest.
I use regexes related to the site name/function. (*)
Now the hackers have 2 two problems when they want to break into my account!
* I actually I do incorporate regex like strings.
I am Slashdot. Are you Slashdot as well?
Ive been doing the 4 tiered password thing for over 10 years now. There is NOTHING like hitting an old website you havent been to in years and logging in first try.
... and your favorite color".
green ... no blue.
I ended up using something similar. I just have a bunch of memorized passwords using a very simple 3 keyed format
like "AB#" "EF#" "I#K"
This way whenever I need a new password to add to my list I write anything that pops into my head on a note. for example..
J92bd3Yp4. "J92" "bd3" "Yp4". write it down, use it for a week until it's memorized and it's done. I have about 6 passwords in this format completely memorized and cycle them everywhere.
did you forget to take your meds?
I started using the Readable Password plug-in for KeePass. For anything I need to remember, a random sentence is much more useful than random characters.
Given that it's widespread across huge numbers of people, presumably of all kinds and intelligence levels, I think that dismissing the problem as being because people are too lazy/stupid is...well....lazy and stupid.
Remember that people treat their computers like a social being - and a subordinate one at that. Every morning, someone will go and sit down at their office computer and find it's forgotten who he is, even though it sees him every day. He can walk away for an hour and it'll forget again. It'll fail to understand that he's him over and over again as he uses websites, servers, etc, stopping each time to refuse his instructions and demand that he perform some silly little task purely to help the computer out in functioning correctly: remember an irrelevant string of nonsense. And, very occasionally, the computer will fail and do something like send banking details to someone in Russia, or show his ex-wife his e-mails to his lawyer.....even though it's blatantly obvious to even an imbecile that these are the wrong things to do.
We all know that computers are unintelligent tools that are not capable of doing better than this - on slashdot, at least. But it still feels like talking to a forgetful, obstructive, naive, reckless, stupid and insubordinate little shit. Even the most stupid of assistants should be expected to do better most of the time.
People can certainly do better, but we have to accept that humans behave like humans and recognize that we're going to need to improve the technology as well as people's habits. In the short term that could mean things like providing ways to generate secure passphrases and asking them to write them down, using authentication devices and using UIs to promote better practices....and we need security researchers who stop looking a memory dumps for a while and look for more secure ways to interact with users.
Why can't my home computer manage passwords. Seems like it's smart enough to generate a password, pass it to the secure site, then at log off generate another password pass it to the site and then log off. Let the computers handle the task. Then have one master password or some other technique to log onto the computer that can only be used from the keyboard.
Re-using the same "high security" or "very high security" password across financial institutions, etc., is a recipe for disaster. You may have very high security standards... but it turns out sometimes those tasked with taking care of the peons' data don't (and fail on simple precautions like salted hash password storage). Whichever institution has the crappiest security gets hacked (maybe even that old bank you moved your money out of years ago), and suddenly all your accounts are vulnerable.
The proper and secure way to do things is one high-security passphrase, that decrypts your (well-backed-up) encrypted store of thoroughly unmemorable random character passwords for each institution. It takes a couple extra seconds to look up the password for each site, and puts additional control over security in your own hands (which care more about you personally losing all your monies than some random bank contractor). And, for anything that you use moderately often, you'll end up remembering the random-jumble password just fine after the first several times typing it in.
Every time I see articles like this, I feel compelled to bring up the solution I'm using, which is (so far) the single best solution I have been able to find.
It's called 1Password. Runs on Mac, Windows, Linux (read only I think), iOS, Android, and has plugins for all major browsers.
It records your login details for you, has a password generator that you can customize in various ways, and stores an AES encrypted archive on dropbox so that all your devices can sync together.
Now I can safely create new logins everywhere with abandon, because I'm not afraid that if one service is compromised (*cough*Adobe*cough*) I'm not afraid something else is at risk.
It can generate passwords up to 50 characters in length with your choice of number of digits and symbols. It can even make easily pronounceable passwords if you need, and avoid ambiguous characters (eg O (oh) and 0 (zero) ).
It's a little pricey, but IMO it's worth every penny because there is no other product out there that is this easy to use, AND supports so many platforms all at once.
I also blame sysadmins who frequently don't understand that security is contextual; you do not need the same level of password complexity for a gardening forum or slashdot that you need for your bank account. But you still see ridiculous requirements for low-security sites.
Here is the problem: You constantly hear about don't use the same password on every site. Ok, makes sense, except that a lot of people have login information to 100+ websites. Sure that are tools like keepass or lastpass or whatever, but then you just need to break 1 password to have access to them all
The thing is, your password with KeepPass or what have you is up to your encryption level and password strength. The password you use on any given site is reliant on their password encryption. So if someone gets a hold of, say, LinkedIn's passwords and is able to decrypt your password there, they can hit every site with it and your email address. Getting access to your KeepPass file will grant them all access to all your accounts, but they are going to have a harder time getting the info out of it if you've done it correctly.
If pass phrases are inherently far more secure, why do we still prompt people to create and use a *password* and then make a big stink that they did *exactly that*? Just because they do that poorly we shouldn't hold that against them since the process itself doesn't do anything to help them do so better--it's actually at odds, whereas simply indicating the different process of selecting a pass *phrase* does.
Why not simply change the labels and validation (since when should a site ever *prohibit* any specific character from a pass phrase?!!) to say "pass phrase" to urge people in a better direction?
We have bone-headed developers that have "helpfully" sent out emails to every member of a site saying "to improve security we have stripped all non alpha-numerics from your password"... Huh????? a) that means you stored my pass phrase *in plain text* in your database, then b) you *shortened it*! and c) you reduced the available combinations and d) turned my pass phrase into a password.
