Password Security: Why the Horse Battery Staple Is Not Correct

First time accepted submitter Dadoo writes By now, everyone who reads Slashdot regularly has seen the XKCD comic discussing how to choose a more secure password, but at least one security researcher rejects that theory, asserting that password managers are the most important technology people can use to keep their accounts safe. He says, "In this post, I'm going to make the following arguments: 1) Choosing a password should be something you do very infrequently. 2) Our focus should be on protecting passwords against informed statistical attacks and not brute-force attacks. 3) When you do have to choose a password, one of the most important selection criteria should be how many other people have also chosen that same password. 4) One of the most impactful things that we can do as a security community is to change password strength meters and disallow the use of common passwords."

Oh great

[Falos]

> asserting that a single point of ultimate failure is the most important technology
Yeah, it's important all right. Critical, even.

We're being awfully slow about teaching people to adopt passphrases. Simple, no number no symbol nonsense.

"rrrybgdts" is a nursery rhyme. It doesn't even have to be written on a sticky.

Re:Oh great

[roc97007]

In theory it is, but in practice "Love is beautiful, like birds that sing." is more likely to show up in a dictionary attack than a random string of gibberish. Just because it's nearly impossible to brute force doesn't mean it's necessarily a good password. Popular pharses, lyrics, Bible verses, etc can be substituted in a guessing algorithm just like using "$" instead of "S". Here's an interesting article about some of that:
http://arstechnica.com/securit...

Perhaps, but I think that's why the xkcd comic stipulated four random words. It's the human mind's ability to see patterns or visualizations in words ("It's a battery staple!" "Correct!") that makes such phrases easy to remember.

I agree that common phrases may not be good choices. But I'm pretty sure that "gopher banana rim plunger" would be fairly immune to attack, although perhaps unpleasant to visualize.

Re:symbols, caps, numbers

[unfortunateson]

> symbols, caps and numbers are still very useful when the site limits password length.
I disagree: Insist that there must be a cap, and it will be the initial letter in >90% of the cases.
Insist that it have numbers, and they'll either be trailing (often the year, especially if you require two digits)
Insist that it be symbols, and you'll probably find a period or comma at the end (the only symbols commonly available on the first smartphone keyboard screen).

So, now I've changed the two digits to one out of ten, and instead of a random character out of the 70 or so common ASCII characters, I'm probably starting with just one of the uppercase letters.

At one point when I was a system administrator and we only required 6-digit passwords changed every 90 days, I could log in to 3/4 of the computers with "spring", "summer", "autumn" or "winter". When we beefed up to 8 digits with numbers, it would be "spring95", "autumn96" etc.

You've got to make it more random: Pick a phrase, a song lyric, a movie quote. Change a word or two. Make some letters just the initials, a word all in caps, a number substitution: "You light up my life" -> "uL1GHT^ml". That's unlikely to be in a cracker dictionary (until today, of course).

lost password process as an attack vector

[roc97007]

Even with the best password, memorized or securely stored doesn't protect you against a password recovery process that's improperly engineered. Often an institution, even a BANK, will give you as a recovery password a choice from perhaps six possibilities, any of which can be divined from publicly available information or a little social engineering. Your password may be q4ot38yhewa;okl, but your password recovery phrase will be the street you lived on in high school or the name of your first dog. This is not secure.

And don't even get me STARTED about pin code security. When I set up my AmEx corporate card, the phone menu suggested strongly that I use digits that are easy to remember, like my mother's birthday. Ignoring the directions and entering a random code, I got rejected because my pin WASN'T A VALID DATE. I called tech support, told the tech monkey the error I was getting and he immediately said that I was to set it to my mother's birthday. I said I didn't want to use something that would so easily be discovered, and he seemed nonplussed. He had to consult with a supervisor. They eventually decided that I could use a random number, but I had to tell him the number over the phone so he could override the menu's requirements to use a valid date. This was AMEX!

Back to the lost password process, I give random strings as answers to the challenge questions, but I figure eventually banks won't let me use strings that aren't a valid dog's name or a listed street name in my home town.

I know why they do this -- it cuts down on service calls to require shlubs to use passwords that are easy for them to remember. But geeze... I foresee a time when we'll all be required to use the common name for an eating implement. Everyone will choose "spoon". The institution will be able to cut customer support back to one person in north-eastern Poland. Or perhaps they already have.

(I use Poland not to denigrate the Poles, but because a company I do business with was quite proud of the low low DL price they got for customer support hotline personnel in eastern Poland. To cover North American accounts. Because that makes sense. Really.)