Why People Are So Bad At Picking Passwords

mrspoonsi writes "Studies suggest red-haired women tend to choose the best passwords and men with bushy beards or unkempt hair, the worst. These studies also reveal that when it comes to passwords, women prefer length and men diversity. On the internet, the most popular colour is blue, at least when it comes to passwords. If you are wondering why, it is largely because so many popular websites and services (Facebook, Twitter and Google to name but three) use the colour in their logo. That has a subtle impact on the choices people make when signing up and picking a word or phrase to form a supposedly super-secret password. The number one conclusion from looking at that data — people are lousy at picking good passwords. 'You have to remember we are all human and we all make mistakes,' says Mr Thorsheim. In this sense, he says, a good password would be a phrase or combination of characters that has little or no connection to the person picking it. All too often, Mr Thorsheim adds, people use words or numbers intimately linked to them. They use birthdays, wedding days, the names of siblings or children or pets. They use their house number, street name or pick on a favourite pop star. This bias is most noticeable when it comes to the numbers people pick when told to choose a four digit pin. Analysis of their choices suggests that people drift towards a small subset of the 10,000 available. In some cases, up to 80% of choices come from just 100 different numbers."

Huh?

[hduff]

These studies also reveal that when it comes to passwords, women prefer length and men diversity.

We are still talking about passwords, right?

Re:Huh?

[Thanshin]

Probably not.

Studies suggest that news about studies are only vaguely related to the studies themselves.

Re:Huh?

[QQBoss]

Is it too obvious to point out that it isn't so much the length of the password that is important, but how you use it? The luckiest, of course, are able to take advantage of both.

Crutch

[AliasMarlowe]

Here's a crutch for those with too few passwords on too many sites. Just paste it to something like safepassword.sh in /usr/local/bin or similar:

#!/bin/bash
# script: safepassword
# this script depends on sha512sum
if [ "$2" = "" ]
then
echo "usage: safepassword constant_key password_purpose"
echo " where constant_key is a string of printable non-whitespace characters,"
echo " and password_purpose is a memorable string related to the purpose of"
echo " the password, e.g. a website address and ye

Re:

[KDN]

That is, ....interesting. Great way to wake everyone up monday morning :-).

Re:Huh?

[Anonymous Coward]

This is why women never use 'penis' as their password since it's never long enough.

Obligatory xkcd

[DexPleiadian]

http://xkcd.com/936/ [xkcd.com]

Re:936-style passwords are kinda easy to crack now

[TheLink]

If they can crack a website's passwords at GPU speeds it means the site is already been compromised.

That's why I don't bother making really strong passwords for most websites. It's a waste of my time - the site is more likely to get hacked then my password bruteforced over network connections. Every few months there's a web service getting pwned.

It's silly to waste time making your password much stronger than a typical website's admin password.

FWIW I've encountered at least one online bank that actually limits passwords to 8 characters for some unknown stupid reason.

Re:936-style passwords are kinda easy to crack now

[jandrese]

That's only true if you never reuse passwords, which means you're pretty much forced to use something like Keypass anyway, and might as well make the password secure since it's just as easy to use a 32 character random string as it is a normal human password. If you don't use a password manager, then it's hard to come up with a memorable password for every goddamn site that needs a login these days. It's so damn annoying to google a problem and find a potential solution, but then click on the link and bet told "you must register a free account before you can view this forum."

Every time someone sets up forum software to require an account to simply read it, they should be kicked in the nuts. Requiring an account to post is totally ok, but requiring an account to read is not.

Re:936-style passwords are kinda easy to crack now

[Entropius]

I don't think you understand the concept that the xkcd advocates.

The ars technica article is pointing out that context can grossly reduce the entropy in any given search space. If you're going to test combinations of words from different languages, for instance, you shouldn't bother with "crotalus fthagn" or "Cthulhu atrox" until you've already tried "crotalux atrox" and "Cthulhu fthagn". The point is that you can't beat the password crackers by picking something from an obscure search space -- in other words, it's a classic point against security by obscurity.

The XKCD is making a different point: that passwords comprised of unrelated words deprive the attacker of such information and are resistant to attack not because of the obscurity of the search space in which they're found, but because of its size. Perhaps 44 bits of entropy isn't enough to defeat extensive computational resources, but the point is that six words chosen out of the dictionary at random, all in lowercase, with spaces between them is a better password than "Cthulhu fthagn" because modern datamining techniques mean that it's likely to appear in someone's dictionary after all.