We have *banks* adding "site lock" security--reducing the security of their websites and *lying* to their users telling them that a) it increases their security and b) *trust the site lock image to indicate that it's really the correct site* rather than educating them to check the *SSL cert*!
Perhaps we need an article similar to "what every developer needs to know about character encoding" but for "handling user credentials". It's obvious that it's not just users that don't get it--but many developers and businesses also.
I don't. Pi is wrong. Tau is the proper circle constant. I pick my pins from there.
When our name is on the back of your car, we're behind you all the way!
The proper way is to use a good password manager with the following features:
1) cloud-based sync, so you can access it from any computer or mobile device
2) multifactor authentication, such as a USB stick or a grid or biometrics
3) a configurable password generator (i.e. you can choose length, complexity, etc.)
I use LastPass and like it enough to have bought a year's subscription for $12, but there are other good choices out there like 1Password, or you could homebrew up something with e.g. DropBox + KeePass or Google Drive + TrueCrypt + something that can read TC volumes on iOS/Android.
Generate a different random password for each site needing an account, as complex and as long as the site will allow for, and with LastPass at least you can attach a note to each site's entry so you could enter random line-noise answers for security questions like "What is your mother's maiden name?", thus making crackers work much harder. I've also got LP set up for multifactor authentication and with a strong master password.
Hail Eris, full of mischief...
E pluribus sanguinem
The only realistic way to fullfill all these requirements:
1) 100+ passwords
2) every password unique
3) every password good
4) no password stored or written down.
is to create an algorithm that only you know. For instance, the 3rd letter of the url + a pin + the inverse color of the company logo, etc...
That's simple enough but my problem is that as soon as I create one every 3rd website has some stupid password requirement that
won't allow it so I'm back to writing down all the exceptions.
Oh yeah.... I really love it when I go to a site and try to create a password with punctuation, and it gets kicked because the site doesn't support it.
Really????
I'm talking about some major sites... financial institutions too. Scary and unacceptable.
Huh?
Actually it's not a good password if you can't remember it.
From my experience as a sysadmin for a generation is that women do forget their passwords more often. I'm sure that men are to blame...
A few users even use password reset tools every time they access services without even trying a password first.
His password is open source and everybody is entitled to read it, modify it, or to sell it as text source if he can find a buyer, as long as the copyright notice remains attached!
I use LastPass and the two-factor authentication adds a lot to the security. If someone can guess my password and obtain my two factor secret, I'm probably screwed regardless of what I did. I also enable two-factor on as many sites as I can (stupidly most banks don't have that).
Epic fail! Not the correct colors even with a video link...
No sig today...
True, but I guess my issue is that I log into websites from home, work, multiple mobile devices, friends house.
Now I haven't done very much (well any) research into these applications, but I would need something that is compatible with all of those device, and preferably one that I don't need to lug around on a usb key (which can be lost/stolen)
I may decide to look into it, because I can't be the only one with these requirements, so I assume solutions exist
However, I have been thinking about changing slightly how I do my passwords... the base password will always stay the same, but I may prepend or append the the first 3 characters of the sites name or something (maybe not quite this obvious).
Yeah, but almost every site begins with "www" so you are still stuck with a single password everywhere
I think the website's logos are blue because the marketing department saw that everybody was choosing "blue" for their password...
No, RED! Aaaaaaaaargh!
No sig today...
Why are we still using passwords?
Time to deploy client certificates. That can be done pseudonymously. And with Tor even anonymously.
Because a certificate isn't something you can carry in your brain.
A certificate can also get lost, while a password can at most be forgotten. That matters, because you have to keep the certificate in a storage. When that becomes unavailable, and you then lose all your certificates, instead of just forgetting a password.
In the UK, ANY offence (like shouting "war criminal" at a UK politician who voted to authorise some military atrocity) is an ARRESTABLE offence, under fundamental changes to British Law introduced by Tony Blair. And, any arrestable offence allows the police to raid the subjects home, confiscating ALL records and electronic devices.
So, what does this have to do with 'password' propaganda? Well, the single most common way 'law' enforcement goons use to 'crack' encryption is to locate where a password is written down. The more OBSCURE a password is made, the more likely it is to be on paper somewhere in the vicinity of the computer.
Now, as I type, the BBC is purposely spinning this report to tell the sheeple that passwords are 'WEAK' if part of them contains, say, the name of a pet. Notice I said "PART". This fallacy is the carefully planted NSA/GCHQ lie.
Passwords are NEVER cracked section by section. Sheeple do NOT understand this mathematical fact. Sheeple would think "PEPSIBANANA" was a 'weak' password, because it can be assumed that 'PEPSI' and 'BANANA' are weak, and that a cracking program would first find one 'word' and then the other in the cracking process. NOTHING COULD BE FURTHER FROM THE TRUTH.
For password systems with REVERSE TABLE LOOK-UP KEYS, passwords are mechanically cracked by building up unthinkably large databases of passwords and their encrypted key equivalents. Then the State discovers your encrypted key, and checks to see if it is present in the database. Commercial services offer this facility as a way for people to 'recover' (yeah, right) their 'lost' passwords. Safe encryption does NOT maintain an encrypted key that matches the password.
The BEST password systems allow LONG password phrases that allow the statistical combinatorial options to grow so large that easy to remember strings are impossible to crack, PROVIDED the phrase is memorable, NOT common. A common phrase with one word perversely modified is a STRONG password.
Again, despite the best efforts to lie to you about the subject, passwords are NEVER broken part by part. The entire password has to be guessed by the cracking program, unless you are using weak encryption algorithms (eg., anything mandated by the government or standards bodies). Use Truecrypt with a personal 'perverse' phrase that is so memorable, you never need write it down (and YES, it can safely partly include the name of your pet), and your encryption is UNCRACKABLE.
