The Case For Lousy Passwords

itwbennett writes "Since the Gawker and McDonald's hack attacks, the web has been overrun with admonishments against using weak passwords. But weak passwords have their place too, says blogger Peter Smith. Like, for example, on Gawker, where he really doesn't care if it gets cracked. 'Life is too short to be worrying about 24 character passwords for trivial sites,' says Smith. And, to put things in perspective, your good passwords are pretty weak too. In a 2007 Coding Horror article, Jeff Atwood points out that the password "Fgpyyih804423" was cracked in 160 seconds by the Ophcrack cracker."

Bad usernames too

[alphatel]

Anytime I visit a site that wants a signup, I use a garbage email account, with the same username and weak password. If someone hacks my identity, it's not even "me".
It's not as if the right to post or read is such a valuable commodity that can't be replicated next time you visit the site.

Re:Bad usernames too

[Anonymous Coward]

Anytime I visit a site that wants a signup, I don't bother signing up.

Re:

[oldspewey]

But what if you want to participate on a discussion board? (And don't worry, I'll wait 10 minutes until you're allowed to post your response AC).

Re:Bad usernames too

[Anonymous Coward]

Look it didn't even take me three minutes to crack his account.

Re:

[mark72005]

Personally, I keep an extra gmail account to sign up for websites that is only used for that purpose. My real email address is never entered into a signup form, only my spamtarget address.

I don't share passwords between my spam target email or accounts and my real life email and accounts.

But yes, the day I (sign up for and) am worried about a useless account like gawker getting cracked is the day I know that I truly have no life.

Re:Bad usernames too

[zwei2stein]

Ever heard of http://www.bugmenot.com/ [bugmenot.com] ?

It's nifty, use that instead ...

Re:

[clone52431]

IMHO bugmenot is pretty much useless since (a) permitting websites to opt themselves out and (b) webmasters got savvy and started banning accounts listed on bugmenot.

Re:Bad usernames too

[sideslash]

Yeah, bugmenot is cool. I use it for my online banking.

Re:Bad usernames too

[eln]

If none of these work, register an account with a throwaway email address (mailinator etc.) and share it on bugmenot and its clones.

This seems like a good idea in theory, but it can backfire. For example, I used to use a particular email address for certain...less reputable sites. Since those sites occasionally do various email verification things, I had to check that email address every so often so I couldn't just throw it away. Over time, I started to use that address for more and more sites until I eventually remembered that address better than my actual email address. After that, it wasn't long before I instinctively started using is for *everything*.

Anyway, long story short my primary email address is now midgetgrannyhorseporn@donttellmywife.org.

Re:Bad usernames too

[stonewallred]

So you are the prick that made me have to use midgetgrannyhorseporn22@donttellmywife.org.

Re:

[aardvarkjoe]

There are several tools you can use to make the whole "required registration for everything" a little less annoying:

http://www.bugmenot.com/ [bugmenot.com] has usernames and passwords that people have submitted for a bunch of sites. Very handy when you want to read something in a web forum (or other site, but I've found forums to be the worst) that has really obnoxious registration requirements.

http://mytrashmail.com/ [mytrashmail.com] is an anonymous email service that lets you use a temporary email address, without requiring registrat

Re:

[clang_jangle]

...use a password manager... I don't have any idea what most of my passwords are.

To me that's unacceptable. What happens when a bad update or a hardware failure renders your passwords inaccessible? But I guess most people are so dull they have no choice -- it's software or 123456, otherwise their pitiful little brains will be overwhelmed. No doubt this laziness and apathy is precisely why everyone will be chipped soon.

Re:

[TheRaven64]

What happens when a bad update or a hardware failure renders your passwords inaccessible?

That's what backups are for...

Re:

[icebraining]

I have terrible memory, you insensitive clod. It has nothing to do with being lazy.

But I don't use password managers, I use an algorithm based password generator. I can recreate any password with a SHA-1 hasher.

Of course, I still have about 9 or 10 memorized passwords for important stuff (root accounts, bank, etc), but it would be completely impossible for me to remember the dozens of passwords for every random website that requires me to register.

