Security

The Science of Password Selection 340

Posted by timothy
from the insert-horror-stories-here dept.
troyhunt writes "We all know by now that most people do a pretty poor job of choosing passwords, but what's behind the selection process? What's the inspiration for choosing those short, simple passwords that so often adhere to such predictable patterns? It turns out there's a handful of classic routes that people follow to consistently arrive at the same poor choices – and some of them are pretty shocking."
  • What's the inspiration for choosing short, simple passwords? They are short and simple, so you don't forget them. Similar reason to using the same password for a variety of different purposes. For bank accounts, use the strongest possible password, and don't write it on a sticky note. For Facebook, use "asdf1234" and don't put *any* important information on there.
    • > What's the inspiration for choosing short, simple passwords?

      The execrable admonition to never write down a password.

    • Simple? Yes. Short? NO.

      Please consider that not every character in a password needs to contribute a high level of entropy; as long as a few do (to increase the search space) the length of a password can contain relatively low entropic character streams.

      0#f$%aEx
      6.7e15 search space (cracked in 3.35e15 brute force attempts on average).

      Sl@5h--------------------VortexCortex
      1.51e73 (cracked in 75.5e72 brute force attempts on average).

      (Sl@5h, twenty dashes, user name -- easy to remember -- not my real algo, make up your own)

      A short string of upper and lower case, with symbols increases the search space required per character. However, each character thereafter, even if it repeats, increases the search space size by a factor of the search character set size...

      The biggest problem with passwords is that they are not hashed, thus many sites place limitations on the characters and length. If any sites do: I write a scathing e-mail to the moronic IT staff and I refuse to use the insecure service (if I can, otherwise, for places like my previous bank, Wells Fargo, I just bitch about it every so often until my account gets hacked and I'm forced to choose a more secure service...).

      • by mjwx (966435) on Tuesday July 19, 2011 @12:04AM (#36808070)
        Please consider that not every character in a password needs to contribute a high level of entropy

        Exactly, so repeating patterns are OK as far as brute force is concerned.

        The way I tell my users to create a password is to think of a four or five letter word, let's use "bill" and a number, say "4". Now the simple way to get a 10 character complex password is to use the word with the first letter capitalised, followed by the number, then the special character associated with that number followed by the word (again, capitalised), for example:

        Bill4$Bil

        All the user has to remember is Bill4, simple to remember, not based on a dictionary word (because as soon as a cracker has gone through the dictionary and common names they'll go through the dictionary and common names + $number) as long as it's repeated at least once and it can be repeated as many times as you like and it's still only five characters to remember.

        Although, with password lengths I think you start to get diminishing returns after a while, the more characters you have, the more likely you'll have a typo and the more frustrating for the user it becomes and then the user will just switch to a simpler password. Remember that most users don't have a password on their home machines simply because they can't be arsed.

        Passwords should also be cycled if they are important. Length, complexity and password cycling are all useful and work together in creating robust security but they do so at the expense of user friendliness. If a security system is too unfriendly to its users they simply won't use it, so we make trade offs to ensure that the system is used correctly.

        So realistically, length, complexity, password cycling and user friendliness need to work together in creating robust security and work well in the right mix. However getting 3 IT security to agree on what that mix is like negotiating peace in the Middle East.

        And now we have reached the end of another long and exciting post about passwords.
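To put numbers on the two posts above (VortexCortex's padded string and mjwx's repeated-word scheme), here is an added Python calculator; it is not code from either poster or from the linked article. It computes the structure-blind brute-force search space the posts cite and, beside it, the search space that remains once the template is known, which is the caveat a reviewer would attach to both schemes: padding and repetition raise length, but an informed guesser only has to cover the free choices. The sizes assumed for the word list, the dash-run length and the repeat count are assumptions and are labelled as such in the code.

```python
"""Search-space arithmetic for the password templates discussed in the thread.
Added illustration: the component sizes are assumptions, not figures from the posts."""
import math

PRINTABLE_ASCII = 95  # printable 7-bit ASCII, 0x20 .. 0x7E


def brute_force_space(password, charset_size=PRINTABLE_ASCII):
    """Search space for an attacker who knows only the length and the charset."""
    return charset_size ** len(password)


def average_attempts(space):
    """Expected number of guesses before a uniformly random password is found."""
    return space // 2


def structured_space(*component_sizes):
    """Search space when the template is known and only the free choices are
    searched: the product of the number of options for each component."""
    return math.prod(component_sizes)


def bits(space):
    """Express a search space as bits of entropy."""
    return math.log2(space)


def compare_templates():
    """Brute-force space versus template-aware space for the thread's two examples."""
    # "Sl@5h" + twenty dashes + "VortexCortex" (37 chars), built as the post describes.
    padded = "Sl@5h" + "-" * 20 + "VortexCortex"
    # Assumed template knowledge: 5 random printable chars, a dash run of any
    # length from 1 to 40 (40 options), then the account's own user name (1 option).
    padded_structured = structured_space(PRINTABLE_ASCII ** 5, 40, 1)

    repeated = "Bill4$Bil"  # the example string printed in the post
    # Assumed template knowledge: a capitalised word from a 10,000-entry common-word
    # list, one digit (10 options), the shifted symbol fixed by that digit (1 option),
    # and the word repeated one to three times (3 options).
    repeated_structured = structured_space(10_000, 10, 1, 3)

    return {
        padded: {"brute_force": brute_force_space(padded), "structured": padded_structured},
        repeated: {"brute_force": brute_force_space(repeated), "structured": repeated_structured},
    }


if __name__ == "__main__":
    short = "0#f$%aEx"
    space = brute_force_space(short)
    print(f"{short}: {space:.3g} search space, {average_attempts(space):.3g} average attempts")
    for pw, spaces in compare_templates().items():
        print(f"{pw}: brute force {bits(spaces['brute_force']):.1f} bits, "
              f"template-aware {bits(spaces['structured']):.1f} bits")
```

The brute-force figures reproduce the 6.7e15 and 1.51e73 quoted in the thread; the template-aware column is what a password-strength estimator in the style of zxcvbn would report, and it is the column a policy should be judged on.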

      • by wvmarle (1070040) on Tuesday July 19, 2011 @01:19AM (#36808406)

        A totally underrated (and largely ignored) issue with long passwords, is the user's typing accuracy. I'm typing reasonably accurately I guess, but at least every 20 keystrokes I will mistype one. So a 10-character password has already a reasonable chance for a mistype, a 20-character phrase will have a very high chance to mistype. That would mean I have to re-try typing that long password a few times before it is finally accepted. And having your password hidden while you type it in doesn't help of course.

        The 7-9 character passwords that I use normally are hard enough in that respect. I often have to re-type because of a typo. And those are strings that I type often, so have muscle memory developed for them already. I dread the idea of having to use 20-character phrases for that. Too much risk of re-typing, and too much work in having to re-type it five times until you're finally exactly right.

        • by hldn (1085833) on Tuesday July 19, 2011 @02:38AM (#36808764) Homepage

          learn to type.

          my regular password is 16 characters and i rarely mistype it, even if just for muscle memory.

          • My password is just as long, and like you, I rarely ever get it wrong.... More to the point though.. I have no idea what my actual password is, if you ask me to write it down, I am liable to get it wrong most of the time, but I can certainly type it out without any issues.

            My password scheme..

            I use 4 random words, separated by spaces and punctuation, 1 of those words will have something to do with the the application or site I am connecting to. Every few months, I will change the password, using those same

        • by vegiVamp (518171)

          I have full-sentence keyphrases on things like the truecrypt vault that holds my SSH keys. I mean 50+ character sentences.

          Most of the time, I have it right on the first shot. Muscle memory helps a lot with things you type regularly, like some passwords.

      • by mcelrath (8027)

        TFA complains about simple passwords (containing no non-alphanumeric characters). Over the years I found that every single little stupid corner of the internet decided they had a better idea what should be in a password than everyone else. Each of them excludes a random subset of non-alphanumeric characters from being valid. Another subset of stupid little corners of the internet can't code their way out of a paper bag, and can't properly escape non-alphanumeric characters, especially ['"\%&=] which

        • by Quirkz (1206400)
          And then there's code like phpBB, where it will let you create an admin password with an @ in it during site setup, but then just mysteriously strips the @ out of the actual password when the site is set up. I rebuilt a site three times before (for some crazy reason, can't recall how I thought of it) deciding to type the password and leave out the special character, and finally getting in.
    • by Teancum (67324) <robert_horning@ n e tzero.net> on Tuesday July 19, 2011 @03:47AM (#36809032) Homepage Journal

      If you want to secure something like a bank account, you don't use a security measure like a password in the first place. Passwords are strictly for low security applications where you openly know that others are going to be getting into the data that you have stored behind that password.

      For something that you really want to protect from prying eyes, you use something like an SHA-512 encryption hash with a public/private pair or something else along that line. I declare it is the whole notion that a password actually does more than provides a simple roadblock for pure idiots and to "keep the honest people honest" is a mistaken notion.

      I should also note that the number of possible physical keys to most locks is shockingly low. I had a locksmith point out that most cash registers in grocery stores (at least for a great many years) used only one of five basic keys. I even had all five of them in my possession at one time. Yes, they worked too! Again, it is to keep people from pushing the buttons when they really shouldn't be there. Even now, most cash registers are "protected" with nothing more than a 4-digit key that can be hacked through social engineering alone... if they use something other than the register keys. Some stores are getting fancy with barcodes that need to be scanned indicating some supervisor ID, but even that is not a complicated string of numbers.

      Then again, most bank data is "protected" by such amazing "identity" information like a social security number and your mother's maiden name. It doesn't matter how complicated you make your passwords or encryption key, the information can be "hacked" with other very simple social engineering if you really want to get into somebody else's information. Of course, I find the whole notion of "identity theft" to usually be something absurd like this as those confirming identity are using information that really can't establish identity in the first place. Biometrics really are the only true way to establish identity, ranging from a handwritten signature to a finger print, a blood test, a DNA sample, and perhaps something like a retinal scan (something even twins have different). Identity establishment is intimately tied to passwords, as the point of a password is to prove that you are authorized to use a particular resource of some kind.

      • by Anrego (830717) *

        Then again, most bank data is "protected" by such amazing "identity" information like a social security number and your mother's maiden name. It doesn't matter how complicated you make your passwords or encryption key, the information can be "hacked" with other very simple social engineering if you really want to get into somebody else's information. Of course, I find the whole notion of "identity theft" to usually be something absurd like this as those confirming identity are using information that really can't establish identity in the first place. Biometrics really are the only true way to establish identity, ranging from a handwritten signature to a finger print, a blood test, a DNA sample, and perhaps something like a retinal scan (something even twins have different). Identity establishment is intimately tied to passwords, as the point of a password is to prove that you are authorized to use a particular resource of some kind.

        So much agree!

        Personally I think using my credit card (or accessing my bank account, or changing my address, etc..) should involve some kind of two-factor authentication. I'm a big fan of the keyfob type systems ... but even the "SMS a code to your phone" thing is ok. Combine that with a password and you have to be fairly determined to get at my account. I'm not a big fan of biometrics in the day-to-day login .. and definitely don't think it should ever be the sole means of authentication... simply because

  • by WrongSizeGlass (838941) on Monday July 18, 2011 @06:57PM (#36805890)
    That article is way too long. Here's my observation: People pick passwords that are easy to remember, easy to type and/or something they think is clever.

    The problem with passwords is that if they are too complex people can't remember them or write them down in plain sight. Pass phrases can be very effective, easy to type and don't rely on the cleverness of people who can't remember 10 random letters, numbers and special characters.
    • Re:TL; DR (Score:5, Insightful)

      by fish waffle (179067) on Monday July 18, 2011 @07:15PM (#36806086)

      The problem with passwords is that if they are too complex..

      Partly. There are also too damned many of them. Every pissant site seems to require a login/passwd, it's best to keep them all distinct, and the difficulty of remembering all these passwords is in a continuum with their complexity.

      • Yup. I think we really need to knuckle down and come up with a good universal-authentication scheme, maybe based on private-key encryption. It's not just a problem that people have so many passwords that they struggle to remember several strong ones, but one of the solutions that people employ is to reuse the same password for everything. Password reuse is a huge security flaw.

        It's important to remember that security isn't much stronger than the weakest link. If you use the same password for everything

    • by c0lo (1497653)

      That article is way too long. Here's my observation: People pick passwords that are easy to remember, easy to type and/or something they think is clever.

      Last chart of the article reveals that 69% of the people are actually dumb in regards to picking their password.

      • You placed emphasis on the wrong part of the quote.

        That article is way too long. Here's my observation: People pick passwords that are easy to remember, easy to type and/or something they think is clever.

        FTFY E.g. 6969 is not a clever password, but someone may think it is.

  • But the intention of this post was always to identify how people are presently choosing their passwords and we have good insight into that now. Of course the next question is "how should people be choosing passwords"? The answer to this is simple: The only secure password is the one you can't remember.

    This is why, when you have a password policy from hell, there are post-its stuck under keyboards or to the monitor. Users won't put up with your tyranny.

    --
    BMO

    • Exactly. Having reasonable policies such as "passwords may not consist solely of names or common dictionary words" strengthens security; going further than that and insisting that all passwords must consist of strings such as "kjf83i3n!mnc_79d" weakens security, because it practically begs people to write their passwords down. Similarly, requiring users to change their passwords every month will result in nothing but the use of weak passwords and/or constant tech support requests from users who can't log

      • by tompaulco (629533)
        My IT department was not even able to tell me what our password policy is. My password expired and I had to pick a new one. I could not get one to work that passed our policy. I had one with four symbols four upper case four lowercase and four numbers that I would never be able to remember and it still would not take it. Finally, in desperation I logged in as a domain administrator (which I happen to know and which the password never changes because the entire system would break) and set my password to some
      • by tverbeek (457094)

        I spend a whole-number-percentage of my work week advising users to select passwords that fall into the kinda-weak range, ones that meet the letter - but not the spirit - of our complexity requirements. For example, our company policy requires a combination of caps, lower, and something else. Rather than encouraging users to use a "strong" password such as d3K4jmS, I encourage them to pick the name of a city at random from a map, capitalize it, and put a digit on the end. Even though Munich7 is objective

    • by jamesh (87723)

      Having a hard-to-guess password on a post-it note stuck to your monitor is entirely appropriate in a lot of places. If the threat from inside the organisation is close to zero (eg a home office with no external cleaning contractor where all staff have equal network access) but the threat from outside is high (eg remote access to email or desktop) then it's a better outcome than an easy-to-guess password that exists only in the users head... and in the dictionary.

      • by sfm (195458)

        NEVER put your password on a post-it note stuck to your monitor!!

        The correct place for it is under the keyboard

  • by Chicken_Kickers (1062164) on Monday July 18, 2011 @07:00PM (#36805920)

    You know, what is more shocking is that clueless "security experts" still relying on passwords as their primary security measure. Passwords are bad because they are not natural. Humans are not computers, i.e. we have not evolved to memorise random strings of letters and numbers. Our brain has evolved to make the most of connecting and contextualizing information, not memorizing 1s and 0s. This is the mistake you computer people always make, whether designing GUIs or security systems.

    • by rolfwind (528248) on Monday July 18, 2011 @07:14PM (#36806074)

      You know what's worse? Security questions! Especially when you can't type your own.

      Favorite Color? Too easy - people aren't going to say FF1A16. Most will say black, red, green, blue, white, or a handful of other labels.

      With all these favorite questions, I either don't have one. I really lack strong favorites in all areas. And the next time it asks me that, it will have likely changed.

      OR, it's information that's known to my entire household. Even if they don't do anything nefarious, I'm sure someone can wrangle out of my mother what street I lived on as a kid in a casual conversation.

      I hate SQs with a passion. Whoever thinks this is security is nuts.

      (Srry, posted as anon before, dang sign-in isn't as convenient as it used to be.)

      • by perpenso (1613749) on Monday July 18, 2011 @07:36PM (#36806292)

        You know what's worse? Security questions! Especially when you can't type your own.

        They can ask for your favorite color but you don't have to answer that particular question. If you are a fan of pass phrases you can enter some sort of phrase indicating the color. For example if your favorite color is red you could enter "The BBC first aired Red Dwarf in 1988". For extra security use the wrong year. :-)

        • by hedwards (940851)

          The problem is that if you don't remember the answer then you're completely screwed in most cases. For some things it's perfectly acceptable to require the person to fill out a form and have it notarized, but it's more problematic on sites like Facebook where the value is somewhat dubious

      • by jamesh (87723)

        (Srry, posted as anon before, dang sign-in isn't as convenient as it used to be.)

        Couldn't remember your password?

      • by bill_mcgonigle (4333) * on Monday July 18, 2011 @09:14PM (#36807054) Homepage Journal

        I hate SQs with a passion. Whoever thinks this is security is nuts.

        Simply put, security questions reduce your account's security to the strength of the security questions. Mostly, they're weaker than average passwords. Lord help you if you've got a Facebook profile. Mother's maiden name. Hell, that's public information today.

      • Security questions are only meant to enable a password reminder to a known email address. The only reason they even bother having any question at that stage is so that random 3rd parties don't spam you password reminders to your email account.

        It's actually something Slashdot doesn't have. Third parties on Slashdot can spam you password reminders due to the lack of a simple security question.

    • Look, it isn't that hard to come up with a passphrase that you turn into a password.

      It was the best of times, it was the worst of times

      becomes

      1wtb0t1wtw0t!

      Then, you find a creative phrase that nobody else will figure out based on nothing about yourself and bam, you have a password. The longer the phrase, the more keystrokes to enter, and that is a good thing.

      But still, there is the one person I know whose password is PI, to the 27th decimal, Most PW systems don't let you have that many, and when they don't

      • Why not just allow

        1. "It was the best of times, it was the worst of times"

        As your actual password? It is a lot easier to remember than 1wtb0t1wtw0t!, and if you have any kind of lockout policy no script is going to ever guess it.

        • It is a lot quicker to type '1wtb0t1wtw0t!' though, especially if you are used to it. I usually add a number somewhere which I can increment though to work around the stupid password expiry policies some places have.
        • Why not just allow

          "It was the best of times, it was the worst of times"

          As your actual password? It is a lot easier to remember than 1wtb0t1wtw0t!, and if you have any kind of lockout policy no script is going to ever guess it.

          That's a damn good point. It's not like modern systems can't afford the few extra tens of bytes. Arbitrary character limits made a certain amount of sense in the days when data storage and transmission were expensive and there was a real cost to using large strings, but we're long past the days when a password that's any shorter than a novel is going to cost any more, in practical terms, than "password123".

          Now, there are certain phrases that would best be avoided in creating such passwords, and particular

          • by jamesh (87723)

            That's a damn good point. It's not like modern systems can't afford the few extra tens of bytes.

            For user authentication there is no need to store the plaintext password, a hash is all you should need to store, which is fixed length. That way anyone who gains access to the password database still has to brute-force a hash.

            • Point. I suppose I should have said "dictionary attack" rather than "brute-force attack," since what I was thinking of was trying common names and words (or, in the long-password scenario, common lines like "it was the best of times", "to be or not to be", "fourscore and seven years ago", etc.) rather than just random ASCII. As far as the hash length vs. string length goes, even if it's stored hashed, the plaintext has to be processed at some point. Once upon a time, there was a real cost to the number o

        • by tepples (727027)
          Good luck keying that in error-free on your cell phone's touch screen.
      • by PCM2 (4486)

        But still, there is the one person I know whose password is PI, to the 27th decimal, Most PW systems don't let you have that many, and when they don't, she uses something ridiculously easy, "because it already isn't secured".

        Is any password that you can look up in a book (or generate using an algorithm) really all that secure? How long would it take a dictionary attack based on the digits of pi to reach the 27th digit of pi?

      • by Centurix (249778)

        I SMS'd that password to Charles Dickens, and he sent back "T1my iz a kriple lol!".

    • I agree.
      I am trying to pass this message among the security folks I meet, and I am "one" myself. Well this is difficult.
      To many, security means password. It's that bad :-)

      To me, password, digital key, etc is just one of the aspects of security - but I certainly would be happier if we got rid of the passwords. They're not secure, they're hard to remember, type, etc.

      That said, since you need at least 2 factors of authentication to feel reasonably secure, and that there's not so much that is as versatile as pa

      • by lgw (121541)

        You know, ATM cards work really well for protecting easily-obtainable cash. I can't think of better proof that 2-factor auth with the simplest of passwords and the simplest of tokens works great.

        The approach I'd take with software is: your endpoint device generates a GUID - this is your actual password. The user provides a simple password which is used to locally encrypt the real password. The first time any new device is used, some additional protocol is needed to authorize the user out of band, and gene

  • FTA:

    The only secure password is the one you can't remember.

    Great. So remember to write your password on a sticky note that you leave on your monitor, and you'll be golden.

    • I share an office and computer with a colleague at work. The school's network requires us to change our login and password every 60 days (I think) and won't let us reuse any entries. So, we've got a piece of paper taped to the desk next to the keyboard with an ongoing record of logins and passwords. Whoever's turn it is to come up with the new login info crosses out the last one and writes down a new one.

      Fortunately, we keep the login list key encrypted - we're always careful to lock the office door on o
      • by nzac (1822298)

        Just insert the month and year into your standard password; assuming they are using a hash to detect repeats, it looks very different on the other side.

  • Non-alphanumerics (Score:5, Insightful)

    by paleo2002 (1079697) on Monday July 18, 2011 @07:08PM (#36806008)
    To be fair, I doubt the average person is aware that a password can include symbols unless they are specifically advised that they are allowable. I know I've been scolded by many computers, web sites, and electronic systems for using symbols in the past so it's no wonder that they are rarely used.
    • Re:Non-alphanumerics (Score:5, Interesting)

      by Nationless (2123580) on Monday July 18, 2011 @07:17PM (#36806120)

      Symbols are a double edged sword. I once had a username/password combo using unusual symbols and lo and behold when they upgraded the system they decided in all their wisdom to remove support for those symbols.

      I was fucked.

      Had to contact them and have someone manually change my username and password (hardly ideal) and then I had to set up a new password as soon as I regained access.

    • Re:Non-alphanumerics (Score:5, Interesting)

      by mirix (1649853) on Monday July 18, 2011 @07:29PM (#36806220)

      I seem to find that banks seem to continuously be the worst for not allowing things other than [a-zA-Z0-9]. Which is rather funny, if it weren't sad. Usually stupid limits on length too, like 8 chars.

      • by Rary (566291)

        I seem to find that banks seem to continuously be the worst for not allowing things other than [a-zA-Z0-9]

        Even worse: my bank requires a numeric-only password, with a max of 7 digits, which basically ensures that everyone is going to use a phone number as their password.

      • by sootman (158191)

        I thought it was odd that my bank only allowed A-Z, 0-9 for online access. Then I called up one day on the phone and was asked to punch in my password, so I guess that's why.

  • Like most everyone else, managing passwords is a nightmare for me:

    Some websites require a 15 character password with at least 2 upper case letters 3 digits, at least 2 UNICODE characters, and must be changed weekly. Others require from 5 to 7 characters with no numbers and cannot be changed for at least 2 months. The password rules bear no relationship to the sensitivity of the data.

    Managing all of this crap is a royal pain in the ass. I use keypassX with an IronKey to make things manageable, but it is s

    • by DiSKiLLeR (17651)

      While lots of people hate PayPal for various reasons, they have one thing that is really slick: The ability to use your cellphone as a FOB. Everyone has a cell phone these days, and if you set it up, PayPal will text your phone with a secondary authentication code when you login with your password. So even if someone gets your password, unless they also have your cell phone, they still can't login. Why every bank doesn't have this security feature is beyond me.

      Both my banks do.... CBA in Australia, and ASB in New Zealand.

      US Banks don't do it?

      • I have yet to see one. Then again we can't get beer right either. Fosters (drinking one now) might not be very good but is a damn sight better than Budweiser.
      • by PCM2 (4486)

        US Banks don't do it?

        Bank of America certainly offers it as a free option (and I use it).

      • US Banks don't do it?

        USAA does it. They also let you use your email (or not allow your email; configurable) and you can set some computers as 'authenticated', which means you only need your password and PIN on that computer. (Which will reset after a few months, or if you clear cookies, or do something which looks fishy, like use two browsers at once from the same computer.)

      • by swalve (1980968)
        Chase does it for password recovery. Not sure I'd like to have to go find my phone every time I wanted to log into my bank account.

        For work passwords, I use the same ones, and just force myself to get into the habit of logging into every system when the first password expires and changing them all at once. This works especially well for sites that get used rarely, as they don't end up auto expiring without me ever knowing it, and then locking me out because I KNOW I've got the right password.
      • by hedwards (940851)

        Nope, there's no regulatory requirement and it's typically cheaper for them to just pay out when somebody successfully breaches security.

    • But otherwise all other things - and have a lockout policy after, say 5 bad attempts.

      Which lets anyone who knows your username DOS you.

      Everyone has a cell phone these days, and if you set it up, PayPal will text your phone with a secondary authentication code when you login with your password.

      Even those who have a cell phone and a PayPal account don't necessarily have an unlimited SMS plan.

      • by shermo (1284310)

        Every time I see this I'm amazed that you have to pay to receive text messages in the US.

        Do you have to also pay when you send them?

    • I think a lot of these stupid password policies were the result of Lanman and L0phtcrack.

      First, there are two kinds of things that people call "passwords". #1, a secret phrase that you tell to a remote system to authenticate yourself. #2, a key that has to be cryptographically secure against local attacks.

      Traditional Windows NT domains essentially published a Lanman hash of everyone's password. Lanman had a bizarrely bad hashing scheme: it null-pads your password to 14 characters, then splits it in half
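The post above stops mid-sentence. As an added illustration (not the poster's code, and not a DES implementation), the Python below reproduces the pre-processing it describes, upper-casing, null-padding to 14 bytes and splitting into two 7-byte halves, with a labelled SHA-256 stand-in for the per-half DES step, and works out what that structure does to the keyspace a defender is relying on. It is the concrete reason LM hash storage gets disabled on any Windows domain that can do without it.

```python
"""LM-style pre-processing and what it does to the keyspace.
Added illustration: the per-half DES encryption of the real LM hash is replaced
by a SHA-256 stand-in, which keeps the property that matters here: the two halves
are processed independently of each other."""
import hashlib

LM_LENGTH = 14
HALF = 7
# Upper-casing folds the 26 lowercase letters away, leaving 95 - 26 = 69 symbols.
LM_CHARSET = 69


def lm_prepare(password):
    """Upper-case, null-pad to 14 bytes and split into two 7-byte halves."""
    if len(password) > LM_LENGTH:
        raise ValueError("LM hashes cover at most 14 characters")
    padded = password.upper().encode("ascii").ljust(LM_LENGTH, b"\x00")
    return padded[:HALF], padded[HALF:]


def half_digest(half):
    """STAND-IN for the DES step: a short digest of one 7-byte half."""
    return hashlib.sha256(half).hexdigest()[:16]


def lm_style_hash(password):
    """Concatenate the two independent half-digests, as LM does."""
    first, second = lm_prepare(password)
    return half_digest(first) + half_digest(second)


EMPTY_HALF_DIGEST = half_digest(b"\x00" * HALF)


def reveals_short_password(stored_hash):
    """A second half equal to the digest of seven null bytes tells anyone who
    sees the stored hash that the password is at most 7 characters long."""
    return stored_hash[16:] == EMPTY_HALF_DIGEST


def keyspace_full(length, charset_size=LM_CHARSET):
    """Keyspace if the whole password had to be searched at once."""
    return charset_size ** length


def keyspace_halved(length, charset_size=LM_CHARSET):
    """Keyspace actually faced: each half is searched on its own, so the two
    costs add instead of multiplying."""
    first = charset_size ** min(length, HALF)
    second = charset_size ** max(0, length - HALF)
    return first + second


if __name__ == "__main__":
    print(lm_style_hash("Secret") == lm_style_hash("SECRET"))  # case is lost: True
    print(reveals_short_password(lm_style_hash("Secret")))      # True
    print(f"14 chars: {keyspace_full(14):.2e} whole vs {keyspace_halved(14):.2e} halved")
```

The three properties the block makes visible (case folding, a recognisable all-null second half, and additive rather than multiplicative cost for the two halves) are why a 14-character LM password is no stronger than two independent 7-character ones, and why the complexity rules the poster blames on L0phtcrack never fixed the underlying storage format.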

  • by chroma (33185) <chroma.mindspring@com> on Monday July 18, 2011 @07:19PM (#36806126) Homepage

    I've become a recent convert to the idea of using a password card [passwordcard.org] or
    password chart [passwordchart.com] to remember my passwords for me. There's not nearly as much to remember, as you use a code to look up the password on a printed card. But if you lose the card, anybody finding it will only see a random sequence of letters and numbers.

    • by arth1 (260657)

      But it doesn't help you have different passwords for different sites unless you already remember a password for each site.
      And that's the problem.

      • by slinches (1540051)

        You do still need to remember a "password" for each site, but that password is only a symbol, a color and the length of the password (or whatever you choose) rather than a long string of random characters, which makes it easier to remember multiple strong passwords. Although this system does trade stronger cryptographic security for weaker physical security, but this weakness could be addressed by keeping multiple cards or using additional encryption schemes. The idea is that the password would remain equ

  • Passwords with patterns are easy for humans to remember, but any short password is vulnerable to a bruteforce attack.

    My favourite way to generate passwords is the first letter of each word in a phrase. Somebody looking over your shoulder sees you type TbonoTbTitQ, doesn't see a pattern, and can't remember it. While you think To be or not To be, That is the Question. Not that this makes any difference to a computer that starts at aaaaaaaaa and works up to zzzzzzzzz.

    No, I've never used this password on any c

    • ...but any short password is vulnerable to a bruteforce attack.

      Only if they can get the encrypted hash, and with increasing CPU (or rather GPU) power, longer passwords are becoming brute-forceable too.

      • by Bengie (1121981)

        Bcrypt hash. Good luck brute-forcing that. Slow in software as well as hardware. Customizable computational time. Make even a dictionary attack take forever.
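An added example (mine, not Bengie's or anyone else's in the thread) of the property the comment credits to bcrypt: a work factor stored beside the hash, so verification pays the same cost and old records can be flagged for an upgrade when the policy rises. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it here; the default iteration count is an assumption taken from commonly cited current guidance.

```python
import hashlib
import hmac
import os

# Added example, not code from the thread. bcrypt is not in the standard
# library, so hashlib.pbkdf2_hmac stands in: same idea of a tunable, stored cost.
ALGORITHM = "sha256"
DEFAULT_ITERATIONS = 600_000  # assumed policy value (commonly cited 2023 guidance)


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh 16-byte random salt is drawn unless one is supplied (tests supply
    one to get reproducible output).
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the cost and salt embedded in `stored`; constant-time compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != f"pbkdf2_{ALGORITHM}":
        return False  # malformed or foreign record: never accept it
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        ALGORITHM, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(stored, minimum_iterations=DEFAULT_ITERATIONS):
    """True when a stored record was made with a lower cost than current policy."""
    return int(stored.split("$")[1]) < minimum_iterations


if __name__ == "__main__":
    record = hash_password("correct horse")
    print(record)
    print(verify_password("correct horse", record), verify_password("wrong", record))
```

On a successful login, check `needs_rehash` and re-store the password with the current cost; that is how the work factor gets raised across an existing user base without a reset.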

  • by Freddybear (1805256) on Monday July 18, 2011 @07:31PM (#36806240)

    A function that returns a string of 12 random ASCII characters including upper and lowercase alphas, numerics and symbols will score 100% on a password strength test like http://www.passwordmeter.com/ [passwordmeter.com] but I find that a password like that will be hard to type, much less to remember.

    Another way is to return two random words from a list of less-used English words, separated by two or three random numerics. That won't score as high but it will be plenty secure against dictionary attacks and will be easier to remember.

    • My approach is something a security guy from Intel told me - take a phrase you can remember that is unique to you, e.g., "I love Jennie and Maggie my 2 kids" or "We moved to Portland 25 years ago in August" and then just take the first letter of each word and keep the numbers as is. You can also throw in some punctuation or make it a two phrase password as well. Then, when you type, you just say the phrase(s) in your head and tap the first letter. It's very simple. I've been using it to express my angst for

    • by slinches (1540051)

      Am I just paranoid or does it seem that those password meters could be a simple phishing scam trying to find commonly used strong passwords? (not necessarily implying the one you linked isn't legit)

  • by sqrt(2) (786011) on Monday July 18, 2011 @07:33PM (#36806260) Journal

    I changed my passwords according to Steve Gibson's new paradigm of password haystacking. The basic idea is that you start with a short, non-dictionary but still memorable base and then increase the length with padding that is memorable to you. The concept is based on the fact that length trumps entropy when defending against a brute force attack, and that simple length is just as effective as complex length as long as the entire password doesn't appear in a dictionary. He made a page dedicated to the concept, it's worth taking a look at.

    https://www.grc.com/haystack.htm [grc.com]
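An added example (mine, not code from any poster, from passwordmeter.com or from grc.com) that generates passwords by both of Freddybear's schemes above and scores them two ways: the entropy of the process that produced them, and the brute-force keyspace a meter or the haystack page would report from length and character classes alone. The 16-entry word list is a constructed stand-in; the scheme assumes a list of thousands of words.

```python
import math
import secrets
import string

# Added example, not from the thread. WORDS is a constructed 16-entry stand-in
# for the "less-used English words" list; a real one would hold thousands.
WORDS = ["abalone", "brindle", "cumbrous", "dirigible", "eldritch", "fulgent",
         "gossamer", "halcyon", "imbroglio", "juniper", "kestrel", "lacuna",
         "moribund", "nebulous", "obelisk", "palimpsest"]
ASCII_SET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def random_ascii_password(length=12):
    """First scheme: `length` symbols drawn uniformly from printable ASCII."""
    return "".join(secrets.choice(ASCII_SET) for _ in range(length))


def two_word_password(digits=3, words=WORDS):
    """Second scheme: two random words joined by `digits` random decimal digits."""
    sep = "".join(secrets.choice(string.digits) for _ in range(digits))
    return secrets.choice(words) + sep + secrets.choice(words)


def generator_bits(scheme, **kw):
    """Entropy of the generating process: log2 of the number of equally likely outputs."""
    if scheme == "ascii":
        return kw.get("length", 12) * math.log2(len(ASCII_SET))
    if scheme == "words":
        return 2 * math.log2(len(kw.get("words", WORDS))) + kw.get("digits", 3) * math.log2(10)
    raise ValueError(f"unknown scheme {scheme!r}")


def haystack_bits(password):
    """Keyspace (log2) an exhaustive search covers knowing only length and classes used."""
    if not password:
        return 0.0
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    for label, pw, bits in [
        ("12 random ASCII", random_ascii_password(), generator_bits("ascii")),
        ("two words + 3 digits", two_word_password(), generator_bits("words")),
    ]:
        print(f"{label:22} {pw:24} process={bits:5.1f} bits  haystack={haystack_bits(pw):5.1f} bits")
    print("aB3$ padded:", haystack_bits("aB3$"), "->", haystack_bits("aB3$" + "." * 20))
```

The gap between the two columns is the point of the dictionary caveat: a meter sees about 88 bits in `abalone123brindle` from its 17 lowercase-and-digit characters, while the process that produced it from a 16-word list had only about 18.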

    • I wouldn't trust the Gibson. It got hacked by a high school kid in 1995....

      He is right about length trumping entropy when you're going against a hash or a dictionary attack, though. Personally, I'll take a phrase, translate it into some other language (preferably one that isn't written with the Latin alphabet), romanize it, and then deliberately misspell it with leetspeak. The result is usually a password that's very long, resilient against dictionary attacks, and is easy enough to regenerate that you don't

    • by jamesh (87723)

      length trumps entropy

      Sounds reasonable. And if you look at what the typical non-targeted brute force dictionary contains, it really is only picking off the most low-hanging fruit. It is reasonable that the password 1111111111111111111111111111111111111111112 is unlikely to be guessed in a useful amount of time unless you had specific knowledge of the user's password habits.

    • by Bengie (1121981)

      This guy is the John Carmack of security.

  • by Danny Rathjens (8471) <slashdot2&rathjens,org> on Monday July 18, 2011 @07:43PM (#36806346)

    I'm surprised a large chunk of the obfuscation attempts didn't involve replacing letters with numbers. termin8, passw0rd, etc.

    I used a password cracker once as a sysadmin many years ago and I recall that that was one of the higher priority alternates the password cracker tried after dictionary words. I also remember there were plenty of adjunct dictionaries for password crackers with things such as anime/book/movie/tv names and character names and places which might cover a lot of that "other" category.

    • by swalve (1980968)

      I think that's because only sysadmin types think of that. C0mp@Q was a favorite of an old sysadmin. Easy to remember, it's printed right on the keyboard.

  • Back in the day, we would trade off the duty of creating the root password, and changing it everywhere it needed to be changed. When it was my turn, I used a random set of letters and numbers that everyone said no-one could remember. That password had fewer people re-requesting it than any other. I still remember it today. I just Googled it, and nope, it's not there yet.

    • That fits my experience. I expect people are much better at remembering a random string of characters than they expect to be. It seems like a good subject for an experiment.

    • "When it was my turn, I used a random set of letters and numbers that everyone said no-one could remember. That password had fewer people re-requesting it than any other"

      That is because every single person wrote it on a sticky note somewhere, thereby greatly decreasing its security.

      " I just Googled it, and nope, it's not there yet."

      On the bright side, at least you know Google has it now ;-)

      • That is because every single person wrote it on a sticky note somewhere, thereby greatly decreasing its security.

        How so, if "somewhere" is inside one's wallet?

  • Seriously, I don't care if someone guesses or bruteforces a password to some news site, or anything where I've used a totally random pseudonym in the first place. I will do things like use weak passwords, re-use them, etc. Because I don't care. I mean, I *really* don't care. Please hack these. Who cares? Not me.

    Web sites and applications where I *do* care, get particularly long, entropy-rich randomly generated passwords. These passwords do get stored locally, on a well-encrypted medium that I would b

  • Problem #1: people don't have random password generators conveniently at hand when they need to create passwords. OS designers should make sure that good random password generator applets are installed by default and obvious. Designers of systems that require passwords should remind users to use random password generators, and suggest where they may be found in popular GUIs. Not every interface can offer that information, but certainly websites could, and if enough do, the information will get around.

    Proble

  • I use a system that is similar to this: Take a phrase, mash it up very well and then add the name of the account to the end of it. It's very secure, but some sites don't support it because it contains plain text.

    Phrase: Don't taze me bro! (remember that guy?)
    let's mash it up a bit
    d0nT+A2eM3bR0!

    After typing it in a few times it becomes natural. So, now you have a 14 character alphanumeric password with symbols. But, if some script kiddie hacks a site that you're signed up to (this happened to one of my various

  • Stop making us change the password so much and get rid of the repeating rules.

  • "Shadowfax".

      You can thank Phillip Sutcliffe for telling us about it:

    http://www.theonion.com/articles/the-threat-of-cyberterrorism,14671/ [theonion.com] :)

  • by Sebastopol (189276) on Tuesday July 19, 2011 @12:41AM (#36808240) Homepage

    tools -->> generate secure password -->> generate -->> save -->> autofill done and done.

"The way of the world is to praise dead saints and prosecute live ones." -- Nathaniel Howe

Working...