Use an NSA recommended password like "19!sDF3g99MM28DD" and you WILL write it down, and the locations you store the written password WILL be located by anyone that seeks access to your files. The hiding places for written passwords are VERY VERY small in number, and no matter how clever you think your hiding plan is, you will use one of the same small number of locations the security experts already have on their list from DECADES of experience locating written passwords.
"I have about 4 passwords
My low security one where I do not give a shit if people hack my account eg slashdot/most forums
Medium security - Password for sites I care a little about and that contain some personal information eg, some forums, some online shopping sites that don't store cc info, etc
High security - Mostly used for sites that are used for purchasing things and that have linked CC info to it
Very High security - Used for financial institutions"
Be sure the password for the email account that will get the "password reset" emails is in the very high category !!!
Here's a crutch for those with too few passwords on too many sites. Just paste it to something like safepassword.sh in /usr/local/bin or similar:
#!/bin/bash //g"
# script: safepassword
# this script depends on sha512sum
if [ "$2" = "" ]
then
echo "usage: safepassword constant_key password_purpose"
echo " where constant_key is a string of printable non-whitespace characters,"
echo " and password_purpose is a memorable string related to the purpose of"
echo " the password, e.g. a website address and year. Since the script removes"
echo " any characters outside 0-9 a-z A-Z it is possible that the password"
echo " could be too short in some cases."
else
echo -n "$1-$2" | sha512sum | xxd -r -p | tr -cd [:print:] | sed -e "s/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ]//g" | sed -e "s/
echo
fi
And to prevent any of the command lines going into your command history, and thus exposing your passphrases, be sure to run (once on each account that will use the shell script):
echo "export HISTIGNORE=\"safepassword*\"" >> ~/.profile
Since sha512sum should work the same way on all operating systems, a script such as this could probably be made for Windows as well as BSD/Linux/OSX.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
red-haired women tend to choose the best ...... and men with bushy beards or unkempt hair, the worst. .....women prefer length and men diversity.
I was beginning to wonder where this summary was going after the first few sentences.
Have gnu, will travel.
I used to have a beard and bushy hair and my password was "test123". After I neatened my hair and shaved, I had this overwhelming compulsion to change my password, and now it's UjuW8LxttbsWKqMbDaA4SqSJVST783ty
I agree, we all know people choose bad passwords, we have to design systems that take that into consideration. This is my current thinking:
A smart key that plugs into a usb slot that will provide a (you may have multiple) public key to a web site.
When you log on to a website you press a button on the "smart key" it will respond to exactly 1 challenge response.
You could password protect the smart key if you wished, but this is not the primary protection mechanism, that is possession of the key.
You could also have a back up key, you kept in a safe place just in case the other is lost.
The advantages are:
1. no web site can store your password since you never give it to them.
2. hard to issue multiple requests try to break the private key since it requires physical interaction for each request.
3. If you loose the card it can be replaced, you could have a central lost key repository. invalidating all logins that used that key at once.
4. The keys it generates could be random, well more random than passwords now.
5. no need to remember passwords.
6. you can have multiple "smart keys".
My bank card PIN is four digits. It's not the year I was born, nor is it any other year (or other four-digit number, for that matter) that you will find in my personal information.
For computer passwords I like the "first letter of a phrase" algorithm, producing passwords like TbontbTitQ and MRwiTDtESSahtuwws. Or pick a phrase, l33t it up a bit, and come up with something like W1nd0ze1sTehSux0r3. Long passwords are good.
The worst public web site I've encountered for silly password requirements is U.S. Customs eAPIS, which you use to send your information if you're going to fly privately to the U.S.A. Not only does it enforce silly password requirements, it doesn't tell you about them until after you have typed in your new password and it tells you why your password sucks. Yes, I end up writing them down.
...laura
I used to do this, until I couldn't remember if that was a 1 or l or L, or @ or A or a or 4. Or was that $, S or s .... And it is really hard to tell if that was a 0 or O or o.
But I never forgot the three words I used. I have a mental picture of a Mongoose fixing a car with a screwdriver (not my real password)
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Then has it with a salt and use the hash as your password. Unfortunately password character limits always rear their ugly heads.
So by compromising that one account you know of all the other accounts the user has? This is a tired tale of security from a non-hacker perspective.
I like the algorithm method (and even if the algorithm would be obvious to a human with access to 3-4 passwords, it would save you from some bot getting one password and simply trying the same pair at every major service), but when you have sets of requirements like this, it is impossible to implement. A and C are mutually exclusive, B is annoying (and actually reduces brute force complexity) but avoidable, and D will break your whole algorithm the first time it changes (unless you add a counter, but then you have to remember what iteration you are on).
I keep a little list in a google doc of the rarely accessed but important sites that have weird password requirements (since it is rare they tell you the requirements on the login page)...then at least I know that I may have had to modify my algorithm because '^*()' aren't valid characters, or that the requirements were dumb enough that I just said "screw it" and used some old insecure password that has probably been unknowingly leaked 15 times while hoping for the best.
Bottles.
Unkempt hair and bushy beard? Yup thats me. You know, I DID pick out terrible passwords when I was younger and early on in my career. However, being a sysadmin I had to learn to be better. First I thought I improved on my own....then I got called into the security guys office and he pointed at a jumble of letters on the board and said "Recognize anything there?".... my password was clearly embeded in the jumble. Damnit!
Soon after I learned to use mnemonics and never looked back.... not till I found out about passphrases ala xkcd's "Correct Horse Battery Staple", and password vaults. Now I don't choose my passwords, I generate them...and I only have to remember one really good one.
"I opened my eyes, and everything went dark again"
"women prefer length and men diversity"
Yes... yes they do.
"If any question why we died, Tell them because our fathers lied."
