
Passwords: Before I write my article about this, can someone explain its "logic"?

Funny thing, I was trying to research more on William Burr (the guy who created the whole password restriction thing, and recently admitted that he regrets it), and I found his actual e-mail address. So I sent him an e-mail asking him if I could ask him a couple of questions for an article I'm writing on the subject, but the e-mail bounced back with a message saying the e-mail was not a valid address. So either the e-mail is incorrect, or there's also a secret password to contact the guy who invented password restrictions!
 
Definitely, the longer the password is, the better. I've heard this from a couple of security experts. I try to have at least fifteen characters in mine these days.
 
You can use the local sport team and insert numbers between the letters. Basically you're combining the local sports team with 1,2,3, that'll learn'em.*


*For even more security you can use the shift key for some of the numbers. And apply that same pattern to all of your passwords.
 
Aren't password crackers aware of that by now? I wouldn't use common sayings, movie quotes, literary quotes, song lyrics, etc., but something more personal.

True, I was just using a common one as an example. You should definitely choose something more specific to you.

The point of having upper and lower case, numbers and symbols is that the pool of possibilities for each character is enlarged massively. Instead of 26 letters, you have 52, plus 0-9, and whatever symbols are allowed. It makes a dictionary attack useless, and a brute force attack much more difficult.

So even if you license plate it, l33t it or just turn it to txtspk, unless it's the current hot catchphrase or song title, it's unlikely to be broken, and yet is easy to remember.

A couple points. One, just making those characters available expands the character space; requiring them for everyone doesn't add anything to that. In fact, if I know passwords require special characters and numbers, I can immediately throw out a standard dictionary attack, because I know your password can't be a dictionary word.

In addition, most dictionary attacks these days include common substitutions, like 3 for E and @ for a and so forth. Relying on "license plating" or txtspk is not safe.

Also, can't recall who mentioned the hashed passwords as being a server problem, not necessarily. Hashed passwords are also what gets sent across a network. Now hopefully, the connection itself is encrypted, but not always. Not to mention passwords (well, hashed versions anyway) are often cached locally on user machines, at least for some small number of users (often the last user, sometimes the last three). To add to that, if I can compromise a single user's system (say, your sales guy with that laptop he connects to public networks while he's travelling), then I can put software in it that will sniff out hashed passwords on the wire when he gets back to the office network.

Just FYI, this particular type of crack (attacking a list of hashed passwords by trying to match hashes) is called a Rainbow attack, IIRC. And it's not just brute-force, often they'll use a dictionary, along with l33t speak and text speak substitutions, as well as lists of common passwords. And it's MUCH faster because everything is local.

But generally, there does have to be a security failure somewhere for an attacker to gain access to hashed passwords; it just doesn't have to be the server.
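To put numbers on the two points made above (allowing extra character classes enlarges the pool, while requiring them for everyone shrinks the set an attacker has to search, and substitution-aware wordlists see straight through "license plating"), here is an added Python example. It is not code from anyone in this thread; the symbol set, the mini-dictionary and the leet mapping are constructed for the demonstration.

```python
import math
import string
from itertools import combinations

# Character classes a typical complexity policy draws on: 26 lower, 26 upper,
# 10 digits plus the permitted symbols. The symbol set is a constructed
# assumption; real policies differ.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?/",
}


def pool_size(classes=CLASSES) -> int:
    return sum(len(chars) for chars in classes.values())


def search_space_bits(length: int, classes=CLASSES) -> float:
    """log2 of all strings of this length over the full pool: the brute-force
    ceiling when every class is merely *allowed*."""
    return length * math.log2(pool_size(classes))


def count_meeting_requirements(length: int, required, classes=CLASSES) -> int:
    """How many of those strings contain at least one character from every class
    in `required`. Inclusion-exclusion: subtract the strings missing one required
    class, add back those missing two, and so on."""
    pool = pool_size(classes)
    total = 0
    for k in range(len(required) + 1):
        for omitted in combinations(required, k):
            remaining = pool - sum(len(classes[name]) for name in omitted)
            total += (-1) ** k * remaining ** length
    return total


def bits_lost_to_requirements(length: int, required, classes=CLASSES) -> float:
    """Entropy the attacker no longer has to search once the classes are mandatory."""
    return search_space_bits(length, classes) - math.log2(
        count_meeting_requirements(length, required, classes)
    )


# Substitutions that cracking wordlists already apply (3 for E, @ for a, ...).
# Mapping each one back to a single letter is enough to spot the usual
# "license plate" spellings; 1 could also stand for i, so a real checker
# would try both readings.
LEET_TO_LETTER = str.maketrans(
    {"@": "a", "4": "a", "3": "e", "1": "l", "!": "i", "0": "o", "5": "s", "$": "s", "7": "t"}
)


def unleet(password: str) -> str:
    return password.lower().translate(LEET_TO_LETTER)


def is_disguised_dictionary_word(password: str, dictionary) -> bool:
    """True when the password is a dictionary word with substitutions applied,
    optionally padded with trailing digits or punctuation (e.g. "P@ssw0rd1!")."""
    core = password.rstrip(string.digits + string.punctuation)
    return unleet(core) in dictionary


# Constructed mini-dictionary for the demonstration.
SAMPLE_DICTIONARY = frozenset({"password", "dragon", "flash", "yankees"})

if __name__ == "__main__":
    print(f"8 chars, all classes allowed  : {search_space_bits(8):.1f} bits")
    print(f"8 chars, all classes required : "
          f"{bits_lost_to_requirements(8, list(CLASSES)):.2f} bits fewer to search")
    for pw in ("Passw0rd", "P@ssw0rd1!", "Ihnyb2f!"):
        print(pw, "-> disguised dictionary word:",
              is_disguised_dictionary_word(pw, SAMPLE_DICTIONARY))
```

The loss from mandatory classes is about a bit for an 8-character password over this pool, which is small; the bigger effect, as the post says, is that the checker's own rules tell the attacker which candidates to skip. The substitution check is the same normalisation a cracking wordlist performs, so anything it flags is effectively a dictionary word.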
 
Aren't password crackers aware of that by now? I wouldn't use common sayings, movie quotes, literary quotes, song lyrics, etc., but something more personal.

You wouldn't but tragically too many others still would. My 80 year old parents use one password for everything whenever possible, and all their passwords are written down on a piece of paper taped to their 2nd monitor (which they have not been able to figure out how to use, so it's a $500 cork board).

I'm not doing much UX these days, but I still try to keep up with the literature. Recently, we had to absorb the results from an OECD Skills Research paper [Skills for a Digital World]. 40% of the participants surveyed could not perform the following task: "Delete email message."

They are also not going to be able to break the bad habit of reusing easy passwords. I think the number one password across the Internet is still "password," with the 2nd runner up being "Passw0rd".
 
I go for the simple

I have a password which is basic and just has a slight variant depending on the app (that have no access to anything sensitive), for most things, as I don't keep anything worth knowing on most things.

And just save the trendy complicated ones for stuff I actually care about.

It is amazing how few you really need

I do the same with emails

One important one I only use for important things and then dummy ones, that I don't mind being filled with crap and can just ditch if it gets annoying
 
The ones I used to tell my students to use were things like taking the 2nd line of the first verse of your favourite song and using the first two letters of each word, or making a sentence up, and then doing substitutions. So things like...

Using Flash Gordon Theme by Queen...

"Flash, a-ah, he'll save everyone of us"

Becomes.... Flaahesaevofus
Which becomes... Fla@hesaev0fu5

Or you could have something like..

"The brown dog barked"

which would become.... Th3browndogb@rk3d

Both systems create hard-to-crack, easy-to-remember passwords.
 
You'll be happy to see this, then:
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

:D

ETA: NIST's new password recommendations say get rid of all that crazy stuff that makes users either use the same password everywhere or forget them all the time. You don't need artificial complexity to generate a strong password.

ETA2: Try converting a phrase or sentence, with punctuation and case, substituting 2 for to/two/too and 4 for "for". For example, take "I have not yet begun to fight!" and convert it to Ihnyb2f!.
 
One of mine (at least) does exactly that. Use words (etc.) that are familiar to you but adapted to not be obvious to outsiders.

For example, 8 lends itself to a number of words: lamin8, frustr8, abomin8, intest8, coron8, toler8. And adding s gives you 12, adding ing gives you 18, adding ed takes you to 24. Easy-peasy!!!!!
 
Well, update: I contacted someone from the NIST staff and asked them if I could have Mr. Burr's e-mail address to ask him something, and they gave it to me.

I just e-mailed him a couple brief questions to add to my article. What started as a casual rant that was gonna be posted in a free blog is going to turn into an actual serious article with an interview with the man himself, which I'm gonna try to get into this online magazine where I once contributed before.

So, something good came out of the bad.
 
I logged into this topic to post the Gizmodo article about Bill Burr, so I'm glad that you saw that.

Personally, I use LastPass, and I'm slowly saying "yes" to the Safari browser prompts to "remember" my password. I don't know any of my own passwords; they are auto-generated and remembered only by my devices. If someone has my thumbprint or my master password, and the authentication questions, they will get all of my passwords.

Writing them in a notebook seems super-sensible. Old-school solution to modern-day problem.
 
Some of these are plain laughable and feel like the site creator is literally mocking us: "A password must not include any regional sports teams or players" Could this be more random? First of all, why sports teams/players? Why are those a no-no, but not Martial Arts fighters or movie directors? Is the person who created the site someone who hates sports? Or is there an actual logic behind this stupid requirement?
My anecdotal evidence tells me that sports players and teams are going to be waaaaaaaaay more common than the other subjects that you mentioned. People strongly self-identify with sports teams, and in most places / socio-economic groups, sports are huge and players are the biggest celebrities around. It's probably purely a numbers exercise to keep the "most common" words and names out of the passwords.
 
The best password to use is "incorrect".

Because if you forget it and enter something wrong it will tell you, "The password is incorrect."
 
The best password to use is "incorrect".

Because if you forget it and enter something wrong it will tell you, "The password is incorrect."

I always forget what the Elvish word for friend is.
 
Minimum password length must be 8 characters and consist of at least 2 alpha characters, 1 number and 1 special character.
A password must have no consecutive repeated characters.
A password must not include your user name or any part thereof.
A password must not include the names of a spouse, children, pets or one's own name.
A password must not include any regional sports teams or players.
A password must not include any office symbols.
A password must not include your social security number or any subset of your social security number that is more than a single number.
A password must not include words that can be found in any dictionary, whether English or any language.
A password must not be any of the 11 most recently used passwords for the account.

Some of these are plain laughable and feel like the site creator is literally mocking us: "A password must not include any regional sports teams or players" Could this be more random? First of all, why sports teams/players? Why are those a no-no, but not Martial Arts fighters or movie directors? Is the person who created the site someone who hates sports? Or is there an actual logic behind this stupid requirement?
As someone pointed out... many people identify themselves with sports teams. I suspect it's probably more common with sports teams than (for example) movie directors. So having a password like 'YankeesFan' might be easy for a cracker to guess.

Some are, simply absurd: "A password must not include your social security number or any subset of your social security number that is more than a single number." First of all: If I'm a completely new user who's opening their account for the first time, then that means I haven't even entered such information as my Social Security Number. How in the Blue Hell then do you even know if any of the numbers I'm entering in my new password are found in my Social Security Number??

In that case, I think the problem might be: If your password includes your social security number and someone gets it (maybe you have it written down somewhere...) they now have some identifying information on you.

Finally, they completely destroy any possibility for you to create a password that you would remember and that would make sense to you by dictating that "A password must not include words that can be found in any dictionary, whether English or any language." This means, you are left with nothing but strings of random letters, meaning, this will be something you will need to write down on a piece of paper and save it so you can remember it.
Others have already touched on this... The best way is to find patterns. Pick a common word or sentence, and then drop out all the vowels, or take the first letter. For example: Could you guess "DTiai"? Hint: it's all the first letters of the sentence "Donald Trump is an idiot". And if you need a password reminder, you don't need to write down your password, just a note about "What I think of president Trump". Need some numbers to tack on to the end of it? How about TDiai2113581. That's the same "Donald Trump is an idiot", then go to the periodic table of the elements and pick the first digit of the atomic weight in the last column.

The way I see it: it's my account, my responsibility. If I decide to create a password that's just "1234", and that means it has an extreme risk of being deciphered by others, that's MY PROBLEM.
The thing is, it may not be just your problem. Depending on what service you're dealing with, having your password broken can affect other people.

Someone breaks your email password? They can start sending out spam in your name, and YOUR mail provider then has to handle all the angry responses. (Or they can overload your network connection or server with traffic, slowing down access for everyone.) Or sometimes getting access to a system from one password can help you get access to other accounts on the same system. (Sometimes security is multi-layer. Getting past the first layer makes it easier to get past subsequent layers.)
Second of all, as I mentioned earlier, by introducing such a large list of demands, you make it so that I have to create a password that I wouldn't remember, because it ends up being something crafted to the site's individual desires. So I have to write it down somewhere, because I just won't remember. Especially considering each site has their unique list of requirements. That means that, at the end of the day, I'm still at the risk of having someone find that list and have access to all of my passwords. So, the rationale that this makes your password more secure, isn't precisely true.
True, that is a big problem. Although from what I understand, the biggest problem is simply stupidity. Want to break into a system? Call people at random, say "I'm with tech support... we're having problems and need your user ID/password". Many will be foolish enough to give it to you.

I remember seeing an interview with a former "Hacker" (it might have been Kevin Mitnick) who said his most valuable piece of hacking equipment was a photocopier.... he could use it to make a fake ID, then hang out near the fire escapes near an office. People go out to smoke and leave the doors open. Just follow them inside (with your fake ID) and you have access to the building. You can then hunt for all of the written-down IDs you want.

This is an old NOVA documentary. Some of the technology in it is outdated, but it's still an interesting look at computer security.
https://www.youtube.com/watch?v=EcKxaq1FTac
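The nine-rule policy quoted at the top of this post, implemented as a checker so the ambiguities the replies argue about become visible. This is an added example, not code from the thread or from whatever site published the rules. The account details (user name, names, team list, SSN, dictionary, history) are constructed, and two readings are assumptions: "any part" of the user name is taken to mean any substring of three or more characters, and the dictionary rule is applied to words of four or more letters. A real checker would compare history against stored hashes rather than plaintext. Run as written, it accepts the eleven-character example posted near the end of the thread, which is exactly the point that post makes.

```python
import re
from dataclasses import dataclass


@dataclass
class AccountContext:
    """Everything the rules refer to besides the password itself (constructed for the example)."""
    username: str
    personal_names: tuple = ()    # own name, spouse, children, pets
    blocked_words: tuple = ()     # regional sports teams/players, office symbols
    ssn: str = ""                 # empty when not on file (a brand-new user, as the OP notes)
    dictionary: frozenset = frozenset()
    history: tuple = ()           # previous passwords, oldest first


SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>?/\\|`~")


def _contains_fragment(haystack: str, needle: str, min_len: int) -> bool:
    """Does any substring of `needle` with at least `min_len` characters occur in `haystack`?"""
    for n in range(min_len, len(needle) + 1):
        for i in range(len(needle) - n + 1):
            if needle[i:i + n] in haystack:
                return True
    return False


def policy_violations(password: str, ctx: AccountContext) -> list:
    """Return the rules from the posted policy that `password` breaks (empty list = accepted)."""
    found = []
    lower = password.lower()
    if len(password) < 8:
        found.append("shorter than 8 characters")
    if sum(c.isalpha() for c in password) < 2:
        found.append("fewer than 2 alpha characters")
    if not any(c.isdigit() for c in password):
        found.append("no number")
    if not any(c in SPECIAL for c in password):
        found.append("no special character")
    if any(a == b for a, b in zip(password, password[1:])):
        found.append("consecutive repeated characters")
    # "Any part thereof" read as any 3+ character substring of the user name (assumption).
    if _contains_fragment(lower, ctx.username.lower(), 3):
        found.append("contains part of the user name")
    for word in ctx.personal_names + ctx.blocked_words:
        if word.lower() in lower:
            found.append(f"contains a blocked name or word: {word}")
    # "Any subset ... more than a single number": any run of 2+ digits taken from the SSN.
    if _contains_fragment(password, re.sub(r"\D", "", ctx.ssn), 2):
        found.append("contains part of the social security number")
    # Dictionary rule applied to 4+ letter words, case-insensitive (assumption; read
    # literally it would also reject every password containing "a" or "an").
    for word in sorted(ctx.dictionary):
        if len(word) >= 4 and word.lower() in lower:
            found.append(f"contains a dictionary word: {word}")
    if password in ctx.history[-11:]:
        found.append("matches one of the 11 most recent passwords")
    return found


# Constructed account record for the demonstration; the SSN is not a real number.
SAMPLE_CONTEXT = AccountContext(
    username="jsmith",
    personal_names=("John", "Rex"),
    blocked_words=("Yankees", "Dodgers"),
    ssn="123-45-6789",
    dictionary=frozenset({"password", "flash", "brown", "smith"}),
    history=("Summer2016!",),
)

if __name__ == "__main__":
    for candidate in ("M3tS%4%EV4H", "Dodgers4ever!", "Jsmith1!", "aab1!xyz", "pass1!"):
        print(candidate, "->", policy_violations(candidate, SAMPLE_CONTEXT) or "accepted")
```

Two things the code makes obvious. The SSN and user-name rules can only be enforced when that data is already on file, so at sign-up they are either skipped or the form collects the SSN before the password. And the checker is purely literal: "M3tS" is accepted even with "Mets" on a team list, because nothing here undoes the substitutions, which is the gap a substitution-aware wordlist exploits.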
 
What's even funnier is that the administrators of the passwords create a backdoor username and password for the programmers to use so they don't have to try and remember a complex one when they have to repeatedly log in. The backdoor username/password is usually something as simple as "Admin5/Admin5". Hypocrites.
Yeah no.

Maybe in small, incompetent shops. Here in the real world, we use tools to inscrutably store such secrets and use them at runtime without the programmers ever having to know or care what the password is.

As for hypocrisy? Think about it: Somebody, somewhere, is always going to have the keys to the kingdom. It's like airline pilots at airport security. If you don't trust them enough to let them bypass security, how do you trust them enough to let them fly the plane?

This signature is intended to irradiate people.
 
M3tS%4%EV4H

fits the parameters while being stupidly easy to remember and, for that matter, guess.
 