Re:

[mjeffers]

It's not laziness, it's that the password system of authentication is fundamentally broken. You tell a person that they have to remember a long, unique, random string of characters that has no connection to anything they've done or anything about them in real life. They have to use a different one of these for each place they go to that requires a password and they have to change them frequently every few weeks/months. If you've got 10 sites you belong to and you change your password every month that's 120

Re:

[Lumpy]

Actually in that case, I grab all the weapons and ammo I have along with all the camping gear, throw it all in the small suzuki 4X4 an kill everyone at the nearest gas station so I can fill all the jerry cans I have, then drive as far north as I can to get away from civilization, find a nice hunting cabin in Canada and live there until most of society eat's it's self.

Then I can access my passwords from the thumb drive I keep in my anus.

Re:

[horatio]

Finally, if you use a password manager (I've been using KeePassX, it's pretty good and cross-platform), then you don't have to remember passwords anymore, so there's no reason to use a weak password for anything. I don't have any idea what most of my passwords are.

Yep. I use 1Password and have the encrypted file synced through dropbox to my iPhone and other systems. I really don't know what most of my passwords are anymore.

Re:

[mcgrew]

Yes, and it depends on the site as well. I use 111111 for newspaper sites, I have a strong password for slashdot simply because I like my user name and have excellent karma. I have an even stronger password for my computers.

Re:Password keychains?

[mcvos]

And then you only need to figure out how to sync those various keyrings across multiple PCs, browsers, OSs and smartphones. Easy as pie, right?

As you can probably guess, I use the same, simple password for every single web forum. I use complex passwords only for stuff that matters: my computers, my banking site, my PayPal account (until I canceled it), etc.

What really pisses me off, by the way, is when sites want to restrict my choice of password. The most stupid example is my bank, that doesn't allow (most?) non-alphanumeric characters in a password. Then there are completely unimportant webfora that insist my password has to be at least 8 characters long and contain letters, numbers and non-alphanumeric characters.

Re:Password keychains?

[clone52431]

Yeah, I just registered an online banking account and their password requirements were 8-12 characters, no special characters.

WTF people?

But then they use security questions as a second line of defense, which is just another password, and a much longer and therefore stronger one at that (if it’s done properly – which most people don’t do, of course). Now, hopefully they’d require someone logging in from an unrecognized IP address to pass a security question...

Re:

[icebraining]

My bank allows for weakish passwords, but then they use SMS verification for any operation that involves transferring money.

Re:

[clone52431]

Perhaps, but if someone was able to log in with your password could they also just turn off the SMS notifications?

Re:

[mcvos]

I've got a 15 year-old piece of paper with codes that I need to enter when I want to transfer money.

It's quite an amazing system.

Re:

[icebraining]

But much less safer. My phone has a PIN you need to insert to unlock its keyboard or turn it on. Even if they steal it, they can't use it for transferring money.

You either have to leave the paper at home (meaning you won't be able to use internet backing somewhere else), or you risk much more if someone steals your wallet with it and you don't notice in time to tell the bank.

Re:

[DZign]

Their web app probably dumps your password into an ascii file that's uploaded to a mainframe which cannot handle anything else because of incompatible character sets..

Re:

[mcvos]

That's also an option. I was wondering if this was about preventing SQL injection, and they'd never heard of parameterized queries.

Re:

[clone52431]

I was wondering if this was about preventing SQL injection, and they'd never heard of parameterized queries.

That would have been my first guess, though any SQL system, even if it doesn’t support paramaterized queries, can (and should) be secure if you correctly escape your data, so there’s really no excuse.

Re:

[John Hasler]

> ...it's usually not that difficult to track down some of that information.

Tell them your mother's maiden name is ct!h0Zf&.

Re:Password keychains?

[Red Flayer]

Tell them your mother's maiden name is ct!h0Zf&.

I usually just tell them my mother's maiden name is cthulhu, and then the bank gives me all their money.

Re:

[nabsltd]

Tell them your mother's maiden name is ct!h0Zf&.

Most of these "security" questions ignore anything but [A-Za-z] in the answer and fold case.

So, although you are a bit more secure by not using the correct, searchable answer, any answer that wasn't correct would accomplish the same thing.

Re:

[rjstanford]

Which is why you lie. Consistently and constantly to those questions.

What was your birth place? Pizza Hut, Luna City
What was your first pet's name? Sir Fucks-a-lot
What was your mother's maiden name? Jack Daniels
What is your favorite food? Glass

If you do so, no amount of digging into your personal life is going to come up with the right answers and as long as you give the same answers each time, it's not that difficult to remember.