Sure that [sic] are tools like keepass or lastpass or whatever, but then you just need to break 1 password to have access to them all
I use a password keeper that encrypts the password file locally on my desktop. Not only would you need to break my passphrase (which obviously is fairly strong), but you'd also need physical (or at least remote) access to my Linux desktop. That adds a level of difficulty.
I always use randomly-generated passwords for web sites and I make them as long as I can.... 32 characters if the site permits, otherwise whatever the site maximum is.
True, but I guess my issue is that I log into websites from home, work, multiple mobile devices, friends house.
First of all, you should never log into an important site like a banking site from a machine you don't own and trust.
Secondly: My password keeper runs under X11, so I can tunnel an SSH connection to my desktop and start my password keeper. Oh, what about devices that don't support X? SImple: I don't use them. Even my phone supports X and has an SSH client.
Perhaps everyone quoting that xkcd should be aware that such passwords are no longer safe.
If you think to yourself after reading the first page, "But all of those long passwords were phrases, not nonsense strings!" then you should keep reading to page 2's sidebar for the list of passwords that were cracked using the methods in the article. Crackers have dictionaries of billions of words now and can try combinations and variations at GPU-fueled speeds. Length only protects you if and only if you can exhaust dictionary attacks.
The only safe password is long and either randomly generated or indistinguishable from it. Using some other device to store and auto-fill your passwords like a password manager or a device like a YubiKey is the only long-term solution. Humans are the weakest link.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
That's the good thing about tiers. If someone gets into my Slashdot account, I've lost nothing. If someone gets into my bank account, there's no reason to keep my second bank account separate, they've already compromised me financially, so I can use the same (weak) password on my forum accounts. There's nothing in them worth protecting. The only possible thing of note is that they'd get my email address, and possibly some home address (usually of somewhere I haven't lived in years).
Learn to love Alaska
I've been saying it for years: length! Thisshittasteslikechicken! Will take many, many years for any algorithm to crack. http://www.securityadminisanidiot.com/ will also assure security. Why don't management and administrators understand this?
I've worked at places where the password rules didn't match the rules enforced by the system. So I was told "Make a password with a 6 letter word, followed by two numbers". The rules were worded in a way that would allow a number anywhere, but it wouldn't allow one anywhere, and other problems like that, so all new employees were told to do 6 chars and 2 numbers, in that order.
Learn to love Alaska
If they can crack a website's passwords at GPU speeds it means the site is already been compromised.
That's why I don't bother making really strong passwords for most websites. It's a waste of my time - the site is more likely to get hacked then my password bruteforced over network connections. Every few months there's a web service getting pwned.
It's silly to waste time making your password much stronger than a typical website's admin password.
FWIW I've encountered at least one online bank that actually limits passwords to 8 characters for some unknown stupid reason.
That which is tricksy by nature is tricksy by virtue.
-- Tigger warning: This post may contain tiggers! --
I also blame sysadmins who frequently don't understand that security is contextual; you do not need the same level of password complexity for a gardening forum or slashdot that you need for your bank account. But you still see ridiculous requirements for low-security sites.
So that is who stole my gardening tips!
-- Tigger warning: This post may contain tiggers! --
I hate studies like this. Do people pick common passwords, of course they do. Does everyone pick an easy to guess password, of course not. Can it be blindly determined, for any given user, if their password is "simple" or "complex"? No.
The article puts the blame on the end user, when the truth is the problem is with the websites storing the passwords in plain text or as un-salted hashes and not locking out brute force attacks. What the researchers are really arguing is that
1) your account may be compromised if hackers break into the website and steal all the passwords.
2) your password might be easier to guess if it is related to you, hackers are targeting you personally (not likely), and the website doesn't lock the account out.
Don't blame the user, blame the developers and administrators for being lazy and/or inept and failing to protect people from themselves.
Average Intelligence is a Scary Thing
I don't think you understand the concept that the xkcd advocates.
The ars technica article is pointing out that context can grossly reduce the entropy in any given search space. If you're going to test combinations of words from different languages, for instance, you shouldn't bother with "crotalus fthagn" or "Cthulhu atrox" until you've already tried "crotalux atrox" and "Cthulhu fthagn". The point is that you can't beat the password crackers by picking something from an obscure search space -- in other words, it's a classic point against security by obscurity.
The XKCD is making a different point: that passwords comprised of unrelated words deprive the attacker of such information and are resistant to attack not because of the obscurity of the search space in which they're found, but because of its size. Perhaps 44 bits of entropy isn't enough to defeat extensive computational resources, but the point is that six words chosen out of the dictionary at random, all in lowercase, with spaces between them is a better password than "Cthulhu fthagn" because modern datamining techniques mean that it's likely to appear in someone's dictionary after all.
Nope, I use the Catalan sequence, Bell numbers, Fibonacci numbers, and various Mersenne primes. When I have to use letters, I use the letters below the numbers.
The more people I meet, the better I like my dog.
Just add the site name to the password:
Main password: stinkybutt
Home password: stinkybuttHome
Work password: stinkybuttWork
Slashdot password: stinkybuttSlashdot
If you want to get more secure, add something like the number of vowels in the word "Home" or the ASCII value of the 3rd consonant, or something like that.
Perhaps everyone quoting that xkcd should be aware that such passwords are no longer safe.
If you think to yourself after reading the first page, "But all of those long passwords were phrases, not nonsense strings!" then you should keep reading to page 2's sidebar for the list of passwords that were cracked using the methods in the article. Crackers have dictionaries of billions of words now and can try combinations and variations at GPU-fueled speeds. Length only protects you if and only if you can exhaust dictionary attacks.
The only safe password is long and either randomly generated or indistinguishable from it. Using some other device to store and auto-fill your passwords like a password manager or a device like a YubiKey is the only long-term solution. Humans are the weakest link.
