The Science of Password Selection

Posted by timothy
from the insert-horror-stories-here dept.
troyhunt writes "We all know by now that most people do a pretty poor job of choosing passwords, but what's behind the selection process? What's the inspiration for choosing those short, simple passwords that so often adhere to such predictable patterns? It turns out there's a handful of classic routes that people follow to consistently arrive at the same poor choices – and some of them are pretty shocking."

  • by 101010_or_0x2A (1001372) on Monday July 18, 2011 @07:54PM (#36805864)
    What's the inspiration for choosing short, simple passwords? They are short and simple, so you don't forget them. Similar reason to using the same password for a variety of different purposes. For bank accounts, use the strongest possible password, and don't write it on a sticky note. For Facebook, use "asdf1234" and don't put *any* important information on there.
    • by John Hasler (414242) on Monday July 18, 2011 @08:41PM (#36806332) Homepage

      > What's the inspiration for choosing short, simple passwords?

      The execrable admonition to never write down a password.

    • Simple? Yes. Short? NO.

      Please consider that not every character in a password needs to contribute a high level of entropy. As long as a few do (to increase the search space), the length of a password can contain relatively low-entropy character streams.

      0#f$%aEx
      6.7e15 search space (cracked in 3.35e15 brute force attempts on average).

      Sl@5h--------------------VortexCortex
      1.51e73 (cracked in 75.5e72 brute force attempts on average).

      (Sl@5h, twenty dashes, user name -- easy to remember -- not my real algo, make up your own)

      A short string of upper and lower case, with symbols increases the search space required per character. However, each character thereafter, even if it repeats, increases the search space size by a factor of the search character set size...

      The biggest problem with passwords is that they are not hashed, thus many sites place limitations on the characters and length. If any sites do: I write a scathing e-mail to the moronic IT staff and I refuse to use the insecure service (if I can, otherwise, for places like my previous bank, Wells Fargo, I just bitch about it every so often until my account gets hacked and I'm forced to choose a more secure service...).

      • by mjwx (966435) on Tuesday July 19, 2011 @01:04AM (#36808070)
        Please consider that not every character in a password needs to contribute a high level of entropy

        Exactly, so repeating patterns are OK as far as brute force is concerned.

        The way I tell my users to create a password is to think of a four or five letter word, let's use "bill", and a number, say "4". Now the simple way to get a 10 character complex password is to use the word with the first letter capitalised, followed by the number, then the special character associated with that number, followed by the word (again, capitalised), for example:

        Bill4$Bil

        All the user has to remember is Bill4. Simple to remember, not based on a dictionary word (because as soon as a cracker has gone through the dictionary and common names they'll go through the dictionary and common names + $number) as long as it's repeated at least once, and it can be repeated as many times as you like and it's still only five characters to remember.

        Although, with password lengths I think you start to get diminishing returns after a while: the more characters you have, the more likely you'll have a typo and the more frustrating for the user it becomes, and then the user will just switch to a simpler password. Remember that most users don't have a password on their home machines simply because they can't be arsed.

        Passwords should also be cycled if they are important. Length, complexity and password cycling are all useful and work together in creating robust security, but they do so at the expense of user friendliness. If a security system is too unfriendly to its users they simply won't use it, so we make trade-offs to ensure that the system is used correctly.

        So realistically, length, complexity, password cycling and user friendliness need to work together in creating robust security and work well in the right mix. However, getting 3 IT security people to agree on what that mix is, is like negotiating peace in the Middle East.

        And now we have reached the end of another long and exciting post about passwords.
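Added example, not part of any comment in this thread: the keyspace arithmetic VortexCortex and mjwx are doing above, written out in Go with math/big, next to the figure a practitioner would check beside it, namely how many guesses are left once an attacker models the password's template (fixed token, run of repeats, known user name, word plus digit plus implied symbol) instead of brute-forcing every character. The 95-character printable-ASCII alphabet, the 64 possible dash-run lengths and the 10,000-entry name list are assumptions chosen for illustration.

```go
// Added example (not from the thread): blind brute-force keyspace versus the
// guess count faced by an attacker who knows the password's template.
// Alphabet size 95 (printable ASCII), the dash-run bound and the name-list
// size are assumptions for illustration.
package main

import (
	"fmt"
	"math/big"
)

// Keyspace returns alphabetSize^length: the strings a blind brute-force
// attacker must consider when only length and character set are known.
func Keyspace(alphabetSize, length int64) *big.Int {
	return new(big.Int).Exp(big.NewInt(alphabetSize), big.NewInt(length), nil)
}

// AverageAttempts is the expected number of guesses: half the space.
func AverageAttempts(space *big.Int) *big.Int {
	return new(big.Int).Rsh(space, 1)
}

// Bits is floor(log2(n)), the usual "bits of work" figure.
func Bits(n *big.Int) int {
	return n.BitLen() - 1
}

// Part is one slot of a password template with the number of candidates an
// attacker who knows the template must try for that slot.
type Part struct {
	Name    string
	Choices *big.Int
}

// TemplateGuesses multiplies the per-slot candidate counts: the search space
// once the structure is known. Repeated or derived slots contribute 1.
func TemplateGuesses(parts []Part) *big.Int {
	total := big.NewInt(1)
	for _, p := range parts {
		total.Mul(total, p.Choices)
	}
	return total
}

func show(label string, n *big.Int) {
	fmt.Printf("%-32s %.3g (%d bits)\n", label, new(big.Float).SetInt(n), Bits(n))
}

func main() {
	// "0#f$%aEx": 8 printable-ASCII characters, nothing to exploit.
	show("8 random chars", Keyspace(95, 8))
	fmt.Printf("%-32s %s\n", "  average attempts", AverageAttempts(Keyspace(95, 8)))

	// "Sl@5h" + twenty dashes + a 12-char user name: 37 characters.
	show("37 chars, blind brute force", Keyspace(95, 37))

	// Same password for an attacker who models it as: unknown 5-char token,
	// a dash run of 1..64 (assumed), then the user name already in hand.
	show("37 chars, template known", TemplateGuesses([]Part{
		{"5-char token", Keyspace(95, 5)},
		{"dash run length", big.NewInt(64)},
		{"known user name", big.NewInt(1)},
	}))

	// "Bill4$Bil": a word from an assumed 10,000-entry name list, a digit,
	// the symbol implied by that digit, and the same word repeated.
	show("Word+digit+symbol+Word", TemplateGuesses([]Part{
		{"word or name", big.NewInt(10000)},
		{"digit", big.NewInt(10)},
		{"shift-symbol of digit", big.NewInt(1)},
		{"repeated word", big.NewInt(1)},
	}))
}
```

The blind figures reproduce the ones quoted above (95^8 is about 6.6e15, 95^37 about 1.5e73). The template figures are the ones that matter against a cracker with rules: the 37-character string collapses to roughly 2^39 guesses and the word-digit-symbol-word pattern to about 2^17, because repeated and derived parts add length but no choices.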

      • by wvmarle (1070040) on Tuesday July 19, 2011 @02:19AM (#36808406)

        A totally underrated (and largely ignored) issue with long passwords is the user's typing accuracy. I'm typing reasonably accurately I guess, but at least every 20 keystrokes I will mistype one. So a 10-character password already has a reasonable chance of a mistype; a 20-character phrase will have a very high chance of a mistype. That would mean I have to re-try typing that long password a few times before it is finally accepted. And having your password hidden while you type it in doesn't help, of course.

        The 7-9 character passwords that I use normally are hard enough in that respect. I often have to re-type because of a typo. And those are strings that I type often, so I have muscle memory developed for them already. I dread the idea of having to use 20-character phrases for that. Too much risk of re-typing, and too much work in having to re-type it five times until you're finally exactly right.

        • by hldn (1085833) on Tuesday July 19, 2011 @03:38AM (#36808764) Homepage

          learn to type.

          my regular password is 16 characters and i rarely mistype it, even if just for muscle memory.

          • by bleh-of-the-huns (17740) on Tuesday July 19, 2011 @08:30AM (#36809936)

            My password is just as long, and like you, I rarely ever get it wrong.... More to the point though.. I have no idea what my actual password is, if you ask me to write it down, I am liable to get it wrong most of the time, but I can certainly type it out without any issues.

            My password scheme..

            I use 4 random words, separated by spaces and punctuation; 1 of those words will have something to do with the application or site I am connecting to. Every few months, I will change the password, using those same 4 words, changing the order, and the location of the punctuation. Throughout the password I will also randomly replace letters with their related number or special character symbols.

            I have yet to forget my password (except on sites where I will log in once every 4 or 5 months, the Startek website being one of those (the user and parts site for my car), where I do a password reset and pick a new password).

        • by vegiVamp (518171) on Tuesday July 19, 2011 @03:58AM (#36808852) Homepage

          I have full-sentence keyphrases on things like the truecrypt vault that holds my SSH keys. I mean 50+ character sentences.

          Most of the time, I have it right on the first shot. Muscle memory helps a lot with things you type regularly, like some passwords.

      • by mcelrath (8027) on Tuesday July 19, 2011 @05:25AM (#36809140) Homepage

        TFA complains about simple passwords (containing no non-alphanumeric characters). Over the years I found that every single little stupid corner of the internet decided they had a better idea what should be in a password than everyone else. Each of them excludes a random subset of non-alphanumeric characters from being valid. Another subset of stupid little corners of the internet can't code their way out of a paper bag, and can't properly escape non-alphanumeric characters, especially ['"\%&=] which need to be escaped in certain contexts or are contained in urls. Yet another subset of stupid corners of the internet place arbitrary length restrictions on your password (here on slashdot: 20 characters). Working on wiki software for a while, I watched as time and time again, contributors couldn't understand the basics of properly escaping strings, so they invented stupid crazy regexes that always failed. Then they would pile on more hacks to catch corner cases. On web forms it usually takes the form of some javascript that "checks" the password, and other javascript that has to encode it into a URL or POST request.

        So I gave up. As you argue, increasing the length increases the complexity exponentially fast, while increasing the character set increases the complexity only logarithmically fast. So it's better to use a long alphanumeric password than to discover that you can't log in, because the password form can't encode what you typed properly. These days I find it's extremely rare to run across a site or application that requires a non-alphanumeric character to be present.

        • by Quirkz (1206400) on Tuesday July 19, 2011 @11:15AM (#36811950) Homepage
          And then there's code like PHPbb, where it will let you create an admin password with an @ in it during site setup, but then just mysteriously strips the @ out of the actual password when the site is set up. I rebuilt a site three times before (for some crazy reason, can't recall how I thought of it) deciding to type the password and leave out the special character, and finally getting in.
    • by Teancum (67324) <robert_horning.netzero@net> on Tuesday July 19, 2011 @04:47AM (#36809032) Homepage Journal

      If you want to secure something like a bank account, you don't use a security measure like a password in the first place. Passwords are strictly for low security applications where you openly know that others are going to be getting into the data that you have stored behind that password.

      For something that you really want to protect from prying eyes, you use something like an SHA-512 encryption hash with a public/private pair or something else along that line. I declare that the whole notion that a password actually does more than provide a simple roadblock for pure idiots and "keep the honest people honest" is a mistaken notion.

      I should also note that the number of possible physical keys to most locks is shockingly low. I had a locksmith point out that most cash registers in grocery stores (at least for a great many years) used only one of five basic keys. I even had all five of them in my possession at one time. Yes, they worked too! Again, it is to keep people from pushing the buttons when they really shouldn't be there. Even now, most cash registers are "protected" with nothing more than a 4-digit key that can be hacked through social engineering alone... if they use something other than the register keys. Some stores are getting fancy with barcodes that need to be scanned indicating some supervisor ID, but even that is not a complicated string of numbers.

      Then again, most bank data is "protected" by such amazing "identity" information like a social security number and your mother's maiden name. It doesn't matter how complicated you make your passwords or encryption key, the information can be "hacked" with other very simple social engineering if you really want to get into somebody else's information. Of course, I find the whole notion of "identity theft" to usually be something absurd like this as those confirming identity are using information that really can't establish identity in the first place. Biometrics really are the only true way to establish identity, ranging from a handwritten signature to a finger print, a blood test, a DNA sample, and perhaps something like a retinal scan (something even twins have different). Identity establishment is intimately tied to passwords, as the point of a password is to prove that you are authorized to use a particular resource of some kind.

      • by Anrego (830717) * on Tuesday July 19, 2011 @08:44AM (#36810094)

        Then again, most bank data is "protected" by such amazing "identity" information like a social security number and your mother's maiden name. It doesn't matter how complicated you make your passwords or encryption key, the information can be "hacked" with other very simple social engineering if you really want to get into somebody else's information. Of course, I find the whole notion of "identity theft" to usually be something absurd like this as those confirming identity are using information that really can't establish identity in the first place. Biometrics really are the only true way to establish identity, ranging from a handwritten signature to a finger print, a blood test, a DNA sample, and perhaps something like a retinal scan (something even twins have different). Identity establishment is intimately tied to passwords, as the point of a password is to prove that you are authorized to use a particular resource of some kind.

        So much agree!

        Personally I think using my credit card (or accessing my bank account, or changing my address, etc..) should involve some kind of two-factor authentication. I'm a big fan of the keyfob type systems ... but even the "SMS a code to your phone" thing is ok. Combine that with a password and you have to be fairly determined to get at my account. I'm not a big fan of biometrics in the day-to-day login .. and definitely don't think it should ever be the sole means of authentication... simply because you only have one set of fingerprints... and you'd be using those same fingerprints at your bank and at the grocery store. You'd just end up with a cat and mouse game of copiers and people detecting copies of biometric info.

        The problem becomes though, that users will lose those keyfobs and forget their password. This is where the weakness in these systems is. If I can call someone up and recover my password or get a new keyfob with a little social engineering... then what is the point. And then this is where biometrics should come in. To recover my password/get a new keyfob should be a _chore_ of epic proportions. I should have to go somewhere and have all kinds of biometric tests done to confirm I'm me.

        The problem is most users value convenience over all else. They would totally baulk at a system like this. "Just let me into my damn account".

  • by WrongSizeGlass (838941) on Monday July 18, 2011 @07:57PM (#36805890)
    That article is way too long. Here's my observation: People pick passwords that are easy to remember, easy to type and/or something they think is clever.

    The problem with passwords is that if they are too complex people can't remember them or write them down in plain sight. Pass phrases can be very effective, easy to type and don't rely on the cleverness of people who can't remember 10 random letters, numbers and special characters.
    • Re:TL; DR (Score:5, Insightful)

      by fish waffle (179067) on Monday July 18, 2011 @08:15PM (#36806086)

      The problem with passwords is that if they are too complex..

      Partly. There are also too damned many of them. Every pissant site seems to require a login/passwd, it's best to keep them all distinct, and the difficulty of remembering all these passwords is in a continuum with their complexity.

      • by nine-times (778537) <nine.times@gmail.com> on Monday July 18, 2011 @10:32PM (#36807156) Homepage

        Yup. I think we really need to knuckle down and come up with a good universal-authentication scheme, maybe based on private-key encryption. It's not just a problem that people have so many passwords that they struggle to remember several strong ones, but one of the solutions that people employ is to reuse the same password for everything. Password reuse is a huge security flaw.

        It's important to remember that security isn't much stronger than the weakest link. If you use the same password for everything, and then a single service gets compromised, then everything is compromised. You use the same password for PSN, Gmail, and your bank? Well the Playstation network got hacked, and now those hackers have your bank password. What fun!

    • by c0lo (1497653) on Monday July 18, 2011 @08:15PM (#36806088)

      That article is way too long. Here's my observation: People pick passwords that are easy to remember, easy to type and/or something they think is clever.

      Last chart of the article reveals that 69% of the people are actually dumb in regards to picking their password.

      • by adamofgreyskull (640712) on Monday July 18, 2011 @08:33PM (#36806252)
        You placed emphasis on the wrong part of the quote.

        That article is way too long. Here's my observation: People pick passwords that are easy to remember, easy to type and/or something they think is clever.

        FTFY E.g. 6969 is not a clever password, but someone may think it is.

  • by bmo (77928) on Monday July 18, 2011 @07:58PM (#36805900)

    But the intention of this post was always to identify how people are presently choosing their passwords and we have good insight into that now. Of course the next question is "how should people be choosing passwords"? The answer to this is simple: The only secure password is the one you can't remember.

    This is why, when you have a password policy from hell, there are post-its stuck under keyboards or to the monitor. Users won't put up with your tyranny.

    --
    BMO

    • Exactly. Having reasonable policies such as "passwords may not consist solely of names or common dictionary words" strengthens security; going further than that and insisting that all passwords must consist of strings such as "kjf83i3n!mnc_79d" weakens security, because it practically begs people to write their passwords down. Similarly, requiring users to change their passwords every month will result in nothing but the use of weak passwords and/or constant tech support requests from users who can't log in.

      • by tompaulco (629533) on Monday July 18, 2011 @09:02PM (#36806506) Homepage Journal
        My IT department was not even able to tell me what our password policy is. My password expired and I had to pick a new one. I could not get one to work that passed our policy. I had one with four symbols, four upper case, four lower case and four numbers that I would never be able to remember, and it still would not take it. Finally, in desperation, I logged in as a domain administrator (which I happen to know, and whose password never changes because the entire system would break) and set my password to something that has a reasonable complexity that no one would randomly figure out and that I can remember.
      • by tverbeek (457094) on Monday July 18, 2011 @10:43PM (#36807218) Homepage

        I spend a whole-number-percentage of my work week advising users to select passwords that fall into the kinda-weak range, ones that meet the letter - but not the spirit - of our complexity requirements. For example, our company policy requires a combination of caps, lower, and something else. Rather than encouraging users to use a "strong" password such as d3K4jmS, I encourage them to pick the name of a city at random from a map, capitalize it, and put a digit on the end. Even though Munich7 is objectively lousier than the earlier example, there is at least a 1-in-10 chance that they will not be calling me back within the next week asking me to reset their password because they've forgotten it. If I actually encouraged these people to come up with a password that is difficult to guess or unlikely to survive a dictionary attack, they will a) forget it, or b) put it on a post-it note.

        P.S. Never allow your users to use a password manager or check the "remember my password for me" box. It only ensures that they'll forget the password and waste the time of your support staff resetting it. Make them type the password every time they access the system, or they will forget it. Even the few with a functioning hippocampus.

    • by jamesh (87723) on Monday July 18, 2011 @09:12PM (#36806604)

      Having a hard-to-guess password on a post-it note stuck to your monitor is entirely appropriate in a lot of places. If the threat from inside the organisation is close to zero (eg a home office with no external cleaning contractor where all staff have equal network access) but the threat from outside is high (eg remote access to email or desktop) then it's a better outcome than an easy-to-guess password that exists only in the users head... and in the dictionary.

  • by Chicken_Kickers (1062164) on Monday July 18, 2011 @08:00PM (#36805920)

    You know, what is more shocking is that clueless "security experts" are still relying on passwords as their primary security measure. Passwords are bad because they are not natural. Humans are not computers, i.e. we have not evolved to memorise random strings of letters and numbers. Our brain has evolved to make the most of connecting and contextualizing information, not memorizing 1s and 0s. This is the mistake you computer people always make, whether designing GUIs or security systems.

    • by rolfwind (528248) on Monday July 18, 2011 @08:14PM (#36806074)

      You know what's worse? Security questions! Especially when you can't type your own.

      Favorite Color? Too easy - people aren't going to say FF1A16. Most will say black, red, green, blue, white, or a handful of other labels.

      With all these favorite questions, I either don't have one. I really lack strong favorites in all areas. And the next time it asks me that, it will have likely changed.

      OR, it's information that's known to my entire household. Even if they don't do anything nefarious, I'm sure someone can wrangle out of my mother what street I lived on as a kid in a casual conversation.

      I hate SQs with a passion. Whoever thinks this is security is nuts.

      (Sorry, posted as anon before, dang sign-in isn't as convenient as it used to be.)

    • by Archangel Michael (180766) on Monday July 18, 2011 @08:16PM (#36806100) Journal

      Look, it isn't that hard to come up with a passphrase that you turn into a password.

      It was the best of times, it was the worst of times

      becomes

      1wtb0t1wtw0t!

      Then, you find a creative phrase that nobody else will figure out based on nothing about yourself and bam, you have a password. The longer the phrase, the more keystrokes to enter, and that is a good thing.

      But still, there is the one person I know whose password is pi, to the 27th decimal. Most PW systems don't let you have that many, and when they don't, she uses something ridiculously easy, "because it already isn't secured". Takes her, and I'm not kidding, about 7 seconds to tap it out on a keypad.

    • by kangsterizer (1698322) on Monday July 18, 2011 @08:49PM (#36806392)

      I agree.
      I am trying to pass this message among the security folks I meet, and I am "one" myself. Well, this is difficult.
      To many, security means password. It's that bad :-)

      To me, a password, digital key, etc. is just one of the aspects of security - but I certainly would be happier if we got rid of passwords. They're not secure, they're hard to remember, type, etc.

      That said, since you need at least 2 factors of authentication to feel reasonably secure, and there's not much that is as versatile as passwords, I'd live with digital keys that are additionally encrypted and protected by a password. The digital key then signs some keys that you can use for different services. Keys that you can revoke and regenerate at will (so you can rotate them every 7 days for example, with zero pain). You (almost) never have to change your password and have only one. If the master key is compromised, of course, you have to redo all that.
      You might want to rotate the master key every 5 or 10 years I suppose!

      Note: the master key password should be secure, however, even if it is not, it's not such a big deal anymore.
      The master key should eventually be taken great care of, having a separate physical pad and reader isn't out of the question (like the gpg cards).
      The master key can be protected by non-password means as well, but sometimes its hard to find the proper replacement.

      • by lgw (121541) on Monday July 18, 2011 @10:19PM (#36807082) Journal

        You know, ATM cards work really well for protecting easily-obtainable cash. I can't think of better proof that 2-factor auth with the simplest of passwords and the simplest of tokens works great.

        The approach I'd take with software is: your endpoint device generates a GUID - this is your actual password. The user provides a simple password which is used to locally encrypt the real password. The first time any new device is used, some additional protocol is needed to authorize the user out of band, and generate and sync the GUID. That should work well in any situation where the user frequently re-uses the same endpoint, and is likely to report if that endpoint is stolen.

  • by drb226 (1938360) on Monday July 18, 2011 @08:01PM (#36805940)
    FTA:

    The only secure password is the one you can’t remember.

    Great. So remember to write your password on a sticky note that you leave on your monitor, and you'll be golden.

    • by paleo2002 (1079697) on Monday July 18, 2011 @08:14PM (#36806076)
      I share an office and computer with a colleague at work. The school's network requires us to change our login and password every 60 days (I think) and won't let us reuse any entries. So, we've got a piece of paper taped to the desk next to the keyboard with an ongoing record of logins and passwords. Whoever's turn it is to come up with the new login info crosses out the last one and writes down a new one.

      Fortunately, we keep the login list key encrypted - we're always careful to lock the office door on our way out.
  • Non-alphanumerics (Score:5, Insightful)

    by paleo2002 (1079697) on Monday July 18, 2011 @08:08PM (#36806008)
    To be fair, I doubt the average person is aware that a password can include symbols unless they are specifically advised that they are allowable. I know I've been scolded by many computers, web sites, and electronic systems for using symbols in the past, so it's no wonder that they are rarely used.
    • Re:Non-alphanumerics (Score:5, Interesting)

      by Nationless (2123580) on Monday July 18, 2011 @08:17PM (#36806120)

      Symbols are a double edged sword. I once had a username/password combo using unusual symbols and lo and behold when they upgraded the system they decided in all their wisdom to remove support for those symbols.

      I was fucked.

      Had to contact them and have someone manually change my username and password (hardly ideal) and then I had to set up a new password as soon as I regained access.

    • Re:Non-alphanumerics (Score:5, Interesting)

      by mirix (1649853) on Monday July 18, 2011 @08:29PM (#36806220)

      I seem to find that banks seem to continuously be the worst for not allowing things other than [a-zA-Z0-9]. Which is rather funny, if it weren't sad. Usually stupid limits on length too, like 8 chars.

  • by El_Oscuro (1022477) on Monday July 18, 2011 @08:17PM (#36806116) Homepage

    Like most everyone else, managing passwords is a nightmare for me:

    Some websites require a 15 character password with at least 2 upper case letters 3 digits, at least 2 UNICODE characters, and must be changed weekly. Others require from 5 to 7 characters with no numbers and cannot be changed for at least 2 months. The password rules bear no relationship to the sensitivity of the data.

    Managing all of this crap is a royal pain in the ass. I use KeePassX with an IronKey to make things manageable, but it is still ridiculous.

    Why not just allow the user to put anything they want as a password, including spaces, commas, etc. Ban passwords under 5 characters, the top 500 easiest ones, anything matching personal info, etc. But otherwise allow all other things - and have a lockout policy after, say, 5 bad attempts. While a script can run through the 190,000 words in a dictionary in a few minutes, it is a lot harder if the account is locked out after the first 5.

    While lots of people hate PayPal for various reasons, they have one thing that is really slick: The ability to use your cellphone as a FOB. Everyone has a cell phone these days, and if you set it up, PayPal will text your phone with a secondary authentication code when you login with your password. So even if someone gets your password, unless they also have your cell phone, they still can't login. Why every bank doesn't have this security feature is beyond me.

    • by DiSKiLLeR (17651) on Monday July 18, 2011 @08:32PM (#36806242) Homepage Journal

      While lots of people hate PayPal for various reasons, they have one thing that is really slick: The ability to use your cellphone as a FOB. Everyone has a cell phone these days, and if you set it up, PayPal will text your phone with a secondary authentication code when you login with your password. So even if someone gets your password, unless they also have your cell phone, they still can't login. Why every bank doesn't have this security feature is beyond me.

      Both my banks do.... CBA in Australia, and ASB in New Zealand.

      US Banks don't do it?

    • But otherwise all other things - and have a lockout policy after, say 5 bad attempts.

      Which lets anyone who knows your username DOS you.

      Everyone has a cell phone these days, and if you set it up, PayPal will text your phone with a secondary authentication code when you login with your password.

      Even those who have a cell phone and a PayPal account don't necessarily have an unlimited SMS plan.
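Added example, not from either of the comments above: the per-account lockout proposed a few posts up, next to a throttle keyed on the (account, source) pair that slows a guesser down without letting a third party lock the real user out, which is the denial-of-service the reply above points at. The threshold, delays and the "evil" and "home" source labels are assumptions for the demo, and the clock is injected so the behaviour is reproducible.

```go
// Added example (not from the thread): the per-account lockout proposed above
// beside a throttle keyed on (account, source) that slows an attacker without
// letting them lock the real user out. Thresholds and delays are assumptions.
package main

import (
	"fmt"
	"time"
)

const (
	lockoutThreshold = 5                      // failures before a hard lock
	baseDelay        = 250 * time.Millisecond // first throttle delay
	maxDelay         = 16 * time.Second       // cap on the exponential backoff
)

// AccountLockout is the scheme from the comment: N failures lock the account
// for everyone, so anyone who knows the user name can deny service at will.
type AccountLockout struct{ failures map[string]int }

func NewAccountLockout() *AccountLockout {
	return &AccountLockout{failures: map[string]int{}}
}

func (a *AccountLockout) Allowed(user string) bool { return a.failures[user] < lockoutThreshold }
func (a *AccountLockout) RecordFailure(user string) { a.failures[user]++ }

// Throttle keeps state per (user, source) and doubles the wait after each
// failure from that pair; other sources logging in as the same user are
// unaffected, and a success from the pair clears its history.
type Throttle struct {
	now      func() time.Time
	failures map[string]int
	nextOK   map[string]time.Time
}

func NewThrottle(now func() time.Time) *Throttle {
	return &Throttle{now: now, failures: map[string]int{}, nextOK: map[string]time.Time{}}
}

func pairKey(user, src string) string { return user + "\x00" + src }

// Delay is how long this (user, source) pair must wait before its next
// attempt is even checked; zero means proceed.
func (t *Throttle) Delay(user, src string) time.Duration {
	if next, ok := t.nextOK[pairKey(user, src)]; ok && t.now().Before(next) {
		return next.Sub(t.now())
	}
	return 0
}

// RecordFailure doubles the wait for this pair, capped at maxDelay.
func (t *Throttle) RecordFailure(user, src string) {
	k := pairKey(user, src)
	t.failures[k]++
	d := baseDelay << uint(t.failures[k]-1)
	if d > maxDelay || d <= 0 { // d <= 0 guards against the shift overflowing
		d = maxDelay
	}
	t.nextOK[k] = t.now().Add(d)
}

// RecordSuccess forgets the pair's history after a correct password.
func (t *Throttle) RecordSuccess(user, src string) {
	k := pairKey(user, src)
	delete(t.failures, k)
	delete(t.nextOK, k)
}

func main() {
	// Attacker at "evil" burns five guesses against alice; alice then tries
	// from "home". Under lockout she is locked out; under the throttle only
	// the (alice, evil) pair waits.
	lock := NewAccountLockout()
	for i := 0; i < lockoutThreshold; i++ {
		lock.RecordFailure("alice")
	}
	fmt.Println("lockout: alice from home allowed?", lock.Allowed("alice"))

	clock := time.Unix(0, 0)
	th := NewThrottle(func() time.Time { return clock })
	for i := 0; i < lockoutThreshold; i++ {
		th.RecordFailure("alice", "evil")
	}
	fmt.Println("throttle: alice from home waits", th.Delay("alice", "home"))
	fmt.Println("throttle: evil waits", th.Delay("alice", "evil"))
}
```

Keying on the pair stops the single-source DoS, not a guesser who spreads attempts across many addresses; for that you still want a per-account rate that slows down but never hard-locks, and ideally the second factor discussed elsewhere in this thread.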

    • by subreality (157447) on Monday July 18, 2011 @10:34PM (#36807170)

      I think a lot of these stupid password policies were the result of Lanman and L0phtcrack.

      First, there are two kinds of things that people call "passwords". #1, a secret phrase that you tell to a remote system to authenticate yourself. #2, a key that has to be cryptographically secure against local attacks.

      Traditional Windows NT domains essentially published a Lanman hash of everyone's password. Lanman had a bizarrely bad hashing scheme: it null-pads your password to 14 characters, then splits it in half to two 7 character passwords. Thus, an attacker gets a local copy of your hash and only has to crack a 7 character long portion of it, which is exactly what L0phtcrack does. Decently good passwords get cracked within hours.

      The band-aid attempt to secure this horrible situation was to try to make the most cryptographically secure 7 character password possible. That isn't a lot of key data to work with so you basically have to have an absurdly line-noised password - and even then it could be cracked given enough time, so NT admins forced changing passwords frequently (which actually doesn't help, since the attacker just picks up random-guessing on the new hashes as they come out - sooner or later they'll find one).

      So that got enshrined as what a "secure password policy" was supposed to be. Unfortunately, it was designed to protect against an absurdly-bad implementation of scenario #2, when for the most part, your password only needs to be secure in scenario #1, because the hash isn't published and you can only make a half-dozen attempts to guess it before it gets locked out.
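Added example, not from subreality's comment: the LM construction he describes (uppercase, null-pad to 14, split into two 7-byte halves, hash each half on its own), implemented with Go's standard crypto/des so the split is visible, plus a tiny brute-force of one half to show why a cracker only ever faces a 7-character problem. The constant "KGS!@#$%" is the one the real scheme encrypts; the sample password and the reduced alphabet are made up for the demo. The hash of the empty password, AAD3B435B51404EE for each half, is the usual sanity check.

```go
// Added example (not from the thread): the LM hash as described above, using
// Go's standard crypto/des, plus a tiny brute-force of one half. The constant
// "KGS!@#$%" is the real scheme's; the sample password and alphabet are made up.
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

const lmMagic = "KGS!@#$%" // fixed plaintext each 7-byte half encrypts

// desKeyFrom7 spreads 7 key bytes over the 8-byte DES key layout: 7 key bits
// per byte with the low bit left for parity, which DES ignores.
func desKeyFrom7(k []byte) []byte {
	out := []byte{
		k[0] >> 1,
		(k[0]&0x01)<<6 | k[1]>>2,
		(k[1]&0x03)<<5 | k[2]>>3,
		(k[2]&0x07)<<4 | k[3]>>4,
		(k[3]&0x0F)<<3 | k[4]>>5,
		(k[4]&0x1F)<<2 | k[5]>>6,
		(k[5]&0x3F)<<1 | k[6]>>7,
		k[6] & 0x7F,
	}
	for i := range out {
		out[i] <<= 1
	}
	return out
}

// lmHalf hashes one 7-byte half: DES-encrypt the constant under that half.
func lmHalf(half []byte) []byte {
	block, err := des.NewCipher(desKeyFrom7(half))
	if err != nil {
		panic(err) // cannot happen: the key is always 8 bytes
	}
	out := make([]byte, 8)
	block.Encrypt(out, []byte(lmMagic))
	return out
}

// LMHash: uppercase, truncate or null-pad to 14 bytes, split 7|7, hash the
// halves independently and concatenate. The case folding and the split are
// exactly what lets a cracker attack two 7-character problems.
func LMHash(password string) string {
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password)) // copy truncates past 14
	h := append(lmHalf(buf[:7]), lmHalf(buf[7:])...)
	return strings.ToUpper(hex.EncodeToString(h))
}

// CrackHalf brute-forces one 8-byte half over alphabet, trying every string
// of length 1..maxLen. Real tools do this for both halves; the alphabet here
// is kept small so the demo runs in well under a second.
func CrackHalf(target []byte, alphabet string, maxLen int) (string, bool) {
	for n := 1; n <= maxLen; n++ {
		idx := make([]int, n)
		for {
			cand := make([]byte, 7) // unused positions stay null-padded
			for i, j := range idx {
				cand[i] = alphabet[j]
			}
			if bytes.Equal(lmHalf(cand), target) {
				return string(cand[:n]), true
			}
			k := n - 1 // odometer increment, rightmost position fastest
			for ; k >= 0; k-- {
				idx[k]++
				if idx[k] < len(alphabet) {
					break
				}
				idx[k] = 0
			}
			if k < 0 {
				break
			}
		}
	}
	return "", false
}

func main() {
	pw := "Sl@5hPwd42" // constructed sample: uppercases to SL@5HPW | D42
	h := LMHash(pw)
	fmt.Println("LM(", pw, ") =", h[:16], "|", h[16:])
	fmt.Println("LM(\"\") =", LMHash(""))
	tail, _ := hex.DecodeString(h[16:])
	got, ok := CrackHalf(tail, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", 3)
	fmt.Println("second half cracked:", got, ok)
}
```

Two things to notice when you run it: any password of 7 characters or fewer has AAD3B435B51404EE as its second half, which tells an attacker the length class for free, and the two halves of a 14-character password can be cracked separately and in parallel, which is the 7-character effective limit the comment describes.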

  • by chroma (33185) <chroma.mindspring@com> on Monday July 18, 2011 @08:19PM (#36806126) Homepage

    I've become a recent convert to the idea of using a password card [passwordcard.org] or
    password chart [passwordchart.com] to remember my passwords for me. There's not nearly as much to remember, as you use a code to look up the password on a printed card. But if you lose the card, anybody finding it will only see a random sequence of letters and numbers.

    • by arth1 (260657) on Monday July 18, 2011 @10:57PM (#36807300) Homepage Journal

      But it doesn't help you have different passwords for different sites unless you already remember a password for each site.
      And that's the problem.

      • by slinches (1540051) on Tuesday July 19, 2011 @03:29AM (#36808706)

        You do still need to remember a "password" for each site, but that password is only a symbol, a color and the length of the password (or whatever you choose) rather than a long string of random characters, which makes it easier to remember multiple strong passwords. This system does trade stronger cryptographic security for weaker physical security, but this weakness could be addressed by keeping multiple cards or using additional encryption schemes. The idea is that the password would remain equally random, but having a physical device will allow you to choose a system that has a balance of physical security vs. memorability that you are comfortable with.

        tl;dr - It's better than having to remember strong passwords, reusing them everywhere or writing them in plaintext.

  • by spaceyhackerlady (462530) on Monday July 18, 2011 @08:19PM (#36806130)

    Passwords with patterns are easy for humans to remember, but any short password is vulnerable to a bruteforce attack.

    My favourite way to generate passwords is the first letter of each word in a phrase. Somebody looking over your shoulder sees you type TbonoTbTitQ, doesn't see a pattern, and can't remember it, while you think To be or not To be, That is the Question. Not that this makes any difference to a computer that starts at aaaaaaaaa and works up to zzzzzzzzz.

    No, I've never used this password on any computer system. One I did use, though (20-odd years ago, at a company that has long since ceased to exist), was MRwitdtEssahtuwws. If you can tell me the underlying phrase I'll be impressed. And scared. :-)

    ...laura

  • by Freddybear (1805256) on Monday July 18, 2011 @08:31PM (#36806240)

    A function that returns a string of 12 random ASCII characters including upper and lowercase alphas, numerics and symbols will score 100% on a password strength test like http://www.passwordmeter.com/ [passwordmeter.com] but I find that a password like that will be hard to type, much less to remember.

    Another way is to return two random words from a list of less-used English words, separated by two or three random numerics. That won't score as high but it will be plenty secure against dictionary attacks and will be easier to remember.
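The two generators compared in this comment are easy to put side by side. The Python below is an added example, not the commenter's code: it draws both kinds of password from the `secrets` CSPRNG and computes the entropy of each from the generator's choices rather than from the output string, which is the only place entropy can be measured. The word list is a constructed 16-word stand-in for "a list of less-used English words"; only its size enters the estimate, and the block also evaluates a 7776-word list (the size of a standard diceware list) for comparison.

```python
import math
import secrets
import string

# Constructed stand-in for "a list of less-used English words". Only its size
# matters for the entropy estimate; a real list would run to thousands of words.
WORDS = [
    "abacus", "brindle", "cairn", "dowager", "ersatz", "fulcrum", "gimlet", "halyard",
    "isthmus", "juniper", "kestrel", "lanyard", "mullion", "nacre", "obelisk", "pewter",
]

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def random_chars(length: int = 12, alphabet: str = PRINTABLE) -> str:
    """Random printable ASCII characters drawn from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_separator(min_digits: int = 2, max_digits: int = 3) -> str:
    """Draw uniformly over every digit string of an allowed length, so each of the
    sum(10 ** k) possible separators is equally likely and the entropy count below
    is exact rather than an upper bound."""
    lengths = range(min_digits, max_digits + 1)
    counts = [10 ** k for k in lengths]
    r = secrets.randbelow(sum(counts))
    for k, count in zip(lengths, counts):
        if r < count:
            return str(r).zfill(k)
        r -= count
    raise AssertionError("unreachable")


def two_words(words=WORDS, min_digits: int = 2, max_digits: int = 3) -> str:
    """Two random words separated by two or three random digits."""
    return secrets.choice(words) + random_separator(min_digits, max_digits) + secrets.choice(words)


def bits_random_chars(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: each position contributes log2(alphabet)."""
    return length * math.log2(alphabet_size)


def bits_two_words(list_size: int, min_digits: int = 2, max_digits: int = 3) -> float:
    """Entropy of the two-word scheme: log2 of the number of distinct, equiprobable
    outputs. Words are independent (list_size ** 2); the separator is any digit
    string of an allowed length (sum of 10 ** k). Words contain no digits, so
    every output decodes uniquely and no two choices collide."""
    separators = sum(10 ** k for k in range(min_digits, max_digits + 1))
    return math.log2(list_size ** 2 * separators)


if __name__ == "__main__":
    print(random_chars(), f"{bits_random_chars(12, len(PRINTABLE)):.1f} bits")
    print(two_words(), f"{bits_two_words(len(WORDS)):.1f} bits with {len(WORDS)} words")
    print(f"{bits_two_words(7776):.1f} bits with a 7776-word list")
```

Twelve random printable characters give about 78.7 bits; two words plus digits give about 18 bits from a 16-word list and about 36 bits from a 7776-word list, so the memorable scheme's strength is set almost entirely by how large the word list is.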

    • by cliffjumper222 (229876) on Monday July 18, 2011 @11:15PM (#36807404)

      My approach is something a security guy from Intel told me - take a phrase you can remember that is unique to you, e.g., "I love Jennie and Maggie my 2 kids" or "We moved to Portland 25 years ago in August" and then just take the first letter of each word and keep the numbers as is. You can also throw in some punctuation or make it a two phrase password as well. Then, when you type, you just say the phrase(s) in your head and tap the first letter. It's very simple. I've been using it to express my angst for years, so maybe there's a few too many "f's" in my passwords, but there you go.

    • by slinches (1540051) on Tuesday July 19, 2011 @03:44AM (#36808802)

      Am I just paranoid or does it seem that those password meters could be a simple phishing scam trying to find commonly used strong passwords? (not necessarily implying the one you linked isn't legit)

  • by sqrt(2) (786011) on Monday July 18, 2011 @08:33PM (#36806260) Journal

    I changed my passwords according to Steve Gibson's new paradigm of password haystacking. The basic idea is that you start with a short, non-dictionary but still memorable base and then increase the length with padding that is memorable to you. The concept is based on the fact that length trumps entropy when defending against a brute force attack, and that simple length is just as effective as complex length as long as the entire password doesn't appear in a dictionary. He made a page dedicated to the concept; it's worth taking a look at.

    https://www.grc.com/haystack.htm [grc.com]

  • by Danny Rathjens (8471) <slashdot2 AT rathjens DOT org> on Monday July 18, 2011 @08:43PM (#36806346)
    I'm surprised a large chunk of the obfuscation attempts didn't involve replacing letters with numbers. termin8, passw0rd, etc.
    I used a password cracker once as a sysadmin many years ago and I recall that that was one of the higher priority alternates the password cracker tried after dictionary words. I also remember there were plenty of adjunct dictionaries for password crackers with things such as anime/book/movie/tv names and character names and places which might cover a lot of that "other" category.
  • by Maximum Prophet (716608) on Monday July 18, 2011 @09:02PM (#36806508)
    Back in the day, we would trade off the duty of creating the root password, and changing it everywhere it needed to be changed. When it was my turn, I used a random set of letters and numbers that everyone said no-one could remember. That password had fewer people re-requesting it than any other. I still remember it today. I just Googled it, and nope, it's not there yet.
  • by fishbowl (7759) on Monday July 18, 2011 @09:07PM (#36806552)

    Seriously, I don't care if someone guesses or bruteforces a password to some news site, or anything where I've used a totally random pseudonym in the first place. I will do things like use weak passwords, re-use them, etc. Because I don't care. I mean, I *really* don't care. Please hack these. Who cares? Not me.

    Web sites and applications where I *do* care, get particularly long, entropy-rich randomly generated passwords. These passwords do get stored locally, on a well-encrypted medium that I would be most happy to surrender at the first hint of torture. But these aren't going to be casually guessed, and if you're trying to brute force one of these accounts, you're much better off attacking the next one over. (I take the same strategy with auto and home security as well -- all I really have to do is make YOUR car look more attractive to thieves.)

  • by FoolishOwl (1698506) on Monday July 18, 2011 @09:08PM (#36806566) Journal

    Problem #1: people don't have random password generators conveniently at hand when they need to create passwords. OS designers should make sure that good random password generator applets are installed by default and obvious. Designers of systems that require passwords should remind users to use random password generators, and suggest where they may be found in popular GUIs. Not every interface can offer that information, but certainly websites could, and if enough do, the information will get around.

    Problem #2: people get the EXTREMELY BAD ADVICE that they should not write down passwords. They should be advised to write down their password and put it somewhere safe and out of sight, like their wallet.

  • I use a system that is similar to this: Take a phrase, mash it up very well and then add the name of the account to the end of it. It's very secure, but some sites don't support it because it contains plain text.

    Phrase: Don't taze me bro! (remember that guy?)
    let's mash it up a bit
    d0nT+A2eM3bR0!

    After typing it in a few times it becomes natural. So, now you have a 14 character alphanumeric password with symbols. But, if some script kiddie hacks a site that you're signed up to (this happened to one of my various online accounts) then they will have access to all of your accounts using that password, rendering it useless, right? Well not so fast. Now we add the next part of protection.

    Take the name of the site/account you're logging in to. Mash it up just once (one letter/number) and append it to the 14 character mashup. For example

    d0nT+A2eM3bR0!f@cebook
    d0nT+A2eM3bR0!sl@shdot
    d0nT+A2eM3bR0!n3wegg
    d0nT+A2eM3bR0!f@rk

    In this case I replaced the first vowel in each site name with a symbol.

    I consider this to be VERY secure, and if any of my accounts gets broken into, the likelihood of any other of my accounts being compromised is next to nil.

    I'd love to hear the comments of my fellow slashdotters on this. Keep in mind that even a very simplified version is better than most of the passwords out there. I try to get my customers (neophytes mostly) to adopt this because at the very least they aren't using "password1" as their password for everything.

  • by Joe_Dragon (2206452) on Monday July 18, 2011 @10:01PM (#36806966)

    stop making us change the password so much and get rid of the repeating rules.

  • by plopez (54068) on Monday July 18, 2011 @10:23PM (#36807110) Journal

    "Shadowfax".

    You can thank Phillip Sutcliffe for telling us about it:

    http://www.theonion.com/articles/the-threat-of-cyberterrorism,14671/ [theonion.com] :)

  • by Sebastopol (189276) on Tuesday July 19, 2011 @01:41AM (#36808240) Homepage
    tools -->> generate secure password -->> generate -->> save -->> autofill done and done.