Of course, then you have the problem where THAT database is compromised, given unlike the password data base the answers probably weren't encrypted...

Yup. The only way someone could ever get them is if you posted the list of questions and answers to some kind of non-anonymous messaging board. Luckily, nobody would eve be that foolish. ;)

Re:

[treeves]

So don't use the real answer to the father's middle name question. Say it's 1y1g2r3fs5cxy4 or something.

Re:Password keychains?

[horatio]

Then there are completely unimportant webfora that insist my password has to be at least 8 characters long and contain letters, numbers and non-alphanumeric characters.

When I worked for a major university a few short years ago, they contracted our paperless pay statements and W2s to Talx -- who only allowed numbers in the "password". Super frustrating, and of course no one in HR understood why I had a problem with this. They may have gotten smarter since then, but doubtful.

Re:

[eleuthero]

I have the same problem with my ... bank card. In what world is a four digit password based off of ten numbers a secure method of doing business. The immediate answer is, "you have to have a passcard too" but this is no longer true since someone can walk past your wallet with a fancy phone attachment and get your number just by bumping into you to put onto their own fake card. Ah well.

Re:

[mcvos]

The real security in bank cards is the secrecy of the algorithm. Which is probably over 20 years old by now.

If any criminal had access to the algorithm, it would of course be trivial to run through the 10000 possible options to find the pin number that goes with the stolen bank card, but fortunately in the past 20 years nobody has ever been able to bribe anyone for access to that algorithm. We're safe, guys.

Re:

[horza]

Not the same problem at all. Nobody should have a copy of your bank card number, so that can be seen as part of the 'secret' number in addition to the PIN code. So you need the card as well as the PIN. If somebody steals the card number, and fakes a bank card, you have already reduced the number of people that can do this as well as increased the cost of doing it. Then you only get 3 tries before your card is locked. The best way of capturing the PIN is a fake ATM with camera to capture your pin number, and

Re:

[JackieBrown]

And then you only need to figure out how to sync those various keyrings across multiple PCs, browsers, OSs and smartphones. Easy as pie, right?

Use last pass, keeypass, password hasher, etc

Single point failure [Re:Password keychains?]

[Geoffrey.landis]

Today computers offer keychains like Gnome Keyring and KWallet for Linux, and often offer a password-generating tools, browsers also remember the passwords. Creating a complex 30 character password and keeping in the browser takes 4 clicks, creating a complex password and keeping it in the keyring and browser takes 8-9 clicks, creating a stupid password that anyone can crack takes thinking, 6-7 keystrokes and then having to remember it. Laziness is no excuse when you're encouraged to be even more lazy with the complex ones.

Well, yes. Of course, this means you now have a single-point failure mode for ALL of your accounts now; somebody sneaks into your browser, and your complex passwords are all useless.

And it doesn't help, because when the sites you have to log into vary their URL and you have to log in to their site and your browser doesn't know which password to use, you're toast.

Your browser burps, and you're toast.

Your keychain freezes, and you're toast.

You're accessing from some other system, and you're locked out of eve

Re:

[c6gunner]

Well, yes. Of course, this means you now have a single-point failure mode for ALL of your accounts now; somebody sneaks into your browser, and your complex passwords are all useless.

Which is why my browser resides on a truecrypt volume, and my computer locks itself after I've been away for 2 minutes. Plus I'm in the habit of manually locking the computer when there are others around. Not really an issue.

And it doesn't help, because when the sites you have to log into vary their URL and you have to log in to their site and your browser doesn't know which password to use, you're toast.

No, you can go and manually look at the password for the site.

Your browser burps, and you're toast.

You don't do backups?

You're accessing from some other system, and you're locked out of everything.

I have a way around that, but yeah, it would be an issue for most people.

Doesn't help against phishing, either.

Doesn't hurt, either.

hard passwords just lead to post it's even more so

[Joe The Dragon]

hard passwords just lead to post it's even more so if you need to change it all the time and can't reuse old ones or even parts of old ones.

Re:

[Tim C]

There's nothing wrong with writing down important passwords, as long as you protect the bit of paper.

For example, if I write down my password for my domain account at work and put the piece of paper in my wallet, the password would be the least of my worries if my wallet went missing.

