Why People Are So Bad At Picking Passwords
mrspoonsi writes "Studies suggest red-haired women tend to choose the best passwords and men with bushy beards or unkempt hair, the worst. These studies also reveal that when it comes to passwords, women prefer length and men diversity. On the internet, the most popular colour is blue, at least when it comes to passwords. If you are wondering why, it is largely because so many popular websites and services (Facebook, Twitter and Google to name but three) use the colour in their logo. That has a subtle impact on the choices people make when signing up and picking a word or phrase to form a supposedly super-secret password. The number one conclusion from looking at that data — people are lousy at picking good passwords. 'You have to remember we are all human and we all make mistakes,' says Mr Thorsheim. In this sense, he says, a good password would be a phrase or combination of characters that has little or no connection to the person picking it. All too often, Mr Thorsheim adds, people use words or numbers intimately linked to them. They use birthdays, wedding days, the names of siblings or children or pets. They use their house number, street name or pick on a favourite pop star. This bias is most noticeable when it comes to the numbers people pick when told to choose a four digit pin. Analysis of their choices suggests that people drift towards a small subset of the 10,000 available. In some cases, up to 80% of choices come from just 100 different numbers."
These studies also reveal that when it comes to passwords, women prefer length and men diversity.
We are still talking about passwords, right?
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
http://xkcd.com/936/
So, before choosing an important password make sure you have shaved, had a haircut and dyed your hair red.
(A sex change is asking too much though.)
http://xkcd.com/936/
who where what when now?
... for RMS !
Time for bed, said Zebedee - boing
What is the quality of the password then?
As a very well known xkcd points out, a great deal of the problem could be averted if people were encouraged to use long passphrases with spaces and everything rather than a pass'word'. password as a concept was good enough for the time of its popularity, to defend against people typing their way into someone else's account. When the model fell apart in a world with much more automation and network connectivity, the 'fix' was 'keep length about the same, but toss some numbers and maybe some punctuation in there'.
The madness comes in when a great deal of the sites I visit put a 12 character *maximum* on a password for their site.
My personal strategy: base64.b64encode(os.urandom(12)) for every site and store the values on a couple of my devices with a phrase that is about 32 characters long (but easy for me to remember and easy to type). Hashing a master key with the domain to generate passwords like some chrome and firefox plugins (password hasher) can do is similarly nice without having to worry that you won't have access to the copy of the database. Of course, the annoying thing is my 16 random numbers and letters frequently fail the 'complexity' check and I have to add some punctuation character to it.
XML is like violence. If it doesn't solve the problem, use more.
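The two approaches in the post above (a random base64 value per site, and deriving each site's password from a master phrase plus the domain), as an added Python example that is not from the poster or from any of the plugins mentioned; the master phrase and domains are constructed sample values, and HMAC-SHA256 is assumed here as the derivation function rather than being what any particular plugin uses.

```python
import base64
import hashlib
import hmac
import secrets
import string


def random_site_password(nbytes: int = 12) -> str:
    """Random per-site password in the style of base64(os.urandom(12)).

    12 random bytes carry 96 bits of entropy and encode to exactly 16
    base64 characters with no padding. secrets.token_bytes is the
    CSPRNG-backed equivalent of os.urandom.
    """
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def derive_site_password(master: str, domain: str, length: int = 16) -> str:
    """Deterministic per-site password from a master phrase plus the domain.

    Nothing is stored: the same master and domain always reproduce the
    same password, so losing a device does not lose the passwords.
    HMAC-SHA256 keyed with the master phrase is an assumption here, not
    the construction any particular plugin uses. The trade-off is that
    anyone who learns the master phrase can regenerate every password.
    """
    digest = hmac.new(master.encode("utf-8"),
                      domain.lower().encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def passes_complexity_check(password: str) -> bool:
    """Typical site rule: at least one lowercase, uppercase, digit and symbol.

    base64 output only ever contains '+' and '/' as symbols, so a random
    16-character value often fails this check, which is the annoyance
    the post describes.
    """
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return all(any(c in cls for c in password) for cls in classes)


def with_symbol(password: str, symbol: str = "!") -> str:
    """Append a punctuation character only when a site's check demands one."""
    return password if passes_complexity_check(password) else password + symbol


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(random_site_password())
    print(derive_site_password("thirty two character phrase here", "Example.com"))
```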
Please tell me no one is surprised by the general conclusion (haven't we been here a time or ten before?) of these studies. Add to this the corporate or government attitude demonstrated so equivalently here, the lack of effective computer security training, including a complete failing of organizations to have or heaven forbid enforce policies about password practices and you've got a pretty pickle.
Sadly, it took the recent Adobe compromise to get me to finally start using a password wallet and use different passwords for each Internet service I use. Have to admit I was stunned by the number of accounts I had when I got through most of the sites I access.
After hearing a few disturbing stories from my wife, about how computer security and passwords are treated at her place of work, I stepped up my training for her and her co-workers that will listen. Based on what I've heard from her the choice of poor passwords is the least of our troubles.
Unless the underlying problem of poor culture surrounding computer security is changed and an understanding of the associated risks is cultivated, it won't matter one whip whether users can choose "Good Passwords TM".
A lot of these studies come from accounts where people do not care if someone else knows the password, because the password doesn't protect anything of use to the subscriber. For accounts like that, my password is the same as my username, and it is linked to a spamtrap email account that doesn't get used for anything else. I know it is insecure, but I don't care.
Here is the problem: You constantly hear about don't use the same password on every site. Ok, makes sense, except that a lot of people have login information to 100+ websites. Sure there are tools like keepass or lastpass or whatever, but then you just need to break 1 password to have access to them all.
Then you get ridiculous requirements on some websites, like can't use special characters, can't be longer than 10 chars. Why? You should be using a hashing algo which means special characters or max length shouldn't matter (within reason).
I have about 4 passwords
My low security one where I do not give a shit if people hack my account eg slashdot/most forums
Medium security - Password for sites I care a little about and that contain some personal information eg, some forums, some online shopping sites that don't store cc info, etc
High security - Mostly used for sites that are used for purchasing things and that have linked CC info to it
Very High security - Used for financial institutions
This way I always know when I go to a site which password it uses.
However, I have been thinking about changing slightly how I do my passwords... the base password will always stay the same, but I may prepend or append the first 3 characters of the site's name or something (maybe not quite this obvious). This may increase security of the password a little, as well as the benefit of most passwords being unique.. but not sure how much it increases the security by.
If we start with the assumption that passwords must be memorized somewhat, we are better remembering things with an attached meaning than something random, and those meanings usually make bad passwords. But we don't need to remember all passwords; there are password managers for making and storing a bunch of meaningless, secure passwords, and for the keys you must remember (the password manager one at the very least) there are some mnemonic tricks that can help to have safe enough passwords.
If a system is making it possible for you to do a brute force attack for "days" then your system is the problem more than your password.
Sorry, but brute force attacks should throw up a red flag in a way that any well designed system can automatically detect it and shut down the user account. Most already do this in more roundabout fashions such as locking the account after a number of invalid tries or by forcing the user to wait between failed attempts or a combination of both.
Dedicated Cthulhu Cultist since 4523 BC.
Must be an idle day at the BBC. A couple paragraphs of statistical wank about physical attributes seeming to correlate with password quality. Then a rehash of old news about bad passwords being easy to crack. My hair is unkempt and I have a 62 character password encompassing a good chunk of ASCII printable characters. Bring on the "compensating for something" jokes. ;)
On passwords, what was once thought to be good password security is no longer true. The length of a password matters more than diversity and given the right instructions, can be much easier to remember than complex passwords.
My current suggestion for passwords is this: Pick three (or more) random words. mongoose, screwdriver, automobile. Now you have a password you can remember, but is very hard for a computer to "crack" and you only have to remember three things, as opposed to memorizing eight (or more) things that don't make any sense.
And, to make it unique for each System you log in to, add in the name: Amazon Mongoose Screwdriver Automobile, or Ebay or whatever.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
there are a lot of sites, that require setting up and account, i could care less about. i use a junk email account and a simple junk password. those accounts, if they are hacked, won't give you any useful information to get into another site's account that i do care about. i think many people do the same. those junk sites also get hacked and the stolen lists get published. then the appalling headlines stating "OMG these passwords are so easy!!!" get published... so what...
All of us. We just choose a different place to start.
"people are lousy at picking good passwords"
This begs the question. There is some reasonable expectation that people should learn to properly use the tools of modern society, but in the end, the tools should serve the people, not the other way around. If your car pulled to the left, would you say you were lousy at driving in a straight line? No, you'd say your car was out of alignment and get it fixed.
A password is something we're expected to remember, but we're wrong to pick words or numbers that might be easy to remember, such as familiar names or dates. Even if you say pick a system of choosing passwords to remember rather than an individual password, that's impossible. Every different system and site has different password requirements, so no single easy to remember system will work for all of them.
"You have to remember we are all human and we all make mistakes"
Yes, and Mr Thorsheim's mistake is assuming the issue is with the people who are using the system and not the people designing the system. The truth is,
"password systems are lousy at serving people."
(as an aside, WTF is up with systems that do not allow special characters in passwords? Are they worried about SQL injection? If that's possible from a password field, the system is FUBAR.)
your favorite color".
Blue... No, RED!
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
A brute force attack is typically done on a stolen list of hashed passwords, not on the running system.
I use regexes related to the site name/function. (*)
Now the hackers have 2 two problems when they want to break into my account!
* I actually do incorporate regex like strings.
I am Slashdot. Are you Slashdot as well?
... and your favorite color".
green ... no blue.
I ended up using something similar. I just have a bunch of memorized passwords using a very simple 3 keyed format
like "AB#" "EF#" "I#K"
This way whenever I need a new password to add to my list I write anything that pops into my head on a note. for example..
J92bd3Yp4. "J92" "bd3" "Yp4". write it down, use it for a week until it's memorized and it's done. I have about 6 passwords in this format completely memorized and cycle them everywhere.
did you forget to take your meds?
If it's good enough for nuclear launch code, it's good enough for my bank card!
If I have been able to see further than others, it is because I bought a pair of binoculars.
If an attacker were brute-forcing against an account, something like sshguard or a lockout mechanism [1]. However, since hashed password lists like /etc/shadow are the target, once those are snarfed, those can be cracked at the blackhat's leisure. Stuff like bcrypt helps, but there is a balance between having a number of rounds high enough to slow down an attacker, versus it interfering with legitimate uses.
I have a dedicated appliance that is in testing stages which just stores usernames and hashes, and does not allow the whole database to be dumped at once to a remote site (access is done per user, and the only thing returned is "yes" or "no", so a bad password gives the same result as not having a username.) It will help with this, but still awaits any real commercial use.
[1]: I set Windows's mechanism on an AD forest to be only 3-5 minutes for a lockout, not 20. That is enough to stop the people trying random stuff, but not paralyze a user too long, assuming the attack isn't still going on.
Given that it's widespread across huge numbers of people, presumably of all kinds and intelligence levels, I think that dismissing the problem as being because people are too lazy/stupid is...well....lazy and stupid.
Remember that people treat their computers like a social being - and a subordinate one at that. Every morning, someone will go and sit down at their office computer and find it's forgotten who he is, even though it sees him every day. He can walk away for an hour and it'll forget again. It'll fail to understand that he's him over and over again as he uses websites, servers, etc, stopping each time to refuse his instructions and demand that he perform some silly little task purely to help the computer out in functioning correctly: remember an irrelevant string of nonsense. And, very occasionally, the computer will fail and do something like send banking details to someone in Russia, or show his ex-wife his e-mails to his lawyer.....even though it's blatantly obvious to even an imbecile that these are the wrong things to do.
We all know that computers are unintelligent tools that are not capable of doing better than this - on slashdot, at least. But it still feels like talking to a forgetful, obstructive, naive, reckless, stupid and insubordinate little shit. Even the most stupid of assistants should be expected to do better most of the time.
People can certainly do better, but we have to accept that humans behave like humans and recognize that we're going to need to improve the technology as well as people's habits. In the short term that could mean things like providing ways to generate secure passphrases and asking them to write them down, using authentication devices and using UIs to promote better practices....and we need security researchers who stop looking at memory dumps for a while and look for more secure ways to interact with users.
Re-using the same "high security" or "very high security" password across financial institutions, etc., is a recipe for disaster. You may have very high security standards... but it turns out sometimes those tasked with taking care of the peons' data don't (and fail on simple precautions like salted hash password storage). Whichever institution has the crappiest security gets hacked (maybe even that old bank you moved your money out of years ago), and suddenly all your accounts are vulnerable.
The proper and secure way to do things is one high-security passphrase, that decrypts your (well-backed-up) encrypted store of thoroughly unmemorable random character passwords for each institution. It takes a couple extra seconds to look up the password for each site, and puts additional control over security in your own hands (which care more about you personally losing all your monies than some random bank contractor). And, for anything that you use moderately often, you'll end up remembering the random-jumble password just fine after the first several times typing it in.
Every time I see articles like this, I feel compelled to bring up the solution I'm using, which is (so far) the single best solution I have been able to find.
It's called 1Password. Runs on Mac, Windows, Linux (read only I think), iOS, Android, and has plugins for all major browsers.
It records your login details for you, has a password generator that you can customize in various ways, and stores an AES encrypted archive on dropbox so that all your devices can sync together.
Now I can safely create new logins everywhere with abandon, because if one service is compromised (*cough*Adobe*cough*) I'm not afraid something else is at risk.
It can generate passwords up to 50 characters in length with your choice of number of digits and symbols. It can even make easily pronounceable passwords if you need, and avoid ambiguous characters (eg O (oh) and 0 (zero) ).
It's a little pricey, but IMO it's worth every penny because there is no other product out there that is this easy to use, AND supports so many platforms all at once.
The proper way is to use a good password manager with the following features:
1) cloud-based sync, so you can access it from any computer or mobile device
2) multifactor authentication, such as a USB stick or a grid or biometrics
3) a configurable password generator (i.e. you can choose length, complexity, etc.)
I use LastPass and like it enough to have bought a year's subscription for $12, but there are other good choices out there like 1Password, or you could homebrew up something with e.g. DropBox + KeePass or Google Drive + TrueCrypt + something that can read TC volumes on iOS/Android.
Generate a different random password for each site needing an account, as complex and as long as the site will allow for, and with LastPass at least you can attach a note to each site's entry so you could enter random line-noise answers for security questions like "What is your mother's maiden name?", thus making crackers work much harder. I've also got LP set up for multifactor authentication and with a strong master password.
Hail Eris, full of mischief...
E pluribus sanguinem
The only realistic way to fulfill all these requirements:
1) 100+ passwords
2) every password unique
3) every password good
4) no password stored or written down.
is to create an algorithm that only you know. For instance, the 3rd letter of the url + a pin + the inverse color of the company logo, etc...
That's simple enough but my problem is that as soon as I create one every 3rd website has some stupid password requirement that won't allow it so I'm back to writing down all the exceptions.
I use LastPass and the two-factor authentication adds a lot to the security. If someone can guess my password and obtain my two factor secret, I'm probably screwed regardless of what I did. I also enable two-factor on as many sites as I can (stupidly most banks don't have that).
Hire Allyson Hannigan to choose your passwords. PROBLEM SOLVED in sexiest way possible.
The problem with "restraining order" is that it's too short to be a useful passphrase.
SJW n. One who posts facts.
I like the algorithm method (and even if the algorithm would be obvious to a human with access to 3-4 passwords, it would save you from some bot getting one password and simply trying the same pair at every major service), but when you have sets of requirements like this, it is impossible to implement. A and C are mutually exclusive, B is annoying (and actually reduces brute force complexity) but avoidable, and D will break your whole algorithm the first time it changes (unless you add a counter, but then you have to remember what iteration you are on).
I keep a little list in a google doc of the rarely accessed but important sites that have weird password requirements (since it is rare they tell you the requirements on the login page)...then at least I know that I may have had to modify my algorithm because '^*()' aren't valid characters, or that the requirements were dumb enough that I just said "screw it" and used some old insecure password that has probably been unknowingly leaked 15 times while hoping for the best.
Bottles.
That's the good thing about tiers. If someone gets into my Slashdot account, I've lost nothing. If someone gets into my bank account, there's no reason to keep my second bank account separate, they've already compromised me financially, so I can use the same (weak) password on my forum accounts. There's nothing in them worth protecting. The only possible thing of note is that they'd get my email address, and possibly some home address (usually of somewhere I haven't lived in years).
Learn to love Alaska
I've been saying it for years: length! Thisshittasteslikechicken! Will take many, many years for any algorithm to crack. http://www.securityadminisanidiot.com/ will also assure security. Why don't management and administrators understand this?
If they can crack a website's passwords at GPU speeds it means the site has already been compromised.
That's why I don't bother making really strong passwords for most websites. It's a waste of my time - the site is more likely to get hacked than my password bruteforced over network connections. Every few months there's a web service getting pwned.
It's silly to waste time making your password much stronger than a typical website's admin password.
FWIW I've encountered at least one online bank that actually limits passwords to 8 characters for some unknown stupid reason.
I don't think you understand the concept that the xkcd advocates.
The ars technica article is pointing out that context can grossly reduce the entropy in any given search space. If you're going to test combinations of words from different languages, for instance, you shouldn't bother with "crotalus fthagn" or "Cthulhu atrox" until you've already tried "crotalus atrox" and "Cthulhu fthagn". The point is that you can't beat the password crackers by picking something from an obscure search space -- in other words, it's a classic point against security by obscurity.
The XKCD is making a different point: that passwords comprised of unrelated words deprive the attacker of such information and are resistant to attack not because of the obscurity of the search space in which they're found, but because of its size. Perhaps 44 bits of entropy isn't enough to defeat extensive computational resources, but the point is that six words chosen out of the dictionary at random, all in lowercase, with spaces between them is a better password than "Cthulhu fthagn" because modern datamining techniques mean that it's likely to appear in someone's dictionary after all.
Just add the site name to the password:
Main password: stinkybutt
Home password: stinkybuttHome
Work password: stinkybuttWork
Slashdot password: stinkybuttSlashdot
If you want to get more secure, add something like the number of vowels in the word "Home" or the ASCII value of the 3rd consonant, or something like that.
Perhaps everyone quoting that xkcd should be aware that such passwords are no longer safe.
If you think to yourself after reading the first page, "But all of those long passwords were phrases, not nonsense strings!" then you should keep reading to page 2's sidebar for the list of passwords that were cracked using the methods in the article. Crackers have dictionaries of billions of words now and can try combinations and variations at GPU-fueled speeds. Length only protects you if and only if you can exhaust dictionary attacks.
The only safe password is long and either randomly generated or indistinguishable from it. Using some other device to store and auto-fill your passwords like a password manager or a device like a YubiKey is the only long-term solution. Humans are the weakest link.
Using software to store and auto-fill your passwords is the worst possible solution (a post-it on the monitor is more secure in practice). The result of that thinking will be trojan key-stores that simply inform their creator what your password is.
The point of the XKCD is that if you select n random words instead of n random characters you can get a password that can be memorized easily, and exploits the larger search space of words (compared to the smaller search space of characters that exist on your keyboard) meaning your password will be more secure and easier to remember.
A few users even use password reset tools every time they access services without even trying a password first.
Why blame someone who doesn't get their ambitions and capabilities mixed up?
Science advances one funeral at a time- Max Planck
That's only true if you never reuse passwords, which means you're pretty much forced to use something like KeePass anyway, and might as well make the password secure since it's just as easy to use a 32 character random string as it is a normal human password. If you don't use a password manager, then it's hard to come up with a memorable password for every goddamn site that needs a login these days. It's so damn annoying to google a problem and find a potential solution, but then click on the link and be told "you must register a free account before you can view this forum."
Every time someone sets up forum software to require an account to simply read it, they should be kicked in the nuts. Requiring an account to post is totally ok, but requiring an account to read is not.
I read the internet for the articles.
It is my opinion that you cannot trust a human to make a good password.
You also cannot trust anything, a hard-disk, a notebook, a company(!) to store your passwords.
Which is why I use http://masterpasswordapp.com/ and I unlock it with a passphrase. The key elements here being: stateless, no storage, strong passwords.
``OK, so ten out of ten for style, but minus several million for good thinking, yeah?''
I have a different scheme: first one email per site, simply website@mydns.com, so that I know who the fuckers are that sell my email to spammers. Then a standard hard password, appended with the site's name, appended with some scheme (like the number of letters in the site's name, or the last and 1st letter, whatever). This way every site has different login info and it's very easy to remember.
Non-Linux Penguins ?
Perhaps everyone quoting that xkcd should be aware that such passwords are no longer safe.
Nonsense. You don't understand the approach XKCD was suggesting; you can't defeat entropy by getting a bigger dictionary. If that were true, then AES-128 would be trivially easy to crack because I can enumerate all of the possible keys. I have a 100% perfect dictionary.
The point is that by selecting a set of randomly-chosen words (do not do the selection yourself; use a random number generator), you can get a great deal of entropy in a fairly memorable form. It doesn't matter if the attacker knows the exact method you used (as long as it's random), and knows the exact dictionary you selected your words from; he's still going to have to try 2^n possibilities, where n is large enough to make brute force impractical.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
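The entropy argument in the post above, together with the 44-bit xkcd figure and the "length alone is not enough" objection raised earlier in the thread, worked through as an added Python example that is not from any poster; the eight-word list is a constructed stand-in for a real dictionary and the guess rate is an assumed figure, not a measurement.

```python
import math
import secrets

# Constructed stand-in for a real word list. A Diceware-style list has 7776
# entries; the xkcd 936 estimate assumes roughly 2048 candidate words.
SAMPLE_WORDLIST = ["mongoose", "screwdriver", "automobile", "crotalus",
                   "atrox", "penguin", "zebedee", "alaska"]


def passphrase_entropy_bits(dict_size: int, n_words: int) -> float:
    """Entropy of n words drawn uniformly and independently from dict_size words.

    The attacker is assumed to know both the dictionary and the method and
    still faces dict_size**n_words guesses; that is the whole argument.
    """
    return n_words * math.log2(dict_size)


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` characters drawn uniformly from alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at a fixed offline guess rate."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


def generate_passphrase(wordlist: list[str], n_words: int) -> str:
    """Pick the words with a CSPRNG; a human's 'random' choice is not uniform."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def apparent_vs_actual_bits(phrase: str, dict_size: int) -> tuple[float, float]:
    """Why length alone is misleading for a phrase built from dictionary words.

    A character-level model credits one letter's worth of entropy per
    character; the word-level model a cracker actually uses credits only
    log2(dict_size) per word. The second number is the one that matters.
    """
    letters = sum(1 for c in phrase if c.isalpha())
    n_words = len(phrase.split())
    apparent = password_entropy_bits(26, letters)
    actual = passphrase_entropy_bits(dict_size, n_words)
    return apparent, actual


if __name__ == "__main__":
    rate = 1e9  # assumed offline guess rate against a fast hash, per second
    for words in (4, 6):
        bits = passphrase_entropy_bits(2048, words)
        print(f"{words} words from 2048: {bits:.0f} bits, "
              f"{years_to_exhaust(bits, rate):.4f} years to exhaust")
    print(apparent_vs_actual_bits("mongoose screwdriver automobile", 2048))
    print(generate_passphrase(SAMPLE_WORDLIST, 4))
```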