0936: "Password Strength"


0936: "Password Strength"

Postby LucasBrown » Wed Aug 10, 2011 4:03 am UTC

Alt text: "To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize."

:shock: changes password
Last edited by LucasBrown on Wed Aug 10, 2011 5:24 am UTC, edited 2 times in total.
You are hereby warned that I occasionally make liberal use of the edit button in the few minutes immediately following the submission of my posts.
LucasBrown
 
Posts: 243
Joined: Thu Apr 15, 2010 2:57 am UTC
Location: Poway, CA

Re: 0936: "Password Strength"

Postby lingomaniac88 » Wed Aug 10, 2011 4:05 am UTC

Now I won't be able to get "correct horse battery staple" out of my head.
"It is common sense to take a method and try it. If it fails, admit it frankly and try another. But above all, try something."
-- Franklin D. Roosevelt
lingomaniac88
 
Posts: 125
Joined: Wed Apr 09, 2008 2:52 am UTC

Re: 0936: "Password Strength"

Postby glasnt » Wed Aug 10, 2011 4:05 am UTC

What's the guess that next year, the top passwords in use will be:

123456
password
correcthorsebatterystaple
654321
...
glasnt
 
Posts: 529
Joined: Fri Jan 25, 2008 5:18 am UTC
Location: SQUEE!

Re: 0936: "Password Strength"

Postby KShrike » Wed Aug 10, 2011 4:05 am UTC

What the frick? How'd he get my password!!!
On 10/10/10, My Little Pony started to appeal to adult males. Ya rly!
Forget the /b/ memes, and go watch the show and see what I mean. After all, the /b/ memes exist because the show itself is so cleverly written. Check it out!
KShrike
 
Posts: 130
Joined: Wed Dec 15, 2010 5:47 am UTC

Re: 0936: "Password Strength"

Postby Drooling Iguana » Wed Aug 10, 2011 4:06 am UTC

So now I'm going to have to change all my passwords to correct horse battery staple.

I guess it's a small price to pay for security, but I'm going to miss hunter2.
Drooling Iguana
 
Posts: 24
Joined: Tue Jun 05, 2007 12:41 am UTC

Re: 0936: "Password Strength"

Postby ShuRugal » Wed Aug 10, 2011 4:08 am UTC

Drooling Iguana wrote:So now I'm going to have to change all my passwords to correct horse battery staple.

I guess it's a small price to pay for security, but I'm going to miss hunter2.


I'm not entirely certain how sad it is that I laughed aloud at that, but I am certain that there is a non-zero degree of sad involved somewhere.
ShuRugal
 
Posts: 28
Joined: Wed Jan 26, 2011 5:19 am UTC

Re: 0936: "Password Strength"

Postby jpk » Wed Aug 10, 2011 4:12 am UTC

Oh, no... now we're going to have a bunch of people resorting to easily guessed passwords because [they think?]* Randall said so...

(gee, what happens when you're trying to do a brute-force search and someone limits your search space to concatenated English words?... you jump around saying "yippee! yippee!")

*edited this in and out about four times... if this is a troll on his part, I give him great props for his deadpan... )
Last edited by jpk on Wed Aug 10, 2011 4:24 am UTC, edited 2 times in total.
jpk
 
Posts: 606
Joined: Sat Nov 13, 2010 7:33 am UTC

Re: 0936: "Password Strength"

Postby Jorpho » Wed Aug 10, 2011 4:13 am UTC

Teehee, hunter2. I laugh to further intimidate those who don't get the joke. (I was going to write something along the lines of "squeamish ossifrage".)

And I am posting in the first place because this is pretty damn cool – assuming it's legit, and why wouldn't it be?
Jorpho
 
Posts: 5547
Joined: Wed Dec 12, 2007 5:31 am UTC
Location: Canada

Re: 0936: "Password Strength"

Postby KShrike » Wed Aug 10, 2011 4:14 am UTC

jpk wrote:Oh, no... now we're going to have a bunch of people resorting to easily guessed passwords because they think Randall said so...

(gee, what happens when you're trying to do a brute-force search and someone limits your search space to concatenated English words?... you jump around saying "yippee! yippee!")


I think he's just trolling us. To be honest, you could always include a random character somewhere to screw it up.

"correct pony ba|ttery staple"

Boom, now the algorithm won't see it.
On 10/10/10, My Little Pony started to appeal to adult males. Ya rly!
Forget the /b/ memes, and go watch the show and see what I mean. After all, the /b/ memes exist because the show itself is so cleverly written. Check it out!
KShrike
 
Posts: 130
Joined: Wed Dec 15, 2010 5:47 am UTC

Re: 0936: "Password Strength"

Postby Alex-J » Wed Aug 10, 2011 4:15 am UTC

I really don’t think it matters how secure your password is (except for more important things like online banking and PayPal). As long as your pissed off friend/boy/girlfriend can’t get into something that’s important to you by typing “password”. Honestly, how many people want to mess-up your xkcd forum account? The password is only there so someone can’t, on a complete whim, decide to be you.
(but if you like making nerdy arch-enemies, watch out)

On an unrelated note my friend has had a 42-letter password for his laptop for years. Apparently he's far ahead of the game.
Alex-J
 
Posts: 31
Joined: Thu Feb 18, 2010 5:08 am UTC

Re: 0936: "Password Strength"

Postby Kaldra » Wed Aug 10, 2011 4:21 am UTC

My employer (who shall remain nameless) has somewhat silly password requirements. Exactly 8 characters, only numbers and lowercase letters. Which (at 1000 guesses/sec) would take up to 89.4 years if it were completely random, but it rarely is. Luckily we require a PGP pass phrase to turn the computer on, but the account passwords on their own aren't terribly secure.
Kaldra
 
Posts: 32
Joined: Mon Apr 20, 2009 3:28 am UTC

Re: 0936: "Password Strength"

Postby cheeseheadtotherescue » Wed Aug 10, 2011 4:22 am UTC

we're sorry, your password must be between 6 and 10 characters and may not include any of the following special characters !@#$%^&*(){}-=+\|/><,.":;'[].
.
.
.
*cries*
cheeseheadtotherescue
 
Posts: 11
Joined: Wed Jun 03, 2009 5:18 pm UTC

Re: 0936: "Password Strength"

Postby TaylorP » Wed Aug 10, 2011 4:24 am UTC

Haha, I liked this one. My passwords are somewhere in between, in that they have at least one number and capital letter, but they're also composed of a somewhat meaningful couple of words. It's not like any of my accounts are worth the time it would take to guess the password, though.

BTW Alex-J, your forum avatar is great. :)
TaylorP
 
Posts: 60
Joined: Mon Jul 18, 2011 5:08 am UTC
Location: Ontario, Canada

Re: 0936: "Password Strength"

Postby jpk » Wed Aug 10, 2011 4:28 am UTC

Alex-J wrote:I really don’t think it matters how secure your password is (except for more important things like online banking and PayPal).



Do you really think J. Random Loser actually uses a more secure password for their gmail account than they do for their xkcd forum account? I don't.
And guess how much trouble I could get into if I have your primary email account... the one that all of your other accounts send password resets to...
jpk
 
Posts: 606
Joined: Sat Nov 13, 2010 7:33 am UTC

Re: 0936: "Password Strength"

Postby dysprog » Wed Aug 10, 2011 4:28 am UTC

Well, the gibberish is not that hard to remember if you use the same one for 10+ years.
Never change it, even after that skeezy website emailed it back to you in plaintext, or that time you had a virus.
And use it on every website you visit, from your bank to facebook, to HotChicksEatingIceCeamInThePool.com

ummm... I'll be riiight back

<changes password.>
dysprog
 
Posts: 21
Joined: Tue Aug 24, 2010 5:45 am UTC

Re: 0936: "Password Strength"

Postby ConMan » Wed Aug 10, 2011 4:29 am UTC

My standard disclaimer about the strength of passwords is that no matter how strong it may be algorithmically, a password is immediately weak once it's used as an example of a strong password (which I expect means I am "explaining the joke" of Drooling Iguana's post). Particularly if you have draconian password requirements on a system, and so have to demonstrate a kind of password that will fit the rules - for a big enough system, I can practically guarantee that a sizeable number of users will take that example password and use it.
pollywog wrote:
Wikihow wrote:* Smile a lot! Give a gay girl a knowing "Hey, I'm a lesbian too!" smile.
I want to learn this smile, perfect it, and then go around smiling at lesbians and freaking them out.
ConMan
Shepherd's Pie?
 
Posts: 1402
Joined: Tue Jan 01, 2008 11:56 am UTC
Location: Beacon Alpha

Re: 0936: "Password Strength"

Postby Rephistorch » Wed Aug 10, 2011 4:30 am UTC

Personally, I have a sucky password for things like forums (which I could care less if they got hacked), I have a moderate password for things like personal info without credit card data, and then I have a mecha-sheeva password for all things financial.

By the way, using the ~2^44 is way less secure than actually using an 8 character password that is more random than a simple character appending and substitution. If you make an anagram of a phrase you like, make it upper and lower case, add numbers and symbols in random places, it's far more secure than a common English word mash-up. Hell, if you make random passwords that are 8 characters long and take the time to memorize them, you're way ahead of the game. Truly random (or close enough) upper and lower case passwords with numbers, and your choice of any 5 symbols (your choice!), gives you a password with a strength of 67^8 which is ~23x better protection than four random common words.
Rephistorch
 
Posts: 2
Joined: Wed Feb 24, 2010 6:01 am UTC

Re: 0936: "Password Strength"

Postby Eredian » Wed Aug 10, 2011 4:32 am UTC

I found a dictionary containing 118620 words quite easily. Assuming you use at least one unique word in there your password would be closer to log2(118620) * 4 =~ 64 bits of entropy.

To have only 28 bits of entropy with that solution your password would have to be findable by a dictionary containing only 128 words. That seems quite unlikely.
Eredian
 
Posts: 1
Joined: Wed Aug 10, 2011 4:26 am UTC

Re: 0936: "Password Strength"

Postby Briantho2010 » Wed Aug 10, 2011 4:34 am UTC

Having done some brute force password cracking, this comic isn't truthful to real life in my experience. When brute forcing a password you can do various types of attacks, but the larger the pool of characters for each character of a password, the higher the total # of password possibilities. Example: a 5-character all-lowercase password provides 11,881,376 possibilities, whereas a 5-character password using upper case, lower case and 0-9 produces 916,132,832 possibilities. That password would be potentially 77.10 times harder to crack using brute force methods than the first example.
Briantho2010
 
Posts: 1
Joined: Wed Aug 10, 2011 4:26 am UTC

Re: 0936: "Password Strength"

Postby joee » Wed Aug 10, 2011 4:34 am UTC

OP: there's a typo in your link. http, not htpp

Damn, now I want to change all my passwords.
Hi glasnt.
joee
 
Posts: 227
Joined: Mon Dec 03, 2007 5:53 am UTC

Re: 0936: "Password Strength"

Postby Alex-J » Wed Aug 10, 2011 4:35 am UTC

jpk wrote:
Alex-J wrote:I really don’t think it matters how secure your password is (except for more important things like online banking and PayPal).



Do you really think J. Random Loser actually uses a more secure password for their gmail account than they do for their xkcd forum account? I don't.
And guess how much trouble I could get into if I have your primary email account... the one that all of your other accounts send password resets to...


Most things that are important to me (ie: not my robozzle account) when asked to reset my password require you to answer one of those security questions you had to make when you created your account.

But I do see your point.
Alex-J
 
Posts: 31
Joined: Thu Feb 18, 2010 5:08 am UTC

Re: 0936: "Password Strength"

Postby Unknownlight » Wed Aug 10, 2011 4:36 am UTC

Or you can just think of one, perfect, amazing password, and use LastPass for everything else.

You can have a fifty-digit stream of random characters for your bank account password if you want. :D
Unknownlight
 
Posts: 8
Joined: Tue Jan 11, 2011 7:49 am UTC

Re: 0936: "Password Strength"

Postby Se7enLC » Wed Aug 10, 2011 4:37 am UTC

Oh, where to start...

1). Most sites have a maximum password length, somewhere in the 10-15 character range. If you're lucky, the password will get truncated when it is set AND when you enter it, so you won't even notice that the extra bits are falling on the floor. Some sites *cough* NewEgg *cough* will truncate when you set the password but WON'T truncate when you enter it, so when you type EXTRA characters, it thinks your password is wrong. Irritating.

2). A complex password with few characters is hard to remember (at first), but really fast to type when you get used to it. If you lock your screen every time you leave your desk, you're going to get pretty sick of typing a paragraph about horse batteries.

3). A lot of places will require capital, lowercase, numbers, and symbols anyway.
Se7enLC
 
Posts: 8
Joined: Fri Jul 20, 2007 12:49 pm UTC
Location: Brighton, MA

Re: 0936: "Password Strength"

Postby black_hat_guy » Wed Aug 10, 2011 4:40 am UTC

I would have posted before, but I forgot my password.
Billy was a chemist.
He isn't any more.
What he thought was H2O
was H2SO4.
black_hat_guy
 
Posts: 114
Joined: Tue Jul 20, 2010 8:34 pm UTC

Re: 0936: "Password Strength"

Postby Rashkavar » Wed Aug 10, 2011 4:44 am UTC

So why 11 bytes per word regardless of the word length? The password I use for higher security things is a 30 letter sentence - I was wondering how long the brute force calculation for that would take, but without a consistent bytes-per-letter, I can't calculate it.
Rashkavar
 
Posts: 4
Joined: Sat May 30, 2009 7:32 pm UTC

Re: 0936: "Password Strength"

Postby KShrike » Wed Aug 10, 2011 4:46 am UTC

Se7enLC wrote:Oh, where to start...

Most sites have a maximum password length, somewhere in the 10-15 character range.


Those sites piss me the hell off! Like you wouldn't believe how much they piss me the hell off!
On 10/10/10, My Little Pony started to appeal to adult males. Ya rly!
Forget the /b/ memes, and go watch the show and see what I mean. After all, the /b/ memes exist because the show itself is so cleverly written. Check it out!
KShrike
 
Posts: 130
Joined: Wed Dec 15, 2010 5:47 am UTC

Re: 0936: "Password Strength"

Postby Wilhelm » Wed Aug 10, 2011 4:47 am UTC

That's it. I can't get that phrase out of my head.


Randall, put the words "correct horse battery staple" on a shirt, with the last panel (minus the words on the bottom) on the back, or gods help me, I will.
Where I sell a limited range of unofficial merchandise:

http://www.cafepress.com/from_the_internet
Wilhelm
 
Posts: 22
Joined: Sat Sep 11, 2010 3:33 am UTC

Re: 0936: "Password Strength"

Postby Graff » Wed Aug 10, 2011 4:47 am UTC

I think the best idea along these lines is the first letter of each word in a phrase. It's easy to remember and isn't susceptible to a dictionary attack that concatenates words. Make up a simple algorithm to make it unique to the website, like placing the length of the site's name and its last character at the third position, and you're golden.

Code:
phrase: Everything should be made as simple as possible, but not simpler.
site: xkcd
password: esb4dmasapbns


The only problem with this is when sites require you to use numbers, odd characters, mixed case, and so on. Passwords would be a lot easier to generate if every site had the same requirements - or if they just accepted anything and let the consequences be on the password owner's head.
Last edited by Graff on Wed Aug 10, 2011 4:50 am UTC, edited 1 time in total.
Graff
 
Posts: 5
Joined: Mon Oct 19, 2009 8:37 pm UTC

Re: 0936: "Password Strength"

Postby Lem0n » Wed Aug 10, 2011 4:49 am UTC

I'd say a good yet easy to remember password is something like: bbbbbhunter2cccccddddd

entropy (in the sense generally used) is not really necessary, as long as most "bruteforcers" aren't trying to do
of course, if it gets common to repeat many letters in a password, bruteforcers will start to try that, but even then it's not easy (how many letters? which ones? in which position? case sensitive?)
Lem0n
 
Posts: 87
Joined: Tue Dec 15, 2009 8:15 pm UTC

Re: 0936: "Password Strength"

Postby Vebyast » Wed Aug 10, 2011 4:51 am UTC

Just use KeePass. One don't-care password for your hardware, one high-power password for your KeePass database, and then max-length random passwords everywhere else (including your TrueCrypt volumes, of course). Doesn't even matter if they limit you to 8 characters; nobody ever tries high ASCII.
Vebyast
 
Posts: 3
Joined: Thu Apr 23, 2009 5:22 am UTC

Re: 0936: "Password Strength"

Postby jpk » Wed Aug 10, 2011 4:53 am UTC

Rephistorch wrote:By the way using the ~2^44 is way less secure than actually using an 8 character password that is more random than a simple character appending and substitution.


One method that I used to use, and no longer use, was to pick a friend and interleave their name and phone number, or part of their phone number, i.e. if I have a friend Steve whose number is 555-3592, it would be S3t5e9v2e. This has two main advantages:
1) The pattern generated has semantic content for me - I can't forget the two elements that make it up, and they are strongly associated for me. In addition, I don't have any trouble typing interleaved words, so it's hard for me to mistype.
2) Part of the pattern is arbitrary: there isn't enough data to recover the phone number part unless you know me and start guessing at which friend is the key for this password.

It's also difficult to target in a dictionary attack, unless it becomes common enough that it's worth targeting this pattern, in which case it's no better than friend's name plus some digits, which is pretty bad. (how many names would exhaust 80% of the English-language namespace? around 100? That number * 10^5 is the size of your search space. That's tiny.)


Hell if you make random passwords that are 8 characters long and take the time to memorize them, you're way ahead of the game. Truly random (or close enough) upper and lower case passwords with numbers, and your choice of any 5 symbols (your choice!), gives you a password with a strength of 67^8 which is ~23x better protection than four random common words.


If by "random enough" you mean generated with a good random number generator, yes, you can get random enough for password-sized objects. If you mean "picking random letters" then no, there's no such thing as "random enough" in that case - people can't do random.
jpk
 
Posts: 606
Joined: Sat Nov 13, 2010 7:33 am UTC

Re: 0936: "Password Strength"

Postby Eternal Density » Wed Aug 10, 2011 5:08 am UTC

brb, changing the password on my luggage.
Eternal Density
 
Posts: 3707
Joined: Thu Oct 02, 2008 12:37 am UTC
Location: The Hotdog Cart

Re: 0936: "Password Strength"

Postby Rephistorch » Wed Aug 10, 2011 5:13 am UTC

jpk wrote:
jpk wrote: Hell if you make random passwords that are 8 characters long and take the time to memorize them, you're way ahead of the game. Truly random (or close enough) upper and lower case passwords with numbers, and your choice of any 5 symbols (your choice!), gives you a password with a strength of 67^8 which is ~23x better protection than four random common words.


If by "random enough" you mean generated with a good random number generator, yes, you can get random enough for password-sized objects. If you mean "picking random letters" then no, there's no such thing as "random enough" in that case - people can't do random.


Which is of course what I meant. It's pretty easy to memorize if you type it often enough and maybe even create a mnemonic for yourself. I actually don't think anything can ever be truly random, but possibly so improbable to predict as to be as close as you're gonna get.
Rephistorch
 
Posts: 2
Joined: Wed Feb 24, 2010 6:01 am UTC

Re: 0936: "Password Strength"

Postby Eebster the Great » Wed Aug 10, 2011 5:15 am UTC

Rashkavar wrote:So why 11 bytes per word regardless of the word length? The password I use for higher security things is a 30 letter sentence - I was wondering how long the brute force calculation for that would take, but without a consistent bytes-per-letter, I can't calculate it.

I guess the assumption is that you are choosing it from a list of around 2000 random words and the attacker has access to the same list, and first searches only for pure (unsubstituted) English words off that list. It isn't a realistic scenario, but maybe a reasonable worst-case one.

jpk wrote:One method that I used to use, and no longer use, was to pick a friend and interleave their name and phone number, or part of their phone number, i.e. if I have a friend Steve whose number is 555-3592, it would be S3t5e9v2e. This has two main advantages:
1) The pattern generated has semantic content for me - I can't forget the two elements that make it up, and they are strongly associated for me. In addition, I don't have any trouble typing interleaved words, so it's hard for me to mistype.
2) Part of the pattern is arbitrary: there isn't enough data to recover the phone number part unless you know me and start guessing at which friend is the key for this password.

It's also difficult to target in a dictionary attack, unless it becomes common enough that it's worth targeting this pattern, in which case it's no better than friend's name plus some digits, which is pretty bad. (how many names would exhaust 80% of the English-language namespace? around 100? That number * 10^5 is the size of your search space. That's tiny.)

Most dictionary attacks now routinely include interleaving words or words and numbers. However, it still does increase the sample space considerably.
Eebster the Great
 
Posts: 1687
Joined: Mon Nov 10, 2008 12:58 am UTC

Re: 0936: "Password Strength"

Postby rapturemachine » Wed Aug 10, 2011 5:17 am UTC

And really, how secure is Tr0ub4dor&3 when you use it for every site, like many people do? (http://xkcd.com/792/)
(#792 actually made me decide to revise my passwords to all the sites I visit at least somewhat frequently. Now, I use a different password for almost every site, and they consist of interspersed letters, numbers, and punctuation. In fact, they look a lot like troubador over there. And yes, I do remember them all :P )
rapturemachine
 
Posts: 26
Joined: Sat Jan 01, 2011 7:53 pm UTC
Location: Asteroid B-612

Re: 0936: "Password Strength"

Postby Steve the Pocket » Wed Aug 10, 2011 5:20 am UTC

jpk wrote:(gee, what happens when you're trying to do a brute-force search and someone limits your search space to concatenated English words?... you jump around saying "yippee! yippee!")

I think the point is that both passwords are based on simple formulae, as are the programs used to crack them, and that even if the second formula became the new common one, it would still be really tough to crack compared to the first. Trying every word in the English language once is one thing, but getting the right four in the right order would require [total number of words]^4 guesses. So if, for example, there were only 1,000 words to pick from, and it took one second to run through them all as Randall assumes, guessing any four in any order would take 1,000,000,000 seconds — over 30 years. Fun how permutations work, eh?

Rephistorch wrote:Hell if you make random passwords that are 8 characters long and take the time to memorize them, you're way ahead of the game. Truly random (or close enough) upper and lower case passwords with numbers, and your choice of any 5 symbols (your choice!), gives you a password with a strength of 67^8 which is ~23x better protection than four random common words.

Yep. That's what I've been doing since I was a kid. I even wrote an app to generate such strings automatically, with a switch to disable keyboard characters if some stupid website refuses to accept them. Also, that would actually be 68^8 on a US English keyboard.
cephalopod9 wrote:Only on Xkcd can you start a topic involving Hitler and people spend the better part of half a dozen pages arguing about the quality of Operating Systems.

Baige.
Steve the Pocket
 
Posts: 456
Joined: Mon Apr 23, 2007 4:02 am UTC
Location: Going downtuuu in a Luleelurah!
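Several posts in this thread (Kaldra's 8-character lowercase-plus-digits estimate, Rephistorch's 67^8 versus 2^44 comparison, Eredian's 118,620-word and 128-word dictionaries, Briantho2010's 5-character keyspace counts, and Steve the Pocket's 1,000-words-to-the-fourth calculation) all reduce to the same two formulas: keyspace = pool^length and entropy = length * log2(pool), with worst-case search time = keyspace / guess rate. The following script is an editor's example, not code from any poster or from xkcd; it reproduces every figure quoted above at the comic's assumed 1000 guesses/second, and adds a passphrase generator in the comic's four-word style driven by the OS CSPRNG. The 16-word list is constructed here for illustration (a real list would be far larger, and its entropy is log2 of its size per word).

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600
GUESSES_PER_SECOND = 1000  # the comic's assumed rate for an online attack


def keyspace(pool_size: int, length: int) -> int:
    """Number of distinct secrets of `length` symbols drawn from a pool of `pool_size`."""
    return pool_size ** length


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy in bits of a secret chosen uniformly at random from that keyspace."""
    return length * math.log2(pool_size)


def worst_case_years(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Years needed to exhaust the entire keyspace at a fixed guess rate
    (the expected time to a hit is about half of this)."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def strength_ratio(pool_a: int, len_a: int, pool_b: int, len_b: int) -> float:
    """How many times larger keyspace A is than keyspace B."""
    return keyspace(pool_a, len_a) / keyspace(pool_b, len_b)


def thread_figures() -> dict:
    """Recompute the numbers quoted in the comic and in the thread."""
    return {
        # comic: four words from a 2048-word list = 44 bits, ~550 years at 1000/s
        "comic_4_words_bits": entropy_bits(2048, 4),
        "comic_4_words_years": worst_case_years(44),
        # comic: Tr0ub4dor&3 at 28 bits = about 3 days
        "comic_tr0ub4dor_days": (2 ** 28) / GUESSES_PER_SECOND / 86400,
        # Eredian: 4 words from 118,620 words, and the 128-word list that gives 28 bits
        "eredian_118620_words_bits": entropy_bits(118620, 4),
        "eredian_128_words_bits": entropy_bits(128, 4),
        # Briantho2010: 26^5 vs 62^5 and their ratio
        "briantho_lower5": keyspace(26, 5),
        "briantho_alnum5": keyspace(62, 5),
        "briantho_ratio": strength_ratio(62, 5, 26, 5),
        # Rephistorch: 67^8 compared with 2^44
        "rephistorch_ratio": keyspace(67, 8) / 2 ** 44,
        # Kaldra: exactly 8 chars from [a-z0-9] at 1000/s
        "kaldra_36x8_years": worst_case_years(entropy_bits(36, 8)),
        # Steve the Pocket: four words from a 1000-word list at 1000/s
        "steve_1000_words_years": worst_case_years(entropy_bits(1000, 4)),
    }


# Constructed sample word list; only its size matters for the entropy figure.
WORDS = ["correct", "horse", "battery", "staple", "anchor", "velvet", "comet", "ladder",
         "pepper", "window", "forest", "copper", "marble", "rocket", "timber", "violet"]


def generate_passphrase(words=WORDS, count: int = 4):
    """Choose `count` words uniformly with the OS CSPRNG (secrets), the way the comic
    assumes the four words are chosen; returns the phrase and its entropy in bits."""
    chosen = [secrets.choice(words) for _ in range(count)]
    return " ".join(chosen), entropy_bits(len(words), count)


if __name__ == "__main__":
    for name, value in thread_figures().items():
        print(f"{name:>28}: {value:,.2f}")
    phrase, bits = generate_passphrase()
    print(f"sample passphrase: {phrase!r} ({bits:.1f} bits from a {len(WORDS)}-word list)")
```

The figures agree with the posts to the precision quoted (2^44 works out to about 557 years, 36^8 to 89.4 years, 62^5/26^5 to 77.1, 67^8/2^44 to 23.1, 1000^4 to 31.7 years), and every one of them assumes the attacker knows the generation rule and must search the whole space uniformly, which is exactly why a word list of 16 words is useless and one of several thousand is not.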

Re: 0936: "Password Strength"

Postby cjmcjmcjmcjm » Wed Aug 10, 2011 5:20 am UTC

I've got some good password memorization skills. Mostly, I have important passwords for things that have my debit card number and other sensitive info, an unimportant password for everything else, and an old password for things that bitch at punctuation and longer than 8-12 chars. Yeah, all my uni records are under an old password. No, I'm not sharing. No, I'm not sharing my FB password because I also use it for Twitter.

Also Correct Horse Battery Staple sounds like an indie band name.
frezik wrote:Anti-photons move at the speed of dark

DemonDeluxe wrote:Paying to have laws written that allow you to do what you want, is a lot cheaper than paying off the judge every time you want to get away with something shady.
cjmcjmcjmcjm
 
Posts: 1113
Joined: Tue Jan 05, 2010 5:15 am UTC
Location: Anywhere the internet is strong

Re: 0936: "Password Strength"

Postby jpk » Wed Aug 10, 2011 5:21 am UTC

Rephistorch wrote:
jpk wrote:
jpk wrote: Hell if you make random passwords that are 8 characters long and take the time to memorize them, you're way ahead of the game. Truly random (or close enough) upper and lower case passwords with numbers, and your choice of any 5 symbols (your choice!), gives you a password with a strength of 67^8 which is ~23x better protection than four random common words.


If by "random enough" you mean generated with a good random number generator, yes, you can get random enough for password-sized objects. If you mean "picking random letters" then no, there's no such thing as "random enough" in that case - people can't do random.


Which is of course what I meant. It's pretty easy to memorize if you type it often enough and maybe even create a mnemonic for yourself. I actually don't think anything can ever be truly random, but possibly so improbable to predict as to be as close as you're gonna get.


I figured that was what you meant, just wanted to confirm.
I've always figured the correct way to handle passwords is to give people a handful of strong generated passwords to choose from, and let them learn them. Then, don't make them change them over and over, let them actually learn them. Changing passwords for security only makes sense if you know the password has been cracked. Changing the password every three months (or whatever) is idiotic: it enforces weak passwords, and no cracker is going to spend weeks on your password, so at any given time, they're dealing with only one (weak) password, unless you happen to hit it lucky and hit the three-month change while they're actually running their brute-force attack. Moronic.
jpk
 
Posts: 606
Joined: Sat Nov 13, 2010 7:33 am UTC

Re: 0936: "Password Strength"

Postby Aikanaro » Wed Aug 10, 2011 5:22 am UTC

What I often do if I need a strong password that has numbers and letters, is I use the production number of something from a bit of geekdom that will stick in my head. For example:

Type-40

I'm reasonably certain that that's decently strong, and if it's not, you can just add in more details about it, such as Type-40TimeTravelCapsule

:D

EDIT: Other possibilities, if you're me, include such things as DLN-001. 50 bonus points to anyone other than Marzipan who gets that one (-50 bonus points to Marzipan if he DOESN'T get that one).
Last edited by Aikanaro on Wed Aug 10, 2011 5:23 am UTC, edited 1 time in total.
Dear xkcd,

On behalf of my religion, I'm sorry so many of us do dumb shit. Please forgive us.

Love, Aikanaro.
Aikanaro
 
Posts: 1797
Joined: Wed Sep 24, 2008 1:43 pm UTC
Location: Saint Louis, MO

Re: 0936: "Password Strength"

Postby Solandri » Wed Aug 10, 2011 5:23 am UTC

Graff wrote:
Code:
phrase: Everything should be made as simple as possible, but not simpler.
site: xkcd
password: esb4dmasapbns

The only problem with this is when sites require you to use numbers, odd characters, mixed case, and so on.

That's the method I recommend to friends and family. If the site requires odd characters, just do what you did for the number - capitalize the nth letter, and toss a # or & in next to the number and you have most cases covered.

Problem is, after explaining this to friends and family, I find they still use the simple 1-word or 1-word + number method. I'm starting to think a password generator like KeePass or the ones that come with fingerprint scanners are the only practical answer. People are not just resistant to hard-to-remember passwords, they're also resistant to hard-to-type passwords. The generators do the typing of the hard-to-type hard-to-remember for you, making it much more likely to be used.

Also keep in mind that you're supposed to use a different password for every site (or at least the important ones). My dad typed his password into a phishing email, and unfortunately it was the password he used for everything including bank accounts. It took a few days to hit all the sites he could think of where he had accounts, and change every password. Having a different password for each account is still hard to do with memorized passwords. But using a generator makes it easy.

The main drawback of the generator in my experience is that if you lose access to the machine(s) with the generator installed, you're locked out of all your accounts. I keep my email as a memorized password, so worst-case I can reset the password on an account and get in that way.
Solandri
 
Posts: 6
Joined: Fri Jan 21, 2011 9:27 am UTC
