Ask Slashdot: How Do You Create A Highly-Secure Password? (securitymagazine.com)
An anonymous reader writes: A security lab at Carnegie Mellon performed a study on password security recently, and issued a warning about common user misconceptions. For example, 'ieatkale88' would require 4 billion more guesses than 'iloveyou', because 'iloveyou' is one of the most common strings in passwords. And the word 'pAsswOrd' would take 4,000 times more guesses than 'p@ssw0rd', simply because "In modern day password-cracking tools, replacing letters with numbers or symbols is predictable."
But then what passwords are secure in the face of these modern password-cracking tools? As professionals in the IT industry, what advice would you give?
Leave your answers in the comments. How do you create a highly-secure password?
#MakeHappy
https://www.random.org/passwords/
With a length of at least 10, preferably 20 or more.
20 character random password generated by KeePass. I have a fairly long 20+ character master password for my password file. Generate a new password for every site in case of a breach. Use 2-Factor authentication wherever possible, especially for your email address, as this is basically a master key to all your other accounts due to the password reset feature.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
& d0n't repe@t
How big is your haystack: https://www.grc.com/haystack.htm
I know I'll get a lot of shit for using a web based password manager, but with 2FA using a yubikey and changing my master twice a year, along with never logging in on anything but my computer and using a 50 character master password, I think I'm good.
Rot13.
For real security, use it twice.
09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
All of my passwords are 32 char random strings using all the available chars.
The only drawback is that I have to write them down on a yellow sticky.
Fortunately, none of the hackers have physical access to my collection of yellow stickies...
If you want news from today, you have to come back tomorrow.
#1. No password re-use. Ever.
#2. Not formulaic.
#3. Not in a dictionary list.
#4. Long. I prefer 32 characters long.
Using a very long passphrase rather than a password is the safest thing. How is anyone going to crack "Mydogateachickenandnowisi$ickwiththegout". It is very easy to remember. You have to make sure the app/OS uses the whole thing, not just silently truncates it.
Star Trek, there maybe hope.
I generate a password using the tool available in mSecure, which also allows me to securely store the passwords with strong encryption. It allows me to randomly generate a password while specifying the length and whether to include capital letters, numbers, and punctuation marks. I generate a separate password for each service I use, each with a minimum of 12 characters. That's about as secure as I can make it.
I like to use the 1st letters of song lyrics and other phrases that are easy to remember.
For instance, the wireless password for my home is "luitsiabiapis". Which is an acronym of "look, up in the sky... it's a bird, it's a plane, it's superman".
Take any song lyric that you like and that matches the format. The genealogy website login might be "iodagos", which is "in olden days a glimpse of stocking".
I have pretty-much no problem remembering my passwords.
The way I do it is think of a story that has people and numbers in it. For example: "My friend Mike drank 24 beers yesterday". Because it is a story, it is easy to remember. I then take the first letter of every word, respecting capitalization. For the given example, it would give "MfMd24by". I usually think of stories that are related to the web site I am using so it is easier to remember.
date +%s | sha256sum | base64 | head -c 32 ; echo
Or
cat /dev/urandom| tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:?='|fold -w 12| head -n 4| grep -i '[!@#$%^&*()_+{}|:?=]'
The first one is easier to remember. But the second one is more random. Ezpz.
Trying to get everyone here to reveal how they came up with their passwords....very sneaky. Try hunter42 and correcthorsebatterystaple and you will probably get at least a quarter of the people here anyway.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
If you're setting password policy tell users to use 5 truly random words. (flip through the dictionary with their eyes closed or use a random word generator) If you're making a new password for one of the many, many places with preposterously restrictive policies that confuse "hard to remember" with "secure"... well what I do is break the cardinal rule. I make a password as secure as possible by randomly selecting applicable characters. Then I write it down and store it on an encrypted drive. The drive I leave unmounted unless I'm looking up a password. That's the best I can do. "It has to have a capital, a lowercase and a special character and can't be over 8 characters long" is a recipe for some of the most crackable passwords imaginable.
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
I always recommend using phrases instead of words, something like "Thisisthepasswordforwifi!" because it will be easy to remember and unrealistic to brute force.
I use or make up a phrase that I can remember and use the first or last letters in each word for the password.
Example not in use:
This is my #1 bank password phrase choice.
Tim#1bppc. or ssy#1kdee.
errr....umm...*whooosh* *whoosh* Is this thing on ?
I generate them from /usr/share/dict/words, excluding words with apostrophes, with a Python script. With that setup, a word is just a hair over 16 bits of entropy; I generally go for five or six words (80 or 96 bits of entropy).
I could tell you a far better way, but then I'd have to kill you. I may have to kill you anyway, just to be sure.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
xkcd covered this a while ago.
I use this now. Not the actual passphrase, but the principle.
Nobody will ever think of that one. It's much better than my old password, hunter2.
https://sqlite.org/random-pass... shows example output with a link to the source code.
"correct horse battery staple"
echo -n "<mypassword>|<username>+example.org" | sha256sum | cut -c1-20
Need to change all my passwords? Change the cut or my password.
Use a sentence. This is easier to remember and much longer than random characters. For improved security against dictionary attacks, you can add typos.
Example: "Little pyg, little pig, let me in!"
https://xkcd.com/936/
correct horse battery staple
Obligatory xkcd:
https://xkcd.com/936/
minimum 32 characters long, upper, lower, numbers, and special characters, randomly generated.
good luck cracking it!
if the system allows it, increase it to 128 characters...
I wrote my own password generator for such things. 96 total combinations per character. :)
so 32 = 32 ^96 = more than enough
Stay off of porn sites and use long gibberish passwords. Then write them down on a sticky note attached to your computer because you will never remember them. In all seriousness, long phrase-based passwords and obscure personal stuff seem to work best for me. I know a friend of mine uses 162.55Mhz! because it was something he would always remember. What you don't want to do is use common phrases. I was told that 123244444444555 would be much harder to crack than 123#hg^ because of the length. The strength of a password is directly related to its length: a 7 digit password is 7 times harder to crack than a 6 digit password, and an 8 digit password 8 times harder than a 7 digit one, etc. (think factorials). Nuff said?
It's simple. I come up with a short word. Then I translate the word into morse code, with SHIT as the dot and FUCK as the dash. For example, HORSE becomes SHITSHITSHITSHITFUCKFUCKFUCKSHITFUCKSHITSHITSHITSHITSHIT. That's actually a very strong password.
In addition to using a random string generator (easy enough to find on-line), add accented characters.
---- The above post was generated by the Turing Institute. Maybe.
Apply something specific to you - such as the first 3 letters of 4 pets you have / grew up with. Take "Rufus, Hobbs, Chipper, Stinky" and turn it into "RufHobChiSti". Or how about the different street names you have to walk along to go from home to school. Lots of combinations are possible, the point is to figure out something you can remember. In order to remember it has to have some personal meaning otherwise you would just use random numbers.
What I do is I have a common password which is then tweaked for each specific website. I use the website URL to prefix or postfix the password. For example, www.slashdot.org would turn into "stog" and be prefixed onto my common password to become "stogRufHobShiSti". Easy to remember yet impossible to guess.
It is very important to use different passwords for each website because the risk of one being stolen then applied elsewhere is very high. Far too many people share passwords between websites, email, etc. Very bad - apply a simple algorithm of your own design using the URL to prevent this.
Create a random stream of random ASCII characters of at least 128 characters and then put a bullet in your head. By the time they figure it out, you'll clearly not give a shit.
I create a secure password by not telling anyone how I made it
A long easy to remember and enter password beats a short complex password that requires finger gymnastics. As others have pointed out, the XKCD comic says it all https://xkcd.com/936/ Also look at https://www.grc.com/haystack.h... Now if you are always going to use a password manager to enter the password for you, then long and complex is the best of both worlds, as long as you do not personally need to do the finger gymnastics of entering the long complex password. And if using a password manager, make the access to the password manager a long easy to remember and enter password, as that is the one you will be typing a lot.
use a 1 letter password. Sue the company that allowed the hash to be breached. Can't stand having to type passwords on a touchscreen device.
don't use anything based on silicon
Convert all financial assets to physical gold, buried in widely separated sites
write on one sheet of paper at a time, on a sheet of glass, and only use paper you can eat
etc
my sig: lets not elect the unfit one
The most secure password on the planet is 12 characters long.
It is: atlv!&@-9207pass
Everyone should be using this password since it is the most secure one top people worked on.
God spoke to me
The thing I don't understand is the variation in password acceptability from one site to another. Some sites don't allow special characters, or only certain ones, some limit passwords to 12 characters, some 16, etc. Why on earth are there any limits to usable characters and why are any limited to less than 64 characters?
It took me a while to figure out a really secure password... but once I did, it's so secure I've been using it for everything ever since.
If anyone else wants to use it too, it's "may$in1a_pzy"
I would never remember the extra "I" before the $...
I use eight asterisks as my password so I can see it when I'm typing it in.
In an offline cracking scenario, the number of possibilities is what counts, not which possibility you used. That means users should have the option of simple or short passwords, but should use long ones. For ease of use (more on this later), a passphrase of several words and punctuation is appropriate. Don't mandate the use or exclusion of any particular symbols, because that reduces the search space, and similarly reduces the time to break the password. In a famous example, "correct horse battery staple" is far more resistant to brute-force attacks than something complex like "Tr0ub4dor&3".
In an online cracking scenario, uniqueness is what counts. If an attacker has harvested your password from one location, they will try to use it to access another. Make sure every password you use is unique. Dumb tricks like appending the site name to a common password are easily caught by attackers, so they don't improve security much. The best way to mitigate the risk of an online attack, then, is use a trusted password manager to create and store your passwords, so every location has a long unique password. This is the approach I use, and most of my passwords are 24+ characters, randomly generated, and all unique.
For universal access, I keep my password manager's encrypted database files in a cloud storage service that my phone can access. Even if that storage is compromised and my file is stolen, it's useless without my master password, which is of course different from every other password for any other purpose.
If you're ever designing a system to handle authentication, the best solution is to not do it. Thanks to standards like OpenID and OAuth, you can connect your services to someone else's authentication, because they're far more likely to handle it correctly.
If you must do your own authentication, use sane policies. Require long (10+ characters) passwords, but don't force numbers or symbols. Requiring a number in a password cuts the password's resistance to brute-forcing by about half (very roughly speaking, and noted in TFS). Make sure nothing in your application interferes with the use of password managers, which often use the system clipboard to copy/paste passwords. To improve user experience, avoid asking for the password at all, instead using an expiring authentication token to reinstate a previous session. The less often a user has to type their password, the less averse they'll be to having a long and secure one.
On the back end, if you must store passwords, make sure they are hashed using a modern secure algorithm (AES-256, SHA-2 or SHA-3) and salted, and do that as soon as possible in your back-end processes. No, your users do not need a way to recover their old passwords. They need a way to reset their password to a new value, and that should only happen by using two separate forms of ID (like a phone call to customer support verbally confirming security questions and an email to the address on file). Those security questions should also be as unrestricted as passwords. Allowing the user to enter open-ended prompts allow the user to use prompts that are only meaningful to them, and are thus much more difficult to find an answer on social media.
Above all else, do not take advice from others, including me and this post, without understanding the reasoning behind it. Computer security is steeped in several decades of little more than superstition, relying on "common knowledge" that often turns out to be incorrect. It may start out well-intentioned, but the implementation is usually missing a key detail, undermining the security of the whole system.
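The back-end advice in the post above (long-password policy with no forced symbols, salted hashing done early, constant-time checks), as an added example that is not the poster's code. It uses PBKDF2-HMAC-SHA256, an iterated and salted construction over SHA-2, rather than a bare hash; the iteration count and the storage format are assumptions.

```python
import hashlib
import hmac
import secrets

MIN_LENGTH = 10            # the post's "10+ characters"
PBKDF2_ROUNDS = 210_000    # assumed work factor; raise it as hardware improves


def check_policy(password):
    """Length-only policy: long, but no forced digits or symbols.

    Returns (ok, reason). Any printable character is accepted so that
    passphrases with spaces and password-manager output both pass.
    """
    if len(password) < MIN_LENGTH:
        return False, "too short: need at least %d characters" % MIN_LENGTH
    if any(ord(c) < 0x20 for c in password):
        return False, "control characters are not allowed"
    return True, "ok"


def hash_password(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Derive a salted PBKDF2-HMAC-SHA256 digest and encode it for storage.

    Storage format (assumed, not a standard): algo$rounds$salt_hex$digest_hex.
    A fresh 16-byte random salt per user defeats rainbow tables.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (rounds, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(password):
    """Policy check first, then hash immediately; the plaintext is never stored."""
    ok, reason = check_policy(password)
    if not ok:
        raise ValueError(reason)
    return hash_password(password)


if __name__ == "__main__":
    record = register("correct horse battery staple")   # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Tr0ub4dor&3", record))                    # False
```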
You do not have a moral or legal right to do absolutely anything you want.
The longer the password req, the harder it is for normal users to remember them. I keep a 30 ish character password for my real accounts. I see folks having trouble with 14 characters.. writing down hints, doing keyboard runs, reusing passwords all over the place. How bout we stop using 1 factor authentication (something you know, 2x in normal logins) and kick it up to 2 or 3.. Say go to a smart card with identity certs on them and a pin, or a token, pin, biometric combo?
Stop signs are only Suggestions
I agree that length is key here. I typically ask someone who uses systemd to try and tail their syslog, and paste me the last line of garbage that comes out. No way anyone's going to crack that.
1) Choose your password in your native tongue 2) Transliterate that to English 3) Sprinkle in letters and characters 4) Done!
Even better, leave the spaces in it. It confuses people all to high hell.
I say you open a text file and mash the keyboard in a way that feels maximally natural and includes some numbers. I found a longish combination that I can reliably produce in less than 2 seconds, and it looks like complete randomness that would be quite hard to guess.
For personal passwords, I generate a new one every time. I have a couple of copies of gpg-encrypted text files where I list the passwords. I don't upload them to cloud storage, but I do mirror the data/requisite key between places I control.
For example, in python: base64.b64encode(os.urandom(15))
Additionally, where supported, 2 factor authentication.
For local administrator accounts (regardless of OS), most systems have the account disabled (they are disposable, so total inability to debug it is ok, it can be reinstalled). For certain systems as needed, local admin account has a similar, unique password, curated in a shared location, with remote access totally disabled for those accounts (though some users do have ability to login and sudo).
Just like Chip the salesman.
How is anyone going to crack "Mydogateachickenandnowisi$ickwiththegout". It is very easy to remember.
No, you *THINK* it's easy to remember because you're looking at it right now. I guarantee, in a week you won't be sure what it is.
From a quote, books, or lyrics. "Only a fool learns exclusively from his own experience". I'll take that and make a password of: experIenced33foolH2O. number 33 could be from a page of the book, capitalized the sixth letter from 3+3. and added set value at the end which includes numbers and letters which provide more capitalization factor. H2O could be added to all my tier 1 passwords and I'll have different value for next tier up.
Perhaps include the house number or phone number of a place where you lived years ago, or a scrambled version of an imaginary name you had for yourself, or a candy brand that is no longer made? The older you are, and the more secretive, the more material you might have to work with.
I use a 2-character password, because no one would be stupid enough to do that and consequently the hackers all start their cracking engines at 8 or 10 characters long.
Just cruising through this digital world at 33 1/3 rpm...
Don't use accented characters, or anything outside ASCII. You don't know how they will be encoded and transmitted.
(And don't say “UTF-8”, because a *shitload* of software still doesn't handle character encodings correctly. You can rely on your browser to do so, and maybe on the site's HTTP server, but you have no idea what sort of yahoo wrote the backend.)
45 character random upper and lower alpha-numeric and symbols protected Tails persistent encrypted volume with 100 somewhere ~20-30 character same complexity https://www.fourmilab.ch/hotbits/secure_generate.html passwords in a flat text file I append the service to after a space. Need to recycle or make a new one? Mark it and use it. Get at me bro.
And a password manager.
Variation of this: if you speak any language other than English, always use passwords from your language. Easy to remember long passwords, but still random variation and gibberish. 's4chb0lr@h4hoo'
String together a couple of the 'play online' codes from McDonalds monopoly game pieces. Random numbers and letters, just capitalize at your discretion. You can even keep them in your wallet for reference without much risk of giving away your password, because everyone has a few of the damn things floating around for months after the promotion ends.
I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
I delegate creating passwords to PasswordSafe. The current standard policy is 15 characters, requires at least 2 lowercase letters, 1 uppercase letter, and at least 1 symbol. The password database is backed up and available to my devices via a server I control. I've been steadily increasing the password length as hardware improves.
Sorry, typo.
e4kss$$%Jjsov..>32\][[wDGAPz0.qpaWW=-nveke
That would be a shockingly secure password... but it isn't something you can remember, or type easily.
A password manager works, but now you have moved the vulnerability to a new place.
If you don't mind a slightly longer password, lyrics to a song are a good way to go. Best choose something a bit more obscure.
I use the website URL to generate a password and plug in static passwords parts at predetermined locations, an example is:
Primary static password1, numeric position of a character 1 of URL, numeric position of a character 2 of URL, numeric position of a character 3 of URL, Primary Static password2
So for this site:
Dog11911Farts
For Facebook:
Dog613Farts
I can go to any site I have an account with and generate the password without having to memorize it. I've gone back to accounts I have not accessed in 8 years, and used the same protocol to access it. If one site gets hacked they will not immediately be able to access all my accounts with the same username/password.
...on how big the rainbow tables have gotten.
Also, regardless of the low-sodium health push these days, it would be nice if more vendors used a little salt.
I mean, it's not like that's a new concept or anything...
So one of the (at the time) drawbacks of my UK education was that we had to learn poems off by heart for the English Lit. exam. At the time I thought it was just about the most boring part of the curriculum, but now they're a treasure trove of password sources...
Example (no, I don't use this one). One of the poems we had to learn was "Dulce Et Decorum Est"...
Bent double, like old beggars under sacks,
Knock-kneed, coughing like hags, we cursed through sludge,
Till on the haunting flares we turned our backs
And towards our distant rest began to trudge.
Men marched asleep. Many had lost their boots
But limped on, blood-shod. All went lame; all blind;
Drunk with fatigue; deaf even to the hoots
Of tired, outstripped Five-Nines that dropped behind.
Gas! Gas! Quick, boys! – An ecstasy of fumbling,
Fitting the clumsy helmets just in time;
But someone still was yelling out and stumbling,
And flound'ring like a man in fire or lime . . .
Dim, through the misty panes and thick green light,
As under a green sea, I saw him drowning.
In all my dreams, before my helpless sight,
He plunges at me, guttering, choking, drowning.
If in some smothering dreams you too could pace
Behind the wagon that we flung him in,
And watch the white eyes writhing in his face,
His hanging face, like a devil's sick of sin;
If you could hear, at every jolt, the blood
Come gargling from the froth-corrupted lungs,
Obscene as cancer, bitter as the cud
Of vile, incurable sores on innocent tongues,
My friend, you would not tell with such high zest
To children ardent for some desperate glory,
The old Lie; Dulce et Decorum est
Pro patria mori.
"The old lie" being "It is a great and glorious thing to die in the service of one's country". Anyway, take the N'th character of every line - easiest is the first, until you get the number of characters you need. It's easy to remember if you know the poem, it gives you a completely unintelligible password, and it's easy to make a password hint that's opaque to pretty much everyone but you.
Has worked for me for ages. (I'm very old, compared to you young whippersnappers hanging around /. recently).
Simon
Physicists get Hadrons!
If I left my answer of how, then it would not be a highly secure mechanism anymore. However, for my moderately security-sensitive passwords I usually use a pass phrase combined with capitals, numbers and non-alphanumeric characters, e.g. Security thru Obscurity could become "5eCur!tythru0bsCur!ty": incredibly easy to remember and incredibly difficult to brute force or guess.
~ $ pwgen -y -s 20
My blog, if you're interested: http://www.purp
How is anyone going to crack "Mydogateachickenandnowisi$ickwiththegout".
Taking that idea one step further: To make the passwords different for each website, start with your main password, and then add the first two letters of the website in your password.
For example, put the first 2 letters of the website after the "My".
For Slashdot (sl), the password is Mysldogateachickenandnowisi$ickwiththegout.
For Visa (vi), the password is Myvidogateachickenandnowisi$ickwiththegout.
etc.
If someone stole only your password (no one else's), and if they figured out your password (or if it were stored unencrypted), then they might notice that the 3rd and 4th characters are sl or vi, and realize that they might use that pattern for your other accounts.
However, if they stole millions of passwords, they won't analyse the individual passwords closely enough to notice that the 3rd and 4th characters are sl or vi.
Pick a song and use the first line from it. "Scooby Dooby Doo, where are you?" with the next password iteration for the account being "We've got some work to do now". Substitute in your favorite alpha-numeric swaps or capitalize all formal names and not only have you got a longer than normal password, but also one with names, spaces, and a theme for easy memorization. You just need to have memorized the words for more songs than Happy Birthday....
Sorry, typo.
I intentionally missgell words in my passphrases.
Dammit!!. You stole my line. Kudos.
There are many ways to make a password. Use your imagination. Also note that a lock-out policy on failed attempts means more than ANY fucking password. It is usually built into the system...USE IT!!!
Flop your dick randomly around on the keyboard. If you're a woman, use your tits.
Close your eyes. Type gibberish in a text file. Take 15-20 characters out of the middle. Memorize it or store it in a secure file.
G7JKgk(09uKJGgf^&o9lkJH*Kn&(L%lkjmhf(OPMh7*_&%$jkk;alkshdf7i3k,a/sdklf823jhv^,JH6p&gbljBN^4JH(8676GB
password=$jkk;alkshdf7i3k
Not joking - this is how I do it.
head -c 20 /dev/urandom | uuencode -
Replace 20 with whatever you desire, and if you're misinformed or paranoid, use /dev/random instead of /dev/urandom.
What I find is the hardest part about changing passwords is getting my kids and dog to accept their new names.
Using a very long passphrase rather than a password is the safest thing. How is anyone going to crack "Mydogateachickenandnowisi$ickwiththegout". It is very easy to remember. You have to make sure the app/OS uses the whole thing, not just silently truncates it.
Even if an application or OS doesn't support long passphrases, you can still use an abbreviated passphrase. The common one is the first letter of each word in your passphrase, but there is no reason that you can't use the 2nd letter, the last letter, or some memorized sequence like "first-last-second". Using your passphrase above, "My dog ate a chicken and now is $ick with the gout", and "first-last-second", your passphrase becomes "Mgtannnsiweo". Throw in a few numbers and symbols and uppercase letters and you are good to go.
That being said, my biggest problem is that even if I come up with a good formula that is easy for me and hard for everyone else, every site has their own idea of what a secure password is and won't allow an otherwise secure password because of random sometimes mutually exclusive rules like "must contain special characters" or "cannot contain special characters"
Available characters vary by site. Sometimes with absurdly stingy limits.
This issue is a bit more complicated than you think.
I just use the NATO phonetic alphabet, easy to remember, something like "WRITE" turned into Whiskey, Romeo, India, Tango, Echo.
I use a local copy of pwdhash.com. Make the site password something memorable, but which you can change if required.
It doesn't handle sites with picky requirements but is good enough for most sites.
I use a password manager and try to make passwords as long as the app or site will allow me.
The bitch is, a lot of sites and apps artificially limit password length at around 10 characters.
Chas - The one, the only.
THANK GOD!!!
1. Have my password vault spew out (hopefully) random noise made up of uppercase, lowercase, numbers and special characters and use that.
2. Just randomly swipe a finger across, up and down and diagonally across my keyboard, hitting this and that and that other thing, while being in my password vault's password field for whatever it is I'm creating.
3. A phrase from a book or film, further obfuscated in some way.
The idea is, however, that no two logins share a password. I don't even know my passwords, I'm at the mercy of my password vault. And no, it's not Keepass.
The "Civilized World" jumped the shark ca. 1973.
"sorry spaces not allowed"
Mash my forearm on the keyboard, then delete the middle half, stay in the middle and mash on the keyboard some more.
Ta dah!
For all your passwords, use a password manager. Have the manager make 20+ character passwords. Make them different for each site.
The basic requirements are (1) Runs on your phone, PC and Mac. (2) Can use a shared password file on a network drive like dropbox or Google Drive. and (3) isn't a pain to use.
I get by with KeePass2. It has clients that support the file format on all the platforms (e.g. I use KyPass on MacOS).
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
First, banks and very many online sites will not tolerate good passwords. ASCII symbols can help make a very strong password. I like long phrases that are easy to remember. How about "jack and bill went up the hill to fetch a bucket of blood"? That little rhyme would take a while for a computer to break. I do think that requiring two passwords with a system that demands the second password be quickly entered would solve a lot of problems.
Use my brain. It is random as shit. My wife tells me so, all the time.
You know what the best password of all is? A password that no password manager holds, only your head. A password you could easily share with anyone and they would remember. A password you would not have to write down.
So I have a variety of patterns I use, involving words and numbers and symbols. That is simple enough to easily remember, but is OK by any of the modern password filters that attempt to make passwords too complex to remember easily. If a password system insists I change the password regularly, I can just iterate the numbers as long as is necessary.
If they are somewhat long (and they will be with multiple words) it would take a long time for a password cracker to break through, especially so in combination with the numbers and symbols (which break simple dictionary attacks)
Anything more complex is a waste for most places on the internet.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I use a word that's misspelled, with numeric increments and/or replacements on the end.
For example, and not really my password:
frnechr0457 french roast, with oast turned to digits, and french spelled wrong.
This is a crude example, and I will also add punctuation or caps as needed, but this generally seems pretty secure, since dictionaries, by definition, seem to usually know correctly spelled words but don't reliably predict all possible misspellings.
"This is my 7th mother fucking password, no really, this is it...!"
including quotes
It really pisses me off when sites limit the length of password you can store to 7 or 9 chars... or make punctuation chars invalid or some silly such rule.
I have a list of 27489 words up to 8 letters long, and I pick 4 at random using a cryptographic RNG. 58.98 bits of entropy.
Actually, I degrade entropy slightly by generating half a dozen and picking one that is interesting to me, but that's fairly subjective and difficult to automate.
Here are 10 for example. The second seems more memorable to me, so I'd probably pick that one.
whiles erratic someday copal
ocher shrew mythos marker
kokanee notum papers heeler
medlar famished sawdust pretense
braggart urial scirrhus event
babul heraldry prison pe
feints crass lardy pulmonic
specter warship uracil foilsman
planned meltage argali dipstick
topple okay manikin boater
I download a public OpenPGP key from a key server. Each key consists of over 2,000 apparently meaningless upper- and lower-case letters, numerals, and the symbols + and /.
I select an 8-10 character string from within the key. Before using the result, I check to make sure that the special characters + and / are allowed in the password. If the string has those characters but they are not allowed in the password, I delete them and extend the string with additional characters from the key.
For more information about OpenPGP, including links to key servers, see my http://www.rossde.com/PGP/inde....
An arbitrary length password/passphrase with no limit is something a cracker will have a hard time cracking. Not only can you make passwords using multiple words and spelling variants, but with the length being unknown to the cracker, there isn't a clear pattern to try or a finite number of combinations.
The passphrase should be checked against an entropy calculator before being accepted.
Achille Talon
Hop!
Pretty much any password you use can be cracked with brute force. What does it matter if it takes 2 minutes longer or not? What matters is proper interface security. If you allow passwords to be checked at the speed of your processor, no one is secure. But if you restrict IP addresses and users from checking unlimited passwords, then practically any password is secure. All reasonable sites lock accounts at around 5-8 wrong guesses, and often start captchas at the first wrong guess. With this the password "G" is more than secure enough.
Troll is not a replacement for I disagree.
My password is 32 characters long so it will be really hard to crack -- maybe even impossible!
It's "Password" repeated 4 times, so it is "PasswordPasswordPasswordPassword". I use it for everything except my briefcase which is 123456.
Oh yeah, I make sure NOT to tell anybody my password, especially my nosy wife
If you want security, forget single-factor authentication.
You can come up with algorithms or random password generators all day long. The problem is, nobody can remember really good passwords. That means you have to store them somewhere, in a password vault or service, or stick them to your keyboard.
We should really stop relying on a single password for authentication, and move to two-factor authentication. Then password complexity becomes less of an issue in the first place.
Generate the toughest, longest, most cryptic passwords imaginable.
Put them all into an Excel file cleverly disguised as pass.xlsx in My Documents.
And then, the ultimate final lock... Excel's built-in password protection, with something easy to type, like "openme", since you're going to be opening it 50x a day.
get rid of dumb rules
Everything has a unique login.
I adopt the xkcd method for passwords I might need to use frequently. This is for things like my google account, my NT login, and my password managers master password.
For anything else, yeah, it gets tossed into a password manager. I generate a unique password for every site. I don't need to remember the password for everything, I just need to remember the password for my password manager. The vast majority of my passwords, I've never actually seen them.
My password database is stored only on devices where data storage is fully encrypted. I keep it in sync by using a private cloud sync setup (not something public like Google Drive or Dropbox). If I need to update the password database while mobile, I just VPN into my home network to get access to the cloud sync.
I also enable 2 factor wherever I can. Lots of stuff supports the TOTP protocol now, so using something like Google Authenticator is quick and easy.
I do not let my browser save passwords. I do not store credit card information online anymore (with the exceptions of Apple and Amazon).
While it has made logging into some things a bit more of a pain in the ass, the data breaches that have occurred on sites I used (including one that led directly to an identity theft incident) have left me with the feeling that I should do everything I can on my side to protect my information. The irritation of having to pull a password out of a password manager to login is a trifle compared against limiting the extent of a data breach can have on me.
I've also made it a practice to stop frequenting sites which have let my data out in the open, especially if there's a monetary relationship.
Length, not weirdness, is the key to uncrackability. For easy remembering, embed a simple password in a hell of a long string of repeating characters broken up by odd interruptions of non-repeaters. For instance:
=-4=-=-(repeat lots)=-=-yourpassphraseorword=-(repeat lots)=-88=- (repeat lots) -=-
is bloody impossible to crack with any tables.
Most people think password breaking is like the way people crack safes. One spin, crack, another spin, crack, until the code is broken. Password crackers have *no way of knowing* if they are hot or cold. They must guess the entire string at one go. That means length, not oddness, is the primary defense. You can have a simple one word password.... if you embed it in a string of simple and easy to remember character repetitions (broken at random intervals by a deal breaker to foil crackers trying for character padding repetition guesses). Steve Gibson came up with it, and it works, if the site allows for long passwords.
If someone bugged your keyboard, all bets are off, of course.
Note: Slashdot's filter error won't let me type repeating characters.
Why the hell are hackers allowed to guess a bajillion times? The login system should be isolated and only allow a limited number of tries per time period per account. Make it like a hardware plugin. Don't put the login info on regular disks/storage with everything else.
Table-ized A.I.
but I don't sign up for things or partake in most of the internet, anonymous coward here, there and everywhere
I have a mental algorithm that generates a unique password for practically every website. I derive, instead of remember my passwords. There are probably flaws I am not aware of, and improvements I could make, but it seems safer and easier than some alternative systems I used to use. It's been ~3 years and password recovery is now a thing of the past.
Here's how it works:
Take a predetermined sampling of characters out of the website name. Take a known, unchanging string of text, and mentally apply a rule to use the string of text to jumble the selection of characters from the website name. Take these jumbled characters, apply another rule to capitalize certain ones, and insert them into a template password.
Here's an example that is not my actual system:
Website: AliceAndBob.com
Selection rule: First letter, third from last letter, second letter
Starting sampled text: abl
String of text to use for jumbling: The quick brown fox jumps over the lazy dog
Jumbling rule: shift 1 position left from first instance of letter sampled from website name
jumbled text: lke (the LAzy dog) (quicK Brown fox) (thE Lazy dog)
Capitalization rule: capitalize the first character of the jumbled string
Second-pass jumbled text: Lke
Password template: pass_ _ _ word1234
Mostly unique, memory free password: passLkeword1234
Does anybody else already do this?
The passphrase would be to login to your OS or to open a password application. Then you retrieve the silly short passwords web sites make you use from an app or encrypted file. I use random key press passwords for everything I don't have to remember.
Star Trek, there may be hope.
https://en.m.wikipedia.org/wiki/Diceware
Each word has 12 bits of entropy, so choose the number of words necessary for security purposes. For local non-cryptographically strong passwords two or three words is sufficient if local login attempts are throttled by the OS. Don't allow direct password logins remotely; use ssh public keys or require vpn access with a client certificate. For web sites you might as well not even try; social engineering and weak password reset workflows defeat any password. For the rare web sites where passphrases are the weakest link, use cryptographically secure passphrases. 10 diceware words in a passphrase to protect cryptographic secrets are good enough for the lifetime of the universe or until a cryptographic breakthrough, your hardware/software is compromised by a 0-day, or you are otherwise surveilled while entering it, whichever comes first.
I find a pattern on the keyboard such as \]' and use it as a letter delimiter
\]'P\]'A\]'S\]'S\]'W\]'O\]'R\]'D
and/or I could have a phone number that I know, say 18005556789 and hold shift and enter it !*))%%%^&*(
and/or I find another pattern on the keyboard such as vftyhb and I'll do a few of them alternating caps vftyhbVFTYHBvftyhbVFTYHB
and/or I will take just two keys and make a little beat out of it kkakakakakkakakaka or mmmammmammmaaammma
so now I can have a really long password that only takes, let's see
\]'P\]'A\]'S\]'S\]'W\]'O\]'R\]'D!*))%%%^&*VFTYHBvftyhbVFTYHBvftyhbkkakakakammssmmsmmssmmssmmssmmsm
twenty seconds to type and it's easy to remember and fun to type too
Wrote a script that takes a string as input and outputs a 32 character string like: ”“ÕE__ÙsR.“âÅÜv¼__(#Jçwç,*eÔ2È__1Ì
Double-underscores are upper ANSI characters that Slashdot still won't render.
The input string was: "Wrote a script that takes a string as input"
Simple, secure
I think what needs to happen first is you need to identify the biggest pathways by which people break into people's accounts, and then use those to develop the requirements for an excellent password. For example, it could be that the greatest risk is caused by password reuse, where a leak from one site is then used to hack email accounts or bank accounts or wherever on other sites. If that's the case then some sort of unique password, even if it's like password0, password1, password2, fixes that problem.
JGL5CyR^c0#zSZrw8K$uuRWNJ8zPACC5z^XvpTbij#@89Ro39gSmJ8ZQareGW8*CyovRM$VU#Rfpu$CkLKi^FBcvaWqAqUu$cjm!
time pwgen -cny 20
theochai5oe(PheT0voh iem3Kie9thoosu|eb2Ae oGheimaeli2ohph]ot>e
moozi3eedah7Rohsee]c ohdookeiDie=ch3sei8d ahPhobaekiegh7ahB{ah
Eig7aev9To0Feeph[ag8 oojee9Ooj2ahxa(ngoya eiP$ohjaeng{o5iequoh
kei]ng3oeQuei9nae6ca ooM$ah?b-aeNgath3Icu ub+od5aev1Fahqu9sohs
jooke6phaephoh^PaePh me~jaiJe7ahphiy6otah tohfiem.u2aifis)ae/Z
sheiwaeK9euk,eizoh/r co0sek-aij7wiMiitai5 pie[x9Bu9vu4FaiP-aih
neeg{ieghah6Hoo@we2F eeboocoo?Vaekah2yohz fahphae8vus2fai"w4Vi
aht2cheeB1xeiQuoo\po roonai&y9pho5tahPong aoseiKie1jee1Aij;ee3
gei0caiXiev}eeQuoh5a OhngioC|uo9ViePhahgh xoh8aemup>ooGh5chie4
paiGhoo3wiech1auP%ie chae2ki0che9uqu+eiKu Ia1bowai(quah4aicame
real 0m0.022s *-- time it took to answer the posted question
Diceware.com Dice-Indexed Passphrase Word List
http://world.std.com/%7Ereinhold/dicewarewordlist.pdf
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
As pointed out by security experts, biometric data is permanent. Once stolen, it's good anywhere bio is required of you. Passwords should allow alteration of *all* components.
Most guides for passwords recommend using a long password with lots of complicated symbols and a different password for each site, so I figured that that is what hackers would try to guess at for my password.
To confuse them, I do the exact opposite! A simple six letter password containing only two different characters, and then I use that same password for all websites. No one would ever figure it out.
Is it really that important? Do sites actually allow you to attempt ten million+ login attempts without generating some lockout response?
Is there a more interesting question to ask here?
Have we reached the point where the concept of the password itself is no longer either appropriate, or adequately secure? For example, should we be recommending use of multi-factor and/or multi-channel solutions?
A useful question to ask is, "Where do you have to place your trust?" For example, many respondents to this thread recommend using a password manager. OK, but how many of those people are aware of the emergence of specific threats targeting password managers, or that some solutions have been found to be insecure? How many people come to rely more and more heavily on a smartphone or similar personal device - a single object that can give access to web, email and voice authentication vectors - yet which is one of the most heavily-targeted platforms from a threat perspective?
I am not trying to denigrate the many excellent answers given here, but I wish to point out the risk that we are taking by asking this as a closed question ("How do you create a highly-secure password?") when changing the question slightly (for example, to "What are the most pragmatic and reliable secure authentication mechanisms available?").
As technology consumers, maybe we should be a bit more demanding about the solutions we are offered. Maybe it would be nice if we had a trustworthy and independent third party that offered a security audit rating system for commonly used service providers, like banks? This alone would drive down a lot of the risk, because to some extent breaches can be facilitated by bad practices on the part of the service providers...
But other options could consider available variation on the themes of something you have, something you are and something you know. Services should allow us to set our security based on a selection of two or more of that trinity, with a range of options for each... Here's a bad example... Suppose that the fingerprint reader on new Apple iDevices had an exposed API. Then suppose that a web site authentication engine integrated with this, over a secure SSL channel. You go to the site, you tap the option for fingerprint reader, then you put your pinky on the sensor.... What would it take to engineer that securely? In a combination with even the most basic of known passwords, wouldn't that be much more secure?
Or what about something you have? How many people drive a vehicle with a remote control unlock mechanism? One German manufacturer uses a supposedly very secure rotating key mechanism that never sends the same release code twice... What if we used the same principle and allowed people to connect their car key to their keyboard via Bluetooth, using the same or similar principle to integrate an everyday object like a car key as a "something you have" factor?
Both of these are spur-of-the-moment suggestions and likely flawed, but I just wanted to push us past the idea that the right solution is still a password. Respectfully, that's still only single-factor and thus still implicitly weak.
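Several posts above (the "G" is secure enough post, the "why are hackers allowed a bajillion guesses" post, and the question opening this one) rest on the same server-side control: count failed attempts per account and per source address inside a sliding window and refuse further attempts once a threshold is hit. An added example of that logic, written for this page and not taken from any commenter; the thresholds (5 failures per account, 20 per IP, 15-minute window and lockout), the account name and the 203.0.113.7 address are constructed values:

```python
import hmac
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failed-login counter with lockout, keyed per account and per source IP.
    The per-IP limit is looser than the per-account one because many users can share one
    NAT address (assumed values, not a standard)."""

    def __init__(self, max_account_failures=5, max_ip_failures=20,
                 window=900.0, lockout=900.0, clock=time.monotonic):
        self.limits = {"acct": max_account_failures, "ip": max_ip_failures}
        self.window = window
        self.lockout = lockout
        self.clock = clock                    # injectable so the logic can be tested without sleeping
        self._failures = defaultdict(deque)   # key -> timestamps of failures inside the window
        self._locked_until = {}               # key -> time at which the lockout ends

    def _recent(self, key, now):
        # Drop failures that have aged out of the window, then return the live queue.
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def _allowed(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return True
        if now < until:
            return False
        del self._locked_until[key]           # lockout expired: start counting afresh
        self._failures[key].clear()
        return True

    def can_attempt(self, account, ip):
        now = self.clock()
        return self._allowed(("acct", account), now) and self._allowed(("ip", ip), now)

    def record_failure(self, account, ip):
        now = self.clock()
        for kind, value in (("acct", account), ("ip", ip)):
            key = (kind, value)
            q = self._recent(key, now)
            q.append(now)
            if len(q) >= self.limits[kind]:
                self._locked_until[key] = now + self.lockout

    def record_success(self, account):
        self._failures.pop(("acct", account), None)


def attempt_login(throttle, account, ip, supplied, stored):
    """Outcome of one attempt: 'locked' is returned before the password is even compared."""
    if not throttle.can_attempt(account, ip):
        return "locked"
    if hmac.compare_digest(supplied.encode("utf-8"), stored.encode("utf-8")):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, ip)
    return "denied"


class FakeClock:
    """Constructed clock for the demo: advance .t instead of sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Five wrong guesses lock the account; the sixth attempt is refused even with the right
    password ("G", as in the post above) until the lockout has passed."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    outcomes = [attempt_login(throttle, "alice", "203.0.113.7", "guess%d" % i, "G") for i in range(5)]
    outcomes.append(attempt_login(throttle, "alice", "203.0.113.7", "G", "G"))
    clock.t = 901.0                           # just past the 900-second lockout
    outcomes.append(attempt_login(throttle, "alice", "203.0.113.7", "G", "G"))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Keying on both the account and the source address matters: the per-account limit stops a guessing run against one user from anywhere, while the per-address limit stops one source from spreading a few guesses over many accounts; a real deployment would also log both lockout events for the detection side.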
If you can remember a phrase related to your children, pets, whatever, you can simply use an initialism. For instance, if your daughter Sally was born in 1999 in Tampa, you could remember the phrase "Sally was born in 99 in Tampa at 5 o'clock", and then your password is Swbi99iTa5o. The field of total sentences is massive, and this hooks the good parts of using pet, child, or spouse names, with the good parts of not using words as any percent of your password.
Upsides: You keep the password in your head. You can type the password quickly because it is short.
Downsides: Bullshit like "you must have two numbers, two lowercase, two uppercase, two special" will incorrectly reject your secure password as if it were insecure. You can get around this by always postpending or prepending a short string with the same whatever-you-needs.
Solutions like "keep your passwords in a vault" have issues, though unlikely ones. Your online vault is a potential target for hackers (who wouldn't be looking to target anyone in particular- it's just a rich source of access tokens potentially), your local vault needs to be transported and cared for like any data, along with whatever decrypts it.
Whenever I can, a completely randomly-generated password. At work, where, for reasons I can't go into, I need to change it every 3 days currently, a semi-random component and a date-based component, which ironically beats out the "last X similar passwords" check. If they're gonna make my life hell, I'll return it in spades... Also, I have to write down the date-based part, just to remember it for the next 3 days... #imahorribleperson
"The urge to save humanity is almost always a false front for the urge to rule." --H.L. Mencken
I'm with XKCD on this - it's all about how many things you can remember easily, and catering to that. Sure, I can just bang on my keyboard like a frustrated pianist and make an ironclad password like apSo8soDis+y2apjbea;is5ya4sHayb,Fia7py but can I memorize that? Heck, no. I construct a sentence of long words that almost makes sense, and include a bit of punctuation (if allowed), numbers and capitalization. If you construct the sentence well, you can even make several words count as one thing to remember. Here's an example of a password that has four things to remember (a four word sentence, a number, a punctuation and a capitalization) that took me a minute or two to generate: powerful3education=automaticallyMeasured
The first thing you need to do is stop listening to statistics someone else faked.
Of all the various ways in which attackers can gain passwords, only two involve cracking them (brute-force and cracking a password database). One of them should be a non-issue, because any software or service that doesn't protect against brute-force is fundamentally broken and shouldn't be trusted with your password anyway. Make your password "a", save everyone the trouble. For a password database crack, firstly the security of the server already failed, and then you're at their mercy a second time because if the password is stored unencrypted, you're fucked. If the password is stored hashed but not salted, you are pretty much fucked. And if the password is properly hashed and salted, congratulations you have the one scenario where a good password actually matters.
In all other attacks on your password, from phishing to shoulder-surfing and keyloggers, it doesn't matter how good your password is, how long it is or how complex it is.
So, if you are really so concerned about the one scenario that you are ready to type V9AnKH5Crpfukuy5gAFB till the end of your days, go to https://www.random.org/passwor... and fire it up. Because all the hints you find on making a "good" password are also known to the people writing password crackers and coded into the perturbation algorithms. True randomness is your best bet.
The one thing that matters, and there's an article about it but I'm too lazy to google it, is length. Length > Complexity. "aaaaaaaaaaaaaaa" is more secure than any variation of 8 characters ever will be, simply because, at least until this post, no password cracker would run the chain like a, aa, aaa, aaaa, ... to arbitrary length.
IMHO, and I am an expert in the field and have given speeches about password security, forget all the "password complexity" rules, they are all bullshit. They're the safety net that makes sure that "password" is not a legal password on your system. But the world continuously invents better idiots, so "password1!" is and you're fucked anyway.
Assorted stuff I do sometimes: Lemuria.org
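The post above separates three storage cases: plaintext, hashed-but-unsalted, and properly hashed and salted. An added example, not from any commenter, showing why the middle case is nearly as bad as the first and what the third looks like. It uses PBKDF2-HMAC-SHA256 from the standard library; the user names, passwords and the 600,000-iteration default are constructed values (the demo and tests pass a small count so they finish quickly):

```python
import base64
import hashlib
import hmac
import os


def unsalted_hash(password):
    """The 'hashed but not salted' case: identical passwords give identical hashes, so one
    precomputed table (or one cracked hash) covers every user who chose that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def linkable_users(user_hashes):
    """Group users whose unsalted hashes collide; any group with more than one member shows
    that the database leaks which users share a password even before a single hash is cracked."""
    groups = {}
    for user, digest in user_hashes.items():
        groups.setdefault(digest, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def make_record(password, iterations=600_000):
    """Salted, iterated record: a fresh 16-byte salt per user and a stored iteration count,
    so the cost can be raised later without re-hashing everyone at once."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def demo():
    # Constructed users: two of them chose the same password.
    plain = {"alice": "summer2016", "bob": "summer2016", "carol": "ieatkale88"}
    unsalted = {u: unsalted_hash(p) for u, p in plain.items()}
    salted = {u: make_record(p, iterations=1000) for u, p in plain.items()}
    return {
        "linkable_without_salt": linkable_users(unsalted),
        "linkable_with_salt": linkable_users(salted),
        "alice_verifies": verify("summer2016", salted["alice"]),
        "wrong_password_verifies": verify("summer2017", salted["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

With a per-user salt the two identical passwords produce different records, so a leaked table has to be attacked one user at a time, and the iteration count is what makes each of those guesses expensive.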
When I go to my bank online, I've to type a password, no shorter than 6 characters, no longer than 12 and with other weird limitations.
My question is: Why do they have a size limit? Are they storing the password in clear / encrypted?
So my password is: iiiiiiivvviviiviiiixx (but in caps; the /. yelling filter prevents me from typing it)
password ... bad.
p@ssw0rd ... slightly less bad.
pAsswOrd ... 4000x less bad.
pAswsOrd ... They'll never guess that!
If you can't dependably type it in a comment, how well are you going to do when all you see is 40 stars?
*locked out of account*
I use the first letters of a sentence. For this I use longer sentences which I don't use in normal speaking.
And to make it unique for any website and service I put a special character in, after which I insert a code for the specific website.
So I don't need services like keepass, because I can remember my password but I also have a safe password.
I find on some major websites the problem is the restrictions placed on passwords.
MUST be 8 - 10 characters, (upper, lower, numeric only)
Well that makes cracking nice and simple!
Pick a long word or phrase. I'm using my name "OWEN" for the example.
For each letter in the phrase, hold down alt and trace the shape of the letter out on the keyboard.
O is a circle, so it's Alt plus 79317 or
W is 71539 so s
E is 97513 so
N is 1739 so
s
You can change the shape you draw for each letter too, so E could be 9745413 or , N could be 178239 or ?.
Of course, this only works if the system supports full unicode.
- In Soviet Korea, only old people loose all their bases to Natalie Portman's petrified hot grits overlords.
head -c12 /dev/urandom | base64
The number "4000" is most probably wrong.
If there are 100000 dictionary words, and you do the standard character replacements, you're actually adding only ONE bit of information: A cracker can search those passwords after trying the dictionary words "as is" first.
But "random capitalizations" of an 8 character word add about 256 possibilities. So that makes it only about 128 times more complicated than the "with the standard substitutions".
If there are more than one substitution characters in the word, you can also choose to not-do-them-all. That would mean more information goes in the password, and it becomes more difficult to guess. This reduces the gap between "random capitalizations" and "substitute some letters".
So, all those numbers depend very strongly on how the model ranks different "password obfuscation methods". If the assumption is that after trying password (and all other 99999 words in the dictionary) they will first try p4ssw0rd, then password0 through password99, then password~ to password before eventually coming to "random capitalisations" of the base word, then the "4000" number is plausible as what their model predicts.
But such a model is arbitrary. Now that "random capitalizations" has been published as a better alternative, the bad guys should move that perturbation up on their list of things-to-try.
From my stash of "5.5 million passwords tried by hackers" I present to you the 10 worst passwords to use:
3795 abc123
3950 default
4436 admin
4801 123
5123 12345
5229 test
5713 1234
7652 root
7737 password
12823 123456
Note again that this is very "context specific". On a different server, "1" as a password IS in the top-10, whereas it is on 15 on the first server. And the first server had 12k out of 5.5M attempts for the password "123456", whereas the second server only had 12k out of about 10M breakin attempts.... Anyway, I don't monitor those logs too closely. I don't know where the differences come from. IIRC the logs were started only a few days apart, so a change in tried-passwords over time should not be the cause of this.
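The argument above, that the "4000x" figure depends entirely on the order in which a model assumes variants are tried, can be made concrete by writing such a model down and asking where each candidate lands in it. This is an added illustration, not code from any commenter and not the CMU study's model: the substitution table and the guess order (bare word, digit suffixes 0-99, substitutions, then capitalizations) are constructed assumptions of the kind a password-strength meter would make.

```python
import itertools

# Assumed substitution table (constructed for this example; not any specific tool's table).
LEET = {"a": ["4", "@"], "e": ["3"], "i": ["1", "!"], "o": ["0"], "s": ["5", "$"], "t": ["7"]}


def substitution_variants(word):
    """Every way of leaving each letter alone or swapping it for one of its substitutes,
    so 'not doing them all' is included. The unmodified word is element 0."""
    choices = [[c] + LEET.get(c, []) for c in word]
    return ["".join(p) for p in itertools.product(*choices)]


def capitalization_variants(word):
    """Every upper/lower pattern over the letters (2^letters); the all-lowercase word is element 0."""
    choices = [[c.lower(), c.upper()] if c.isalpha() else [c] for c in word]
    return ["".join(p) for p in itertools.product(*choices)]


def guess_order(word):
    """One plausible ordering for a dictionary word, as a strength meter might assume it:
    the bare word, digit suffixes 0-99, substitutions, then random capitalizations.
    Duplicates (the bare word appears in every group) are kept at their first position."""
    seen = set()
    order = []
    candidates = itertools.chain(
        [word],
        (word + str(n) for n in range(100)),
        substitution_variants(word),
        capitalization_variants(word),
    )
    for cand in candidates:
        if cand not in seen:
            seen.add(cand)
            order.append(cand)
    return order


def guess_rank(candidate, base_word):
    """1-based position of candidate in the modelled order, or None if the model never tries it."""
    order = guess_order(base_word)
    try:
        return order.index(candidate) + 1
    except ValueError:
        return None


def relative_cost(candidate_a, candidate_b, base_word):
    """How many times more guesses candidate_a costs than candidate_b under this model."""
    return guess_rank(candidate_a, base_word) / guess_rank(candidate_b, base_word)


if __name__ == "__main__":
    for cand in ("password", "password1", "p@ssw0rd", "pAsswOrd"):
        print(cand, guess_rank(cand, "password"))
    print("pAsswOrd vs p@ssw0rd:", relative_cost("pAsswOrd", "p@ssw0rd", "password"))
```

Under this particular order "pAsswOrd" costs only about 1.6 times as many guesses as "p@ssw0rd" (rank 222 against 138), not 4000; move the capitalization group ahead of the substitution group and the ratio flips. The absolute numbers mean nothing outside the model that produced them, which is the post's point.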
This title would make a pretty strong password... "AskSlashdot:HowDoYouCreateAHighly-SecurePassword?"
I sometimes use mathematical formulae like:
ten!=exactlythenumberofsecondsin42days
etotheithetaplusone=0
asqrcos2phi=piapprox3.1416
cossqrtheta+sinsqrtheta=1
USB, USB, USB!
google password: googleisevil, yahoo password: yahooisevil, facebook password: facebookisevilindeed, slashdot password: slashdotisntevil, amazon password: mywalletisbroken
Simple really. I click the button in KeepassX and save it.
I just use the password on my luggage.
Sorry, typo.
And that's exactly the problem I have with these kinds of long passwords.
The chance I mistype it goes up exponentially with length.
This includes things like key bouncing, and a finger hitting a key too soft, or multiple keys at once. When typing in a normal text field, that's easily corrected, but in a password field it's hard to notice.
my email or financial stuff: relatively long password with a combo of what I think is nonsensical, Vuh;Kal-Poh23. If it is some forum stuff: password01. I don't care about forums.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Don't use a single word; even with letters and symbols these can easily find their way into a rainbow table, especially after a massive data breach in a popular service. But instead use a sentence, something personal to you that you created, not common ones like "The Fox Jumped Over The Lazy Dog". Gives you a good opportunity to use spaces and capital letters and even numbers in a more organic way. Tip, make them funny.
random_hex ()
{
    local n="${1-40}";
    # read n/2+1 random bytes, hex-encode them and trim to n characters
    # (the input source and the hex-encoding stage were missing from the posted copy; reconstructed here)
    head -c "$(( $n / 2 + 1 ))" /dev/urandom | od -An -tx1 | tr -d ' \n' | head -c "$n"
}
usage: random_hex <maximum allowed length of the password field>
-- 'The' Lord and Master Bitman On High, Master Of All
I use passwords in email form.
cat@dog#39.COM
Monk007@porn.net
They are easy to remember. They are flexible: length, special characters, upper case & numbers.
The one thing I do is use randomly generated passwords for security questions.
What city was your mother born in? TpV2e\LE-hYX*^w+d0l@\p3Ta
Good luck getting those right.
https://howsecureismypassword.net/
Just choose a password which takes 3,200,407,146,487 nonagintillion years to guess.
I'm still waiting for this one to gain momentum.
https://www.osapublishing.org/optica/abstract.cfm?uri=optica-1-6-421
My workflow is to Use @1Password (but there are other similar tools) to create and store a random 30 character string (website permitting, some have max lengths) with numbers, symbols, and letters for every passwd. All of my passwords are unique garbage. The downside is that if you are ever without your tool (in my case 1password), you aren't getting into anything. Luckily most of these tools have mobile apps.
MFA is where it's at.
Word number Word number Word number sometimes punctuation (when necessary). Every phrase also serves something like an identity check to those who know me. I flip them every 3 months and recycle old ones.
Do not use passwords.
Any password can be cracked in just one guess, it only depends on how good you are at guessing.
-- Make America hate again!
I wrote a web page that uses JavaScript to output the first 16 characters of the base64-encoded version of the value generated by a SHA256 of the phrase "password.site", where password is a single password that you choose to remember for everything, and site is the name of the site you want to authenticate against (i.e. hunter2.facebook). It works well for me and generates a unique password per site whilst still allowing me to only have to remember one password.
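The scheme described above, reconstructed in Python as an added example (the commenter's page is JavaScript and is not reproduced here): the first 16 characters of the base64 encoding of SHA-256 over "password.site". The second function is an added variant of the same idea that runs the master password through PBKDF2-HMAC-SHA256 with the site name as salt; the point of the slow KDF is that anyone holding one site's derived password then faces the full iteration cost for every guess at the master, rather than one SHA-256 call per guess. The master password "hunter2" and the site names are the post's own example values; the iteration count is an assumption.

```python
import base64
import hashlib


def derive_fast(master, site):
    """As the post describes it: base64(SHA-256("master.site"))[:16]. One hash per derivation."""
    digest = hashlib.sha256(f"{master}.{site}".encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")[:16]


def derive_slow(master, site, iterations=200_000):
    """Same shape of output, but the site name is the salt of a deliberately slow KDF, so
    working back from a leaked site password to the master costs `iterations` hashes per guess.
    (Added variant, not the commenter's scheme.)"""
    dk = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), site.encode("utf-8"), iterations)
    return base64.b64encode(dk).decode("ascii")[:16]


def derive_all(master, sites, slow=False, iterations=200_000):
    """One password per site from one master; returns a site -> password mapping."""
    if slow:
        return {s: derive_slow(master, s, iterations) for s in sites}
    return {s: derive_fast(master, s) for s in sites}


if __name__ == "__main__":
    print(derive_all("hunter2", ["facebook", "slashdot"]))
    print(derive_all("hunter2", ["facebook", "slashdot"], slow=True, iterations=10_000))
```

Either form inherits the scheme's structural limits: a site that caps length or forbids "+" and "/" needs a per-site exception, and the derived password cannot be rotated without changing the master or the site string.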
Stick this in your $HOME/.bashrc
genpasswd() {
    tr -dc '[:graph:]' < /dev/urandom | head -c ${1:-16}; echo;
}
Then you can just generate a password by calling "genpasswd". If you don't like the default length of 16 you can give a different length as a parameter.
Here's an example of the output:
$ for i in {1..20}; do genpasswd 30; done
?g*urm[[*eFX4595yE4IGJlE}Y=aKM
o+g{\x]z}"G*!+9RSC/9}_?Cm.BAC,
^xvy:R1HAU?ltJvUHYC=?(/Vf94k"i
>CV&G_L0;z~"/8),$]dc|JuVY.Ex8Q
?kRAo&p+?#HhC27tB!Dao$u1K}%Y6G
Q$,CaghZ\>atglH3UNLQP}@G=aea+p
!=5Od(kW\d~Ki4Gf,?6:[iWJVQs+64
9,1FxZB&%#Ha@s,Y,$qNr%y6ddHT3Q
~Y2$7h1gxe(inHVFB=vE^8{dhu{{!"
zG)ft;!I@,j7T<ZKBa3^o^7|~Y/*0T
pfy>r$9B\efdt6)B-x/B5GCQywtb,%
xU+.k%T.g,el|<"H3aejl,68!:9]B-
g=VB2`#j!z5Fdrt|GxK[^oU<%+Qj,$
W0?}1(2W+__~\@.5}d5+;@rM?%.1`>
i59yTDH%Qla97'4"_bNbAh'hI243Js
cq@v,U4_8s*"?:7[qytCQ=9zDxx=k;
kozXefJoN[CI@w:'Fzi0$RSntHk<II
pvpc1vi4U%?]7=/Q!OC[b3V?'9})sC
1Frg'V]hTMFB5GA-Ek!"NCV3Y;5FK:
{]cW%y8cepu)vW;nq:dh}9G]SI=He^
I get a long, complicated, random password, then I make up a phrase to go with it. I repeat the phrase as I type it in
Eg, mAW!t@Eh*J9$r becomes ummm....
My Aunt will bang that hey? Date just 9 dollar
(Date is another word for a chocolate starfish, which looks a bit like, well, you get the idea.)
Now, just try getting that mnemonic out of your head!
I use randomly-generated passwords that are at least 20 characters long and generated from reading /dev/random . Any scheme other than using a cryptographically-secure random number generator will be weaker.
"my voice is my passport"
I take a phrase that I like from a song, book, or movie and then riff on it a bit.
I might start with "God does not play dice with the universe; He plays an ineffable game of His own devising," part of a line from Good Omens.
Then focus down. "ineffableGame" thats a good start.
ineffable Game w/ blank Cards.
or perhaps
ineffable Game for infinite_Steaks
or
an ineffable Game for infinitesimal 6Steaks
Substitutions of words, puns, plays. It makes it personal, but you still have a hook for remembering it. So long as you follow your own (hopefully somewhat twisted) sensibilities you will have a way to re-derive the password, a sort of logical mnemonic.
Choosing a longer phrase, or a more significant part of a phrase, for more security is a natural extension, and it beats trying to remember complex letter and symbol substitutions. Wordplay is much more natural.
md5sum
d41d8cd98f00b204e9800998ecf8427e
$ gpg2 -ear <myself> | md5 | pbcopy
google.com1
$
Now I have the password in the clipboard. I use a nonce/salt (i.e. 1, 2, 3), so that I can change the password if I have to, but it's not hard for me to guess it in case I forgot.
I use Dashlane. 12 or more totally random characters
Before we tackle what makes up a good password, we probably need a standard implemented across the board.
Things like:
Minimum and maximum characters.
Standardized character sets. ( Aa4# )
Hashes, salts, and storage of credentials.
Mandatory HTTPS for login sessions.
Then fine the sh*t out of companies who get breached and expose login credentials because they weren't following the standard.
It does no good to have a fully random twenty seven character password if the damn thing is wide open on the server side or they are still using MD5 to store it.
After we get there, we can probably talk about what makes a good password.
I do the same type of things, though such long passwords are difficult to type when first waking up in the morning.....
And the word 'pAsswOrd' would take 4,000 times more guesses than 'p@ssw0rd', simply because "In modern day password-cracking tools, replacing letters with numbers or symbols is predictable."
Not if you're Blizzard and ignore case sensitivity...
https://xkcd.com/936/
#!/bin/bash
# pick four random lines from the system dictionary
# (note: $RANDOM is 0..32767, so only the first 32768 lines can ever be chosen;
#  +1 avoids line number 0, which would match nothing)
for i in {1..4}
do
    awk -v lineno="$(( RANDOM + 1 ))" 'lineno==NR{print;exit}' /usr/share/dict/american-english
done
You're welcome.
$ md5sum
(enter a random string of garbage)
^D
Paste the hash into an editor.
Add a few uppercase and perhaps a special char or two somewhere.
Paste the result into the password database (lastpass or whatever) for safe keeping.
I am not a very security minded person. All I do is make it a sentence. A long sentence (as long as the system allows). With a number in it, so that if the system wants another bloody password, I just increase the number by 1. For example: Little red robin likes to eat 27 pears now. Works well enough for me, though maybe I just don't realize when my accounts get compromised.
http://biblehub.com/john/14-6.htm
Jesus saith to him: I am the way, and the truth, and the life. No man cometh to the Father, but by me.
How do you hide your ass from God?
I use a combination of Lastpass and Keypass. When I generate a password, I default to a 100 random character string... if the website is stupid and puts an upper limit on the security of my password, I reduce the password length accordingly. Basically, it is a random string that is as long as the individual website will allow me to make.
I have 20 fingers and toes, two ears, two eyes. Most places, the biometric data is stored locally. We're quibbling over what is quite possibly the weakest possible security measure known though. Passwords are all nothing but security via obscurity (worst practice). The weakest link in this whole authentication scheme isn't the password, it's the user. Didn't The Reg have an article where something like 40% of users would give up their password for a piece of chocolate?
Stop signs are only Suggestions
I use a random string generator and a string length of 15 to 20 chars, and reset the password monthly where I cannot use dual factor.
taeniaeaxolotlstarniestrongyl
Tournament Scrabble players memorize lots of words, often without knowing their meanings (I don't know the meanings of the four seven-letter acceptable words above). Makes for cool passphrases for LastPass et al.
So for those who understand the maths, is the above passphrase harder to crack than the 20-random-printable-character passwords I have LastPass generate for me?
"I'm looking for new heuristics for my rainbow tables"
I create a password for the system like Pass1234.
Then I pull out the network card, fill the PCI slots, USB ports, Firewire, and Bluetooth with resin. Then I put the computer in a lead lined room with a deadbolt on the door. Then I remove the keyboard. Then I smash the network card I removed to tiny, tiny pieces, just to be sure...
NO ONE is hacking THAT password...
How come Slashdot never gets Slashdotted?
my 2c
a lengthy password that is memorable.
You want users to have passwords they don't write down and they can recall easily.
A random jumble password of 20 characters isn't easily memorable.
A memorable phrase can be very useful
as an example
irememberthetimeifirststartedusinglongpasswords
I suppose you could use a phrase not likely to be guessed or encountered in real life, like "MicrosoftIsEthical", or "Windows10IsPerfect!". That last one contains numbers and a special character, as well as being easy to remember.
sudo apt-get install apg
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Passwords are a passing fad; they've only been around for about 45 years and it is my hope they will be a dead method within the next 5.
For now, I use long random passwords with at least 44 bits of entropy (not telling you the character set or length, that leaks too much information). But as I said, the password must die because it is fatally flawed: it relies on having the service store a secret for comparison, something that can be captured in transit or stolen on the server and brute force reversed from its hash (if used), then used repeatedly until revoked by an out of band repudiation method.
In the very near future only a per site unique zero knowledge proof of sufficient strength to preclude brute forcing will suffice; thus only public information is present on a server, and by the nature of a zero knowledge proof against a unique challenge there is nothing useful to steal.
The most secure way is to use certificates and smartcards.
> Our ability to remember long passwords is limited without context or patterns.
Certainly true.
> A computer's ability to recognize patterns is however insanely difficult.
"pOs5IbL3" is not pattern recognition, and it is used by common cracking tools. The rules are well known - 3 is interchangeable with E, 0 for O, and 5 for S. Bad guys do those substitutions.
Mainly what it comes down to when choosing passwords is length. Adding a few extra characters to the alphabet, using 0, 3, and 5 as letters, is fine and all, but you get more bits of entropy by making your password a character or two longer.
To create long passwords that one can remember, a sequence of words is good, but of course attackers have dictionaries. One option to improve it, therefore, is non-dictionary words like unjoyfully, runnableness, or happify (make happy). A sequence of such non-words can be easy to remember and hard to crack.
dd if=/dev/random status=none bs=24 count=1 | base64
This should produce passwords accepted by the majority of sites, and should be about as secure as your random number generator and password management system. Tack on characters as the site requires. You may substitute your RNG of choice, and adjust length to your liking (protip: use a byte count that's a multiple of 3, i.e. an output length that's a multiple of 4, to avoid getting extra '=' padding at the end of the encoding). Dropping the status=none saves you typing, but you have to pick out the password from the resulting jumble of output.
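As an added example (not the commenter's command), the same recipe in Python's secrets module, with the entropy and base64 padding arithmetic written out. The default alphabet and the "required character class" handling are assumptions for illustration, not part of the original post.

```python
import base64
import math
import secrets
import string


def base64_password(nbytes: int = 24) -> str:
    """The dd | base64 recipe: nbytes from the OS RNG, base64-encoded.
    Entropy is 8 * nbytes bits. Output is 4 * ceil(nbytes / 3) characters,
    and only a multiple-of-3 byte count avoids trailing '=' padding."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length at which uniform draws from the alphabet reach target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_password(target_bits: float = 80,
                    alphabet: str = string.ascii_letters + string.digits,
                    required_classes: tuple = ()) -> str:
    """Draw a password with at least target_bits of entropy from `alphabet`.

    If a site insists on e.g. 'at least one digit', reject and resample
    instead of forcing a digit into a fixed position: resampling keeps the
    result uniform over the accepted set, whose size is only slightly below
    len(alphabet) ** n, so the entropy loss is a fraction of a bit."""
    n = length_for_bits(target_bits, len(alphabet))
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(n))
        if all(any(c in cls for c in pw) for cls in required_classes):
            return pw


if __name__ == "__main__":
    print(base64_password(24), "  # 32 chars, 192 bits, no padding")
    print(random_password(80, required_classes=(string.digits, string.ascii_uppercase)))
```

24 bytes give 32 base64 characters and 192 bits; 25 bytes give 36 characters ending in "==". For an alphanumeric password (62 symbols) 80 bits needs 14 characters, which is the kind of arithmetic a site's length cap forces you to do before trimming.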
I have a scrambled 100,000+ English word dictionary. I have a javascript script that I feed 100 random bits drawn from John Walker's Hotbits. The script produces 4 random words that, taken together, are at least 16 characters long. To remember the four words, I construct a single sentence story that says something about the site.
Since I have the source code which I run in a browser that has never seen the web, I don't have to trust the author - that's me - to keep my passwords secret. The only thing I need to trust are the 72 bits are what Walker says they are and that his site isn't recording the bits he's handing out. If it ever comes to thinking otherwise, I have a lava lamp. Yeah, I'm that old.
I only use the script on moderately and very important to secure like email and work. For sites that I don't care if someone pretends to be me, I use one word passwords.
There are 10^20 possible combinations. Adding a fifth word for banking cranks that up to 10^25 combinations. I can type quickly so 4-6 word phrases aren't a problem for me.
I suspect a clever cryptologists could find several weaknesses in the approach (etaoin shrdlu comes to mind) but I think the resulting pass phrase will defeat most attacks.
I tell everyone to use this: https://www.gregd.org/projects/GeekTools/#/passwords and LastPass
Random passwords, reasonable lengths, no confusing characters
#4. Long. I prefer 32 characters long.
What? What's the fucking point?
Most online services won't even accept a password that long.
Many services that do accept such a password will silently truncate it to 16 characters or less, even Windows did this not too long ago.
It's impossible to remember.
It takes an inordinate amount of time to type and is highly prone to transposition errors. Are you saving them in some online password safe, negating all the security that you imagine 32 characters provides?
32 characters is something that's used/needed/recommended for encryption keys and key generation. It is ludicrous for password use.
Password Safe >> New Entry >> [type url] >> [Default Username] >> Generate Password >> Save
I never type it, not even once.
I use RoboForm for almost all password generation.
I don't actually know 90% of my passwords.
When it is a requirement for me to remember my password, I will do one of the following:
- make a repeatable number letter combo (i.e. 2pt2p2PT)
- use a phrase. I like to select phrases based on band names, album names, song titles or song lyrics (i.e. Red Barchetta is a car)
My eyes reflect the stars and a smile lights up my face.
Completely unimportant (the fake email you use to fill out forms when you don't want spam later) -- mailinator doesn't use any password at all :)
Mostly unimportant (games and such, with no personal information and no credit card attached) -- pick something easy, because who cares?
Moderately important -- "correct horse battery staple", but keep it unique
Really important -- `openssl rand -base64 12`
Where is the wisdom we have lost in knowledge?
Where is the knowledge we have lost in information?
... and whenever you need one just click "forgot password" to get a new random, unique password...
Two factor authentication.
Is a dictionary going to have, for instance, the phrase "Clark Kent"? I can't imagine, or at least not something it'd try right off the bat, right? But "Clark Kent does 44 situps" (not my actual password to anything) is at least as easy to remember as "correct horse battery stapler" or whatever. So, that's what I do. (For passwords to places I'm actually worried about. For everything else, I have a fairly easy to guess, but also super easy to type, password, because... so?)
All it takes is a 20s dice
Decide on the password length then look at whatever ascii table is handy and roll the 20s 5 times and record the value.
Can't really get much more random than that...
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
I've read that you can use a letter from each word of a memorable sentence to make a long pw that you can remember. But, such a pw is still a huge PITA to type on a phone with no keyboard, and even worse if you include numbers & special chars.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
I used to use what I called the spastic monkey on crack method. When I needed to create a new password, I would open an editor, close my eyes, and just start slapping my finger tips down on the keyboard at random, being sure to hit all four rows and alternating stretches without the shift key held with stretches with the shift key held down. Then, I would go back through and delete any subsequent keystrokes that were immediately adjacent (on the standard QWERTY keyboard layout) to the previous keystroke, as well as any exact duplicates. Then, trim to length (generally 16 characters), and use that as my password. Generally this process would also have to remove verboten punctuation marks.
This process got so tedious that I automated it with a bash script. So, now, whenever I need a new password, I just bring up a terminal session and type the "new_password" command and up comes 16 $RANDOM keystrokes, no symbols reused, and easy to type correctly since no sequential keystrokes are right next to each other. I've since modified it to accept a length so I can generate passwords longer (or shorter, but why would I want to do that?) than 16 characters. I still need to modify it to accept a list of verboten punctuation and simply refuse to generate those keystrokes in its output.
obviously the best dog name is now : Fido'); DROP TABLE DOGS; --
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I remember some fairly secure passwords from 20 years ago. We had an intern who left, and he gave me his unix password in case I needed it.
It was CIrpotb, It was the first letter from each word in the lyric in the song Jeremy "Clearly I remember picking on the boy," and included the comma.
I have used a similar method. Here's how:
1. Pick something significant to you that you will not forget. Let's say you saw your first girlfriend's hot mom in the nude. Her name was Alice. Aliceboobs
2. Throw in some caps. AliceboobS. Then some numbers and punctuation. Aliceb00bS!
Done
So when you have to change it, bump up the 2nd number. Aliceb01bS! Aliceb02bS!...
If you just go from 00 to 09 and back, you have 10 iterations. If you go to 99 you have 100.
Need to keep a reminder on a post-it? write milf18!
That means Aliceb18bS!
Need to answer a security question? What was the name of your first pet? milf18! easy reminder
You only need to modify a few characters to get a new secure password that only you know the story behind.
Find your own event, make up your own rules. Anyone can do it. I have had the same password scheme since 2000. The password now looks random because of modifications over the years.
(note: that is NOT the story behind my password, but the story is true) :)
My beliefs do not require that you agree with them.
My work environment:
Photographic ID to get on the property.
Access lists on the buildings.
Combination locks on the doors.
16 character password.
Rolling Code Clock fobs.
6 digit PIN on a 1024 bit cert on a smartcard.
And just about everyone uses "P@$$w0rd" on external web-sites.
It does not matter how secure the sysadmin makes the workspace log in process, users are idiots.
If everyone used salt, rainbow tables would be useless.
However, GPU-based hashing became fast and cheap enough to obsolete rainbow tables years ago.
Salt should still be used. For one, it prevents attackers from cracking the most common passwords first.
https://www.ece.cmu.edu/~lbauer/papers/2011/chi2011-passwords.pdf
A joint study between the US's NIST and Carnegie Mellon University (ca. 2011) shows that there's little benefit to exceeding 16 characters.
"Among conditions we tested, a 16-character minimum with no additional requirements provides the most entropy while proving more usable on many measures than the strongest alternative."
I suggest 16 or more characters, and something easy to remember (vs, say, something from a password generator). Remembering 20 different passwords which are all easy to remember, is easier than remembering 20 (or 10, or even 5) that are totally random mixes of numbers, letters and symbols. But as always ymmv.
It's a page dedicated to creating easy to remember passwords for children.
I use it on my adult users all the time when I have to create a password for them, and I copy-paste the entire picture of the dinosaur and send it to them when I do.
The preceding post was not a Slashvertisement.
oh, wait, you said how do "I" create a secure password. never mind. I just use CowboyNeal's.
if this is supposed to be a new economy, how come they still want my old fashioned money?
I usually look for the box that says new password and type "Highly-Secure" (without the quotes). If there is a confirm password box I enter the same thing there.
Make up a phrase that isn't common, something that makes sense to you. Then replace random characters with symbols/numbers and add some characters at the front and back.
*$1s7h3R0070f3v1l!!
I would recommend https://en.wikipedia.org/wiki/...
pwgen 20 1
Variation of this, if you speak any language other than english, always use passwords from your language.
The most common password crackers have used dictionaries for multiple languages since the 1990s at least.
Then I memorize it like a slightly longer phone number by typing it in to the secure field every single time I use it. Google, Facebook, banks all have different passwords that I finally memorized.
what the fuck are you doing that doesn't make you enough money to get a proper phone plan?
For some, it involves having been automated out of a job while residing and holding citizenship in a country that does not provide universal basic income.
Move out of a country that allows such an idiotic practice.
Emigration is even more expensive than receiving SMS.
What if I choose to spam you like hell?
Your spam campaign may end up hitting someone willing to see you in court.
I didn't use to post as an AC, but I used a secure password on my slashdot account, and forgot it years ago.
Sadly, the ISP that the email account was with went out of business and a different company bought up its domain, so that recovery method is out also.
Every few months I go back and try a few more passwords that seem like I might have used them, but apparently it was a pretty good password.
So yea, for 95% of your online accounts, "wordpass" is secure enough, and you won't face the horror of having to post as an AC because you won't forget it.
Your main email account and your financial business accounts are the only ones that need more than that in my opinion.
The site that requires 8+ character passwords and no words mixed in, and does nothing but let me check if my order has shipped yet? They can go die in fire.
You make up words and new random algorithms, then throw all knowledge of them away.
You make the mold, make the key, then destroy the mold and don't lose the key and murder anyone who might be able to re-create it. (the last part is optional).
Seriously though, the best passwords for their weight are when you make up a word or spell a word wrong in an unusual way. You can also do fun things like translate your passwords into another language, like Latin. Not a lot of hackers have strong Latin dictionaries. For practical high security passwords, I like those best. They are also possible to communicate if needed; that can be a security advantage or disadvantage depending on what you want to secure.
You will not come up with one password that works best for ALL things that require passwords, Mobile passwords generally need to be shorter or easier to remember because you don't have the standard keyboard layout to help you.
All in all for normal use it's best to just use a password manager like Chrome's or Last Pass. Even if they aren't secure, neither are you, and they will improve more reliably than you. Unless you really are that important, don't worry about it too much. If you generate a random password for every new site, you will be much more secure than relying on your silly human brain... 99% of the time. If you are the 1%.. stop reading slashdot and get back to work building that omnipotent AI so I can have robot slave women orgies before I die.
Two and three factor security is clearly the correct way to go, not stupid complex passwords, which at some point present their own logistics problems. There is no point in putting all your eggs into one authentication code... basket... analogy.
The rules are well known - 3 is interchangeable with E, 0 for O, and 5 for S. Bad guys do those substitutions.
That is my point exactly. The bad guys use this rule, and the next rule, and the rule after that, but if we just keep adding rules and rules that the bad guys need to match we're no worse off than a brute force eventually. We now have a dictionary that requires not one guess, but 6515 guesses for just this one word, and that's assuming a perfect substitution without a misspelling somewhere.
Back up the GP proposed using an md5 from a dictionary passphrase. Well apparently they are working on that too because ... well they are bad guys and dictionaries are fun and ram is cheap right?
My point is that basic patterns and number combinations are used in cracking tools. No one is sophisticated (bored?) enough to perform a dictionary attack against a passphrase that has been md5'd and is then used as the password which is finally hashed. Not when the most common passwords in the world can be easily guessed.
You're not talking about hiding from hackers anymore, but rather from the NSA or from a very targeted attack.
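The substitution rules discussed in this reply and in the earlier comment ("3 is interchangeable with E, 0 for O, and 5 for S"), as an added example that is not from either commenter: it enumerates what a rule-based cracker actually has to try for one dictionary word, and counts it. The LEET table is a constructed stand-in for a real rule file (hashcat's and John's are larger), so the counts are illustrative.

```python
import itertools
import math

# Letter -> the spellings a rule set tries for it. Constructed for illustration;
# the untouched letter is always one of the options.
LEET = {
    "a": "a@4", "b": "b8", "e": "e3", "g": "g9", "i": "i1!",
    "l": "l1", "o": "o0", "s": "s$5", "t": "t7",
}


def leet_variants(word: str):
    """Yield every spelling reachable by substituting independently at each
    position. Because the plain letter is an option, the plain word is included."""
    choices = [LEET.get(ch, ch) for ch in word.lower()]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def count_leet_variants(word: str) -> int:
    """Candidates needed to cover every leet spelling of `word` (no case changes)."""
    n = 1
    for ch in word.lower():
        n *= len(LEET.get(ch, ch))
    return n


def count_leet_and_case_variants(word: str) -> int:
    """Same count when every letter that survives may also be upper- or lower-cased;
    digits and symbols have no case, so they contribute one option each."""
    n = 1
    for ch in word.lower():
        options = LEET.get(ch, ch)
        n *= sum(2 if o.isalpha() else 1 for o in options)
    return n


def bits_of_work(candidates: int) -> float:
    """log2 of the candidate count, comparable to the 'bits' of a random password."""
    return math.log2(candidates)


def is_leet_spelling(candidate: str, word: str) -> bool:
    """True if `candidate` (ignoring case) is one of the rule-generated spellings."""
    return candidate.lower() in set(leet_variants(word))


if __name__ == "__main__":
    for w in ("password", "possible", "iloveyou"):
        print(w, count_leet_variants(w), count_leet_and_case_variants(w),
              round(bits_of_work(count_leet_and_case_variants(w)), 1), "bits")
    print("blind search of 95^8:", round(bits_of_work(95 ** 8), 1), "bits")
```

With this table "password" has 54 substitution spellings, or 3072 once case toggling is added: about 11.6 bits of work, against roughly 52.6 bits for a blind search over all 95^8 printable eight-character strings. Both "p@ssw0rd" and "pAsswOrd" fall inside those 3072, which is all "predictable" means here.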
"And the word 'pAsswOrd' would take 4,000 times more guesses than 'p@ssw0rd', simply because "In modern day password-cracking tools, replacing letters with numbers or symbols is predictable.""
Umm that doesn't jive. The search space for "pAsswOrd" is 52^8, whereas the search space for "p@ssw0rd" is 68^8.
a-z = 26 characters
A-Z = 26 characters
0-9 = 10 characters
Symbols = 32 characters
http://csrc.nist.gov/archive/pki-twg/y2003/presentations/twg-03-05.pdf
With things like hashcat getting better and better, I run a full 16 char random string unique to each site and then store them in a SQLCipher database.
Include spaces. 0x20 is a remarkably unusual character in a password. Full sentences, perhaps a favorite quote (although maybe not quite exact since that would be predictable). Include your common misspellings and it's better still. Long is good too, so more than a phrase per se. "Now is the time..." or "Better to remain silent..." are good examples, but don't use overly popular ones. What is the phrase your mother/father/grandparent always said to you? What words of wisdom do you live by? These are good passwords and easily remembered.
openssl rand -hex 32 | less
Then, I'll manually change some letters to Upper Case, and add a few symbols.
I keep them written down, and change them annually. It's a total PITA, but "so far, so good."
Uh, Linux geek since 1999.
I should say, for about fifteen years my job was developing software to thwart dictionary and brute force attacks. I've analyzed many millions of attempts and studied most of the tools attackers use. The point is, I'm not guessing what might work.
> No one is sophisticated (bored?) enough to perform a dictionary attack against a passphrase that has been md5
This can be a good idea if you take it a step further. As-is, there are of course far fewer MD5 hashes than there are passphrases of a given length, so this approach by itself is questionable. It may or may not work well vs a particular configuration of a particular tool. However ...
We know that re-using passwords weakens security. Bad guys get a dump of user names and passwords from MySpace and try those same pairs on other sites. We also know that remembering 100 different passwords is impossible, and storing them is a risk. An alternative I've used is to CALCULATE unique passwords. Your password for slashdot.org is SHA1(correcthorse SLASHDOT.ORG batterystaple) . Your password for Facebook is sha1(correcthorse FACEBOOK.COM batterystaple). In that way, crackers can't use your slashdot password to log in to your email, but you only have to remember one thing. By using a strong hash (not md5) neither hash can be reversed to reveal your passphrase.
* The above is a basic description. There are minor tweaks which enhance the security, such as:
sha1(SL correcthorsebatterystable ASHDOT.ORG)
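An added example (not the commenter's code) of the per-site derivation scheme described above. It keeps the idea, one memorised secret plus the site name, but swaps in PBKDF2-HMAC-SHA256 with a high iteration count in place of a single SHA-1, so that an attacker who learns one derived password (from a site that stored it badly) cannot cheaply brute-force the master secret offline and then derive every other site's password. The iteration count, output length and site-name normalisation are assumptions of this example.

```python
import base64
import hashlib

# PBKDF2-HMAC-SHA256 iteration count: deliberately slow so that guessing the
# master secret from one leaked derived password costs the attacker real time.
ITERATIONS = 600_000


def normalize_site(site: str) -> str:
    """'Slashdot.org ' and 'slashdot.org' must produce the same password."""
    return site.strip().lower()


def derive_site_password(master: str, site: str, length: int = 20) -> str:
    """One memorised secret, one unique password per site.

    The site name is the salt, so the same master gives unrelated outputs for
    slashdot.org and facebook.com, and a crack of one site's user database
    yields nothing usable against the others."""
    key = hashlib.pbkdf2_hmac(
        "sha256",
        master.encode("utf-8"),
        normalize_site(site).encode("utf-8"),
        ITERATIONS,
        dklen=30,  # 30 bytes -> 40 base64 characters, no '=' padding
    )
    # base64 output is letters, digits, '+' and '/'; trim to the site's length cap.
    return base64.b64encode(key).decode("ascii")[:length]


if __name__ == "__main__":
    master = "correcthorsebatterystaple"  # illustrative, not a real secret
    for site in ("slashdot.org", "facebook.com", " Slashdot.ORG "):
        print(f"{site.strip():15s} {derive_site_password(master, site)}")
```

The trade-off the scheme does not remove: a single derived password is only as strong as its length (20 base64 characters is 120 bits here), and rotating one site's password means changing the master or adding a per-site counter to the salt, which then has to be remembered too.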
just nuke the site from orbit. it's the only way to be sure.
The longer the password req, the harder it is for normal users to remember them. I keep a 30 ish character password for my real accounts. I see folks having trouble with 14 characters.. writing down hints, doing keyboard runs, reusing passwords all over the place.
I have found that most people can remember long passwords if they are disturbingly creative. A friend of mine forgot her OS password, and I had to reset it for her. She needed a secure password because her kids were prone to misuse of the PC. After resetting the password, I made up a replacement password I knew she could not forget: DeliciousEarwigPudding5000. We used to joke about that password after the PC was gone, as in "What, no earwig pudding this Thanksgiving? But, it's so delicious!".
It's essentially the xkcd approach linked elsewhere in multiple posts. For another friend, I came up with one similar to this: SexyStripperFetuses@The12ThirtyShow. Now, just try to get that out of your head...
- T
Requiem for the American Dream
Don't use words. C$mnlr@e0r,|ptfet;
Should be hard to guess. How do you remember it? "Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof;"
Don't have the amendments memorized? Surely there's something you can remember. Favorite book, favorite poem, favorite song, favorite quote from a movie or TV show.
2cye,stdb4y,&2htlotw!CtB
To crush your enemies, see them driven before you, and to hear the lamentations of their women! Conan the Barbarian
Exactly. Which is why people don't want to use long passwords. Particularly when they're coupled with draconian limits on attempts, such as wiping your phone after 3 failures.
Use a random generator to create a 12-character sequence, then rote memorize it.
And keep a copy in your wallet in the middle of a much longer (e.g. 100 character) sequence.
Your brain's pattern recognition machinery will immediately recognize the correct sequence, but nobody else will.
For example,suppose the random generator spat out
Then print out and save
Whenever you look at this, the correct sequence "uiTb8fqlPhkX" will appear obvious to you, but to no one else.
such as smartcards, etc...
>> To create long passwords that one can remember, a sequence of words is good, but of course attackers have dictionaries. One option to improve it, therefore, is non-dictionary words like unjoyfully, runnableness, or happify (make happy). A sequence of such non-words can be easy to remember and hard to crack.
I've always used a similar strategy, by introducing intentional misspellings into pass-phrases excerpted from books or song lyrics. E.g.,
"All Along The Watchtower" becomes allalongthawutchtower, which is a strong password that is easy to remember.
Note that those small changes break dictionary attacks and make the password much more secure. How much more? While there are many different metrics you can use, here's one site's password strength meter:
https://www.my1login.com/resources/password-strength-test/
allalongthewatchtower = 1 month brute force to crack
allalongthawurchtower = 7 million years brute force to crack
, is non-dictionary words like unjoyfully, runnableness, or happify (make happy).
Except that some may just be odd or unknown words, and as such may exist in dictionaries.
unjoyfully - http://www.collinsdictionary.com/dictionary/english/unjoyful
Others might be made up of real words.
runnable-ness - runnable will be in the dictionary and an attacker might try adding common suffixes such as -ify -ing -ness given that they already substitute 3 for E etc and many people add suffixes incorrectly.
"I read slashdot, because i am so f*cking bored".
If the site limits the length of the password, you still have: Irs,biasf*b
The point of the random pass phrase is *you assume your attacker has your exact dictionary*, and you show they still cannot crack it.
Take a 10,000 word dictionary. Now take 6 words from it at random.
Have you, a human, look at 20 such passwords, pick the one easiest to remember, and reorder it to be easy. You are free to add extra words between the words provided.
You always capitalize the first letter of each of the words, have no space, no number, no symbols (except if the server requires it).
I will assume the attacker (A) has your dictionary, (B) is able to perfectly predict anything a human picked (which of the 20 you prefer, the order of the words, any extra words added, the capitalization, any numbers of symbols added). This is being generous to the attacker.
This password still has more than 75 bits of entropy. It is completely uncrackable remotely.
If they had the encrypted password file with a fixed salt and a rainbow table, which they store *on the combined hard drive storage of the entire planet earth*, they have on the order of a zettabyte of storage, or 2^70 bytes.
Each hashed password is about 10 bytes, so ... the entire world's hard drive storage is not enough for a rainbow table attack.
How about a computational attack? Let's assume a single CPU can check 100 million passwords per second and costs 1.5 cents per hour. That is 26.5 bits of passwords per 1.5 cents, or 39.2 bits of password for $1. Cracking 75 bits requires 2^35.8 dollars, or about 60 billion dollars. (This is based off a ridiculously easy to crack password hashing algorithm, and having access to the hashed password file, and paying Google Cloud preemptible rates for the CPU.)
I don't care if you have my dictionary.
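The entropy, storage and cost arithmetic from the post above, as an added example that is not the commenter's code. The 10,000-word list is constructed so that only its size matters, the hash rate and hourly price are taken as inputs, and the seconds-per-hour factor is carried explicitly so the units can be checked.

```python
import math
import secrets


def passphrase_entropy_bits(dict_size: int, nwords: int) -> float:
    """Entropy of nwords drawn uniformly, with replacement, from a dictionary
    the attacker is assumed to have. The secret is the choice, not the list."""
    return nwords * math.log2(dict_size)


def rainbow_table_bytes(entropy_bits: float, bytes_per_entry: int = 10) -> float:
    """Storage needed to precompute one table entry per candidate passphrase."""
    return bytes_per_entry * 2.0 ** entropy_bits


def crack_cost_dollars(entropy_bits: float, guesses_per_sec: float,
                       dollars_per_hour: float) -> float:
    """Cost to exhaust the keyspace on rented CPU. Units carried explicitly:
    (guesses/s) * (3600 s/h) / ($/h) = guesses per dollar."""
    guesses_per_dollar = guesses_per_sec * 3600.0 / dollars_per_hour
    return 2.0 ** entropy_bits / guesses_per_dollar


def random_passphrase(words, nwords: int) -> list:
    """Draw nwords uniformly from `words` with the OS RNG, with replacement,
    so the entropy formula above applies exactly."""
    return [secrets.choice(words) for _ in range(nwords)]


# Constructed stand-in for a 10,000-word dictionary; only its size matters here.
WORDS = [f"word{i:04d}" for i in range(10_000)]
ZETTABYTE = 1e21


if __name__ == "__main__":
    bits = passphrase_entropy_bits(len(WORDS), 6)
    print(f"6 words from {len(WORDS)}: {bits:.1f} bits")
    table = rainbow_table_bytes(bits)
    print(f"rainbow table: {table:.2e} bytes = {table / ZETTABYTE:.0f} zettabytes")
    print(f"exhaustive search at 1e8 guesses/s, $0.015/h: "
          f"${crack_cost_dollars(bits, 1e8, 0.015):.2e}")
    print(" ".join(random_passphrase(WORDS, 6)))
```

Six words from 10,000 give about 79.7 bits; a 10-byte-per-entry table for that is about 10^25 bytes, some four orders of magnitude above a zettabyte. The cost function is the place to plug in a realistic hash rate for the actual algorithm (bcrypt or scrypt guesses run orders of magnitude slower than a single SHA-1 per guess), which is the only number in the calculation the defender controls.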
That's all pretty good analysis. Let me throw in one more piece. You don't know what kind of hashing the site uses. Very sadly, the most common is the old-fashioned DES-based which ignores everything past the first eight characters*. Therefore the first eight characters should be as strong as you can make them.
That may seem surprising. Here are a few facts that partially explain it:
Most password protected sites are
I accidentally hit submit too soon.
Over half of password-protected sites are porn sites.
Over 90% of password-protected porn sites use one of three billing companies.
Those three billing companies provide the sites with password scripts that use DES.
DES is also the default for htpasswd.
Therefore, more passwords are hashed with DES than any other algorithm.
The USA doesn't charge to receive text messages if you pay extra per month for an unmetered text message plan.
Every plan that I can find, postpaid anyway, with the major carriers, offer unlimited text and talk.
I'm on pay-as-you-go. I was including postpaid plans, which generally run far more expensive than that, in "pay extra per month for an unmetered text message plan".
This thread is chock-full of comments which seem to be oblivious to the fact that the subject is very poorly defined/constrained. I'm not stupid (generally speaking) but I'm not young, either. First thing I'd like to know is how many of the people claiming clever PWs actually change their PWs every 6 months and have more than a couple in regular use? I've more than once run into the situation of failing to log in because I'm remembering the PW I used last, or last year, or two years ago and that I (not so) cleverly changed it by a single change in case (or punctuation mark). Can the average human remember a dozen 8 character passwords that change every 6 months? I don't think so, especially if you're given a 3 strikes and you're out penalty. Do most log-ins allow copy and paste? (necessary for a md5 solution) Heck, one of my Tier 3 logins ONLY allows 6 to 8 chars and ONLY from the set of a-z, A-Z, 0-9, and about 6 punctuation marks!!

I guess I should mention my 3 Tiers: Tier 1 is the I-Don't-Care-If-I'm-Hacked sites. I use the same 8 char PW for all of them (but may add a 9th char or change case of the 8th). Tier 2 is Business, where the liability isn't mine, and passwords are forced to change regularly (by corporate edict). I use a two or three word phrase, but since these are accessed frequently, memorization isn't burdensome. Tier 3 is my high security, high financial liability PWs. For these I use a random character generator (in an Excel sheet) which is customized for what the site allows (and what my access devices can create).

Two points: 1) some sites only allow the characters found on a regular keyboard (usually these sites don't even accept all of those), some are case insensitive (I kid you not... have you checked to see if your Tier 3 site PW is case sensitive? You may be surprised) and others allow significant extension of the allowable characters into the unprintables (Unicode, alt-numeric pad, etc.).
Point 2 is my Android phone allows very few characters outside of a-Z,0-9, and those are European (Ç, è, £, etc.). I've got about a dozen Tier 3 PWs and none of the sites has the exact same set of allowable characters, what's up with that??? (It is noteworthy, I think, that Android (or is it Samsung?) doesn't allow rendition of at least the basic code page of the Unicode code set (ie 0h0000 - 0hFFFF) I mean, is this like A.D. 1990? How about Apple? Can you use or on an Apple phone? [whoops! neither character code appears in the preview window, shame on slashdot!! another anglo/euro centric site. This will change in the next 20 years, I bet, as the Asian economic powers get serious, anyway, suffice to say that one char is arabic and the other simple chinese] Time for both OS mfgs and web-sites to take PW protection seriously. I make no attempt to remember my Tier 3 PWs, they are securely stored and if electronic are well encrypted.
I use chess openings. It comprise Uppercase, lowercase, numbers and even special characters.
For example:
1e4e52Nf3d6Bb5#Bd7Bxd7# etc...
I once saw a good presentation by a major security expert. The presenter designed and implemented security systems for corporations like banks. He provided a list of clients as well as an abbreviated CV, all of which were impressive. In the opening prologue to his presentation he stated bluntly that passwords are the most vulnerable part of any security system, in part due to human factors, as this article suggests. However he went on to say, even more bluntly that no passwords are safe. As if to prove the point he hacked several laptops, and a couple of phones live on stage.
The primary thrust of his presentation was not really about passwords. He talked a good deal about systems with various kinds of backdoors and/or deliberate exploitable vulnerabilities. These, he advised, were likely created as the result of specific directives from various alphabet agencies or their proxies. All this gets to be very cloak and dagger, so is easy to dismiss as being little more than fantasy. However, given the state of the world, I can well imagine such vulnerabilities actually exist everywhere. The point being made was obvious. If someone with the right understanding of a system wants in, having a password on the front end is pretty much useless.
I have no way to verify what was presented. It just makes sense to me that, given the number of major incidents involving hacked information, security vulnerabilities may well be more wide spread than we might assume. Password security may be the least of our problems.
2FA
*All other comments about password length and style should bow before the obvious superiority of 2FA
For awhile, used Steve Gibson's Perfect Passwords page - https://www.grc.com/passwords....
;)
.php every time.
;)
Then decided to go in-house - eavesdropping on an SSL connection? That's possible?
Started with this script: https://gist.github.com/tylerh...
Changed it up a little so I could pass a number (otherwise it defaults to 63 chars), removed the limitation of zero vs upper-O, number one vs lower-L, etc. (didn't make sense as I'd just be pasting anyway), and put an alias in my bash init so I could call it without typing
Decided never, ever to use a password on more than one site.
Of course, if I lose the password file, I'm screwed..
Use a variation of it to generate alpha-numeric folder names (say, for a Laravel code folder, or many other uses).
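A stand-alone generator in the spirit of the script described in the post above, written for this page as an added example (it is not the linked gist, whose URL is truncated here): it takes the length as an argument, draws every character with `secrets` so the selection is unbiased, optionally drops the look-alike characters the poster removed, and reports how many bits each of those choices costs. The alphabet and the set of ambiguous characters are my assumptions.

```python
import math
import secrets
import string
import sys

# Assumed alphabet: the 94 printable ASCII characters other than space.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Assumed look-alike set; generators that "avoid 0/O and 1/l" drop these.
AMBIGUOUS = frozenset("0O1lI|")


def alphabet(drop_ambiguous=False):
    """Character set to draw from, optionally without look-alikes."""
    if drop_ambiguous:
        return "".join(c for c in FULL_ALPHABET if c not in AMBIGUOUS)
    return FULL_ALPHABET


def entropy_bits(length, alphabet_size):
    """Bits of entropy carried by `length` independent uniform draws."""
    return length * math.log2(alphabet_size)


def generate_password(length=63, drop_ambiguous=False):
    """Return `length` characters chosen uniformly from the alphabet.

    secrets.choice uses the OS CSPRNG with rejection sampling, so no symbol
    is favoured the way `random_byte % len(alphabet)` would favour the low ones.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    chars = alphabet(drop_ambiguous)
    return "".join(secrets.choice(chars) for _ in range(length))


def describe(length=63, drop_ambiguous=False):
    """Password plus the entropy it carries, for a quick sanity check."""
    chars = alphabet(drop_ambiguous)
    return generate_password(length, drop_ambiguous), entropy_bits(length, len(chars))


if __name__ == "__main__":
    # Usage: python gen.py [length] [--no-ambiguous]   (63 chars by default)
    n = int(sys.argv[1]) if len(sys.argv) > 1 and sys.argv[1].isdigit() else 63
    no_amb = "--no-ambiguous" in sys.argv
    pw, bits = describe(n, no_amb)
    print(pw)
    print(f"{n} chars from {len(alphabet(no_amb))} symbols ~ {bits:.1f} bits",
          file=sys.stderr)
```

Dropping the six look-alikes costs about 0.1 bit per character (log2(94) versus log2(88)), which is why it is harmless for a pasted password and only matters if someone has to transcribe it by eye.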
https://www.grc.com/passwords.htm
Ultra High Password Generator with explanations
.... to remember this one.
http://dilbert.com/strip/1998-...
You can use common words - you simply have to string them together in unpredictable (so to speak) ways. A password like "Bombay97!sweltering", which might mean something to you, is then easy to remember, and has 86.7 bits of entropy, (according to Rumkin). Two words of medium length, a couple of symbols, and you have a strong and easy to remember password.
Use a password manager (incidentally, if you encrypt your cloud backups, you shouldn't have any concerns - a password manager's database should be encrypted to begin with), and you can have hundreds of strong, unique passwords, while only having to memorize a handful that you use away from your own devices. Let's not forget, most incidents of password "hacking" involve guessing. The rest involve trying a wordlist of commonly used passwords, perhaps with John the Ripper, but only if they have the downloaded/captured data to work with.
-- sudon't
Air-ride Equipped
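To make an entropy figure like the 86.7 bits quoted above concrete, here is an added calculation (not from the post and not Rumkin's method) that scores the same password under two attacker models: the character-level model most strength meters use, where every position is a free choice, and a template model in which the attacker knows the shape `word + 2 digits + symbol + word` and only has to enumerate the slots. The wordlist size, the number of templates tried and the guess rate are assumptions, labelled in the code.

```python
import math

PRINTABLE = 94      # printable ASCII minus space, the usual meter assumption
SYMBOLS = 32        # size of string.punctuation
DIGIT_PAIRS = 100   # "00" .. "99"


def naive_charset_bits(password, alphabet_size=PRINTABLE):
    """What a character-level meter reports: each position is a uniform draw."""
    return len(password) * math.log2(alphabet_size)


def template_bits(slot_sizes):
    """Entropy when the attacker knows the template and only slot contents vary."""
    return sum(math.log2(n) for n in slot_sizes)


def word_number_symbol_word_bits(wordlist_size=50_000, templates=1):
    """Model for a password shaped like 'Bombay97!sweltering'.

    wordlist_size is an assumption (50k covers common English plus place
    names). `templates` is how many slot orderings the attacker must try,
    e.g. word-digits-symbol-word, word-symbol-digits-word; each doubling
    of that count adds one bit.
    """
    bits = template_bits([wordlist_size, DIGIT_PAIRS, SYMBOLS, wordlist_size])
    return bits + math.log2(templates)


def diceware_bits(words, wordlist_size=7776):
    """A passphrase of `words` random words from a 7776-word (five-dice) list."""
    return words * math.log2(wordlist_size)


def seconds_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time to enumerate the space.

    1e10 guesses/s is an assumed offline rate against a fast unsalted hash,
    not a measured figure; slow hashes cut it by orders of magnitude.
    """
    return 2 ** bits / guesses_per_second


def compare(password="Bombay97!sweltering"):
    """Side-by-side scores for the password under both models."""
    return {
        "meter_bits": naive_charset_bits(password),
        "template_bits": word_number_symbol_word_bits(),
        "template_seconds_at_1e10": seconds_to_exhaust(word_number_symbol_word_bits()),
        "six_word_passphrase_bits": diceware_bits(6),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>26}: {value:,.1f}")
```

The gap between the two scores is the practical point: a meter that sees 19 characters from a 94-symbol alphabet reports well over 100 bits, while an attacker who guesses two dictionary words, a two-digit number and one symbol has a space of 50,000 x 100 x 32 x 50,000, about 43 bits, which a fast hash lets them exhaust in minutes. Words strung together are still fine, but the strength comes from the number of words and the size of the list they are drawn from, not from the character count.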
If a site requires a password, why don't they tell you the acceptable characters and the minimum and maximum lengths? I default to 16 characters but usually have to play a try-it-and-see-if-it-works guessing game with regard to the maximum length and even the allowable character set. A few sites actually spell it out in detail, but most just say "password too long" or, after you've included some special characters they don't like, "password can only contain xxxx". Sometimes they only have one error message like "password too long" even if the length is fine but you've entered a character it doesn't like.
I scanned the whole thread and didn't see anyone suggesting what I've been doing for years. . . The first letter of a long sentence that only I would have made up. . . .
For example, reading the thread makes me think of the sentence: "xkcd says that it's important to add extra bits of entropy", which turns into "xstiitaeboe".
So easy to remember, that I still remember passwords I created 20 years ago (and haven't used in 16 years). . .
I never had to write it down
For special character "requirements," I still make up a sentence, and then capitalize the first letter and add a number and a special character to the end.
"Xstiitaeboa5%"
I used to have to remember a lot of different ssh passwords for lots of different clients. . . I remembered a different sentence about each owner. . . first letters turned into VERY different passwords. .
I usually use md5 to generate my passwd.
 echo "aword/sentence" | md5sum | cut -c 1-10   # -c 1-10 gets me the first 10 chars
So every time I need it I get it with the same command. Guess what: this will not be saved in my history; if you notice, there is a space at the start of the command so it is not saved in my history. Regards and enjoy.
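The md5 recipe above is a deterministic derivation: the same command always reproduces the password, so nothing has to be stored. Two properties are worth checking before relying on it, and this added example (not the poster's script; the function names and the alternative scheme are my own) does so: how much entropy survives truncation to hex characters, and what happens when the same phrase is used for every site. The `site_password` function is a swapped-in per-site variant built on PBKDF2-HMAC, not what the post uses; it is included to show how a site-specific salt makes one leaked password say nothing about the others.

```python
import base64
import hashlib


def md5_scheme(phrase, length=10):
    """The posted recipe: md5sum of `echo "phrase"`, cut to `length` hex chars.

    echo appends a newline, so what is hashed is phrase + "\n"; hashing the
    bare phrase (printf '%s') yields a different password. The output is
    always lowercase hex, so each character carries exactly 4 bits.
    """
    return hashlib.md5((phrase + "\n").encode()).hexdigest()[:length]


def hex_bits(length):
    """Entropy ceiling of `length` hex characters."""
    return 4 * length


def site_password(master, site, length=20, iterations=200_000):
    """Per-site derivation (assumed alternative, not the poster's scheme).

    The site name is the salt, so two sites get unrelated outputs, and the
    PBKDF2 iteration count slows offline guessing of the master phrase once
    one derived password has leaked. dklen=30 bytes encodes to 40 base64
    characters without padding; the first `length` are used.
    """
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), site.lower().encode(),
                              iterations, dklen=30)
    return base64.b64encode(key).decode()[:length]


def base64_bits(length):
    """Entropy ceiling of `length` base64 characters of a random key."""
    return 6 * length


def reused(site_to_password):
    """Groups of sites sharing one password, i.e. one breach exposes the rest."""
    by_password = {}
    for site, pw in site_to_password.items():
        by_password.setdefault(pw, []).append(site)
    return [sites for sites in by_password.values() if len(sites) > 1]


if __name__ == "__main__":
    phrase = "aword/sentence"   # constructed stand-in for the poster's phrase
    print(md5_scheme(phrase), hex_bits(10), "bits")
    print(site_password(phrase, "example.com"), base64_bits(20), "bits")
    print(reused({"a.example": md5_scheme(phrase), "b.example": md5_scheme(phrase)}))
```

Two caveats the code makes visible: ten hex characters cap the password at 40 bits however strong the phrase is, and the leading space only keeps the command out of bash history when HISTCONTROL contains ignorespace or ignoreboth, which is not set in every shell.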
I think the above is a much better topic for discussion, especially since some recent research suggests that one way to increase security is to reuse passwords extensively... just not reusing them on sites where you, personally, have anything much to lose if the password is penetrated. In particular, don't reuse passwords which give access to financial information. So, a couple of rules of thumb suggest themselves to me:
(0) Be a lot more careful about what you post on-line. Is it really worth it to save your credit card information on line rather than re-enter it when you really need to make a purchase?
(1) Reuse passwords extensively for 2nd and 3rd tier sites -- and don't give them any important, REAL information. An alter identity is generally a good idea if you find buttinsky sites wanting your birthdate, cellphone number etc. Note Google, Yahoo, Microsoft, etc. aren't really asking for your cell phone number primarily in order to help you -- they want it to surveil you better and tie you together inextricably with your friends, purchase history, address, etc. Fuck these guys good with false or changing data whenever possible and your security will actually go up.
(2) Use a reasonably complex, pretty reliable personal algorithm so you can reliably FIGURE OUT your weird password every time. You might even use several algorithms... a simple one and a massively complicated one.
(3) Use some sort of encrypted notebook to put in sufficient (yet sufficiently vague) password hint info. I strongly advise you carry that with you and keep it up to date.
(4) I specifically suggest you NOT use a dedicated "password manager" "in the cloud" as (1) these companies seem to get hacked a lot, (2) they go out of business or are not available when you need them, and (3) they lack enough flexibility for you to be able to put in sufficient notes which can be regularly updated.
One thing to keep in mind is a majority of serious sites have arbitrary, generally idiotic rules which will screw with your algorithm (e.g., not allowing spaces, not allowing certain characters) and tend to force you to periodically change your password (thus breaking your stock algorithm). Anyway, the question of how to create a sufficiently "highly-secure" password is absolutely the wrong question. Creating is pretty easy; recalling is the killer...and coincidentally the thing which tends to kill security as well....unless locking yourself out of your account regularly is something you regard as a "good" thing.
python3 -c "import base64, os; print(base64.standard_b64encode(os.urandom(18)).decode())"
I ever saw were 10-16 characters, CAPS, lowercase, numbers, and symbols. No sequence of 3 or more letters could spell a dictionary word, no sequence of characters from the 4 groups could go more than 3 characters, and changed every 25-30 days.
If you locked yourself out, you had to be unlocked by a network security officer who had to come to your desk WITH YOUR SUPERVISOR and check your ID.
Seriously, combine words, camelCase, make it long and change it often.
https://www.youtube.com/watch?v=a6iW-8xPw3k
"My dog shit on the left side of the road", "Obama is an animal, Michelle told us, he's good all night!", "I was in Montana once in my life, saw a really nice chick!", "The Republicans are serving donkey burgers out in the parking lot", "Tonight Hilary will take Bill on the stage, sit down on a chair and spank him on camera with a hairbrush!", "This summer I will get laid by 20 virgins, every one of them a 10" Of course, nobody would ever guess the last one.
Notice the spaces in the password. This throws off a lot of people. The phrases are also very memorable. You may want to throw in some special characters, the date, stuff like that someplace. They would also likely not be broken anytime soon as long as you salt it with the special stuff. At least by brute force. The more creative the better. Some people take a traditional 8 char password they used to use and put it at the front or end.
Not me, Nobody would ever guess Password1$. Nobody!
Why, need a highly secure password? Could use sha512 on /var/log/messages, twice. Even once; heck, even an md5 hash of /var/log/secure. That'll make a 32 character password. Good luck breaking that. Good luck ever remembering it.
00000000 ?
or ********?
Star Trek transporters are just 3d printers.
That way, whenever I forget my password, I just type something random, to which the computer responds..."Your password is..."
I toss my keyboard to my pug with a text editor in focus and let him play a bit (he likes to hit with his paw anything I hand to him). It's safe and doubly useful as fun for my dog.
Clearly this is directed to the Big Co's that store user data,etc. For the hobbyist PC user, I doubt this password mania is valid.
Why would anyone use a web-based password strength checker? Even if the site is reputable and the page uses browser scripting, if it were ever hacked, then your great password for everything is stolen (or posted to a leak site instantly), and I doubt you'll check the website every day or be on an email list to find out they were hacked. So many people would rather not bother downloading free software and instead use Web services. This is unfortunate, because you're putting your trust for various tasks that you do daily in the hands of people you don't know. I understand Web storage (although I have my own server with owncloud), but using the cloud for something so trivial as this (or other trivial tasks like video/audio conversion) is silly (but all too common).