Re:936-style passwords are kinda easy to crack now

[swillden]

Perhaps everyone quoting that xkcd should be aware that such passwords are no longer safe.

Nonsense. You don't understand the approach XKCD was suggesting; you can't defeat entropy by getting a bigger dictionary. If that were true, then AES-128 would be trivially easy to crack because I can enumerate all of the possible keys. I have a 100% perfect dictionary.

The point that by selecting a set of randomly-chosen words (do not do the selection yourself; use a random number generator) words, you can get a great deal of entropy in a fairly memorable form. It doesn't matter if the attacker knows the exact method you used (as long as it's random), and knows the exact dictionary you selected your words from; he's still going to have to try 2^n possibilities, where n is large enough to make brute force impractical.

Before choosing an important password

[LongearedBat]

So, before choosing an important password make sure you have shaved, had a haircut and dyed your hair red.

(A sex change is asking too much though.)

Re:Before choosing an important password

[emag]

Especially every 90 days...

Horse Battery Staple is common too

[Dave Whiteside]

http://xkcd.com/936/ [xkcd.com]

Re:

[oodaloop]

Correct!

Re:

[Dave Whiteside]

exactly ;-p

Re:

[gmack]

Not all of my passwords can be that long. My bank password (the one I care about the most) has a 5 char limit and and I hate random passwords. I came across a good method a few years ago for generating passwords that need to be short: Take a song and chose a line then take the first character of each word and you have an easy to remember but hard to guess password.

Re:Horse Battery Staple is common too

[BobNET]

Presumably the same one that designed the air shield for planet Druidia.

Re:Horse Battery Staple is common too

[14erCleaner]

What value is there in having a low limit on password lengths?

When they store it in clear text on a laptop, it takes up less disk space.

Re:

[Joce640k]

Serious question: What value is there in having a low limit on password lengths?

It fits in a database field declared as VARCHAR(8)

Re:Horse Battery Staple is common too

[arth1]

My favorite way of achieving easy to remember and hard to guess is to use qwerty encoding. Simply move your hands from the f/j row to the r/u row and then type a memorable word or simple phrase. The password 'password' would become '0qww294e' and yet can be typed just as quickly and remembered just as easily. The only downside is that it's less effective for people who don't touch type.

That's not the only downside. It also makes it very hard to enter passwords from other devices, like cell phones. But most of all, it doesn't add much security - the standard crackers have rules for shifting the letters as they would be shifted on a keyboard. Both John the Ripper and Crack, at least.

Re:

[petermgreen]

Of course now you have posted your scheme on slashdot then you have to assume the password cracker writers will know about it, if indeed they hadn't guessed already.

Re:

[Wootery]

if indeed they hadn't guessed already

Don't worry, they have. [slashdot.org]

(Direct link [grc.com] to relevant resource.)

Re:

[gmack]

If I had to guess, I'd guess that the website uses the password to authenticate to a mainframe somewhere and is just a front end for some EDBIC based protocol so cracking the website wouldn't get access to the actual list.

Not that it excuses the short limit, but then I'm hard pressed to find something better considering our banks all got together and designed a PayPal competitor that
A. Is designed not to compete with their credit card processing system.
B. Is designed around clicking links in emails.

Red haired women

[xednieht]

Also are the most passionate lovers.

Bad news ....

[amalcolm]

... for RMS !

Re:

[Wdi]

His password is open source and everybody is entitled to read it, modify it, or to sell it as text source if he can find a buyer, as long as the copyright notice remains attached!

Pretty much the only good passwords are random

[tlhIngan]

A modern day password cracker (brute force) with a reasonably large dictionary can basically break all human generated paswords these days.

First - besides the dictionary, they also try variations - including l33t 5p34k variations, various capitalizations and putting numbers at the beginning or end of the word.

Second, the old trick of picking a phrase and using it? Also done - the dictionaries often pick phrases out of the Bible and other texts and run with those, too. You'd think this would be difficult, bu

Re:

[east coast]

If a system is making it possible for you to do a brute for attack for "days" then your system is the problem more than your password.

Sorry, but brute force attacks should throw up a red flag in a way that any well designed system can automatically detect it and shut down the user account. Most already do this in more roundabout fashions such as locking the account after a number of invalid tries or by forcing the user to wait between failed attempts or a combination of both.

