
(Ars Technica)   Usingalongpassphrasedoesnot makeyourpasswordmoresecure123   (arstechnica.com)
    More: Interesting, password cracking, scriptures, YouTube, STRATFOR, matrix exponential, dictionary attack

4853 clicks; posted to Geek on 09 Oct 2013 at 8:34 PM



128 Comments
 
2013-10-09 08:33:13 PM
So my universal passcode of abcdefghijklmnopqrstuvwxyz1234567890 is not secure? What if I capitalized a letter?
 
2013-10-09 08:36:11 PM

Mangoose: So my universal passcode of abcdefghijklmnopqrstuvwxyz1234567890 is not secure? What if I capitalized a letter?


you know, qwertyuiopasdfghjklzxcvbnm1234567890 is easier to type
 
2013-10-09 08:36:31 PM
Correct!

/horsebatterystaple
 
2013-10-09 08:37:01 PM
Good.  That means my password, "A", is very secure.
 
2013-10-09 08:37:23 PM
So, he added a lot more words to his MD5 rainbow table.  wooo.
 
2013-10-09 08:37:36 PM
 
2013-10-09 08:41:53 PM
Well yeah, using actual common phrases would be rather stupid.
 
2013-10-09 08:45:21 PM

Hand Banana: Well yeah, using actual common phrases would be rather stupid.


You mean HairyBoobsAreGodsGiftToZebras isn't going to work anymore?
 
2013-10-09 08:46:40 PM

Hand Banana: Well yeah, using actual common phrases would be rather stupid.


That phrase from The Call of Cthulhu wasn't very common.
 
2013-10-09 08:51:24 PM
Newsflash: If a site allows unlimited brute force attacks, you are doomed no matter the password.  Also, the sky is blue.
 
2013-10-09 08:52:16 PM
Being somewhat obscure helps a bit, though. My just expired company password was "Bro0mhildaV0nShaft" for example. It may be on a rainbow table somewhere, but it is a recent enough reference where it may be still relatively safe.
 
2013-10-09 09:01:04 PM
i.imgur.com
 
2013-10-09 09:06:18 PM

Hand Banana: Well yeah, using actual common phrases would be rather stupid.


This is why I include misspellings and inane, made up phrases with spaces in incorrect places.

CoontFlow er and Pap aSmurf ate TielorSwift's ashoole
 
2013-10-09 09:12:45 PM
It actually isn't that difficult to remember a long random string of letters and numbers. The trick is to do it slowly. For example, start with a six digit random password. Use that on a site you use frequently, like e-mail. Once you have that committed to memory, add one more random digit (making it seven digits). Change your old password to the new one. Keep using it until you have it perfectly memorized. Then add another digit to the password. In the course of a year one can easily work their way up to remembering a 20 digit random password that no dictionary attack in the world can crack. The key is doing it slowly and using the password every day (multiple times a day is even better).

BTW, those who are posting the Kxcd comic totally missed the point of the article. The tag line should now read "It doesn't matter what you do anymore, they can crack it." because that was the point of the article.
 
2013-10-09 09:13:19 PM
One of my passwords is over 40 characters long, isn't in English, is misspelled, and uses special characters. Still don't think it's uncrackable, but it's going to be a huge pain in the ass if somebody really wants to get into my midget tranny porn email.
 
2013-10-09 09:14:35 PM
Does the Fark filter still * out your password if you type it in? I'll try:

************

Did it work?
 
2013-10-09 09:16:38 PM
CXEEN FTHMC IIXNY KWXNX LHYAR  LIULI NSIUP OSSXO NXXAT

Simple columnar transposition, keyword is "FLINTLOCK".
 
2013-10-09 09:18:16 PM
Find a dictionary. pick two random words that are at least 6 letters. Add the last name of the first school teacher you can remember capitalize the last letter. Now do a simple keyword cipher. Pick 4 digits of pi at random put 2 at the front two at the end.

After you do all that turn on two stage verification because if someone is determined they will still crack it
 
2013-10-09 09:21:33 PM
I use a password manager (keepass 2) that just generates a random password from any length and specification I need. There are versions of the client for Android. So if I update my password database I upload the database file to cloud storage, grab my tablet/phone, download the new database and I'm good. I have 67 passwords with me at all times.
 
2013-10-09 09:22:27 PM

Hand Banana: Well yeah, using actual common phrases would be rather stupid.


The point of the article is that with enough computing power all phrases are common. This is because (1) hackers can devise rule sets faster than people can think of ways around them because (2) you only think your passphrase is random but it's really not, it follows rules. It has to follow rules because a human has to remember it and human memory follows rules.

As cute as the kxcd comic is, it is no longer true; it is wrong.
 
2013-10-09 09:23:31 PM

worlddan: It actually isn't that difficult to remember a long random string of letters and numbers. The trick is to do it slowly. For example, start with a six digit random password. Use that on a site you use frequently, like e-mail. Once you have that committed to memory, add one more random digit (making it seven digits). Change your old password to the new one. Keep using it until you have it perfectly memorized. Then add another digit to the password. In the course of a year one can easily work their way up to remembering a 20 digit random password that no dictionary attack in the world can crack. The key is doing it slowly and using the password every day (multiple times a day is even better).

BTW, those who are posting the Kxcd comic totally missed the point of the article. The tag line should now read "It doesn't matter what you do anymore, they can crack it." because that was the point of the article.


No, you missed the point. The point is you make it take longer so by the time they can you already changed it. You also make rainbow tables unattractive and in the incomplete 20 TB+ range.

A good method is to use a random, farked sentence with a mangle that is phonetic.
 
2013-10-09 09:24:21 PM

worlddan: Hand Banana: Well yeah, using actual common phrases would be rather stupid.

The point of the article is that with enough computing power all phrases are common. This is because (1) hackers can devise rule sets faster than people can think of ways around them because (2) you only think your passphrase is random but it's really not, it follows rules. It has to follow rules because a human has to remember it and human memory follows rules.

As cute as the kxcd comic is, it is no longer true; it is wrong.


I don't know, a phrase that combined a few languages run through a cipher would still be pretty hard even with a ton of computing power.
 
2013-10-09 09:28:38 PM

styckx: I use a password manager (keepass 2) that just generates a random password from any length and specification I need. There are versions of the client for Android. So if I update my password database I upload the database file to cloud storage, grab my tablet/phone, download the new database and I'm good. I have 67 passwords with me at all times.


Yes, this works for most cases. The only problem with it is that the password manager has a password and if someone can crack your master password you are toast. Either that or you lose your device. Using cloud storage is smart but then that service too has a password, which can be cracked. So you still need to remember at least two strong passwords: one for the password manager and one for cloud storage.
 
2013-10-09 09:29:52 PM
Did anyone else read this is only based on MD5 encryption? That's only 128 bit, which has known vulnerabilities. Once someone gets a hold of these encrypted passwords it would be much easier to crack them than modern encryption techniques.
 
2013-10-09 09:34:40 PM

Smeggy Smurf: Hand Banana: Well yeah, using actual common phrases would be rather stupid.

You mean HairyBoobsAreGodsGiftToZebras isn't going to work anymore?


Not now that you've posted it here.

Mitch Taylor's Bro: Hand Banana: Well yeah, using actual common phrases would be rather stupid.

That phrase from The Call of Cthulhu wasn't very common.


If it was easily identified it was common enough.
 
2013-10-09 09:35:54 PM

Intrepid00: No, you missed the point. The point is you make it take longer so by the time they can you already changed it. You also make rainbow tables unattractive and in the incomplete 20 TB+ range.


The average user changes their password: never.  The article is talking about the average user. It notes that specifically, right at the beginning. Hackers do not care if a single person outruns them. You may care about that but hackers don't. They care about the weakest links. And the average user changes their password: never.
 
2013-10-09 09:38:08 PM

Intrepid00: worlddan: It actually isn't that difficult to remember a long random string of letters and numbers. The trick is to do it slowly. For example, start with a six digit random password. Use that on a site you use frequently, like e-mail. Once you have that committed to memory, add one more random digit (making it seven digits). Change your old password to the new one. Keep using it until you have it perfectly memorized. Then add another digit to the password. In the course of a year one can easily work their way up to remembering a 20 digit random password that no dictionary attack in the world can crack. The key is doing it slowly and using the password every day (multiple times a day is even better).

BTW, those who are posting the Kxcd comic totally missed the point of the article. The tag line should now read "It doesn't matter what you do anymore, they can crack it." because that was the point of the article.

No, you missed the point. The point is you make it take longer so by the time they can you already changed it. You also make rainbow tables unattractive and in the incomplete 20 TB+ range.

A good method is to use a random, farked sentence with a mangle that is phonetic.


So, Zappa lyrics from "Joe's Garage" then?
 
2013-10-09 09:38:10 PM

Carth: worlddan: Hand Banana: Well yeah, using actual common phrases would be rather stupid.

The point of the article is that with enough computing power all phrases are common. This is because (1) hackers can devise rule sets faster than people can think of ways around them because (2) you only think your passphrase is random but it's really not, it follows rules. It has to follow rules because a human has to remember it and human memory follows rules.

As cute as the kxcd comic is, it is no longer true; it is wrong.

I don't know, a phrase that combined a few languages run through a cipher would still be pretty hard even with a ton of computing power.


What's the point of even starting with a phrase if you're going to translate it into several languages and then run it through a cipher? Remembering the phrase won't help a person if they have to mentally translate it and cipher it every time they need to enter it. If you're going to memorize it as the output of the process, then there is no point in going to such lengths to create a password that appears random but has a meaningful source, when you could instead just memorize a password that has no meaningful source.
 
2013-10-09 09:39:55 PM
Don't use phrases or combinations that make sense or can be found on the internet.

I mean, backwards mixed up misspelled phrases with numbers and special characters...good luck with that shiat.
 
2013-10-09 09:43:16 PM

worlddan: styckx: I use a password manager (keepass 2) that just generates a random password from any length and specification I need. There are versions of the client for Android. So if I update my password database I upload the database file to cloud storage, grab my tablet/phone, download the new database and I'm good. I have 67 passwords with me at all times.

Yes, this works for most cases. The only problem with it is that the password manager has a password and if someone can crack your master password you are toast. Either that or you lose your device. Using cloud storage is smart but then that service too has a password, which can be cracked. So you still need to remember at least two strong passwords: one for the password manager and one for cloud storage.


Indeed. But ya know, there is only so much worrying and over the top redundancy methods to "protect yourself" you can do, ya know? I know for a fact I do more than the average person does and have been using this method for a long time.

/and my phone and tablet are encrypted.
 
2013-10-09 09:46:15 PM

Mytch: Carth: worlddan: Hand Banana: Well yeah, using actual common phrases would be rather stupid.

The point of the article is that with enough computing power all phrases are common. This is because (1) hackers can devise rule sets faster than people can think of ways around them because (2) you only think your passphrase is random but it's really not, it follows rules. It has to follow rules because a human has to remember it and human memory follows rules.

As cute as the kxcd comic is, it is no longer true; it is wrong.

I don't know, a phrase that combined a few languages run through a cipher would still be pretty hard even with a ton of computing power.

What's the point of even starting with a phrase if you're going to translate it into several languages and then run it through a cipher? Remembering the phrase won't help a person if they have to mentally translate it and cipher it every time they need to enter it. If you're going to memorize it as the output of the process, then there is no point in going to such lengths to create a password that appears random but has a meaningful source, when you could instead just memorize a password that has no meaningful source.



I have no chance of mentally remembering a random 20-40 character phrase and since work makes us change our passwords every 4 weeks (and you can't use the same password more than once a year) I had great motivation to find a way to remember them.

If you speak more than one language, translating a simple phrase you won't ever forget, like "A screaming comes across the sky", into two languages is easy to do in your head. A key cipher would take a couple minutes to do without a computer and a few seconds if you have a smartphone. You end up with a password that appears random that won't be forgotten because you can recreate it.
 
2013-10-09 09:46:26 PM

AbuHashish: Intrepid00: worlddan: It actually isn't that difficult to remember a long random string of letters and numbers. The trick is to do it slowly. For example, start with a six digit random password. Use that on a site you use frequently, like e-mail. Once you have that committed to memory, add one more random digit (making it seven digits). Change your old password to the new one. Keep using it until you have it perfectly memorized. Then add another digit to the password. In the course of a year one can easily work their way up to remembering a 20 digit random password that no dictionary attack in the world can crack. The key is doing it slowly and using the password every day (multiple times a day is even better).

BTW, those who are posting the Kxcd comic totally missed the point of the article. The tag line should now read "It doesn't matter what you do anymore, they can crack it." because that was the point of the article.

No, you missed the point. The point is you make it take longer so by the time they can you already changed it. You also make rainbow tables unattractive and in the incomplete 20 TB+ range.

A good method is to use a random, farked sentence with a mangle that is phonetic.

So, Zappa lyrics from "Joe's Garage" then?


ItlooksjustlikEateleFunKenu47?
 
2013-10-09 09:46:51 PM
Hunter2


/someone had to
 
Al!
2013-10-09 09:47:21 PM
Duh.  But corporate passwords are generally required to be stupid long, because some idiot somewhere thought that a 22 character password was safer than a 12 character password.  Therefore passwords like carmechanic76toen@il17 are required, even though it's really no more secure than @Ynda$*.  Don't get me started on having to create a new PW every 14 days...
 
2013-10-09 09:58:41 PM

Al!: Duh.  But corporate passwords are generally required to be stupid long, because some idiot somewhere thought that a 22 character password was safer than a 12 character password.  Therefore passwords like carmechanic76toen@il17 are required, even though it's really no more secure than @Ynda$*.  Don't get me started on having to create a new PW every 14 days...


ChangingPaswordsEvery14DaysIsRetarded-001
OnlyARetardChangesPasswordsEvery14Days-002
RetardsAreInChargeOfOurComputerSystem-003
 
2013-10-09 10:00:01 PM
Could somebody tell our management? Also let them know that having us change our 12-character minimum, no duplicate character, upper, lower, number, special characters, umlaut, and accented characters, with no patterns matching the last 256 passwords, changed every month is not really helping make our systems secure.

Since it's so hard for me to remember, I have my trusty sticky note with the password written out handy on the monitor to help me log in.
 
2013-10-09 10:04:04 PM

LesserEvil: Could somebody tell our management? Also let them know that having us change our 12-character minimum, no duplicate character, upper, lower, number, special characters, umlaut, and accented characters, with no patterns matching the last 256 passwords, changed every month is not really helping make our systems secure.

Since it's so hard for me to remember, I have my trusty sticky note with the password written out handy on the monitor to help me log in.


The last job I had we had to change the terminal password once a month. The hitch? We couldn't change it. It was changed by the corporate help desk without farking warning. So we'd show up for work one day and couldn't even sign in to clock in for work. We'd have to call the help desk (along with every other store) to get our new password.
 
2013-10-09 10:06:53 PM

worlddan: Hand Banana: Well yeah, using actual common phrases would be rather stupid.

The point of the article is that with enough computing power all phrases are common. This is because (1) hackers can devise rule sets faster than people can think of ways around them because (2) you only think your passphrase is random but it's really not, it follows rules. It has to follow rules because a human has to remember it and human memory follows rules.

As cute as the kxcd comic is, it is no longer true; it is wrong.


You don't understand the xkcd comic.  It's wrong only in the fact that 4 words is probably not enough, although it depends on what you're securing and what kind of attacker you want to protect against.

You randomly choose the password, using dice.  Then you come up with a story to remember it.  If you do it right, it's practically and theoretically impossible to break.  You can easily calculate the security of it, and it's easy to convince yourself of how easy they are to remember (just try it).

The main thrust of the article is that it's not necessarily good enough to have a long passphrase, if you use one that can be looked up somewhere or variants thereof.  That's it.

There was a quote from a guy that seemed to be saying that all passphrases are doomed, but he's either talking about a bad way to generate them, or he's wrong.
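The entropy arithmetic this post alludes to, worked through as an added example (not code from the Fark thread or from the Ars Technica article; the 7776-word Diceware list size, the 10^10 guesses-per-second rate for unsalted MD5 and the 100,000x work factor for a slow KDF are assumptions of this example). It shows why a passphrase's strength comes from how it was chosen rather than from its length, why a quotation lifted from a corpus contributes far fewer bits than its character count suggests, and how the same dice-chosen passphrase fares under the fast MD5 hashing discussed in the thread versus a deliberately slow KDF:

```python
# Added example; not from the Fark thread or the Ars Technica article it discusses.
# Word-list size, guess rate and KDF work factor below are labelled assumptions.
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5          # 7776 words: five dice rolls select one word
# Assumption: order-of-magnitude rate of one GPU rig against unsalted MD5.
ASSUMED_FAST_HASH_GUESSES_PER_SEC = 10 ** 10
# Assumption: a slow KDF costing roughly 100,000 hash computations per guess.
ASSUMED_KDF_WORK_FACTOR = 100_000


def dice_word_index(rolls):
    """Map five dice rolls (each 1-6) to a 0-based index into a 7776-word list."""
    if len(rolls) != 5 or any(not 1 <= r <= 6 for r in rolls):
        raise ValueError("need exactly five rolls in the range 1-6")
    index = 0
    for roll in rolls:
        index = index * 6 + (roll - 1)
    return index


def generate_passphrase(wordlist, n_words):
    """Pick n_words uniformly and independently from wordlist, using a CSPRNG
    as a stand-in for physical dice. Entropy is n_words * log2(len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def random_choice_entropy_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of n_words drawn uniformly and independently from list_size words."""
    return n_words * math.log2(list_size)


def corpus_phrase_entropy_bits(corpus_phrases):
    """A quotation drawn from corpus_phrases candidate phrases gives the attacker
    at most log2(corpus_phrases) bits, however long the phrase itself is."""
    return math.log2(corpus_phrases)


def seconds_to_exhaust(bits, guesses_per_sec):
    """Worst case for the attacker: time to try the whole keyspace of 2**bits guesses."""
    return 2.0 ** bits / guesses_per_sec


def crack_time_estimates(bits):
    """Exhaustive-search time in seconds under a fast unsalted hash and a slow KDF."""
    slow_rate = ASSUMED_FAST_HASH_GUESSES_PER_SEC / ASSUMED_KDF_WORK_FACTOR
    return {
        "fast_hash": seconds_to_exhaust(bits, ASSUMED_FAST_HASH_GUESSES_PER_SEC),
        "slow_kdf": seconds_to_exhaust(bits, slow_rate),
    }


if __name__ == "__main__":
    # Constructed toy word list so the script runs offline; a real list has 7776 entries.
    toy_list = ["correct", "horse", "battery", "staple", "zebra", "garage", "flintlock", "smurf"]
    print(f"sample from toy list ({random_choice_entropy_bits(4, len(toy_list)):.0f} bits only):",
          generate_passphrase(toy_list, 4))
    year = 365.25 * 24 * 3600
    for n in (4, 6):
        bits = random_choice_entropy_bits(n)
        est = crack_time_estimates(bits)
        print(f"{n} dice-chosen words: {bits:.1f} bits; "
              f"fast hash {est['fast_hash'] / year:.2g} years, "
              f"slow KDF {est['slow_kdf'] / year:.2g} years")
    # A line lifted from a corpus of a billion sentences is only ~30 bits, whatever its length.
    print(f"quotation from 1e9 candidate phrases: {corpus_phrase_entropy_bits(10 ** 9):.1f} bits")
```

Four dice-chosen words come to about 51.7 bits, which under the assumed unsalted-MD5 rate falls in days but under the slow KDF takes on the order of a thousand years; six words reach 77.5 bits and are out of reach under either. That is the calculation the post means by "easily calculate the security of it", and it is also why the MD5 detail raised earlier in the thread matters so much to the defender.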
 
2013-10-09 10:07:34 PM
Draw design on the keyboard, hold shift halfway through.
 
2013-10-09 10:09:03 PM
My company has an Excel template so that we can keep track of our passwords; we need to have it open because we have to change passwords on certain programs every 14 days. It's a pity they don't have any enforcement of us using Ctrl-Alt-Delete to lock our system, so you can often go to their computer and see all their passwords.
 
2013-10-09 10:09:12 PM

LesserEvil: Could somebody tell our management? Also let them know that having us change our 12-character minimum, no duplicate character, upper, lower, number, special characters, umlaut, and accented characters, with no patterns matching the last 256 passwords, changed every month is not really helping make our systems secure.

Since it's so hard for me to remember, I have my trusty sticky note with the password written out handy on the monitor to help me log in.


All the cool kids stick it under their keyboard so they don't get in trouble.
 
2013-10-09 10:09:15 PM
That's the password on my luggage.
 
2013-10-09 10:12:23 PM

Al!: Duh.  But corporate passwords are generally required to be stupid long, because some idiot somewhere thought that a 22 character password was safer than a 12 character password.  Therefore passwords like carmechanic76toen@il17 are required, even though it's really no more secure than @Ynda$*.  Don't get me started on having to create a new PW every 14 days...


Corporate passwords are generally never long because one application out of the 93 you use on a daily basis is still based on a 30 year old mainframe app that can't deal with password lengths of more than 8 characters.

/and requiring frequent password changes doesn't make the system any more secure - just the opposite because it encourages bad passwords and bad handling of said passwords
//can go on for hours on this subject
 
2013-10-09 10:13:44 PM

Carth: LesserEvil: Could somebody tell our management? Also let them know that having us change our 12-character minimum, no duplicate character, upper, lower, number, special characters, umlaut, and accented characters, with no patterns matching the last 256 passwords, changed every month is not really helping make our systems secure.

Since it's so hard for me to remember, I have my trusty sticky note with the password written out handy on the monitor to help me log in.

All the cool kids stick it under their keyboard so they don't get in trouble.


I telecommute from the local Starbucks, and my boss is halfway across the country. I'm good.

styckx: The last job I had we had to change the terminal password once a month. The hitch? We couldn't change it. It was changed by the corporate help desk without farking warning. So we'd show up for work one day and couldn't even sign in to clock in for work. We'd have to call the help desk (along with every other store) to get our new password.


That's messed up... our IT guys did something similar, changing ALL the service account (which we devs set up) passwords we were using for our network of web service apps, breaking every database update, dashboard and report our customers needed overnight. Took us days to get it straightened out.
 
2013-10-09 10:14:40 PM
my!mummyp00Psb4I_wakeup
 
2013-10-09 10:15:17 PM
Hey, why didn't that star out?  Am I the only one that can see my password?
 
2013-10-09 10:17:16 PM

Lsherm: Hand Banana: Well yeah, using actual common phrases would be rather stupid.

This is why I include misspellings and inane, made up phrases with spaces in incorrect places.

CoontFlow er and Pap aSmurf ate TielorSwift's ashoole


One of our old server admins was dyslexic. His passwords were astounding. The problem was he didn't realize he was misspelling anything.
 
2013-10-09 10:19:02 PM

MrHappyRotter: Hey, why didn't that star out?  Am I the only one that can see my password?


I sometimes make a comment when people are doing a virtual room, sharing their desktop, and they type in a password "hey, are we supposed to be able to read your password?"

I love the pause in typing while the gears grind in their head.
 
2013-10-09 10:25:14 PM
Article is just a plot to make us buy iPhones with biometric security that let us unlock our phones with only the touch of a nipple.
 
2013-10-09 10:29:40 PM
The IT folks at work stopped asking me for my password when they needed to get onto my computer to fix something after I started using their names in creative passphrases.  Let's just say, Jim doesn't like when I loudly proclaim in front of everybody that my password is Jimtakesitintheasslikeapro.
 
Displayed 50 of 128 comments

This thread is closed to new comments.