DailyDirt: How Many Passwords Do You Know?
from the urls-we-dig-up dept
If you've been online for more than a few years, you've probably collected a fairly sizable number of logins for various things. When the next cool social network you discover asks you to register with an email and password, a surprisingly large number of people choose "123456", "p@ssw0rd" or something easy to remember (and use that same password for multiple services). That's not a good idea, especially as more services are being broken into due to bad (or no!) password hashing. Password attackers aren't usually doing trial-and-error guessing against the login form; they're scraping leaked password databases and doing the brute-force cracking offline, helped by all the hints that can be gleaned from a huge pool of passwords that likely contains duplicates or passwords susceptible to dictionary attacks. If you have some time, turn on two-factor authentication and peruse the following links.
- Some password systems allow for convenient variable-length passwords, so users can choose whether they want an 8-character password that requires special characters, numbers and an upper/lowercase mix or an all-lowercase 20-character password. Allowing really long passwords makes it possible for people to pick strings like "correct battery horse staple" (which is probably a very insecure password now). [url]
- If you have a gazillion passwords in a plaintext file somewhere, you might want to try a password manager. But if you're not that paranoid about your passwords, you probably can't be bothered to set up a password manager, either. [url]
- Ultimately, humans probably should not be choosing their own passwords if the goal is the best security. There really isn't anything preventing people from choosing bad passwords, and longer passwords don't necessarily make for better ones (e.g. facebookpasswordmyname). [url]
Filed Under: breach, hashing, login, password manager, passwords, salting, security, two-factor authentication
Reader Comments
The First Word
Re: 2 Factor Authenticate or Bust
And for all that you're worth, do not reinstall the software that controls your second factor. I had to spend half an hour on the phone with Blizzard after I factory wiped my phone thinking that it was all controlled by hardware address, not a random install code.
Longer Is Better Than More Characters
8 random characters, uppercase + lowercase + digits → 47.6 bits
10 random characters, uppercase only → 47.0 bits
12 random characters, uppercase only → 56.4 bits
In other words, don’t sweat the special characters, go for password length.
Re: Longer Is Better Than More Characters
I really only understand brute force. The only reason lower case is faster to brute force is because lower case is usually tried first.
Re: Re: Longer Is Better Than More Characters
"sex" is a password you check before "s3x"
Re: Re: Re: Longer Is Better Than More Characters
If "sex" is checked first because it's a real word then "s3x" because it's a real word with a number replacing a letter, then "kmk" would be more secure because it will be checked last since it's just random lettering.
Re: Re: Re: Re: Longer Is Better Than More Characters
But "kmk" is a keyboard walk, at least on a QWERTY keyboard. The "k" key is diagonally-adjacent to the "m" key. Not good.
On the plus side, you did include a repeated character. I notice that people attempting to create random sequences tend to include fewer repeats than expected from a uniform distribution. That is, they pick some random character, and then feel biased against it. Indeed, I'm always slightly surprised at the number of repeated characters I find in sequences drawn from a flat distribution.
Bits of entropy
-C
Re: Bits of entropy
Less so than you'd think
Amusingly that was supposed to be easy to remember.
2 Factor Authenticate or Bust
Best list I've found of sites that support 2-factor authentication. If you aren't using 2-factor for your sensitive accounts... you're stupid.
Re: 2 Factor Authenticate or Bust
Re: Re: 2 Factor Authenticate or Bust
Re: 2 Factor Authenticate or Bust
My preferred method is to use randomly generated passwords that get changed very frequently and to use a password keeper to keep track of them.
Secret decoder ring
Re: Secret decoder ring
Re: Re: Secret decoder ring
Re: Secret decoder ring
Either you can calculate a min entropy, or you can't.
No need to remember anything
Re: No need to remember anything
Did you notice that the card can be "regenerated" from a 16-hexadecimal-digit identifier?
Further, the sample card has 8 rows and 29 columns. Then there are four cardinal and four intercardinal directions from any starting position.
Re: No need to remember anything
Re: Re: No need to remember anything
Well, on the surface, the (16*2^4) identifier space indicates that the sequences on the card are generated by some rule.
How would you backdoor the card-generation rule so that the 8 row * 29 column starting position loses some of its surprisal?
Re:
hee hee hee
I'll mention again my 'system' for NON-CRITICAL passwords:
make a prefix (say, 3f), make a suffix (say, u9), then take the website 'name' (or organization, or whatever) and append those...
so, if this were for techdirt: "3ftechdirtu9"...
works for me...
(AGAIN, NON-CRITICAL sites; for 'real' important sites, I use the random type stuff that is written down in my little black book...)
Unfortunately, it does mean I have to remember them but then, I don't have passwords for hundreds of sites either. I have only a dozen sites I use regularly where I need a password.
I don't sign up for membership at a lot of random sites. If you can't read or visit a site without signing up, I'll find somewhere else to get the information I need.
When it gets to the point that I can't remember a dozen or so passwords, I'll turn in my computer.
Re:
Too many sites where security is not necessary
The huge number of websites where I need a password login to read articles or download a technical manual: Nope.
We talk so frequently about password strength and a requirement for uniqueness. We never seem to address the proliferation of useless security. I really don't care if someone guesses my password and uses it to download extra copies of a technical manual. Most of those login systems are only in place to ensure the vendor has an email address for solicitation purposes anyway.
Re: Too many sites where security is not necessary
Then hackers get into the tech manual site because it's not very secure. Come on, who would want to break into a tech manual site? They don't even store people's credit card information.
Yet once the hackers have the password, they can try it against the larger sites like Facebook, Amazon, or iTunes. And if any of the passwords match, the hackers have complete control of the account.
Better security
MTMSFY!
Re:
Check out Steve Gibson's article on generating passwords that are memorable and hard to guess: https://www.grc.com/haystack.htm
My password manager password shows the following results for "crackability" using his tool, and it's easy to remember; a pain in the ass to type, but easy to remember.
Couple your approach to storing passwords with his approach to generating memorable passwords and you're almost unhackable.
Re: Re:
Search Space Depth (Alphabet): 26+26+10+33 = 95
Search Space Length (Characters): 26 characters
Exact Search Space Size (Count): (count of all possible passwords with this alphabet size and up to this password's length) 2,663,234,997,260,162,196,476,097,223,547,872,948,519,727,017,017,120
Search Space Size (as a power of 10): 2.66 x 10^51
Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario (assuming one thousand guesses per second): 8.47 hundred trillion trillion trillion centuries
Offline Fast Attack Scenario (assuming one hundred billion guesses per second): 8.47 million trillion trillion centuries
Massive Cracking Array Scenario (assuming one hundred trillion guesses per second): 8.47 thousand trillion trillion centuries
Re: Re: Re:
Extra credit: When is min entropy less than Shannon entropy?
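As an added example (not code from the post or from any commenter), the arithmetic behind the bit counts in the "Longer Is Better Than More Characters" comment, the "search space" figures pasted from the haystack page above, and the Shannon-versus-min-entropy contrast the extra-credit question asks about; the skewed user-choice distribution is constructed for illustration.

```python
import math

# Added example, not code from the post or its commenters: the arithmetic behind
# the thread's entropy figures, the haystack "search space" numbers, and the
# Shannon-vs-min-entropy question.

def random_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password whose characters are drawn uniformly at random
    from an alphabet of `alphabet_size` symbols: length * log2(alphabet_size).
    Only holds for truly random choice, not for human-picked strings."""
    return length * math.log2(alphabet_size)

def haystack_search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover to reach a
    password of `length` over this alphabet: every string of length 1..length,
    i.e. sum(alphabet_size**k for k = 1..length), computed exactly."""
    return sum(alphabet_size ** k for k in range(1, length + 1))

def exhaustive_search_centuries(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in `space`, in centuries
    (100 Julian years of 365.25 days)."""
    return space / guesses_per_second / (100 * 365.25 * 86400)

def shannon_bits(probs) -> float:
    """Shannon entropy H = -sum(p * log2 p): the *average* surprisal of a
    password drawn from this distribution over user choices."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def min_entropy_bits(probs) -> float:
    """Min-entropy H_min = -log2(max p): surprisal of the single most likely
    password, which is the one an attacker guesses first. H_min <= H, with
    equality exactly when every password is equally likely."""
    return -math.log2(max(probs))

# Constructed distribution for illustration: half of all users pick "123456";
# the other half spread uniformly over 1024 different passwords.
SKEWED = [0.5] + [0.5 / 1024] * 1024
UNIFORM = [1 / 1024] * 1024

if __name__ == "__main__":
    for size, length in ((62, 8), (26, 10), (26, 12)):   # the comment's three lines
        print(f"{length} random chars from {size} symbols: {random_password_bits(size, length):.1f} bits")
    space = haystack_search_space(95, 26)                # the pasted haystack example
    print(f"search space {space:,} ~ {space:.2e}")
    print(f"offline, 1e11 guesses/s: {exhaustive_search_centuries(space, 1e11):.3g} centuries")
    print(f"skewed: H={shannon_bits(SKEWED):.1f} bits, H_min={min_entropy_bits(SKEWED):.1f} bits")
    print(f"uniform: H={shannon_bits(UNIFORM):.1f} bits, H_min={min_entropy_bits(UNIFORM):.1f} bits")
```

The skewed case is the answer to the extra-credit question: min-entropy drops below Shannon entropy as soon as choices are not uniform, which is why a population's average password strength says little about how fast the most common passwords fall.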
https
Re: https
And make sure that the TLS certificate that your browser accepts is the expected one—chaining up to a trusted root CA.
Oh, what?
Dilbert: Tour of Accounting
xkcd: Random Number