Ask Slashdot: How Do You Create A Highly-Secure Password? (securitymagazine.com)
An anonymous reader writes: A security lab at Carnegie Mellon performed a study on password security recently, and issued a warning about common user misconceptions. For example, 'ieatkale88' would require 4 billion more guesses than 'iloveyou', because 'iloveyou' is one of the most common strings in passwords. And the word 'pAsswOrd' would take 4,000 times more guesses than 'p@ssw0rd', simply because "In modern day password-cracking tools, replacing letters with numbers or symbols is predictable."
But then what passwords are secure in the face of these modern password-cracking tools? As professionals in the IT industry, what advice would you give?
Leave your answers in the comments. How do you create a highly-secure password?
https://www.random.org/passwords/
With a length of at least 10, preferably 20 or more.
20 character random password generated by KeePass. I have a fairly long 20+ character master password for my password file. Generate a new password for every site in case of a breach. Use 2-Factor authentication wherever possible, especially for your email address, as this is basically a master key to all your other accounts due to the password reset feature.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
& d0n't repe@t
All of my passwords are 32 char random strings using all the available chars.
The only drawback is that I have to write them down on a yellow sticky.
Fortunately, none of the hackers have physical access to my collection of yellow stickies...
If you want news from today, you have to come back tomorrow.
#1. No password re-use. Ever.
#2. Not formulaic.
#3. Not in a dictionary list.
#4. Long. I prefer 32 characters long.
Using a very long passphrase rather than a password is the safest thing. How is anyone going to crack "Mydogateachickenandnowisi$ickwiththegout". It is very easy to remember. You have to make sure the app/OS uses the whole thing, not just silently truncates it.
Star Trek, there maybe hope.
I like to use the 1st letters of song lyrics and other phrases that are easy to remember.
For instance, the wireless password for my home is "luitsiabiapis". Which is an acronym of "look, up in the sky... it's a bird, it's a plane, it's superman".
Take any song lyric that you like and that matches the format. The genealogy website login might be "iodagos", which is "in olden days a glimpse of stocking".
I have pretty-much no problem remembering my passwords.
date +%s | sha256sum | base64 | head -c 32 ; echo
Or
cat /dev/urandom| tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:?='|fold -w 12| head -n 4| grep -i '[!@#$%^&*()_+{}|:?=]'
The first one is easier to remember. But the second one is more random. Ezpz.
If you're setting password policy, tell users to use 5 truly random words (flip through the dictionary with their eyes closed or use a random word generator). If you're making a new password for one of the many, many places with preposterously restrictive policies that confuse "hard to remember" with "secure"... well, what I do is break the cardinal rule. I make a password as secure as possible by randomly selecting applicable characters. Then I write it down and store it on an encrypted drive. The drive I leave unmounted unless I'm looking up a password. That's the best I can do. "It has to have a capital, a lowercase and a special character and can't be over 8 characters long" is a recipe for some of the most crackable passwords imaginable.
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
I use or make up a phrase that I can remember and use the first or last letters in each word for the password.
example not in use :
This is my #1 bank password phrase choice.
Tim#1bppc. or ssy#1kdee.
errr....umm...*whooosh* *whoosh* Is this thing on ?
Rot13.
For real security, use it twice.
I'm Swede (29 characters in the alphabet.)
xkcd covered this a while ago.
I use this now. Not the actual passphrase, but the principle.
https://sqlite.org/random-pass... shows example output with a link to the source code.
echo -n "<mypassword>|<username>+example.org" | sha256sum | cut -c1-20
Need to change all my passwords? Change the cut or my password.
Use a sentence. This is easier to remember and much longer than random characters. For improved security against dictionary attacks, you can add typos.
Example: "Little pyg, little pig, let me in!"
Darn it. Too slow. Oh well.
ROT14.5?
It's simple. I come up with a short word. Then I translate the word into morse code, with SHIT as the dot and FUCK as the dash. For example, HORSE becomes SHITSHITSHITSHITFUCKFUCKFUCKSHITFUCKSHITSHITSHITSHITSHIT. That's actually a very strong password.
I do this, too, but will caution others who want to start -- some sites (usually those that don't publish a max length) will allow you to set really long passwords but then break when you try to use them.
In addition to using a random string generator (easy enough to find on-line), add accented characters.
---- The above post was generated by the Turing Institute. Maybe.
Apply something specific to you - such as the first 3 letters of 4 pets you have / grew up with. Take "Rufus, Hobbs, Chipper, Stinky" and turn it into "RufHobChiSti". Or how about the different street names you have to walk along to go from home to school. Lots of combinations are possible, the point is to figure out something you can remember. In order to remember it has to have some personal meaning otherwise you would just use random numbers.
What I do is I have a common password which is then tweaked for each specific website. I use the website URL to prefix or postfix the password. For example, www.slashdot.org would turn into "stog" and be prefixed onto my common password to become "stogRufHobShiSti". Easy to remember yet impossible to guess.
It is very important to use different passwords for each website because the risk of one being stolen then applied elsewhere is very high. Far too many people share passwords between websites, email, etc. Very bad - apply a simple algorithm of your own design using the URL to prevent this.
I create a secure password by not telling anyone how I made it
A long easy to remember and enter password beats a short complex password that requires finger gymnastics. As others have pointed out, the XKCD comic says it all https://xkcd.com/936/ Also look at https://www.grc.com/haystack.h... Now if you are always going to use a password manager to enter the password for you, then long and complex is the best of both worlds, as long as you do not personally need to do the finger gymnastics of entering the long complex password. And if using a password manager, make the access to the password manager a long easy to remember and enter password, as that is the one you will be typing a lot.
The thing I don't understand is the variation in password acceptability from one site to another. Some sites don't allow special characters, or only certain ones, some limit passwords to 12 characters, some 16, etc. Why on earth are there any limits to usable characters and why are any limited to less than 64 characters?
I would never remember the extra "I" before the $...
err, that would be 96^32, about half as "secure" as you claim, though still plenty strong (assuming you got the for loop right, which might be a generous assumption).
I use eight asterisks as my password so I can see it when I'm typing it in.
In an offline cracking scenario, the number of possibilities is what counts, not which possibility you used. That means users should have the option of simple or short passwords, but should use long ones. For ease of use (more on this later), a passphrase of several words and punctuation is appropriate. Don't mandate the use or exclusion of any particular symbols, because that reduces the search space, and similarly reduces the time to break the password. In a famous example, "correct horse battery staple" is far more resistant to brute-force attacks than something complex like "Tr0ub4dor&3".
In an online cracking scenario, uniqueness is what counts. If an attacker has harvested your password from one location, they will try to use it to access another. Make sure every password you use is unique. Dumb tricks like appending the site name to a common password are easily caught by attackers, so they don't improve security much. The best way to mitigate the risk of an online attack, then, is use a trusted password manager to create and store your passwords, so every location has a long unique password. This is the approach I use, and most of my passwords are 24+ characters, randomly generated, and all unique.
For universal access, I keep my password manager's encrypted database files in a cloud storage service that my phone can access. Even if that storage is compromised and my file is stolen, it's useless without my master password, which is of course different from every other password for any other purpose.
If you're ever designing a system to handle authentication, the best solution is to not do it. Thanks to standards like OpenID and OAuth, you can connect your services to someone else's authentication, because they're far more likely to handle it correctly.
If you must do your own authentication, use sane policies. Require long (10+ characters) passwords, but don't force numbers or symbols. Requiring a number in a password cuts the password's resistance to brute-forcing by about half (very roughly speaking, and noted in TFS). Make sure nothing in your application interferes with the use of password managers, which often use the system clipboard to copy/paste passwords. To improve user experience, avoid asking for the password at all, instead using an expiring authentication token to reinstate a previous session. The less often a user has to type their password, the less averse they'll be to having a long and secure one.
On the back end, if you must store passwords, make sure they are hashed using a modern secure algorithm (AES-256, SHA-2 or SHA-3) and salted, and do that as soon as possible in your back-end processes. No, your users do not need a way to recover their old passwords. They need a way to reset their password to a new value, and that should only happen by using two separate forms of ID (like a phone call to customer support verbally confirming security questions and an email to the address on file). Those security questions should also be as unrestricted as passwords. Allowing the user to enter open-ended prompts allows the user to use prompts that are only meaningful to them, and are thus much more difficult to find an answer to on social media.
Above all else, do not take advice from others, including me and this post, without understanding the reasoning behind it. Computer security is steeped in several decades of little more than superstition, relying on "common knowledge" that often turns out to be incorrect. It may start out well-intentioned, but the implementation is usually missing a key detail, undermining the security of the whole system.
You do not have a moral or legal right to do absolutely anything you want.
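The post above argues from search-space size: length and unrestricted alphabets add entropy, while a mandatory character class lets an attacker skip every candidate that lacks it. The block below is an added example, not code from the thread, that works those figures through: the entropy of random strings and word passphrases, the exact share of the space a "must contain a digit" rule leaves to search, and the bits that costs a truly random password. The alphabet sizes, word-list sizes and guess rate are constructed constants labelled as such; the predictability effect from the summary (humans writing p@ssw0rd) is a separate, behavioural loss that no formula here captures.

```python
import math

# Constructed constants for the calculation.
PRINTABLE_ASCII = 95      # 26 lower + 26 upper + 10 digits + 33 symbols incl. space
DIGITS = 10
XKCD_WORDLIST = 2048      # the 11-bits-per-word list size xkcd 936 assumes
DICEWARE_WORDLIST = 7776  # 6^5 words, one per roll of five dice


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly from one list."""
    return words * math.log2(wordlist_size)


def fraction_meeting_rule(alphabet_size: int, class_size: int, length: int) -> float:
    """Share of all length-n strings over the alphabet that contain at least one
    character of a required class (e.g. a digit).  An attacker who knows the
    rule never tries the remaining (alphabet - class)^n strings."""
    return 1.0 - ((alphabet_size - class_size) / alphabet_size) ** length


def bits_lost_to_rule(alphabet_size: int, class_size: int, length: int) -> float:
    """Entropy an otherwise random password gives up because a class is mandatory."""
    return -math.log2(fraction_meeting_rule(alphabet_size, class_size, length))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given offline guess rate."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # constructed figure for a fast, unsalted hash on a GPU rig
    cases = {
        "4 words, 2048-word list": passphrase_bits(XKCD_WORDLIST, 4),
        "5 words, Diceware list": passphrase_bits(DICEWARE_WORDLIST, 5),
        "10 random printable chars": random_string_bits(PRINTABLE_ASCII, 10),
        "24 random printable chars": random_string_bits(PRINTABLE_ASCII, 24),
    }
    for label, bits in cases.items():
        print(f"{label:28s} {bits:6.1f} bits, {seconds_to_exhaust(bits, rate) / 86400:.3g} days")
    lost = bits_lost_to_rule(PRINTABLE_ASCII, DIGITS, 10)
    print(f"'must contain a digit' on 10 random chars costs {lost:.2f} bits "
          f"(a factor of {2 ** lost:.2f} fewer guesses)")
```

For a 10-character random password the digit rule costs a little over half a bit, i.e. roughly a factor of 1.5 in guesses; the rule only becomes expensive when users satisfy it predictably.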
The longer the password req, the harder it is for normal users to remember them. I keep a 30 ish character password for my real accounts. I see folks having trouble with 14 characters.. writing down hints, doing keyboard runs, reusing passwords all over the place. How bout we stop using 1 factor authentication (something you know, 2x in normal logins) and kick it up to 2 or 3.. Say go to a smart card with identity certs on them and a pin, or a token, pin, biometric combo?
Stop signs are only Suggestions
Are you new? You forgot, "you insensitive clod! "
Nah, I thought it and I take it for granted.
Just draw some runes on the touchscreen. .. or why not complete images? =P
https://s-media-cache-ak0.pini...
1) Choose your password in your native tongue 2) Transliterate that to English 3) Sprinkle in letters and characters 4) Done!
Perhaps include the house number or phone number of a place where you lived years ago, or a scrambled version of an imaginary name you had for yourself, or a candy brand that is no longer made? The older you are, and the more secretive, the more material you might have to work with.
Don't use accented characters, or anything outside ASCII. You don't know how they will be encoded and transmitted.
(And don't say “UTF-8”, because a *shitload* of software still doesn't handle character encodings correctly. You can rely on your browser to do so, and maybe on the site's HTTP server, but you have no idea what sort of yahoo wrote the backend.)
Variation of this, if you speak any language other than english, always use passwords from your language. Easy to remember long passwords, but still random variation and gibberish. 's4chb0lr@h4hoo'
String together a couple of the 'play online' codes from McDonalds monopoly game pieces. Random numbers and letters, just capitalize at your discretion. You can even keep them in your wallet for reference without much risk of giving away your password, because everyone has a few of the damn things floating around for months after the promotion ends.
I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
I delegate creating passwords to PasswordSafe. The current standard policy is 15 characters, requires at least 2 lowercase letters, 1 uppercase letter, at least 1 symbol. The password database is backed up and available to my devices via a server I control. I've been steadily increasing the password length as hardware improves.
Sorry, typo.
e4kss$$%Jjsov..>32\][[wDGAPz0.qpaWW=-nveke
That would be a shocking secure password... but it isn't something you can remember, or type easily.
A password manager works, but now you have moved the vulnerability to a new place.
If you don't mind a slightly longer password, lyrics to a song are a good way to go. Best choose something a bit more obscure.
...on how big the rainbow tables have gotten.
Also, regardless of the low-sodium health push these days, it would be nice if more vendors used a little salt.
I mean, it's not like that's a new concept or anything...
So one of the (at the time) drawbacks of my UK education was that we had to learn poems off by heart for the English Lit. exam. At the time I thought it was just about the most boring part of the curriculum, but now they're a treasure trove of password sources...
Example (no, I don't use this one). One of the poems we had to learn was "Dulce Et Decorum Est"...
Bent double, like old beggars under sacks,
Knock-kneed, coughing like hags, we cursed through sludge,
Till on the haunting flares we turned our backs
And towards our distant rest began to trudge.
Men marched asleep. Many had lost their boots
But limped on, blood-shod. All went lame; all blind;
Drunk with fatigue; deaf even to the hoots
Of tired, outstripped Five-Nines that dropped behind.
Gas! Gas! Quick, boys! – An ecstasy of fumbling,
Fitting the clumsy helmets just in time;
But someone still was yelling out and stumbling,
And flound'ring like a man in fire or lime . . .
Dim, through the misty panes and thick green light,
As under a green sea, I saw him drowning.
In all my dreams, before my helpless sight,
He plunges at me, guttering, choking, drowning.
If in some smothering dreams you too could pace
Behind the wagon that we flung him in,
And watch the white eyes writhing in his face,
His hanging face, like a devil's sick of sin;
If you could hear, at every jolt, the blood
Come gargling from the froth-corrupted lungs,
Obscene as cancer, bitter as the cud
Of vile, incurable sores on innocent tongues,
My friend, you would not tell with such high zest
To children ardent for some desperate glory,
The old Lie; Dulce et Decorum est
Pro patria mori.
"The old lie" being "It is a great and glorious thing to die in the service of one's country". Anyway, take the N'th character of every line - easiest is the first, until you get the number of characters you need. It's easy to remember if you know the poem, it gives you a completely unintelligible password, and it's easy to make a password hint that's opaque to pretty much everyone but you.
Has worked for me for ages. (I'm very old, compared to you young whippersnappers hanging around /. recently).
Simon
Physicists get Hadrons!
If I left my answer of how, then it would not be a highly secure mechanism anymore. However, for my moderately security-sensitive passwords I usually use a pass phrase combined with capitals, numbers and non-alphanumeric characters, e.g. Security thru Obscurity could become "5eCur!tythru0bsCur!ty": incredibly easy to remember and incredibly difficult to brute force or guess.
~ $ pwgen -y -s 20
My blog, if you're interested: http://www.purp
Pick a song and use the first line from it. "Scooby Dooby Doo, where are you?" with the next password iteration for the account being "We've got some work to do now". Substitute in your favorite alpha-numeric swaps or capitalize all formal names and not only have you got a longer than normal password, but also one with names, spaces, and a theme for easy memorization. You just need to have memorized the words for more songs than Happy Birthday....
Sorry, typo.
I intentionally missgell words in my passphrases.
Dammit!!. You stole my line. Kudos.
There are many ways to make a password. Use your imagination. Also note that a lock-out policy on failed attempts means more than ANY fucking password. It is usually built into the system...USE IT!!!
If it has to be something you can remember, then some examples are substitution cyphers (eg, rot13, but more complex substitutions work better), keyboard patterns, interleaving two words, spelling backwards, mixing two languages, &c. For example, a substitution cypher of the keyboard key up and to the left moves Password to ")qww294e". Tough choice for mobile, though. Interleave: mybank -> "m!y@b#a$n%k^". Now go make up your own.
Have you actually ever tried an XKCD style password? I have used randomly generated ones and have found them far easier to remember than pure random character passwords. The trick, as shown in the last panel of the comic itself, is to come up with a mnemonic story describing the random sequence of words. Rather than just trying to remember the sequence "correct", "horse", "battery", "staple", you imagine a scenario where the horse is correct about staples used on batteries. The scenario itself is easy to remember, and results in the word sequence. A horse being correct about something is a "correct horse", and a staple used on batteries would be a "battery staple". Combine them all, and you get "correct horse battery staple".
head -c 20 /dev/urandom | uuencode -
Replace 20 with whatever you desire, and if you're misinformed or paranoid, use /dev/random instead of /dev/urandom.
What I find is the hardest part about changing passwords is getting my kids and dog to accept their new names.
Even if an application or OS doesn't support long passphrases, you can still use an abbreviated passphrase. The common one is the first letter of each word in your passphrase, but there is no reason that you can't use the 2nd letter, the last letter, or some memorized sequence like "first-last-second". Using your passphrase above, "My dog ate a chicken and now is $ick with the gout", and "first-last-second", your passphrase becomes "Mgtannnsiweo". Throw in a few numbers and symbols and uppercase letters and you are good to go.
That being said, my biggest problem is that even if I come up with a good formula that is easy for me and hard for everyone else, every site has their own idea of what a secure password is and won't allow an otherwise secure password because of random sometimes mutually exclusive rules like "must contain special characters" or "cannot contain special characters"
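Two posts in this thread derive a password from memorised text by position: the poem post takes the N'th character of every line, and the reply above walks a phrase with a repeating "first-last-second" selector. The block below is an added example, not code from either poster, that implements both derivations and reproduces the reply's "Mgtannnsiweo"; the poem lines and phrase are the ones quoted on the page, embedded as constructed sample input. The output inherits the guessability of its source text, which is why the thread recommends obscure sources.

```python
# Constructed sample input: the opening lines of "Dulce et Decorum Est" as
# quoted in the poem post, and the passphrase from the reply.
POEM_LINES = [
    "Bent double, like old beggars under sacks,",
    "Knock-kneed, coughing like hags, we cursed through sludge,",
    "Till on the haunting flares we turned our backs",
    "And towards our distant rest began to trudge.",
]
PASSPHRASE = "My dog ate a chicken and now is $ick with the gout"


def acrostic(lines, position: int = 1) -> str:
    """Take the `position`-th character (1-based) of every line, as the poem
    post describes; lines shorter than the position are skipped."""
    if position < 1:
        raise ValueError("position is 1-based")
    return "".join(line[position - 1] for line in lines if len(line) >= position)


# Per-word selectors for the reply's "first-last-second" scheme.  A one-letter
# word has no second letter, so "second" falls back to its only letter.
SELECTORS = {
    "first": lambda w: w[0],
    "second": lambda w: w[1] if len(w) > 1 else w[0],
    "last": lambda w: w[-1],
}


def positional_abbreviation(phrase: str, pattern=("first", "last", "second")) -> str:
    """Apply the pattern cyclically: word i contributes SELECTORS[pattern[i % len(pattern)]]."""
    words = phrase.split()
    return "".join(SELECTORS[pattern[i % len(pattern)]](w) for i, w in enumerate(words))


if __name__ == "__main__":
    print(acrostic(POEM_LINES))                      # first letters of each line
    print(acrostic(POEM_LINES, 2))                   # second letters
    print(positional_abbreviation(PASSPHRASE))       # the reply's worked result
    print(positional_abbreviation(PASSPHRASE, ("first",)))  # plain initials
```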
Available characters vary by site. Sometimes with absurdly stingy limits.
This issue is a bit more complicated than you think.
I use a password manager and try to make passwords as long as the app or site will allow me.
The bitch is, a lot of sites and apps artificially limit password length at around 10 characters.
Chas - The one, the only.
THANK GOD!!!
1. Have my password vault spew out (hopefully) random noise made up of uppercase, lowercase, numbers and special characters and use that.
2. Just randomly swipe a finger across, up and down and diagonally across my keyboard, hitting this and that and that other thing, while being in my password vault's password field for whatever it is I'm creating.
3. A phrase from a book or film, further obfuscated in some way.
The idea is, however, that no two logins share a password. I don't even know my passwords, I'm at the mercy of my password vault. And no, it's not Keepass.
The "Civilized World" jumped the shark ca. 1973.
"sorry spaces not allowed"
lotta letters from that middle line in there..
For all your passwords, use a password manager. Have the manager make 20+ character passwords. Make them different for each site.
The basic requirements are (1) Runs on your phone, PC and Mac. (2) Can use a shared password file on a network drive like dropbox or Google Drive. and (3) isn't a pain to use.
I get by with KeePass2. It has clients that support the file format on all the platforms (E.G. I use KylePass on MacOS).
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
First, banks and very many online sites will not tolerate good passwords. ASCII symbols can help make a very strong password. I like long phrases that are easy to remember. How about "jack and bill went up the hill to fetch a bucket of blood"? That little rhyme would take a while for a computer to break. I do think that requiring two passwords with a system that demands the second password be quickly entered would solve a lot of problems.
good enough horse in the stable
Use my brain. It is random as shit. My wife tells me so, all the time.
If you're trying to remember the words you are doing it wrong, remember the story that gave you the words.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
You know what the best password of all is? A password that no password manager holds, only your head. A password you could easily share with anyone and they would remember. A password you would not have to write down.
So I have a variety of patterns I use, involving words and numbers and symbols. That is simple enough to easily remember, but is OK by any of the modern password filters that attempt to make passwords too complex to remember easily. If a password system insists I change the password regularly, I can just iterate the numbers as long as is necessary.
If they are somewhat long (and they will be with multiple words) it would take a long time for a password cracker to break through, especially so in combination with the numbers and symbols (which break simple dictionary attacks)
Anything more complex is a waste for most places on the internet.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
"This is my 7th mother fucking password, no really, this is it...!"
including quotes
It really pisses me off when sites limit the length of password you can store to 7 or 9 chars... or make punctuation chars invalid or some silly such rule.
I download a public OpenPGP key from a key server. Each key consists of over 2,000 apparently meaningless upper- and lower-case letters, numerals, and the symbols + and /.
I select a 8-10 character string from within the key. Before using the result, I check to make sure that the special characters + and / are allowed in the password. If the string has those characters but they are not allowed in the password, I delete them and extend the string with additional characters from the key.
For more information about OpenPGP, including links to key servers, see my http://www.rossde.com/PGP/inde....
An arbitrary-length password/passphrase with no limit is something a cracker will have a hard time cracking. Not only can you make passwords using multiple words and spelling variants, but with the length being unknown to the cracker, there isn't a clear pattern to try or a finite number of combinations.
The passphrase should be checked against an entropy calculator before being accepted.
Achille Talon
Hop!
Pretty much any password you use can be cracked with brute force. What does it matter if it takes 2 minutes longer or not? What matters is proper interface security. If you allow passwords to be checked at the speed of your processor, no one is secure. But if you restrict IP addresses and users from checking unlimited passwords, then practically any password is secure. All reasonable sites lock accounts at around 5-8 wrong guesses, and often start captchas at the first wrong guess. With this the password "G" is more than secure enough of a password.
Troll is not a replacement for I disagree.
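The post above puts the burden on the login interface: lock after a handful of wrong guesses and demand a captcha after the first. The block below is an added example, not the poster's code, of the server-side piece that makes that policy concrete: a sliding-window failure counter keyed by account, by source address, or both, with a lockout that expires, a captcha trigger, and a boolean return on the failure that tripped the lock so it can be logged as a detection event. Thresholds, window and the account names are constructed; the online-attack limit this enforces is the complement, not a replacement, of the offline hashing discussed elsewhere in the thread.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional


class LoginThrottle:
    """Sliding-window failure counter with lockout.

    `key` is any string the deployment wants to throttle on: an account name,
    a source IP, or "account@ip".  Times are seconds; pass `now` explicitly
    for deterministic tests, otherwise time.monotonic() is used.
    """

    def __init__(self, max_failures: int = 5, window: float = 900.0, lockout: float = 900.0):
        self.max_failures = max_failures   # failures inside `window` that trigger a lock
        self.window = window               # seconds a failure stays counted
        self.lockout = lockout             # seconds the key stays locked
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    @staticmethod
    def _now(now: Optional[float]) -> float:
        return time.monotonic() if now is None else now

    def _recent(self, key: str, now: float) -> Deque[float]:
        """Drop failures older than the window and return what remains."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allowed(self, key: str, now: Optional[float] = None) -> bool:
        """Check BEFORE verifying the password, so a locked key gets no oracle."""
        now = self._now(now)
        until = self._locked_until.get(key)
        if until is None:
            return True
        if now < until:
            return False
        del self._locked_until[key]        # lockout has expired
        return True

    def needs_captcha(self, key: str, now: Optional[float] = None) -> bool:
        """Captcha from the first wrong guess onwards, as the post suggests."""
        return len(self._recent(key, self._now(now))) > 0

    def failure(self, key: str, now: Optional[float] = None) -> bool:
        """Record a failed attempt.  Returns True when this failure triggered a
        lockout, which is the event worth alerting on."""
        now = self._now(now)
        q = self._recent(key, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            q.clear()
            return True
        return False

    def success(self, key: str) -> None:
        """A correct login clears the failure history for the key."""
        self._failures.pop(key, None)


if __name__ == "__main__":
    # Constructed scenario: five wrong guesses against one account within a minute.
    t = LoginThrottle(max_failures=5, window=900, lockout=900)
    for second in range(5):
        if t.failure("alice", now=second):
            print(f"alice locked at t={second}s; alert the SOC")
    print("alice allowed at t=10s?", t.allowed("alice", now=10))
    print("alice allowed at t=910s?", t.allowed("alice", now=910))
```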
If you want security, forget single-factor authentication.
You can come up with algorithms or random password generators all day long. The problem is, nobody can remember really good passwords. That means you have to store them somewhere, in a password vault or service, or stick them to your keyboard.
We should really stop relying on a single password for authentication, and move to two-factor authentication. Then password complexity becomes less of an issue in the first place.
get rid of dumb rules
Everything has a unique login.
I adopt the xkcd method for passwords I might need to use frequently. This is for things like my google account, my NT login, and my password managers master password.
For anything else, yeah, it gets tossed into a password manager. I generate a unique password for every site. I don't need to remember the password for everything, I just need to remember the password for my password manager. The vast majority of my passwords, I've never actually seen them.
My password database is stored only on devices where data storage is fully encrypted. I keep it in sync by using a private cloud sync setup (not something public like Google Drive or Dropbox). If I need to update the password database while mobile, I just VPN into my home network to get access to the cloud sync.
I also enable 2 factor wherever I can. Lots of stuff supports the NTOP protocol now, so using something like Google Authenticator is quick and easy.
I do not let my browser save passwords. I do not store credit card information online anymore (with the exceptions of Apple and Amazon).
While it has made logging into some things a bit more of a pain in the ass, the data breaches that have occurred on sites I used (including one that led directly to an identity theft incident) have left me with the feeling that I should do everything I can on my side to protect my information. The irritation of having to pull a password out of a password manager to login is a trifle compared against limiting the extent of a data breach can have on me.
I've also made it a practice to stop frequenting sites which have let my data out in the open, especially if there's a monetary relationship.
Length, not weirdness, is the key to uncrackability. For easy remembering, embed a simple password in a hell of a long string of repeating characters broken up by odd interruptions of non-repeaters. For instance:
=-4=-=-(repeat lots)=-=-yourpassphraseorword=-(repeat lots)=-88=- (repeat lots) -=-
is bloody impossible to crack with any tables.
Most people think password breaking is like the way people crack safes. One spin, crack, another spin, crack, until the code is broken. Password crackers have *no way of knowing* if they are hot or cold. They must guess the entire string at one go. That means length, not oddness, is the primary defense. You can have a simple one word password.... if you embed it in a string of simple and easy to remember character repetitions (broken at random intervals by a deal breaker to foil crackers trying for character padding repetition guesses). Steve Gibson came up with it, and it works, if the site allows for long passwords.
If someone bugged your keyboard, all bets are off, of course.
Note: Slashdot's filter error won't let me type repeating characters.
Why the hell are hackers allowed to guess a bajillion times? The login system should be isolated and only allow a limited number of tries per time period per account. Make it like a hardware plug-in. Don't put the login info on regular disks/storage with everything else.
Table-ized A.I.
The passphrase would be to login to your OS or to open a password application. Then you retrieve the silly short passwords web sites make you use from a app or encrypted file. I use random key press passwords for everything I don't have to remember.
Wrote a script that takes a string as input and outputs a 32 character string like: ”“ÕE__ÙsR.“âÅÜv¼__(#Jçwç,*eÔ2È__1Ì
Double-underscores are upper ANSI characters that Slashdot still wont render.
The input string was: "Wrote a script that takes a string as input"
Let's see a sample password.
now we need to go OSS in diesel cars
I think what needs to happen first is you need to identify the biggest pathways by which people break into people's accounts, and then use those to develop the requirements for an excellent password. For example, it could be that the greatest risk is caused by password reuse, where a leak from one site is then used to hack email accounts or bank accounts or wherever on other sites. If that's the case then some sort of unique password, even if it's like password0, password1, password2, fixes that problem.
JGL5CyR^c0#zSZrw8K$uuRWNJ8zPACC5z^XvpTbij#@89Ro39gSmJ8ZQareGW8*CyovRM$VU#Rfpu$CkLKi^FBcvaWqAqUu$cjm!
time pwgen -cny 20
theochai5oe(PheT0voh iem3Kie9thoosu|eb2Ae oGheimaeli2ohph]ot>e
moozi3eedah7Rohsee]c ohdookeiDie=ch3sei8d ahPhobaekiegh7ahB{ah
Eig7aev9To0Feeph[ag8 oojee9Ooj2ahxa(ngoya eiP$ohjaeng{o5iequoh
kei]ng3oeQuei9nae6ca ooM$ah?b-aeNgath3Icu ub+od5aev1Fahqu9sohs
jooke6phaephoh^PaePh me~jaiJe7ahphiy6otah tohfiem.u2aifis)ae/Z
sheiwaeK9euk,eizoh/r co0sek-aij7wiMiitai5 pie[x9Bu9vu4FaiP-aih
neeg{ieghah6Hoo@we2F eeboocoo?Vaekah2yohz fahphae8vus2fai"w4Vi
aht2cheeB1xeiQuoo\po roonai&y9pho5tahPong aoseiKie1jee1Aij;ee3
gei0caiXiev}eeQuoh5a OhngioC|uo9ViePhahgh xoh8aemup>ooGh5chie4
paiGhoo3wiech1auP%ie chae2ki0che9uqu+eiKu Ia1bowai(quah4aicame
real 0m0.022s *-- time it took to answer the posted question
Cool. I did the same thing. Mine's Papa Alfa Sierra Sierra Whiskey Oscar Romeo Delta.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Diceware.com Dice-Indexed Passphrase Word List
http://world.std.com/%7Ereinhold/dicewarewordlist.pdf
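Diceware, linked above, picks each word by rolling five dice and looking the roll up in a 7776-entry list; the xkcd post earlier in the thread is the same idea with a 2048-word list. The block below is an added example, not the Diceware project's code, that generates the rolls with the `secrets` module (a CSPRNG, unlike `random`), maps a roll such as 11111..66666 to a list index, and builds a passphrase while reporting its entropy. The short word list is a constructed stand-in so the block runs offline; with the real list every roll indexes one of 7776 words.

```python
import math
import secrets

# Constructed stand-in for a word list.  The real Diceware list has 6^5 = 7776
# entries indexed by five dice; this one only demonstrates the mechanics.
SAMPLE_WORDS = (
    "correct", "horse", "battery", "staple", "anvil", "canvas", "dune", "ember",
    "fjord", "glacier", "harbor", "iris", "juniper", "kestrel", "lantern", "marble",
)


def roll_dice(count: int = 5) -> str:
    """`count` physically honest dice rolls from the OS CSPRNG, e.g. '26315'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


def diceware_index(roll: str) -> int:
    """Map a five-dice roll '11111'..'66666' to a list index 0..7775.
    Each die is a base-6 digit with faces 1..6 standing for 0..5."""
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError(f"not a five-dice roll: {roll!r}")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def word_for_roll(roll: str, wordlist) -> str:
    """Look a roll up in a full-size (7776-word) list."""
    if len(wordlist) != 7776:
        raise ValueError("dice lookup needs a 7776-word list")
    return wordlist[diceware_index(roll)]


def passphrase(wordlist, words: int = 5, separator: str = " ") -> str:
    """Pick words uniformly and independently; repeats are allowed, since
    excluding them would only shrink the search space."""
    return separator.join(wordlist[secrets.randbelow(len(wordlist))] for _ in range(words))


def entropy_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` uniform picks: words * log2(list size)."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    print("roll:", roll_dice(), "-> index", diceware_index(roll_dice()))
    print("passphrase from the sample list:", passphrase(SAMPLE_WORDS, 5))
    print(f"sample list, 5 words: {entropy_bits(len(SAMPLE_WORDS), 5):.1f} bits")
    print(f"Diceware list, 5 words: {entropy_bits(7776, 5):.1f} bits")
    print(f"Diceware list, 6 words: {entropy_bits(7776, 6):.1f} bits")
```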
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
As pointed out by security experts, biometric data is permanent. Once stolen, it's good anywhere bio is required of you. Passwords should allow alteration of *all* components.
Is there a more interesting question to ask here?
Have we reached the point where the concept of the password itself is no longer either appropriate, or adequately secure? For example, should we be recommending use of multi-factor and/or multi-channel solutions?
A useful question to ask is, "Where do you have to place your trust?" For example, many respondents to this thread recommend using a password manager. OK, but how many of those people are aware of the emergence of specific threats targeting password managers, or that some solutions have been found to be insecure? How many people come to rely more and more heavily on a smartphone or similar personal device - a single object that can give access to web, email and voice authentication vectors - yet which is one of the most heavily-targeted platforms from a threat perspective?
I am not trying to denigrate the many excellent answers given here, but I wish to point out the risk that we are taking by asking this as a closed question ("How do you create a highly-secure password?") when changing the question slightly (for example, to "What are the most pragmatic and reliable secure authentication mechanisms available?").
As technology consumers, maybe we should be a bit more demanding about the solutions we are offered. Maybe it would be nice if we had a trustworthy and independent third party that offered a security audit rating system for commonly used service providers, like banks? This alone would drive down a lot of the risk, because to some extent breaches can be facilitated by bad practices on the part of the service providers...
But other options could consider available variation on the themes of something you have, something you are and something you know. Services should allow us to set our security based on a selection of two or more of that trinity, with a range of options for each... Here's a bad example... Suppose that the fingerprint reader on new Apple iDevices had an exposed API. Then suppose that a web site authentication engine integrated with this, over a secure SSL channel. You go to the site, you tap the option for fingerprint reader, then you put your pinky on the sensor.... What would it take to engineer that securely? In a combination with even the most basic of known passwords, wouldn't that be much more secure?
Or what about something you have? How many people drive a vehicle with a remote control unlock mechanism? One German manufacturer uses a supposedly very secure rotating key mechanism that never sends the same release code twice... What if we used the same principle and allowed people to connect their car key to their keyboard via Bluetooth, using the same or similar principle to integrate an everyday object like a car key as a "something you have" factor?
Both of these are spur-of-the-moment suggestions and likely flawed, but I just wanted to push us past the idea that the right solution is still a password. Respectfully, that's still only single-factor and thus still implicitly weak.
If you can remember a phrase related to your children, pets, whatever, you can simply use an initialism. For instance, if your daughter Sally was born in 1999 in Tampa, you could remember the phrase "Sally was born in 99 in Tampa at 5 o'clock", and then your password is Swbi99iTa5o. The field of total sentences is massive, and this hooks the good parts of using pet, child, or spouse names, with the good parts of not using words as any percent of your password.
Upsides: You keep the password in your head. You can type the password quickly because it is short.
Downsides: Bullshit like "you must have two numbers, two lowercase, two uppercase, two special" will incorrectly reject your secure password as if it were insecure. You can get around this by always postpending or prepending a short string with the same whatever-you-needs.
Solutions like "keep your passwords in a vault" have issues, though unlikely ones. Your online vault is a potential target for hackers (who wouldn't be looking to target anyone in particular- it's just a rich source of access tokens potentially), your local vault needs to be transported and cared for like any data, along with whatever decrypts it.
Whenever I can, a completely randomly-generated password. At work, where, for reasons I can't go into, I need to change it every 3 days currently, a semi-random component and a date-based component, which ironically beats out the "last X similar passwords" check. If they're gonna make my life hell, I'll return it in spades... Also, I have to write down the date-based part, just to remember it for the next 3 days... #imahorribleperson
I'm with XKCD on this - it's all about how many things you can remember easily, and catering to that. Sure, I can just bang on my keyboard like a frustrated pianist and make an ironclad password like apSo8soDis+y2apjbea;is5ya4sHayb,Fia7py but can I memorize that? Heck, no. I construct a sentence of long words that almost makes sense, and include a bit of punctuation (if allowed), numbers and capitalization. If you construct the sentence well, you can even make several words count as one thing to remember. Here's an example of a password that has four things to remember (a four word sentence, a number, a punctuation and a capitalization) that took me a minute or two to generate: powerful3education=automaticallyMeasured
The first thing you need to do is stop listening to statistics someone else faked.
Of all the various ways in which attackers can gain passwords, only two involve cracking them (brute-force and cracking a password database). One of them should be a non-issue, because any software or service that doesn't protect against brute-force is fundamentally broken and shouldn't be trusted with your password anyway. Make your password "a", save everyone the trouble. For a password database crack, firstly the security of the server already failed, and then you're at their mercy a second time because if the password is stored unencrypted, you're fucked. If the password is stored hashed but not salted, you are pretty much fucked. And if the password is properly hashed and salted, congratulations you have the one scenario where a good password actually matters.
In all other attacks on your password, from phishing to shoulder-surfing and keyloggers, it doesn't matter how good your password is, how long it is or how complex it is.
So, if you are really so concerned about the one scenario that you are ready to type V9AnKH5Crpfukuy5gAFB till the end of your days, go to https://www.random.org/passwor... and fire it up. Because all the hints you find on making a "good" password are also known to the people writing password crackers and coded into the perturbation algorithms. True randomness is your best bet.
The one thing that matters, and there's an article about it but I'm too lazy to google it, is length. Length > Complexity. "aaaaaaaaaaaaaaa" is more secure than any variation of 8 characters ever will be, simply because, at least until this post, no password cracker would run the chain like a, aa, aaa, aaaa, ... to arbitrary length.
IMHO, and I am an expert in the field and given speeches about password security, forget all the "password complexity" rules, they are all bullshit. They're the safety net that makes sure that "password" is not a legal password on your system. But the world continuously invents better idiots, so "password1!" is and you're fucked anyway.
So my password is: iiiiiiivvviviiviiiixx (but in caps; the /. yelling filter prevents me from typing it that way)
password ... bad.
p@ssw0rd ... slightly less bad.
pAsswOrd ... 4000x less bad.
pAswsOrd ... They'll never guess that!
If you can't dependably type it in a comment, how well are you going to do when all you see is 40 stars?
*locked out of account*
Pick a long word or phrase. I'm using my name "OWEN" for the example.
For each letter in the phrase, hold down alt and trace the shape of the letter out on the keyboard.
O is a circle, so it's Alt plus 79317 or
W is 71539 so s
E is 97513 so
N is 1739 so
s
You can change the shape you draw for each letter too, so E could be 9745413 or , N could be 178239 or ?.
Of course, this only works if the system supports full unicode.
I sometimes use mathematical formulae like:
ten!=exactlythenumberofsecondsin42days
etotheithetaplusone=0
asqrcos2phi=piapprox3.1416
cossqrtheta+sinsqrtheta=1
USB, USB, USB!
google password: googleisevil, yahoo password: yahooisevil, facebook password: facebookisevilindeed, slashdot password: slashdotisntevil, amazon password: mywalletisbroken
I just use the password on my luggage.
my email or financial stuff: relatively long password with a combo of what I think is nonsensical, like Vuh;Kal-Poh23. If it is some forum stuff: password01. I don't care about forums.
random_hex ()
{
    local n="${1-40}";
    # Read n/2+1 random bytes, hex-encode them and trim to n characters.
    # (The input source and the hex step were lost in extraction; /dev/urandom
    # and od are assumed here.)
    head -c "$(( n / 2 + 1 ))" /dev/urandom | od -An -tx1 | tr -d ' \n' | head -c "$n"; echo
}
usage: random_hex <maximum allowed length of the password field>
I use passwords in email form.
cat@dog#39.COM
Monk007@porn.net
They are easy to remember. They are flexible: length, special characters, upper case & numbers.
The one thing I do is use randomly generated passwords for security questions.
What city was your mother born in? TpV2e\LE-hYX*^w+d0l@\p3Ta
Good luck getting those right.
My workflow is to Use @1Password (but there are other similar tools) to create and store a random 30 character string (website permitting, some have max lengths) with numbers, symbols, and letters for every passwd. All of my passwords are unique garbage. The downside is that if you are ever without your tool (in my case 1password), you aren't getting into anything. Luckily most of these tools have mobile apps.
MFA is where it's at.
Do not use passwords.
Any password can be cracked in just one guess; it only depends on how good you are at guessing.
Stick this in your $HOME/.bashrc
genpasswd() {
    # Keep only printable, non-space characters from the kernel CSPRNG and
    # take the first N (default 16). LC_ALL=C stops tr from rejecting byte
    # sequences that are not valid in a UTF-8 locale.
    LC_ALL=C tr -dc '[:graph:]' < /dev/urandom | head -c "${1:-16}"; echo
}
Then you can just generate a password by calling "genpasswd". If you don't like the default length of 16 you can give a different length as a parameter.
Here's an example of the output:
$ for i in {1..20}; do genpasswd 30; done
?g*urm[[*eFX4595yE4IGJlE}Y=aKM
o+g{\x]z}"G*!+9RSC/9}_?Cm.BAC,
^xvy:R1HAU?ltJvUHYC=?(/Vf94k"i
>CV&G_L0;z~"/8),$]dc|JuVY.Ex8Q
?kRAo&p+?#HhC27tB!Dao$u1K}%Y6G
Q$,CaghZ\>atglH3UNLQP}@G=aea+p
!=5Od(kW\d~Ki4Gf,?6:[iWJVQs+64
9,1FxZB&%#Ha@s,Y,$qNr%y6ddHT3Q
~Y2$7h1gxe(inHVFB=vE^8{dhu{{!"
zG)ft;!I@,j7T<ZKBa3^o^7|~Y/*0T
pfy>r$9B\efdt6)B-x/B5GCQywtb,%
xU+.k%T.g,el|<"H3aejl,68!:9]B-
g=VB2`#j!z5Fdrt|GxK[^oU<%+Qj,$
W0?}1(2W+__~\@.5}d5+;@rM?%.1`>
i59yTDH%Qla97'4"_bNbAh'hI243Js
cq@v,U4_8s*"?:7[qytCQ=9zDxx=k;
kozXefJoN[CI@w:'Fzi0$RSntHk<II
pvpc1vi4U%?]7=/Q!OC[b3V?'9})sC
1Frg'V]hTMFB5GA-Ek!"NCV3Y;5FK:
{]cW%y8cepu)vW;nq:dh}9G]SI=He^
I get a long, complicated, random password, then I make up a phrase to go with it. I repeat the phrase as I type it in.
Eg, mAW!t@Eh*J9$r becomes ummm....
My Aunt will bang that hey? Date just 9 dollar
(Date is another word for a chocolate starfish, which looks a bit like, well, you get the idea.)
Now, just try getting that mnemonic out of your head!
I use randomly-generated passwords that are at least 20 characters long and generated from reading /dev/random. Any scheme other than using a cryptographically-secure random number generator will be weaker.
"my voice is my passport"
I take a phrase that I like from a song, book, or movie and then riff on it a bit.
I might start with "God does not play dice with the universe; He plays an ineffable game of His own devising," part of a line from Good Omens.
Then focus down. "ineffableGame", that's a good start.
ineffable Game w/ blank Cards.
or perhaps
ineffable Game for infinite_Steaks
or
an ineffable Game for infinitesimal 6Steaks
Substitutions of words, puns, plays. It makes it personal but you still have a hook for remembering it. So long as you follow your own (hopefully somewhat twisted) sensibilities you will have a way to re-derive the password, a sort of logical mnemonic.
Choosing a longer phrase, or a more significant part of a phrase, for more security is a natural extension, and it beats trying to remember complex letter and symbol substitutions. Wordplay is much more natural.
md5sum
d41d8cd98f00b204e9800998ecf8427e
Before we tackle what makes up a good password, we probably need a standard implemented across the board.
Things like:
Minimum and maximum characters.
Standardized character sets. ( Aa4# )
Hashes, salts, and storage of credentials.
Mandatory HTTPS for login sessions.
Then fine the sh*t out of companies who get breached and expose login credentials because they weren't following the standard.
It does no good to have a fully random twenty seven character password if the damn thing is wide open on the server side or they are still using MD5 to store it.
After we get there, we can probably talk about what makes a good password.
I am not a very security minded person. All I do is make it a sentence. A long sentence (as long as the system allows). With a number in it, so that if the system wants another bloody password, I just increase the number by 1. For example: Little red robin likes to eat 27 pears now. Works well enough for me, though maybe I just don't realize when my accounts get compromised.
I have 20 fingers and toes, two ears, two eyes. Most places, the biometric data is stored locally. We're quibbling over what is quite possibly the weakest possible security measure known though. Passwords are all nothing but security via obscurity (worst practice). The weakest link in this whole authentication scheme isn't the password, it's the user. Didn't the Reg have an article where something like 40% of users would give up their password for a piece of chocolate?
taeniaeaxolotlstarniestrongyl
Tournament Scrabble players memorize lots of words, often without knowing their meanings (I don't know the meanings of the four seven-letter acceptable words above). Makes for cool passphrases for LastPass et al.
So for those who understand the maths, is the above passphrase harder to crack than the 20-random-printable-character passwords I have LastPass generate for me?
I create a password for the system like Pass1234.
Then I pull out the network card, fill the PCI slots, USB ports, Firewire, and Bluetooth with resin. Then I put the computer in a lead lined room with a deadbolt on the door. Then I remove the keyboard. Then I smash the network card I removed to tiny, tiny pieces, just to be sure...
NO ONE is hacking THAT password...
I suppose you could use a phrase not likely to be guessed or encountered in real life, like "MicrosoftIsEthical", or "Windows10IsPerfect!". That last one contains numbers and a special character, as well as being easy to remember.
sudo apt-get install apg
Passwords are a passing fad; they've only been around for about 45 years and it is my hope they will be a dead method within the next 5.
For now, I use a long random passwords with at least 44 bits of entropy (not telling you the character set or length, that leaks too much information). But as I said, the password must die because it is fatally flawed, it relies on having the service store a secret for comparison. Something that can be captured in transit or stolen on the server and brute force reversed from its hash (if used), then used repeatedly until revoked by an out of band repudiation method.
In the very near future only a per-site unique zero knowledge proof of sufficient strength to preclude brute forcing will suffice; thus only public information is present on a server, and by the nature of a zero knowledge proof against a unique challenge there is nothing useful to steal.
The most secure way is to use certificates and smartcards.
> Our ability to remember long passwords is limited without context or patterns.
Certainly true.
> A computer's ability to recognize patterns is however insanely difficult.
"pOs5IbL3" is not pattern recognition, and it is used by common cracking tools. The rules are well known - 3 is interchangeable with E, 0 for O, and 5 for S. Bad guys do those substitutions.
Mainly what it comes down to when choosing passwords is length. Adding a few extra characters to the alphabet, using 0, 3, and 5 as letters, is fine and all, but you get more bits of entropy by making your password a character or two longer.
To create long passwords that one can remember, a sequence of words is good, but of course attackers have dictionaries. One option to improve it, therefore, is non-dictionary words like unjoyfully, runnableness, or happify (make happy). A sequence of such non-words can be easy to remember and hard to crack.
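The substitution rules the two comments above describe (and the p@ssw0rd / pAsswOrd / pAswsOrd table earlier in the thread) are easy to make concrete: a rule engine takes one dictionary word and expands it into every case-toggle and leet-substitution combination, so a "clever" spelling of a dictionary word costs the attacker a few thousand guesses, not billions. The script below is an added example, not code from any commenter; its substitution table is an assumed, deliberately small subset of what real cracking rule sets ship, and its four-word dictionary is constructed for the demonstration.

```python
import itertools

# Assumed substitution table of the kind built into common cracking rules.
# Real rule sets are far larger; this subset is enough to show the mechanism.
LEET = {
    "a": ["@", "4"],
    "e": ["3"],
    "i": ["1", "!"],
    "l": ["1"],
    "o": ["0"],
    "s": ["$", "5"],
    "t": ["7"],
}


def char_options(ch):
    """All spellings a rule engine tries for one character of a base word:
    the letter in either case plus any leet substitute for it."""
    base = [ch.lower(), ch.upper()] if ch.isalpha() else [ch]
    return base + LEET.get(ch.lower(), [])


def leet_variants(word):
    """Every combination of case toggle and substitution for one word. This is
    the whole candidate set one dictionary entry yields under these rules."""
    return {"".join(p) for p in itertools.product(*(char_options(c) for c in word))}


def rule_coverage(word):
    """Number of guesses the rule set spends on one base word: the product of
    the per-character option counts. Cheap to compute without expanding."""
    count = 1
    for c in word:
        count *= len(char_options(c))
    return count


def base_word_for(candidate, wordlist):
    """Return the dictionary word a rule engine reaches `candidate` from, or
    None if no same-length word expands to it. A transposition such as
    pAswsOrd is not produced by substitution rules and comes back None."""
    for word in wordlist:
        if len(word) == len(candidate) and candidate in leet_variants(word):
            return word
    return None


# Constructed mini dictionary for the demonstration.
WORDLIST = ["password", "iloveyou", "letmein", "monkey"]

if __name__ == "__main__":
    print("guesses to cover 'password' under these rules:", rule_coverage("password"))
    for pw in ("p@ssw0rd", "pAsswOrd", "pAswsOrd"):
        print(pw, "->", base_word_for(pw, WORDLIST))
```

Under this small table "password" alone expands to 3072 candidates, and both p@ssw0rd and pAsswOrd are among them; the length argument in the comment above follows directly, since each extra character multiplies the search space for a random password but a substitution only multiplies one position by two or three.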
dd if=/dev/random status=none bs=24 count=1 | base64
This should produce passwords accepted by the majority of sites, and should be about as secure as your random number generator and password management system. Tack on characters as the site requires. You may substitute your RNG of choice, and adjust length to your liking (protip: use a byte count that's a multiple of 6 to avoid getting extra = signs at the end of the encoding). Dropping the status=none saves you typing, but you have to pick out the password from the resulting jumble of output.
I have passwords from 8 years ago that I've struggled to remember. I had one that I used, once, 2 years back, to log into my HSA because they changed password requirements; I saved it in my browser and didn't think much about it. It took me two tries to remember what it was.
The memory is made up of words, images, intonation, caricature, emotion, everything. The original password was generated by pulling together concepts and images; one of the concepts was emotional, generated an emotional word, and thus generated the sense of a person making an exclamation. I *should* have spent eight seconds solidifying the entire set of data that arose from that little bit of effort, but I just picked something, typed it in, and continued on with my financial analysis; I still remembered it.
If I had just picked a word, or two words, or four words, or a phrase from a book, I would have forgotten it in like 10 seconds. Everybody does that: they grab a couple words, don't visualize them, don't render them vividly, and then forget them. Even for mnemonics world champions, memorizing long streams of text *perfectly* is hard; chunking a single concept works well enough, but you really have to generate a ton of associations to remember it.
I have a scrambled 100,000+ English word dictionary. I have a javascript script that I feed 100 random bits drawn from John Walker's Hotbits. The script produces 4 random words when taken together are at least 16 characters long. To remember the four words, I construct a single sentence story that says something about the site.
Since I have the source code which I run in a browser that has never seen the web, I don't have to trust the author - that's me - to keep my passwords secret. The only thing I need to trust are the 72 bits are what Walker says they are and that his site isn't recording the bits he's handing out. If it ever comes to thinking otherwise, I have a lava lamp. Yeah, I'm that old.
I only use the script on moderately and very important to secure like email and work. For sites that I don't care if someone pretends to be me, I use one word passwords.
There are 10^20 possible combinations. Adding a fifth word for banking cranks that up to 10^25 combinations. I can type quickly so 4-6 word phrases aren't a problem for me.
I suspect a clever cryptologist could find several weaknesses in the approach (etaoin shrdlu comes to mind) but I think the resulting pass phrase will defeat most attacks.
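The scheme above (four words drawn uniformly from a 100,000-word list, 10^20 combinations) and the earlier Scrabble question (is a four-word passphrase harder to crack than 20 random printable characters?) both reduce to the same arithmetic: the entropy of a passphrase is words × log2(list size), and the entropy of a random string is characters × log2(alphabet size), provided every pick is uniform and independent. The script below is an added example, not any commenter's code; its twelve-word list is a constructed stand-in for a real wordlist file, and it uses Python's `secrets` module as the random source in place of HotBits or dice.

```python
import math
import secrets

# Constructed stand-in for a wordlist file (one word per line in real use).
# Diceware ships 7,776 words; the commenter above uses a 100,000-word list.
WORDS = ["taenia", "axolotl", "starniest", "strongyl", "ineffable", "battery",
         "staple", "correct", "horse", "pear", "robin", "sweltering"]


def entropy_bits(pool_size, picks):
    """Bits of entropy in `picks` independent uniform choices from `pool_size`
    items, i.e. log2(pool_size ** picks). The figure is only valid if the
    choices really are uniform and independent, hence `secrets` below."""
    return picks * math.log2(pool_size)


def passphrase(words, count, min_len=16, sep=" "):
    """Pick `count` words with a CSPRNG. Phrases shorter than `min_len`
    letters are redrawn in full; this slightly shrinks the accepted set (so
    the real entropy is a little below entropy_bits(len(words), count)),
    which is the price of guaranteeing a minimum length."""
    while True:
        chosen = [secrets.choice(words) for _ in range(count)]
        phrase = sep.join(chosen)
        if len(phrase.replace(sep, "")) >= min_len:
            return phrase


def compare_schemes(dict_size, word_count, charset_size, char_count):
    """Return (passphrase_bits, random_string_bits) so the two schemes sit on
    one scale: expected guesses are about 2 ** (bits - 1)."""
    return (entropy_bits(dict_size, word_count),
            entropy_bits(charset_size, char_count))


if __name__ == "__main__":
    print(passphrase(WORDS, 4))
    words_bits, chars_bits = compare_schemes(100_000, 4, 94, 20)
    print("4 words from 100k: %.1f bits" % words_bits)     # about 66.4
    print("20 random printable chars: %.1f bits" % chars_bits)  # about 131.1
```

So four words from a 100,000-word list is about 66 bits, five words about 83, and a 20-character string over the 94 printable ASCII characters about 131 bits; for the Scrabble passphrase the honest pool size is the number of words the player could have chosen from, not the number of letters.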
Password Safe >> New Entry >> [type url] >> [Default Username] >> Generate Password >> Save
I never type it, not even once.
I use RoboForm for almost all password generation.
I don't actually know 90% of my passwords.
When it is a requirement for me to remember my password, I will do one of the following:
- make a repeatable number letter combo (i.e. 2pt2p2PT)
- use a phrase. I like to select phrases based on band names, album names, song titles or song lyrics (i.e. Red Barchetta is a car)
Completely unimportant (the fake email you use to fill out forms when you don't want spam later) -- mailinator doesn't use any password at all :)
Mostly unimportant (games and such, with no personal information and no credit card attached) -- pick something easy, because who cares?
Moderately important -- "correct horse battery staple", but keep it unique
Really important -- `openssl rand -base64 12`
Two factor authentication.
Is a dictionary going to have, for instance, the phrase "Clark Kent"? I can't imagine, or at least not something it'd try right off the bat, right? But "Clark Kent does 44 situps" (not my actual password to anything) is at least as easy to remember as "correct horse battery stapler" or whatever. So, that's what I do. (For passwords to places I'm actually worried about. For everything else, I have a fairly easy to guess, but also super easy to type, password, because... so?)
All it takes is a 20-sided die.
Decide on the password length, then look at whatever ASCII table is handy and roll the d20 5 times and record the value.
Can't really get much more random than that...
Just shift in four bits from the character before the 15th one into it?
I guess doing rot 14.5 once (on the digital representation of the characters) may actually be a decent idea.
I do this, too, but will caution others who want to start -- some sites (usually those that don't publish a max length) will allow you to set really long passwords but then break when you try to use them.
I have encountered this. A site may silently cut a "too-long" password short to an acceptable length, so testing that the passwords you have recorded actually do work is important. I try to send a note to such websites letting them know their system sucks. Best practices for websites should be to actually document what length and character sets are acceptable for use, and some sanity checks that give useful feedback when unacceptable passwords are being attempted to be set.
I've read that you can use a letter from each word of a memorable sentence to make a long pw that you can remember. But, such a pw is still a huge PITA to type on a phone with no keyboard, and even worse if you include numbers & special chars.
obviously the best dog name is now : Fido'); DROP TABLE DOGS; --
I remember some fairly secure passwords from 20 years ago. We had an intern who left, and he gave me his unix password in case I needed it.
It was CIrpotb, It was the first letter from each word in the lyric in the song Jeremy "Clearly I remember picking on the boy," and included the comma.
I have used a similar method. Here's how:
1. Pick something significant to you that you will not forget. Let's say you saw your first girlfriend's hot mom in the nude. Her name was Alice. Aliceboobs
2. Throw in some caps. AliceboobS. Then some numbers and punctuation. Aliceb00bS!
Done
So when you have to change it, bump up the 2nd number. Aliceb01bS! Aliceb02bS!...
If you just go from 00 to 09 and back, you have 10 iterations. If you go to 99 you have 100.
Need to keep a reminder on a post-it? write milf18!
That means Aliceb18bS!
Need to answer a security question? What was the name of your first pet? milf18! easy reminder
You only need to modify a few characters to get a new secure password that only you know the story behind.
Find your own event, make up your own rules. Anyone can do it. I have had the same password scheme since 2000. The password now looks random because of modifications over the years.
(note: that is NOT the story behind my password, but the story is true) :)
It's a page dedicated to creating easy to remember passwords for children.
I use it on my adult users all the time when I have to create a password for them, and I copy-paste the entire picture of the dinosaur and send it to them when I do.
The preceding post was not a Slashvertisement.
oh, wait, you said how do "I" create a secure password. never mind. I just use CowboyNeal's.
I would recommend https://en.wikipedia.org/wiki/...
Or Cyrillic
Variation of this, if you speak any language other than english, always use passwords from your language.
The most common password crackers have used dictionaries for multiple languages since the 1990s at least.
what the fuck are you doing that doesn't make you enough money to get a proper phone plan?
For some, it involves having been automated out of a job while residing and holding citizenship in a country that does not provide universal basic income.
Move out of a country that allows such an idiotic practice.
Emigration is even more expensive than receiving SMS.
What if I choose to spam you like hell?
Your spam campaign may end up hitting someone willing to see you in court.
The rules are well known - 3 is interchangeable with E, 0 for O, and 5 for S. Bad guys do those substitutions.
That is my point exactly. The bad guys use this rule, and the next rule, and the rule after that, but if we just keep adding rules and rules that the bad guys need to match we're no worse off than a brute force eventually. We now have a dictionary that requires not one guess, but 6515 guesses for just this one word, and that's assuming a perfect substitution without a misspelling somewhere.
Back up: the GP proposed using an md5 from a dictionary passphrase. Well, apparently they are working on that too because ... well, they are bad guys and dictionaries are fun and RAM is cheap, right?
My point is that basic patterns and number combinations are used in cracking tools. No one is sophisticated (bored?) enough to perform a dictionary attack against a passphrase that has been md5'd and is then used as the password which is finally hashed. Not when the most common passwords in the world can be easily guessed.
You're not talking about hiding from hackers anymore, but rather from the NSA or from a very targeted attack.
Include spaces. 0x20 is a remarkably unusual character in a password. Full sentences, perhaps a favorite quote (although maybe not quite exact since that would be predictable). Include your common misspellings and it's better still. Long is good too, so more than a phrase per se. "Now is the time..." or "Better to remain silent..." are good examples, but don't use overly popular ones. What is the phrase your mother/father/grandparent always said to you? What words of wisdom do you live by? These are good passwords and easily remembered.
openssl rand -hex 32 | less
Then, I'll manually change some letters to Upper Case, and add a few symbols.
I keep them written down, and change them annually. It's a total PITA, but "so far, so good."
Uh, Linux geek since 1999.
I should say, for about fifteen years my job was developing software to thwart dictionary and brute force attacks. I've analyzed many millions of attempts and studied most of the tools attackers use. The point is, I'm not guessing what might work.
> No one is sophisticated (bored?) enough to perform a dictionary attack against a passphrase that has been md5
This can be a good idea if you take it a step further. As-is, there are of course far fewer MD5 hashes than there are passphrases of a given length, so this approach by itself is questionable. It may or may not work well vs a particular configuration of a particular tool. However ...
We know that re-using passwords weakens security. Bad guys get a dump of user names and passwords from MySpace and try those same pairs on other sites. We also know that remembering 100 different passwords is impossible, and storing them is a risk. An alternative I've used is to CALCULATE unique passwords. Your password for slashdot.org is SHA1(correcthorse SLASHDOT.ORG batterystaple) . Your password for Facebook is sha1(correcthorse FACEBOOK.COM batterystaple). In that way, crackers can't use your slashdot password to log in to your email, but you only have to remember one thing. By using a strong hash (not md5) neither hash can be reversed to reveal your passphrase.
* The above is a basic description. There are minor tweaks which enhance the security, such as:
sha1(SL correcthorsebatterystable ASHDOT.ORG)
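The derivation in the comment above, written out as an added example (my code, not the commenter's, with a constructed master phrase): one memorised phrase plus the site name goes through a hash, and the output is the site's password. The first function is the scheme as described. The second is my own substitution and is labelled as such: a bare SHA-1 over the phrase is fast, so if one derived password leaks (a site stored it badly) an attacker can try master-phrase guesses at hash speed against it; a salted, iterated KDF with the site name as salt makes each guess of the master cost 200,000 SHA-256 rounds, and a version counter gives you a fresh password when a site forces a change. Both functions and their parameters are assumptions for the example.

```python
import base64
import hashlib

# Constructed master phrase for the demonstration; in real use this is the one
# thing you memorise and never write down or store.
MASTER = "correcthorsebatterystaple"


def site_password_sha1(master, site):
    """The scheme described in the comment above: the site name is spliced
    into the master phrase and the whole string is SHA-1 hashed. Output is
    40 hex characters (letters and digits only); append a symbol by hand if
    a site insists on one, and expect to truncate for sites with length caps."""
    material = ("%s %s %s" % (master[:12], site.upper(), master[12:])).encode()
    return hashlib.sha1(material).hexdigest()


def site_password_pbkdf2(master, site, length=20, iterations=200_000):
    """My swap-in: same idea with PBKDF2-HMAC-SHA256, the lower-cased site
    name as salt. A leaked derived password now costs `iterations` hash
    rounds per guess of the master instead of one SHA-1 call."""
    dk = hashlib.pbkdf2_hmac("sha256", master.encode(), site.lower().encode(),
                             iterations, dklen=length)
    # urlsafe base64 keeps it typeable; trim to the requested length.
    return base64.urlsafe_b64encode(dk).decode()[:length]


def password_for(master, site, version=1):
    """Derive a password for `site`; bump `version` when the site forces a
    change. The counter goes into the salt, so every version is independent
    and a "last N passwords" check is satisfied without a predictable suffix."""
    return site_password_pbkdf2(master, "%s#%d" % (site, version))


if __name__ == "__main__":
    for site in ("slashdot.org", "facebook.com"):
        print(site, site_password_sha1(MASTER, site), password_for(MASTER, site))
```

The per-site password is still only as strong as the master phrase: nothing here stops an attacker who obtains one derived password from guessing masters offline, it only sets the price per guess. It also does not solve the "site silently truncates long passwords" problem raised elsewhere in the thread, so verify a derived password logs in before relying on it.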
just nuke the site from orbit. it's the only way to be sure.
Requiem for the American Dream
Use a random generator to create a 12-character sequence, then rote memorize it.
And keep a copy in your wallet in the middle of a much longer (e.g. 100 character) sequence.
Your brain's pattern recognition machinery will immediately recognize the correct sequence, but nobody else will.
For example, suppose the random generator spat out
Then print out and save
Whenever you look at this, the correct sequence "uiTb8fqlPhkX" will appear obvious to you, but to no one else.
"I read slashdot, because i am so f*cking bored".
If the site limits the length of the password, you still have: Irs,biasf*b
That's all pretty good analysis. Let me throw in one more piece. You don't know what kind of hashing the site uses. Very sadly, the most common is the old-fashioned DES-based which ignores everything past the first eight characters*. Therefore the first eight characters should be as strong as you can make them.
That may seem surprising. Here are a few facts that partially explain it:
Most password protected sites are
I accidentally hit submit too soon.
Over half of password-protected sites are porn sites.
Over 90% of password-protected porn sites use one of three billing companies.
Those three billing companies provide the sites with password scripts that use DES.
DES is also the default for htpasswd.
Therefore, more passwords are hashed with DES than any other algorithm.
The USA doesn't charge to receive text messages if you pay extra per month for an unmetered text message plan.
Every plan that I can find, postpaid anyway, with the major carriers, offer unlimited text and talk.
I'm on pay-as-you-go. I was including postpaid plans, which generally run far more expensive than that, in "pay extra per month for an unmetered text message plan".
I use chess openings. They comprise uppercase, lowercase, numbers and even special characters.
For example:
1e4e52Nf3d6Bb5#Bd7Bxd7# etc...
For awhile, used Steve Gibson's Perfect Passwords page - https://www.grc.com/passwords.... ;)
Then decided to go in-house - eavesdropping on an SSL connection? That's possible? ;)
Started with this script: https://gist.github.com/tylerh...
Changed it up a little so I could pass a number (otherwise it defaults to 63 chars), removed the limitation of zero vs upper-O, number one vs lower-L, etc. (didn't make sense as I'd just be pasting anyway), and put an alias in my bash init so I could call it without typing .php every time.
Decided never, ever to use a password on more than one site.
Of course, if I lose the password file, I'm screwed..
Use a variation of it to generate alpha-numeric folder names (say, for a Laravel code folder, or many other uses).
.... to remember this one.
http://dilbert.com/strip/1998-...
You can use common words - you simply have to string them together in unpredictable (so to speak) ways. A password like "Bombay97!sweltering", which might mean something to you, is then easy to remember, and has 86.7 bits of entropy, (according to Rumkin). Two words of medium length, a couple of symbols, and you have a strong and easy to remember password.
Use a password manager, (incidentally, if you encrypt your cloud backups, you shouldn't have any concerns - a password manager's database should be encrypted to begin with), and you can have hundreds of strong, unique passwords, while only having to memorize a handful that you use away from your own devices. Let's not forget, most incidents of password "hacking" involve guessing. The rest involve trying a wordlist of commonly used passwords, perhaps with John the Ripper, but only if they have the downloaded/captured data to work with.
-- sudon't
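The 86.7-bit figure above comes from Rumkin's meter, whose formula is not reproduced here. As an added illustration (constructed for this page, not the commenter's code), the following Python compares the naive character-class estimate a typical strength meter gives "Bombay97!sweltering" with a wordlist-aware estimate that charges each dictionary word one lookup; the 100,000-word dictionary and 33-symbol pool are assumptions.

```python
import math

# Assumptions (constructed, not from the comment): size of the attacker's
# wordlist and the number of printable ASCII punctuation characters.
WORDLIST_SIZE = 100_000
SYMBOLS = 33


def brute_force_bits(pw: str) -> float:
    """Strength-meter style estimate: every character is assumed to be drawn
    uniformly from the union of the character classes the password uses."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += SYMBOLS
    return len(pw) * math.log2(pool)


def word_model_bits(tokens) -> float:
    """Attacker-model estimate for a password assembled from dictionary words,
    digit groups and symbols: each token costs only what it takes to guess it
    (a word = one wordlist lookup plus one bit for capitalisation)."""
    bits = 0.0
    for tok in tokens:
        if tok.isalpha():
            bits += math.log2(WORDLIST_SIZE) + 1
        elif tok.isdigit():
            bits += len(tok) * math.log2(10)
        else:
            bits += len(tok) * math.log2(SYMBOLS)
    return bits


def overestimate_factor(pw: str, tokens) -> float:
    """How many times the naive estimate exceeds the word-based one."""
    assert "".join(tokens) == pw, "tokens must reassemble the password"
    return brute_force_bits(pw) / word_model_bits(tokens)
```

For a grammatical sentence used as a passphrase the word model is still generous, since context between words lowers the cost further; treat its number as an upper bound in that case.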
Air-ride Equipped
If a site requires a password, why don't they tell you the acceptable characters and the minimum and maximum lengths? I default to 16 characters but usually have to play a try-it-and-see-if-it-works guessing game with regard to the maximum length and even the allowable character set. A few sites actually spell it out in detail, but most just say "password too long" or after you've included some special characters they don't like, "password can only contain xxxx". Sometimes they only have one error message like "password too long" even if the length is fine but you've entered a character it doesn't like.
I scanned the whole thread and didn't see anyone suggesting what I've been doing for years. . . The first letter of a long sentence that only I would have made up. . . .
For example, reading the thread makes me think of the sentence: "xkcd says that it's important to add extra bits of entropy", which turns into "xstiitaeboe"
So easy to remember, that I still remember passwords I created 20 years ago (and haven't used in 16 years). . .
I never had to write it down
For special character "requirements," I still make up a sentence, and then capitalize the first letter and add a number and a special character to the end.
"Xstiitaeboa5%"
I used to have to remember a lot of different ssh passwords for lots of different clients. . . I remembered a different sentence about each owner. . . first letters turned into VERY different passwords. .
I usually use md5 to generate my passwd. $  echo "aword/sentence" | md5sum | cut -c 1-10 # -c 1-10 gets me the first 10 chars. So every time I need it I get it with the same command, and guess what, this will not be saved in my history: if you notice, there is a space before the command so it is not saved in my history. Regards and enjoy.
I think the above is a much better topic for discussion, especially since some recent research suggests that one way to increase security is to reuse passwords extensively....just not reusing them on sites where you, personally, have anything much to lose if the password is penetrated. In particular, don't reuse passwords which give access to financial information. So, a couple rules of thumb suggest themselves to me: (0) Be a lot more careful about what you post on-line. Is it really worth it to save your credit card information on line rather than re-enter it when you really need to make a purchase? (1) Reuse passwords extensively for 2nd and 3rd tier sites -- and don't give them any important, REAL information. An alter identity is generally a good idea if you find but-insky sites wanting your birthdate, cellphone number etc. Note google, yahoo, microsoft, etc. aren't really asking for your cell phone number primarily in order to help you -- they want it to surveil you better and tie you together inextricably with your friends, purchase history, address, etc. Fuck these guys good with false or changing data whenever possible and your security will actually go up. (2) Use a reasonably complex, pretty reliable personal algorithm so you can reliably FIGURE OUT your weird password every time. You might even use several algorithms...a simple one and a massively complicated one. (3) Use some sort of encrypted notebook to put in sufficient (yet sufficiently vague) password hint info. I strongly advise you carry that with you and keep it up to date. (4) I specifically suggest you NOT use a dedicated "password manager" "in the cloud" as (1) these companies seem to get hacked a lot (2) go out of business or are not available when you need them (3) Lack enough flexibility for you to be able to put in sufficient notes which can be regularly updated.
One thing to keep in mind is a majority of serious sites have arbitrary, generally idiotic rules which will screw with your algorithm (e.g., not allowing spaces, not allowing certain characters) and tend to force you to periodically change your password (thus breaking your stock algorithm). Anyway, the question of how to create a sufficiently "highly-secure" password is absolutely the wrong question. Creating is pretty easy; recalling is the killer...and coincidentally the thing which tends to kill security as well....unless locking yourself out of your account regularly is something you regard as a "good" thing.
python3 -c "import base64; print(base64.standard_b64encode(open('/dev/urandom', 'rb').read(18)).decode())"  # 18 random bytes -> 24 base64 characters
I ever saw were 10-16 characters, CAPS, lowercase, numbers, and symbols. No sequence of 3 or more letters could spell a dictionary word, no sequence of characters from the 4 groups could go more than 3 characters, and changed every 25-30 days.
If you locked yourself out, you had to be unlocked by a network security officer who had to come to your desk WITH YOUR SUPERVISOR and check your ID.
Seriously, combine words, camelCase, make it long and change it often.
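The rules in that corporate policy (10-16 characters, all four character groups, no run of more than 3 from one group, no 3+ letter substring that spells a dictionary word) are easy to state but worth checking mechanically. The following Python validator is an added example written for this page, not the policy's actual enforcement code; its tiny DICTIONARY set stands in for a real wordlist.

```python
import re
from typing import List, Optional

# Constructed stand-in for the corporate dictionary list; a real deployment
# would load a full wordlist (for example /usr/share/dict/words).
DICTIONARY = {"pass", "word", "love", "kale", "cat", "dog", "the", "and", "you"}
UPPER, LOWER, DIGIT, SYMBOL = "U", "L", "D", "S"


def char_class(c: str) -> str:
    """Map a character to one of the four policy groups."""
    return UPPER if c.isupper() else LOWER if c.islower() else DIGIT if c.isdigit() else SYMBOL


def contains_dictionary_word(pw: str, words=DICTIONARY, min_len: int = 3) -> Optional[str]:
    """Return the first dictionary word of >= min_len letters hidden inside any
    run of letters in pw (case-insensitive), or None if there is none."""
    for run in re.findall(r"[A-Za-z]+", pw):
        low = run.lower()
        for i in range(len(low)):
            for j in range(i + min_len, len(low) + 1):
                if low[i:j] in words:
                    return low[i:j]
    return None


def longest_same_class_run(pw: str) -> int:
    """Length of the longest run of consecutive characters from one group."""
    longest = run = 0
    prev = None
    for c in pw:
        k = char_class(c)
        run = run + 1 if k == prev else 1
        prev = k
        longest = max(longest, run)
    return longest


def check_policy(pw: str) -> List[str]:
    """Return every rule the password violates; an empty list means accepted."""
    problems = []
    if not 10 <= len(pw) <= 16:
        problems.append("length must be 10-16")
    missing = {UPPER, LOWER, DIGIT, SYMBOL} - {char_class(c) for c in pw}
    if missing:
        problems.append("missing classes: " + ",".join(sorted(missing)))
    if longest_same_class_run(pw) > 3:
        problems.append("more than 3 consecutive characters from one class")
    word = contains_dictionary_word(pw)
    if word:
        problems.append(f"contains dictionary word '{word}'")
    return problems
```

Note that "Password1$" from the reply below fails two of the rules (a 7-character lowercase run and the word "pass"), which is the point of the policy.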
"My dog shit on the left side of the road", "Obama is an animal, Michelle told us, he's good all night!", "I was in Montana once in my life, saw a really nice chick!", "The Republicans are serving donkey burgers out in the parking lot", "Tonight Hilary will take Bill on the stage, sit down on a chair and spank him on camera with a hairbrush!", "This summer I will get laid by 20 virgins, every one of them a 10" Of course, nobody would ever guess the last one.
Notice, the spaces in the password. This throws off a lot of people. The phrases are also very memorable. You may want to throw in some special characters, the date, stuff like that someplace. They would also likely not be broken anytime soon as long as you salt it with the special stuff. At least by brute force. The more creative the better. Some people take a traditional 8 char password they used to use and put it at the front or end.
Not me, Nobody would ever guess Password1$. Nobody!
Why, need a highly secure password? Could use sha512 on /var/log/messages, twice. Even once, heck, even an md5 hash of /var/log/secure. That'll make a 32 character password. Good luck breaking that. Good luck ever remembering it.
00000000 ?
or ********?
Star Trek transporters are just 3d printers.
That way, whenever I forget my password, I just type something random, to which the computer responds..."Your password is..."