
(Carbon Black) Sorry, but your password must contain an uppercase letter, a number, a haiku, a gang sign, a hieroglyph and the blood of a virgin (carbonblack.com)

11923 clicks; posted to Geek on 08 Jul 2013 at 5:07 PM (1 year ago)



158 Comments
 
2013-07-08 03:24:12 PM  
I just created this great website. You simply put in your login information for your bank, Gmail or any other secure site, and I'll run a security audit that will tell you how secure both your login details and the site are.

Try it here!

/Strong passwords are useless for morons.
 
2013-07-08 04:25:43 PM  
imgs.xkcd.com

Oblig.
 
2013-07-08 04:40:33 PM  

Donnchadha: [imgs.xkcd.com image 740x601]

Oblig.


And we're done here.
 
2013-07-08 04:44:03 PM  
i236.photobucket.com

Oblig
 
2013-07-08 04:44:45 PM  
And all this is negated by someone knowing your mother's maiden name and the street you grew up on.
 
2013-07-08 05:08:45 PM  

Donnchadha: [imgs.xkcd.com image 740x601]

Oblig.


This.

These farking idiots need to stop putting out these password guides with horrible information.
 
2013-07-08 05:11:54 PM  

EvilEgg: And all this is negated by someone knowing your mother's maiden name and the street you grew up on.


Best alternate recovery questions are when you can put your own questions in. Then this allows you to put a question with an answer that only you can answer because you know the context. Plus if someone in a chat asks you a question about it, it'd be pretty obvious what they're trying to do.
 
2013-07-08 05:12:28 PM  
We have gone way past the point where security does more harm than good.

And I'm not just talking about passwords.
 
2013-07-08 05:13:38 PM  

EvilEgg: And all this is negated by someone knowing your mother's maiden name and the street you grew up on.


Who puts factual answers to those security questions?
 
2013-07-08 05:14:40 PM  
My password for most stuff is the first 16 characters of the 16th line of one of many, many flash files saved on my desktop.
So, it's...
ctrl+c ctrl+v

It's that easy.
 
2013-07-08 05:14:48 PM  

EvilEgg: And all this is negated by someone knowing your mother's maiden name and the street you grew up on.


I was so pissed off at Yahoo! Mail. I had a bunch of letters saved from my Father, who is now dead, and I went to go check on them so that I could download/print them.  I knew my password, but my answers to my security questions are usually something like aposdir90834utokajfhdljkrfhgjfhglsakfjigh9348843584u5t9pasodkljflkdfj: üdkjf;flksadé.  I thought I'd never get in, but when I tried to login from my phone, it worked without having to answer a security question. Weird.  (This was a very old e-mail address, no one yell at me for using Yahoo! Mail.)
 
2013-07-08 05:15:41 PM  

EvilEgg: And all this is negated by someone knowing your mother's maiden name and the street you grew up on.


I always supply wrong answers to such questions. Not just secure, but humorous as well.
 
2013-07-08 05:15:54 PM  
'Password managers' are stupid.

You make 16 extremely complex passwords for all your individual accounts, then stick them all in one place where anyone only has to crack that one password and they have them all.

*sigh*
 
2013-07-08 05:16:04 PM  
Someone didn't bother reading my carefully prepared memo on commonly-used passwords.
 
2013-07-08 05:16:22 PM  
And the article gives bruteforce times yet fails to mention what hash they are for (and whether salt is involved).  That kinda matters.  If you're dumb enough to use unsalted MD5 to hash your passwords, well, sure they're gonna be bruteforced easily.  If you use bcrypt with a larger-than-default number of rounds, or a mix of two algorithms, it'll be a lot harder even if you have a small pile of Radeons.

Longer is better than more complex.
 
2013-07-08 05:18:21 PM  
This article is terrible. It is more now than just guessing. Like most people will stick to 2 dictionary words max and replace a's with @, e with 3, etc. or put a special character at the end and the capital at the start. This allows you to limit what you need to guess.

Just make sentences and stop being stupid.
 
2013-07-08 05:18:58 PM  
I don't have a problem with password security. My issue is more with what sites think they need the max security. I don't think I really need 8 characters, 1 upper-case, 1 special, and can't be like any of the previous 12 passwords to post on a forum.

My bank doesn't even require that.
 
2013-07-08 05:19:31 PM  
The numbers this kid is pulling out of their ass for crack times must have been calculated based on his ipad or some other similarly inept processor.  You put a real one to work and those times get cut down immensely...and the math behind his increased complexity seems just a tad too exponential, like way way too exponential.  CorrectHorseStapleBattery is still the much better summary of effective password creation.

EvilEgg: And all this is negated by someone knowing your mother's maiden name and the street you grew up on.


NateAsbestos: Who puts factual answers to those security questions?


And both of you hit the solid points when it comes to the sad state of common account recovery technologies.
 
2013-07-08 05:19:42 PM  
Ah yes. The solution according to the article is online password managers. The best ones do server side encryption so that the NSA would just read your passwords. Nice try NSAbmitter :)
 
2013-07-08 05:20:01 PM  
How I choose my passwords (and each site I go to has its own unique password):
1) Keyboard mash. Just randomly mash down on the keys to generate one. or
2) Use a foreign word with random numbers thrown in. How many dictionaries will they use in a dictionary attack?
 
2013-07-08 05:20:27 PM  

Mike: And the article gives bruteforce times yet fails to mention what hash they are for (and whether salt is involved).  That kinda matters.  If you're dumb enough to use unsalted MD5 to hash your passwords, well, sure they're gonna be bruteforced easily.  If you use bcrypt with a larger-than-default number of rounds, or a mix of two algorithms, it'll be a lot harder even if you have a small pile of Radeons.

Longer is better than more complex.


That's what my wife tells me, too!
 
2013-07-08 05:21:34 PM  

LZeitgeist: 'Password managers' are stupid.

You make 16 extremely complex passwords for all your individual accounts, then stick them all in one place where anyone only has to crack that one password and they have them all.

*sigh*


Yes, cause having the same password on all your accounts instead of one strong password that is hashed 10k times is so much better.
 
2013-07-08 05:22:24 PM  

skinink: How I choose my passwords (and each site I go to has its own unique password):
1) Keyboard mash. Just randomly mash down on the keys to generate one. or
2) Use a foreign word with random numbers thrown in. How many dictionaries will they use in a dictionary attack?


Rainbow tables bro.
 
2013-07-08 05:23:30 PM  

Intrepid00: Rainbow tables bro.


Salt.
 
2013-07-08 05:24:47 PM  

Mike: Intrepid00: Rainbow tables bro.

Salt.


Assuming the site even salts.
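The salt exchange above, worked through as an added example that is not from the thread: the wordlist is constructed, and the PBKDF2 round count is an assumed stand-in for the bcrypt cost parameter mentioned earlier.

```python
# Added example (not from the thread): a precomputed digest table matches
# unsalted MD5 directly but is useless against per-user salted, stretched hashes.
import hashlib
import hmac
import os

# Constructed stand-in for a leaked/common-password wordlist.
WORDLIST = ["password", "letmein", "Ppret11@", "correcthorsebatterystaple"]

def md5_unsalted(password: str) -> str:
    """What an unsalted-MD5 site stores: identical for every user with this password."""
    return hashlib.md5(password.encode()).hexdigest()

def build_table(words) -> dict:
    """Precompute digest -> plaintext once; reusable across users and across sites."""
    return {md5_unsalted(w): w for w in words}

def table_hit(stored_digest: str, table: dict):
    """Return the plaintext if the stored digest is in the table, else None."""
    return table.get(stored_digest)

ROUNDS = 50_000  # assumed work factor, playing the role of bcrypt's cost setting

def kdf(password: str, salt: bytes) -> bytes:
    """Salted, iterated derivation: each guess costs ROUNDS hash iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def store_salted(password: str):
    """Per-user random salt: two users with the same password get different digests,
    so no digest-keyed table can be built ahead of time."""
    salt = os.urandom(16)
    return salt, kdf(password, salt)

def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    return hmac.compare_digest(kdf(password, salt), digest)

if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("unsalted md5 table hit:", table_hit(md5_unsalted("password"), table))
    s1, d1 = store_salted("password")
    s2, d2 = store_salted("password")
    print("same password, different salted digests:", d1 != d2)
    print("verify correct password:", verify_salted("password", s1, d1))
```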
 
2013-07-08 05:24:50 PM  
FTFA:

"You can turn a window into shattered glass, but it'd be near impossible to turn that shattered glass back into a window. It's a one-way street."

I think a little heat would make this a rather simple process, actually.
 
2013-07-08 05:26:05 PM  
Subby,
You win one interwebz. I lol'd.
 
2013-07-08 05:26:34 PM  

Intrepid00: LZeitgeist: 'Password managers' are stupid.

You make 16 extremely complex passwords for all your individual accounts, then stick them all in one place where anyone only has to crack that one password and they have them all.

*sigh*

Yes, cause having the same password on all your accounts instead of one strong password that is hashed 10k times is so much better.


I recommend "password". It's so obvious, no one would believe it.

\Hide in plain sight, Grasshopper...
\\*snerk*
 
2013-07-08 05:27:02 PM  

NateAsbestos: EvilEgg: And all this is negated by someone knowing your mother's maiden name and the street you grew up on.

Who puts factual answers to those security questions?


You mean you weren't born in Mordor?
 
2013-07-08 05:27:20 PM  

BgJonson79: Mike: And the article gives bruteforce times yet fails to mention what hash they are for (and whether salt is involved).  That kinda matters.  If you're dumb enough to use unsalted MD5 to hash your passwords, well, sure they're gonna be bruteforced easily.  If you use bcrypt with a larger-than-default number of rounds, or a mix of two algorithms, it'll be a lot harder even if you have a small pile of Radeons.

Longer is better than more complex.

That's what my wife tells me, too!


ZING!
 
2013-07-08 05:27:54 PM  
old school...  bonus... squirrel noises...

dilbert.com
 
2013-07-08 05:27:57 PM  
A single point of failure, like an online password manager, is retarded. Password security depends on site-security and phishing-awareness more than the characters in your password itself.

Also, who the hell brute-forces passwords anymore?
 
2013-07-08 05:30:30 PM  
Password incorrect!
Once again, I try and fail.
Where is sledge hammer?


/Haiku king.
 
2013-07-08 05:31:26 PM  
A license plate number may very well be the best password you can use...
 
2013-07-08 05:31:30 PM  
My wife and I developed a by-hand algorithm to produce a password based on the domain for the site. The resulting passwords are long, random, unique, and easy to reproduce later.

Meh.
 
2013-07-08 05:32:25 PM  

BgJonson79: Mike: And the article gives bruteforce times yet fails to mention what hash they are for (and whether salt is involved).  That kinda matters.  If you're dumb enough to use unsalted MD5 to hash your passwords, well, sure they're gonna be bruteforced easily.  If you use bcrypt with a larger-than-default number of rounds, or a mix of two algorithms, it'll be a lot harder even if you have a small pile of Radeons.

Longer is better than more complex.

That's what my wife tells me, too!


You say that like Mike has a wife.

/grin
//actually, if Mike is a real nerd with a real-nerd job, he's probably got a hot wife
 
2013-07-08 05:32:46 PM  

scottydoesntknow: Donnchadha: [imgs.xkcd.com image 740x601]

Oblig.

And we're done here.


And even if you outright tell the crackers you're using four random lowercase words drawn from a vocabulary of 1000 words or so (a first grade child's vocabulary...)   1000^4 = 1,000,000,000,000.   An order of magnitude better than your standard unmemorable enforced password. Using a 6th grader's vocabulary (10,000 words or so), you improve that by four more orders of magnitude.

/   Conclusion. IT managers are idiots.
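The arithmetic in this post, carried through as an added example that is not part of the thread, alongside the point made later that composition rules shrink the search space. The character-class sizes and the mangled-word parameters are my assumptions.

```python
# Added example (not from the thread): keyspace arithmetic for the password
# styles discussed here: random-word passphrases vs. rule-constrained strings.
import math
from itertools import combinations

def passphrase_keyspace(vocab_size: int, n_words: int) -> int:
    """Candidates when the attacker knows the scheme: vocab_size ** n_words."""
    return vocab_size ** n_words

def bits(keyspace: int) -> float:
    """Entropy in bits of a uniformly chosen element of the keyspace."""
    return math.log2(keyspace)

def strings_using_all_classes(class_sizes, length: int) -> int:
    """Number of strings of `length` over the union of disjoint character classes
    that contain at least one character from EVERY class (inclusion-exclusion
    over the set of classes left out)."""
    total_alphabet = sum(class_sizes)
    count = 0
    for k in range(len(class_sizes) + 1):
        for excluded in combinations(range(len(class_sizes)), k):
            remaining = total_alphabet - sum(class_sizes[i] for i in excluded)
            count += (-1) ** k * remaining ** length
    return count

# Assumed classes: 26 upper, 26 lower, 10 digits, 32 symbols (94 printable ASCII).
PRINTABLE_CLASSES = [26, 26, 10, 32]

def composition_rule_fraction(length: int) -> float:
    """Share of all printable-ASCII strings of this length that a
    'one of each class' rule still allows; the rest are pruned for free."""
    return strings_using_all_classes(PRINTABLE_CLASSES, length) / sum(PRINTABLE_CLASSES) ** length

def mangled_word_keyspace(dictionary_size: int, leet_patterns: int, trailing_symbols: int) -> int:
    """Rough candidate count for 'dictionary word, leet swaps, capital first,
    one symbol at the end', the pattern a later post says attackers target."""
    return dictionary_size * leet_patterns * trailing_symbols

if __name__ == "__main__":
    for vocab in (1000, 10_000):
        ks = passphrase_keyspace(vocab, 4)
        print(f"4 words from {vocab}: {ks:.3e} candidates, {bits(ks):.1f} bits")
    print(f"8 chars, one of each class: {composition_rule_fraction(8):.3f} of 94^8 remain")
    ks = mangled_word_keyspace(10_000, 64, 32)  # assumed pattern counts
    print(f"mangled word: {ks:.3e} candidates, {bits(ks):.1f} bits")
```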
 
2013-07-08 05:32:52 PM  

LZeitgeist: 'Password managers' are stupid.

You make 16 extremely complex passwords for all your individual accounts, then stick them all in one place where anyone only has to crack that one password and they have them all.

*sigh*


Actually there is a way to do that and still make it extremely secure.

Your password will be the first names of a President, Vice President and Chief Justice.  Then all you need to do is create a file that has the number of which one it was.  Such as 6-13-12

JohnWilliamHarlan

All your file will ever have is a series of three numbers associated with what file it is.  A hacker will have nothing to go on.  Now if you want even more complexity you can add another level of complexity either by adding a modifier to your three digit series.  Such as the code now reading 6-13-12-U6.  Now you go up 6 places.  Remembering your lengthy passwords is now easy.  Adding the alphanumeric stuff is also easy.  Your code now will read 6*-13A-12-U6.  The appropriate leetspeak characters will now be used for the first name.  The second name will be capitalized every other letter.  The third name will be left alone.  And so forth.  Your code file can even have the necessary information on how to make the adjustments.  The only thing anybody has to remember is President, Vice President and Chief Justice.

It can get even better.  In an organization where passwords change every day the same code system can be used.  You get the correct combination as you come in and get the corresponding word, name, etc. out of a book that's been issued.  Even a dictionary can be used.

Will a system like that be used?  Not likely.  But it would work.
 
2013-07-08 05:33:27 PM  
Back in the day when us old farts had to wait in line to buy tickets to concerts (sometimes overnight) we had a brilliant plan to make a helluva heist.
Wait for Rush ticket buying time. Rob everyone standing in line of their atm cards.

/css, well, more like css, not!
//tubular
 
2013-07-08 05:33:39 PM  
I just use Klingon
 
2013-07-08 05:35:13 PM  
Man I read that as "blood of a vagina" and thought this will lead to some awkward break room conversations.
 
2013-07-08 05:35:27 PM  

Electrify: A license plate number may very well be the best password you can use...


Worst idea ever.
 
2013-07-08 05:36:11 PM  

skinink: How I choose my passwords (and each site I go to has its own unique password):
1) Keyboard mash. Just randomly mash down on the keys to generate one. or
2) Use a foreign word with random numbers thrown in. How many dictionaries will they use in a dictionary attack?



My nipples explode with delight
 
2013-07-08 05:36:53 PM  

bobrktb: I just use Klingon


the Klingon word for password?
 
2013-07-08 05:40:14 PM  
If I funk a virgin and she bleeds, is that considered the blood of a virgin? Because she's not like a virgin anymore when I collect it. Oh, and is it alright if some of my spunk is mixed in. Don't want to wrap it if I don't have to.

Thanks... I'll take my answer on the air.
 
2013-07-08 05:40:23 PM  
www.stevenverhelst.nl

/hot like Al
 
2013-07-08 05:42:04 PM  
Passwords don't have to be complex to be secure.

My pet peeve: Sites that require stuff in your passwords. Thanks guys, you've just told every hacker out there how to narrow down their attack. Must have an upper case letter? Remove all lower-case only passwords from a search. Must have a "symbol"? Remove all passwords without a symbol.

Here's a stupid set of rules from a university website:
Your new password:
Must be between eight and fourteen characters long
Should consist of some combination of letters and numbers, and must include at least one special character (for example, +, @, #, or $)
Cannot include the following characters: _ ' < > & !

I don't even know what stupid legacy crap leads to this kind of thing.

Security might start by just eliminating the 10,000 most used passwords by giving an error that says that password is insecure and to try making the password longer.

Oddly enough "mySite.com-password-password-password-password" is secure (and easy to remember). It beats anything that's 8 characters long and "must include at least one special character".
 
2013-07-08 05:42:53 PM  
I have a password that's somewhat remotely similar to ppret11. But now...they require it be 8 letters, not 7. So now it's ppret111. Then sites require it not have 3 consecutive letters the same. So now it's ppret112. Then they require a capital letter. So now it's Ppret112. Then they require it have a special letter... so now it's Ppret11@. What the hell is going to be next?!?!?

The evolution of my passwords.

/The problem is each site is a different stage of that evolution, so every site's password is different so I have to keep guessing to figure out where on that evolution my password from that site is at.
//Ugh.
 
2013-07-08 05:45:16 PM  

BumpInTheNight: CorrectHorseStapleBattery is still the much better summary of effective password creation.


I have to admit that I don't know much about password creation. I did a quick training bit with a past employer that said to avoid using real words, because there are hacking programs that can search for them. So would that make XKCD wrong about CorrectHorseStapleBattery, or is there something the training bit was missing?
 
Displayed 50 of 158 comments


This thread is closed to new comments.