Using software to store and auto-fill your passwords is the worst possible solution (a post-it on the monitor is more secure in practice). The result of that thinking will be trojan key-stores that simply inform their creator what your password is.
The point of the XKCD is that if you select n random words instead of n random characters you can get a password that can be memorized easily, and exploits the larger search space of words (compared to the smaller search space of characters that exist on your keyboard) meaning your password will be more secure and easier to remember.
A few users even use password reset tools every time they access services without even trying a password first.
Why blame someone who doesn't get their ambitions and capabilities mixed up?
Science advances one funeral at a time- Max Planck
The guy who complained loudly about his department introducing the requisite to use a password, and stop having account separation based on trust.
A password is something that, almost by definition, should be hard to guess, have no relation to the user, and be difficult to "shoulder-surf".
As such, the very definition of a password means that they are hard for THAT PERSON to generate, and hard to remember.
This really needs any kind of study or discussion?
That's only true if you never reuse passwords, which means you're pretty much forced to use something like Keypass anyway, and might as well make the password secure since it's just as easy to use a 32 character random string as it is a normal human password. If you don't use a password manager, then it's hard to come up with a memorable password for every goddamn site that needs a login these days. It's so damn annoying to google a problem and find a potential solution, but then click on the link and bet told "you must register a free account before you can view this forum."
Every time someone sets up forum software to require an account to simply read it, they should be kicked in the nuts. Requiring an account to post is totally ok, but requiring an account to read is not.
I read the internet for the articles.
It is my opinion that you cannot trust a human to make a good password.
You also cannot trust anything, a hard-disk, a notebook, a company(!) to store your passwords.
Which is why I use http://masterpasswordapp.com/ and I unlock it with a passphrase. The key elements here being: stateless, no storage, strong passwords.
``OK, so ten out of ten for style, but minus several million for good thinking, yeah?''
Seconded. give me an option to hide or show. If I need to hide it I will, otherwise, I'd rather it be seen.
Learn to love Alaska
A few users even use password reset tools every time they access services without even trying a password first.
I don't see that as a bad thing... choose an arbitrarily long password that you have no hope of remembering, don't write it down, and instead of logging in every time, send a one time use key to an e-mail address that, theoretically, I'm the only person who can access. Makes a certain sense, really....
That being said, I use a keyring app instead. I just have to remember the master password, and the keyring does the work for me. I have the arbitrarily long password (most of my passwords are at least 30 characters long, though some systems won't take passwords that long), and don't really worry about the physical access thing, because my disks are encrypted. There's a copy of the master file kept in an offsite location (gmail, because let's face it -- anybody who could access my gmail could subpoena access to any sites/systems in question anyway), and if my computer gets stolen I'll have plenty of time to change the passwords before they break the crypto. And honestly, they wouldn't bother to break the crypto, they'd just wipe the drive and start fresh.
Three words probably isn't enough. Optimistically assuming that you picked your three words from a 4096-word dictionary with a uniform probability distribution, that's only 36 bits of randomness, the equivalent of a 6-character case-sensitive alphanumeric password (without symbols). To equal a 8-character password with symbols (about 49 bits) you'd need at least four words, assuming the same 4096-word dictionary and uniformly random selection. To avoid similar-sounding and hard-to-remember words, a 2048-word list is more reasonable, in which case you'd need at least five words.
It's a good idea, though. Random words are generally a bit easier to remember and can be made secure, provided you don't let the user pick them. Unfortunately, many systems are not passphrase-friendly, with arbitrary limits on the length and content of the password field.
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
I have a different scheme: first one email per site, simply website@mydns.com, so that I know who the fuckers are that sell my email to spammers. Then a standard hard password, appended with the site's name, appended with some scheme (like the number of letters in the site's name, or the last and 1st letter, whatever). This way every site has different login info and it's very easy to remember.
Non-Linux Penguins ?
That's ridiculous !
Non-Linux Penguins ?
Oh, no: someone hacked into all the silly website accounts I have at once. It doesn't really matter to me if I lose my /., reddit, tumblr, facebook etc. accounts at once. My bank has a good password, as does everything else which could reasonably affect me.
Is 1563649 a prime number?
I thought you were just trying to fend off a boggart
> Then you get ridiculous requirements on some websites, like can't use special characters, can't be longer than 10 chars.
Concur 100%! That is by FAR the bigger problem -- noob admins who
a)
i) don't list their password policy (lists which characters are valid) OR
ii) use idiotic password schemas as short maximum-password-length, and
b) don't list WHY your password failed.
I wish there was a way for the government to fine online sites when they have too short a maximum password length.
Such passwords were NEVER safe. The reason passphrases CAN be good is that they can be made easy to remember while STILL BEING RANDOMLY GENERATED. Diceware is a good example: You get a LOT of entropy for each word in the phrase, so a short phrase of 5-6 words gives you a good password. Thinking up 5-6 words will give you a terrible password, since there will be very low entropy in your choices.
Not a sentence!
So you're a male with a bushy beard and unkempt hair?
I also use a tireed system. /. account ).
One password for all the sites I don't give a damn about security ( I actually care a little about my
Then a family of passwords for ones I care about, but have no risk to my finances and personal data.
Then secure passwords for sites that could be damaging to me should they get cracked. I use a password safe, which is triple encrypted, so one would need to crack three passwords in succession all in excess of 15 characters in length, and utilizing mnemonics in a language which I invented, except the first password was generated by a random algorithm so it's not very mnemonic (it took a while to memorize).
But I have a bushy beard and unkempt blond hair. So I guess my passwords aren't very secure. If triple encrypted randomly generated passwords in lengths of greater than 15 characters (the second password to pepare the safe for opening is over 40 non-repeating characters in length in "words" which exist in no publicly known language on the planet with a 50 character "alphabet"), is not secure enough, we're all in serious trouble.