Re:hard passwords just lead to post it's even more

[Vanderhoth]

I would assume he meant "post it's" as in people just write all their passwords down and stick them all over their PCs

Punctuation would have been useful

hard passwords just lead to post it's. Even more so if you need to change it all the time and can't reuse old ones or even parts of old ones.

Re:

[oliverthered]

I think the problem was as follows.

the plural of 'post it's is not obvious, often I use quotes for plurals of nouns like that.

but then there's also this problem. the it's fits two ways, I've put two in below.

hard passwords just lead to 'post it's. It's even more so if you need to change it all the time and can't reuse old ones or even parts of old ones.

Re:

[clone52431]

I think a lot of the confusion would be eliminated if you called them Post-Its. Just my 2 cents...

Re:

[pyrr]

I call them "sticky notes".

Re:

[Vanderhoth]

I get a lot of practice as a developer. Finding missing semi-colons, quotation marks and brackets in code is practically my specialty.

people write down hard passwords

[alen]

one time i worked at a place where every 6 months they would randomly change your password to a random 8 letter string of letters, numbers and a special character. and your username was some cryptic combination of initials, numbers and department. needless to say most people would keep a copy under the keyboard. meanwhile the admins thought they were james bond with their cool security

Re:people write down hard passwords

[hey!]

Actually having a hard password and writing it down is not such a bad idea. It's leaving the password under the keyboard that's a bad idea.

Look at this this way. That guy driving a Ferrari around town unlocks it with a key that *anyone* can use. It's reasonably safe, however, because he keeps the key in his pocket.

Of course, wallets get stolen. So what you do is this: you generate a strong eight character password, print it on a laminated card and keep it in your pocket. You choose a memorable six character password and keep it in your head. Then concatenate the two to form your working password. That's poor man's two factor security.

Re:

[mdarksbane]

So write it on a scrap of paper and stick it in your pocket. If it isn't meant to last more than 4 weeks a scrap of printer paper will last plenty long enough.

Re:

[Chanc_Gorkon]

Or keep it in an unencrypted spreadsheet.

Re:

[Cro Magnon]

Or keep it in an unencrypted spreadsheet.

And name it "passwords.xls".

Re:

[clone52431]

Or keep it in an unencrypted spreadsheet.

And name it "passwords.xls".

And put it in My Documents, which they’re sharing on Limewire.

Re:

[eleuthero]

or maybe just use a basic cipher or memory peg for all passwords... at least, that's what I did until someone hacked all of my email addresses (but forgot to change the "I forgot my password" setting and this allowed me to regain control).

Re:

[Vanderhoth]

So what's harder to crack, a Secure password you've described above written on a sticky note stuck to a monitor or under a keyboard or a slightly less secure password most people can remember?

We have similar password requirements where I work only you can't reuse a password with in the last 14 passwords and it's changed every 3 months. I manage several databases, have 10 different application accounts, 3 HR accounts (for requesting time off, training and such), 3 e-mail accounts and at least four web foru

160 seconds? Windows? Bad example

[fahlenkp]

Why on earth are they mentioning how fast rainbow tables can break an old windows hash? That has nothing to do with most pages running apache on linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP. Get it worth their salt? Lololol. Anyhow why is the windows example being used in this article at all?

Re:160 seconds? Windows? Bad example

[Culture20]

The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP.

I'm sure you've noticed from your logs that brute force attempts are made from botnets now too? A lot harder to block.

Re:

[gparent]

Yeah, they've been trying to bruteforce my RSA key for a while now. Oops.

Re:

[Z00L00K]

Sure, but many of the bots are running the same password list, and if you block an IP address after a certain number of connections you will make it harder to penetrate your server.

Re:

[fahlenkp]

A little harder to block, yes I would agree, however even a botnet of 1 million computers all active on my pathetic site can only guess 5 million per hour. I would love to see your logs that are a clear show of botnet force. Doesn't happen to my company's webservers. (knock on wood) Still a long time until the example password gets cracked. So at the heart of this question- are strong passwords like "Fgpyyih804423" worthless because an old NTLM hash cracker with precalculated tables can hit it in 160 second

Re:

[Lloyd_Bryant]

Why on earth are they mentioning how fast rainbow tables can break an old windows hash? That has nothing to do with most pages running apache on linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP. Get it worth their salt? Lololol. Anyhow why is the windows example being used in this article at all?