Re:

[Anonymous Coward]

A brute force attack is typically done on a stolen list of hashed passwords, not on the running system.

Re:

[mlts]

If an attacker were brute-forcing against an account, something like sshguard or a lockout mechanism [1]. However, since hashed password lists like /etc/shadow are the target, once those are snarfed, those can be cracked at the blackhat's leisure. Stuff like bcrypt helps, but there is a balance between having a number of rounds high enough to slow down an attacker, versus it interfering with legitimate uses.

I have a dedicated appliance that is in testing stages which just stores usernames and hashes, and

Re:

[petermgreen]

The problem is many webapps are designed with the password hashes stored in a database that is directly accessible to the webapp. So if there is a security hole in the webapp that allows arbitary database queries then the attacker can simply steal the password database and brute force it at their leisure.

Re:

[xorsyst]

yep [wikipedia.org]

Re:

[silas_moeckel]

WTF brute force still? All password system should enforce at least x failed attempts in y time lockouts if not requiring multiple things (time+seed based passwords are trivial with everybody having a smartphone). If they have the hashes and salts your pretty much damned anyways.

Re:

[melikamp]

This. But the problem, as I see it, is not with people designing poor passwords. The password authentication itself is the problem. One basic issue is that passwords, ostensibly, authenticate a person, but in practice they do not. It is the computer that gets the direct access, not a person, so we could as well be consistent and have a procedure designed to authenticate a person+computer pair. And that leads us to a much more secure way to authenticate: using the strong encryption, either symmetric or asymm

What about red headed women with beards?

[toonces33]

What is the quality of the password then?

Re:

[tool462]

Their password is usually just 'friend' in elvish...

Fixation on pass'words'.

[Junta]

As a very well known xkcd points out, a great deal of the problem could be averted if people weer encouraged to use long passphrases with spaces and everything rather than a pass'word'. password as a concept was good enough for the time of it's popularity, to defend against people typing their way into someone else's account. When the model fell apart in a world with much more automation and network connectivity, the 'fix' was 'keep length about the same, but toss some numbers and maybe some punctuation in there'.

The madness comes in when a great deal of the sites I visit put a 12 character *maximum* on a password for their site.

My personal strategy: base64.b64encode(os.urandom(12)) for every site and store the values on a couple of my devices with a phrase that is about 32 characters long (but easy for me to remember and easy to type). hashing a master key with the domain to generate passwords like some chrome and firefox plugins (password hasher) can do is similarly nice without having to worry that you won't have access to the copy of the database.. Of course, the annoying thing is my 16 random numbers and letters frequently fail the 'complexity' check and I have to add some punctuation character to it.

Re:

[sjwt]

I was somewhere the other day that needed at lest one Upper Case, one Lowecase, one Number and a symbol. Not too bad, except they also limited you to 6 chr only.

Re:

[bill_mcgonigle]

Not too bad, except they also limited you to 6 chr only.

How nice of them to completely reduce the complexity space of the 6-character search!

We needed a study for this?!?

[tiberus]

Please tell me no one is surprised by the general conclusion (haven't we been here a time or ten before?) of these studies. Add to this the corporate or government attitude demonstrated so equivalently here [xkcd.com], the lack of effective computer security training, including a complete failing of organizations to have or heaven forbid enforce policies about password practices and you've got a pretty pickle.

Sadly, it took the recent Adobe compromise, to get me to finally start using a password wallet and use different passwords for each Internet service I use. Have to admit I was stunned, by the number of accounts I had when I got through most of the sites I access.

After hearing a few disturbing stories from my wife, about how computer security and passwords are treated at her place of work, I stepped up my training for her and her co-workers that will listen. Based on what I've heard from her the choice of poor passwords is the least of our troubles.

• Passwords on sticky notes on monitors.
• Passwords shared with co-workers, that have not been granted access.
• System does not require default password to be changed.
• Default password is a known pattern.
• Techs routinely ask users for passwords
• Co-workers say, "Just give them your password".
• And so on . . .

Unless the underlying problem of poor culture surrounding computer security is changed and an understanding of the associated risks is cultivated, it won't matter one whip whether users can choose "Good Passwords TM".

Re:We needed a study for this?!?

