(SeattlePI) 38 percent of adults would rather scrub a toilet than come up with a new online password, which explains why so many accounts get hacked and so many more toilets go unscrubbed (blog.seattlepi.com)
    More: Stupid, Harris Interactive, online banking  

1763 clicks; posted to Main on 24 Aug 2012 at 12:31 PM (1 year ago)



75 Comments

Archived thread

 
2012-08-24 12:32:32 PM
Mine is 12345, so it's easy to remember.
 
2012-08-24 12:33:02 PM
I just can't stand that every website has completely different password rules. Oh, I need 3 letters and both upper and lower case with a symbol for this one..... fark
 
2012-08-24 12:35:06 PM

Heamer: Mine is 12345, so it's easy to remember.


I have the same combination on my luggage
 
2012-08-24 12:37:30 PM
Ugh. That's why God invented housekeepers.

/They always come up with the most secure ones.
 
2012-08-24 12:38:07 PM
In before 'correct horse battery staple'.

When I was at university we had to change passwords every 90 days, and you couldn't re-use any password, plus all passwords had to be a minimum of 8 characters including upper/lower case, at least one number and a special character.

Yeah, mine was written down every time.
 
2012-08-24 12:38:48 PM
I can't recall who posted it but I read it on Fark about using a song line. Use the first letter of each word in a line in your favorite song. Which is easy because my favorite song is All Together Now so it's just 1234
 
2012-08-24 12:40:32 PM
I needed eight characters including a number so I chose Snow White and the seven dwarfs.

/Old, I know.
 
2012-08-24 12:40:37 PM
I keep all my passwords on a file in "My Documents" so no problem coming up with new passwords.
 
2012-08-24 12:41:10 PM
Mine is the same for everything: *******************
 
2012-08-24 12:41:10 PM

Gleeman: In before 'correct horse battery staple'.

When I was at university we had to change passwords every 90 days, and you couldn't re-use any password, plus all passwords had to be a minimum of 8 characters including upper/lower case, at least one number and a special character.

Yeah, mine was written down every time.


I had the same thing at an old job minus the special character. I went with Farkface01 and went up numerically as they expired. I think I stopped when somewhere around Farkface11 I had to tell the password to someone in IT for work on my computer. She wasn't tooo thrilled but she blew it off, fortunately.
 
2012-08-24 12:41:32 PM

Gleeman: In before 'correct horse battery staple'.




imgs.xkcd.com
 
2012-08-24 12:42:02 PM

Alonjar: I just can't stand that every website has completely different password rules. Oh, I need 3 letters and both upper and lower case with a symbol for this one..... fark


Pretty much this. The password recovery button is my friend :( You're not supposed to have your passwords be the same, I get it. I just wish there were easy ways to remember the type of passwords that are the 'safest'.
 
2012-08-24 12:42:44 PM
Scrubtoilet was my password.
 
2012-08-24 12:44:12 PM

rudemix: Gleeman: In before 'correct horse battery staple'.

When I was at university we had to change passwords every 90 days, and you couldn't re-use any password, plus all passwords had to be a minimum of 8 characters including upper/lower case, at least one number and a special character.

Yeah, mine was written down every time.

I had the same thing at an old job minus the special character. I went with Farkface01 and went up numerically as they expired. I think I stopped when somewhere around Farkface11 I had to tell the password to someone in IT for work on my computer. She wasn't tooo thrilled but she blew it off, fortunately.



You should never have to tell someone in IT your password. There should be an IT user on the machine for maintenance.
 
2012-08-24 12:49:55 PM
Couldn't the computer also be searching for combinations of words rather than random assortments of characters? In which case that correcthorsebatterystapler thing wouldn't be very secure at all.
 
2012-08-24 12:50:06 PM
password1

the "1" is to throw them off
 
2012-08-24 12:50:40 PM

rudemix: Gleeman: In before 'correct horse battery staple'.

When I was at university we had to change passwords every 90 days, and you couldn't re-use any password, plus all passwords had to be a minimum of 8 characters including upper/lower case, at least one number and a special character.

Yeah, mine was written down every time.

I had the same thing at an old job minus the special character. I went with Farkface01 and went up numerically as they expired. I think I stopped when somewhere around Farkface11 I had to tell the password to someone in IT for work on my computer. She wasn't tooo thrilled but she blew it off, fortunately.


Forgot to add that you couldn't use any dictionary words, had to be gibberish. Sigh...
 
2012-08-24 12:53:17 PM

Wasilla Hillbilly: Couldn't the computer also be searching for combinations of words rather than random assortments of characters? In which case that correcthorsebatterystapler thing wouldn't be very secure at all.


It would be easy to remember, but offer a challenge due to the size/number of 'guesses' required to blunt force crack it. 26 possible characters not including spaces vs your typical 8 character password.
 
2012-08-24 12:57:43 PM

AliceBToklasLives: I keep all my passwords on a file in "My Documents" so no problem coming up with new passwords.


Unfortunately do the same. Only passwords I don't write down are my online banking access and my computer unlock. The latter is simple but the hint requires specific knowledge that I don't have written down anywhere.
 
Zel
2012-08-24 12:59:01 PM

Wasilla Hillbilly: Couldn't the computer also be searching for combinations of words rather than random assortments of characters? In which case that correcthorsebatterystapler thing wouldn't be very secure at all.


That's called a dictionary attack, and yes, the computer is very good at breaking passwords like "banana" and even longer ones like "democracy" because the total number of words in a dictionary is Way smaller than the number of possible random combinations.

Similarly, I once had a virus waltz right into my PC because its dictionary had qwertyuiop. So it's not all regular words, but common stuff like p4ssw0rd.

Nowadays I make random long baloney passwords and just do a reset every time I have to type it.
 
2012-08-24 01:00:41 PM
Passwords by themselves are bad enough. My company just instituted two-factor authentication, so we have to use a USB token key as well. Then we have to change the password every 60 days (which is really a very bad security practice, but don't try to explain why to a 24 year old security "expert"). If you forget your token key, which is easy to do, since it is a violation of company policy to store it with your portable computer, you must call the help desk to have them generate a token that you have to manually punch in. That doesn't sound bad, but they also have a 60 minute idle time-out that will kick you out of the network. So if you go to a meeting or lunch, you have to call help desk again.

Now when one considers that most hackers never bother to attempt to get in via the front door, all this password paranoia is really stupid.
 
2012-08-24 01:04:15 PM
Please enter a Password
******
We're sorry. Your password is too short. Please enter a new password
******************
We're sorry. Your password does not contain a number. Please enter a new password
*******************
We're sorry. Your password does not contain a special character. Please enter a new password
********************
We're sorry. Your password contains an unauthorized special character. Please enter a new password
********************
We're sorry. Your password exceeds the allowable number of characters. Please enter a new password
 
2012-08-24 01:04:32 PM

Wasilla Hillbilly: Couldn't the computer also be searching for combinations of words rather than random assortments of characters? In which case that correcthorsebatterystapler thing wouldn't be very secure at all.


No. It's mathematically pretty secure even with the full knowledge that you're using four common English words.

You're talking about the equal of an 8-character pure gibberish password.

90 ~= number of ASCII characters you're likely to use in a password

90^8 = 4 quadrillion passwords

90^8 = 8100^4

So, the 'correct horse' example drawn from an 8100 word constrained vocabulary (which is about most people's day-to-day vocabulary) is equal to an 8-character pure gibberish password. Except that you can actually remember the four words but would have to be a savant to remember more than one or two pure gibberish passwords. The point is, most people's 8-character passwords *aren't* pure gibberish or even close.

/ or you could use KeePass already
 
2012-08-24 01:07:26 PM

Eps05: AliceBToklasLives: I keep all my passwords on a file in "My Documents" so no problem coming up with new passwords.

Unfortunately do the same. Only passwords I don't write down are my online banking access and my computer unlock. The latter is simple but the hint requires specific knowledge that I don't have written down anywhere.


Actually I was joking about the file, but I do use the same password for everything that is not money or work-related. Otherwise, I would have hundreds of passwords to memorize or write down.
 
2012-08-24 01:16:12 PM
correcthorsebatterystapleatthetilkemcisedhockenheimring

And if, for some reason, you have to meet the AKO password standard (minimum 2 each of caps, lowercase, numbers and symbols; and at least 10 total characters):

#3Train@7thAveAndBrooklynExpressExceptNights

/Note that these are useless on systems with a MAXIMUM password size, being 55 and 44 characters long each, respectively
 
2012-08-24 01:22:45 PM

Alonjar: I just can't stand that every website has completely different password rules. Oh, I need 3 letters and both upper and lower case with a symbol for this one..... fark


There are definitely some websites that I wish would put a reminder of their stupid password rules on the login page. I'd actually be able to recreate my thought process if I knew it required at least three uppercase letters, two numbers and two punctuation marks. Those ones I just leave the password in my email inbox, which is I suppose more secure than on a desktop post-it note.

\Passphrases are more secure anyways, but too many places limit the number of characters.
 
2012-08-24 01:25:51 PM

JackieRabbit: never bother to attempt to get in via the front door


Kinky.
 
2012-08-24 01:27:14 PM
The headline should read... and so many toilets are scrubbed. Actually, now that I think about it... People do change their passwords. Nevermind, damn it
 
2012-08-24 01:27:40 PM
*sigh*...didn't we just go over this two days ago?

www.keepassx.org It's free, uncrackable and indispensable. One password to rule them all. One password to find them and in the darkness, bind them.

You're welcome.
 
2012-08-24 01:29:33 PM
I used to come up with different egregiously complicated passwords for every site and then compile those passwords into a microscopic file I had embedded in my shin readable only by a scanning device. I realized later what a monumental waste of effort this was.

Unless you have an incredible memory for random strings of numbers/letters don't bother IMHO. Exceptions made for really important sites related to banking etc. If someone wants to hijack my FARK account be my guest.
 
2012-08-24 01:34:41 PM

JackieRabbit: Passwords by themselves are bad enough. My company just instituted two-factor authentication, so we have to use a USB token key as well. Then we have to change the password every 60 days (which is really a very bad security practice, but don't try to explain why to a 24 year old security "expert"). If you forget your token key, which is easy to do, since it is a violation of company policy to store it with your portable computer, you must call the help desk to have them generate a token that you have to manually punch in. That doesn't sound bad, but they also have a 60 minute idle time-out that will kick you out of the network. So if you go to a meeting or lunch, you have to call help desk again.

Now when one considers that most hackers never bother to attempt to get in via the front door, all this password paranoia is really stupid.



One company I worked for instituted a new password policy, where everyone's passwords were wiped and new rules were put in place: One capital letter, one number, at least eight characters long, set to expire every thirty days. They helpfully reset everyone's password to 'Company1' where 'company' was the name of the place we were working.

Every thirty days the password expired for everyone, all at once, since no one had bothered to change them from the default 'Company1'. Since people don't like having to think up new passwords, the first time it expired, everyone simply changed their passwords to 'Company2'. Thirty days later, 'Company3' was the standard. A good ninety percent of the company ended up using the same exact password. You could walk up to almost any computer and log on with it.

When I left the company a while later for another job, we were up to Company17 and the 'security' office still refused to admit anything was wrong. Sadly, this wasn't anywhere near the most screwed up thing about the place.
 
2012-08-24 01:37:30 PM
Won't someone think of the toilets?!
 
2012-08-24 01:38:09 PM

Lawnchair: Wasilla Hillbilly: Couldn't the computer also be searching for combinations of words rather than random assortments of characters? In which case that correcthorsebatterystapler thing wouldn't be very secure at all.

No. It's mathematically pretty secure even with the full knowledge that you're using four common English words.

You're talking about the equal of an 8-character pure gibberish password.

90 ~= number of ASCII characters you're likely to use in a password

90^8 = 4 quadrillion passwords

90^8 = 8100^4

So, the 'correct horse' example drawn from an 8100 word constrained vocabulary (which is about most people's day-to-day vocabulary) is equal to an 8-character pure gibberish password. Except that you can actually remember the four words but would have to be a savant to remember more than one or two pure gibberish passwords. The point is, most people's 8-character passwords *aren't* pure gibberish or even close.

/ or you could use KeePass already


Exactly. Randomly trying combinations of 4 out of the 5000 most common English words is already about as hard as trying 8 digit combinations of lower and upper case letters, numbers, and symbols. And no one needs to write it down to remember it.
 
2012-08-24 01:40:41 PM
Yeah. I get upset only when something random makes me come up with some super complicated password instead of my common one I normally use. I understand having a very secure one for things like banking or company security. But, unless I use it often it's getting written down somewhere.

And, I imagine like most thievery there's more than one way in and someone that really wants to get in will find a way regardless of how super secure the password is.
 
2012-08-24 01:43:28 PM

toraque: A good ninety percent of the company ended up using the same exact password. You could walk up to almost any computer and log on with it.

When I left the company a while later for another job, we were up to Company17 and the 'security' office still refused to admit anything was wrong. Sadly, this wasn't anywhere near the most screwed up thing about the place.


Richard Stallman fixed this back in the 70s ... http://www.youtube.com/watch?v=CjaC8Pq9-V0&t=5m5s

When I run into an asinine PW policy, I use something like "ass9 IT admins with no clue suck!" and hope that it gets stored as plaintext and actually looked at by said ass9 admins...
 
2012-08-24 01:49:42 PM
My password is the same for everything I log into, everywhere, all the time.

Because honestly, I could give a rat's ass if someone "hijacks" my Fark account, and real hackers aren't going to be stealing my password to access my bank account anyway; they'll just get the number via a hacker bbs.
 
2012-08-24 02:00:27 PM
I will happily come up with new passwords for anyone who wants to scrub my toilet.

/Difficulty: have teenagers.
 
2012-08-24 02:05:03 PM
I don't remember the password to my toilet...
 
2012-08-24 02:07:03 PM

JackieRabbit: most hackers never bother to attempt to get in via the front door, all this password paranoia is really stupid.


It's actually harmful. Forgetting a password is so common that they have to have a nice, easy to con way to reset it.

Keep control of your farking password hash files and let us use anything we want for passwords. (If the password hash file isn't stolen, then just about anything is fine - it's only when crackers get the hash file to chew on that password strength matters.)
 
2012-08-24 02:08:31 PM
Came here for my own password, "correct horse battery staple", leaving satisfied
 
2012-08-24 02:13:21 PM

Gyrfalcon: My password is the same for everything I log into, everywhere, all the time.

Because honestly, I could give a rat's ass if someone "hijacks" my Fark account, and real hackers aren't going to be stealing my password to access my bank account anyway; they'll just get the number via a hacker bbs.


I had my checking account drained by two people physically going into my bank (in another state) and filling out a withdrawal slip.

Four on Friday, three more on Monday. I was enjoying a four-day weekend fishing. They used the same teller, and the bank wouldn't reveal to me or the investigator which ID document they used.

Best part? The bank blamed it on me and said my computer must have been hacked. No, asswipes, all they needed was your lazy (or complicit) teller and any of the thousand places my checking account number is at. Or actually just a driver's license really.

Farking ridiculous. Thank God we live in a socialist nightmare where the banks are insured and I got reimbursed.
 
2012-08-24 02:17:23 PM
Most password policies are asinine and counter-productive. Want your employees to make a 10 character alpha-numeric case sensitive password with inclusion of at least one symbol with a 3 month expiration? Awesome, I guarantee every password in your freaking company is written down somewhere near the computer it's used on, making all of that worthless by creating an even larger security risk than the one you were addressing. And about the only thing they are good against are brute force attacks that focus on dictionary words, hardly the most common or easiest form of system penetration. Your security is far more likely to get penetrated through other less obvious weakness, an employee downloading something (like a keylogger), or just good old fashioned social engineering. In the meantime, you've reduced company efficiency and created a headache for employees in a policy worthy of Dilbert's PHB.

And don't get me started on websites. I have no problem with forums and such having passwords, but they don't need the same level of security as my farking bank, especially when most of them have no personal info. I love it when they tell me a password is too weak, when I couldn't care less if someone else logged in as me most places. Oh no, someone might post as me on Fark, heaven forfend!

/there have been plenty of websites with ridiculous password requirements I didn't register with and just never went back to as a result
 
2012-08-24 02:23:46 PM
Amusingly, asinine password restrictions make an attacker's job easier by reducing search space. Must have at least one lowercase and one uppercase letter? Great. Now the attacker doesn't have to check for anything with no lowercase letters or no uppercase letters. Must have at least one digit? That culls anything with no digits. Each little restriction on what must or must not be in a password cuts out millions of possible passwords to search for.
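
Added example, not part of the thread: the search-space arithmetic from Lawnchair's comment (90^8 versus 8100^4) and the effect of the "must contain" rules described in the comment above, counted exactly with inclusion-exclusion. It assumes every password or passphrase is chosen uniformly at random; the four character-class sizes are an assumed split of the thread's 90-character alphabet.

```python
import math
from itertools import combinations

# Assumed split of the ~90 typeable characters into classes (sums to 90).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 28}


def bits(count):
    """Search-space size in bits (log2 of the number of candidates)."""
    return math.log2(count)


def uniform_space(choices, length):
    """Candidates when each of `length` slots is drawn uniformly from `choices`."""
    return choices ** length


def compliant_space(classes, length, required):
    """Exact count of strings of `length` that contain at least one character
    from every class in `required`, by inclusion-exclusion over the classes
    that are missing from the string."""
    total = sum(classes.values())
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = total - sum(classes[c] for c in missing)
            count += (-1) ** k * remaining ** length
    return count


def words_needed(vocab, target_count):
    """Smallest number of uniformly random words from a `vocab`-word list whose
    search space is at least `target_count` (integer arithmetic, no rounding)."""
    n, space = 0, 1
    while space < target_count:
        space *= vocab
        n += 1
    return n


def compare():
    """Numbers behind the thread's claims, under the uniform-choice assumption."""
    gibberish = uniform_space(90, 8)      # 8 random characters from 90
    passphrase = uniform_space(8100, 4)   # 4 random words from 8100
    small_vocab = uniform_space(5000, 4)  # 4 random words from 5000
    policy = compliant_space(CLASSES, 8, ["lower", "upper", "digit", "special"])
    return {
        "gibberish_bits": bits(gibberish),
        "passphrase_bits": bits(passphrase),
        "small_vocab_bits": bits(small_vocab),
        "policy_fraction": policy / gibberish,
        "policy_bits_lost": bits(gibberish) - bits(policy),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:18s} {value:.3f}")
    print("words from 5000 to match 90^8:", words_needed(5000, 90 ** 8))
```

The figures only hold for machine-chosen secrets; a human-picked word or a capitalised word plus a trailing digit is far less than uniform, which is the point the replies make about predictable patterns.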
 
2012-08-24 02:24:52 PM
I only remember a very small number of passwords:
- The master password to my LastPass account.
- My primary email account.
- A few passwords for TrueCrypt volumes.

LastPass stores all my passwords for everything else (each one is long and random). Need to change the password? Ok. No big deal, just a click or two of the mouse and a new random one is generated.

My LastPass and email accounts are protected with one-time passwords (I use Google Authenticator and compatible TOTP clients). My home computer and laptop are "trusted" and don't require one-time passwords to access my accounts but any other system out there does.

Naturally, I have a backup of all the saved passwords, the seeds for the OTP generator, my LastPass master password, and my email password saved to digital media and printed out on paper and kept in a sealed envelope in geographically remote secure locations. I update the paper copies twice a year. Useful if I ever get hit by a bus and my wife needs to close my various accounts.

Most people pick incredibly stupid passwords that are insecure and hard to remember. Screw that.
 
2012-08-24 02:29:14 PM
Why are we even still using passwords? It seems to me, putting a smartcard in your computer and a simple passcode to use with it is infinitely more secure than a password that you have to change every month.
 
2012-08-24 02:40:50 PM

Wasilla Hillbilly: Couldn't the computer also be searching for combinations of words rather than random assortments of characters? In which case that correcthorsebatterystapler thing wouldn't be very secure at all.


The computer doesn't look for "words" in the same sense you do. correct horse battery stapler is more secure for the simple reason that there are more bits to guess at than 034#5!3^. From a brute force standpoint, the former is much harder than the latter.
 
2012-08-24 02:40:53 PM
Oh, is this where we tell people how fark automatically filters our passwords?

Like this: drewisafarkhead

Isn't that cool?
 
2012-08-24 02:46:12 PM

lemurs: Amusingly, asinine password restrictions make an attacker's job easier by reducing search space. Must have at least one lowercase and one uppercase letter? Great. Now the attacker doesn't have to check for anything with no lowercase letters or no uppercase letters. Must have at least one digit? That culls anything with no digits. Each little restriction on what must or must not be in a password cuts out millions of possible passwords to search for.


Hmm, I would argue for a straight brute force attack it probably doesn't matter much (assuming it is truly a "random" string for a password), the combinations are large enough that even with those limitations taken into account it's going to be hard to just push through. Not impossible mind you, but without those restrictions you can bet someone would cleverly pick "password" and then wonder why they got hacked.

Of course, if we require, say, an 8 character minimum password with caps and numbers, I'd be looking to refine my attack to try capitalizing the first letter of a word and adding either a single number, a two digit number, or a four digit number on at the end (either tacking on a single number or a date for 'YY, MMDD, or YYYY format, likely their birthday) for any combination that gives me 8-10 characters. Still potentially harder to crack than someone using "password", but I'd be surprised if you didn't find many passwords for any group didn't fall within these parameters.

In reality, I'd actually just look to get physical access to the site and either talk a login out of someone or just look surreptitiously under a few mouse pads for the sticky note with a single nonsense word written on it. The weakest point in most security systems are the people, no sense in going through the trouble to break into a box the hard way.
 
2012-08-24 02:52:17 PM

fracto: rudemix: Gleeman: In before 'correct horse battery staple'.

When I was at university we had to change passwords every 90 days, and you couldn't re-use any password, plus all passwords had to be a minimum of 8 characters including upper/lower case, at least one number and a special character.

Yeah, mine was written down every time.

I had the same thing at an old job minus the special character. I went with Farkface01 and went up numerically as they expired. I think I stopped when somewhere around Farkface11 I had to tell the password to someone in IT for work on my computer. She wasn't tooo thrilled but she blew it off, fortunately.


You should never have to tell someone in IT your password. There should be an IT user on the machine for maintenance.


I was worried about my inordinate amount of browsing getting discovered also so I didn't even consider something like that. I did change it as soon as she left the office.
 
2012-08-24 02:59:11 PM

Surpheon: JackieRabbit: most hackers never bother to attempt to get in via the front door, all this password paranoia is really stupid.

It's actually harmful. Forgetting a password is so common that they have to have a nice, easy to con way to reset it.

Keep control of your farking password hash files and let us use anything we want for passwords. (If the password hash file isn't stolen, then just about anything is fine - it's only when crackers get the hash file to chew on that password strength matters.)


Agreed. Let the users select a good password and don't make them change it. If someone from outside gets the hashed passwords, you have a mole in your IT department.

But professional hackers never try to hack using passwords; that's too easy to detect. They usually exploit a known vulnerability and come in via an open protocol.
 
Displayed 50 of 75 comments


This thread is archived, and closed to new comments.
