Adapted from a /. post

I'd like to start this with an xkcd comic:



There's tons of passphrases that look like the first one above. They use common (or sometimes uncommon) base words, with common substitutions, that make them hard to remember. This makes them easily crackable to most password crackers. However, if I have a password like "Washington invites the five-hundred thieves.", even though it uses common words, it combines them in a way that no password cracker would anticipate. People just can't create good passphrases when they believe what people tell them about what makes them secure. This misbelief even pervades our greatest reference: the man page:

man passwd wrote:
Choose a hard-to-guess password.
passwd through the calls to the pam_cracklib PAM module will try to prevent you from choosing a really bad password, but it isn't foolproof; create your password wisely. Don't use something you'd find in a dictionary (in any language or jargon). Don't use a name (including that of a spouse, parent, child, pet, fantasy character, famous person, and location) or any variation of your personal or account name. Don't use accessible information about you (such as your phone number, license plate, or social security number) or your environment. Don't use a birthday or a simple pattern (such as "qwerty", "abc", or "aaa"). Don't use any of those backwards, followed by a digit, or preceded by a digit. Instead, use a mixture of upper and lower case letters, as well as digits or punctuation. When choosing a new password, make sure it's unrelated to any previous password. Use long passwords (say at least 8 characters long). You might use a word pair with punctuation inserted, a passphrase (an understandable sequence of words), or the first letter of each word in a passphrase.


Everything said there (except the bits about not using your name and the patterns) is BS. This is the worst bit in the entire thing: "Instead, use a mixture of upper and lower case letters, as well as digits or punctuation." That implies passwords that look like Rk)gbK!eQCI. Gibberish. Although it may only be able to be cracked by brute force, it's not even near the ability of the average person to memorize. Those types of passwords end up on a sticky note attached to their monitor. Will people ever learn about how to make them right?

The other half of this is sites that have the obnoxious rules to increase passphrase "safety". What they're really doing is narrowing down the possible passphrases, thus decreasing security, instead of increasing it. The only requirement that is actually legit, and that should be on every site, is minimum passphrase length. Sadly, some sites are deluded into putting a max passphrase length (which means they're storing it as plaintext in a database like idiots). It doesn't f***ing matter how long a passphrase is. When it's hashed, a one-word password will turn out the same as a 200-word passphrase, in terms of length. Any other restrictions just make it harder to remember.

This whole "password" thing is crap as well. That's a relic from the 80s when you only had enough of your precious space to store one word at most. In the modern world where space is cheap, all "passwords" should be passphrases.

For example, my school recently changed its restrictions on passwords. After I got locked out of my account, they decided to change my passphrase to the school name, because that was the easiest way they knew how to fix locked accounts (dumb Windows). Of course, now I can't use spaces, punctuation, or anything else to increase the strength of my password. So I didn't even bother changing it to something stronger, because I'd never remember where I put the underscores and- whoops, I forgot, I can't use punctuation now. Forcing users to go from a multi-word, secure passphrase, to a one-word password that's easily guessable, is ludicrous. The restrictions have to have an end put to them, and now is the time.
Quote:
The other half of this is sites that have the obnoxious rules to increase passphrase "safety". What they're really doing is narrowing down the possible passphrases, thus decreasing security, instead of increasing it.

This is blatantly incorrect. Restricting the range of special characters you can use narrows the passphrase space a bit, but forcing normal users to include non-alphabetical characters is a HUGE step forward. 75^n is much larger than 52^n, and much much better than the 26^n you can rightfully expect.
elfprince13 wrote:
Quote:
The other half of this is sites that have the obnoxious rules to increase passphrase "safety". What they're really doing is narrowing down the possible passphrases, thus decreasing security, instead of increasing it.

This is blatantly incorrect. Restricting the range of special characters you can use narrows the passphrase space a bit, but forcing normal users to include non-alphabetical characters is a HUGE step forward. 75^n is much larger than 52^n, and much much better than the 26^n you can rightfully expect.
To play a bit of Devil's advocate, I'd say it's closer to 26^(n-1)*75. It'll add a little bit of entropy, but perhaps the benefit of the slightly increased entropy is an unusual password that's harder to remember and then gets written down somewhere even more insecure?

Far more egregious are those applications that don't allow me to use characters like '/' or '&' in passwords, however, since that both reduces the entropy and forces me to use an unusual password which is harder to remember.
Passwords can be easy to remember and yet hard to crack, just depending on what you use for them. My dad uses fake Bible citations for all of his passwords, which are easy to remember AND use a capital letter, several lowercase letters, a space, and a colon. For instance, his old password "Ahaz 1:1" returns a 79% strength rating on http://www.passwordmeter.com.
elfprince13 wrote:
Quote:
The other half of this is sites that have the obnoxious rules to increase passphrase "safety". What they're really doing is narrowing down the possible passphrases, thus decreasing security, instead of increasing it.

This is blatantly incorrect. Restricting the range of special characters you can use narrows the passphrase space a bit, but forcing normal users to include non-alphabetical characters is a HUGE step forward. 75^n is much larger than 52^n, and much much better than the 26^n you can rightfully expect.


Say you have the following restrictions: 8 chars or more with 2 non-alphanumerics. The normal user's password will look like bl@tan+ or something else with other common substitutions. Users are also wont to use the shortest password possible; putting it at 8 chars and hoping that the substitutions will make it stronger just won't cut it. For any given user, the easiest way to go about this is to try all the 8 char strings with at least two symbols. An even faster way to do this would be to take a dictionary of 8-letter words and stick permutations of common substitutions in.

If they'd just stick the minimum password length at 15 characters or so, they'd have no problems, especially if they stuck some example multi-word passwords in by it.

Compynerd255 wrote:
Passwords can be easy to remember and yet hard to crack, just depending on what you use for them. My dad uses fake Bible citations for all of his passwords, which are easy to remember AND use a capital letter, several lowercase letters, a space, and a colon. For instance, his old password "Ahaz 1:1" returns a 79% strength rating on http://www.passwordmeter.com.


Those password ratings are BS. I know for a fact that my password atm is stronger than 98% or so of what they get from users, however, it is rated at 80% or so because I didn't have any numbers in it. "correct horse battery staple", a very secure password, would only get about 40%, and most of that because of its length. The irrationale behind this is that the more cases your password has (upper, lower, number, symbol), and the longer the length, the more secure it is. This is patently false. A password like "Ab3@" could get 80% on most sites like that.
Just for fun, if you want to see a perfect, super-powered password I crafted against www.passwordmeter.com, it's ^a(s*d~fG%S`DbF$q#w@e!1+2-3_4

EDIT: an interesting quote from the same site:

Quote:
Please note, that this application does not utilize the typical "days-to-crack" approach for strength determination. We have found that particular system to be severely lacking and unreliable for real-world scenarios.
Good luck remembering that without a sticky on the monitor. You'd probably mistype it as well.
seana11 wrote:
Good luck remembering that without a sticky on the monitor. You'd probably mistype it as well.


Nope, I've already memorized it. I remember it by keeping a phrase in my head that goes like "correct horse ^a(s*d~fG%S`DbF$q#w@e!1+2-3_4 staple". Works pretty well.

Curious, what are OLD, unused passwords some of you guys had that you consider strong? (please don't take the bold and italicization lightly)
An old password that I used to think was funny is "hellokittyisthebesttvshowintheuniverse"

I highly doubt anyone would be able to brute force that and it's easy to remember, but it only gets a rating of 36%
I'm unlikely to trust any password strength rating that isn't rooted in information theory. That is, if it doesn't compute the entropy, I don't care.

"hellokittyisthebesttvshowintheuniverse" has an entropy of about 204 bits.
As for my old passwords. I used a lot of numbers. 29092012818641104103113328

^^ That was one of my old ones. My library number, my lunch number for school, and the password for my grades that are assigned to me. I will let you figure out the order. haha
Ashbad wrote:
Nope, I've already memorized it. I remember it by keeping a phrase in my head that goes like "correct horse ^a(s*d~fG%S`DbF$q#w@e!1+2-3_4 staple". Works pretty well.


I l0l'd.
elfprince13 wrote:
Quote:
The other half of this is sites that have the obnoxious rules to increase passphrase "safety". What they're really doing is narrowing down the possible passphrases, thus decreasing security, instead of increasing it.

This is blatantly incorrect. Restricting the range of special characters you can use narrows the passphrase space a bit, but forcing normal users to include non-alphabetical characters is a HUGE step forward. 75^n is much larger than 52^n, and much much better than the 26^n you can rightfully expect.


Not necessarily. They should be enforcing a length, not special characters. In 75^n, 52^n, and 26^n it is n that is important. 26^11 > 75^8
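The entropy arithmetic this reply and elfprince13's 75^n / 52^n / 26^n post are arguing over, worked through as an added example (not code from any poster). It uses the thread's own character-set sizes, the "26^(n-1)*75" one-forced-symbol model from earlier in the thread, and a 2048-word dictionary for the xkcd-style passphrase, which is an assumed figure the thread itself does not state.

```python
import math

# Character-set sizes from the thread: lowercase only, mixed case,
# and mixed case plus digits and symbols (elfprince13's 26, 52 and 75).
LOWER, MIXED, MIXED_DIGITS_SYMBOLS = 26, 52, 75


def uniform_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a password chosen uniformly from charset_size**length strings."""
    return length * math.log2(charset_size)


def one_forced_symbol_bits(length: int, alpha_size: int = LOWER, pool_size: int = 75) -> float:
    """The 'devil's advocate' model from the thread: a user satisfies a symbol rule by
    changing exactly one character, so the candidate space is alpha_size**(length-1)
    * pool_size rather than pool_size**length."""
    return (length - 1) * math.log2(alpha_size) + math.log2(pool_size)


def word_passphrase_bits(word_count: int, dictionary_size: int = 2048) -> float:
    """Entropy of word_count words drawn uniformly from a dictionary.
    The 2048-word default is an assumption for illustration, not a thread figure."""
    return word_count * math.log2(dictionary_size)


def min_length_to_match(target_bits: float, charset_size: int) -> int:
    """Smallest length at which charset_size**length reaches target_bits bits,
    i.e. how many lowercase letters it takes to match a shorter 'complex' policy."""
    return math.ceil(target_bits / math.log2(charset_size))


if __name__ == "__main__":
    eight_with_rules = uniform_bits(MIXED_DIGITS_SYMBOLS, 8)
    print(f"75^8 (8 chars, full charset)       : {eight_with_rules:5.1f} bits")
    print(f"52^8 (8 chars, mixed case)         : {uniform_bits(MIXED, 8):5.1f} bits")
    print(f"26^11 (11 lowercase letters)       : {uniform_bits(LOWER, 11):5.1f} bits")
    print(f"lowercase length needed to match 75^8: {min_length_to_match(eight_with_rules, LOWER)}")
    print(f"8 lowercase + one forced symbol    : {one_forced_symbol_bits(8):5.1f} bits")
    print(f"4 random dictionary words          : {word_passphrase_bits(4):5.1f} bits")
```

Note that these figures assume every character or word is chosen uniformly at random; a user who picks a dictionary word and swaps in "@" for "a" gets far less than the 75^n bound, which is the point the thread keeps circling back to.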
Ashbad wrote:
seana11 wrote:
Good luck remembering that without a sticky on the monitor. You'd probably mistype it as well.


Nope, I've already memorized it. I remember it by keeping a phrase in my head that goes like "correct horse ^a(s*d~fG%S`DbF$q#w@e!1+2-3_4 staple". Works pretty well.

Curious, what are OLD, unused passwords some of your guys had that you consider strong? (please don't take the bold and italization lightly)


"Could it really be that simple?" sometimes like that, sometimes all one word with no punctuation (depending on the constraints)

I had always hoped someone would hack me and then be super pissed off when they finally figured out what my password was.