[ccguy]

complete failing of organizations to have or heaven forbid enforce policies about password practices

Most of the time the problem is the opposite. Absurd policies and a delusion of the password being important to the user. And lately, the retarded concept of the security questions that the user cannot choose (or can choose from a set or around the same 10 in every site).

For like 95% of the sites I don't give a shit if my account if hacked. I use the same password for most of those sites (if they are too retarded with requirements I might add a few 0s or #s at the end). If you make me change the password even if once a year then I'm not going back to your site because I don't care much about it in the first place. So I'll forget the new password.

-Passwords on sticky notes on monitors.
-Passwords shared with co-workers, that have not been granted access.
System does not require default password to be changed.

None of these are user problems. They are system design problems which I can translate to this:

- They make me change the password every 90 days, so I have to write it down.
- Danny needs to access credit card information because it's part of his job to do refunds but they won't give him access because for some reason that also means they have to give him access to XXX (they have one permission for two things) so I have to type my password at his terminal 10 a day. I cannot be interrupted that much, or I might not be around, etc, so I just let him use my password.
- My sysadmin uses the same default password for everyone.

Re:

[pla]

And lately, the retarded concept of the security questions that the user cannot choose (or can choose from a set or around the same 10 in every site).

You realize you don't need to answer those accurately?

I treat security questions as the emergency sticky-note under my desk, in that I will answer them however the hell I want, then just make a note (not sticky, but yes, an actual physical offline note) as a clue to what I picked.

I figure if someone wants to impersonate me, they already know my mother's

Meaning

[gmuslera]

If we start with the asumption that that passwords must be memorized somewhat, we are better remembering things with an attached meaning than something random, and those meanings make usually bad passwords. But, we don't need to remember all passwords, there are password managers for making and storing a bunch of meaningless, secure passwords, and for the keys you must remember (the password manager one at the very least) there are some mnemonic tricks [xkcd.com] that can help to have safe enough passwords.

...really?

[Seta]

Must be an idle day at the BBC. A couple paragraphs of statistical wank about physical attributes seeming to correlate with password quality. Then a rehash of old news about bad passwords being easy to crack. My hair is unkempt and I have a 62 character password encompassing a good chunk of ASCII printable characters. Bring on the "compensating for something" jokes. ;)

Re:

[camperdave]

My hair is unkempt and I have a 62 character password encompassing a good chunk of ASCII printable characters. Bring on the "compensating for something" jokes. ;)

Okay... 62 character password? Are you compensating for not being ginger [youtube.com]?

People are taught wrong

[Archangel Michael]

On passwords, what was once thought to be good password security is no longer true. The length of a password matters more than diversity and given the right instructions, can be much easier to remember than complex passwords.

My current suggestion for passwords is this: Pick three (or more) random words. mongoose, screwdriver, automobile. Now you have a password you can remember, but is very hard for a computer to "crack" and you only have to remember three things, as opposed to memorizing eight (or more) things that don't make any sense.

And, to make it unique for each System you log in to, add in the name: Amazon Mongoose Screwdriver Automobile, or Ebay or whatever.

Complexity != Security

[CaptainNerdCave]

I've been saying it for years: length! Thisshittasteslikechicken! Will take many, many years for any algorithm to crack. http://www.securityadminisanidiot.com/ [securityad...nidiot.com] will also assure security. Why don't management and administrators understand this?

Re:

[Archangel Michael]

I used to do this, until I couldn't remember if that was a 1 or l or L, or @ or A or a or 4. Or was that $, S or s .... And it is really hard to tell if that was a 0 or O or o.

But I never forgot the three words I used. I have a mental picture of a Mongoose fixing a car with a screwdriver (not my real password)

What I do

[JustOK]

I devised my best password for my luggage. I'm too tired after doing that to worry about online passwords

Re:

[bobbied]

One... Two... Three...

"I need to change my luggage combination..."

Posted passwrod lists..

[sjwt]

I love them.. I trawl through them laughing at the passwords on them, at least so far as mine have never shown or close variants of them.

weak, because they don't care

[jessepdx]

there are a lot of sites, that require setting up and account, i could care less about. i use a junk email account and a simple junk password. those accounts, if they are hacked, won't give you any useful information to get into another site's account that i do care about. i think many people do the same. those junk sites also get hacked and the stolen lists get published. then the appalling headlines stating "OMG these passwords are so easy!!!" get published... so what...

Who works for whom?

