(Some Guy) Passwords: why "This Is Fun" is 10x safer than "J4fS2" (baekdal.com)
More: Interesting, common words, passwords

12550 clicks; posted to Geek » on 22 Apr 2011 at 2:03 PM (7 years ago)



150 Comments
 



 
2011-04-22 11:43:42 AM  
I'm not an IT wonk, but I'm just wondering: What percentage of passwords are permitted to have spaces?
 
2011-04-22 11:53:16 AM  

dahmers love zombie: I'm not an IT wonk, but I'm just wondering: What percentage of passwords are permitted to have spaces?


From his FAQ: Q: Many websites do not allow spaces in passwords, what then?

A: True, but again that is a server problem, not a user problem. Fix the damn server!

The guy has a point.

This is an argument I've been having with IT for ages. Our system requires a certain level of complexity, and they force us to change every 6 months. End result: most people write their passwords down somewhere. *facepalm*
 
2011-04-22 12:12:44 PM  
I don't know of any websites that don't allow spaces in passwords. But, yeah, passphrases are better than passwords up to a point.

The ideas about using passwords that look like line noise come from the days when eight characters were all you got. Unfortunately, there's still plenty of systems out there using unix crypt, so those days aren't really behind us, and it doesn't matter how good a password "alaskan grizzly mcdonalds judas priest" is if all the server is storing is "alaskan ". And if your passphrase is as easy to remember as this guy is harping about... realistically, it's probably not much more secure from the people most likely to actually be poking at your password than your old eight-character password that was the name of your cat was.
 
2011-04-22 12:50:23 PM  
So I choose a strong password, but then the system makes me choose a very weak password reminder.
 
2011-04-22 01:00:04 PM  
So, change my passwords to "This Is Fun"?

Got it.

Done.
 
2011-04-22 02:12:19 PM  
This is Fun may be a great password. However, no one will ever guess my password, hunter2. Nobody.

See, it even appears as asterisks when I type it.
 
2011-04-22 02:12:54 PM  

A Dark Evil Omen: I don't know of any websites that don't allow spaces in passwords. But, yeah, passphrases are better than passwords up to a point.

The ideas about using passwords that look like line noise come from the days when eight characters were all you got. Unfortunately, there's still plenty of systems out there using unix crypt, so those days aren't really behind us, and it doesn't matter how good a password "alaskan grizzly mcdonalds judas priest" is if all the server is storing is "alaskan ". And if your passphrase is as easy to remember as this guy is harping about... realistically, it's probably not much more secure from the people most likely to actually be poking at your password than your old eight-character password that was the name of your cat was.


I would think Microsoft's crap .NET default crypt function would be a bit more prevalent.

And win xp has and will always be vulnerable thanks to LANman.

Still, pass phrases are the bee's knees

/and never set the answer to a password hint to something honest
 
2011-04-22 02:14:35 PM  
Link (new window)
 
2011-04-22 02:17:51 PM  
pass phrases are significantly better than passwords.

Our IT people require us to have 4 accounts (Microsoft, UNIX, Oracle and VPN). UNIX, Oracle, and VPN passwords must be 8 characters, with 2 upper, 2 lower, 2 number, and 2 special characters. Microsoft passwords must be 14 characters, 2 upper, 2 lower, 2 number, and 2 special. Passwords must be changed every 90 days, and cannot be a password you have used before. Plus you must have your ID card inserted in your computer and your PIN number entered.

Really the only way to remember any of this is to memorize them once, have the last digit be a letter or number and increment every time you change your password. I don't know anyone who doesn't have theirs written down somewhere.
 
2011-04-22 02:19:05 PM  
Misleading info. How many sites today allow more than a few login attempts before requiring Captcha verification or simply forcing 60-second delays between password attempts? Of the ones which do not have these security measures in place, how many could accept 100 logins per second from a single IP? How long could that go on before the security suite scanning the Apache logs throws a flag to the admin? You are parsing your logs, right? Why are you even running a site, you jack-off?

The kind of attacks we're talking about are only really feasible if the attacker obtains some kind of seed reflecting the value of your password (hash, etc.). That assumption throws these time frames out the window, though, because comparing 100 permutations per second against a known hash is laughable... any modern desktop could do thousands or tens of thousands per second. Distribute the workload over several workstations, and there's no such thing as a secure password.

Meh...
 
2011-04-22 02:20:51 PM  
I'd be all for a pass phrase, though then instead of dictionary attacks, you have common phrase attacks (e.g. slogans, song titles, popular quotes). The way, of course, to get around this is to require punctuation and mixed case...

it's not News
Its not news!
its not News?
etc
 
2011-04-22 02:26:49 PM  
Blizzard is quietly solving the password problem by giving away core-hound pups.
 
2011-04-22 02:27:54 PM  

EvilEgg: So I choose a strong password, but then the system makes me choose a very weak password reminder.


Yeah, what was the name of your first pet? "durr <common pet name>." Oh my real name is in my profile, my security question was "what is your mother's maiden name?" This person said they grew up in city X, their security question was "what was your high school mascot?"

Idiots!
 
2011-04-22 02:30:24 PM  
There are two big questions about passwords: one is the probability of cracking the password and two is the risk once it is cracked.

The probability of a password being cracked is determined by the number of guesses it takes to get the right password. The risk, on the other hand, depends on the damage that might occur if the password is violated. The risk may vary greatly--the password may be protecting little of value or it may be protecting national security.

A simple password is adequate if the likelihood of anybody profiting or being harmed by a violation is very small.

The time it takes a password to be cracked, like the time it takes a code to be cracked, should be proportionate to the time that the content needs to remain secure.

For example, many of the documents that I have seen are classified Top Secret or Secret although there is nothing truly secret about their contents: they are classified because they are drafts. When they cease to be drafts, they are declassified (we hope). An example is Memoranda to Cabinet. It might do some political harm, or even real harm, if cabinet documents are published in the media before they are finalized. The wrong numbers, wrong information and wrong actions might be in an early draft, but removed well before the draft is finalized. It might be of value to know how a decision was reached rather than what decision was reached, and if a lot of drafts fall into the "wrong hands", this can be determined. It could be embarrassing, even when the most competent and informed people are involved, because there will be arguments and often foolish politics or politically incorrect side notes.

Thus, time is an important factor in security as well as risk and probability.

It is difficult to determine for each user and each document the real level of security needed, so things are systematically over-classified, and passwords, which are not really understood, even by many security personnel, IT personnel and management personnel, tend to be wrong-sized for the job systematically.

This was an interesting article, though, and I might consider changing some of my passwords to make them easier to remember and harder to crack.

I try to do this anyway, but choosing a password in context.

One trick I find easy is to use a sentence (or a line of poetry) as the basis of the password. My best passwords contain a spelling or typing mistake as well. Even if you knew which line of poetry I used, you would still have to find the mistake, which makes the password several hundred times more difficult to crack by brute force.

Mistakes can be your friends!
 
2011-04-22 02:33:19 PM  

Meat's dream: Blizzard is quietly solving the password problem by giving away core-hound pups.


Had a person still get hacked with the authenticator. In fact, the authenticator ended up working against them after they were successfully hacked. Apparently those things aren't quite as advanced and unpredictable as some might think. I quit posting on their forum back when the RealID bs came out, but can people expose their email addresses in their profile? Like, the same email address you now log in with?
 
2011-04-22 02:34:21 PM  

MusicMakeMyHeadPound: /and never set the answer to a password hint to something honest


No shiat!

Name of your first dog. First street you lived on. Mother's maiden name.

Are you farking serious?

This is why I can never remember the answers to password hints though.

Also, it pisses me off that so many companies demand you use the last 4 digits of your SSN to identify yourself.

The first 5 digits are easy enough to guess if you know approximately when and where someone was born, so they expect you to just give up the last 4 to some flunky answering the phone so you can tell them that the cable TV went out in your house.

Great! I live in fear that some imposter will report the cable is out in my house when it's really not.
 
2011-04-22 02:36:04 PM  
[image: blog.candy.com]


/made me think of this
 
2011-04-22 02:36:43 PM  
use a very long phrase like Tobeornottobe123 or Ilikeicecream456. It uses both letters and numbers, fits almost all online password rules, is extremely secure and is easy to remember.
 
2011-04-22 02:38:15 PM  
The safest password is one that you absolutely can not remember.

I think I'll call that Brantgoose's Law of Passwords.
 
2011-04-22 02:40:07 PM  

brantgoose: The safest password is one that you absolutely can not remember.

I think I'll call that Brantgoose's Law of Passwords.


My e-mail is so secure that even I can't access it.
 
2011-04-22 02:47:15 PM  

Schrodinger's Petting Zoo: brantgoose: The safest password is one that you absolutely can not remember.

I think I'll call that Brantgoose's Law of Passwords.

My e-mail is so secure that even I can't access it.


And I just sent you BIE.

Sucks to be you.
 
2011-04-22 02:49:23 PM  
FTA:the only thing that stops a brute force attack is higher complexity and longer passwords

Invalid attempt counters and account lockouts work very well against brute force attacks.

I'm tired of password complexity requirements increasing while 3 attempts seems to be written in stone from on high. If my password is 14 characters long and requires a few uppers a few lowers a few numbers and a few symbols expires every 30 days and can not be a repeat of the last 6 passwords then for God's sake you're going to have to give me more than 3 tries.

For crap's sake when I started at University passwords only needed to be 6 letters and you got 3 attempts.

/I had to learn ordinary generating Functions to figure out how many possible combinations of passwords are possible at work.
//Oh and the minimum requirements (at least 3 symbols 4 numbers etc) actually decrease the amount of passwords.
//Still only gonna get 3 GD attempts!
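Putting the lockout point made by maxximillian (and wmoonfox's earlier remark about forced delays between attempts) into working code, as an added example that is not part of the thread or the linked article: a per-account invalid-attempt counter with a lockout window, plus a simulation of how many guesses an online attacker actually gets evaluated through it in a day, set against the unthrottled 100-guesses-per-second rate the article assumed. The `LoginThrottle` name and the 3-attempt / 10-minute parameters are assumptions chosen for the illustration; the clock is an integer number of seconds passed in by the caller so the run needs no sleeping.

```python
import math
from collections import defaultdict

# Constructed example; parameters are illustrative, not from the article.
DEFAULT_MAX_FAILURES = 3
DEFAULT_LOCKOUT_SECONDS = 600


class LoginThrottle:
    """Consecutive-failure counter with a lockout window per account.

    While an account is locked every attempt is rejected, including one with
    the right password, so the attacker cannot learn anything from a locked
    account; the user waits out the window and gets a fresh set of attempts.
    """

    def __init__(self, max_failures=DEFAULT_MAX_FAILURES,
                 lockout_seconds=DEFAULT_LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(int)  # account -> consecutive failures
        self._locked_until = {}            # account -> time the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lock has expired: clear it and reset the failure counter.
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def attempt(self, account, password_ok, now):
        """Record one login attempt; returns 'locked', 'ok' or 'bad'."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures[account] = 0
            return "ok"
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
        return "bad"


def max_online_guesses(seconds, max_failures=DEFAULT_MAX_FAILURES,
                       lockout_seconds=DEFAULT_LOCKOUT_SECONDS):
    """Upper bound on guesses the server will evaluate for one account in
    `seconds`: each lockout window started yields at most max_failures."""
    return max_failures * math.ceil(seconds / lockout_seconds)


def unthrottled_guesses(seconds, rate=100):
    """Guesses at the article's 100-per-second rate with no lockout at all."""
    return seconds * rate


def simulate_online_guessing(total_seconds, max_failures=DEFAULT_MAX_FAILURES,
                             lockout_seconds=DEFAULT_LOCKOUT_SECONDS):
    """Attacker submits one wrong guess per second against a single account;
    returns how many of those guesses the server actually evaluated."""
    throttle = LoginThrottle(max_failures, lockout_seconds)
    evaluated = 0
    for now in range(total_seconds):
        if throttle.attempt("victim", False, now) == "bad":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    day = 86400
    print(f"bound:       {max_online_guesses(day):>10,d} guesses/day")
    print(f"simulated:   {simulate_online_guessing(day):>10,d} guesses/day")
    print(f"unthrottled: {unthrottled_guesses(day):>10,d} guesses/day")
```

The bound only covers guesses submitted to the live login endpoint. A copy of the password database is not slowed by any of this, which is the distinction the thread comes back to further down.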
 
2011-04-22 02:54:02 PM  

wmoonfox: Misleading info. ...

Meh...


You do realize that the article addressed every point you just made, right?
 
2011-04-22 02:57:04 PM  

jonny_q: You do realize that the article addressed every point you just made, right?


No. I kinda skimmed it after the author mentioned making 100 password attempts per second against a remote server. I have little patience for BS. Sorry if my info was redundant.
 
2011-04-22 02:58:21 PM  
What about a passphrase in l33t5p34k?
I suppose leetspeak isn't something one can expect of the typical user.
 
2011-04-22 02:58:36 PM  

TheBlackrose: This is Fun may be a great password. However, no one will ever guess my password, hunter2. Nobody.

See, it even appears as asterisks when I type it.


Dude, you farked up, you have to hit Ctrl+F12 just prior to the password...watch this: My password is ************.

See?
 
2011-04-22 02:58:55 PM  

maxximillian: FTA:the only thing that stops a brute force attack is higher complexity and longer passwords

Invalid attempt counters and account lockouts work very well against brute force attacks.

I'm tired of password complexity requirements increasing while 3 attempts seems to be written in stone from on high. If my password is 14 characters long and requires a few uppers a few lowers a few numbers and a few symbols expires every 30 days and can not be a repeat of the last 6 passwords then for God's sake you're going to have to give me more than 3 tries.

For crap's sake when I started at University passwords only needed to be 6 letters and you got 3 attempts.

/I had to learn ordinary generating Functions to figure out how many possible combinations of passwords are possible at work.
//Oh and the minimum requirements (at least 3 symbols 4 numbers etc) actually decrease the amount of passwords.
//Still only gonna get 3 GD attempts!


They only work so long as the brute force is done against the login rather than the actual password file that the hackers scuttled off with last month when they found a user to piggyback their way in with.

This is why rotating passwords are 'good security', the threat that someone is brute-forcing your system's password database. The idea is by the time the brute force finds the match they need the rotation has kicked in and it's not the same anymore.

/Phrases do rock and I use them when possible, screw spaces
 
2011-04-22 02:59:03 PM  

Grables'Daughter: bosco.jpg


[image: images.wikia.com]
 
2011-04-22 02:59:06 PM  
We're required to change our server access passwords every three months. But the only time any of us are disconnected from the server is when our PC crashes. After you reboot, you have to log back in. The rest of the time, all our computers are sitting there connected to the server, so that anybody who wanted to could go in and delete everything!
 
2011-04-22 02:59:11 PM  
Is this one safe? (new window)
 
2011-04-22 02:59:34 PM  

Happy Hours: MusicMakeMyHeadPound: /and never set the answer to a password hint to something honest

No shiat!

Name of your first dog. First street you lived on. Mother's maiden name.


Mother's maiden name is especially useless in the era of Facebook, where every woman publicly displays her maiden name so that her old high school friends can more easily find her. If you've friended your mother on Facebook, that question is pretty much out the window. Even prior to Facebook it was a pretty useless security question for many people of Hispanic origin. ("Mr. Cortez-Diaz, could you please give us your mother's maiden name?")
 
2011-04-22 03:03:43 PM  

jibjabjobu: I'd be all for a pass phrase, though then instead of dictionary attacks, you have common phrase attacks (e.g. slogans, song titles, popular quotes). The way, of course, to get around this is to require punctuation and mixed case...

it's not News
Its not news!
its not News?
etc


I usually also throw some leetspeak into a semi-obscure phrase to meet the requirement that the password has a number in it.

For example: TheW1bblyLever!
 
2011-04-22 03:06:20 PM  
What makes the "space" key so special again? Isn't the space just another character/symbol? So it would be like adding another letter to the alphabet.

Or am I missing something?

This1is1equally1safe

This is equally safe
 
2011-04-22 03:08:51 PM  
Having password requirements can actually hurt security. If I'm trying to crack an account, knowing the format that the password must take limits the number of possibilities that I must try.
 
2011-04-22 03:09:22 PM  

RedbeardUH: What makes the "space" key so special again? Isn't the space just another character/symbol? So it would be like adding another letter to the alphabet.

Or am I missing something?

This1is1equally1safe

This is equally safe



Adding another character to the source increases the number of permutations by an order of magnitude. That said, any decent cracker has been including spaces in its source for years, so, no it really doesn't make it any "safer".
 
2011-04-22 03:11:17 PM  

RedbeardUH: What makes the "space" key so special again? Isn't the space just another character/symbol? So it would be like adding another letter to the alphabet.

Or am I missing something?

This1is1equally1safe

This is equally safe


They're problematic with lazy programming where things are stored in formats where spaces define the stop of one value and the start of the next. That's pretty much it.
 
2011-04-22 03:14:10 PM  

MostNutsEver: Grables'Daughter: bosco.jpg


I was hoping someone would get it!
 
2011-04-22 03:16:39 PM  

Genju: Meat's dream: Blizzard is quietly solving the password problem by giving away core-hound pups.

Had a person still get hacked with the authenticator. In fact, the authenticator ended up working against them after they were successfully hacked. Apparently those things aren't quite as advanced and unpredictable as some might think. I quit posting on their forum back when the RealID bs came out, but can people expose their email addresses in their profile? Like, the same email address you now log in with?


I'm going to call BS on this. Blizzard is using an RSA key for their authenticator. There has yet to be a good hack for it, and if someone were to do so, there are better things they could access by knowing how to do it.

That said, Blizzard has a few other weaknesses that hackers have exploited and allow people to gain access to players' accounts. The authenticator can't protect against these.
 
2011-04-22 03:18:06 PM  

frestcrallen: Is this one safe? (new window)


I'm sorry but our passwords are required to have at least one capital letter and one character.
 
2011-04-22 03:18:38 PM  
Wait. Why is a space different from all other characters in that it exponentially increases the search time?
 
2011-04-22 03:21:12 PM  

EvilEgg: So I choose a strong password, but then the system makes me choose a very weak password reminder.


That shiat kills me.

What street did you live on when you were a kid?
What high school did you go to?
What is your father's name?

All that shiat is public domain. Anyone can look it up. Anyone with $30 can look up all sorts of things about you that many think are private.
 
2011-04-22 03:25:03 PM  

SJKebab: End result: most people write their passwords down somewhere.


The password is "PENCIL".

/Last week was "APPLE"
 
2011-04-22 03:30:22 PM  

jigger: All that shiat is public domain. Anyone can look it up. Anyone with $30 can look up all sorts of things about you that many think are private.


They let us write our own questions. When I have to call the help desk and get a password reset I'm always surprised by the questions they ask me; they are highly personal, highly subjective, and I respond almost instantaneously with a tinge of astonishment in my voice... even though I wrote the questions.


/..."Annie Sprinkle!!" [blush]
 
2011-04-22 03:31:26 PM  

wbgraphic: SJKebab: End result: most people write their passwords down somewhere.

The password is "PENCIL".

/Last week was "APPLE"

The current password is Pencil
The previous password was Double

/Obscure?
 
2011-04-22 03:31:36 PM  

palan: Genju: Meat's dream: Blizzard is quietly solving the password problem by giving away core-hound pups.

Had a person still get hacked with the authenticator. In fact, the authenticator ended up working against them after they were successfully hacked. Apparently those things aren't quite as advanced and unpredictable as some might think. I quit posting on their forum back when the RealID bs came out, but can people expose their email addresses in their profile? Like, the same email address you now log in with?

I'm going to call BS on this. Blizzard is using an RSA key for their authenticator. There has yet to be a good hack for it, and if someone were to do so, there are better things they could access by knowing how to do it.

That said, Blizzard has a few other weaknesses that hackers have exploited and allow people to gain access to players' accounts. The authenticator can't protect against these.


Then perhaps that is how they did it to the guildie. All I know is, he for some reason had a harder time than previously proving the account was actually his. I'll assume their authenticators don't use any kind of shared modulus?
 
2011-04-22 03:34:28 PM  

palan: Genju: Meat's dream: Blizzard is quietly solving the password problem by giving away core-hound pups.

Had a person still get hacked with the authenticator. In fact, the authenticator ended up working against them after they were successfully hacked. Apparently those things aren't quite as advanced and unpredictable as some might think. I quit posting on their forum back when the RealID bs came out, but can people expose their email addresses in their profile? Like, the same email address you now log in with?

I'm going to call BS on this. Blizzard is using an RSA key for their authenticator. There has yet to be a good hack for it, and if someone were to do so, there are better things they could access by knowing how to do it.

That said, Blizzard has a few other weaknesses that hackers have exploited and allow people to gain access to players' accounts. The authenticator can't protect against these.


Either way, there's no doubt the percentage of hacked accounts drops dramatically with an authenticator. It's a great system and it's friendly enough for most people to use. I think it's great that Blizzard is able to make more people aware of the concept.
 
2011-04-22 03:38:02 PM  
Mother's maiden name: Bouvier
First car: Rolls Canardly
Favorite movie: Ernest Gets a Second Lobotomy
Street you were born on: Penny Lane
Your first pet's name: Gertrude the Wonder Poodle
Favorite author: I.P. Freely
 
2011-04-22 03:38:33 PM  

Meat's dream: palan: Genju: Meat's dream: Blizzard is quietly solving the password problem by giving away core-hound pups.

Had a person still get hacked with the authenticator. In fact, the authenticator ended up working against them after they were successfully hacked. Apparently those things aren't quite as advanced and unpredictable as some might think. I quit posting on their forum back when the RealID bs came out, but can people expose their email addresses in their profile? Like, the same email address you now log in with?

I'm going to call BS on this. Blizzard is using an RSA key for their authenticator. There has yet to be a good hack for it, and if someone were to do so, there are better things they could access by knowing how to do it.

That said, Blizzard has a few other weaknesses that hackers have exploited and allow people to gain access to players' accounts. The authenticator can't protect against these.

Either way, there's no doubt the percentage of hacked accounts drops dramatically with an authenticator. It's a great system and it's friendly enough for most people to use. I think it's great that Blizzard is able to make more people aware of the concept.


Oh I wasn't saying it was bad or ineffective or anything. It just sounded like you were believing it to be bulletproof. I mean, it's an extra layer of security on top of the existing one. Sure it sucks when the person forgets their authenticator and wants to play somewhere remote (friend's place, etc.) but then again that's their own damn fault for forgetting it. That and account sharers, but they tend to get "hacked" and deserve it.

/always a pet peeve when an account sharer says they were "hacked"
 
2011-04-22 03:42:07 PM  

jigger: Wait. Why is a space different from all other characters in that it exponentially increases the search time?


It doesn't... the minimum length of the password does.

If you have the alphabet with no space then you have 26 characters to play with. If you had a five character minimum then there would be 26 possible values for the first character, 26 possible values for the second character, and so on. This gives you 26*26*26*26*26 possible combinations, or 26^5. If you require a sixth character then you have 26^6 characters, an exponential increase.

If you expand your passwords so you can use an alphabet character OR a space for any character of your password then you have 27 possibilities for each character in your password. If you required five character passwords again then you'd have a total complexity of 27*27*27*27*27, or 27^5.

Just for comparison, if you can try 100 passwords per second, as in the article:
26^5 = 33 hours to exhaust every combination
27^5 = 40 hours to exhaust every combination
26^6 = 858 hours to exhaust every combination
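The arithmetic in the post above, together with maxximillian's earlier remark that minimum-composition rules actually shrink the number of possible passwords (and the later point that knowing the required format narrows what a cracker must try), carried through in code as an added example that is not the article's or any poster's own. It reproduces the 33/40/858-hour figures at 100 guesses per second and counts how many 8-character passwords survive the "2 upper, 2 lower, 2 number, 2 special" policy quoted earlier in the thread. The split of the 94 printable ASCII characters into 26/26/10/32 classes and the function names are assumptions made here.

```python
from math import factorial, prod

# Constructed assumption: 94 printable ASCII characters split into four classes.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 32}
GUESSES_PER_SECOND = 100  # the rate the post above uses for its hour figures


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` characters."""
    return alphabet_size ** length


def hours_to_exhaust(combinations: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Wall-clock hours to try every combination at `rate` guesses per second."""
    return combinations / rate / 3600


def count_with_minimums(length: int, classes: dict, minimums: dict) -> int:
    """Count strings of `length` over the union of `classes` in which every
    class appears at least `minimums[name]` times (0 when a class is absent).

    For each split of the `length` positions into per-class counts
    (n_1, ..., n_k) that honours the minimums, the number of strings is the
    multinomial coefficient length!/(n_1! ... n_k!) times prod(size_i ** n_i).
    With no minimums this sums to (sum of sizes) ** length.
    """
    names = list(classes)
    total = 0

    def walk(i: int, remaining: int, counts: list) -> None:
        nonlocal total
        lo = minimums.get(names[i], 0)
        if i == len(names) - 1:  # last class takes whatever positions remain
            if remaining < lo:
                return
            full = counts + [remaining]
            ways = factorial(length)
            for c in full:
                ways //= factorial(c)
            total += ways * prod(classes[n] ** c for n, c in zip(names, full))
            return
        for n in range(lo, remaining + 1):
            walk(i + 1, remaining - n, counts + [n])

    walk(0, length, [])
    return total


def policy_fraction(length: int, classes: dict, minimums: dict) -> float:
    """Share of the unconstrained space that still satisfies the policy."""
    full_space = search_space(sum(classes.values()), length)
    return count_with_minimums(length, classes, minimums) / full_space


if __name__ == "__main__":
    # The three figures from the post above.
    for label, n in (("26^5", 26 ** 5), ("27^5", 27 ** 5), ("26^6", 26 ** 6)):
        print(f"{label}: {n:>12,d} combinations, {hours_to_exhaust(n):7.1f} hours")
    # The 8-character, two-of-each-class policy quoted earlier in the thread.
    two_each = {name: 2 for name in CLASSES}
    print(f"policy keeps {policy_fraction(8, CLASSES, two_each):.2%} of the 94^8 space")
```

Run stand-alone it prints the three durations and the surviving fraction of the 94^8 space; the two-of-each policy leaves under 2% of it, which is the concrete sense in which a published composition rule hands a guesser information.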
 
2011-04-22 03:43:18 PM  
Want high security pass phrases and defeat social engineering? Force users to have horribly sexually graphic pass phrases that they'd be too embarrassed to say over the phone.

If your employee is willing to say to a stranger over the phone, "Ass rape tickles" then you should fire them anyway.
 
Displayed 50 of 150 comments





This thread is archived, and closed to new comments.