You missed the point of using rainbow tables in the first place. It's not about brute force guessing a password - any system that's still vulnerable to that sort of attack should have the admin taken out and shot. It's in the case where an attacker get hold of the file containing *hashed* passwords, and want to work out what passwords correspond to those hashes (which is what happened in this case).

Windows, Linux, whatever - if a file of hashed passwords can be obtained, and those hashes aren't salted, th

Not really

[Sycraft-fu]

The problem is rainbow tables quickly get too large to be of practical use, and take too long to generate. This fast cracking is again people banging on about old LM passwords. The old 3com/MS LanMan OS used a really weak hashing system. Passwords were limited to 14 characters in length, and were case insensitive. Further, they were stored as 2 7 character hashes. Windows versions prior to Vista stored these LM hashes by default unless you changed the security settings or used a password longer than 14 char

Re:

[abolitiontheory]

Why on earth are they mentioning how fast rainbow tables can break an old windows hash? That has nothing to do with most pages running apache on linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP. Get it worth their salt? Lololol. Anyhow why is the windows example being used in this article at all?

Right, but the issue is, they weren't cracking over an IP. They made off with a hash file. This is why system-level security is more important than user-level security. The problem isn't that the users had weak passwords, it's that Gawker's servers were compromised. Now the hackers don't have to worry about IP auth denial.

A hacker making off with a hash file is like a thief making off with your portable safe. Sure, it's fire proof and has a padlock, but he has all the time in the world now, in a safe envir

Re:

[jimicus]

Why on earth are they mentioning how fast rainbow tables can break an old windows hash? That has nothing to do with most pages running apache on linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP.

Any attacker worth their salt won't carry out the attack directly themselves, they'll instruct a botnet of 20,000 PCs to make 3 attempts each and log any that come back as working.

Unrealistic time to crack a password?

[GreatBunzinni]

The coding horrors article claims that that given password was "cracked" in 160 seconds with a cracker kit but it fails to claim that it is a brute force attack where the attacker has physical access to the system (the cracker software is a bootable DVD, for fuck's sake). Meanwhile, in the real world, this sort of attack is practically impossible to pull off from any site which has any semblance of security. I mean, you only need to place a delay of a fraction of a second between login attempts to drive the time needed to "crack" the login/password combo to months, if not years. Adding to that the fact that it has become pretty much standard for sites to simply block any login attempt after N failed attempts then this reference to this so called cracking software goes from irrelevant to pathetic.

Re:

[Xenna]

That was a rainbow table attack. A way of cracking password hashes by having all possible character combinations and their corresponding hashes in a huge precomputed table. You need access to the password hashes for that and the security system needs to be badly designed. Rainbow tables are easily defeated by using large salt values that would require the rainbow tables to be not simply huge but impossibly huge.

http://en.wikipedia.org/wiki/Rainbow_table [wikipedia.org]

Re:

[Spy der Mann]

In addition to salting the password, I design my systems to sleep for one second after each failed password attempt, and for 3 seconds before booting the guy off. That should take care of brute force attacks.

Re:

[anegg]

Hash table-based password attacks depend on having access to the hashed password value; they are not used in a brute-force front-door attack. The article should have been clear about this, as it is essentially pointing out that passwords aren't safe from discovery if the password database itself has been taken, even though the password values are hashed.

From a belt-and-suspenders security viewpoint, it is reasonable to want the database of hashed password values to be secure against "reversing" the hash t

It was also being done against an LM hash

[Sycraft-fu]

Which is extremely weak. Now I'll grant you it could be an issue: If someone gets access to your system and your SAM file and if you are running XP or earlier and if your password is 14 characters or less then there will be an LM hash. Vista or 7? No LM hash by default. Longer password? No LM hash (as LM is limited to 14 characters).

So let's say this password was on 7 instead. Ok so it is 13 characters and uses upper, lower and numeric. Surf over to Ophcrack's site and... no tables that could get it. Their

Re:

[Pollardito]

The recent Gawker hack where the entire username/password table was leaked is exactly the kind of "unrealistic attack" that you're calling "practically impossible to pull off". You don't need physical access to the system with the passwords, you just need a copy of the encypted passwords from the system to be moved onto a system that you have physical access to.