Or perhaps this is just another case of Lies, Damn Lies and Statistics in a badly designed, implemented and fawlty conclusions study.
Although, I have no doubt many of my weak Internet passwrds are insecure, but easy to remember (for me, but register as strong or very strong on sites that actually give a damn).
My problem is being able to correctly type long character strings containing caps and special characters without visual feedback.
I could make my passwords much longer if I could see them as I type them.
I don't have much trouble with that on my computer, but it's a PITA on my iStuff, with neither visual nor tactile feedback.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
The average American high-school graduate knows approximately 45,000 words (1) nearly ten times the number you cited.
And, as I have stated elsewhere (above) the point of a long password is to get past dictionary attacks, and onto brute force. And right now, password length is a deciding factor to even attempt dictionary attack.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
I used to consider my email pw medium security. After all, my emails aren't that important. After I realized just how many important accounts, including banks, were tied to it, I changed the pw.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
Perhaps everyone quoting that xkcd should be aware that such passwords are no longer safe.
Nonsense. You don't understand the approach XKCD was suggesting; you can't defeat entropy by getting a bigger dictionary. If that were true, then AES-128 would be trivially easy to crack because I can enumerate all of the possible keys. I have a 100% perfect dictionary.
The point that by selecting a set of randomly-chosen words (do not do the selection yourself; use a random number generator) words, you can get a great deal of entropy in a fairly memorable form. It doesn't matter if the attacker knows the exact method you used (as long as it's random), and knows the exact dictionary you selected your words from; he's still going to have to try 2^n possibilities, where n is large enough to make brute force impractical.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
+1
The system is fine up to that point. For high security passwords, you really need a unique password per site.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
True story from my sys admin days.
It was a Netware 3.12 shop (yes!) and I thought it would be a good idea to scan for vulnerable user passwords. I bought and installed a commercial password-cracker tool for admins, and watched it run. Maybe 20% of our users had pretty bad passwords: MyFirstName123, obvious dates like birthdays, that sort of thing. I got in touch with each such user individually and counseled them to pick something more resistant. One of them was really surprised though.
She was from a village in India, a place so small nobody even really has last names. And she used her uncle's single given name as her password, telling me later that it seemed like something nobody here in the U.S. would ever guess. She was half right: none of the humans knew that name, but our cracker's dictionary attack sure did!
So your point is right on: it's not that the imaginary cracker would know this woman's uncle's name--but the cracker wouldn't be too far off in guessing that perhaps someone was using that name for a password.
Would it keep a government agency from brute-forcing on a super computer? no, but remember most password hacks are on websites, such as facebook, and these attacks go for the lowest hanging fruit (dictionary words and stupid combinations 987654321a). The real problem is with sites which allow brute forcing, I had an old skype account, which had the password brute forced (last year), lesson learnt for me about using a dictionary word followed by numbers, now for semi important stuff, like Skype I use a password which has a common element (including symbols) and the site name in the password, this ensures the stored hash is unique to that site. The other day I had a customer (my company sells software applications), send a scan of their passport to our support email, it was a surprise to us as we never request such documentation. The email he was responding to was from a non-existent address on our domain, when it bounced back to him, he found a working address and sent. The email which he responded to, looked just like one of our emails, but with extra paragraphs inserted, saying for security reasons photo ID was required. It was obvious that his email account was compromised (or servers would never send this email with extra information entered, unless they reprogrammed our backend software), and the attacker was reading all his email (inbox), that document would be read when bounced from our servers. This was a individually targeted attack on that individual (traced to Pakistan - as the attacker clicked on the software download link and was logged), it is scary the length this attack went to to get his passport scan.
Reading the summary, implies that people picked Blue because it was in the company logo. I wonder if the COMPANY picked blue because it's likely a color many people like, and therefore people use it in their passwords. As in "correlation is not causation".
Or you're telling me that Facebook just came up with blue because they had "intel" or "IBM" logos in front of them?
...girth is more important.
Not sure how that relates to passwords.
The pursuit of absolute tolerance leads to the most rigorous and ludicrous intolerance. - REX MURPHY
Whether those 'silly website accounts' being hacked is a problem depends on the amount of personal non-public information you have stored there. If enough information is compromised, it becomes really easy to use that information for social engineering purposes. They could simply call up your bank and tell them that 'you have moved to a new address and that you lost your bank card and need a new one'. Usually even they accept things like your DOB as valid identification. Retarded, but true more often than not.
That's why I'm born on 01-01-1970 when anybody who (or entity that) has no fucking business knowing my birth date asks.
The average American high-school graduate knows approximately 45,000 words (1) nearly ten times the number you cited.
Sure, but what are the odds of most of those being picked? The standard word-lists for systems like yours are only about 2000 words long, and for a good reason. You have to eliminate minor variations, sound-alikes, and long words with complicated spellings or you run into problems with people not being able to remember the exact variation they used in their passphrase. And if you let people pick their own words you'll be lucky to get beyond the top 1000 with any regularity.
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
Or you're telling me that Facebook just came up with blue because they had "intel" or "IBM" logos in front of them?
The way I've heard it is that when a company is deciding on branding, look at a couple enormous companies that have a well-established business and have been around for a long time. Chances are that they have spent a fair bit of money on marketing research and branding. Companies like IBM, for example. Look at the colors they use. You can either fund a study to figure out what colors people like, or have faith that IBM has already done such a study.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
A few users even use password reset tools every time they access services without even trying a password first.
I do that for various things like utilities. Blame the site designers who decided to lock me out of their online system without telling me how many tries I get, who then set the number of tries at 2. I try one password, it doesn't work, I try another one, I'm locked out and now I have to wait until tomorrow to call them. Why bother, just reset the password.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Would it keep a government agency from brute-forcing on a super computer?