[mcmonkey]

"people are lousy at picking good passwords"

This begs the question. There is some reasonable expectation that people should learn to properly use the tools of modern society, but in the end, the tools should serve the people, not the other way around. If your car pulled to the left, would you say you were lousy at driving in a straight line? No, you'd say your car was out of alignment and get it fixed.

A password is something we're expected to remember, but we're wrong to pick words or numbers that might be easy to remember, such as familiar names or dates. Even if you say pick a system of choosing passwords to remember rather than an individual password, that's impossible. Every different system and site has different password requirements, so no single easy to remember system will work for all of them.

"You have to remember we are all human and we all make mistakes"

Yes, and Mr Thorsheim's mistake is assuming the issue is with the people who are using the system and not the people designing the system. The truth is,

"password systems are lousy at serving people."

(as an aside, WTF is up with systems that do not allow special characters in passwords? Are they worried about SQL injection? If that's possible from a password field, the system is FUBAR.)

10,000 pins?

[damn_registrars]

I would hope the list of allowable PINs is shorter than that. The 10 possibilities with the same number repeated all the way through should be disallowed (and usually are), as well as 1234, 4321, and anything else with four consecutive digits. While taking those 24 possibilities out doesn't dramatically reduce the number of possible PINs (only 2.4% reduction) it is still a list of less than 10,000.

Re:

[Qzukk]

The 10 possibilities with the same number repeated all the way through should be disallowed

If it's good enough for nuclear launch code, it's good enough for my bank card!

Say what?

[BringsApples]

I have a really really good password that I use to get into my server at home. All other passwords are for random sites (like slashdot) and I use a very simple password for them. Does this make me 'bad at picking passwords', or do I simply not care if someone hijacks my slashdot account, ruining my excellent karma?

A good password is one that you don't mentally consider a word or string of words, as much as it is a dance that you do with your hands and fingers, really really fast.

Re:

[mcmonkey]

A good password is one that you don't mentally consider a word or string of words, as much as it is a dance that you do with your hands and fingers, really really fast.

On that note, non-printing characters should be allowed as part of a password. E.g. "12345" is a bad password. But why shouldn't we be able to use "12356[backspace][backspace]45"?

My Password solution

[OzPeter]

I use regexes related to the site name/function. (*)

Now the hackers have 2 two problems when they want to break into my account!

* I actually I do incorporate regex like strings.

Why do I need to remember passwords?

[ISoldat53]

Why can't my home computer manage passwords. Seems like it's smart enough to generate a password, pass it to the secure site, then at log off generate another password pass it to the site and then log off. Let the computers handle the task. Then have one master password or some other technique to log onto the computer that can only be used from the keyboard.

1Password

[ilsaloving]

Every time I see articles like this, I feel compelled to bring up the solution I'm using, which is (so far) the single best solution I have been able to find.

It's called 1Password. Runs on Mac, Windows, Linux (read only I think), iOS, Android, and has plugins for all major browsers.

It records your login details for you, has a password generator that you can customize in various ways, and stores an AES encrypted archive on dropbox so that all your devices can sync together.

Now I can safely create new logins everywhere with abandon, because I'm not afraid that if one service is compromised (*cough*Adobe*cough*) I'm not afraid something else is at risk.
It can generate passwords up to 50 characters in length with your choice of number of digits and symbols. It can even make easily pronounceable passwords if you need, and avoid ambiguous characters (eg O (oh) and 0 (zero) ).

It's a little pricey, but IMO it's worth every penny because there is no other product out there that is this easy to use, AND supports so many platforms all at once.

Re:

[Jason Levine]

I use a similar product called Password Safe. http://passwordsafe.sourceforge.net/ It lets you store your passwords in an encrypted file with a master password. It can also generate passwords for you (in a configurable manner so you can go from "p%qLr%&Vb9" to "+R0WeeDUck" to "PiGhtEdraN" and anywhere in between - and yes, those were Password Safe generated). There are also ports for Android, iOS, Mac, Windows, Linux, etc: http://passwordsafe.sourceforge.net/relatedprojects.shtml All free and open

hmm

[nomadic]

I also blame sysadmins who frequently don't understand that security is contextual; you do not need the same level of password complexity for a gardening forum or slashdot that you need for your bank account. But you still see ridiculous requirements for low-security sites.