Passwords are stupid

[betterunixthanunix]

Passwords are a very poorly designed security mechanism, yet no matter how many times this is pointed out, people still seem to think that the solution is to educate users about password security. Human brains just do not generate or remember random strings very well, and it is ludicrous to expect users to do so. Of course, passwords will always be around because password based systems are convenient.

Re:

[Chanc_Gorkon]

And cheap.

You're doing it wrong.

[Ihlosi]

Human brains just do not generate or remember random strings very well,

If you keep your password in your brain by remembering a random string, you're either a genius or you're doing it wrong.

The brain is bad a remembering random strings, but it's excellent at remembering sequences of movements, like the one necessary to type those random strings. If you wanted to know one of my passwords, I'd have to ask you for a keyboard first.

Re:

[Vanderhoth]

A sequence of movements is great until you're required to change your password every 30-60 days. At which point by the time I get the sequence down so I don't need to remember the password it's changed and I have to learn a new one.

That method works well with some things, like phone numbers. I can't remember my wife's cell number so I have an excuse not to give it out to people, but I can still dial it when I have to call her.

Re:

[HappyHead]

I use a movement sequence, and change my starting key when I need to change my password on a "schedule". All I need to remember is what key to start on. I have six different movement sequences that I use depending on what account it is, and have never had trouble keeping them separate. Then again, I also remember all phone numbers as movement sequences, and need to look at a keypad to tell people what my own phone number is.

Also, it makes using the ipod screen-keyboard to log into anything really annoyin

Re:

[Anubis IV]

Likewise. Back before I started using a password generation/management tool, I produced and memorized my passwords by trying "1337" variations of misspelled words (ones that wouldn't be in a dictionary) with some special characters mixed in somewhat randomly until I found a sequence that was easy to type and "felt" right as I typed it. I'd then toss in camel-cased capitalization based on when it was natural for my hands to hit the Shift key, rather than picking them arbitrarily. There were a few legitimate

Re:

[at_slashdot]

PIN number for debit cards are only 4 digits and they work pretty well. The problem doesn't seem to be the password but the system that allows too many automatic tries. There's a problem with denial of service, but there are solutions for that....

Re:

[MobyDisk]

Agreed. Passphrases solve these problems, and cost nothing to implement. Yet most systems still insist on passwords 10 characters or some other such nonsense.

Re:

[Haedrian]

A good way of generating a random string...

Is to think of a sentence that has letters and numbers - and then take the first letter of each word and all the numbers.

Ex: My best friend Joseph was born on the 15th of December = MbfJwbot15oD. Mixed letters and numbers of different cases - and its pretty easy to remember.
-
What you could also try I guess is to get some sort of hash+salt - type in your password, and use that hash of the password as your password (which will also get rehashed). Bit hard on computer

Password lock outs

[Rik Sweeney]

the password "Fgpyyih804423" was cracked in 160 seconds by the Ophcrack cracker

I've noticed that some websites will lock you out for 5, 10 or 15 minutes if you get the password wrong too many times in a row. That might slightly deter the hacker.

Although they might simply start hacking other accounts and simply cycle through them...

This is why...

[RivenAleem]

12345 has always worked for me, on every site I've used. Some sites require a 6, and some even 7 and 8. I've never been hacked once!

I'd also like to add that I'm a giant douche and a poopy-head!

Lots of bad password advice out there

[ron_ivi]

This was one of the best password articles I've seen.

I think the worst advice I've seen is when people recommend using some algorithm to make long painful "good" passwords that are variations of each other.

Someone who uses:
      mysecr1tword4gawker.com
for fun and
      mysecr1tword4mybank.com
for their bank isn't that much safer than if they had just used the same password for both.

Much better to use throwaway ones for sites like gawker; and truly random ones for banking.

IMHO OpenID is the best idea. You only need to put your trust in 1 identity provider - where it's worth the effort to set up a good password and 2-factor auth (easy to do for $0 at myopenid.com, and for a few bucks at Verisign's openid provider); rather than needing to trust every site you come across.

