
(The Stack)   How to turn your terrible password into one that will take 13 nonillion years to crack - without really changing it   (thestack.com)
More: Interesting, password strength, data security, evergreens, Touch ID, computer clusters, management software

8245 clicks; posted to Geek on 19 Aug 2014 at 10:26 AM (23 weeks ago)



96 Comments
 
2014-08-19 08:13:25 AM  
correcthorsestaplerbattery.xkcd.jpg
 
2014-08-19 08:27:31 AM  
My job requires me to remotely log into various systems. Virtually all of them are admin/admin, admin/password, or root/root. If a nefarious person were to get into these, they could Shut. Down. Everythi
 
2014-08-19 08:35:41 AM  
Personal password sentinels such as 1Password [5], which offer locally-encrypted cross-platform solutions to password management and which do not store users' passwords on their own servers, have to contend with a user-base so technologically inept that 10% of them are still using 'password1'.

I really wish security mongers would stop farking that particular chicken.  The sites that are unimportant enough for me to use a weak password are the same sites that are unimportant enough for the developers to spend their time on things other than security.

Has nothing to do with technical ineptitude, just that I don't think it's that big of a problem if somebody takes my account on the free web site I use to rate public restrooms or whatever.  I'm not going to use the same super-secret password there that I do at my bank, and I'm sure as hell not going to remember a million of those things.

Looks great for the Russian Mafia to inflate their number of passwords stolen, though.  Yeah you're getting a real big score if you buy this one.  1.2 billion unique logins to things that didn't even need a login in the first place.
 
2014-08-19 08:40:24 AM  

PreMortem: My job requires me to remotely log into various systems. Virtually all of them are admin/admin, admin/password, or root/root. If a nefarious person were to get into these, they could Shut. Down. Everythi


That is a way bigger problem in the corporate world than I ever thought it would be growing up.  It's just hard to manage getting multiple people access to multiple machines, especially when they need to get on some firefight right away.
My favorite example was one of the customers at my old company, who sent our support team an RSA token that would allow them access to the customer's VPN.  There were multiple support guys working round the clock shifts, sometimes in different geographical locations, but customer's bureaucrats would only allow the one token.  So, one of our guys just put it on his desk and set up a web cam pointing at it, then gave everybody the URL.  Problem solved.
 
2014-08-19 08:57:12 AM  

PreMortem: My job requires me to remotely log into various systems. Virtually all of them are admin/admin, admin/password, or root/root. If a nefarious person were to get into these, they could Shut. Down. Everythi


I have a few passwords like that but they don't go into critical systems. The rest are 10-12 characters randomly generated and go into LastPass.
 
2014-08-19 09:12:53 AM  
Numbers are more susceptible to brute-force attack than letters, since they can refer to only 10 possible character spaces vs. 26 for alphabetic characters...

This is true, but only if the attacker knows that you're limited to numbers. If the attacker has no such knowledge, then they have a search space of 36 characters (or 62 if it's caps-sensitive, or more if symbols are included). Accordingly, the password "1111 1111 1111 1111" is very easy to remember, but significantly tougher to brute force than "as6G#vb1" (provided this is a remote attack, rather than someone watching over your shoulder).

There's one bank out there that has stringent password rules, requiring a capital letter, a number, and a non-alphanumeric character... but limiting your password to between 2 and 8 characters. That's just idiotic. In fact, by requiring all three character features, their rules actually reduce the search space compared to simply 8 characters with the option of capital letters, numbers, and non-alphanumeric characters.
 
2014-08-19 09:15:10 AM  

vudukungfu: correcthorsestaplerbattery.xkcd.jpg


It's "correct horse battery staple", but maybe you're just making it harder to guess by switching it up?
 
2014-08-19 09:15:13 AM  

Theaetetus: Numbers are more susceptible to brute-force attack than letters, since they can refer to only 10 possible character spaces vs. 26 for alphabetic characters...

This is true, but only if the attacker knows that you're limited to numbers. If the attacker has no such knowledge, then they have a search space of 36 characters (or 62 if it's caps-sensitive, or more if symbols are included). Accordingly, the password "1111 1111 1111 1111" is very easy to remember, but significantly tougher to brute force than "as6G#vb1" (provided this is a remote attack, rather than someone watching over your shoulder).

There's one bank out there that has stringent password rules, requiring a capital letter, a number, and a non-alphanumeric character... but limiting your password to between 2 and 8 characters. That's just idiotic. In fact, by requiring all three character features, their rules actually reduce the search space compared to simply 8 characters with the option of capital letters, numbers, and non-alphanumeric characters.


What he said.
And you would think that in the last 5 decades of computer science, they would figure that out.
Idiots.
 
2014-08-19 09:15:51 AM  

Donnchadha: vudukungfu: correcthorsestaplerbattery.xkcd.jpg

It's "correct horse battery staple", but maybe you're just making it harder to guess by switching it up?


gatdangit!
Now I gotta change it agin'
 
2014-08-19 09:17:20 AM  

Theaetetus: There's one bank out there that has stringent password rules, requiring a capital letter, a number, and a non-alphanumeric character... but limiting your password to between 2 and 8 characters. That's just idiotic. In fact, by requiring all three character features, their rules actually reduce the search space compared to simply 8 characters with the option of capital letters, numbers, and non-alphanumeric characters.


I'd like to see the password that satisfies all three conditions, but is only 2 characters long.

Unless you really meant "between" and an 8 character password is too long.
 
2014-08-19 09:21:54 AM  

Donnchadha: Theaetetus: There's one bank out there that has stringent password rules, requiring a capital letter, a number, and a non-alphanumeric character... but limiting your password to between 2 and 8 characters. That's just idiotic. In fact, by requiring all three character features, their rules actually reduce the search space compared to simply 8 characters with the option of capital letters, numbers, and non-alphanumeric characters.

I'd like to see the password that satisfies all three conditions, but is only 2 characters long.

Unless you really meant "between" and an 8 character password is too long.


Good point. I'm just going by what their password guidelines say.
 
2014-08-19 09:26:36 AM  

serial_crusher: Has nothing to do with technical ineptitude, just that I don't think it's that big of a problem if somebody takes my account on the free web site I use to rate public restrooms or whatever. I'm not going to use the same super-secret password there that I do at my bank, and I'm sure as hell not going to remember a million of those things.


This reminds me that the most stringent, complicated password requirements that I've yet to encounter anywhere online for "gotta have this/can't have that/etc." -- more so than banks, government sites, you name it -- was Consumer Reports. TOP SECRET blender ratings!!! HIGHLY CLASSIFIED vacuum cleaner evaluations!!! Sheesh.
 
2014-08-19 09:46:03 AM  
I try to use song lyrics from my childhood to strengthen my password.  Like "123456789101112" from that old Sesame Street song.  They'll never crack that one.
 
2014-08-19 09:50:58 AM  

Three Crooked Squirrels: I try to use song lyrics from my childhood to strengthen my password.  Like "123456789101112" from that old Sesame Street song.  They'll never crack that one.


Dammit, now I have to change the one on my luggage, too.
 
vpb [TotalFark]
2014-08-19 09:53:06 AM  
I just bought one of those USB keys.  Having to remember multiple passwords and remember to change them is unrealistic.  I think two factor security with a physical key is going to replace passwords.
 
2014-08-19 10:23:18 AM  
Keepass and 2 form factor. I don't even know my passwords.  Don't need to....of course, if the idiots running these apps get hacked, doesn't matter what your password is......

/there is no security
 
2014-08-19 10:33:42 AM  

Three Crooked Squirrels: I try to use song lyrics from my childhood to strengthen my password.  Like "123456789101112" from that old Sesame Street song.  They'll never crack that one.


daa daduh daduh da daa daduh daduh dada dun dah....
 
2014-08-19 10:33:49 AM  
The worst is "You must change your password every 90 days". Frequent changing of passwords actually reduces security, not improves it.
 
2014-08-19 10:35:56 AM  
This article is suggesting I remember something like an 18-digit number.

Ain't nobody got brains for that.
 
2014-08-19 10:45:14 AM  

Parallax: This article is suggesting I remember something like an 18-digit number.

Ain't nobody got brains for that.


0118999881999119725..... 3
 
2014-08-19 10:46:40 AM  

serial_crusher: There were multiple support guys working round the clock shifts, sometimes in different geographical locations, but customer's bureaucrats would only allow the one token.  So, one of our guys just put it on his desk and set up a web cam pointing at it, then gave everybody the URL.  Problem solved.


You solve this problem by creating a token by proxy.  You give the token to your NOC.  When the support personnel need access to a system they must call in and obtain the token.  The access is recorded and it's regularly reviewed.
 
2014-08-19 10:47:09 AM  
I translate my passwords into LOLcat
 
2014-08-19 10:48:00 AM  
Listen. I use nice complicated passwords for things that are actually important to me. Banking. Email. Anywhere that has credit card info. I also use different passwords for each of those. For everything else, I don't give a crap if I use the same password to log into the comment section at website A as I do at website B. The only thing that matters is that my throwaway, reusable password is nothing close to my passwords for things that I'd actually care about if they were broken into.
 
2014-08-19 10:48:28 AM  
Or take an event (or similar) and its date.. put it together and voila...

Something like

BangedSubbysMom19082014

I hate any password approach that makes it impossible to remember, and requiring a password for a password software is pretty counter-intuitive.
 
2014-08-19 10:49:37 AM  

Theaetetus: There's one bank out there that has stringent password rules, requiring a capital letter, a number, and a non-alphanumeric character... but limiting your password to between 2 and 8 characters.


Their backend system is a mainframe and they haven't updated RACF in a few years.   But I would still put the security of that system up against the vast majority of cloud based services created out of someone's garage.
 
2014-08-19 10:59:56 AM  

gingerjet: serial_crusher: There were multiple support guys working round the clock shifts, sometimes in different geographical locations, but customer's bureaucrats would only allow the one token.  So, one of our guys just put it on his desk and set up a web cam pointing at it, then gave everybody the URL.  Problem solved.

You solve this problem by creating a token by proxy.  You give the token to your NOC.  When the support personnel need access to a system they must call in and obtain the token.  The access is recorded and it's regularly reviewed.


Yeah, I'd love to see the aggregate cost of man hours spent each year reading digits off an RSA token over the phone.
"Yeah, it's 1 - 4 - 5 - 2 - 7 - 7- 3 - 9 - 0 - 3"
"Wait, wait, slow down.  I've got 1 - 4 - 5 - 2 - was that two 7s in a row, or just one?"
"Aw shiat, it just rotated.  The new number is..."
 
GBB
2014-08-19 11:01:28 AM  

imfallen_angel: Or take an event (or similar) and its date.. put it together and voila...

Something like

BangedSubbysMom19082014

I hate any password approach that makes it impossible to remember, and requiring a password for a password software is pretty counter-intuitive.


She was born in 1908, and this happened in 2014?
 
2014-08-19 11:01:42 AM  
My password is from a Mothers of Invention album.
 
2014-08-19 11:06:31 AM  

Theaetetus: There's one bank out there that has stringent password rules, requiring a capital letter, a number, and a non-alphanumeric character... but limiting your password to between 2 and 8 characters. That's just idiotic. In fact, by requiring all three character features, their rules actually reduce the search space compared to simply 8 characters with the option of capital letters, numbers, and non-alphanumeric characters.


Since the attacker wouldn't know where the capital letter, the number or the non-alphanumeric character is, wouldn't they still need to run all combinations?

/Ignoring tendencies to simply add a non-alphanumeric character to the end
 
2014-08-19 11:07:43 AM  

vudukungfu: Three Crooked Squirrels: I try to use song lyrics from my childhood to strengthen my password.  Like "123456789101112" from that old Sesame Street song.  They'll never crack that one.

Dammit, now I have to change the one on my luggage, too.


www.shadowlocked.com
 
2014-08-19 11:15:31 AM  

FoxKelfonne: For everything else, I don't give a crap if I use the same password to log into the comment section at website A as I do at website B.


This gets annoying when website C has a different idea of how strong a password should be, so that you have to throw in some numbers or punctuation. I'm never able to remember what I changed exactly in my password.
 
2014-08-19 11:17:41 AM  
'Sasquatch' takes long enough to type out on a touch screen, let alone 'Sasquatchsixtyninefouryou'
 
2014-08-19 11:18:35 AM  
to create passwords i just open up notepad, mash the keyboard, then change letters randomly to upper case, then write it down
 
2014-08-19 11:18:55 AM  

serial_crusher: It's just hard to manage getting multiple people access to multiple machines, especially when they need to get on some firefight right away.


I guess I'm too old skool or something, but the notion that people *share* logins makes my head hurt.  Not setting up individual, auditable, limited-to-what-your-role-needs access is at _best_ lazy, and, typically, *horrible*/ignorant management.  But, noooooo, I'm the weirdo who wants everyone to have more ass pain, apparently.

Also overlooked (at least in thread; who has time to rtfa?) is the notion that there are different reasons for passwords.  If you're logging into something remote / publicly accessible, then creating something long and complex *and writing it down* somewhere secure is better than password1 "cuz anything else is hard to remember."  If you're concerned about securing a machine against physical access, something simple, memorable, and not easily caught over-the-shoulder is probably a good idea... then again, a machine (if unencrypted) is pretty much insecure to anyone with physical access, if they have enough time.  And, yeah, "change your password every 90 days" is stupid, but without requiring that, admins need to do more monitoring, so it's an oft-employed easy cop out that winds up being counterproductive.
 
2014-08-19 11:31:21 AM  

Donnchadha: Parallax: This article is suggesting I remember something like an 18-digit number.

Ain't nobody got brains for that.

0118999881999119725..... 3


Dammit. Now I've got that song stuck in my head.
 
2014-08-19 11:35:41 AM  

SFSailor: serial_crusher: It's just hard to manage getting multiple people access to multiple machines, especially when they need to get on some firefight right away.

I guess I'm too old skool or something, but the notion that people *share* logins makes my head hurt.  Not setting up individual, auditable, limited-to-what-your-role-needs access is at _best_ lazy, and, typically, *horrible*/ignorant management.  But, noooooo, I'm the weirdo who wants everyone to have more ass pain, apparently.


The problem is the hours and hours of bickering over whether or not your role needs access to a particular thing or not.  Can really grind progress to a halt when the only guy who knows how to troubleshoot an app doesn't have access to the log files that the guy filing the ticket neglected to include.  Now it's 2:00AM and the night shift IT guy won't give you access until your manager signs off.
It straddles the line between "horrible/ignorant management" and "the management you see at every company with more than 20 employees"

Also in the case of the app I work on (which isn't necessarily a good example), the app itself runs as a particular user (same user on every machine).  There are a few manual cleanup tasks on occasion when things go horribly wrong, and those tasks require that you be running as the same user as the app, lest Windows fark you over with file permission nightmares.  The password for that account is like 32 random characters though.  (everybody has a copy of it flagged in their email box though)
 
2014-08-19 11:37:08 AM  

DerAppie: Theaetetus: There's one bank out there that has stringent password rules, requiring a capital letter, a number, and a non-alphanumeric character... but limiting your password to between 2 and 8 characters. That's just idiotic. In fact, by requiring all three character features, their rules actually reduce the search space compared to simply 8 characters with the option of capital letters, numbers, and non-alphanumeric characters.

Since the attacker wouldn't know where the capital letter, the number or the non-alphanumeric character is, wouldn't they still need to run all combinations?


Yes, but since you couldn't have, say, all capital letters or all numbers, then the search space would be 72^5*26*10*10 (assuming 10 possible non-alphanumerics), rather than 72^8... a 99.3% reduction.
 
2014-08-19 11:49:00 AM  
Stop limiting me to a certain number of characters and I will put in a password that likely won't be cracked. Tried to buy something last night and I had to go through 4 different log in pages all with apologies.
 
2014-08-19 11:52:22 AM  
FTA: 'GoodLuckGuessingThisPassword'.  --  Additionally the capital letters at the start of each English word act as a delimiter as obvious to a hacker as the 'space' character which most password criteria ban.

If a hacker steals a file of password hashes, they can look at the hashes and say "there's a capital letter in the first, fifth, ninth, seventeenth and twenty-first positions of this 28-character-long password'?  I thought, and I'm not a security expert, that password encryption removes the ability to see what's in any particular position in a password string.  What am I not understanding?
 
2014-08-19 11:53:39 AM  
For all you web developers out there, let me tell you what I hate even more than length restrictions or "no-whitespace" rules - restricting copy/pasta. If you want me to have a good password, let me copy it in from a password manager. If I have to actually type it, it's probably going to suck.
 
2014-08-19 11:55:32 AM  

vudukungfu: correcthorsestaplerbattery.xkcd.jpg


Let's get it right:

imgs.xkcd.com
 
2014-08-19 11:57:56 AM  
I hate when "security" websites mention that a password will take 70 bazillion years to brute-force. It is called brute-force because it is dumb and eventually works. Password crackers have gotten very smart. I used to think that a good password wasn't that hard to come up with until I read this Ars article. From the second page:

Using techniques described in this article, the following passphrases were all deciphered:
!)@(#*$&%^Test123
!@#$%^&*()_+lisa
!@#wasdqweszxc
!rightchoice!!
!tryagainfarkoff
#1modernstuff
$current_keyword
&?"'(-?_??qwerty
"frequency modulation"
(dontlookbackinanger)
********fadhilah
********noorhisam
********pengawal
********zulkhairi
*tecno9654postgres
,fnfhtqrf_ijrjkflrf
...........bentong
..........0008000
.36987410svetlana
/,infra18postgres
00009999@4!@#$%@
04.03.2011annalena
0708JonasCharlie
078KFW78bandrew
090798Elite159753
091192-090392
0987POIUqwerasdf
1 2 3 4 5 6 HACK
10009!@#robben!@#
100200123@4!@#$%@


Some of those clearly follow some patterns but they meet typical password strength requirements. The full list even has passphrases that were cracked. It seems that if your password is memorable in any way, it will be cracked.
 
2014-08-19 11:59:36 AM  

RickN99: FTA: 'GoodLuckGuessingThisPassword'.  --  Additionally the capital letters at the start of each English word act as a delimiter as obvious to a hacker as the 'space' character which most password criteria ban.

If a hacker steals a file of password hashes, they can look at the hashes and say "there's a capital letter in the first, fifth, ninth, seventeenth and twenty-first positions of this 28-character-long password'?  I thought, and I'm not a security expert, that password encryption removes the ability to see what's in any particular position in a password string.  What am I not understanding?


That it's impossible to read hashes that way nowadays.
 
2014-08-19 12:01:11 PM  
You could get pretty tough passwords by just using easy phrases - and leaving out one character, or leaving out characters in a pattern...

e hold these truths to be self evident

W hold ths truths to b slf vident

Or even just using a common phrase and leaving out a word or two:

You can't always get what
 
2014-08-19 12:01:20 PM  

RickN99: FTA: 'GoodLuckGuessingThisPassword'.  --  Additionally the capital letters at the start of each English word act as a delimiter as obvious to a hacker as the 'space' character which most password criteria ban.

If a hacker steals a file of password hashes, they can look at the hashes and say "there's a capital letter in the first, fifth, ninth, seventeenth and twenty-first positions of this 28-character-long password'?  I thought, and I'm not a security expert, that password encryption removes the ability to see what's in any particular position in a password string.  What am I not understanding?


What that means is that if "goodluckguessingthispassword" and "good luck guessing this password" don't work, "GoodLuckGuessingThisPassword" is the next obvious choice.
 
2014-08-19 12:05:15 PM  

Tobin_Lam: What that means is that if "goodluckguessingthispassword" and "good luck guessing this password" don't work, "GoodLuckGuessingThisPassword" is the next obvious choice.


Would I be wrong in saying that the key is that only you would be able to remember the password because it's something you'd remember pretty easily but even the most sophisticated of hackers/crackers would find it very hard to crack?
 
2014-08-19 12:06:34 PM  

Theaetetus: DerAppie: Theaetetus: There's one bank out there that has stringent password rules, requiring a capital letter, a number, and a non-alphanumeric character... but limiting your password to between 2 and 8 characters. That's just idiotic. In fact, by requiring all three character features, their rules actually reduce the search space compared to simply 8 characters with the option of capital letters, numbers, and non-alphanumeric characters.

Since the attacker wouldn't know where the capital letter, the number or the non-alphanumeric character is, wouldn't they still need to run all combinations?

Yes, but since you couldn't have, say, all capital letters or all numbers, then the search space would be 72^5*26*10*10 (assuming 10 possible non-alphanumerics), rather than 72^8... a 99.3% reduction.


I got that there were fewer possible combinations.

I just didn't immediately make the connection that an algorithm could easily be constructed to skip combinations which didn't have at least one of each required characters.
 
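The search-space arithmetic in Theaetetus' comment above, and DerAppie's observation that an enumeration can skip strings lacking a required character class, can be worked out exactly: the number of 8-character strings over the 72-character alphabet that contain at least one upper-case letter, one digit and one symbol is an inclusion-exclusion sum. The Python below is an added example, not code from the thread or the article; the 10-symbol set is a constructed stand-in for "10 possible non-alphanumerics", the function names are mine, and the brute-force cross-check on a tiny alphabet goes beyond the thread's single case.

```python
from itertools import combinations, product
import string

# Character classes for the policy discussed in the thread: 26 upper, 26 lower,
# 10 digits and 10 symbols, a 72-character alphabet. The symbol set is a
# constructed stand-in for "10 possible non-alphanumerics" (hypothetical).
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()",
}
REQUIRED = ("upper", "digit", "symbol")


def policy_space(length, classes=CLASSES, required=REQUIRED):
    """Exact number of strings of `length` over the union of `classes` that
    contain at least one character from every class in `required`.

    Inclusion-exclusion: for each subset M of the required classes, count the
    strings that avoid every class in M (the alphabet shrinks by M's size)
    and add or subtract that count according to the parity of |M|.
    """
    alphabet = sum(len(chars) for chars in classes.values())
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            size = alphabet - sum(len(classes[c]) for c in missing)
            total += (-1) ** k * size ** length
    return total


def brute_force_space(length, classes, required):
    """Enumerate every string and test the policy directly. Feasible only for
    tiny alphabets; used to cross-check policy_space."""
    alphabet = "".join(classes.values())
    return sum(
        1
        for pw in product(alphabet, repeat=length)
        if all(any(ch in classes[c] for ch in pw) for c in required)
    )


def fixed_position_estimate(length, classes=CLASSES, required=REQUIRED):
    """The thread's 72^5 * 26 * 10 * 10 style figure: one slot reserved per
    required class, the remaining slots free. It counts only strings with the
    required characters in fixed positions, so it is a lower bound on
    policy_space, not the size of the constrained space."""
    alphabet = sum(len(chars) for chars in classes.values())
    estimate = alphabet ** (length - len(required))
    for c in required:
        estimate *= len(classes[c])
    return estimate


def reduction_percent(length, classes=CLASSES, required=REQUIRED):
    """How much smaller the policy-constrained space is than the unconstrained
    one, as a percentage of the unconstrained space."""
    alphabet = sum(len(chars) for chars in classes.values())
    unconstrained = alphabet ** length
    constrained = policy_space(length, classes, required)
    return 100.0 * (unconstrained - constrained) / unconstrained


if __name__ == "__main__":
    print(f"unconstrained 72^8      : {72 ** 8:,}")
    print(f"policy-constrained exact: {policy_space(8):,}")
    print(f"fixed-position estimate : {fixed_position_estimate(8):,}")
    print(f"reduction from policy   : {reduction_percent(8):.1f}%")
```

Run as a script it prints the four figures for the 8-character, 72-symbol case; the exact constrained count is well above the fixed-position estimate but still only about 45% of the unconstrained space.
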
2014-08-19 12:06:52 PM  
I use passphrases any time I get to choose and yes, systems that require me to use numbers, upper and lower case, plus special characters piss me off.

My passphrases are comprised of made up words, munged real words, or representations of non-verbal utterances.  Example: sbLatsmargelPhltpttingly
 
2014-08-19 12:11:59 PM  

SansNeural: I use passphrases any time I get to choose and yes, systems that require me to use numbers, upper and lower case, plus special characters piss me off.

My passphrases are comprised of made up words, munged real words, or representations of non-verbal utterances.  Example: sbLatsmargelPhltpttingly


Honestly, I don't even see why that's necessary. 'Bob ate 5 muffins at Panera Bread!' is a passphrase that no one is going to reverse anytime soon. You can follow it up with a phrase outlining Bob's upcoming stint at the hospital.
 
2014-08-19 12:16:43 PM  

Rwa2play: Tobin_Lam: What that means is that if "goodluckguessingthispassword" and "good luck guessing this password" don't work, "GoodLuckGuessingThisPassword" is the next obvious choice.

Would I be wrong in saying that the key is that only you would be able to remember the password because it's something you'd remember pretty easily but even the most sophisticated of hackers/crackers would find it very hard to crack?


It depends on the nature of what you are remembering, I guess. Common phrases and sentences are out. If you can find it in a book, don't use it. If it was the most retarded YouTube comment you've ever seen, don't use it. Keyboard patterns are out, no matter how clever you think it is. ,fnfhtqrf_ijrjkflrf is just two words converted from Russian. Best case is likely something randomly created that you find particularly memorable for some reason.
 
Displayed 50 of 96 comments

This thread is closed to new comments.