Use a good password manager

[Nimey]

The proper way is to use a good password manager with the following features:
1) cloud-based sync, so you can access it from any computer or mobile device
2) multifactor authentication, such as a USB stick or a grid or biometrics
3) a configurable password generator (i.e. you can choose length, complexity, etc.)

I use LastPass and like it enough to have bought a year's subscription for $12, but there are other good choices out there like 1Password, or you could homebrew up something with e.g. DropBox + KeePass or Google Drive + TrueCrypt + something that can read TC volumes on iOS/Android.

Generate a different random password for each site needing an account, as complex and as long as the site will allow for, and with LastPass at least you can attach a note to each site's entry so you could enter random line-noise answers for security questions like "What is your mother's maiden name?", thus making crackers work much harder. I've also got LP set up for multifactor authentication and with a strong master password.

Special Characters

[wideBlueSkies]

Oh yeah.... I really love it when I go to a site and try to create a password with punctuation, and it gets kicked because the site doesn't support it.

Really????

I'm talking about some major sites... financial institutions too. Scary and unacceptable.

Re:

[Cro Magnon]

Agreed! One of my credit card sites used to allow only alphanumerics, so my "standard" pw wasn't allowed because of special characters. They've fixed that problem, but I'm sure there's still plenty that still do that.

Rule 34?

[PPH]

red-haired women tend to choose the best ...... and men with bushy beards or unkempt hair, the worst. .....women prefer length and men diversity.

I was beginning to wonder where this summary was going after the first few sentences.

Amazing!

[dskoll]

I used to have a beard and bushy hair and my password was "test123". After I neatened my hair and shaved, I had this overwhelming compulsion to change my password, and now it's UjuW8LxttbsWKqMbDaA4SqSJVST783ty

Passwords short and long

[spaceyhackerlady]

My bank card PIN is four digits. It's not the year I was born, nor is it any other year (or other four-digit number, for that matter) that you will find in my personal information.

For computer passwords I like the "first letter of a phrase" algorithm, producing passwords like TbontbTitQ and MRwiTDtESSahtuwws. Or pick a phrase, l33t it up a bit, and come up with something like W1nd0ze1sTehSux0r3. Long passwords are good.

The worst public web site I've encountered for silly password requirements is U.S. Cu

Re:

[mlts]

These days, I just use a decent password manager (KeePass or Password Safe.) Of course, that comes with its own risks, but with so many passwords one uses, all should be unique [1], might as well have a system that uses a known good cryptographically secure RNG and a decent password length [2] does the trick.

[1]: That way, a cracked password from site "A" won't be able to get access to site "B".

[2]: Even now, some sites will choke at a password length greater than 8-10 characters.

Re:

[jonbryce]

A lot of these studies come from accounts where people do not care if someone else knows the password, because the password doesn't protect anything of use to the subscriber. For accounts like that, my password is the same as my username, and it is linked to a spamtrap email account that doesn't get used for anything else. I know it is insecure, but I don't care.

Re:because

[master_kaos]

Here is the problem: You constantly hear about don't use the same password on every site. Ok, makes sense, except that a lot of people have login information to 100+ websites. Sure that are tools like keepass or lastpass or whatever, but then you just need to break 1 password to have access to them all
Then you get redicoulous requirements on some websites, like can't use special characters, can't be longer than 10 chars. Why? You should be using a hashing algo which means special characters or max length shouldn't matter (within reason)

I have about 4 passwords
My low security one where I do not give a shit if people hack my account eg slashdot/most forums
Medium security - Password for sites I care a little about and that contain some personal information eg, some forums, some online shopping sites that don't store cc info, etc
High security - Mostly used for sites that are used for purchasing things and that have linked CC info to it
Very High security - Used for financial institutions

This way I always know when I go to a site which password it uses.

However, I have been thinking about changing slightly how I do my passwords... the base password will always stay the same, but I may prepend or append the the first 3 characters of the sites name or something (maybe not quite this obvious). This may increase security of password a little, as well as benefit of most passwords being unique.. but not sure how much it increases the security by

Re:

[master_kaos]

and yes I butchered the spelling of ridiculous

Re:

[SuperCharlie]

Ive been doing the 4 tiered password thing for over 10 years now. There is NOTHING like hitting an old website you havent been to in years and logging in first try.