Re:

[pnuema]

Why is that algorithm a bad idea? It is certainly safer than using the same password for both. Bonus points if you add other algorithmic goodness (capitalize the 2nd vowel in the site name, replace the third letter with a number, etc...). Look, I need a password to log into my bank. My newspaper. My email. My blog. My kid's school. I actively use dozens of passwords. Algorithms like this are certainly no worse than writing everything down, and are certainly better than using the same password for everythin

It is not true that your passwords are insecure

[junglebeast]

To quote the referenced article,

"Why is Ophcrack so fast? Because it uses Rainbow Tables. ....If you've salted your password hashes, an attacker can't use a rainbow table attack against you-"

In other words, any service with 1/10 of a brain will salt their passwords and be immune. They are also only vulnerable if they let their system get hacked and database stolen.

In other words its the same classic trade off as ever: you have to trust the person who runs the service to know what they are doing with your password. But if they do know what they are doing, then you shouldn't have to worry.

Ophcrack

[Kiaser Zohsay]

If "Fgpyyih804423" had at least one non-alpha-numeric character in it, it would have survived at least the free download ophcrack.

Lastpass

[defaria]

In a word - Lastpass. 'Nuff said.

Re:

[gsmalleus]

Absolutely! A co-worker of mine has been using it and stated that it worked well for him. After these recent break-ins, I decided to sign up for LastPass. I wen through all the websites I use on a regular basis and used LastPass' password generator to generate secure passwords for each. I feel much safer now knowing all my passwords are extremely strong. While the free service should suffice most of your needs, I signed up for the premium service ($12/year) to get the mobile app for my phone.

Re:

[darkmeridian]

I use Keepass to maintain all of my passwords. It's open-source and encrypted using AES 256. I save the password database on Dropbox, which keeps an updated copy available on all of my computers. The only problem is that I cannot login to the websites on public computers, but I think that's an added security bonus. I have my Blackberry with me to check my email, which is what I really need to check on the road.

Re:

[definate]

Best $12 a year service, and now they're doing Xmarks for $8 per year.

Two of my favorite add on's to any browser!

Now I audit my passwords regularly, and maintain passwords WAY stronger than necessary, which are different per login.

Re:

[rsborg]

In a word - Lastpass. 'Nuff said.

Similarly, I use 1password (Win/Mac). Main benefit with 1password over Lastpass that I can see is that my keychain lives locally (but can be shared amongst users/computers uisng dropbox).

A password manager is absolutely essential, IMHO and a graceful happy medium between usability and security.

TFS Fail...

[fuzzyfuzzyfungus]

The summary makes the incredibly naive and misleading mistake of conflating online trial-and-error attacks with offline hash attacks.

Against a system you do not control, the system has total power over how frequently you may try a username/password combination, how informative it is about your success/failure(ie. does it just say "no" does it say "wrong password" does it say "username not recognized"?), as well as being able to, if it wishes, just start ignoring all attempts from your IP/terminal or all attempts against a specific account(subject to the risk of denial of service techniques exploiting this). In this scenario, the difference between a terrible password and an OK password is enormous. The 12345 or 'password' are quite likely to be simple enough to crack by trial and error, even against a remote system. Modestly more complex ones will either be impossible or require days/weeks of low-speed guessing, or careful guessing from multiple hosts.

With an offline hash attack, you have total control over the hashes, and the only limiting factor in how fast you can attack them is your computer(and hash attacks generally parallelize really well). Here, the difference between a terrible password and a merely mediocre one will likely be less than the refresh rate of the attacker's monitor, and the difference between an OK password and a superb one will still be fairly small. Only a password so good that it is basically a nonstandardized type of private key will be of any use. However, offline hash attacks only happen against compromized systems, you can't get the hash table otherwise. They are an excellent argument for not re-using passwords, since systems get cracked all the time; but they are of only limited relevance in discussing the importance of password complexity, or lack thereof, for online attack scenarios...

Having second thoughts about passwords

[DrXym]

After Gawker got hacked I changed my duplicate passwords and made most of them unique or variants on a theme. So all of them stronger and over 10 chars in length. But I got to thinking that probably I should be bothering nearly as much about choosing password variants for throwaways because I'll never remember them all. I think for forums / chat boards it would suffice to just take the domain name (e.g. gawker) and append it to a fairly strong throwaway password shared everywhere. For example say my throwaw

Why only ASCII?

