Adapted from a /. post
I'd like to start this with an xkcd comic:
There are tons of passwords that look like the first one above. They take a common (or sometimes uncommon) base word and apply common substitutions, which makes them hard to remember but easy for most password crackers, since the crackers apply exactly those substitution rules to their wordlists. However, if I have a passphrase like "Washington invites the five-hundred thieves.", then even though it uses common words, it combines them in a way that no password cracker's wordlist and rule set would anticipate. People just can't create good passphrases when they believe what they're told about what makes one secure. This misbelief even pervades our greatest reference, the man page:
man passwd wrote:
Choose a hard-to-guess password.
passwd through the calls to the pam_cracklib PAM module will try to prevent you from choosing a really bad password, but it isn't foolproof; create your password wisely. Don't use something you'd find in a dictionary (in any language or jargon). Don't use a name (including that of a spouse, parent, child, pet, fantasy character, famous person, and location) or any variation of your personal or account name. Don't use accessible information about you (such as your phone number, license plate, or social security number) or your environment. Don't use a birthday or a simple pattern (such as "qwerty", "abc", or "aaa"). Don't use any of those backwards, followed by a digit, or preceded by a digit. Instead, use a mixture of upper and lower case letters, as well as digits or punctuation. When choosing a new password, make sure it's unrelated to any previous password. Use long passwords (say at least 8 characters long). You might use a word pair with punctuation inserted, a passphrase (an understandable sequence of words), or the first letter of each word in a passphrase.
Almost everything said there (except the bits about not using your name, the bits about patterns, and the last sentence, which actually recommends a passphrase) is BS. This is the worst bit in the entire thing: "Instead, use a mixture of upper and lower case letters, as well as digits or punctuation." That implies passwords that look like Rk)gbK!eQCI. Gibberish. Although it can only be cracked by brute force, it is well beyond what the average person can memorize. Those types of passwords end up on a sticky note attached to the monitor. Will people ever learn how to make them right?
The other half of this is sites with obnoxious rules meant to increase passphrase "safety". What they're really doing is narrowing down the set of possible passphrases, so an attacker who knows the rules has fewer candidates to try; that decreases security instead of increasing it. The only requirement that is actually legitimate, and that should be on every site, is a minimum passphrase length. Sadly, some sites are deluded into putting a tight maximum on passphrase length (which usually means they're storing it in a fixed-width database column, i.e. as plaintext, like idiots; a generous cap of a few hundred characters that only exists to stop someone from feeding a megabyte into the hash function is a different thing). It doesn't f***ing matter how long a passphrase is: once it's hashed, a one-word password and a 200-word passphrase come out the same length. Any other restrictions just make it harder to remember.
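The arithmetic behind both points above, the xkcd comparison and the composition-rule complaint, as an added worked example (this is not code from the original Slashdot post). Every number in it is an assumption chosen for illustration: a 50,000-word cracking dictionary with 16 leet-substitution variants per word, a 7776-word Diceware-style list, a 95-character printable ASCII alphabet, and an attacker making 10^9 guesses per second against a fast hash. The function names are mine.

```python
"""Entropy arithmetic behind the passphrase argument.

Added example, not code from the original post. Every dictionary size,
rule count and guess rate below is an assumption chosen for illustration.
"""
import hashlib
import math

# Printable ASCII split into the four classes composition rules care about.
UPPER, LOWER, DIGIT, SYMBOL = 26, 26, 10, 33
PRINTABLE = UPPER + LOWER + DIGIT + SYMBOL      # 95


def bits_random_chars(length, alphabet=PRINTABLE):
    """Entropy of `length` characters drawn uniformly from `alphabet`
    symbols, i.e. Rk)gbK!eQCI-style gibberish."""
    return length * math.log2(alphabet)


def bits_word_with_substitutions(dictionary=50_000, substitutions=16,
                                 symbols=SYMBOL, digits=DIGIT):
    """Entropy of a Tr0ub4dor&3-style password: one word from a cracking
    dictionary (assumed 50k entries), a handful of leet substitutions each
    either applied or not (assumed 2**4 variants), then one symbol and one
    digit.  A cracker with that wordlist and a rule set enumerates exactly
    this space, so this is all the attacker has to search."""
    return math.log2(dictionary * substitutions * symbols * digits)


def bits_passphrase(words, wordlist=7776):
    """Entropy of `words` words picked uniformly from a Diceware-style list
    (assumed 7776 entries).  The words being common is irrelevant; the
    attacker still has to try every combination."""
    return words * math.log2(wordlist)


def bits_with_composition_rule(length, alphabet=PRINTABLE):
    """Entropy of a `length`-character password once a site demands at least
    one upper, one lower, one digit and one symbol.  Inclusion-exclusion
    counts only the strings satisfying all four demands, so the result is
    strictly below bits_random_chars(length): the rule throws candidates
    away, and an attacker who knows the rule skips them too."""
    classes = [UPPER, LOWER, DIGIT, SYMBOL]
    total = 0
    for mask in range(1 << len(classes)):           # every subset of classes
        excluded = sum(c for i, c in enumerate(classes) if (mask >> i) & 1)
        sign = -1 if bin(mask).count("1") % 2 else 1
        total += sign * (alphabet - excluded) ** length
    return math.log2(total)


def expected_crack_seconds(bits, guesses_per_second=1e9):
    """Expected time to find the password at an assumed 10**9 guesses/s
    (an offline attack on a fast hash); on average half the space is searched."""
    return 2 ** (bits - 1) / guesses_per_second


def stored_hash_length(password, salt=b"\x00" * 16):
    """Bytes a site stores when it hashes with PBKDF2-HMAC-SHA256: always the
    digest size, however long the passphrase, so a maximum length has no
    storage justification.  (Fixed zero salt only so the example is
    deterministic; a real site uses a random per-user salt.)"""
    return len(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))


def acceptable(password, min_len=15, max_len=512):
    """The only policy the post endorses: a minimum length, any characters
    (spaces and punctuation included).  The generous cap is not a storage
    limit; it just stops someone feeding megabytes into the hash function."""
    return min_len <= len(password) <= max_len


if __name__ == "__main__":
    for label, bits in [
        ("Tr0ub4dor&3-style word + substitutions", bits_word_with_substitutions()),
        ("11 random printable characters", bits_random_chars(11)),
        ("8 random characters, no composition rule", bits_random_chars(8)),
        ("8 random characters, all four classes required", bits_with_composition_rule(8)),
        ("5-word Diceware passphrase", bits_passphrase(5)),
    ]:
        print(f"{label:48s} {bits:5.1f} bits  ~{expected_crack_seconds(bits) / 86400:.3g} days")
    short, long = "correct", " ".join(["horse"] * 200)
    print("stored hash bytes:", stored_hash_length(short), stored_hash_length(long))
    print("policy:", acceptable("Washington invites the five-hundred thieves."),
          acceptable("Tr0ub4dor&3"))
```

Two things worth noticing when you run it. First, the composition rule only costs about a bit of entropy on paper for 8 random characters; the real damage is that humans satisfy the rule predictably (capital first, digit last), which the cracker's rule set models and this calculation does not. Second, the length-independence of the stored hash holds for PBKDF2, scrypt and Argon2, but bcrypt implementations only look at the first 72 bytes of input, so a site using bcrypt should either pick a KDF without that limit or cap at 72 bytes and say so, rather than silently truncating.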
This whole "password" thing is crap as well. That's a relic from the 70s and 80s, when Unix crypt(3) silently ignored everything after the eighth character and there was only enough precious space to store one word at most. In the modern world, where space is cheap, all "passwords" should be passphrases.
For example, my school recently changed its restrictions on passwords. After I got locked out of my account, they decided to change my passphrase to the school name, because that was the easiest way they knew how to fix locked accounts (Dumb Windows). Of course, now I can't use spaces, punctuation, or anything else to increase the strength of my password. So I didn't even bother changing it to something stronger, because I'd never remember where I put the underscores and- whoops, I forgot, I can't use punctuation now. Forcing users to go from a multi-word, secure passphrase to an easily guessable one-word password is ludicrous. These restrictions have to be put to an end, and now is the time.