Re:

[AK Marc]

That's the good thing about tiers. If someone gets into my Slashdot account, I've lost nothing. If someone gets into my bank account, there's no reason to keep my second bank account separate, they've already compromised me financially, so I can use the same (weak) password on my forum accounts. There's nothing in them worth protecting. The only possible thing of note is that they'd get my email address, and possibly some home address (usually of somewhere I haven't lived in years).

Re:

[js3]

I ended up using something similar. I just have a bunch of memorized passwords using a very simple 3 keyed format

like "AB#" "EF#" "I#K"

This way whenever I need a new password to add to my list I write anything that pops into my head on a note. for example..

J92bd3Yp4. "J92" "bd3" "Yp4". write it down, use it for a week until it's memorized and it's done. I have about 6 passwords in this format completely memorized and cycle them everywhere.

Re:

[femtobyte]

Re-using the same "high security" or "very high security" password across financial institutions, etc., is a recipe for disaster. You may have very high security standards... but it turns out sometimes those tasked with taking care of the peons' data don't (and fail on simple precautions like salted hash password storage). Whichever institution has the crappiest security gets hacked (maybe even that old bank you moved your money out of years ago), and suddenly all your accounts are vulnerable.

The proper and

Re:

[Wycliffe]

The only realistic way to fullfill all these requirements:
1) 100+ passwords
2) every password unique
3) every password good
4) no password stored or written down.
is to create an algorithm that only you know. For instance, the 3rd letter of the url + a pin + the inverse color of the company logo, etc...
That's simple enough but my problem is that as soon as I create one every 3rd website has some stupid password requirement that
won't allow it so I'm back to writing down all the exceptions.

Re:

[Culture20]

Then has it with a salt and use the hash as your password. Unfortunately password character limits always rear their ugly heads.

Re:because

[ottothecow]

Exactly. The problem with the algorithm method is that there is no end to the stupidity that is present in password requirements.

• Site A requires a symbol, but only accepts !?#$%.
• Site B requires a number, but god-forbid that number is at the beginning or end of your password.
• Site C won't accept any symbols, but needs upper/lower/number
• Site D has reasonable complexity requirements, but requires you to change the password every 30 days, despite being a service that you only access if something is wrong, and even then, never more than once a month (one of my student loan providers used to do this. I think I complained enough that they realized that password change requirements were stupid...especially on a website where the worst thing you could do would be pay my bill for me).

I like the algorithm method (and even if the algorithm would be obvious to a human with access to 3-4 passwords, it would save you from some bot getting one password and simply trying the same pair at every major service), but when you have sets of requirements like this, it is impossible to implement. A and C are mutually exclusive, B is annoying (and actually reduces brute force complexity) but avoidable, and D will break your whole algorithm the first time it changes (unless you add a counter, but then you have to remember what iteration you are on).

I keep a little list in a google doc of the rarely accessed but important sites that have weird password requirements (since it is rare they tell you the requirements on the login page)...then at least I know that I may have had to modify my algorithm because '^*()' aren't valid characters, or that the requirements were dumb enough that I just said "screw it" and used some old insecure password that has probably been unknowingly leaked 15 times while hoping for the best.

Re:because

[Nemyst]

I use LastPass and the two-factor authentication adds a lot to the security. If someone can guess my password and obtain my two factor secret, I'm probably screwed regardless of what I did. I also enable two-factor on as many sites as I can (stupidly most banks don't have that).

Re:

[RivenAleem]

However, I have been thinking about changing slightly how I do my passwords... the base password will always stay the same, but I may prepend or append the the first 3 characters of the sites name or something (maybe not quite this obvious).

Yeah, but almost every site begins with "www" so you are still stuck with a single password everywhere

Re:

[MobyDisk]

Just add the site name to the password:

Main password: stinkybutt
Home password: stinkybuttHome
Work password: stinkybuttWork
Slashdot password: stinkybuttSlashdot

If you want to get more secure, add something like the number of vowels in the word "Home" or the ASCII value of the 3rd consonant, or something like that.

Re:

[lhunath]

It is my opinion that you cannot trust a human to make a good password.

You also cannot trust anything, a hard-disk, a notebook, a company(!) to store your passwords.

Which is why I use http://masterpasswordapp.com/ [masterpasswordapp.com] and I unlock it with a passphrase. The key elements here being: stateless, no storage, strong passwords.

Re:

[dargaud]

I have a different scheme: first one email per site, simply website@mydns.com, so that I know who the fuckers are that sell my email to spammers. Then a standard hard password, appended with the site's name, appended with some scheme (like the number of letters in the site's name, or the last and 1st letter, whatever). This way every site has different login info and it's very easy to remember.