[Plekto]

Having spent a few years working for a company that dealt with files from Asia on a daily basis, it strikes me as odd that more sites don't allow unicode characters. Adding a single Chinese or Arabic character to the password is enough to force most cracking utilities *even when you have the machine in your hands* to have to resort to brute-force measures that can take days. What's awful, though, is how sites restrict you to A-Z and 0-9 98% of the time, which defeats the entire reason for a password. I suspect that they want to be able to maybe crack it themselves in case they feel the need to do so. Because 10 characters max, with a simple 36 character ASCII limit is going to be cracked exactly as it was in the example.

It's the old obscure OS trick. If you are using an operating system that the hackers commands mean nothing to, you are secure. I know of a few people who run email servers(as an example) that use very obscure and old operating systems that no botnet or hacker is designed or has the knowledge any more to deal with. One friend a few years ago was using an old A/UX Macintosh as a router, precisely because the ability to remotely hack the code was essentially zero.(while there were easy ways ten years ago, everyone has forgotten them by now) If you can find a book on how to program some of these obscure OSs, good luck to you. If you want to really go crazy, run OpenVMS on your mail server. And watch anyone who gets into the system have a fit trying to take over. (I suppose there are some people who can, but criminals are lazy and I suspect less than 1% of people here on slashdot even have used OpenVMS in their lifetime)

While that's not usually workable, though, for modern computers, it IS easy to do with Unicode, since the latest version covers 109.000 characters. Figuring out what characters you used would probably take a cracker just to figure out a simple 2 character combination. It's just not something that the botnets are (currently) equipped to deal with.(though I suspect that they do check for simplified Chinese and Japanese and similar characters - the trick would be to pick something obscure like Sandscrit or another ancient language.

Don't use passwords!

[SanityInAnarchy]

This is what public-key cryptography is for. Someone insists on a password?

makepasswd --minchars 8 --maxchars 64

If that doesn't work, replace maxchars with whatever's relevant for the site. That's already fairly secure, but if a site insists you use non-alphanumeric characters,

makepasswd --minchars 8 --maxchars 64 --string 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789!@#$%^&*(){}?+[]/=;,.:'

And that's assuming they don't allow Unicode. Most websites will let my browser save the password, and a few others, I can copy it from a text file. On the very rare occasions a website insists I type the password every time, and I'm too lazy to work around it, I do this:

gpw

Then, just add some numbers that mean something to me, though after a week or so, I'll have memorized them -- so the next time I need one, there'll be other relevant numbers.

At this point, I never sign up for a new service with the same password I use anywhere else. I don't want to make it easy for someone else to crack my Slashdot account, for instance, but that's no reason to trust Slashdot with my PayPal password, or vice versa. TFA is moronic -- it's not about "lousy" passwords, it's about limiting the scope of passwords, and this isn't new. This time, the site in question didn't use salt. What if they'd actually been malicious?

I like trolling my co-workers with passwords

[GrumpySteen]

I have a post-it note labled "passwords" with about a dozen random 12 character strings stuck to my monitor at work. None of them are actual passwords that are used anywhere.

It's surprising how often I find my network login has been locked out.

Re:

[Culture20]

Agree here. Also try using that slider bar thing with a touchscreen. No hidden posts for you.

Re:

[clone52431]

Go to http://slashdot.org/my/comments [slashdot.org], turn off D2, Save, then Restore Defaults, re-customize the options on that page, Save, and then re-enable D2 and Save again. Might help.

Re:

[Tteddo]

Presuming it was working the way you wanted before, log out, delete all your SlashDot cookies, then log back in. I have to do that every couple of months since the CSS makeover. Last time I was horrified to see Facebook "like" icons! *shudder*

Re:

[clone52431]

I’ve adblocked Facebook’s content on non-Facebook sites.

And you might also try what I suggested to metrix007 in my other comment, next time /. breaks, if it’s a recurring problem for you. I had something screwy with my account that your method didn’t fix, and none of the controls in the D2 system would fix (that /my/comments page isn’t accessible from within D2).

Re:

[eleuthero]

speaking of adblock, (and yes, this is somewhat offtopic, and if someone wants to waste mod points on a nested comment so far down, kudos to you), have you noticed that more ads seem to be getting through on Chrome lately? Is this a "feature" of the browser or is this isolated to me (likely user error or some such)?

Re:

[Hatta]

I appear to have broken slashdot.

Slashdot has been broken for a very, very long time.