Depends how many words you use. Use enough to get to, say, 80 bits of entropy, and assuming a decent (slow) hashing algorithm, yes it would.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Reading the summary, implies that people picked Blue because it was in the company logo. I wonder if the COMPANY picked blue because it's likely a color many people like, and therefore people use it in their passwords. As in "correlation is not causation".
Or you're telling me that Facebook just came up with blue because they had "intel" or "IBM" logos in front of them?
I'm thinking Blue Screen of Death is the reason.. Every body was used to seeing that until Red Hat came along.....
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
All of the examples they gave in the article break one of the fundamental rules in that XKCD strip. The words shouldn't be words that are easily associated with each other. Of course picking a quote straight out of fiction is stupid. Four random 4-6 letter words that don't appear together in common language usage would be harder to crack for people using the strategy in the article http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/
I don't think you understand the concept that the xkcd advocates.
This.
Also, what the article doesn't say is that the programs it uses as examples aren't that fast over a network, so if they're cracking the passwords at full speed, they've already compromised the site. Network speed plus other forms of detecting password crackers (such as locking out after 5 or 10 attempts) really slow down attempts to crack a password. This is why they tend to use dictionary attacks rather than brute force, dictionary attacks are faster and yield decent results.
The XKCD is making a different point: that passwords comprised of unrelated words
This again,
/.ers to know where this is from) but extremely unlikely to be found in a dictionary attack, especially with the punctuation (which is not 100% correct, but they're mistakes I make commonly, Grammar nazi's can bite me). So the only real way an attacker has to defeat this is via brute force, so the longer and more complex the password, the longer it will take over a network.
/. as you do for your knitting forum isn't that bad. However using the same password on your webmail or work account as you have on Facebook is terrible, so important accounts should have unique passwords whilst ones that are potentially vulnerable (such as a forum for your lawn bowls club) should never use a password that is the same as something important... Doubly so if that password is the same as the password you use on the email address you joined the forum with.
Along with being unrelated words they are easy to remember. For example "Shotgun, Raptor; clever girl" are pretty unrelated outside of the context (and I expect most
The other issue is password reuse.
A lot of people get around password resuse by using a password safe (such as key pass) but all this does is introduce a single point of failure. What people need to realise is that reuse can be managed, using the same password for
Calling someone a "hater" only means you can not rationally rebut their argument.
"...women prefer length..." I feel so lied to.
You didn't do the math :-)
If we were to count letters, the "correct horse battery staple" password would have ~117 bits of entropy (26^25 = ~2^117). But it doesn't, it has 44 bits. This is because it's a sequence of four words selected from a dictionary of 2048 entries. 2048^4 = (2^11)^4 = 2^44.
Assuming a good iterated password hashing function like, say, scrypt, 44 bits is pretty decent, and proof against anyone who isn't willing to throw tens of thousands of dollars at cracking that one password.
FWIW, I don't actually use XKCD-style passwords, not because of security deficiencies but because I have to use my passwords far too often to want to type anything that long. I shoot for 50 bits of entropy, but with shorter passwords. My passwords are generally 8 characters long, unless the character set specified by the system is too restricted to achieve 50 bits, in which case I add characters until I achieve the desired level. 50 bits is arguably excessive, but only if you assume that systems implement proper password hashing, with iterated hash functions and salt. I know from experience that you can't assume that, so I add a few more bits to be sure.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Now I haven't done very much (well any) research into these applications, but I would need something that is compatible with all of those device, and preferably one that I don't need to lug around on a usb key (which can be lost/stolen)
Using your own home-brew security rather than doing research on established solutions is, to a first approximation, always a terrible idea.
There are solutions like SuperGenPass which can generate passwords on the fly by multiple-round hashing and can be trivially accessed from any device. However, I'd argue that if you have access from (multiple!) mobile devices, you don't need any special access from your friend's house, unless your friend has a strict no-mobile policy in place. Once you have a mobile device in place, there are lots of applications -- LastPass, 1Password, KeePass, KeePassX, &c., that will all serve your needs. I use KeePassX (and the compatible KeePassDroid on my phone) and synchronise my password database by storing it in Dropbox, which runs on all platforms I care about, partially because I prefer not to have a cloud password company be in charge of my password data. (I don't regard Dropbox as highly secure, but the odds of anyone breaking into my Dropbox account and subsequently breaking some two million rounds of AES applied by KeePassX...this is not a danger that keeps me awake at night.)
Another nice feature of KeePassX (which the others may have as well, I'm not sure) is the ability to generate passwords for different sets of rules. If some site irritatingly allows only 10 character passwords with a restricted set of symbols, you can configure its random password generator to satisfy that restriction. I don't think I've come across a site yet with requirements it can't generate passwords for.
Incidentally, key files (on USB sticks or similar) are there to enhance, not reduce, security: you can configure the software to require both a passphrase and the key file, s.t. even a stolen USB stick doesn't severely compromise your security. Of course, very thorough backups would be adviseable...but if you store all the passwords you ever use in one database file, you hopefully back things up thoroughly already.
(The one nuisance is a consequence of shitty websites: my default settings generate superfluously long random strings because why not?, certainly won't hurt, but some sites will silently truncate your passwords to whatever their undisclosed maximum length is. Since they don't necessarily truncate it identically on login as on password registration, this means that long passwords will fail on some shitty login systems. Of course, this would apply equally well to manually generated passwords, if long enough.)
Far from that. 2^n is assuming there is a possibility all the words are used.
No.
With a 2048-word dictionary, you get 11 bits of entropy per randomly-selected word (because 2048 = 2^11). A four-word example like the one Munroe suggested therefore has 44 bits of entropy -- with four words n = 44.
