DailyDirt: How Many Passwords Do You Know?

from the urls-we-dig-up dept

If you've been online for more than a few years, you've probably collected a fairly sizable number of logins for various things. When the next cool social network you discover asks you to register with an email and password, a surprisingly large number of people choose "123456", "p@ssw0rd" or something else easy to remember (and reuse that same password across multiple services). That's not a good idea, especially as more services are being broken into because of bad (or no!) password hashing. Password attackers usually aren't guessing against the login form by trial and error; they take a copy of a leaked password database and crack it offline, helped by everything a huge pool of passwords reveals: duplicates, common choices, and passwords that fall to a dictionary attack. If you have some time, turn on two-factor authentication and peruse the following links. If you'd like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post via StumbleUpon.


Filed Under: breach, hashing, login, password manager, passwords, salting, security, two-factor authentication


Reader Comments



  • Jeffrey Nonken (profile), 13 Nov 2014 @ 5:24pm

    Keepass + BtSync FTW.


  • Lawrence D’Oliveiro, 13 Nov 2014 @ 5:51pm

    Longer Is Better Than More Characters

    8 random characters, uppercase only → 37.6 bits of entropy
    8 random characters, uppercase + lowercase + digits → 47.6 bits
    10 random characters, uppercase only → 47.0 bits
    12 random characters, uppercase only → 56.4 bits

    In other words, don’t sweat the special characters, go for password length.


    • Chronno S. Trigger (profile), 13 Nov 2014 @ 6:55pm

      Re: Longer Is Better Than More Characters

      I don't understand this rainbow tables and entropy. If I can have a password that's 8 character mixed case alphanumeric with specials, how is having an 8 character all lowercase password faster to crack?

      I really only understand brute force. The only reason lower case is faster to brute force is because lower case is usually tried first.


      • monkyyy, 13 Nov 2014 @ 9:47pm

        Re: Re: Longer Is Better Than More Characters

        You run the pure wordlist before you add the fuzz

        "sex" is a password you check before "s3x"


        • Chronno S. Trigger (profile), 14 Nov 2014 @ 6:27am

          Re: Re: Re: Longer Is Better Than More Characters

          So this rainbow tables and entropy stuff doesn't mean crap? We just have to social engineer our passwords.

          If "sex" is checked first because it's a real word then "s3x" because it's a real word with a number replacing a letter, then "kmk" would be more secure because it will be checked last since it's just random lettering.


          • Anonymous Coward, 14 Nov 2014 @ 7:43am

            Re: Re: Re: Re: Longer Is Better Than More Characters

            "kmk" ... [is] just random lettering.

            But "kmk" is a keyboard walk, at least on a QWERTY keyboard. The "k" key is diagonally-adjacent to the "m" key. Not good.

            On the plus side, you did include a repeated character. I notice that people attempting to create random sequences tend to include fewer repeats than expected from a uniform distribution. That is, they pick some random character, and then feel biased against it. Indeed, I'm always slightly surprised at the number of repeated characters I find in sequences drawn from a flat distribution.


  • Christopher (profile), 13 Nov 2014 @ 6:07pm

    Bits of entropy

    but only if your "Entropic" character string isn't in a dictionary. Twelve characters in a dictionary is not the same as twelve non-word characters -- in any language. Dump a dictionary in English and the next four most used languages into your rainbow tables and you're still more successful than not.

    -C


  • ChurchHatesTucker (profile), 13 Nov 2014 @ 6:22pm

    Less so than you'd think

    "correct battery horse staple" (which is probably a very insecure password now)

    Amusingly that was supposed to be easy to remember.


  • Anonymous Coward, 13 Nov 2014 @ 6:52pm

    2 Factor Authenticate or Bust

    https://twofactorauth.org/

    Best list I've found of sites that support 2-factor authentication. If you aren't using 2-factor for your sensitive accounts... you're stupid.


    • Chronno S. Trigger (profile), 13 Nov 2014 @ 7:00pm

      Re: 2 Factor Authenticate or Bust

      and for all that you're worth, do not reinstall the software that controls your second factor. I had to spend half an hour on the phone with Blizzard after I factory wiped my phone thinking that it was all controlled by hardware address, not a random install code.


      • Anonymous Coward, 14 Nov 2014 @ 3:59am

        Re: Re: 2 Factor Authenticate or Bust

        If you're worried about that you can always save a screenshot of the QR code or print it out. As long as you keep it safe (encrypted volume or locked cabinet) the risks to your security are minimal.


    • John Fenderson (profile), 14 Nov 2014 @ 8:33am

      Re: 2 Factor Authenticate or Bust

      The problem with 2 factor authentication is that you need to trust a third party with some sort of sensitive information. That's a no-go for me.

      My preferred method is to use randomly generated passwords that get changed very frequently and to use a password keeper to keep track of them.


  • Spaceman Spiff (profile), 13 Nov 2014 @ 8:42pm

    Secret decoder ring

    Myself, I like passwords from 2000 year dead languages that are only relevant to myself, unguessable, and seeded with non-alphabetic characters. The chances of them being broken in a period shorter than that via a brute-force attack is unlikely. However, they are easy for me to remember, and the only way that they can be captured is if my system has had a key-logger installed that I don't know about. Given that all of my systems are not Windows-based, and have serious major anti-malware software and LAN hardware firewalls installed, the chances of that is pretty low...


    • Togashi (profile), 13 Nov 2014 @ 9:16pm

      Re: Secret decoder ring

      Since I'm using LastPass, even a keylogger wouldn't get my passwords. I don't even know any of them, I just let LastPass generate as long a password as they'll let me with as many character classes as possible, then I move on with my life knowing I won't have to remember it.


      • Ninja (profile), 14 Nov 2014 @ 2:26am

        Re: Re: Secret decoder ring

        God bless LastPass indeed. I even log into computers I don't trust with those one use master passwords! And it has multi-factor authentication too. I'm using Google Authenticator and I'm thinking of getting a Yubikey too. Password issues are a problem of the past.


    • Anonymous Coward, 14 Nov 2014 @ 8:26am

      Re: Secret decoder ring

      The chances ... is unlikely.

      Either you can calculate a min entropy, or you can't.


  • Anonymous Coward, 13 Nov 2014 @ 10:15pm

    No need to remember anything


    • Anonymous Coward, 14 Nov 2014 @ 9:06am

      Re: No need to remember anything

      http://www.passwordcard.org/

      Did you notice that the card can be "regenerated" from a 16-hexadecimal digit identifier?
      Number

      This is the number of your card. Store it somewhere safe! If you want to regenerate a card you lost, type the number here and press Enter:

      f2c4a95cb6809779

      Further, the sample card has 8 rows and 29 columns. Then there are four cardinal and four intercardinal directions from any starting position.


    • John Fenderson (profile), 14 Nov 2014 @ 11:23am

      Re: No need to remember anything

      Good lord, that thing seems like the worst of all worlds.


      • Anonymous Coward, 14 Nov 2014 @ 11:30am

        Re: Re: No need to remember anything

        Good lord, that thing seems like the worst of all worlds.

        Well, on the surface, the (16*2^4) identifier space indicates that the sequences on the card are generated by some rule.

        How would you backdoor the card-generation rule so that the 8 row * 29 column starting position loses some of its surprisal?


  • Zoleen (profile), 13 Nov 2014 @ 10:50pm

    Since I always forget my password, I write it in my notepad with the date.


    • art guerrilla (profile), 14 Nov 2014 @ 8:59am

      Re:

      with your social security number and signature, too ? ? ?
      hee hee hee

      i'll mention again my 'system' for NON-CRITICAL passwords:
      make a prefix (say, 3f) make a suffix (say, u9), then take the website 'name' (or organization, or whatever) and append those...
      so, if this were for techdirt "3ftechdirtu9"...
      works for me...
      (AGAIN, NON-CRITICAL sites, for 'real' important sites, i use the random type stuff that is written down in my little black book...)


  • Gracey (profile), 14 Nov 2014 @ 2:08am

    I have an index card for each site I have a password for (a real paper one, not digital). I store them in a most unlikely place. Where they're stored is written in a letter and kept with my will. That's for my 2 girls (hopefully, long into the future).

    Unfortunately, it does mean I have to remember them but then, I don't have passwords for hundreds of sites either. I have only a dozen sites I use regularly where I need a password.

    I don't sign up for membership and a lot of random sites. If you can't read or visit a site without signing up, I'll find somewhere else to get the information I need.

    When it gets to the point that I can't remember a dozen or so passwords, I'll turn in my computer.


  • Anonymous Coward, 14 Nov 2014 @ 2:21am

    I tend to use a handful for the serious stuff. For banks I use a generated high entropy password of maximum allowable length. Really, I'd prefer it if my bank account could be set to operate on public private key pairs SSH-style.


    • Ninja (profile), 14 Nov 2014 @ 2:30am

      Re:

      My bank recently introduced fingerprints for physical use (i.e. ATMs) and it has a Google Authenticator style authentication method for online banking. I can use an independent code generator, my phone or receive an SMS with the code. I'm not quite comfortable with fingerprints though; the palm scanner another bank introduced seems much more secure for physical interactions.


  • Anonymous Coward, 14 Nov 2014 @ 3:18am

    Too many sites where security is not necessary

    Bank, Professional society, the place I post my original writing: Strong password required.
    The huge number of websites where I need a password login to read articles or download a technical manual: Nope.

    We talk so frequently about password strength and a requirement for uniqueness. We never seem to address the proliferation of useless security. I really don't care if someone guesses my password and uses it to download extra copies of a technical manual. Most of those login systems are only in place to ensure the vendor has an email address for solicitation purposes anyway.


    • John85851 (profile), 14 Nov 2014 @ 7:28am

      Re: Too many sites where security is not necessary

      You're correct that tech manual sites shouldn't need a name and password, but this is exactly where security fails. Too many people will simply use their usual password so they don't have to remember yet another password for yet another site.
      Then hackers get into the tech manual site because it's not very secure. Come on, who would want to break into a tech manual site? They don't even store people's credit card information.

      Yet once the hackers have the password, they can try it against the larger sites like Facebook, Amazon, or iTunes. And if any of the passwords match, the hackers have complete control of the account.


  • Sheogorath (profile), 14 Nov 2014 @ 4:58am

    Better security

    F@c3b00kp@s$w0rdmyn@m3
    MTMSFY!


  • Rikuo (profile), 14 Nov 2014 @ 8:50am

    I admit, I do have my passwords in a text document. The document is itself protected by a password and is not stored on my computer. It is instead stored on an old smartphone that is permanently disconnected from Wifi and is charged by a USB cable that plugs only into a charge socket, not into a computing device. The phone itself is encrypted.


    • MondoGordo (profile), 14 Nov 2014 @ 10:51am

      Re:

      that's pretty damn secure ... and not a little paranoid!

      Check out Steve Gibson's article on generating passwords that are memorable and hard to guess: https://www.grc.com/haystack.htm

      my password manager password shows the following results for "crackability" using his tool and it's easy to remember, a pain in the ass to type, but easy to remember.

      Couple your approach to storing passwords with his approach to generating memorable passwords and you're almost unhackable.


      • MondoGordo (profile), 14 Nov 2014 @ 10:52am

        Re: Re:

        Brute Force Search Space Analysis:
        Search Space Depth (Alphabet): 26+26+10+33 = 95
        Search Space Length (Characters): 26 characters
        Exact Search Space Size (Count) (count of all possible passwords with this alphabet size and up to this password's length): 2,663,234,997,260,162,196,476,097,223,547,872,948,519,727,017,017,120
        Search Space Size (as a power of 10): 2.66 x 10^51
        Time Required to Exhaustively Search this Password's Space:
        Online Attack Scenario (assuming one thousand guesses per second): 8.47 hundred trillion trillion trillion centuries
        Offline Fast Attack Scenario (assuming one hundred billion guesses per second): 8.47 million trillion trillion centuries
        Massive Cracking Array Scenario (assuming one hundred trillion guesses per second): 8.47 thousand trillion trillion centuries


        • Anonymous Coward, 14 Nov 2014 @ 11:50am

          Re: Re: Re:

          When is it acceptable to calculate statistics for one distribution—and then to assume that those statistics are meaningful for a different distribution?

          Extra credit: When is min entropy less than Shannon entropy?


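The three calculations argued over in this sub-thread, worked through together: the bits-of-entropy figures in Lawrence D’Oliveiro's comment, the GRC haystack search-space and time-to-exhaust numbers MondoGordo pasted, and the min-entropy versus Shannon entropy question in the last reply. This is an added example, not code from the thread or from GRC; the 365.25-day year and the skewed password counts are constructed assumptions.

```python
import math

# Assumption: a century of 365.25-day years (the page does not say what year length GRC uses).
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string drawn uniformly at random: length * log2(alphabet size).
    This is the figure behind '8 uppercase -> 37.6 bits, 12 uppercase -> 56.4 bits'."""
    return length * math.log2(alphabet_size)


def haystack_space(alphabet_size: int, max_length: int) -> int:
    """Count of every string over the alphabet with length 1..max_length,
    i.e. the 'Exact Search Space Size' the haystack page reports, as an exact integer."""
    return sum(alphabet_size ** k for k in range(1, max_length + 1))


def centuries_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_CENTURY


def shannon_and_min_entropy(counts: dict) -> tuple:
    """Shannon entropy and min-entropy (bits) of how people actually choose passwords,
    given a mapping password -> number of users who chose it. Min-entropy is what a
    guesser who tries the most common password first is up against; it never exceeds
    Shannon entropy and is strictly smaller whenever the distribution is not uniform."""
    total = sum(counts.values())
    probs = [c / total for c in counts.values()]
    shannon = -sum(p * math.log2(p) for p in probs)
    min_entropy = -math.log2(max(probs))
    return shannon, min_entropy


# Constructed leak of 1000 users over four distinct passwords, skewed the way real
# dumps are. Not real data.
SKEWED_LEAK = {"123456": 700, "password": 200, "qwerty": 90, "Tr0ub4dor&3": 10}


def main() -> None:
    for length, alphabet in [(8, 26), (8, 62), (10, 26), (12, 26)]:
        print(f"{length} chars over {alphabet} symbols: {entropy_bits(length, alphabet):.1f} bits")
    space = haystack_space(95, 26)
    print(f"haystack space for 26 chars over 95 symbols: {space:.2e}")
    for rate in (1e3, 1e11, 1e14):
        print(f"  {rate:.0e} guesses/s -> {centuries_to_exhaust(space, rate):.2e} centuries")
    shannon, min_ent = shannon_and_min_entropy(SKEWED_LEAK)
    print(f"skewed leak: uniform over {len(SKEWED_LEAK)} would be {math.log2(len(SKEWED_LEAK)):.2f} bits, "
          f"Shannon {shannon:.2f} bits, min-entropy {min_ent:.2f} bits")


if __name__ == "__main__":
    main()
```

The haystack figures assume every string in the space is equally likely, which is why the min-entropy of the skewed leak comes out far below both its Shannon entropy and the uniform log2(N) bound.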
  • JS, 14 Nov 2014 @ 9:30am

    https

    And make sure that the page you are entering your password on is https. Up until about 3 years ago, Facebook's login page wasn't.


    • Anonymous Coward, 14 Nov 2014 @ 9:33am

      Re: https

      And make sure that the page you are entering your password on is https.

      And make sure that the TLS certificate that your browser accepts is the expected one—chaining up to a trusted root CA.


      Oh, what?


  • Anonymous Coward, 14 Nov 2014 @ 7:56pm

    I did say “random”, didn’t I?

    Dilbert: Tour of Accounting

    xkcd: Random Number


