
A Brief Sony Password Analysis

CmdrTaco posted more than 2 years ago | from the change-it-now-people dept.

Security 276

troyhunt writes "With all this [Sony] customer data now unfortunately out there for public viewing, I thought it would be interesting to do some analysis on password practices. There are some rather alarming (although not entirely surprising) findings including: 36% of passwords appear in a common password dictionary. 50% of passwords are 7 characters or less. 67% of accounts on both Sony and Gawker use the same password. 82% of passwords are lowercase alphanumeric of 9 characters or less. 99% of passwords don't contain a single non-alphanumeric character."
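The five figures in the summary are simple classifications over a leaked credential set. As an added example (not troyhunt's script or data), the block below recomputes the same statistics over a small constructed set of (email, password) records, including the "same password on both Sony and Gawker" figure matched on e-mail address; the records and the "common password" list are made up, and several sample passwords are ones mentioned later in this thread.

```python
"""Password-practice statistics of the kind quoted in the summary,
recomputed over constructed sample data. Added example: the records and
the common-password list below are made up, not leaked data."""
import string

# Constructed sample records: (email, password). Not real accounts.
SONY = [
    ("alice@example.com", "password"),
    ("bob@example.com", "Tr0ub4dor&3"),
    ("carol@example.com", "soccerfan"),
    ("dave@example.com", "123456"),
    ("erin@example.com", "jwTtsTbsR3"),
    ("frank@example.com", "qwerty"),
    ("grace@example.com", "football123"),
    ("heidi@example.com", "xq7pv2mz"),
]
GAWKER = [
    ("alice@example.com", "password"),
    ("bob@example.com", "Tr0ub4dor&3"),
    ("carol@example.com", "soccerfan2"),
    ("dave@example.com", "123456"),
    ("ivan@example.com", "letmein"),
    ("judy@example.com", "hunter2"),
]
# Constructed stand-in for a "common password dictionary".
COMMON = {"password", "123456", "qwerty", "letmein", "hunter2", "football"}

LOWER_ALNUM = set(string.ascii_lowercase + string.digits)
ALNUM = set(string.ascii_letters + string.digits)


def in_common_dictionary(pw, common=COMMON):
    """Exact, case-insensitive membership in the common-password list."""
    return pw.lower() in common


def is_short(pw, limit=7):
    """'7 characters or less'."""
    return len(pw) <= limit


def is_lower_alnum_short(pw, limit=9):
    """'lowercase alphanumeric of 9 characters or less'."""
    return len(pw) <= limit and set(pw) <= LOWER_ALNUM


def has_no_symbol(pw):
    """'does not contain a single non-alphanumeric character'."""
    return set(pw) <= ALNUM


def fraction(records, predicate):
    """Share of records whose password satisfies the predicate."""
    return sum(1 for _, pw in records if predicate(pw)) / len(records)


def reuse_rate(first, second):
    """Among accounts present in both data sets (matched on e-mail), the
    share whose passwords are identical: the reading of the '67% of
    accounts on both Sony and Gawker' figure discussed in the thread."""
    second_by_email = dict(second)
    shared = [(pw, second_by_email[email])
              for email, pw in first if email in second_by_email]
    if not shared:
        return 0.0
    return sum(1 for a, b in shared if a == b) / len(shared)


def summarize(records, other=None):
    """Return the summary's statistics as fractions in [0, 1]."""
    stats = {
        "in_common_dictionary": fraction(records, in_common_dictionary),
        "len_7_or_less": fraction(records, is_short),
        "lower_alnum_9_or_less": fraction(records, is_lower_alnum_short),
        "no_non_alnum": fraction(records, has_no_symbol),
    }
    if other is not None:
        stats["reused_on_both"] = reuse_rate(records, other)
    return stats


if __name__ == "__main__":
    for name, value in summarize(SONY, GAWKER).items():
        print(f"{name:24s} {value:6.1%}")
```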

276 comments

Is Sony now in the banking business? (1)

Anonymous Coward | more than 2 years ago | (#36349392)

Who cares? I don't waste good passwords on trivial online services.

Know what's important to protect and create passwords appropriately.

Re:Is Sony now in the banking business? (3, Insightful)

j00r0m4nc3r (959816) | more than 2 years ago | (#36349406)

I guess credit card data is not important to protect

Re:Is Sony now in the banking business? (2)

somersault (912633) | more than 2 years ago | (#36349456)

Bah! I don't waste good passwords on trivial things like money!

Re:Is Sony now in the banking business? (1)

Anonymous Coward | more than 2 years ago | (#36349576)

My /. account named Anonymous Coward is priceless, so it gets a special 30-character password.

Re:Is Sony now in the banking business? (1)

jhoegl (638955) | more than 2 years ago | (#36349614)

OP point is valid.
The only reason people know your Sony password isn't because your account at Sony was brute forced.
It's because Sony is lackadaisical in their patching and security efforts.
Seriously, no one brute forces anymore unless it is against an offline database that they downloaded from the site in question.

Re:Is Sony now in the banking business? (1)

dgatwood (11270) | more than 2 years ago | (#36349874)

My Facebook account got brute forced just a few months ago. It still happens.

Re:Is Sony now in the banking business? (1)

BrokenHalo (565198) | more than 2 years ago | (#36350122)

As a matter of interest, how can you be sure it was brute-forced rather than subjected to some other form of cracking, e.g. via dodgy cookies or some form of compromised admin access? I don't have (or want) a Facebook account, so I haven't heard whether or not Facebook offers a history of failed logins to users.

Re:Is Sony now in the banking business? (0)

Anonymous Coward | more than 2 years ago | (#36349488)

I guess credit card data is not important to protect

Wow, I didn't realize they were collecting credit card information for sweepstakes entries, which is the data that this article is analyzing.

Re:Is Sony now in the banking business? (0)

Anonymous Coward | more than 2 years ago | (#36349512)

You're right. How important is $50 to you?

Re:Is Sony now in the banking business? (1)

sangreal66 (740295) | more than 2 years ago | (#36349662)

You're not even liable for $50 if your credit card number is stolen. That number is the maximum liability if your physical card is stolen (and you report it such). You cannot be held liable for anything if the card remains in your possession. This is regulated in federal law (FCBA) and not subject to bank policies.

So no, it isn't that important for you to protect. That is a problem between the vendor and the bank.

Re:Is Sony now in the banking business? (1)

Big Smirk (692056) | more than 2 years ago | (#36349528)

If Sony had my credit card info, then that would make sense. They don't and based on recent history they are either not good enough at security, or too lucrative of a target, so they won't get identifiable information.

Quite frankly, I don't even know the user name I used.

It's just a game console to me.

Re:Is Sony now in the banking business? (2)

Lumpy (12016) | more than 2 years ago | (#36350012)

Only a fool gives their credit card to everything.

My Xbox Live account uses a simple password, and I'm not dumb enough to give them my credit card. I use their prepaid cards to keep their fingers out of my finances.

Re:Is Sony now in the banking business? (5, Insightful)

Anonymous Coward | more than 2 years ago | (#36349574)

This case underlines the futility of long passwords. Everyone's data was exposed no matter how strong they were.

It does however underline the importance of compartmentalisation. Don't reuse passwords between sites.

Re:Is Sony now in the banking business? (0)

Anonymous Coward | more than 2 years ago | (#36349640)

I could not agree more. My account had the longest hardest password ever known to man or alien - past, present and future. It didn't help.

Re:Is Sony now in the banking business? (0)

Anonymous Coward | more than 2 years ago | (#36350054)

Unless, of course, you don't care about the account.

I mean, who cares if your Gawker account, of all things, got cracked? OHNOES! So long as you don't use that same email/password combo for, say, your bank or email account (or these days, Facebook... FB accounts can be used to attack others, and so you're not so much protecting yourself as your friend network), then who really gives a shit?

ah geez. (0)

Anonymous Coward | more than 2 years ago | (#36349404)

ah geez. it's like being back in school. my best mate's password was "123".

Re:ah geez. (1)

xkuehn (2202854) | more than 2 years ago | (#36349644)

ah geez. it's like being back in school. my best mate's password was "123".

Ah, the memories. (The school's admin password was "access".)

not surprising (2, Insightful)

Anonymous Coward | more than 2 years ago | (#36349408)

it's a pretty big PITA to enter a secure password, or any complex non-alphanumeric mix of characters using an on-screen keyboard.

Re:not surprising (1)

chemicaldave (1776600) | more than 2 years ago | (#36349514)

it's a pretty big PITA to enter a secure password, or any complex non-alphanumeric mix of characters using an on-screen keyboard.

No, it's really not, especially when you consider that the PS3 will store the password. You should only have to enter it a few times over the lifetime of the unit, and even then, entering some non-alphanumeric chars doesn't make it any more difficult.

Re:not surprising (1)

Darfeld (1147131) | more than 2 years ago | (#36349682)

It's not difficult, it's annoying. And if you don't type it often, you'll forget it. And if you do type it often, it's even more annoying. And if you write the pwd down, it will be lost/stolen anyway...

Re:not surprising (1)

John Hasler (414242) | more than 2 years ago | (#36350088)

> And if you write the pwd down, it will be lost/stolen anyway...

Only if you are a fool, in which all is lost anyway.

Re:not surprising (2)

WuphonsReach (684551) | more than 2 years ago | (#36350150)

And if you write the pwd down, it will be lost/stolen anyway...

Do you also leave your wallet, credit cards or money lying around so that they get lost/stolen all the time?

Writing the password down is fine, as long as it gets stored in a safe place (safe deposit box, home safe, sealed envelope, even tucked in a wallet). The weakness is not that the password is written down, it's that it is not kept secure against the eyes of others. Like putting it on a sticky note attached to the monitor/keyboard.

Re:not surprising (0)

Anonymous Coward | more than 2 years ago | (#36349636)

OhRe@lly!? --- looks pretty secure to me.
**changes password**

Re:not surprising (1)

Anonymous Coward | more than 2 years ago | (#36349698)

This data is SonyPictures.com not PSN.

Morons! (0)

Anonymous Coward | more than 2 years ago | (#36349410)

Given that the average Joe has to remember a zillion passwords, what do you expect?

Re:Morons! (0)

Anonymous Coward | more than 2 years ago | (#36349810)

hunter2

As someone who probably fell into some of those (5, Interesting)

vawwyakr (1992390) | more than 2 years ago | (#36349424)

My sony account only held the minimal information and some of that not correct. The PW I used was my public throw away password that I only use on sites that require me to register when I just need it to use a basic service and not enter anything not already public knowledge. So I'm not going to burn a good PW or spend my time trying to memorize a new one to use for something I really wouldn't care if they cracked and couldn't use the same PW on a site for which I care about it being cracked.

Re:As someone who probably fell into some of those (5, Insightful)

Aladrin (926209) | more than 2 years ago | (#36349586)

For a situation such as yours, the website owner actually cares more than you do. If your password gets stolen from another site, the hackers will be able to log into your account on your other throw-away sites. This means they have a new spam account that -looks- like a legit account. That's quite valuable to spammers, and painful for admins.

Re:As someone who probably fell into some of those (2)

KidPix (1512501) | more than 2 years ago | (#36349598)

Yeah, I'd like to see a comparison of bank passwords to Sony/Gawker passwords.

Re:As someone who probably fell into some of those (1)

Rary (566291) | more than 2 years ago | (#36349768)

Yeah, I'd like to see a comparison of bank passwords to Sony/Gawker passwords.

I don't have a Sony or Gawker password, but I can tell you that my Slashdot password is more secure than my bank password. However, that's not by my choice. The credit union I use has this pathetic system that requires passwords to be exactly 7 characters and ONLY numeric. Very annoying.

Re:As someone who probably fell into some of those (0)

Anonymous Coward | more than 2 years ago | (#36350030)

So like a PIN then? If the ATM or website or whatever locks you out after 5 attempts then it doesn't make much difference. My online banking uses a 12 digit PIN, but it records your browser and asks for a separate password if you use a new one / try to log in from a different country.

Best password practices (2)

mangu (126918) | more than 2 years ago | (#36349428)

I don't think very long passwords are necessary.

My own practices:

No dictionary words, only a string of random letters
No change, memorize and keep the same password forever

I use the same password for all internet sites, slashdot, reddit, throwaway emails, etc. Another one for all my computers, at home and at work. A third one is for my bank account only.

Re:Best password practices (1)

somersault (912633) | more than 2 years ago | (#36349504)

I don't change mine all that often either, and similarly have different levels of passwords.

What do you mean by "very long"? I think something like 8 or 9 characters minimum is probably necessary to avoid rainbow table cracking these days.

I've taken to slightly modifying my password depending on which site I am using. It helps to lengthen the password but in an easy to remember way, even though my basic password is already above the length that should be easily crackable.

Keeping the same password forever does leave you susceptible to things like hardware keyloggers, and websites storing your passwords in cleartext (like Slashdot apparently does) though.

Re:Best password practices (0)

Anonymous Coward | more than 2 years ago | (#36349516)

I use the same password for all internet sites, slashdot, reddit, throwaway emails, etc.

Soooh...do you have a Sony account by any chance...?

Re:Best password practices (2, Interesting)

Anonymous Coward | more than 2 years ago | (#36349520)

I do somewhat of the same. My letters aren't random though. I typically have a phrase that I remember such as:

jack went to the store to buy some rice.

That would become jwttstbsr

Then append a number n (in this example we'll say n = 3)

Every nth letter in the original sequence becomes uppercase.

So then we get jwTtsTbsR3

Finally, append a single letter suffix designating what it's for. C for computer passwords, F for financial, S for social networking, E for email, W for general websites, etc.

I tend to change which password I'm using every now and then and this lets me keep track of it without having to write anything down (which I'd inevitably have to do for a COMPLETELY random sequence).

Re:Best password practices (1)

jovius (974690) | more than 2 years ago | (#36349546)

i use something like 's0m3t#1nG'

Re:Best password practices (1)

JaredOfEuropa (526365) | more than 2 years ago | (#36349656)

Decent dictionary attack software already accounts for the more obvious substitutions like i/!, o/0, l/1, e/3, a/4 etc. I tend to use passwords that can be pronounced but aren't actual words.

But even with a completely random password, you're still screwed if Sony makes the unbelievable and inexcusable mistake of storing them in plaintext. Hell, even the PHP for Beginners book on my shelf explains one-way encryption for passwords to online services.

Re:Best password practices (2)

Danny Rathjens (8471) | more than 2 years ago | (#36349970)

I don't know why people think that "leet-ifying" a word makes it a better password. Leetspeak modifications of dictionary words are one of the first variations that password cracking software tries after straight dictionary words.

Re:Best password practices (0)

Anonymous Coward | more than 2 years ago | (#36349794)

I'm sorry, did you miss this article?

http://it.slashdot.org/story/11/06/05/2028256/Cheap-GPUs-Rendering-Strong-Passwords-Useless

What you describe is not good practice. My own passwords are usually 10-12 characters long, alphanumeric and symbolic, do not contain words or phrases, and never get repeated. I have a 'base' password I use for all 'throw away' accounts, but the password is not exactly duplicated (some of the numbers and symbols are changed) and although I don't change them regularly they get changed around once a year, or sooner if I feel the account may have been compromised. My IMPORTANT passwords are 12-16 characters in length and not related to my throw away passwords.....

Re:Best password practices (1)

angel'o'sphere (80593) | more than 2 years ago | (#36350020)

But you do know that Slashdot, e.g., does not transfer your password encrypted but in plain text? So everyone listening to your connection can read it? I would at least distinguish between https and non-https accounts.

Re:Best password practices (1)

DigiShaman (671371) | more than 2 years ago | (#36350032)

Security through Obscurity plays a part in the overall scheme of things. Not by itself, but a part. That said, unless you use different user names, you shouldn't be telling everyone that you use the same password for all those sites. There are several potential implications that could render partial to complete ID theft.

Does it really matter? (0)

Anonymous Coward | more than 2 years ago | (#36349472)

http://it.slashdot.org/story/11/06/05/2028256/Cheap-GPUs-Rendering-Strong-Passwords-Useless

Phew (0)

Anonymous Coward | more than 2 years ago | (#36349476)

I'm not in it.

Is *$#~! allowed? (1)

Captain Centropyge (1245886) | more than 2 years ago | (#36349500)

It doesn't help when some sites don't even allow non-alphanumeric passwords. Besides... when Sony stores them in plain text, what does it matter what your password is?

lowercase (5, Insightful)

Njovich (553857) | more than 2 years ago | (#36349506)

'82% of passwords are lowercase alphanumeric of 9 characters or less.'

So what about lowercase? As long as it's random-ish, it's fine. Good luck brute forcing a 9 character lowercase alphanumeric password... Capitals are overrated anyway, if asked to include an uppercase character, in my experience most people will use exactly 1 uppercase character. So, given a password with length 8, it's only 8 times as many possibilities you would check. However, it is still an extra keypress, so if you went for an extra character it would be a lot more effective. Then there is the point that on many phones it's a nuisance to type capital letters, then there is a problem of readability of for instance I (upper i), or l (lower L). Also, when speaking out a password it is annoying. Then, at least for me, it is hard to remember the location of the capital letters.

Re:lowercase (2)

chemicaldave (1776600) | more than 2 years ago | (#36349560)

The point is that it's easier to guess a password when you know it only has 36 possible characters, as opposed to 62.

Re:lowercase (2)

Kjella (173770) | more than 2 years ago | (#36349734)

Apple23
aPple23
apPle23
appLe23
applE23

= about 5 times as difficult. The point is that people don't use combinations like ApPLe23; capitalizing one letter because you must isn't exactly a huge gain. Particularly since most people will capitalize the first, since it's easiest. I do stick to alphanumeric passwords though, everything else always generates so much crap with character sets, keyboard layout etc.

Re:lowercase (1)

stewbee (1019450) | more than 2 years ago | (#36349618)

In a way I agree with you, but let's just look at the numbers. A password of n characters long of only lower case letters (in English) is 26^n possible combinations. Adding upper case then gives 52^n combinations. If you were a code cracker, and knew in advance that most people only used lower case letters, then why waste your time with upper case letters? Your code cracking program would take longer allowing for upper case letters. It's a matter of low hanging fruit; a non-capitalized password cracker will give you a reasonable success rate in a shorter time than allowing for capitals.

Re:lowercase (0)

Anonymous Coward | more than 2 years ago | (#36349996)

Yeah so your 52^n-combinations password takes on average n/2 extra key presses to type. He's saying that spending those keypresses on more lowercase letters is better. 26^(n+n/2) > 52^n.

Re:lowercase (-1)

Anonymous Coward | more than 2 years ago | (#36349654)

Yes, only 8 times more. Tell you what, if it's so trivial, why don't you put in 8 times more hours at work this week.

Re:lowercase (1)

Rary (566291) | more than 2 years ago | (#36349726)

Also, when speaking out a password it is annoying. Then, at least for me, it is hard to remember the location of the capital letters.

For starters, you shouldn't be speaking out a password, unless it's the password to something really trivial and low security, in which case go ahead and use a simple all lowercase password. As for remembering the location of the capital letters, use a simple pattern.

For example, if you take the word "password", replace a couple letters with numbers, such as "p4ssw0rd", and then just hold down the SHIFT key for every second character, you get "p$sSw)rD", which is many times more secure, and simple to memorize, because you're not memorizing the actual password, just the pattern used to type it.

The point about how difficult it is to type these passwords on a phone, however, is absolutely valid. Even worse is when I have to type my fairly secure wi-fi password on my Kobo. Painful.

Re:lowercase (0)

Anonymous Coward | more than 2 years ago | (#36350100)

26^8=208,827,064,576

(26*2)^8=53,459,728,531,456

so adding caps makes it 256 times as hard to crack in principle.

Re:lowercase (1)

tchernobog (752560) | more than 2 years ago | (#36350120)

Actually, it's not exactly true if you are brute-forcing. If you have a nine-character-long password, of which exactly one letter is uppercase (assuming you can determine that), you would have 8 lowercase letters (26^8) * 26*9 possibilities (because the uppercase letter can appear in 9 different places), so that would make it 9 times the time required to bruteforce an all-lowercase password. That's why they recommend you to use digits, special characters and uppercase letters; they DO increase a LOT the amount of work needed to break a password. If you do not know if there *is* an uppercase letter (0 or 1 uppercase letters), that makes it 18 times harder (26^8 * 52*9).
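The posts above argue about keyspace sizes by hand (26^8 versus 52^8, "only 8 times as many" for exactly one capital, 26^(n+n/2) versus 52^n). As an added example, not written by any poster, the block below counts the candidate strings under each policy directly with `math.comb`, for a letters-only alphabet as the posts assume, and works out how many extra lowercase characters match the gain from mixed case.

```python
"""Keyspace arithmetic for the password-policy arguments in this thread.
Added example (not any poster's code): it counts candidate strings under
each policy, which is an upper bound on the guessing work for an attacker
who knows the policy, and assumes a 26-letter alphabet with no digits or
symbols, as the posts above do."""
import math

LOWER = 26   # a-z
MIXED = 52   # a-z plus A-Z


def keyspace(alphabet_size, length):
    """Number of strings of `length` over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def exactly_k_uppercase(length, k):
    """Letter-only passwords of `length` with exactly k uppercase positions:
    choose which positions are uppercase; every position still has 26 letters."""
    return math.comb(length, k) * LOWER ** length


def at_most_k_uppercase(length, k):
    """Letter-only passwords with 0..k uppercase positions (summed per count)."""
    return sum(exactly_k_uppercase(length, i) for i in range(k + 1))


def ratio(numerator, denominator):
    """Work multiplier of one policy relative to another."""
    return numerator / denominator


def extra_lowercase_equivalent(length):
    """Smallest m such that 26^(length+m) >= 52^length, i.e. how many extra
    lowercase characters at least match the gain from switching to mixed case."""
    target = keyspace(MIXED, length)
    m = 0
    while keyspace(LOWER, length + m) < target:
        m += 1
    return m


def report(length=8):
    """Collect the figures argued about in the thread for one password length."""
    lower = keyspace(LOWER, length)
    return {
        "all_lower": lower,
        "mixed_case": keyspace(MIXED, length),
        "mixed_over_lower": ratio(keyspace(MIXED, length), lower),
        "exactly_one_upper_over_lower": ratio(exactly_k_uppercase(length, 1), lower),
        "zero_or_one_upper_over_lower": ratio(at_most_k_uppercase(length, 1), lower),
        "extra_lowercase_chars_to_match_mixed": extra_lowercase_equivalent(length),
    }


if __name__ == "__main__":
    for length in (8, 9):
        print(f"length {length}:")
        for name, value in report(length).items():
            print(f"  {name:38s} {value:,}")
```

Tallied position by position, the zero-or-one-uppercase case at length 9 comes out as 26^9 + 9*26^9 = 10*26^9, and two extra lowercase characters already exceed the keyspace of making an 8-character password mixed case.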

Silly users? (0)

Anonymous Coward | more than 2 years ago | (#36349508)

Like your password entropy makes any difference when it's stored in plaintext. Even if 80% of sites hash passwords, chances are it's the other 20% that'll be vulnerable to SQLi. Given the current state of security, minimising password re-use is the only useful thing you can do.

And 100%... (0)

Anonymous Coward | more than 2 years ago | (#36349524)

And 100% are not hashed and salted.

Password Requirements Are Inconsistent (4, Insightful)

Anonymous Coward | more than 2 years ago | (#36349578)

The whole point of a password is to have something you can memorize (without writing it down) as a security precaution. The problem is that different websites have different password requirements. For example, one website might require at least 8 characters in your password with at least one numeric and one non-alphanumeric character. But then another website might require at least 6 characters (alphanumeric), but DOES NOT ALLOW non-alphanumeric characters. So now you have two different passwords to remember. On top of that, it is recommended that you have a different password for each account. I don't know about you, but I have probably 100 accounts to various websites, games, etc - and there's no way I could memorize that many different passwords containing a mixture of alphanumeric and non-alphanumeric characters.

not to bad actually (-1)

Anonymous Coward | more than 2 years ago | (#36349580)

After all, we are talking about people who are still willingly customers of a company that has shown nothing but contempt for its customers for years.

Very few words are bad passwords. (0)

Anonymous Coward | more than 2 years ago | (#36349584)

I strongly believe that very few words are bad passwords. Sure, using "password" is bad. As is "qwerty". But something like "football123" is fine. Or "soccerfan" - that'd be fine too. But *only* as long as there is decent bruteforce protection. 3 password attempts and a 5-15 minute lockout. Annoyingly, few websites use this policy.
An issue is, however, hash security. But salts help with that.

Other Common Mistakes (-1)

Anonymous Coward | more than 2 years ago | (#36349596)

Additionally . . .
47% of passwords used English letters
Fewer than E% used non-decimal numbers
95% of users neglect to use double-punch characters
And, most shockingly, over 99% of passwords are not dead locked, leaving them susceptible to infiltration via sonic technology.

Re:Other Common Mistakes (2)

Yvan256 (722131) | more than 2 years ago | (#36349728)

And, most shockingly, over 99% of passwords are not dead locked, leaving them susceptible to infiltration via sonic technology.

Stop screwing around.

My Best Practices (3, Interesting)

gregarican (694358) | more than 2 years ago | (#36349612)

For my passwords I use the keys one-up-and-to-the-right of the "dictionary style" password I have. For example, for password this would come out as -wee305r, making it harder to brute force. Of course if the passwords are all stored plain text by some incompetents what's the point?!

Re:My Best Practices (1)

jawtheshark (198669) | more than 2 years ago | (#36349688)

That works as long as you only have to deal with a US-layout keyboard. I have to cope with a multitude of different keyboard layouts. The one I'm typing this on (which is not the one I normally use) would render password like ")éeeà(r".

Re:My Best Practices (1)

gregarican (694358) | more than 2 years ago | (#36349770)

Good point. And my US keyboards render the passwords a lot differently than the time I am trying to enter in my password from my iPhone/iPad...and since I don't always memorize the jumbled version I sometimes get a brain cramp :)

Whats the point .. (2)

Idimmu Xul (204345) | more than 2 years ago | (#36349628)

of having 100 alphanumeric+special character long passwords when websites just give up the password lists with the magical words 'sql injection'?

Unique passwords at least ensure that once a website you frequent is compromised you don't get further screwed over...

Typing in a password... (-1)

Anonymous Coward | more than 2 years ago | (#36349638)

...with a PS3 controller would make anyone choose something simple. I don't think this is a good indication of real-world password practices.

non-alphanumeric characters (1)

pb186 (1114937) | more than 2 years ago | (#36349642)

"99% of passwords don't contain a single non-alphanumeric character." Many sites out there don't allow non-alphanumeric passwords. Most bank login pages I've seen are this way. It's really infuriating that a page whose security is of the utmost importance doesn't allow very secure passwords. Since a lot of people reuse passwords this statistic makes sense.

Huh? (1)

iluvcapra (782887) | more than 2 years ago | (#36349646)

67% of accounts on both Sony and Gawker use the same password.

Without a map of Sony accounts to Gawker accounts I don't know what this means... I take it to mean "The cardinality of the set that is the union of password sets from Sony and Gawker is 67% of the cardinality of the set of Sony passwords."

Re:Huh? (2)

Jim Hall (2985) | more than 2 years ago | (#36349802)

67% of accounts on both Sony and Gawker use the same password.

Without a map of Sony accounts to Gawker accounts I don't know what this means... I take it to mean "The cardinality of the set that is the union of password sets from Sony and Gawker is 67% of the cardinality of the set of Sony passwords."

IIRC, Gawker had their username/password database stolen a year or so ago? I read the "67%" as: for accounts on both Gawker and Sony, where the email address matched up, 67% of the passwords were also the same.

That is, 2/3 of the people who had accounts on both Gawker and Sony were using the same password, not a different one.

Bad passwords are not always the user's fault. (4, Insightful)

mcmonkey (96054) | more than 2 years ago | (#36349652)

The issue is I have, at last count, 13 systems with separate passwords. There's a network account, elevated privileges account for server admin, HR systems, online learning systems, expenses system, which is not the same as the travel booking system, etc.

With the company's computer, I can't just install any software I want, so one of the password tracking programs is not an option. So I use the same password for all 13 systems.

So the next issue, not all those systems have the same password requirements. There is one system which does not allow the use of special characters. So while my password always has lower case, upper case, and numeric, I'm always going to be in that 99% with no non-alphanumeric characters. Oh, and I think the max characters limit is around 12.

Of course, writing down passwords is such a bad practice. But there's no way I can afford to burn the cycles to memorize 13 new passwords every 90 days, so I use the same password for all work systems. The same bad password.

Re:Bad passwords are not always the user's fault. (1)

Idimmu Xul (204345) | more than 2 years ago | (#36349704)

you could use a password management tool like keepassx to remember them for you

Re:Bad passwords are not always the user's fault. (1)

Anonymous Coward | more than 2 years ago | (#36349844)

What part of "With the company's computer, I can't just install any software I want, so one of the password tracking programs is not an option" did you not understand?

Re:Bad passwords are not always the user's fault. (1)

mcmonkey (96054) | more than 2 years ago | (#36349866)

Except I can't install any software I want on the company's computer. You know, for security!

Re:Bad passwords are not always the user's fault. (0)

Anonymous Coward | more than 2 years ago | (#36349884)

You have the reading comprehension skills of a small child.

With the company's computer, I can't just install any software I want, so one of the password tracking programs is not an option. So I use the same password for all 13 systems.

Re:Bad passwords are not always the user's fault. (5, Insightful)

KMitchell (223623) | more than 2 years ago | (#36349828)

Of course, writing down passwords is such a bad practice. But there's no way I can afford to burn the cycles to memorize 13 new passwords every 90 days, so I use the same password for all work systems. The same bad password.

Nothing inherently wrong with writing down passwords. You move from "something you know" to "something you have". As long as you properly secure "what you have", it's still decent single-factor authentication. Just write your passwords on a $100 bill, and you're fine.

Re:Bad passwords are not always the user's fault. (2)

Mr_Plattz (1589701) | more than 2 years ago | (#36349842)

Agreed!

I've recently invested time and changed *all* my online passwords. Everything stored inside KeePass with random very strong passwords. Even comparing with the 'core' sites such as Facebook, Twitter, eBay, PayPal, Gmail --- *ALL* of them have different requirements which I think is unacceptable. Some enforce 14 chars but don't accept alpha-characters while others cap at 20. One big kudos is Facebook was the best and accepted 256 random characters.

So yes, *we* need to agree on the minimum standard that all passwords can be. I will propose 20 chars, allowing all upper/lowercase alphanumerics and non-alphanumerics.

Yes, I appreciate security isn't just as simple as allowing 256 random chars, but as the above posters suggested, *WE* (customers) should at least be able to expect a certain level of standards.

Re:Bad passwords are not always the user's fault. (1)

benob (1390801) | more than 2 years ago | (#36349930)

How about using a common random prefix followed by a phrase unique to that system? Like:

Xhk645k_networkaccount
Xhk645k_elevatedprivileges
Xhk645k_hrsystems ...

You only have to remember the random prefix, the second part being much easier to remember.

To security experts: would that be secure enough?

Re:Bad passwords are not always the user's fault. (1)

eulernet (1132389) | more than 2 years ago | (#36350168)

At my job, the policy was to change passwords every month.

The guy explaining how to be able to keep memorizing the passwords gave us the following trick:

use your normal password as a prefix
then as suffix, add a counter, like 00, 01, 02, etc...
The idea is to increment the counter when the password expires.

After a few months, the management got upset about this policy, and we have now had the same password for 2 years.

what did you expect (0)

Anonymous Coward | more than 2 years ago | (#36349696)

asking the user for or generating a passWORD is the beginning of the problem

call this authentication method something else in your application/gui and you might see a change in user behavior

Re:what did you expect (1)

smitty97 (995791) | more than 2 years ago | (#36350024)

exactly. call it a PIN and you'll get 4 numbers. and most people will use their REAL bank pin on shadystealyourinfosite.biz just so they remember it

Go figure... (0)

Anonymous Coward | more than 2 years ago | (#36349716)

...people who have to remember passwords for access to accounts at work, to pay their bills at home, to access their e-mail, to buy something online, to visit almost any service providing website... would rather make it something they can actually remember. In other news, smoking isn't healthy for you.

I found it impossible to remember. (0)

Anonymous Coward | more than 2 years ago | (#36349720)

I find the writings of security professionals, who imply that anyone who doesn't have secure passwords, change them frequently and not write them down is a fool, and who expect me to be able to remember all that for every site I go to, quite offensive. I doubt if even THEY can do that! I had to create a way to do it that's not fully dependent on memory.

Sure, I could do one or two secure passwords, but when every site you sign up for requires a password for the most trivial things, it becomes impossible.

Can't write it down, oh no, can't use it more than a month, having to change it to something else? Forget it! Literally!

So then you have to do a reset every time you visit the site. What a PITA!!!

So how do you do this?

You make a password based on an algorithm that you create, where your password is based on some password you CAN remember, which is based on the month: something you do with the word of the month for this base password. Then you add some numbers or characters based on the name of the site or some other site-based value you make up, so that it's unique and you can figure it out, instead of having to remember the impossible.

That for me has been the ONLY way I can have a secure password that follows best security practices and isn't so hard to remember I can't use it.

Why are you still memorising passwords?! (1)

Astatine (179864) | more than 2 years ago | (#36349756)

Passwords short enough to memorise are now short enough to crack in many cases. See recent article about hash reversal with GPUs.

Use a password safe. Just search -- there are lots around. I use KeePassX (small, cross-platform -- Windows, GNU/Linux, Mac, Android, no install required on Windows). It'll make strong passwords for you and save them in a tiny encrypted file you can copy to all your devices, with a couple of clicks. The only passwords you'll need to remember are your local login password and the password to the safe.

Life is better without having my web accounts chain-hacked or having to clutter my brain remembering a bazillion passwords...

nice (0)

Anonymous Coward | more than 2 years ago | (#36349798)

wow i'm in the 1%, nice

Strong Password Necessity? (3, Insightful)

dmatos (232892) | more than 2 years ago | (#36349808)

Here's how I look at it:

My PSN account is used purely for entertainment. It is not linked to a credit card. I have made one PSN purchase on my credit card. My credit card company offers fraud protection.

Why should I have a 26-character long UTF-8 password that I'm never going to remember? It's about as useful as having a strong password on the hotmail account I use to sign up to websites. Huge pain in the ass, negligible benefit.

My banking site, my PayPal account, my Canada Revenue Agency account - these are the places that I bother to use strong passwords. Elsewhere, I don't care that much.

Would you trust your "good" passwords to Sony? (1)

leonbev (111395) | more than 2 years ago | (#36349824)

Knowing Sony's recent track record with system security, I wouldn't bother using one of my "good" passwords at one of their sites anyway. If there is a good chance that some hacker is going to get a hold of their password file and post it on the Internet, it might as well be "password" or "abc123". I sure as hell wouldn't use the same password that I use for my bank or my e-mail, anyway.

Non-alphanumeric characters (0)

lostdistance (1560065) | more than 2 years ago | (#36349966)

I used to include non-alphanumeric characters in my passwords until the following incident occurred.

I created a new account at some website. My randomly generated password consisted of alphanumeric and non-alphanumeric characters.

Some time later I returned to log in to the website. It rejected my password. I tried several times, but with the same result.

Then I looked at my password. One of the characters was a '#'. No, surely it can't be what I'm thinking. So I entered the password up to but not including the '#' character. Yes, password accepted; the stupid website had interpreted the '#' as the start of a comment.
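The failure above is a data-handling bug on the site's side, not a user error: a secret was passed through a parser that treats `#` as a comment marker, so it was truncated at save time and the full password could never match again. The following added example (not the code of any real site) reproduces that behaviour with an assumed one-entry-per-line `user=password` store and shows the fixed parser next to it; plaintext storage is used only to isolate the parsing bug.

```python
"""
Reproduces the failure described above: a config-style credential store
where '#' begins a comment, so a password containing '#' is silently
truncated at save time and the full password is later rejected. Added
example, not the code of any real site; the line format (one "user=password"
entry per line, comment lines starting with '#') is assumed, and plaintext
storage is used only to isolate the parsing bug.
"""
import hmac
from typing import Callable, Dict

# constructed store: alice chose a password with a '#' in it
CONSTRUCTED_STORE = """\
# users and passwords (constructed sample)
alice=Tq7#mZ9!pL
bob=plain12345
"""


def parse_naive(text: str) -> Dict[str, str]:
    """Buggy parser: cuts every line at the first '#', even inside a value."""
    creds = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        user, _, password = line.partition("=")
        creds[user.strip()] = password
    return creds


def parse_fixed(text: str) -> Dict[str, str]:
    """Fixed parser: a line is a comment only if its first non-blank
    character is '#'; the value after '=' is taken verbatim."""
    creds = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        user, sep, password = line.partition("=")
        if not sep:
            raise ValueError(f"malformed entry: {line!r}")
        creds[user.strip()] = password
    return creds


def login_ok(creds: Dict[str, str], user: str, supplied: str) -> bool:
    """Constant-time comparison against the stored value."""
    stored = creds.get(user)
    return stored is not None and hmac.compare_digest(stored, supplied)


def round_trips(parser: Callable[[str], Dict[str, str]], user: str, password: str) -> bool:
    """Self-check for a store format: write one entry, parse it back, compare.
    Run this with every character class your password policy allows."""
    return parser(f"{user}={password}\n").get(user) == password


if __name__ == "__main__":
    for name, parser in (("naive", parse_naive), ("fixed", parse_fixed)):
        creds = parser(CONSTRUCTED_STORE)
        print(name, "stored for alice:", creds["alice"],
              "| full password accepted:", login_ok(creds, "alice", "Tq7#mZ9!pL"),
              "| truncated password accepted:", login_ok(creds, "alice", "Tq7"))
```

The `round_trips` check is the test a site should have had: if a password policy advertises that punctuation is allowed, the storage path must be exercised with punctuation before shipping, otherwise users who follow the advice are the ones locked out.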

It's all too much (1)

Bardwick (696376) | more than 2 years ago | (#36349968)

I would like to see a poll on how many accounts people have. The mid- to upper-level geek will use password management software, but for 90% of the sheep out there.... I can think of 14 accounts of credentials I have now. I've resorted to putting in some random password that meets the requirements, then hitting the "forgot password" whenever the cookie expires...

Bye bye password (0)

Anonymous Coward | more than 2 years ago | (#36349976)

With all these bad password practices obviously happening everywhere, and the growing power of parallel processing (via GPUs), rainbow table lookups, etc., it seems that the standard username and password as authentication may be coming to an end. Anyone agree?
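Whether GPU cracking and rainbow tables make a leaked password file "game over" depends as much on how the site stored the passwords as on the passwords themselves, which is the point behind this post and the earlier one about hash reversal with GPUs. The added example below (not code from Sony, whose storage scheme the thread does not know) contrasts an unsalted fast hash, where every user with the same password shares one digest that a single precomputed table entry covers, with a per-user salt and a slow key derivation function, where each record is unique and must be computed from scratch at the chosen cost.

```python
"""
Illustrates why the storage scheme, not only the password, decides whether
a leaked password file is "game over": an unsalted fast hash maps equal
passwords to equal digests (one lookup-table hit covers every user with that
password), while a per-user salt and a slow KDF give each record a unique
digest that must be recomputed at full cost. Added example; it assumes
nothing about how Sony actually stored passwords.
"""
import hashlib
import hmac
import os
from typing import Callable, Iterable

KDF_ITERATIONS = 200_000  # raise over time as hardware gets faster


def unsalted_sha1(password: str) -> str:
    """The weak scheme: deterministic, fast, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = KDF_ITERATIONS) -> str:
    """Hardened scheme: random 16-byte salt, PBKDF2-HMAC-SHA256, and a
    self-describing record so the cost can be raised later without
    invalidating old entries."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_record(record: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so the check itself leaks nothing."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def duplicate_digests(hasher: Callable[[str], str], passwords: Iterable[str]) -> int:
    """Count stored values that collide when several users pick the same
    password. With the unsalted hash every repeat shares a digest, so one
    table lookup exposes all of them; with salted records the count is 0."""
    digests = [hasher(pw) for pw in passwords]
    return len(digests) - len(set(digests))


if __name__ == "__main__":
    # constructed sample: three users picked the same password
    sample = ["password", "password", "abc123", "password"]
    print("unsalted sha1 collisions:", duplicate_digests(unsalted_sha1, sample))
    print("salted pbkdf2 collisions:", duplicate_digests(make_record, sample))
    rec = make_record("correct horse")
    print("verify correct:", verify_record(rec, "correct horse"))
    print("verify wrong:  ", verify_record(rec, "correct horsf"))
```

The salt removes the benefit of precomputation (a table would have to be built per salt), and the iteration count sets how much work each guess costs on the attacker's GPU as well as on the login server, which is the lever the site controls no matter how short the users' passwords are.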

Here's the Thing (2)

wbav (223901) | more than 2 years ago | (#36350022)

Sit down and think of the number of sites/services/etc. that you access each week.

Pretend for a second your browser doesn't remember a single one of them.

I came up with 34 different sites. 34 different systems with their own rules, regulations and security questions. Some sites only allow alphanumeric, some require the alphabet to be limited to what shows up on a touch tone phone. Others require passwords to change every 30 days with no repeats of the last 5 passwords.

At 9 characters apiece, that would be a string of 306 characters. Hell, I'm lucky if I remember my wife's birthday and our anniversary. And those are much more important to me than my Slashdot password.

My point is, the current system is BS. Too many sites require logins so they can advertise to you. I don't want your ads, they go directly into the trash. I'd advocate for a single ID across these systems, but the issue is if that's violated everything goes to hell just as fast as if you had the same password for each site. So what to do? Reuse a password that is reasonably secure and risk it across multiple sites? Or do I follow perfect security and ensure no one can get in, including me?

And don't get me started on security questions. If I can't remember the damn password, what hope do I have to remember the question I used?

The real security (1)

wye43 (769759) | more than 2 years ago | (#36350098)

Any non-retarded system will not allow more than a few login attempts. Any password longer than 3-4 characters doesn't offer any real protection, only psychological comfort.

If someone got hold of the password hash, it's game over; it doesn't matter if it's a week or 2 months to crack it.

We need to get our collective heads out of the sand and triage the REAL security values!