For 2048 word dictionary, with average word size 5, 2^n means a password of length 0 to 10240 (over ten thousand) characters
Ah, I see, you think we're trying to achieve n = 2048? Not at all. The point is to achieve a reasonable level of entropy in a memorable way. If you want a password space of 2^44 with randomly-selected lowercase letters you have to use a 10-letter password, but a sequence of 10 randomly-selected letters is pretty hard to remember. Even if you use an alphanumeric character set, with upper and lower case, and throw in another 10 symbols for a character set of size 72, you'd still need 8 characters.
The beauty of the XKCD approach is that you can much more easily remember four random words -- or four images, especially if you can invent some relationship between them -- than 8 random characters.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Assume 0-10 words are required for this, reducing 2^n to n^10 (same word can be chosen twice in the same password, of course). Then all permutations of those 10 words are required, so multiply it by factorial 10.
Oh, one correction: You already accounted for all the permutations in the initial selection n^10 (assuming n is the number of words in the dictionary). Multiplying by 10! results in over-counting. n^10 is the entropy... and if n=2^11, you've got a 110 bits of entropy which is an incredibly strong passphrase.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
They may know 45k words (and there are roughly 300k English Dictionary words), but the number of commonly used words is far less. Estimates that I've seen over the years say that the commonly used English words is around 5k to 10k.
So unless the user has a very large vocabulary and the good sense to stay away from those 5k-10k most frequently used words, you can get a long way into cracking passwords by sticking to those frequently used words.
5k ^ N is a lot smaller then 45k ^ N or 300k ^ N.
Wolde you bothe eate your cake, and have your cake?
Ah, I see, you think we're trying to achieve n = 2048? Not at all
Ok, I am not sure what you meant by n if they have to try 2^n possibilities, and n is not the dictionary size. You still haven't defined "n" for the statement "still going to have to try 2^n possibilities"
Unless you defined n as the log of number of times the cracker has to try. Was that statement meant as a tautology ?
Bingo Dictionary - Pragmatist, n. A myopic idealist.
Right, thanks.
Bingo Dictionary - Pragmatist, n. A myopic idealist.
? 9*log(62)/log(2)
:-(
53.58776679348187687925511239
I'd ad an extra character, if I were you.
If I were me, I'd add 2 characters to my current scheme, as my typical passwords are the <2^50 range
Anyone not salting passwords should be shot. Salt can be worth 20 bits of security if you're not specifically targetted. (But maybe nothing if you are specifically targetted.)
Also FatPhil on SoylentNews, id 863
Yes, 2^n is just the keyspace size. I expressed it that way for analogy with the AES keyspace size, and used 'n' rather than specifying a value because it obviously depends on how many words you use and what size dictionary. I suppose I could have written 2^(word_count * log_2(dict_size)).
The point is that Valdrax was wrong; you can certainly achieve entropy in an XKCD-style key.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Likely the backend system is/was a mainframe with RACF, which can have limitation of 8 characters to their passwords.
So why doesn't the front-end hash the user's password and use the base64 of the first 48 bits as the mainframe password, preserving up to 48 useful bits of entropy?
a bad password gives the same result as not having a username
In your system, what happens when a user attempts to use an unknown username to register, begin self-service password reset, or visit a user's public profile? A growing number of systems, such as two of the three banks I interact with, will ask for a username on one form and a password on the next to increase security against phishing.
Perhaps everyone quoting that xkcd should be aware that such passwords are no longer safe.
If you think to yourself after reading the first page, "But all of those long passwords were phrases, not nonsense strings!" then you should keep reading to page 2's sidebar for the list of passwords that were cracked using the methods in the article. Crackers have dictionaries of billions of words now and can try combinations and variations at GPU-fueled speeds. Length only protects you if and only if you can exhaust dictionary attacks.
The only safe password is long and either randomly generated or indistinguishable from it. Using some other device to store and auto-fill your passwords like a password manager or a device like a YubiKey is the only long-term solution. Humans are the weakest link.
Using software to store and auto-fill your passwords is the worst possible solution (a post-it on the monitor is more secure in practice). The result of that thinking will be trojan key-stores that simply inform their creator what your password is.
The point of the XKCD is that if you select n random words instead of n random characters you can get a password that can be memorized easily, and exploits the larger search space of words (compared to the smaller search space of characters that exist on your keyboard) meaning your password will be more secure and easier to remember.
Better yet, randomly capitalize and use aural memory to remember where they are. "Correct horse, BATtery staPLE!" If say it aloud a few times (in private, of course), pronouncing it with stress on the capitals, you'll remember it easily, even if it's silly :) Of course you might have to leave out the punctuation, depending on the password field tolerances...which sucks.
"I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
Countermeasures against certificate-loss: backups (difficult) or sync-tools such as Firefox Sync. Makes it useable at every device you own.
I own many devices that can't run Firefox Sync. Including my TV and Blu-Ray player, from which I need to log in to services with a password to access content. And my e-book reader. And my command line only server. And my car. And ...
Assuming that wasn't sarcastic, one would define "site's name" in terms of the last part of the hostname before a public suffix. For example, in "it.slashdot.org", the public suffix is "org", and the part before that is "slashdot", giving "sla" as the site name.
Those passwords are completely trivial.
Of course they were: they were examples.
The point of the system is that you can increase the complexity of your passwords without having to write down each one.
For all those 100+ websites you should use your OpenID. if you don't have one It might be enough with your facebook account. Most of the sites now a days accept any of those so you don't have to memorize hundreds of passwords.
--
Title says it all. You have to remember your password, so you probably won't use a password like "afi9blm#20niv8__q4i".
Pseudo-words - i.e. words that you can read but are in no dictionary - are probably slightly better, but I wouldn't rely on passwords at all in the first place.
BTW if somwone is interested, this tool CAN generate readable pseudo-words like "foliticalling", "uppet" or "furvicially".