Why People Are So Bad At Picking Passwords 299
mrspoonsi writes "Studies suggest red-haired women tend to choose the best passwords and men with bushy beards or unkempt hair, the worst. These studies also reveal that when it comes to passwords, women prefer length and men diversity. On the internet, the most popular colour is blue, at least when it comes to passwords. If you are wondering why, it is largely because so many popular websites and services (Facebook, Twitter and Google to name but three) use the colour in their logo. That has a subtle impact on the choices people make when signing up and picking a word or phrase to form a supposedly super-secret password. The number one conclusion from looking at that data — people are lousy at picking good passwords. 'You have to remember we are all human and we all make mistakes,' says Mr Thorsheim. In this sense, he says, a good password would be a phrase or combination of characters that has little or no connection to the person picking it. All too often, Mr Thorsheim adds, people use words or numbers intimately linked to them. They use birthdays, wedding days, the names of siblings or children or pets. They use their house number, street name or pick on a favourite pop star. This bias is most noticeable when it comes to the numbers people pick when told to choose a four digit pin. Analysis of their choices suggests that people drift towards a small subset of the 10,000 available. In some cases, up to 80% of choices come from just 100 different numbers."
Horse Battery Staple is common too (Score:4, Informative)
http://xkcd.com/936/ [xkcd.com]
Use a good password manager (Score:4, Informative)
The proper way is to use a good password manager with the following features:
1) cloud-based sync, so you can access it from any computer or mobile device
2) multifactor authentication, such as a USB stick or a grid or biometrics
3) a configurable password generator (i.e. you can choose length, complexity, etc.)
I use LastPass and like it enough to have bought a year's subscription for $12, but there are other good choices out there like 1Password, or you could homebrew up something with e.g. DropBox + KeePass or Google Drive + TrueCrypt + something that can read TC volumes on iOS/Android.
Generate a different random password for each site needing an account, as complex and as long as the site will allow for, and with LastPass at least you can attach a note to each site's entry so you could enter random line-noise answers for security questions like "What is your mother's maiden name?", thus making crackers work much harder. I've also got LP set up for multifactor authentication and with a strong master password.
Re:Horse Battery Staple is common too (Score:5, Informative)
My favorite way of achieving easy to remember and hard to guess is to use qwerty encoding. Simply move your hands from the f/j row to the r/u row and then type a memorable word or simple phrase. The password 'password' would become '0qww294e' and yet can be typed just as quickly and remembered just as easily. The only downside is that it's less effective for people who don't touch type.
That's not the only downside. It also makes it very hard to enter passwords from other devices, like cell phones. But most of all, it doesn't add much security - the standard crackers have rules for shifting the letters as they would be shifted on a keyboard. Both John the Ripper and Crack, at least.
936-style passwords are kinda easy to crack now. (Score:2, Informative)
Perhaps everyone quoting that xkcd should be aware that such passwords are no longer safe. [arstechnica.com]
If you think to yourself after reading the first page, "But all of those long passwords were phrases, not nonsense strings!" then you should keep reading to page 2's sidebar for the list of passwords that were cracked using the methods in the article. Crackers have dictionaries of billions of words now and can try combinations and variations at GPU-fueled speeds. Length only protects you if and only if you can exhaust dictionary attacks.
The only safe password is long and either randomly generated or indistinguishable from it. Using some other device to store and auto-fill your passwords like a password manager or a device like a YubiKey is the only long-term solution. Humans are the weakest link.
Re:936-style passwords are kinda easy to crack now (Score:5, Informative)
I don't think you understand the concept that the xkcd advocates.
The ars technica article is pointing out that context can grossly reduce the entropy in any given search space. If you're going to test combinations of words from different languages, for instance, you shouldn't bother with "crotalus fthagn" or "Cthulhu atrox" until you've already tried "crotalux atrox" and "Cthulhu fthagn". The point is that you can't beat the password crackers by picking something from an obscure search space -- in other words, it's a classic point against security by obscurity.
The XKCD is making a different point: that passwords comprised of unrelated words deprive the attacker of such information and are resistant to attack not because of the obscurity of the search space in which they're found, but because of its size. Perhaps 44 bits of entropy isn't enough to defeat extensive computational resources, but the point is that six words chosen out of the dictionary at random, all in lowercase, with spaces between them is a better password than "Cthulhu fthagn" because modern datamining techniques mean that it's likely to appear in someone's dictionary after all.
Re:936-style passwords are kinda easy to crack now (Score:2, Informative)
Perhaps everyone quoting that xkcd should be aware that such passwords are no longer safe. [arstechnica.com]
If you think to yourself after reading the first page, "But all of those long passwords were phrases, not nonsense strings!" then you should keep reading to page 2's sidebar for the list of passwords that were cracked using the methods in the article. Crackers have dictionaries of billions of words now and can try combinations and variations at GPU-fueled speeds. Length only protects you if and only if you can exhaust dictionary attacks.
The only safe password is long and either randomly generated or indistinguishable from it. Using some other device to store and auto-fill your passwords like a password manager or a device like a YubiKey is the only long-term solution. Humans are the weakest link.
Using software to store and auto-fill your passwords is the worst possible solution (a post-it on the monitor is more secure in practice). The result of that thinking will be trojan key-stores that simply inform their creator what your password is.
The point of the XKCD is that if you select n random words instead of n random characters you can get a password that can be memorized easily, and exploits the larger search space of words (compared to the smaller search space of characters that exist on your keyboard) meaning your password will be more secure and easier to remember.
Re:936-style passwords are kinda easy to crack now (Score:5, Informative)
Perhaps everyone quoting that xkcd should be aware that such passwords are no longer safe.
Nonsense. You don't understand the approach XKCD was suggesting; you can't defeat entropy by getting a bigger dictionary. If that were true, then AES-128 would be trivially easy to crack because I can enumerate all of the possible keys. I have a 100% perfect dictionary.
The point that by selecting a set of randomly-chosen words (do not do the selection yourself; use a random number generator) words, you can get a great deal of entropy in a fairly memorable form. It doesn't matter if the attacker knows the exact method you used (as long as it's random), and knows the exact dictionary you selected your words from; he's still going to have to try 2^n possibilities, where n is large enough to make brute force impractical.