I'm in the wrong job!
Like many will say here, it's stating the bleeding obvious.
Password1! = Great
jodfnbjiobioebvjiowrbvhuirbkomefbjonerinbkowmbvjibefirkobjoernobneriobvjklfnbjonfon = Bad
Password strength meters used during web sites' signup process remain incapable of doing their job, says Compound Eye developer Mark Stockley. Indeed, a majority of security experts consider the tools a useless control that grant little more than an illusion of protection. Stockley (@MarkStockley) revisited his examination of …
My company's website doesn't have any sort of password meter. I always thought them to be a bit suspect at the best of times. Nor does it limit choice of password characters.
What it does do though, is force a password length of 10 characters or more
It's about time we got rid of annoying character restrictions and focussed more on password length. The number of sites which still accept 6-character passwords is amazing.
Perhaps the obvious isn't good enough.
Back in the day, CompuServe generated a password for you, consisting of two unrelated words and something from the 'shift number' row on your keyboard. Same basic idea.
Besides, abc123-fart would be just fine. It doesn't take much to destroy a dictionary attack. They're not that sophisticated. Most of them are probably done by non-native English speakers or script kiddies anyway...
(But don't use 'fart' as it's probably going to go into a dictionary now.)
So go ahead and use your easily remembered password, then add something else that's unrelated with a shift-number figure in between.
There are lots of sites out there that seem to be stuck in the 1980's when an 8 character password would have been enough. Times have changed. Storage space is now so cheap we can afford for our users to have passphrases hundreds of characters long.
While correcthorsebatterystaple style passwords have some flaws they are still several orders of magnitude better than Password1. The other "solution" used by US government sites is to force the users to change their password every few weeks - this gives another illusion of security as many users simply increment the number at the end of the password or write it on the monitor - I saw someone enter Password35 a while back.
Personally I always use Passowrd1 ... (OK, I'm kidding).
"The other "solution" used by US government sites is to force the users to change their password every few weeks"
That's mainly to close or detect undetected breaches. Being forced to reset the password means either the hole gets closed as the user changes the password or the breach gets detected as the user is prevented from changing the password (because the crook did it first) and raises the alarm with IT.
@Being forced to reset the password means either the hole gets closed as the user changes the password or the breach gets detected...
It also means, especially since the users cannot use passwords similar to old ones (along the lines of Password34->Password35), that a (more) significant portion of the user population gives up on mnemonics and starts writing passwords down. The overall effect is that the probability of breach increases.
Thumbs up to the initial letters method.
I favour lines, couplets, or even stanzas from poems or Shakespeare plays. You can include punctuation, it's far more memorable than horses, batteries and staples, and it's moderately incomprehensible to anyone who doesn't know the source quotation. If numerics are required, it's easy to add a bit of 1337 substitution.
For example: Nadwh,nafn,4hcttrwh - long and obscure, yet absurdly easy to remember when you know the secret. You can probably guess it, but it may take a while.
"I favour lines, couplets, or even stanzas from poems or Shakespeare plays"
Most people would likely choose one of the most well known quotes, and they are susceptible to dictionary attacks. Great if you have an interest in and knowledge of more obscure quotations, but most people don't. One government dept I did work for assigned passwords to users, non-changeable by the users, and they were invariably the initials from common nursery rhyme lines. Randomly capitalising letters or adding unexpected punctuation would help if it's long enough. A personally memorable phrase that's not a literature quote would be even better.
The company I used to work for had two systems, both of which demanded you change your password every few weeks, usually at random times during the day when you were in the middle of something more important (like speaking to a customer), and which couldn't be anything you had used before or something similar (so if you had used Password1, then Password<n> was verboten).
Several of us got into the habit of changing the password on the first of the month (which reset the timer) and instead of trying to think of something secure we just used the date. March2015 was sufficiently different from April2015 etc, and of course wouldn't be used again! Since it ended up with half the office using the same password, the system obviously didn't recognise that this was going on!
Why they did this is unknown; it wasn't an environment where operator security was relevant.
"The funny thing about that xkcd is that instead of encouraging better passwords it has simply led to 'correcthorsebatterystaple' climbing up the most popular password lists!"
And what about those with terrible memories, who take that and end up instead mixing it up with "enginestapledonkeywrong" and getting all lost?
Passwords always have been difficult for the non-spellers.
I remember a group shared account where the password was set to 'pterodactyl'. The non-spellers were complaining within the hour.
It is better to write it down in e.g. a diary, rather than on a post-it note by the screen.
I thought of a very efficient hashing system. Only store the length of the password. Up to 65,535 character length can be identified in 2 bytes. Oh wait - 32,767 characters; it's signed. And, yes, I'm allowing password length zero; someone's going to want it. Pedants, I expect.
How long ago was XKCD/936?
Way back in the dark ages, I used passwords with about 60 bits of entropy, a long time before XKCD suggested that using something with 44 bits of entropy was a good idea, and now I'm happy using passwords with 150 bits of entropy (the XKCD scheme would require a dozen or more English words to match that); I guess our salvation is the good ole password safe.
Actually, given how many passwords I want (and how reluctant I am to use the same one twice) I'd probably have to use a password safe even to hold that many passwords with 44 bits each of entropy (even more so with 64 bits of entropy, which I believe is more like the correct number for a sequence of 4 English words than XKCD's underestimate); and once I'm doing that, I can use passwords as complex as I like, all I need to remember is a decent pass phrase (decent means more than 500 bits of entropy, and not using famous bits of Shakespeare or Chaucer or the like) in case someone gets access to my safe or its backup.
So I believe that the thing about passwords that needs rethinking isn't a switch from things we can't remember to things we can, but a switch to acceptance that passwords we can't remember are what we have to live with - I'm happy to remember one nice long pass phrase, but I'm not going to try to remember a hundred (and anyone who does try is crazy).
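The entropy arithmetic behind the figures in the post above (44 bits for four XKCD words, the "dozen or more" words needed to reach 150 bits, and the 64-bit figure for four words from a larger list), as an added worked example that is not part of the original thread. The list sizes are assumptions: XKCD 936 is taken to draw from a 2048-word list, and "64 bits for 4 words" implies a 65,536-word list.

```python
import math
import secrets

# Assumed list sizes (not stated on the page): XKCD 936 is usually read as
# drawing from ~2048 words (11 bits each); "64 bits for 4 words" implies a
# 65536-word list (16 bits each).
XKCD_LIST_SIZE = 2048
LARGE_LIST_SIZE = 65536


def bits_per_word(list_size: int) -> float:
    """Entropy of one word chosen uniformly at random from a list."""
    return math.log2(list_size)


def passphrase_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count independent random words from the list.

    This bound only holds when words are chosen by a random process
    (dice, secrets.choice); a quotation or rhyme line is guessable from a
    dictionary and has far less entropy than its length suggests.
    """
    return word_count * bits_per_word(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of random words reaching target_bits of entropy."""
    return math.ceil(target_bits / bits_per_word(list_size))


def generate_passphrase(word_count: int, wordlist: list) -> str:
    """Diceware-style passphrase using a CSPRNG, so the entropy math applies."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    # Constructed tiny wordlist, for illustration only (3 bits per word).
    demo_words = ["horse", "battery", "staple", "engine",
                  "donkey", "wrong", "correct", "moss"]
    print("XKCD 4 words:", passphrase_bits(4, XKCD_LIST_SIZE), "bits")
    print("Words for 150 bits (XKCD list):", words_needed(150, XKCD_LIST_SIZE))
    print("4 words, 65536-word list:", passphrase_bits(4, LARGE_LIST_SIZE), "bits")
    print("Words for 500 bits (65536-word list):", words_needed(500, LARGE_LIST_SIZE))
    print("Demo passphrase:", generate_passphrase(4, demo_words),
          f"({passphrase_bits(4, len(demo_words))} bits)")
```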
I never relied on those strength meters anyway. I use KeePass, and it has a built-in password generator which seems to be pretty good at coming up with complex passwords, and has configurable options as well. And, because KeePass is a password manager I don't have to remember those passwords, just the hellishly long one I use for the master password. I also use a keyfile, so it's not just a case of getting hold of my master password to try and get my online passwords. And, because it's KeePass, it's a local solution with no cloud interaction that means my password database stays out of other people's hands.
@Captain Scarlet
Yes, writing down passwords for online accounts is recommended by no less a provenance than Qi:
http://qi.com/infocloud/passwords
"The probability of someone breaking into your house and stealing your written-down passwords is considerably more remote than the 1-in-3 to 1-in-4 probability that your computer will fall to a criminal’s malware"
"Dream on."
"Oh? How do they get to it if it never goes online?"
-----
Your machine is compromised by visiting a website with an exploit.
Or is your machine free & your holy Keepass free from all past, present and future vulnerabilities.
Security is about being paranoid all the time, you sound smug and complacent, an accident waiting to happen.
"my password database stays out of other people's hands"
Dream on.
Er, well, short of the NSA or GCHQ breaking in to where I live and cracking the password on my laptop, then cracking the password for my encrypted partition; and bearing in mind I am absolutely not putting my password database file anywhere near a cloud service; and noting that I don't let most javascript run in my browser so there's little hope that a script could get a virus onto my laptop via web browsing; and no-one else has a login to my laptop so they can't get anything on to it; and it runs Linux Mint for general work; I don't quite see how anyone else is going to get hold of the database file. So what is my dream exactly?
I was trying to configure our Virgin Superhub* 3 the other day, and I'd got as far as the wireless password, so I put in the one that we'd been using previously, which is eleven characters long, and a mix of upper/lower and numeric (with a token symbol).
Nope, the password strength meter stays on "bad".
OK, I think, maybe they don't allow symbols.
Nope, still no joy. It's only after really carefully reading the password restrictions that I notice "and must contain one or two numbers". The password I was trying to use had three numbers, and thus was deemed to be insecure.
Yup, nice work there Virgin, and by nice I mean crappy.
* (actual hub may be 60% less super than advertised)
My first email password was 'ncc1701' (and here's me thinking I was being clever! <facepalm>) because the email system only allowed a max of eight characters. Even now, the same email system allows a max of 10 characters (although they didn't tell me this until I gave it a 16 char password and it wouldn't let me login afterwards - that's when support told me it had only registered the first 10 characters and when I was trying to login with all 16 - it wasn't actually the same password...)
I like long passwords, but ones that make sense to me, but are therefore very easy to remember.
2bOR!2bThatIsThe? is one I used for quite a while (where systems allowed for sufficient length)
But can you do that over and over again, hundreds of times, with different sites with different rules, without getting them mixed up? One or two good passwords can be doable for most, but most people have to manage well over 100, and any breach can result in a cascade as the knowledge gained from weaker sites can be used to break stronger ones.
"Paul C. van Oorschot of Carleton University, Canada, joined the password provocateurs in a paper published months earlier in which they rammed a research rod into best practice security spokes arguing crap passwords should be reused on low risk websites so users can concentrate on recalling a couple of really good passwords for important sites."
The problem here is that weak sites can still be stepping stones to identity theft which can then be used to gain the credentials needed to break the higher-security sites.
"weak sites can still be stepping stones to identity theft"
Only if you're stupid enough to give your real details to sites that don't need them, instead of signing up as Jethro Q. Walrus-Titty, with an address in the Svalbard Archipelago.
But unfortunately, as George Carlin said, “Think of how stupid the average person is, and realize half of them are stupider than that.”
They can still match you by IP and other habits, which can be gleaned no matter how much you try to cover it up
Hell, my IP points back to my domain name (RDNS). Nothing to hide there.
I use a number of throwaway email addresses (no idea how many, they're single use) eg 10minutemail.com for sites I want a quick answer from that I am not likely to visit again where I have to create an account to get the answer (and I can't find it reasonably quickly enough elsewhere). Cracking those sites would give you nothing, you don't have a valid or even existing email address. You might get my external IP (which gives you a few thousand possibilities for internal IPs) but that's about it.
For more secure things (bank, email etc including my spam address) I have unique passwords which hopefully are plenty secure enough, and not stored somewhere obvious (yes all are written or typed but even if you had the list you wouldn't know what belongs where).
Now tell me.. if you have my email address (as many hundreds or thousands of people do) but not my log in details for my email address, what use is that? If you have a couple of hundred of my weak passwords and can deduce what pattern I use, what use is that? So you can log in as me on a few dozen sites I've forgotten about (and probably did not use any identifying info on) - how can you breach anything that matters?
I would honestly like to know if there is some risk I've overlooked.