Slashdot: News for Nerds


487 comments

Can't fix stupid. (-1)

Anonymous Coward | more than 2 years ago | (#40047335)

Don't you stupid /. virgin fags already know that?

Who gives a rats ass? (-1)

Anonymous Coward | more than 2 years ago | (#40047833)

Unban Ethanol-fueled!

This is too simple to fix (4, Funny)

Anonymous Coward | more than 2 years ago | (#40047375)

Every time I see a password like this "12ol3jkh!!asrdfw9g8" or "^TFGY78UH" I want to vomit. Why not make your password something like "This chicken tastes like shit!"

Re:This is too simple to fix (2, Funny)

ClintJCL (264898) | more than 2 years ago | (#40047411)

because it would take longer to type

Re:This is too simple to fix (5, Insightful)

Anonymous Coward | more than 2 years ago | (#40047509)

because it would take longer to type

I disagree; my ability to type words in sequence each day has made me quite efficient at doing so, whereas with a garbled string I am not. The lowercase, uppercase, numbers and symbols make passwords longer to type.

With different passwords for each site (or at least each serious one such as banks) the garbled text approach is very inappropriate.

As passwords are stored as a hash created with a salt, the password is always stored as a fixed-size value (128 bits for MD5 etc.), so it requires no additional storage for the servers/databases.

Re:This is too simple to fix (2, Interesting)

Anonymous Coward | more than 2 years ago | (#40047653)

When sites like slashdot impose a maximum password length limit like 22 characters, it suggests to me that they don't in fact store the passwords as hashes as you would expect. Also garbled passwords are going to be far harder for people to memorize if seen by accident.

Re:This is too simple to fix (1)

gtbritishskull (1435843) | more than 2 years ago | (#40047753)

Of course... if I can't memorize it, how the hell is anyone else going to memorize it?

Re:This is too simple to fix (0)

Anonymous Coward | more than 2 years ago | (#40047781)

The point is that the password would never be written down. It is so easy to remember that they would never have to write it down.

another password revealed (5, Funny)

ozduo (2043408) | more than 2 years ago | (#40047417)

A white jacketed southern gentlemen's password is "This secret spice makes shit taste like chicken"

Re:This is too simple to fix (4, Funny)

SomeJoel (1061138) | more than 2 years ago | (#40047423)

Every time I see a password like this "12ol3jkh!!asrdfw9g8"

That's the password on my luggage!

Re:This is too simple to fix (2)

JoeMerchant (803320) | more than 2 years ago | (#40047921)

Good job printing it on the outside...

Re:This is too simple to fix (-1)

Anonymous Coward | more than 2 years ago | (#40047431)

Every time I see a password like this "12ol3jkh!!asrdfw9g8" or "^TFGY78UH" I want to vomit. Why not make your password something like "This chicken tastes like shit!"

because there is no nigger anywhere who wouldn't like chicken and if you disagree with them you are a racist. thats why.

what's the fastest land animal on earth? the ethiopian chicken of course.

Re:This is too simple to fix (4, Informative)

The Raven (30575) | more than 2 years ago | (#40047453)

The reason to avoid understandable sentences is they have extremely low entropy per character. Or, put another way, they are easier to hack than their length would indicate. An xkcd password has about 1.5 bits per character of entropy; a normal English sentence has as low as 0.6 to 1.3 bits per letter, according to one study [wikipedia.org] . Given the simple and trite short sentences people would use for passwords, it's likely closer to 0.6, or about 20 bits of entropy for your example 'chicken' password, compared to 44 bits for a shorter xkcd password [xkcd.com] .

Re:This is too simple to fix (3, Interesting)

SilverJets (131916) | more than 2 years ago | (#40047607)

Funny.

According to the Passfault demo (that's the link in the summary above) it would take 18384672610116790 centuries to crack "This chicken tastes like shit!"

Where the xkcd password "Correct horse staple battery" would take 72624497 centuries to crack. That is if it wasn't already on the internet for everyone to see and try.

Re:This is too simple to fix (3, Informative)

sexconker (1179573) | more than 2 years ago | (#40047695)

Funny.

According to the Passfault demo (that's the link in the summary above) it would take 18384672610116790 centuries to crack "This chicken tastes like shit!"

Where the xkcd password "Correct horse staple battery" would take 72624497 centuries to crack. That is if it wasn't already on the internet for everyone to see and try.

That estimate is generated by assuming brute force and a specific character set that contains all of your input characters.
No one cracks passwords starting with brute force.
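The Raven's per-character entropy figures and sexconker's point that the Passfault number assumes brute force over a character set are two different attacker models applied to the same string. The following is an added example (my code, not from any commenter or from Passfault) of a strength meter that evaluates both models and reports the weaker one. The character-class sizes are the usual printable-ASCII split; COMMON_WORDS is a constructed stand-in for the attacker's dictionary, and dictionary_size is the assumed size of that dictionary (5000, sexconker's estimate, or 2048, which reproduces xkcd's 44 bits for four words).

```python
import math
import re

# Sizes of the four printable-ASCII character classes (26 + 26 + 10 + 33 = 95;
# the 33 "symbols" include the space character).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Constructed stand-in for the attacker's dictionary of common words; a real
# meter would load a list of a few thousand entries (assumption for the demo).
COMMON_WORDS = {"this", "chicken", "tastes", "like", "shit",
                "correct", "horse", "battery", "staple"}


def charset_bits(password: str) -> float:
    """Strength under the brute-force model behind Passfault-style estimates:
    every string of this length over the union of the classes present."""
    if not password:
        return 0.0
    present = set()
    for ch in password:
        if ch.islower():
            present.add("lower")
        elif ch.isupper():
            present.add("upper")
        elif ch.isdigit():
            present.add("digit")
        else:
            present.add("symbol")
    pool = sum(CLASS_SIZES[c] for c in present)
    return len(password) * math.log2(pool)


def word_model_bits(password: str, common_words, dictionary_size: int):
    """Strength under the word-token model: each word is ONE symbol drawn from a
    dictionary of dictionary_size entries. Case and punctuation are ignored
    because they are cheap to enumerate. Returns None when some token is not in
    the attacker's dictionary, i.e. when this model does not apply."""
    tokens = re.findall(r"[a-z]+", password.lower())
    if not tokens or any(t not in common_words for t in tokens):
        return None
    return len(tokens) * math.log2(dictionary_size)


def conservative_bits(password: str, common_words, dictionary_size: int) -> float:
    """A meter should report the WEAKEST applicable model, not the flattering one."""
    estimates = [charset_bits(password)]
    wb = word_model_bits(password, common_words, dictionary_size)
    if wb is not None:
        estimates.append(wb)
    return min(estimates)


if __name__ == "__main__":
    for pw in ("12ol3jkh!!asrdfw9g8", "correct horse battery staple",
               "This chicken tastes like shit!"):
        print(f"{pw!r}: brute-force {charset_bits(pw):.1f} bits, "
              f"conservative {conservative_bits(pw, COMMON_WORDS, 5000):.1f} bits")
```

Run stand-alone it prints both figures for the three strings discussed in this thread: the chicken sentence scores about 192 bits under the brute-force model but about 61 bits once every word is found in a 5000-entry dictionary, which is the gap between the Passfault "centuries" figure and what a dictionary-driven cracker actually faces.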

Re:This is too simple to fix (3, Funny)

roc97007 (608802) | more than 2 years ago | (#40047889)

Where the xkcd password "Correct horse staple battery" would take 72624497 centuries to crack. That is if it wasn't already on the internet for everyone to see and try.

Yep. (nods). Now if you excuse me, I have to change my password right now.

Re:This is too simple to fix (0)

Anonymous Coward | more than 2 years ago | (#40047679)

As well, you are not accounting for the addition of the ! or capitalization. If you wanted to really be good, make it a count of objects you own: "I have 2 blue cars and one black". Easily remembered. The key here is getting users to not write the password down because the idiot admin trained them to do character substitution or worse (like the keyboard smack). Although I must admit, I make service passwords 4 keyboard smacks or more with salt.

Re:This is too simple to fix (3, Interesting)

Kvasio (127200) | more than 2 years ago | (#40047529)

because "This chicken tastes like shit!" password is more or less a "5-character password", but characters are selected not from ~26 but from say 50000.

My guess is that after the referred xkcd strip brute force algorithms also put more emphasis on natural language sentences, etc.

Re:This is too simple to fix (0)

Anonymous Coward | more than 2 years ago | (#40047597)

I am not sure how you consider this a 5 character password. The breakdown in usage is:
4 spaces(special character)
4 i
3 s
3 h
3 e
3 t
2 c
2 k
1 T
1 n
1 a
1 s
1 l
1 ! (special character)

A lot more than 5. That's 14 unique characters in that phrase.

Re:This is too simple to fix (1)

sexconker (1179573) | more than 2 years ago | (#40047719)

The characters are "words in a dictionary" not "glyphs on a keyboard".

But when cracking a password, you look at "words morons on the internet use a lot" and there are probably closer to 5000 of those (compared to 50000 regular words). Combine with noun / verb / article classes and weight words with frequency and you can narrow that down to a LOT less in practice.

Pass phrases are dumb.

Re:This is too simple to fix (0)

Anonymous Coward | more than 2 years ago | (#40047725)

Each word is a "character".

Re:This is too simple to fix (1)

Anonymous Coward | more than 2 years ago | (#40047841)

So the " " and "!" or the case sensitive "T" do not count as additional words?

Re:This is too simple to fix (1)

hawguy (1600213) | more than 2 years ago | (#40047741)

I am not sure how you consider this a 5 character password. The breakdown in usage is

...

A lot more than 5.. That are 14 unique characters in that phrase.

Because there are 5 unique tokens:

this
chicken
tastes
like
shit
! (actually 6 tokens including this special character).

But I don't think it's true to say that each token is drawn from a pool of 50,000. These are common English words that probably exist in a dictionary of 1000 common words. A strong password would use less common words:

        the aforementioned fowl has a sapidity analogous to excrement

but you really don't want a complete sentence since grammar rules could be used to brute force it, so just put the words together without proper grammatical structure:

        aforementioned fowl sapidity analogous excrement

But, of course, this makes it harder to memorize

Re:This is too simple to fix (0)

Anonymous Coward | more than 2 years ago | (#40047717)

Why use English when there are 10,000+ characters in Chinese? Pick another language or symbol if you want.
Combine that with the order you write/draw the character on a touch pad, and that's countless combinations.

Re:This is too simple to fix (2, Interesting)

sexconker (1179573) | more than 2 years ago | (#40047683)

Every time I see a password like this "12ol3jkh!!asrdfw9g8" or "^TFGY78UH" I want to vomit. Why not make your password something like "This chicken tastes like shit!"

Because 12ol3jkh!!asrdfw9g8 is a good password and This chicken tastes like shit! is a terrible password.
Please quote that XKCD comic all you like, it doesn't make it right.

"Entropy" (can we please stop misusing this word?) is only a useful measure of password strength if you're brute forcing.
Password crackers employ methods that are a teeny bit more sophisticated than brute forcing.

Re:This is too simple to fix (0)

Anonymous Coward | more than 2 years ago | (#40047723)

I was not quoting the comic at all actually. From an entropy standpoint, there is little difference in the two passwords.

Re:This is too simple to fix (1)

spazdor (902907) | more than 2 years ago | (#40047737)

Why exactly do you think 'entropy' is the wrong word? It's a pretty well-formed concept in information theory.

Re:This is too simple to fix (1)

gtbritishskull (1435843) | more than 2 years ago | (#40047813)

Depends on how you define a "good" password. If I have to store my passwords in a note-taking program on my phone (probably without any encryption), then how "good" are they really? Or on a post-it note stuck on the monitor. Or written on the bottom of the keyboard. That is the fine line you have to walk with security. You want to make it as hard as possible for the bad guys, but that adds complication/inconvenience for your customers. And if you make it too inconvenient, then your customers will circumvent it and add new points of entry for the bad guys.

Re:This is too simple to fix (0)

Anonymous Coward | more than 2 years ago | (#40047831)

"Entropy" (can we please stop misusing this word?)

The word "entropy" is being misused to the extent that you don't recognize its correct usage [wikipedia.org] anymore. Message to all nerds: check out Claude Shannon [wikipedia.org] if you haven't already.

testing the password (0)

Anonymous Coward | more than 2 years ago | (#40047393)

I'm not sure who's wrong or right

http://www.wolframalpha.com/input/?i=password+strength+correcthousebatterystaple

Re:testing the password (1)

del_diablo (1747634) | more than 2 years ago | (#40047557)

It's not a good calculator either:
Compare a Scandinavian sentence with a number in it [wolframalpha.com] with Same text with the number written [wolframalpha.com] . This clearly shows us that the XKCD scheme is more than good enough. And we can still add in things like spaces, underscores instead of spaces, and replacing letters with numbers.

Re:testing the password (1)

JonySuede (1908576) | more than 2 years ago | (#40047605)

they are in conflict with themselves:
security:6 weak
entropy: 117.5 bits
but try that one:
http://www.wolframalpha.com/input/?i=password+strength+Correct_house_battery_staple [wolframalpha.com] :
security: 151 very strong
entropy: 185.4 bits

Re:testing the password (1)

JonySuede (1908576) | more than 2 years ago | (#40047617)

there was a dot that disappeared at the end of the url

Re:testing the password (0)

Anonymous Coward | more than 2 years ago | (#40047637)

I don't consider anything from Wolfram Alpha correct.

Re:testing the password (4, Funny)

JustOK (667959) | more than 2 years ago | (#40047729)

wait for the beta

XKCD (0, Informative)

Anonymous Coward | more than 2 years ago | (#40047401)

The problem I have with that comic is that the "strong" password is lowercase only.

Sure, it's 28 characters, but it's still lowercase only.
That makes it a lot weaker, no? I personally use a 17 character long password (for anything important) at this time, being somewhat random and including lowercase, uppercase, numbers and special characters. If there is one thing I have seen from hashtables, it's that adding in special characters makes it a lot harder, and sometimes outside the realm of possible.
Never mind that if you know the person is using special characters, you still gonna have a lot longer time cracking, if you know he is only using words, with the help of dictionary attacks you gonna run through them a lot faster.

Oh, and the way I manage to remember my long password is that I take the short, I assume random, passwords that I have been forced to remember for a few years, like for school, and add those together with a special character in between. Makes it very doable to remember.

Re:XKCD (4, Informative)

spazdor (902907) | more than 2 years ago | (#40047481)

Sure, it's 28 characters, but it's still lowercase only.
That makes it a lot weaker, no?

It makes it weaker by a factor of about 2^28.
Which sounds like a lot, but when the lowercase password space is already 26^28, it's not much.

XKCD's math is sound.

Re:XKCD (0)

Anonymous Coward | more than 2 years ago | (#40047563)

It makes it weaker by a half. Which is definitely a lot. That roughly halves the time that it would take to crack and doubles the likelihood of randomly guessing the password. The only thing going for it is that you don't know that it's only lower case letters.

Re:XKCD (3, Interesting)

spazdor (902907) | more than 2 years ago | (#40047621)

No, it would be "weaker by half" if the alternative was a single capital letter at the beginning of the password.

In fact, the alternative is that any, some, or all of the 28 characters could be capitalized or not.

So the first character halves the password's strength if it is predictably lower-case.
and the second halves it again.
and so does the third.

Incidentally, halving or doubling the key space is not "a lot," not by any cryptologist's standards.

Re:XKCD (4, Interesting)

baileydau (1037622) | more than 2 years ago | (#40047699)

The only thing going for it is that you don't know that it's only lower case letters.

I think this is a very important point that lots of people overlook.

By prescribing the use of various character classes, you are actually weakening the password.

A proper password should allow the use of those classes, but not prescribe them.

When I was a kid, we had a game called "Mastermind". One person selected various coloured buttons and hid them behind a screen. The other person had to guess the colours / sequence.

We had various house rules about difficulty levels. One of the easiest ones was if they had to tell you the pattern. eg:
* double colour
* blank
etc

Same thing with passwords
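spazdor's "2^28, not a halving" and baileydau's Mastermind point (a policy that prescribes character classes tells the guesser which patterns to skip) can both be put in numbers. The following is an added example, my code rather than anything from the thread, that counts with inclusion-exclusion how many strings of a given length over printable ASCII actually contain every class a policy demands, and therefore how many bits the policy hands the attacker compared with merely allowing those classes. The class sizes (26/26/10/33) are the standard printable-ASCII split; the function names are mine.

```python
import math
from itertools import combinations

# Printable ASCII split into the classes a typical policy names (26+26+10+33 = 95).
PRINTABLE_CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def count_strings_with_all_classes(length: int, class_sizes: dict) -> int:
    """Number of strings of the given length, over the union of all classes,
    that contain at least one character from EVERY class. Inclusion-exclusion
    over the set of classes that are absent: for each subset of k absent
    classes, count strings over the remaining pool and alternate the sign."""
    sizes = list(class_sizes.values())
    total_pool = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(range(len(sizes)), k):
            pool = total_pool - sum(sizes[i] for i in missing)
            count += (-1) ** k * pool ** length
    return count


def policy_bits_lost(length: int, class_sizes: dict) -> float:
    """Bits by which the keyspace shrinks when a policy PRESCRIBES every class
    (a guesser can skip all strings that lack one) versus merely allowing them."""
    total = sum(class_sizes.values()) ** length
    compliant = count_strings_with_all_classes(length, class_sizes)
    if compliant == 0:
        return float("inf")  # the policy cannot be satisfied at this length
    return math.log2(total / compliant)


def case_bits_gained(letters: int) -> float:
    """Known-lowercase versus independently cased letters: one bit PER letter
    (2^28 for 28 letters, as spazdor says), not a single halving."""
    return letters * (math.log2(52) - math.log2(26))


if __name__ == "__main__":
    for n in (4, 8, 12):
        print(f"length {n}: 'must contain all four classes' costs "
              f"{policy_bits_lost(n, PRINTABLE_CLASSES):.2f} bits")
    print(f"28 letters, lowercase known vs unknown: {case_bits_gained(28):.0f} bits")
```

For 8-character passwords the "must contain every class" rule discards a little over half of the 95^8 strings, about 1.1 bits. The larger loss baileydau describes is not captured by this count: once users are told where to put the capital and the digit, the compliant strings are not drawn uniformly, and the effective space is far smaller than the count suggests.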

Re:XKCD (2)

aztracker1 (702135) | more than 2 years ago | (#40047487)

I will usually do something that is a short phrase, separated by hyphens or spaces, with the first letter capitalized, and one of the words l33tified. Tends to work very well with 12+ character passwords. Though I've been considering doing something new using a generator.

I really wish that more places would simply let you use a long password, and use confidence testing with something like this, or like the Wolfram Alpha algorithm for password strength. I get sick when I'm limited in length, or need certain characters, or others are disallowed. Anything in the ASCII 32-126 range should be allowed, with the input trimmed so leading/trailing spaces aren't included. (For that matter, if you can use UTF-8, do it, again trimming, and eliminating control characters (<ASCII 30).)

Re:XKCD (3, Informative)

Zocalo (252965) | more than 2 years ago | (#40047539)

Well, you can probably blame Little Bobby Tables [xkcd.com] for that. Depending on the programming language there are plenty of "control characters" in the ASCII 32-126 range, and it's much easier when deadlines are pressing to just restrict input to alphanumerics than try and sanitize against passwords that contain some variant of "'); drop table students;"

Re:XKCD (0)

Anonymous Coward | more than 2 years ago | (#40047601)

sanitize against passwords that contain some variant of "'); drop table students;"

Uh...methinks you're doing it wrong. What if I wanted "'); drop table students;" to be my password??

We had to reject several applicants because when asked how to prevent SQL injection, they said "Strip out words like UPDATE, DELETE, INSERT" ... well, what if we want to use those words??

Re:XKCD (2)

sexconker (1179573) | more than 2 years ago | (#40047743)

sanitize against passwords that contain some variant of "'); drop table students;"

Uh...methinks you're doing it wrong. What if I wanted "'); drop table students;" to be my password??

We had to reject several applicants because when asked how to prevent SQL injection, they said "Strip out words like UPDATE, DELETE, INSERT" ... well, what if we want to use those words??

Parameterize user input and stop worrying about SQL injection. This isn't 1992.

Re:XKCD (2)

Zocalo (252965) | more than 2 years ago | (#40047791)

The problem isn't the use of the phrase "drop table students" so much as programmers under pressure, or just being lazy, having to code for the use of characters like semi-colons, brackets, braces, pipes and all those other symbols that tend to cause problems if not correctly handled when returned in a variable. It's an even more tricky situation if the person coding the password input routine is not the same one coding the authentication routine, which happens quite a lot on large projects. It's much easier to code a simple "if password contains {list of symbols} then reject password" than it is to escape each of those symbols and then liaise with everyone else who is using the password variable to make sure they can deal with the escaped characters.

Of course, if it were understood that the password input routine was going to immediately hash the password into a suitably safe string and that was what would be returned in the password variable, then most of these problems simply go away.
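sexconker's "parameterize user input" and Zocalo's "hash it immediately" are the two halves of the same fix, and together they make the Bobby Tables password a non-issue. The following is an added example (my code, not from either commenter, using Python's sqlite3 and hashlib) in which a user registers with the literal password "'); drop table students;": the password reaches the database only as a salted PBKDF2 digest, the username is passed as a bound parameter, and the students table survives. Table and column names are mine; the iteration count is an assumption.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted, deliberately slow hash; what gets stored never contains the
    user's own characters, so nothing downstream has to escape them."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, "
                 "salt BLOB NOT NULL, digest BLOB NOT NULL)")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT)")
    return conn


def register(conn: sqlite3.Connection, name: str, password: str) -> None:
    # The ? placeholders hand the values to the driver separately from the SQL
    # text, so "'); drop table students;" is just data and is never parsed as
    # SQL. The broken variant is string-building:
    #   "INSERT INTO users VALUES ('" + name + "', ...)"   <- never do this
    salt = os.urandom(16)
    conn.execute("INSERT INTO users (name, salt, digest) VALUES (?, ?, ?)",
                 (name, salt, hash_password(password, salt)))
    conn.commit()


def verify(conn: sqlite3.Connection, name: str, password: str) -> bool:
    row = conn.execute("SELECT salt, digest FROM users WHERE name = ?",
                       (name,)).fetchone()
    if row is None:
        return False
    salt, digest = row
    # Constant-time comparison of the stored and recomputed digests.
    return hmac.compare_digest(digest, hash_password(password, salt))


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                       (table,)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = create_db()
    bobby_pw = "'); drop table students;"
    register(db, "bobby", bobby_pw)
    print("login ok:", verify(db, "bobby", bobby_pw))
    print("students table still there:", table_exists(db, "students"))
```

The symbol blacklist Zocalo describes is unnecessary under this design: the only place the raw password exists is the argument to hash_password, and every other routine sees a fixed-length digest.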

Re:XKCD (2)

Beryllium Sphere(tm) (193358) | more than 2 years ago | (#40047491)

The OED Second Edition contains entries for 171,476 words.

If you choose at random from the complete set, there are 8.6E20 possible four-word passphrases.

This is enough to rule out brute-forcing. But notice of course that both assumptions are critical. An average person doesn't have a 171,476 word vocabulary and humans can't make genuinely random choices.

I recommend the Diceware system: a list of 6^5 short words, from which you select each word of your passphrase by rolling five dice.

All of which addresses the wrong problem. Online guessing can be suppressed with rate limits on login attempts. Offline guessing is greatly hindered by adequate salting of the hashes. Today's most dangerous threat is phishing (well, that and password reuse, but that's a related problem).

Re:XKCD (1)

fiziko (97143) | more than 2 years ago | (#40047561)

This is enough to rule out brute-forcing. But notice of course that both assumptions are critical. An average person doesn't have a 171,476 word vocabulary and humans can't make genuinely random choices.

True, but humans can download large electronic dictionaries and use a computer to pick, say, 4-8 words at random. Since that XKCD came out, I've used a non-random 35 character string followed by one of my old 8 character gobbledegook passwords as a new 43 character password that I can remember. Takes time to type, but I figure it's the "best of both worlds" for security. Unfortunately, a lot of websites I've tried to do this with have an upper limit on password length that is shorter than this.

Re:XKCD (0)

Anonymous Coward | more than 2 years ago | (#40047493)

The problem I have with that comic is that the "strong" password is lowercase only.

Then you're missing the point. Adding in special characters and casing would, of course, add more entropy to your password but even a string of four common words is significantly stronger than a 17 character password with random letters and symbols. The point of the comic is that the passwords we've trained ourselves to use are very difficult for a human to remember, and very easy for a computer to guess, whereas nonsensical normal language sentences are much easier for humans to remember and much harder for computers to guess.

Re:XKCD (0, Interesting)

Anonymous Coward | more than 2 years ago | (#40047609)

But it's not?

It's 4 WORDS

that is extremely important. You can use a dictionary attack on words. Not on random characters.
A dictionary attack rules out a lot of tries. A huge lot.

While I don't doubt that his math is in essence correct, I doubt that he takes care of the fact that this is words vs random characters. That said, his example of the other password was a word as well, so that's not exactly a lot better.

Of course, you still have to know your user is using 4 words. But on the average site, anything harder than the easiest 50% is probably enough to keep yourself safe. Why would you waste a lot more time as an attacker breaking the lot harder passwords than all the simple ones that are up for grabs. But even then, a dictionary attack isn't exactly that much more effort. While the password is a lot longer, it requires a lot less possible combinations. And if you allow users to use dictionary words, they are going to choose easy ones. All in all. I still doubt that it would be a lot better to use his kind of passwords. In the end, if you want your password to be hard to guess for others, you gonna have to make it hard enough for yourself as well.

Re:XKCD (1)

spazdor (902907) | more than 2 years ago | (#40047685)

I doubt that he takes care of the fact that this is words vs random characters.

Yes, he does.

Just a question: Do you actually understand what is meant by those "bits of entropy" tallies that he's counting using rows of squares? If you don't know about http://en.wikipedia.org/wiki/Shannon_entropy [wikipedia.org] then you're ill equipped to understand what this comic is trying to say.

Re:XKCD (0)

Anonymous Coward | more than 2 years ago | (#40047763)

You're wrong. Really. You don't understand what a dictionary attack is in detail. Putting four random words...

Oh, forget it. Let's keep it simple. Even if the dictionary was complete enough to handle password phrases of two composite "words," this would still be like trying to solve for two passwords at the same time. Just because the word is found in a regular dictionary does not mean a dictionary attack susses it out automatically.

Re:XKCD (2, Insightful)

hawguy (1600213) | more than 2 years ago | (#40047551)

The problem I have with that comic is that the "strong" password is lowercase only.

Sure, it's 28 characters, but it's still lowercase only.
That makes it a lot weaker, no? I personally use a 17 character long password (for anything important) at this time, being somewhat random and including lowercase, uppercase, numbers and special characters. If there is one thing I have seen from hashtables, it's that adding in special characters makes it a lot harder, and sometimes outside the realm of possible.
Never mind that if you know the person is using special characters, you still gonna have a lot longer time cracking, if you know he is only using words, with the help of dictionary attacks you gonna run through them a lot faster.

Oh, and the way I manage to remember my long password is that I take the short, I assume random, passwords that I have been forced to remember for a few years, like for school, and add those together with a special character in between. Makes it very doable to remember.

I think the point is that even with all lower case, it's still "good enough" and far better than a shorter password. Mixed case (assuming you capitalize the first letter of each word to keep it easy to remember) only adds one bit of entropy.

My problem with the xkcd scheme is that users are lazy and rather than pick 4 random words, they'll pick 4 words that are easy to remember in sequence: "haveityourway" "darksideofthemoon" "thesearenothtedroidsyourelookingfor", so with a phrase dictionary and some grammar rules, you still have a good chance at brute-forcing some user's passwords.

Re:XKCD (5, Insightful)

spazdor (902907) | more than 2 years ago | (#40047701)

My problem with the xkcd scheme is that users are lazy and rather than pick 4 random words, they'll pick 4 words that are easy to remember in sequence: "haveityourway" "darksideofthemoon" "thesearenothtedroidsyourelookingfor", so with a phrase dictionary and some grammar rules, you still have a good chance at brute-forcing some user's passwords.

You could perform this attack using Google's autocompletion database as a dictionary.

Re:XKCD (1)

nzac (1822298) | more than 2 years ago | (#40047829)

The problem I have with that comic is that the "strong" password is lowercase only.

I doubt Randall intended to make it an example of how to choose a password.
He made it to demonstrate that password policies are poor and alphanumeric passwords with special characters do not guarantee strength (as most people get taught).
Probably most significantly he wanted to say users suck at choosing a good password; they don't have a clue about what they are trying to stop. The number of tech people who think common substitutions make the password exponentially harder to crack is too high.

Wrong (2, Insightful)

DarkOx (621550) | more than 2 years ago | (#40047415)

The trouble with the pass phrase concept is that the whole words just become tokens. Most people's vocabulary is not that large. You could use a common spelling dictionary and toss in the like substitutions 0 for o excetra and you don't really have a key space much larger than normal 7 character or so passwords offer

Re:Wrong (1)

del_diablo (1747634) | more than 2 years ago | (#40047511)

Well, a "common" dictionary is still 200-300 words. And you can also use the name of a pet. So that is an X variable that is fairly large. So basically we have 300*300*300*300*X, and X is most likely larger than 500. It's still a lot of passwords, and then we have the spelling mistakes, writing the words as they are literally spoken, and a lot more. Just replacing e with 3, i or l with 1 and 0 with o is just more noise to the pattern.
Basically: XKCDs multiple word scheme is secure enough if its long enough. Just like normal passwords.

Re:Wrong (1)

gman003 (1693318) | more than 2 years ago | (#40047851)

It's best if the words are truly* random. Don't come up with them yourself - flip through a dictionary and pick random long-enough words, or better yet, use a computer program. Most estimates place the number of words in the English language at about a million. Even if you conservatively assume only 10% are long enough to be used in a password, four fully random words come out to 100,000,000,000,000,000,000 potential passwords (10^20), and if you throw in randomly capitalizing first letters, it goes up to 1,600,000,000,000,000,000,000 (20^20).

This probably spikes even faster if you use multiple languages, although that probably only works for people fluent in multiple languages. Still, a bilingual 4-word password would easily be in the 10^22 range, possibly much higher if which languages those are is not known.

Re:Wrong (5, Funny)

LordLucless (582312) | more than 2 years ago | (#40047521)

Of course, your fiendishly clever non-standard spelling of et cetera would fool any such dictionary attacks.

Re:Wrong (1)

jmottram08 (1886654) | more than 2 years ago | (#40047655)

And then you remove the reason to use pass phrases to begin with. Read the XKCD linked.

Re:Wrong (0)

LordLucless (582312) | more than 2 years ago | (#40047759)

Either you missed the joke, or you meant to reply to the parent.

Re:Wrong (4, Informative)

wrook (134116) | more than 2 years ago | (#40047569)

The average adult that has been to University knows 20,000 head words. A head word is a group of words with essentially the same meaning. For example, expect, expectation, is expecting, etc are all one head word. 26^7 is a little bit over 8x10^9. If a user picks 4 headwords for their passphrase, the search space is 20000^4 or 1.6x10^17. And that's if we just use headwords. If the user uses variations the search space is rather huge.

You might say that 20,000 headwords includes a lot of strange vocabulary. But for instance, to get 95% vocabulary coverage in reading a newspaper you need just under 16,000 headwords. However, even if we restrict vocabulary to the most common 5,000 headwords (the average vocabulary of a 5 year old) we get a search space of 6.25x10^14.

XKCD style passphrases are dramatically more robust than a 7 character alphabetic password.

Re:Wrong (0)

Anonymous Coward | more than 2 years ago | (#40047585)

Yeah, they're not doing it right.
Yeah, they're not doing it right!
Yeah. They're not doing it right.
Yeah! They're not doing it right.
Yeah! They're not doing it right.
yeah, they're not doing it right.
yeah they're not doing it right
yeah theyre not doing it right
yeah. they're not doing it right!

Get the picture? A passphrase can be rather short but still extremely complicated if done right. But yeah, if they're just typing a bunch of lowercase words with no punctuation, it's not very effective.

Re:Wrong (1)

sexconker (1179573) | more than 2 years ago | (#40047765)

EFWWH!Bypc,IaCP!

1 bitcoin to anyone who can tell me what that means.

Re:Wrong (0)

Anonymous Coward | more than 2 years ago | (#40047661)

Still much better complexity. From 26 chars to 36, 62 if it's case sensitive, then throw in special chars... Even the leet speak method adds a significant level of complexity.

Besides, what system doesn't temp ban after 3-5 attempts? Short of testing against a hash file, your problem isn't coming from brute force.

Re:Wrong (1)

Belial6 (794905) | more than 2 years ago | (#40047819)

Add to that the fact that you wouldn't even need to use the person's entire vocabulary.

Re:Wrong (4, Insightful)

pongo000 (97357) | more than 2 years ago | (#40047919)

The trouble with the pass phrase concept is that the whole words just become tokens. Most people's vocabulary is not that large.

That's why you use a standardized list of tokens (mostly words, but some non-word tokens as well) such as Diceware [std.com] . With 7776 tokens, the keyspace is far larger than the "normal 7 character" password. The trick is to ensure that you are choosing the tokens randomly. You can use dice, your favorite random number generator [random.org] , etc. I use several 4- and 5-token passphrases that I have remembered literally for years, each one unique. Type them enough times, and muscle memory takes care of the rest. Even after a period of non-use, it amazes me how my fingers will remember the passphrase but yet I can't recall the passphrase itself.
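Beryllium Sphere describes the Diceware procedure (a list of 6^5 = 7776 words, each chosen by rolling five dice) and pongo000 stresses that the point is choosing the tokens randomly rather than from your own vocabulary. The following is an added example, my code and not from Diceware or either commenter, of the selection step done with the operating system's CSPRNG: the dice key, its mapping to a list index, and the per-word entropy that follows from the list size alone. SAMPLE_WORDS is a constructed ten-entry stand-in; with a real 7776-entry list the dice key indexes it directly.

```python
import math
import secrets

# Constructed stand-in for a word list. A real Diceware list has 6**5 = 7776
# entries, one per possible five-dice key (assumption for the demo only).
SAMPLE_WORDS = ["aforementioned", "fowl", "sapidity", "analogous", "excrement",
                "correct", "horse", "battery", "staple", "chicken"]


def dice_key(rolls: int = 5) -> str:
    """Roll five dice with the OS CSPRNG (not random.random(), and not a human
    'picking at random'); returns a Diceware lookup key such as '31452'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(rolls))


def key_to_index(key: str) -> int:
    """Map a dice key to a list index by reading the digits 1-6 as a base-6
    number: '11111' -> 0, '11112' -> 1, ..., '66666' -> 7775."""
    index = 0
    for digit in key:
        if digit not in "123456":
            raise ValueError(f"not a dice digit: {digit!r}")
        index = index * 6 + int(digit) - 1
    return index


def passphrase(wordlist, n_words: int) -> str:
    """Uniform, independent draws from any list. With a 7776-entry list this is
    exactly wordlist[key_to_index(dice_key())] repeated n_words times."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words uniform draws: log2(list_size) per word (about 12.9
    bits for Diceware), regardless of how long or obscure the words are."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    key = dice_key()
    print(f"dice key {key} -> index {key_to_index(key)} of 7776")
    print(f"5 Diceware words: {passphrase_bits(7776, 5):.1f} bits")
    print("sample phrase from the constructed list:", passphrase(SAMPLE_WORDS, 4))
```

The entropy figure comes from the list size and the number of words only, which is why the dice (or secrets) matter: a user who "picks" five words from the same list gets the same-looking phrase with none of that guarantee, which is DarkOx's vocabulary objection in another form.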

8fri)st psot!? (-1)

Anonymous Coward | more than 2 years ago | (#40047441)

First, you have to Share. *BsD is

On the other hand, they could (0)

Anonymous Coward | more than 2 years ago | (#40047443)

at the very least, just show what the password requirements were.

Terrible password policies (5, Insightful)

bu11d0zer (1074683) | more than 2 years ago | (#40047445)

Any password policy that basically forces you to write down your password somewhere is broken. Sure, you can use a password vault but that's cumbersome for the various dozens of passwords strewn about the web and on mobile devices. But my biggest gripe is sites that lock you out (requiring a phone call) after 3 incorrect guesses. I could understand 100 incorrect guesses, but 3 guesses is not enough to recall a password when you have not used it in several months. One hundred guesses by a computer/hacker is nothing compared to the full password space.

What puzzles me... (3, Informative)

jbwolfe (241413) | more than 2 years ago | (#40047461)

...is why is it all so difficult to come up with some scheme to secure internet accessible resources. Corporate policy for me requires password changes every 90 days and disallows any of the last eight passwords, and requires the use of letters and numbers. Effectively, I'm forced to write it down, negating all their efforts at obscurity. When will some bright CS geek invent a real solution to this problem? Is it that hard? Can't it be as simple as probing me for dynamic info that only I would know? How about visual methods: ask me who's in this picture of my co-workers or what is this family snapshot from my past, etc.?

Re:What puzzles me... (1)

DragonWriter (970822) | more than 2 years ago | (#40047537)

why is it all so difficult to come up with some scheme to secure internet accessible resources.

It's not.

It's hard to come up with a scheme to do all of the following simultaneously:
* Secure access to internet accessible resources from unauthorized use,
* Permit access to internet accessible resources to authorized use,
* Have a low per-user cost to implement and support
* Be convenient for common users

Can't it be as simple as probing me for dynamic info that only I would know?

If it's dynamic (rather than static, in which case it's effectively just a password with a -- possibly visual -- hint), and only you know it, how is the system going to get the correct answer in order to probe you for it?

Re:What puzzles me... (0)

Anonymous Coward | more than 2 years ago | (#40047559)

Well, do you think your methods would work very well? If not, then maybe the reason why nobody comes up with a new method without a problem is because there are some problems.

For example, identifying people in a picture. For starters, you would have to give the site/corporation/whatever pictures of your family. Anybody who happens to know you and your family could also use it to log in. Passwords don't just protect you from some outside hackers, they also protect you from people that know you trying to access your stuff. If you have to know somebody's password, social engineering already works very well; if the only thing you have to do is name their family, you will be done very fast. Just go to Facebook.

Passwords ideally contain nothing linked to you. No date of birth, not your name reversed, no nothing. For a strong system to provide access to only a specific person, that is somewhat necessary. If the password is something that can be linked to you, then some other people may be able to figure it out quickly.

I assume that biometrics will be what takes over from passwords. They are reasonably secure, in the fact that they shouldn't be able to use your biometrics without your knowledge (they could cut off your finger of course).

There are some compromises to be made. If you want a password that other people wouldn't be able to guess, then maybe you're gonna have to get one that isn't extremely easy for you as well. That said, a combination of multiple systems may make it easy for you but hard for them. Say we use your picture system, but instead of just having to enter their name you have to enter their name + a somewhat easy password before it lets you in; that would stop scripts running through the password while also stopping people that know you. But then we return to the problem of, what are you willing to let a site know about you just to have an easy password?

Re:What puzzles me... (1)

Daniel_Staal (609844) | more than 2 years ago | (#40047565)

If they know it, it's not something 'only you would know' (or it's a password, effectively). Family or coworker snapshots can be defeated with a bit of time on Facebook. Etc. The article above seems to think switching to a physical token is a solution - effectively switching from a combination lock to a keyed one. Which works in a controlled, corporate environment.

But the problem is fairly complex: You need to come up with a simple, secure, easily implemented, quick way to distinguish a human from a machine, and one human from another. Oh, and it needs to be accessible: your visual idea only works if the person you are trying to verify isn't blind. (Even temporarily.) Security in general has been a problem for as far back as at least the Romans, if not further; there's a lot of value in breaking the other side's security, and a lot of value in not having them break yours. (Heck, I've seen tribal huts using the traditional design that had locks on their doors, though they don't look like what you'd think of as locks.)

Re:What puzzles me... (0)

Anonymous Coward | more than 2 years ago | (#40047671)

I have over 300 logins with more being added regularly because of all the web 2.0 bullshit.

Unless I start giving up entire days to maintain my passwords it's not going to happen. I've tried in the past and it takes forever to change that many logins, even with a proper password manager.

Some more fun passphrases (1)

Anonymous Coward | more than 2 years ago | (#40047471)

sandra bullock upload virus
good luck with that i have a zero balance
cowboy neal is the joke reply

You'll have to imagine there are no spaces, because it won't pass the /. filters as a concatenated string.

We do this at work (1)

smartin (942) | more than 2 years ago | (#40047483)

i.e. 7 characters, one must be a non-letter or a capital.
The result is that people like me choose passwords that are keyboard patterns that anyone could guess if they watched me type it.

It isn't that passwords are a dead end. (0)

Anonymous Coward | more than 2 years ago | (#40047495)

Passwords are fine - they are the only thing that identifies the mind behind the input device (as long as you aren't stupid about it).

Especially since everything else is worse.

Biometrics suffer many flaws.
Fingerprints - easily duplicated. Blood flow patterns - a bit harder.

Both fail if you get a bad cut/scar on the finger.

Facial recognition? - just use a photo - or better yet, a bust with color added (especially now that people are using them for avatars). As long as the image has a higher resolution than the camera being used, not much of a problem.

Retina/iris scan? Bit tricky, but can be duplicated on a glass eye. Again, need a higher resolution than the scanner/camera.

The main problem is... (5, Insightful)

k3vlar (979024) | more than 2 years ago | (#40047501)

The main problem is indeed the policies. While I (mostly) agree with the main statements TFA makes, I have my own note to add:

My bank's website enforces a MAXIMUM length. I'd love to have a password like "c0rr3c7 h0r53 b4773ry st4p13", but I can't use more than 6 characters.
Yes, you read that right. 6 characters. Maximum.

I fear for my online bank info constantly .
Why would there ever be a reason to enforce such a small maximum length? I don't get it.

Re:The main problem is... (0)

Anonymous Coward | more than 2 years ago | (#40047629)

LEGACY!

Re:The main problem is... (4, Insightful)

John Hasler (414242) | more than 2 years ago | (#40047645)

> I fear for my online bank info constantly .

And yet you continue to deal with that bank. Why?

Re:The main problem is... (1)

del_diablo (1747634) | more than 2 years ago | (#40047691)

Getting a new account and transferring everything is always a mess. It's hard to do. Human nature at its best.

Re:The main problem is... (1)

nzac (1822298) | more than 2 years ago | (#40047721)

Did you understand the XKCD comic?
The whole idea is random. Those similar-looking numeric substitutions are binary at best, adding 13 bits at best.
It's hard to remember the ones you chose, and if you chose all of them you would only add 1 bit.

Re:The main problem is... (0)

Anonymous Coward | more than 2 years ago | (#40047757)

My credit card forces only 4 numeric characters on their "smart" chip...

Re:The main problem is... (1)

maglor_83 (856254) | more than 2 years ago | (#40047825)

Mine used to be like that.

Exactly 6 characters.
First 2 must be alpha.
Last 4 at least 2 consecutive digits.
No special characters.

Fortunately they've changed that now.

Typos (1)

Xian97 (714198) | more than 2 years ago | (#40047507)

The problem with XKCD style passwords is the more characters in a password, the more likely I am to make a typo while entering it. I mistype a typical 8 character password a couple times a day. I can imagine what it would be like with a 25 character password.

Re:Typos (1)

gtbritishskull (1435843) | more than 2 years ago | (#40047881)

I feel that I am more likely to mistype weird capitalizations, numbers, and symbols than a much longer string of words with (possibly) normal punctuation.

Passwords DO suck (0)

Anonymous Coward | more than 2 years ago | (#40047513)

...It's too bad there's no way for two hosts to authenticate on a pre-shared key system with a public half and private half for each key, so bob and alice trade public keys and can communicate safely even if eve has both public keys....

Re:Passwords DO suck (0)

Anonymous Coward | more than 2 years ago | (#40047573)

It's too bad that Alice can't know that Bob really is Bob without talking to Carol who Bob talked to first and then having to trust Carol and that Alice still has to keep her key secure from Dave with something, usually a PASSWORD and so on.

But I'm sure you can fix the whole PKCS infrastructure mess with the power of glibness.

Re:Passwords DO suck (1)

hawguy (1600213) | more than 2 years ago | (#40047619)

...It's too bad there's no way for two hosts to authenticate on a pre-shared key system with a public half and private half for each key, so bob and alice trade public keys and can communicate safely even if eve has both public keys....

I'm not sure what problem you think you're solving with public key cryptography, but it still doesn't remove the password problem. Most people will still want their key to be protected by a passphrase (or some other method that keeps anyone with access to the computer from using it), so passwords won't go away even if everyone uses cryptographic keys to identify themselves.

Re:Passwords DO suck (4, Insightful)

sexconker (1179573) | more than 2 years ago | (#40047815)

All digital security boils down to the key sharing problem.

And the key sharing problem is "solved" in practice thusly:

Server: O hai! Give me your infos! Here's my certificate.
Computer: Warning! This certificate is not trusted!
User: Ignore warning, add certificate.
Computer: K.

OR

Server: O hai! Give me your infos! Here's my certificate.
Computer: This certificate is trusted because VeriSign totally vouches for these guys.
User: VeriSign?
Computer: Yeah yeah, we totally trust VeriSign. I mean, we've never met them, we don't know their policies, and we rely on VeriSign to tell us if their shit gets stolen, and we basically have no recourse if shit goes wrong, but we trust them.
User: K.

Nobody ever actually checks to see if something is legit because they want it to be painless and automatic. I'd love to be able to go to bank.com and view the certificate, then call the number on my credit card (or go in to an actual bank location) and see if the certificate matches up.

Wow... (5, Insightful)

NoMaster (142776) | more than 2 years ago | (#40047589)

Congratulations on winning the Slashdot trifecta - you managed to invoke the GPL, cite XKCD, and slashvertise your own project all in one!

Fix what? (1)

OldHawk777 (19923) | more than 2 years ago | (#40047627)

Pwds will always be an easy security bad idea, because by the time a new pwd sec-theme is common, cracks have been in place for about five years.

We need to get past crazy/silly pwds to non-human-dependent security. It will cost a little more, but increased productivity and better security will save oodles.

Pwds are in the trench of the Maginot-line of security, stop wasting time and money, get to bio-PKI and beyond. Easy (to manage/implement or cheap) security is bad security physically/virtually.

password managers make it easy (1)

w.hamra1987 (1193987) | more than 2 years ago | (#40047659)

they sure do make it a lot easier, with some downsides as well. i use keepassx on *nix, and keep a portable keepass on my USB thumb drive for windows computers. all my passwords are stored in it, all are 25 characters, with around 200 bits of entropy each. the only thing to worry about is the master password, which was created using keepassx's password generator as well. as long as i remember to exit it before leaving, or at least lock the computer, there's not much to worry about. all passwords different, all strong, and auto-type makes things very easy. the downside is... you don't really know any of your passwords, and become reliant on the program. that's why i keep at least 2 complex passwords committed to memory and use them for common stuff, like my email. it's quite embarrassing to sit by your university project partner, be asked to login to the university website, put hand in pocket, realize you forgot the thumb drive at home, and exclaim "i don't know my uni password at the moment".

I th1n5 1ts 2 l8 (0)

Anonymous Coward | more than 2 years ago | (#40047739)

I th1n5 1ts 2 l8

You can't check a passphrase like that (1)

arose (644256) | more than 2 years ago | (#40047747)

A computer can't tell if a passphrase is random or guessable; even a human wouldn't necessarily be able to. XKCD/Diceware style passphrases, however, are supposed to be easy to remember despite being completely random, so the proper course is to let the computer generate the passphrase.

Survival of the fittest (1)

Flipstylee (1932884) | more than 2 years ago | (#40047821)

I use about 9 different passwords ranging from the 6 or 7 characters i'm allowed up to the 20's,
i tier them by importance, so if i ever come into any shit, i know what accounts will need to be checked.

I'll also add that i lock my doors and windows, and own a gun, but because i don't have top notch Ub3r l33t h4xoring
skills or a LOIC, i use the best passwords i'm able.

Randomly-generated passwords (4, Interesting)

dskoll (99328) | more than 2 years ago | (#40047867)

I use randomly-generated passwords (generated by reading /dev/random) that are at least 16 characters wrong. I restrict the character set to [A-Za-z0-9] which is a touch under 6 bits per character, so I have about 95 bits of /dev/random-quality entropy.

The passwords are stored in a file encrypted with a long passphrase. The long passphrase is probably the weak link, but by not reusing passwords across different websites and using randomly-generated ones, I'm fairly well-protected if one of the sites I visit has its password file stolen.
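An added example (not dskoll's own code) of the generator described above: OS randomness reduced to the [A-Za-z0-9] alphabet. The caveat it shows is that 256 is not a multiple of 62, so mapping a byte with a plain modulo skews the first eight characters; rejecting the top eight byte values keeps every character equally likely, and 16 characters then carry 16 * log2(62), about 95 bits, as the comment states.

```python
import math
import os

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# Bytes at or above this limit are discarded (rejection sampling) so that the
# remaining 248 values split evenly, 4 per character, across the 62 symbols.
LIMIT = 256 - (256 % len(ALPHABET))  # 248


def byte_to_char(b):
    """Map one random byte to an alphabet character, or None if it must be rejected."""
    if b >= LIMIT:
        return None
    return ALPHABET[b % len(ALPHABET)]


def generate_password(length=16, rng=os.urandom):
    """Build a password from raw OS randomness; `rng(n)` must return n random bytes.

    os.urandom is used here in place of reading /dev/random directly."""
    out = []
    while len(out) < length:
        for b in rng(length):  # request a batch; rejected bytes are simply skipped
            c = byte_to_char(b)
            if c is not None and len(out) < length:
                out.append(c)
    return "".join(out)


def entropy_bits(length=16, alphabet=ALPHABET):
    """Entropy of `length` uniformly chosen characters from `alphabet`."""
    return length * math.log2(len(alphabet))


def naive_bias():
    """Return (most, fewest) hits per character when every byte value 0..255
    is mapped with plain `b % 62`: the first 8 characters are hit 5 times,
    the other 54 only 4 times, i.e. the first 8 are 25% more likely."""
    counts = {c: 0 for c in ALPHABET}
    for b in range(256):
        counts[ALPHABET[b % len(ALPHABET)]] += 1
    return max(counts.values()), min(counts.values())


if __name__ == "__main__":
    print(generate_password())
    print("%.1f bits" % entropy_bits())
    print("naive modulo hits per char (max, min):", naive_bias())
```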

Re:Randomly-generated passwords (1)

dskoll (99328) | more than 2 years ago | (#40047875)

16 characters wrong. long, of course. *sigh*

That reminds me (0)

Anonymous Coward | more than 2 years ago | (#40047883)

I need to pick up battery staples.
