Slashdot: News for Nerds

The Science of Password Selection

timothy posted about 3 years ago | from the insert-horror-stories-here dept.

Security 340

troyhunt writes "We all know by now that most people do a pretty poor job of choosing passwords, but what's behind the selection process? What's the inspiration for choosing those short, simple passwords that so often adhere to such predictable patterns? It turns out there's a handful of classic routes that people follow to consistently arrive at the same poor choices – and some of them are pretty shocking."


340 comments

What's the inspiration..? (2)

101010_or_0x2A (1001372) | about 3 years ago | (#36805864)

What's the inspiration for choosing short, simple passwords? They are short and simple, so you don't forget them. Similar reason to using the same password for a variety of different purposes. For bank accounts, use the strongest possible password, and don't write it on a sticky note. For Facebook, use "asdf1234" and don't put *any* important information on there.

Re:What's the inspiration..? (2)

John Hasler (414242) | about 3 years ago | (#36806332)

> What's the inspiration for choosing short, simple passwords?

The execrable admonition to never write down a password.

TL; DR (2)

WrongSizeGlass (838941) | about 3 years ago | (#36805890)

That article is way too long. Here's my observation: People pick passwords that are easy to remember, easy to type and/or something they think is clever.

The problem with passwords is that if they are too complex people can't remember them or write them down in plain sight. Pass phrases can be very effective, easy to type and don't rely on the cleverness of people who can't remember 10 random letters, numbers and special characters.

Re:TL; DR (1)

Anonymous Coward | about 3 years ago | (#36806082)

Pass phrases need to be drilled into people's heads. The average person can easily come up with a memorable 30+ character quotation segment. But they never even think to try. Shortened passwords are all they've seen anyone use. So instead they make up another "HerpDerp311" or "DerpHerp022".

Re:TL; DR (1)

Bengie (1121981) | about 3 years ago | (#36806702)

That and many websites have limits on password lengths and which chars you can use. I think they do this because they don't use hashing and/or they don't use parameterized inputs.

Re:TL; DR (4, Insightful)

fish waffle (179067) | about 3 years ago | (#36806086)

The problem with passwords is that if they are too complex..

Partly. There are also too damned many of them. Every pissant site seems to require a login/passwd, it's best to keep them all distinct, and the difficulty of remembering all these passwords is in a continuum with their complexity.

Re:TL; DR (1)

nine-times (778537) | about 3 years ago | (#36807156)

Yup. I think we really need to knuckle down and come up with a good universal-authentication scheme, maybe based on private-key encryption. It's not just a problem that people have so many passwords that they struggle to remember several strong ones, but one of the solutions that people employ is to reuse the same password for everything. Password reuse is a huge security flaw.

It's important to remember that security isn't much stronger than the weakest link. If you use the same password for everything, and then a single service gets compromised, then everything is compromised. You use the same password for PSN, Gmail, and your bank? Well the Playstation network got hacked, and now those hackers have your bank password. What fun!

Re:TL; DR (1)

c0lo (1497653) | about 3 years ago | (#36806088)

That article is way too long. Here's my observation: People pick passwords that are easy to remember, easy to type and/or something they think is clever.

Last chart of the article reveals that 69% of the people are actually dumb in regards to picking their password.

Re:TL; DR (1)

adamofgreyskull (640712) | about 3 years ago | (#36806252)

You placed emphasis on the wrong part of the quote.

That article is way too long. Here's my observation: People pick passwords that are easy to remember, easy to type and/or something they think is clever.

FTFY E.g. 6969 is not a clever password, but someone may think it is.

Re:TL; DR (0)

starkat2k (2353628) | about 3 years ago | (#36806156)

"You smell like black, tarry donkey poo!" (including the quotes) is both long, and easy to remember.

Re:TL; DR (1)

Abstrackt (609015) | about 3 years ago | (#36806810)

I used to use "you fight like a dairy farmer".

Re:TL; DR (0)

Anonymous Coward | about 3 years ago | (#36806356)

I followed your advice and I came up with a new password set for the websites I visit.

Slashdot, Gawker pwd: "this is my junk password" (verbatim)
Google, Facebook pwd: "this is my normal password"
Bank, Paypal pwd: "this is my secure password"

Wow, my passwords are so very easy to remember now! I shall pass your advice on. <3!

Re:TL; DR (0)

Anonymous Coward | about 3 years ago | (#36806426)

Personally I use a script that takes bytes of /dev/urandom(*) piped to uuencode -m and then the script does a little magic with sed. The script then presents me with a screen full of password choices.

End result: I only know about 5 of my passwords. The rest are sealed in a vault protected by AES256 and a memorized random password that has more than 90 bits of entropy.

* = Yeah, yeah I know it would be better if I used /dev/random.

Re:TL; DR (1)

deadmongoose (1246538) | about 3 years ago | (#36806778)

That article is way too long. Here's my observation: People pick passwords that are easy to remember, easy to type and/or something they think is clever.

I make passwords I think are clever. While using a standard keyboard layout I type my password as if I'm using the Dvorak keyboard, the result is a seemingly random set of letters. I'm not sure how many people do this, but I would think it's not a process used by too many people.

And when you get to the end... (1)

bmo (77928) | about 3 years ago | (#36805900)

But the intention of this post was always to identify how people are presently choosing their passwords and we have good insight into that now. Of course the next question is "how should people be choosing passwords"? The answer to this is simple: The only secure password is the one you can't remember.

This is why, when you have a password policy from hell, there are post-its stuck under keyboards or to the monitor. Users won't put up with your tyranny.

--
BMO

Re:And when you get to the end... (2)

Daniel Dvorkin (106857) | about 3 years ago | (#36806276)

Exactly. Having reasonable policies such as "passwords may not consist solely of names or common dictionary words" strengthens security; going further than that and insisting that all passwords must consist of strings such as "kjf83i3n!mnc_79d" weakens security, because it practically begs people to write their passwords down. Similarly, requiring users to change their passwords every month will result in nothing but the use of weak passwords and/or constant tech support requests from users who can't log in.

Re:And when you get to the end... (2)

tompaulco (629533) | about 3 years ago | (#36806506)

My IT department was not even able to tell me what our password policy is. My password expired and I had to pick a new one. I could not get one to work that passed our policy. I had one with four symbols four upper case four lowercase and four numbers that I would never be able to remember and it still would not take it. Finally, in desperation I logged in as a domain administrator (which I happen to know and which the password never changes because the entire system would break) and set my password to something that has a reasonable complexity that no one would randomly figure out and that I can remember.

Re:And when you get to the end... (0)

Anonymous Coward | about 3 years ago | (#36806858)

I did a course last year, and there was a similar password policy. Every 6 weeks, I had to choose a new password, one that had not been used before, was a minimum length, had at least two numbers and one symbol in it.

This policy meant that people were constantly running upstairs to the secretary who would ring the main campus in another town, and we would ultimately have to leave a message. Then, when they finally got back to us.....

I ended up writing my password on my book, so if anyone wanted in as me, they could walk by my desk and read it.

But, and this is the most important thing of all, what were they protecting? The software we were using was expensive (an Autodesk product, along with Adobe CS5) but we had no network access. That's right, this ridiculous policy was protecting network facilities on a system that was blocked off by a proxy server. What was even better was that, when we asked for internet access so we could find tutorials and reference images, we were told by the IT people "No, you see, you can't connect two different speed networks together because that makes the computers crash."

Re:And when you get to the end... (2)

jamesh (87723) | about 3 years ago | (#36806604)

Having a hard-to-guess password on a post-it note stuck to your monitor is entirely appropriate in a lot of places. If the threat from inside the organisation is close to zero (eg a home office with no external cleaning contractor where all staff have equal network access) but the threat from outside is high (eg remote access to email or desktop) then it's a better outcome than an easy-to-guess password that exists only in the users head... and in the dictionary.

You know, what is more shocking (2, Insightful)

Chicken_Kickers (1062164) | about 3 years ago | (#36805920)

You know, what is more shocking is that clueless "security experts" are still relying on passwords as their primary security measure. Passwords are bad because they are not natural. Humans are not computers, i.e. we have not evolved to memorise random strings of letters and numbers. Our brain has evolved to make the most of connecting and contextualizing information, not memorizing 1s and 0s. This is the mistake you computer people always make, whether designing GUIs or security systems.

Re:You know, what is more shocking (0)

Anonymous Coward | about 3 years ago | (#36806058)

You know what's worse? Security questions! Especially when you can't type your own.

Favorite Color? Too easy - people aren't going to say FF1A16. Most will say black, red, green, blue, white, or a handful of other labels.

With all these favorite questions, I either don't have one. I really lack strong favorites in all areas. And the next time it asks me that, it will have likely changed.

OR, it's information that's known to my entire household. Even if they don't do anything nefarious, I'm sure someone can wrangle out of my mother what street I lived on as a kid in a casual conversation.

I hate SQs with a passion. Whoever thinks this is security is nuts.

Pass phrases work in security questions too (1)

perpenso (1613749) | about 3 years ago | (#36806264)

You know what's worse? Security questions! Especially when you can't type your own.

They can ask for your favorite color but you don't have to answer that particular question. If you are a fan of pass phrases you can enter some sort of phrase indicating the color. For example if your favorite color is red you could enter "The BBC first aired Red Dwarf in 1988".

Re:You know, what is more shocking (1)

tompaulco (629533) | about 3 years ago | (#36806528)

Security questions also fail when they are case sensitive, so if you entered "Blue" instead of "blue" for your favorite color, it says "I never knew you. Depart from me, you who practice lawlessness."

Re:You know, what is more shocking (5, Insightful)

rolfwind (528248) | about 3 years ago | (#36806074)

You know what's worse? Security questions! Especially when you can't type your own.

Favorite Color? Too easy - people aren't going to say FF1A16. Most will say black, red, green, blue, white, or a handful of other labels.

With all these favorite questions, I either don't have one. I really lack strong favorites in all areas. And the next time it asks me that, it will have likely changed.

OR, it's information that's known to my entire household. Even if they don't do anything nefarious, I'm sure someone can wrangle out of my mother what street I lived on as a kid in a casual conversation.

I hate SQs with a passion. Whoever thinks this is security is nuts.

(Srry, posted as anon before, dang sign-in isn't as convenient as it used to be.)

Re:You know, what is more shocking (3, Funny)

perpenso (1613749) | about 3 years ago | (#36806292)

You know what's worse? Security questions! Especially when you can't type your own.

They can ask for your favorite color but you don't have to answer that particular question. If you are a fan of pass phrases you can enter some sort of phrase indicating the color. For example if your favorite color is red you could enter "The BBC first aired Red Dwarf in 1988". For extra security use the wrong year. :-)

Re:You know, what is more shocking (1)

jamesh (87723) | about 3 years ago | (#36806610)

(Srry, posted as anon before, dang sign-in isn't as convenient as it used to be.)

Couldn't remember your password?

Re:You know, what is more shocking (4, Insightful)

bill_mcgonigle (4333) | about 3 years ago | (#36807054)

I hate SQs with a passion. Whoever thinks this is security is nuts.

Simply put, security questions reduce your account's security to the strength of the security questions. Mostly, they're weaker than average passwords. Lord help you if you've got a Facebook profile. Mother's maiden name. Hell, that's public information today.

Re:You know, what is more shocking (1)

Archangel Michael (180766) | about 3 years ago | (#36806100)

Look, it isn't that hard to come up with a passphrase that you turn into a password.

It was the best of times, it was the worst of times

becomes

1wtb0t1wtw0t!

Then, you find a creative phrase that nobody else will figure out based on nothing about yourself and bam, you have a password. The longer the phrase, the more keystrokes to enter, and that is a good thing.

But still, there is the one person I know whose password is PI to the 27th decimal. Most PW systems don't let you have that many, and when they don't, she uses something ridiculously easy, "because it already isn't secured". Takes her, and I'm not kidding, about 7 seconds to tap it out on a keypad.

Re:You know, what is more shocking (1)

El_Oscuro (1022477) | about 3 years ago | (#36806210)

Why not just allow

"It was the best of times, it was the worst of times"

As your actual password? It is a lot easier to remember than 1wtb0t1wtw0t!, and if you have any kind of lockout policy no script is going to ever guess it.

Re:You know, what is more shocking (0)

Anonymous Coward | about 3 years ago | (#36806286)

That would be highly annoying to type in 10 times a day with echo disabled, and no indication of what part was wrong when you mis-type.

Too much to type (1)

Roger W Moore (538166) | about 3 years ago | (#36806310)

It is a lot quicker to type '1wtb0t1wtw0t!' though, especially if you are used to it. I usually add a number somewhere which I can increment though to workaround the stupid password expiry policies some places have.

Re:You know, what is more shocking (2)

Daniel Dvorkin (106857) | about 3 years ago | (#36806344)

Why not just allow

"It was the best of times, it was the worst of times"

As your actual password? It is a lot easier to remember than 1wtb0t1wtw0t!, and if you have any kind of lockout policy no script is going to ever guess it.

That's a damn good point. It's not like modern systems can't afford the few extra tens of bytes. Arbitrary character limits made a certain amount of sense in the days when data storage and transmission were expensive and there was a real cost to using large strings, but we're long past the days when a password that's any shorter than a novel is going to cost any more, in practical terms, than "password123".

Now, there are certain phrases that would best be avoided in creating such passwords, and particularly famous opening lines are among them, since it would be reasonable to try such lines in a brute-force attack. But I'll bet most users could come up with one- or two-sentence passwords that they would find easy to remember, but which attackers would be very unlikely to guess.

Re:You know, what is more shocking (1)

jamesh (87723) | about 3 years ago | (#36806634)

That's a damn good point. It's not like modern systems can't afford the few extra tens of bytes.

For user authentication there is no need to store the plaintext password, a hash is all you should need to store, which is fixed length. That way anyone who gains access to the password database still has to bruteforce a hash.

Re:You know, what is more shocking (1)

Daniel Dvorkin (106857) | about 3 years ago | (#36806906)

Point. I suppose I should have said "dictionary attack" rather than "brute-force attack," since what I was thinking of was trying common names and words (or, in the long-password scenario, common lines like "it was the best of times", "to be or not to be", "fourscore and seven years ago", etc.) rather than just random ASCII. As far as the hash length vs. string length goes, even if it's stored hashed, the plaintext has to be processed at some point. Once upon a time, there was a real cost to the number of bytes allocated for a string, but that time is long gone.

Re:You know, what is more shocking (1)

tepples (727027) | about 3 years ago | (#36807050)

Good luck keying that in error-free on your cell phone's touch screen.

Re:You know, what is more shocking (0)

Anonymous Coward | about 3 years ago | (#36806578)

I had a colleague who used PI to 30 places ... and then he came off his motorcycle, which led to two conversations in the Intensive Care Unit: "John, what's your password?" and then the next day "John, here's a book with PI to 200 decimal places, what's your password again?" In less than a second he pointed to two digits that were transposed. ... Never did get to the bottom of which version of PI was wrong.

Re:You know, what is more shocking (1)

PCM2 (4486) | about 3 years ago | (#36806690)

But still, there is the one person I know whose password is PI to the 27th decimal. Most PW systems don't let you have that many, and when they don't, she uses something ridiculously easy, "because it already isn't secured".

Is any password that you can look up in a book (or generate using an algorithm) really all that secure? How long would it take a dictionary attack based on the digits of pi to reach the 27th digit of pi?

Re:You know, what is more shocking (2)

Centurix (249778) | about 3 years ago | (#36806824)

I SMS'd that password to Charles Dickens, and he sent back "T1my iz a kriple lol!".

Re:You know, what is more shocking (1)

kangsterizer (1698322) | about 3 years ago | (#36806392)

I agree.
I am trying to pass this message among the security folks I meet, and I am "one" myself. Well, this is difficult.
To many, security means password. It's that bad :-)

To me, a password, digital key, etc. is just one of the aspects of security - but I certainly would be happier if we got rid of passwords. They're not secure, they're hard to remember, type, etc.

That said, since you need at least 2 factors of authentication to feel reasonably secure, and there's not so much that is as versatile as passwords, I'd live with digital keys that are additionally encrypted and protected by a password. The digital key then signs some keys that you can use for different services. Keys that you can revoke and regenerate at will (so you can rotate them every 7 days for example, with zero pain). You (almost) never have to change the password and have only one. If the master key is compromised, of course, you have to redo all that.
You might want to rotate the master key every 5 or 10 years I suppose!

Note: the master key password should be secure; however, even if it is not, it's not such a big deal anymore.
The master key should eventually be taken great care of; having a separate physical pad and reader isn't out of the question (like the gpg cards).
The master key can be protected by non-password means as well, but sometimes it's hard to find the proper replacement.

Re:You know, what is more shocking (1)

lgw (121541) | about 3 years ago | (#36807082)

You know, ATM cards work really well for protecting easily-obtainable cash. I can't think of better proof that 2-factor auth with the simplest of passwords and the simplest of tokens works great.

The approach I'd take with software is: your endpoint device generates a GUID - this is your actual password. The user provides a simple password which is used to locally encrypt the real password. The first time any new device is used, some additional protocol is needed to authorize the user out of band, and generate and sync the GUID. That should work well in any situation where the user frequently re-uses the same endpoint, and is likely to report if that endpoint is stolen.

Re:You know, what is more shocking (1)

Sinthet (2081954) | about 3 years ago | (#36806820)

Personally, I think a physical key would work best. For example, taking a USB-key and filling the first 512 bytes with a totally randomly generated string which you use to login. You plug it in, click on authenticate, the computer reads the information, checks it against a database, and if it matches, allows you entry.

This could be expanded upon so that a simple byte for byte copy wouldn't work. It also reduces the chances of someone guessing the password to essentially zero.

Fantastic advice (1)

drb226 (1938360) | about 3 years ago | (#36805940)

FTA:

The only secure password is the one you can’t remember.

Great. So remember to write your password on a sticky note that you leave on your monitor, and you'll be golden.

Re:Fantastic advice (1)

paleo2002 (1079697) | about 3 years ago | (#36806076)

I share an office and computer with a colleague at work. The school's network requires us to change our login and password every 60 days (I think) and won't let us reuse any entries. So, we've got a piece of paper taped to the desk next to the keyboard with an ongoing record of logins and passwords. Whoever's turn it is to come up with the new login info crosses out the last one and writes down a new one.

Fortunately, we keep the login list key encrypted - we're always careful to lock the office door on our way out.

Re:Fantastic advice (1)

nzac (1822298) | about 3 years ago | (#36806772)

Just insert the month and year into your standard password; assuming they are using a hash to detect repeats, it looks very different on the other side.

What science?? (0)

Average_Joe_Sixpack (534373) | about 3 years ago | (#36805952)

Use month, underscore + year

JULY_2011
or
July_2011 for systems that insist upon mixed case

Re:What science?? (1)

blair1q (305137) | about 3 years ago | (#36805982)

Rejected by dictionary checker in password widget in security-conscious software application.

Re:What science?? (1)

swalve (1980968) | about 3 years ago | (#36806744)

If it was really security conscious, it wouldn't have access to the plain text password.

Re:What science?? (0)

Anonymous Coward | about 3 years ago | (#36806290)

I used to use 2 words, plus number and symbol. They were as effective as they needed to be - hard enough to guess/crack, easy enough to remember. My favorite was beerjug$1
 
These days I think of a word, then mis-spell it for use as a password, e.g. fibreoptic becomes fibauptick. Easy to remember, and it wouldn't be found in the first pass through a dictionary - hopefully whoever is trying to guess or crack it will give up and move on to the next user ID in whatever list they have.

Non-alphanumerics (5, Insightful)

paleo2002 (1079697) | about 3 years ago | (#36806008)

To be fair, I doubt the average person is aware that a password can include symbols unless they are specifically advised that they are allowable. I know I've been scolded by many computers, web sites, and electronic systems for using symbols in the past so it's no wonder that they are rarely used.

Re:Non-alphanumerics (5, Interesting)

Nationless (2123580) | about 3 years ago | (#36806120)

Symbols are a double edged sword. I once had a username/password combo using unusual symbols and lo and behold when they upgraded the system they decided in all their wisdom to remove support for those symbols.

I was fucked.

Had to contact them and have someone manually change my username and password (hardly ideal) and then I had to set up a new password as soon as I regained access.

Re:Non-alphanumerics (4, Interesting)

mirix (1649853) | about 3 years ago | (#36806220)

I find that banks seem to be consistently the worst for not allowing things other than [a-zA-Z0-9]. Which would be rather funny if it weren't sad. Usually stupid limits on length too, like 8 chars.

Re:Non-alphanumerics (0)

Anonymous Coward | about 3 years ago | (#36806748)

My online banking passcode is 6 numerals. :\

Luckily they do couple it with a random security question (1 of 3; e.g.: favorite instrument). That's.... kind of better.

And then you realize that if you call the telephone line and tell them you don't have the passcode, they just ask for Date of Birth, name, address, bank card number, and *something* personal about the account. If someone stole my wallet, they'd have all of that except the last bit. If they saw I drive a 2005 Honda Civic, they'd have the last bit ("I began making car loan payments to Honda starting in 2005" was all I needed)

Re:Non-alphanumerics (1)

jader3rd (2222716) | about 3 years ago | (#36806602)

Not only that, but different websites will scold you for different symbols. Making it difficult to come up with one password for the same 'class' of websites.

Re:Non-alphanumerics (0)

Anonymous Coward | about 3 years ago | (#36806704)

i create all my passwords from the same base, e.g. (not my real passwords~)

kati@$%EL#&^aura

if a site disallows symbols, just replace with the equivalent number:

kati245EL376aura

if 16 chars is too long, just lop some off the end:

kati@$%E

and yes my real password is based off a girl's name and the numbers are for her birthday. zzZZZzZ

Stupid password rules (1)

El_Oscuro (1022477) | about 3 years ago | (#36806116)

Like most everyone else, managing passwords is a nightmare for me:

Some websites require a 15 character password with at least 2 upper case letters 3 digits, at least 2 UNICODE characters, and must be changed weekly. Others require from 5 to 7 characters with no numbers and cannot be changed for at least 2 months. The password rules bear no relationship to the sensitivity of the data.

Managing all of this crap is a royal pain in the ass. I use keypassX with an IronKey to make things manageable, but it is still ridiculous.

Why not just allow the user to put anything they want as a password, including spaces, commas, etc.? Ban passwords under 5 characters, the top 500 easiest ones, anything matching personal info, etc. But otherwise allow all other things - and have a lockout policy after, say, 5 bad attempts. While a script can run through the 190,000 words in a dictionary in a few minutes, it is a lot harder if the account is locked out after the first 5.

While lots of people hate PayPal for various reasons, they have one thing that is really slick: The ability to use your cellphone as a FOB. Everyone has a cell phone these days, and if you set it up, PayPal will text your phone with a secondary authentication code when you login with your password. So even if someone gets your password, unless they also have your cell phone, they still can't login. Why every bank doesn't have this security feature is beyond me.

Re:Stupid password rules (1)

DiSKiLLeR (17651) | about 3 years ago | (#36806242)

While lots of people hate PayPal for various reasons, they have one thing that is really slick: The ability to use your cellphone as a FOB. Everyone has a cell phone these days, and if you set it up, PayPal will text your phone with a secondary authentication code when you login with your password. So even if someone gets your password, unless they also have your cell phone, they still can't login. Why every bank doesn't have this security feature is beyond me.

Both my banks do.... CBA in Australia, and ASB in New Zealand.

US Banks don't do it?

Re:Stupid password rules (1)

El_Oscuro (1022477) | about 3 years ago | (#36806646)

I have yet to see one. Then again we can't get beer right either. Fosters (drinking one now) might not be very good but is a damn sight better than Budweiser.

Re:Stupid password rules (1)

PCM2 (4486) | about 3 years ago | (#36806718)

US Banks don't do it?

Bank of America certainly offers it as a free option (and I use it).

Re:Stupid password rules (1)

Daniel_Staal (609844) | about 3 years ago | (#36806792)

US Banks don't do it?

USAA does it. They also let you use your email (or not allow your email; configurable) and you can set some computers as 'authenticated', which means you only need your password and PIN on that computer. (Which will reset after a few months, or if you clear cookies, or do something which looks fishy, like use two browsers at once from the same computer.)

Re:Stupid password rules (1)

swalve (1980968) | about 3 years ago | (#36806864)

Chase does it for password recovery. Not sure I'd like to have to go find my phone every time I wanted to log into my bank account.

For work passwords, I use the same ones, and just force myself to get into the habit of logging into every system when the first password expires and changing them all at once. This works especially well for sites that get used rarely, as they don't end up auto expiring without me ever knowing it, and then locking me out because I KNOW I've got the right password.

Re:Stupid password rules (0)

Anonymous Coward | about 3 years ago | (#36806300)

Netbank in Australia does this.

To move money from account to account or just check your accounts, you only need the password.

To move money to a third party account or change your contact details, you need a netcode, which is a 6 digit number they send you by SMS. (sadly they still don't allow all symbols in your password :( )

Texting sold separately (1)

tepples (727027) | about 3 years ago | (#36807066)

But otherwise all other things - and have a lockout policy after, say 5 bad attempts.

Which lets anyone who knows your username DOS you.

Everyone has a cell phone these days, and if you set it up, PayPal will text your phone with a secondary authentication code when you login with your password.

Even those who have a cell phone and a PayPal account don't necessarily have an unlimited SMS plan.
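
El_Oscuro's suggestion above (lock the account after five bad attempts) and tepples's objection to it (anyone who knows the username can lock the owner out) are two sides of the same design choice. As an added example that is not part of the original thread or of any product mentioned in it, here is a per-account progressive delay in Python that slows online guessing without ever locking the legitimate user out. The names (`LoginThrottle`, `FakeClock`, the user `alice`) and the default delays are assumptions for the illustration; the clock is injected so the demo runs deterministically.

```python
import time
from collections import defaultdict
from typing import Callable, Dict, List


class FakeClock:
    """Deterministic stand-in for time.monotonic() so the demo is reproducible."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginThrottle:
    """Progressive per-account delay instead of a hard lockout (assumed design).

    After `free_attempts` failures the account must wait base_delay, then
    2x, 4x, ... up to max_delay before another attempt is accepted. An
    online guesser is slowed to a crawl, but the real user is never locked
    out outright, so an attacker who merely knows the username cannot deny
    service. Failures older than `window` seconds are forgotten.
    """

    def __init__(self, free_attempts: int = 3, base_delay: float = 1.0,
                 max_delay: float = 300.0, window: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.window = window
        self.clock = clock
        self._failures: Dict[str, int] = defaultdict(int)
        self._last_failure: Dict[str, float] = {}
        self._blocked_until: Dict[str, float] = {}

    def _forget_stale(self, user: str, now: float) -> None:
        last = self._last_failure.get(user)
        if last is not None and now - last > self.window:
            self.record_success(user)

    def seconds_until_allowed(self, user: str) -> float:
        """0.0 means an attempt may be made now."""
        now = self.clock()
        self._forget_stale(user, now)
        return max(0.0, self._blocked_until.get(user, 0.0) - now)

    def record_failure(self, user: str) -> float:
        """Register a bad password; return the delay now imposed (0.0 while free)."""
        now = self.clock()
        self._forget_stale(user, now)
        self._failures[user] += 1
        self._last_failure[user] = now
        excess = self._failures[user] - self.free_attempts
        delay = 0.0 if excess <= 0 else min(self.max_delay, self.base_delay * 2 ** (excess - 1))
        self._blocked_until[user] = now + delay
        return delay

    def record_success(self, user: str) -> None:
        """A correct password clears the account's failure history."""
        self._failures.pop(user, None)
        self._last_failure.pop(user, None)
        self._blocked_until.pop(user, None)


def hard_lockout_allows(failures: int, limit: int = 5) -> bool:
    """The policy from the thread: after `limit` bad guesses nobody gets in."""
    return failures < limit


def demo(attacker_guesses: int = 7) -> List[float]:
    """An attacker burns `attacker_guesses` wrong passwords against alice's
    account, then alice herself shows up with the right password."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    delays = [throttle.record_failure("alice") for _ in range(attacker_guesses)]
    # Hard lockout: alice would now be locked out until someone resets her account.
    # Throttle: alice waits out the current delay and then logs in normally.
    clock.advance(throttle.seconds_until_allowed("alice"))
    if throttle.seconds_until_allowed("alice") == 0.0:
        throttle.record_success("alice")
    return delays
```

With the defaults, seven wrong guesses cost the attacker 0, 0, 0, 1, 2, 4 and 8 seconds of waiting; a dictionary of 190,000 words would take days at that rate, while the account owner is delayed by at most `max_delay` and never needs a help-desk reset. In a real deployment the delay state lives in shared storage, and the same idea is usually applied per source address as well, since an attacker spreading guesses across many accounts never trips a per-account counter.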

Generating and remembering passwords (5, Interesting)

chroma (33185) | about 3 years ago | (#36806126)

I've become a recent convert to the idea of using a password card [passwordcard.org] or
password chart [passwordchart.com] to remember my passwords for me. There's not nearly as much to remember, as you use a code to look up the password on a printed card. But if you lose the card, anybody finding it will only see a random sequence of letters and numbers.

Length is your friend (1)

spaceyhackerlady (462530) | about 3 years ago | (#36806130)

Passwords with patterns are easy for humans to remember, but any short password is vulnerable to a brute-force attack.

My favourite way to generate passwords is the first letter of each word in a phrase. Somebody looking over your shoulder sees you type TbonoTbTitQ, doesn't see a pattern, and can't remember it. While you think To be or not To be, That is the Question. Not that this makes any difference to a computer that starts at aaaaaaaaa and works up to zzzzzzzzz.

No, I've never used this password on any computer system. One I did use, though (20-odd years ago, at a company that has long since ceased to exist), was MRwitdtEssahtuwws. If you can tell me the underlying phrase I'll be impressed. And scared. :-)

...laura

Re:Length is your friend (1)

Roger W Moore (538166) | about 3 years ago | (#36806364)

...but any short password is vulnerable to a bruteforce attack.

Only if they can get the encrypted hash, and with increasing CPU (or rather GPU) power longer passwords are becoming brute-forceable too.

Re:Length is your friend (1)

Bengie (1121981) | about 3 years ago | (#36806884)

Bcrypt hash. Good luck brute-forcing that. Slow in software as well as hardware. Customizable computational time. Make even a dictionary attack take forever.

Re:Length is your friend (1)

dwarfsoft (461760) | about 3 years ago | (#36806530)

Reminds me of the "company" name my friend "created" when he was writing small apps in high school. Tpwwpffbfnr. The people who write programs for fun but for no reason. :D

Girth is everything (0)

Anonymous Coward | about 3 years ago | (#36806900)

and that is all

Pie? (1)

BadPirate (1572721) | about 3 years ago | (#36806186)

All those pie charts make me hungry.

Random password generators (4, Interesting)

Freddybear (1805256) | about 3 years ago | (#36806240)

A function that returns a string of 12 random ASCII characters including upper and lowercase alphas, numerics and symbols will score 100% on a password strength test like http://www.passwordmeter.com/ [passwordmeter.com] but I find that a password like that will be hard to type, much less to remember.

Another way is to return two random words from a list of less-used English words, separated by two or three random numerics. That won't score as high but it will be plenty secure against dictionary attacks and will be easier to remember.
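Both generators described in this comment, written out as an added example (not code from the poster or the article), with a figure for how many distinct outputs each can produce. The word list here is a constructed 24-word stand-in; the search-space function takes the real list size as a parameter so the effect of a few-thousand-word list can be seen.

```python
import math
import secrets
import string

# Alphabet for the "12 random ASCII characters" scheme: upper and lower
# case letters, digits and punctuation (94 characters, no whitespace).
ASCII_SET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a list of less-used English words. A real
# generator would load a few thousand words from a file; the search-space
# figure below shows why the list size matters.
WORDS = [
    "abacus", "brindle", "cumulus", "dirigible", "espalier", "fennel",
    "gossamer", "halcyon", "isthmus", "juniper", "kestrel", "lichen",
    "marzipan", "nimbus", "obelisk", "petrel", "quince", "rivulet",
    "sextant", "thimble", "umber", "verdigris", "wicket", "zephyr",
]


def random_ascii_password(length=12):
    """Uniformly random printable ASCII, drawn from the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice(ASCII_SET) for _ in range(length))


def two_word_password(words=WORDS, min_digits=2, max_digits=3):
    """Two random words (chosen with replacement) separated by 2 or 3 random digits."""
    first, second = secrets.choice(words), secrets.choice(words)
    n_digits = min_digits + secrets.randbelow(max_digits - min_digits + 1)
    separator = "".join(secrets.choice(string.digits) for _ in range(n_digits))
    return f"{first}{separator}{second}"


def search_space_bits_ascii(length=12, alphabet_size=len(ASCII_SET)):
    """log2 of the number of distinct outputs of random_ascii_password."""
    return length * math.log2(alphabet_size)


def search_space_bits_two_word(word_count=len(WORDS), min_digits=2, max_digits=3):
    """log2 of the number of distinct outputs of two_word_password:
    word_count^2 word pairs times every digit string of the allowed lengths."""
    digit_strings = sum(10 ** n for n in range(min_digits, max_digits + 1))
    return math.log2(word_count ** 2 * digit_strings)


if __name__ == "__main__":
    print(random_ascii_password(), f"{search_space_bits_ascii():.1f} bits")
    print(two_word_password(), f"{search_space_bits_two_word():.1f} bits with {len(WORDS)} words")
    print(f"{search_space_bits_two_word(word_count=5000):.1f} bits with a 5000-word list")
```

The 12-character scheme gives about 78.7 bits; the two-word scheme with the toy 24-word list gives only about 19 bits, and about 35 bits with a 5000-word list, which is the arithmetic behind "won't score as high". Generating from `secrets` rather than `random` matters: the latter is not a cryptographic generator.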

Re:Random password generators (1)

walbourn (749165) | about 3 years ago | (#36806424)

So does a GUID in registry format... but nobody is going to remember that one either.

Gibson's Password Haystacks (5, Interesting)

sqrt(2) (786011) | about 3 years ago | (#36806260)

I changed my passwords according to Steve Gibson's new paradigm of password haystacking. The basic idea is that you start with a short, non-dictionary but still memorable base and then increase the length with padding that is memorable to you. The concept is based on the fact that length trumps entropy when defending against a brute force attack, and that simple length is just as effective as complex length as long as the entire password doesn't appear in a dictionary. He made a page dedicated to the concept; it's worth taking a look at.

https://www.grc.com/haystack.htm [grc.com]

Re:Gibson's Password Haystacks (1)

realityimpaired (1668397) | about 3 years ago | (#36806664)

I wouldn't trust the Gibson. It got hacked by a high school kid in 1995....

He is right about length trumping entropy when you're going against a hash or a dictionary attack, though. Personally, I'll take a phrase, translate it into some other language (preferably one that isn't written with the Latin alphabet), romanize it, and then deliberately misspell it with leetspeak. The result is usually a password that's very long, resilient against dictionary attacks, and is easy enough to regenerate that you don't have to remember the actual password.

Re:Gibson's Password Haystacks (1)

jamesh (87723) | about 3 years ago | (#36806680)

length trumps entropy

Sounds reasonable. And if you look at what the typical non-targeted brute force dictionary contains, it really is only picking off the most low hanging fruit. It is reasonable that the password 1111111111111111111111111111111111111111112 is unlikely to be guessed in a useful amount of time unless you had specific knowledge of the user's password habits.

Re:Gibson's Password Haystacks (0)

Anonymous Coward | about 3 years ago | (#36806804)

I knew that domain sounded familiar. Screw Steve Gibson, because screw "shields up".

Re:Gibson's Password Haystacks (1)

Bengie (1121981) | about 3 years ago | (#36806898)

This guy is the John Carmack of security.

Re:Gibson's Password Haystacks (1)

Anonymous Coward | about 3 years ago | (#36806950)

I just took a look at the gibson haystack calculator and I think it is Arse backwards.

A lot of what he has calculated is based on the knowledge that he knows what types of characters are in the password, i.e. it contains an uppercase, lowercase, number or symbol. The problem with this theory is that the person trying to brute force only knows that the password could contain one of the search domain characters. The brute forcer does not know that I only used lowercase, he only knows that I may have... He should not even know how many letters the password contains, just that I have a password and it could fit a set of criteria.

So the password a..b should be equivalent to a..B but it is not according to his criteria.

All of the strength meters suffer the same problem, they all measure a password from the perspective of actually knowing the password, which an attacker does not.
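The two attacker models this comment contrasts, written out as an added example (my code, not the commenter's and not Gibson's calculator): one estimate sizes the alphabet by the character classes actually present, which requires seeing the password; the other assumes every position could be any character the site permits. The 94-character permitted alphabet is an assumption; a site's real policy may differ.

```python
import math
import string

# Character classes a typical strength meter distinguishes.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}
# Assumed permitted alphabet: 94 printable, non-space ASCII characters.
FULL_ALPHABET = "".join(CLASSES.values())


def classes_used(password):
    """Names of the classes that actually occur in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def bits_if_classes_known(password):
    """Model A (the meter's view): the alphabet is only the classes that
    appear, which one can know only by seeing the password."""
    if not password:
        return 0.0
    alphabet_size = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet_size)


def bits_if_alphabet_unknown(password, alphabet=FULL_ALPHABET):
    """Model B (exhaustive search without seeing the password): every
    position could be any permitted character, whatever was actually used."""
    return len(password) * math.log2(len(alphabet))


def seconds_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate in a search space of 2**bits guesses."""
    return 2.0 ** bits / guesses_per_second


def compare(password):
    """Both estimates for one password, in bits, rounded to 0.01."""
    return {
        "classes_known": round(bits_if_classes_known(password), 2),
        "alphabet_unknown": round(bits_if_alphabet_unknown(password), 2),
    }


if __name__ == "__main__":
    for pw in ("a..b", "a..B", "TbonoTbTitQ"):
        print(pw, compare(pw))
```

Under model A, a..b (lowercase plus symbols, 58 characters) scores lower than a..B (84 characters); under model B both are 4 positions over 94 characters and score identically, which is the commenter's point. Neither model says anything about guessing in order of likelihood (dictionaries, common patterns); the numbers are for exhaustive search only, and that is why the thread's remarks about dictionary attacks and slow hashes such as bcrypt are a separate question.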

no leet speak? (2)

Danny Rathjens (8471) | about 3 years ago | (#36806346)

I'm surprised a large chunk of the obfuscation attempts didn't involve replacing letters with numbers. termin8, passw0rd, etc.
I used a password cracker once as a sysadmin many years ago and I recall that that was one of the higher priority alternates the password cracker tried after dictionary words. I also remember there were plenty of adjunct dictionaries for password crackers with things such as anime/book/movie/tv names and character names and places which might cover a lot of that "other" category.

Re:no leet speak? (1)

Estanislao Martnez (203477) | about 3 years ago | (#36806618)

I'm surprised a large chunk of the obfuscation attempts didn't involve replacing letters with numbers. termin8, passw0rd, etc.

Well, the article isn't completely clear in this regard, but I think the author just didn't actually look for examples like those. So their absence in the article doesn't tell you anything about their frequency.

Re:no leet speak? (1)

swalve (1980968) | about 3 years ago | (#36806888)

I think that's because only sysadmin types think of that. C0mp@Q was a favorite of an old sysadmin. Easy to remember, it's printed right on the keyboard.

Phones aren't helping (0)

Anonymous Coward | about 3 years ago | (#36806498)

I have long kept short-duration, complex passwords (10-15 characters with multiple symbols, letters, and numbers).

Until I got an Android Phone last year.

Do you know how much of a pain it is to switch back and forth between various cases, add letters, add symbols, etc? It takes 10 minutes to type your password, and then you invariably fat-finger a key.

The Cell Phone has to be a weak link in security these days. I know it has been for me.

Re:Phones aren't helping (1)

FoolishOwl (1698506) | about 3 years ago | (#36806656)

I find the ability to have an encrypted password safe always at hand more than makes up for the inconvenience of typing in my master password.

Re:Phones aren't helping (1)

Lehk228 (705449) | about 3 years ago | (#36807088)

Blackberry password vault and itaks generator have transitioned all my passwords that matter to 16 character random letter upper num sym type passwords

Who can't remember... (1)

Maximum Prophet (716608) | about 3 years ago | (#36806508)

Back in the day, we would trade off the duty of creating the root password, and changing it everywhere it needed to be changed. When it was my turn, I used a random set of letters and numbers that everyone said no-one could remember. That password had fewer people re-requesting it than any other. I still remember it today. I just Googled it, and nope, it's not there yet.

Re:Who can't remember... (1)

FoolishOwl (1698506) | about 3 years ago | (#36806670)

That fits my experience. I expect people are much better at remembering a random string of characters than they expect to be. It seems like a good subject for an experiment.

Re:Who can't remember... (1)

Zero__Kelvin (151819) | about 3 years ago | (#36806678)

"When it was my turn, I used a random set of letters and numbers that everyone said no-one could remember. That password had fewer people re-requesting it than any other"

That is because every single person wrote it on a sticky note somewhere, thereby greatly decreasing its security.

" I just Googled it, and nope, it's not there yet."

On the bright side, at least you know Google has it now ;-)

Password in a wallet (1)

tepples (727027) | about 3 years ago | (#36807090)

That is because every single person wrote it on a sticky note somewhere, thereby greatly decreasing its security.

How so, if "somewhere" is inside one's wallet?

Random mix of stuff... (1)

EmagGeek (574360) | about 3 years ago | (#36806514)

I pick 12 or so digit passwords with a mix of stuff that has nothing to do with anything. One of my more recent passwords was:

$8.3JOe$&#aW=

When I pick a new one, I just type it 20 or so times and my fingers remember it from then on. I usually cannot reproduce my passwords verbally without first typing them. The fingers remember. The brain does not.

Re:Random mix of stuff... (0)

Anonymous Coward | about 3 years ago | (#36806892)

Sure, then you write it down so you can remember it.

only three routes (1)

Gravis Zero (934156) | about 3 years ago | (#36806534)

the rationale

1) easy to remember (weak)
2) it's good enough (average strength)
3) holy shit, hackers! (strong)

Some sites I just don't care about (2)

fishbowl (7759) | about 3 years ago | (#36806552)

Seriously, I don't care if someone guesses or bruteforces a password to some news site, or anything where I've used a totally random pseudonym in the first place. I will do things like use weak passwords, re-use them, etc. Because I don't care. I mean, I *really* don't care. Please hack these. Who cares? Not me.

Web sites and applications where I *do* care, get particularly long, entropy-rich randomly generated passwords. These passwords do get stored locally, on a well-encrypted medium that I would be most happy to surrender at the first hint of torture. But these aren't going to be casually guessed, and if you're trying to brute force one of these accounts, you're much better off attacking the next one over. (I take the same strategy with auto and home security as well -- all I really have to do is make YOUR car look more attractive to thieves.)

Discriminative stimulus or cueing (1)

koona (920057) | about 3 years ago | (#36806560)

I am as lazy as anyone else, but I guess I'm just lucky in that I understand a certain amount of English, binomial nomenclatural Latin, Spanish, and 3 lesser known NA aboriginal languages. I use one language for username, and another for password. I'm so happy there is no dictionary for O'kmuK.

Two problems (1)

FoolishOwl (1698506) | about 3 years ago | (#36806566)

Problem #1: people don't have random password generators conveniently at hand when they need to create passwords. OS designers should make sure that good random password generator applets are installed by default and obvious. Designers of systems that require passwords should remind users to use random password generators, and suggest where they may be found in popular GUIs. Not every interface can offer that information, but certainly websites could, and if enough do, the information will get around.

Problem #2: people get the EXTREMELY BAD ADVICE that they should not write down passwords. They should be advised to write down their password and put it somewhere safe and out of sight, like their wallet.

Re:Two problems (0)

Anonymous Coward | about 3 years ago | (#36806994)

Fixed that for you:

They should be advised to write down their password and put it the first place someone would look.

The problem is trying to make it a word (1)

jader3rd (2222716) | about 3 years ago | (#36806590)

If they were called passphrases and required a space character, they'd be easy to remember and hard to brute force.

Key Based passwords: memorable, always unique (1)

toygeek (473120) | about 3 years ago | (#36806654)

I use a system that is similar to this: Take a phrase, mash it up very well and then add the name of the account to the end of it. It's very secure, but some sites don't support it because it contains plain text.

Phrase: Don't taze me bro! (remember that guy?)
let's mash it up a bit
d0nT+A2eM3bR0!

After typing it in a few times it becomes natural. So, now you have a 14 character alphanumeric password with symbols. But, if some script kiddie hacks a site that you're signed up to (this happened to one of my various online accounts) then they will have access to all of your accounts using that password, rendering it useless, right? Well not so fast. Now we add the next part of protection.

Take the name of the site/account you're logging in to. Mash it up just once (one letter/number) and append it to the 14 character mashup. For example:

d0nT+A2eM3bR0!f@cebook
d0nT+A2eM3bR0!sl@shdot
d0nT+A2eM3bR0!n3wegg
d0nT+A2eM3bR0!f@rk

In this case I replaced the first vowel in each site name with a symbol.

I consider this to be VERY secure, and if any of my accounts gets broken into, the likelihood of any other of my accounts being compromised is next to nil.

I'd love to hear the comments of my fellow slashdotters on this. Keep in mind that even a very simplified version is better than most of the passwords out there. I try to get my customers (neophytes mostly) to adopt this because at the very least they aren't using "password1" as their password for everything.

Re:Key Based passwords: memorable, always unique (0)

Anonymous Coward | about 3 years ago | (#36806946)

d0nT+A2eM3bR0!gma1l
d0nT+A2eM3bR0!tw1tt3r
d0nT+A2eM3bR0!thenextsiteIwanttoaccess

Your extension does nothing as it is obvious from the password and predictable.
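The weakness the reply points out is that the per-site part is appended in the clear, so one leaked password reveals the pattern for every other site. An added example (mine, not either poster's) of the same idea done with a keyed derivation: the master phrase is stretched with PBKDF2 and then used as an HMAC key over the site name, so the output carries no visible suffix and one site's password gives no rewrite rule for another. The salt constant and iteration count are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac

# Assumed constants for this example. A stateless scheme has no per-user
# salt to store, so a fixed application salt is used; the iteration count
# slows offline guessing of the master phrase from one leaked password.
APP_SALT = b"site-password-example-v1"
PBKDF2_ITERATIONS = 100_000


def stretched_key(master_phrase):
    """Slow the master phrase down with PBKDF2-HMAC-SHA256 before use as a key."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_phrase.encode(), APP_SALT, PBKDF2_ITERATIONS
    )


def derive_site_password(master_phrase, site, version=1, length=20):
    """Per-site password = HMAC-SHA256(stretched master, "site:version").

    The site name is normalised so "FaceBook " and "facebook" agree.
    Bumping `version` rotates one site's password without touching the
    master phrase or any other site's password.
    """
    message = f"{site.strip().lower()}:{version}".encode()
    mac = hmac.new(stretched_key(master_phrase), message, hashlib.sha256).digest()
    # urlsafe base64 yields letters, digits, '-' and '_'; drop '=' padding.
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")[:length]


def site_passwords(master_phrase, sites):
    """Derived password for each site in `sites`, keyed by site name."""
    return {site: derive_site_password(master_phrase, site) for site in sites}


if __name__ == "__main__":
    # The phrase from the parent comment, used only as a demonstration input.
    for site, pw in site_passwords("Don't taze me bro!", ["facebook", "slashdot", "newegg", "fark"]).items():
        print(f"{site:10} {pw}")
```

The caveat that remains: the site name is public, so an attacker holding one derived password can still test candidate master phrases offline, just at PBKDF2 speed rather than HMAC speed. The master phrase therefore has to be strong in its own right, and a site that rejects '-' or '_' or requires a specific character mix needs a per-site transform or a stored note of the version used, which is the point at which a password safe becomes the simpler answer.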

stop making us change the password so much (1)

Joe_Dragon (2206452) | about 3 years ago | (#36806966)

stop making us change the password so much and get rid of the repeating rules.
