The Case For Lousy Passwords
itwbennett writes "Since the Gawker and McDonald's hack attacks, the web has been overrun with admonishments against using weak passwords. But weak passwords have their place too, says blogger Peter Smith. Like, for example, on Gawker, where he really doesn't care if it gets cracked. 'Life is too short to be worrying about 24 character passwords for trivial sites,' says Smith. And, to put things in perspective, your good passwords are pretty weak too. In a 2007 Coding Horror article, Jeff Atwood points out that the password "Fgpyyih804423" was cracked in 160 seconds by the Ophcrack cracker."
Bad usernames too (Score:5, Interesting)
It's not as if the right to post or read is such a valuable commodity that can't be replicated next time you visit the site.
160 seconds? Windows? Bad example (Score:5, Interesting)
Lots of bad password advice out there (Score:4, Interesting)
This was one of the best password articles I've seen.
I think the worst advice I've seen is when people recommend using some algorithm to make long painful "good" passwords that are variations of each other.
Someone who uses:
mysecr1tword4gawker.com
for fun and
mysecr1tword4mybank.com
for their bank isn't that much safer than if they had just used the same password for both.
Much better to use throwaway ones for sites like Gawker, and truly random ones for banking.
IMHO OpenID is the best idea. You only need to put your trust in 1 identity provider - where it's worth the effort to set up a good password and 2-factor auth (easy to do for $0 at myopenid.com, and for a few bucks at Verisign's openid provider); rather than needing to trust every site you come across.
Re:Password keychains? (Score:4, Interesting)
Then there are completely unimportant webfora that insist my password has to be at least 8 characters long and contain letters, numbers and non-alphanumeric characters.
When I worked for a major university a few short years ago, they contracted our paperless pay statements and W2s to Talx -- who only allowed numbers in the "password". Super frustrating, and of course no one in HR understood why I had a problem with this. They may have gotten smarter since then, but doubtful.
TFS Fail... (Score:5, Interesting)
Against a system you do not control, the system has total power over how frequently you may try a username/password combination, how informative it is about your success/failure (i.e. does it just say "no", does it say "wrong password", does it say "username not recognized"?), as well as being able to, if it wishes, just start ignoring all attempts from your IP/terminal or all attempts against a specific account (subject to the risk of denial of service techniques exploiting this). In this scenario, the difference between a terrible password and an OK password is enormous. '12345' or 'password' are quite likely to be simple enough to crack by trial and error, even against a remote system. Modestly more complex ones will either be impossible or require days/weeks of low-speed guessing, or careful guessing from multiple hosts.
With an offline hash attack, you have total control over the hashes, and the only limiting factor in how fast you can attack them is your computer (and hash attacks generally parallelize really well). Here, the difference between a terrible password and a merely mediocre one will likely be less than the refresh rate of the attacker's monitor, and the difference between an OK password and a superb one will still be fairly small. Only a password so good that it is basically a nonstandardized type of private key will be of any use. However, offline hash attacks only happen against compromised systems; you can't get the hash table otherwise. They are an excellent argument for not re-using passwords, since systems get cracked all the time; but they are of only limited relevance in discussing the importance of password complexity, or lack thereof, for online attack scenarios...
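The comment above lists the levers a site operator holds in the online case: how often a guess may be tried, how much the failure message reveals, and whether to stop listening per account or per client (with the denial-of-service risk that account lockout brings). The following is an added example from the editor, not code from the thread or from any site mentioned in it, showing those controls together in a small login throttle: a uniform failure message for unknown usernames, wrong passwords and locked accounts alike, exponential backoff keyed on both the account and the client address, and a cap on the lockout length so a flood of bad guesses cannot lock a legitimate user out indefinitely. The account table, client addresses and timings are constructed for the demo.

```python
import hmac
import time
from dataclasses import dataclass

# Policy constants (assumed values for the demo, not from the thread).
ONLINE_GUESS_LIMIT = 5        # failures tolerated before backoff starts
BASE_DELAY_SECONDS = 1.0      # first lockout length; doubles on each further failure
MAX_DELAY_SECONDS = 300.0     # cap: bounds the denial-of-service an attacker can inflict

# One message for every failure path so the response does not reveal whether
# the username exists or whether the account is currently locked.
GENERIC_FAILURE = "Invalid username or password"


@dataclass
class AttemptState:
    failures: int = 0
    blocked_until: float = 0.0


class LoginThrottle:
    """Rate-limits login attempts per account and per client address."""

    def __init__(self, passwords, clock=time.monotonic):
        # Constructed account table: username -> password (plaintext only for the demo).
        self._passwords = passwords
        self._clock = clock            # injectable clock so tests can advance time
        self._state = {}               # "acct:<user>" / "ip:<addr>" -> AttemptState

    def _is_blocked(self, key, now):
        st = self._state.setdefault(key, AttemptState())
        return st.blocked_until > now

    def _record_failure(self, key, now):
        st = self._state.setdefault(key, AttemptState())
        st.failures += 1
        if st.failures >= ONLINE_GUESS_LIMIT:
            extra = st.failures - ONLINE_GUESS_LIMIT
            delay = min(BASE_DELAY_SECONDS * (2 ** extra), MAX_DELAY_SECONDS)
            st.blocked_until = now + delay

    def attempt(self, username, password, client_ip):
        """Returns (success, message). Every failure returns the same message."""
        now = self._clock()
        # Throttle on both keys: spreading guesses across accounts still hits the
        # per-client limit, and spreading across clients still hits the per-account limit.
        keys = (f"acct:{username}", f"ip:{client_ip}")
        if any(self._is_blocked(k, now) for k in keys):
            # A correct password is rejected while blocked; attempts made during a
            # block are not counted, so they do not extend it.
            return (False, GENERIC_FAILURE)
        stored = self._passwords.get(username, "")
        # Constant-time comparison; an unknown user compares against an empty string
        # so the code path is the same as for a wrong password.
        ok = username in self._passwords and hmac.compare_digest(
            stored.encode(), password.encode())
        if ok:
            for k in keys:
                self._state.pop(k, None)   # successful login clears the counters
            return (True, "ok")
        for k in keys:
            self._record_failure(k, now)
        return (False, GENERIC_FAILURE)

    def retry_after(self, key):
        """Seconds until the given key is unblocked (0 if not blocked)."""
        st = self._state.get(key)
        if st is None:
            return 0.0
        return max(0.0, st.blocked_until - self._clock())


def demo():
    """Constructed scenario: five bad guesses, then the right password while locked."""
    clock = [100.0]
    throttle = LoginThrottle({"alice": "correct horse"}, clock=lambda: clock[0])
    guesses = [throttle.attempt("alice", f"guess{i}", "203.0.113.7")[1] for i in range(5)]
    while_locked = throttle.attempt("alice", "correct horse", "203.0.113.7")
    lock_len = throttle.retry_after("acct:alice")
    clock[0] += 1.5                          # wait out the 1-second lockout
    after_wait = throttle.attempt("alice", "correct horse", "203.0.113.7")
    unknown_user = throttle.attempt("nobody", "anything", "203.0.113.9")
    return {
        "all_failures_generic": all(m == GENERIC_FAILURE for m in guesses),
        "correct_pw_rejected_while_locked": while_locked == (False, GENERIC_FAILURE),
        "lockout_seconds": lock_len,
        "succeeds_after_wait": after_wait == (True, "ok"),
        "unknown_user_same_message": unknown_user[1] == GENERIC_FAILURE,
    }


if __name__ == "__main__":
    print(demo())
```

The cap on the delay is the trade-off the commenter points at: without it, anyone who knows a username can keep an account locked forever by feeding it junk, so the lockout is bounded and a successful login resets the counters rather than leaving residual penalty.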