Re:

[master_kaos]

True, but I guess my issue is that I log into websites from home, work, multiple mobile devices, friends house.
Now I haven't done very much (well any) research into these applications, but I would need something that is compatible with all of those device, and preferably one that I don't need to lug around on a usb key (which can be lost/stolen)
I may decide to look into it, because I can't be the only one with these requirements, so I assume solutions exist

Re:because

[xelah]

Given that it's widespread across huge numbers of people, presumably of all kinds and intelligence levels, I think that dismissing the problem as being because people are too lazy/stupid is...well....lazy and stupid.

Remember that people treat their computers like a social being - and a subordinate one at that. Every morning, someone will go and sit down at their office computer and find it's forgotten who he is, even though it sees him every day. He can walk away for an hour and it'll forget again. It'll fail to understand that he's him over and over again as he uses websites, servers, etc, stopping each time to refuse his instructions and demand that he perform some silly little task purely to help the computer out in functioning correctly: remember an irrelevant string of nonsense. And, very occasionally, the computer will fail and do something like send banking details to someone in Russia, or show his ex-wife his e-mails to his lawyer.....even though it's blatantly obvious to even an imbecile that these are the wrong things to do.

We all know that computers are unintelligent tools that are not capable of doing better than this - on slashdot, at least. But it still feels like talking to a forgetful, obstructive, naive, reckless, stupid and insubordinate little shit. Even the most stupid of assistants should be expected to do better most of the time.

People can certainly do better, but we have to accept that humans behave like humans and recognize that we're going to need to improve the technology as well as people's habits. In the short term that could mean things like providing ways to generate secure passphrases and asking them to write them down, using authentication devices and using UIs to promote better practices....and we need security researchers who stop looking a memory dumps for a while and look for more secure ways to interact with users.

Re:

[ewibble]

I agree, we all know people choose bad passwords, we have to design systems that take that into consideration. This is my current thinking:

A smart key that plugs into a usb slot that will provide a (you may have multiple) public key to a web site.
When you log on to a website you press a button on the "smart key" it will respond to exactly 1 challenge response.

You could password protect the smart key if you wished, but this is not the primary protection mechanism, that is possession of the key.

You could als

Re:PI-N?

[gazbo]

All of us. We just choose a different place to start.

Re:

[camperdave]

I don't. Pi is wrong [youtube.com]. Tau is the proper circle constant. I pick my pins from there.

Re:

[arth1]

Actually it's not a good password if you can't remember it.

From my experience as a sysadmin for a generation is that women do forget their passwords more often. I'm sure that men are to blame...

A few users even use password reset tools every time they access services without even trying a password first.

Re:

[Cryacin]

A few users even use password reset tools every time they access services without even trying a password first.

Why blame someone who doesn't get their ambitions and capabilities mixed up?

Re:Except

[bobbied]

your favorite color".

Blue... No, RED!

Cart meet horse

[Joce640k]

I think the website's logos are blue because the marketing department saw that everybody was choosing "blue" for their password...

No, RED! Aaaaaaaaargh!

Re:

[Chrisq]

... and your favorite color".

green ... no blue [youtube.com].

Re:

[Joce640k]

Epic fail! Not the correct colors even with a video link...

Re:

[bobbied]

Well, nobody broke into HER accounts....

Re:

[aaarrrgggh]

It will always be easier for a computer to evaluate likely passwords that a human would create than for the human to come up with an algorithm that the computer would not anticipate. Password generators eliminate this break point, but create a new weak point in that the password must be stored somewhere other than memory.

My wife might do a great job of creating passwords, but if they are stored in an unencrypted and unobscured place then they aren't necessarily more secure.

Re:

[serviscope_minor]

Hire Allyson Hannigan to choose your passwords. PROBLEM SOLVED in sexiest way possible.

The problem with "restraining order" is that it's too short to be a useful passphrase.

Re:

[arth1]

Why are we still using passwords?

Time to deploy client certificates. That can be done pseudonymously. And with Tor even anonymously.

Because a certificate isn't something you can carry in your brain.

A certificate can also get lost, while a password can at most be forgotten. That matters, because you have to keep the certificate in a storage. When that becomes unavailable, and you then lose all your certificates, instead of just forgetting a password.