Security

The Science of Password Selection

troyhunt writes "We all know by now that most people do a pretty poor job of choosing passwords, but what's behind the selection process? What's the inspiration for choosing those short, simple passwords that so often adhere to such predictable patterns? It turns out there's a handful of classic routes that people follow to consistently arrive at the same poor choices – and some of them are pretty shocking."

  • Re:Non-alphanumerics (Score:5, Interesting)

    by Nationless ( 2123580 ) on Monday July 18, 2011 @08:17PM (#36806120)

    Symbols are a double edged sword. I once had a username/password combo using unusual symbols and lo and behold when they upgraded the system they decided in all their wisdom to remove support for those symbols.

    I was fucked.

    Had to contact them and have someone manually change my username and password (hardly ideal) and then I had to set up a new password as soon as I regained access.

  • by chroma ( 33185 ) <chroma@nospam.mindspring.com> on Monday July 18, 2011 @08:19PM (#36806126) Homepage

    I've become a recent convert to the idea of using a password card [passwordcard.org] or
    password chart [passwordchart.com] to remember my passwords for me. There's not nearly as much to remember, as you use a code to look up the password on a printed card. But if you lose the card, anybody finding it will only see a random sequence of letters and numbers.
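The lookup scheme chroma describes, written out as an added example; this is not code from the original post or from passwordcard.org, and the card size (8 rows by 29 columns), the alphanumeric alphabet and the five reading directions are assumptions made here. The user memorises only a start cell, a direction and a length per site; the card supplies the characters.

```python
"""Toy password card: a printed grid of random characters read with a
memorised rule (column, row, direction, length).  Added example for this
thread; not passwordcard.org's generator.  Card size, alphabet and the
five reading directions are assumptions."""
import random
import string

COLUMNS = 29                                     # assumed card width
ROWS = 8                                         # assumed card height
ALPHABET = string.ascii_letters + string.digits  # assumed: letters and digits only
DIRECTIONS = {                                   # (column step, row step)
    "right": (1, 0), "left": (-1, 0), "down": (0, 1), "up": (0, -1), "diag": (1, 1),
}


def make_card(seed):
    """Derive a ROWS x COLUMNS grid from a seed so the same card can be
    reprinted.  The seed is the real secret; random.Random keeps the
    example reproducible, a production card would draw from a CSPRNG."""
    rng = random.Random(seed)
    return ["".join(rng.choice(ALPHABET) for _ in range(COLUMNS)) for _ in range(ROWS)]


def lookup(card, col, row, length, direction="right"):
    """Read `length` characters starting at (col, row), stepping in
    `direction` and wrapping at the edges so any start cell yields a full
    password.  The (col, row, direction, length) tuple is what the user
    remembers; the card supplies the characters."""
    dc, dr = DIRECTIONS[direction]
    return "".join(card[(row + i * dr) % ROWS][(col + i * dc) % COLUMNS]
                   for i in range(length))


def candidates_if_card_known(lengths):
    """Number of passwords an attacker who holds the card must try when
    only the lookup rule is secret: every start cell, every direction,
    every plausible length.  Small, so the rule alone buys little."""
    return ROWS * COLUMNS * len(DIRECTIONS) * len(lengths)


def render(card):
    """Printable card with row numbers and unique column headers."""
    headers = (string.ascii_uppercase + string.digits)[:COLUMNS]
    return "\n".join(["   " + headers] + ["%d  %s" % (r, card[r]) for r in range(ROWS)])


if __name__ == "__main__":
    card = make_card(20110718)      # constructed seed for the demo
    print(render(card))
    print("site A:", lookup(card, col=3, row=2, length=12, direction="right"))
    print("site B:", lookup(card, col=17, row=5, length=10, direction="diag"))
    print("guesses if the card is found:", candidates_if_card_known([8, 10, 12]))
```

The last function is the check worth keeping in mind: with the card in hand, an attacker's remaining search is the product of start cells, directions and plausible lengths, a few thousand guesses here, so the scheme's strength rests on the card staying private and on the lookup rule not being reused across sites.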

  • Re:Non-alphanumerics (Score:5, Interesting)

    by mirix ( 1649853 ) on Monday July 18, 2011 @08:29PM (#36806220)

I find that banks seem to continuously be the worst for not allowing things other than [a-zA-Z0-9]. Which would be rather funny, if it weren't sad. Usually stupid limits on length too, like 8 chars.

  • by Freddybear ( 1805256 ) on Monday July 18, 2011 @08:31PM (#36806240)

    A function that returns a string of 12 random ASCII characters including upper and lowercase alphas, numerics and symbols will score 100% on a password strength test like http://www.passwordmeter.com/ [passwordmeter.com] but I find that a password like that will be hard to type, much less to remember.

    Another way is to return two random words from a list of less-used English words, separated by two or three random numerics. That won't score as high but it will be plenty secure against dictionary attacks and will be easier to remember.

  • by sqrt(2) ( 786011 ) on Monday July 18, 2011 @08:33PM (#36806260) Journal

    I changed my passwords according to Steve Gibson's new paradigm of password haystacking. The basic idea is that you start with a short, non-dictionary but still memorable base and then increase the length with padding that is memorable to you. The concept is based on the fact that length trumps entropy when defending against a brute force attack, and that simple length is just as effective as complex length as long as the entire password doesn't appear in a dictionary. He made a page dedicated to the concept, it's worth taking a look at.

    https://www.grc.com/haystack.htm [grc.com]

  • Simple? Yes. Short? NO.

Please consider that not every character in a password needs to contribute a high level of entropy; as long as a few do (to increase the search space), the length of a password can contain relatively low-entropy character streams.

    0#f$%aEx
    6.7e15 search space (cracked in 3.35e15 brute force attempts on average).

    Sl@5h--------------------VortexCortex
    1.51e73 (cracked in 75.5e72 brute force attempts on average).

    (Sl@5h, twenty dashes, user name -- easy to remember -- not my real algo, make up your own)

    A short string of upper and lower case, with symbols increases the search space required per character. However, each character thereafter, even if it repeats, increases the search space size by a factor of the search character set size...

    The biggest problem with passwords is that they are not hashed, thus many sites place limitations on the characters and length. If any sites do: I write a scathing e-mail to the moronic IT staff and I refuse to use the insecure service (if I can, otherwise, for places like my previous bank, Wells Fargo, I just bitch about it every so often until my account gets hacked and I'm forced to choose a more secure service...).
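The arithmetic behind the two comparisons above (Freddybear's 12 random characters versus two words plus digits, and the padded "haystack" example with its 6.7e15 and 1.51e73 figures), as an added example; this is not code from grc.com, passwordmeter.com or any commenter. The 95-character printable-ASCII alphabet is the standard one, while the guess rate, the 10,000-word list size and the sample 12-character string are assumptions made here.

```python
"""Brute-force search-space arithmetic behind the 'haystack' argument in
this thread.  Added example; the guess rate, word-list size and sample
strings are assumed figures, not numbers from the original posts."""
import math
import string

# The four character classes a haystack-style calculator distinguishes:
# 26 + 26 + 10 + 33 = 95 printable ASCII characters (space counted as a symbol).
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation + " "),
}
PRINTABLE = frozenset().union(*CLASSES.values())


def alphabet_size(password):
    """Sum of the sizes of every class that appears in the password: the
    alphabet a brute-force attacker enumerates once they know which
    classes are in use (the usual, attacker-friendly assumption)."""
    if not password or not set(password) <= PRINTABLE:
        raise ValueError("empty password or character outside printable ASCII")
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password):
    """alphabet ** length: every string of that length over that alphabet.
    A repeated character still multiplies the space by the alphabet size."""
    return alphabet_size(password) ** len(password)


def expected_guesses(password):
    """On average the right string turns up halfway through the space."""
    return search_space(password) // 2


def years_to_exhaust(password, guesses_per_second=1e12):
    """Wall-clock time at an assumed offline rate; 1e12/s is a placeholder,
    real rates depend on the hash the site used."""
    return expected_guesses(password) / guesses_per_second / (365.25 * 24 * 3600)


def scheme_bits(choices, positions):
    """Entropy in bits of picking `positions` items uniformly from `choices`:
    what an attacker who knows the generation scheme actually faces."""
    return positions * math.log2(choices)


def word_scheme_bits(word_list_size, n_words, n_digits):
    """Freddybear's scheme: n words from a list plus n random digits."""
    return scheme_bits(word_list_size, n_words) + scheme_bits(10, n_digits)


def compare(password, generation_bits):
    """Search-space bits (what a blind brute-force search faces) next to
    the scheme's own entropy (what a scheme-aware attacker faces)."""
    return {"length": len(password), "alphabet": alphabet_size(password),
            "search_space_bits": math.log2(search_space(password)),
            "scheme_bits": generation_bits}


if __name__ == "__main__":
    short = "0#f$%aEx"                              # from the thread
    padded = "Sl@5h" + "-" * 20 + "VortexCortex"    # from the thread
    print(short, "%.2e" % search_space(short), "%.1e years" % years_to_exhaust(short))
    print(padded, "%.2e" % search_space(padded), "%.1e years" % years_to_exhaust(padded))
    # Constructed samples: 12 random printable characters versus two words
    # from an assumed 10,000-word list plus three digits.  Both look strong
    # to a character-class meter; only the first is strong against someone
    # who knows the recipe.
    print(compare("q7$Kp2!mZc9&", scheme_bits(95, 12)))
    print(compare("lexicon417obelisk", word_scheme_bits(10_000, 2, 3)))
```

Two checks worth carrying away: search_space measures a blind exhaustive search, so the 95^37 figure for the padded string holds only against an attacker who has no idea a base-plus-padding-plus-username recipe was used, and the words-plus-digits password rates about 36 bits once the attacker knows the scheme even though its 17 characters look like 80-odd bits to a meter. Whether a site stores a hash at all, and how fast that hash can be computed, sets the guesses-per-second figure and therefore every time estimate.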

  • by wvmarle ( 1070040 ) on Tuesday July 19, 2011 @02:19AM (#36808406)

A totally underrated (and largely ignored) issue with long passwords is the user's typing accuracy. I type reasonably accurately I guess, but at least every 20 keystrokes I will mistype one. So a 10-character password already has a reasonable chance of a mistype, and a 20-character phrase will have a very high chance of a mistype. That would mean I have to re-try typing that long password a few times before it is finally accepted. And having your password hidden while you type it in doesn't help, of course.

The 7-9 character passwords that I use normally are hard enough in that respect. I often have to re-type because of a typo. And those are strings that I type often, so I have already developed muscle memory for them. I dread the idea of having to use 20-character phrases for that. Too much risk of re-typing, and too much work in having to re-type it five times until you're finally exactly right.
