International Skeptics Forum » General Topics » Computers and the Internet

Old 10th August 2017, 01:39 PM   #1
Ron_Tomkins
Satan's Helper
Join Date: Oct 2007
Posts: 40,823
Passwords: Before I write my article about this, can someone explain its "logic"?

So, basically, I am unable to access my existing account at Copyright.gov, nor to create a new account, due to its insufferable, extreme list of requirements for password creation:

Quote:
Minimum password length must be 8 characters and consist of at least 2 alpha characters, 1 number and 1 special character.
A password must have no consecutive repeated characters.
A password must not include your user name or any part thereof.
A password must not include the names of a spouse, children, pets or one's own name.
A password must not include any regional sports teams or players.
A password must not include any office symbols.
A password must not include your social security number or any subset of your social security number that is more than a single number.
A password must not include words that can be found in any dictionary, whether English or any language.
A password must not be any of the 11 most recently used passwords for the account.
Some of these are plain laughable and feel like the site creator is literally mocking us: "A password must not include any regional sports teams or players" Could this be more random? First of all, why sports teams/ players? Why are those a no-no, but not Martial Arts fighters or movie directors? Is the person who created the site someone who hates sports? Or is there an actual logic behind this stupid requirement?

Some are, simply absurd: "A password must not include your social security number or any subset of your social security number that is more than a single number." First of all: If I'm a completely new user who's opening their account for the first time, then that means I haven't even entered such information as my Social Security Number. How in the Blue Hell then do you even know if any of the numbers I'm entering in my new password are found in my Social Security Number??

Finally, they completely destroy any possibility for you to create a password that you would remember and that would make sense to you by dictating that "A password must not include words that can be found in any dictionary, whether English or any language." This means you are left with nothing but strings of random letters, meaning this will be something you will need to write down on a piece of paper and save so you can remember it.


But aside from the fact that this one site is being a real bitch with the whole password creation, most of the sites where you create accounts have a list of requirements for your password.

But why???

The way I see it: it's my account, my responsibility. If I decide to create a password that's just "1234", and that means it has an extreme risk of being deciphered by others, that's MY PROBLEM. Some services such as gmail allow (at least for now) for you to create whatever the hell you wanna create as a password, so we know this is not universal to all sites/services.

Second of all, as I mentioned earlier, by introducing such a large list of demands, you make it so that I have to create a password that I wouldn't remember, because it ends up being something crafted to the site's individual desires. So I have to write it down somewhere, because I just won't remember. Especially considering each site has their unique list of requirements. That means that, at the end of the day, I'm still at the risk of having someone find that list and have access to all of my passwords. So, the rationale that this makes your password more secure, isn't precisely true.


Since recently I was looking for ideas to write a new article on my blog, it goes without saying that this subject has infuriated me so much, and for such a long time, that I'm gonna make this my new subject. However, before I start writing an article complaining about this, I would like to hear the opinions of some tech-savvy people (preferably people who are code programmers, and who have hands-on experience with this stuff) to patiently explain to me, as concisely as possible, why this **** makes sense at all.
__________________
"I am a collection of water, calcium and organic molecules called Carl Sagan"

Carl Sagan
Old 10th August 2017, 01:45 PM   #2
Hellbound
Merchant of Doom
 
Join Date: Sep 2002
Location: Somewhere between the central U.S. and Hades
Posts: 11,093
You'll be happy to see this, then:
https://nakedsecurity.sophos.com/201...-need-to-know/



ETA: NIST's new password recommendations say get rid of all that crazy stuff that makes users either use the same password everywhere or forget them all the time. You don't need artificial complexity to generate a strong password.

ETA2: Try converting a phrase or sentence, with punctuation and case, substituting 2 for to/two/too and 4 for "for". For example, take "I have not yet begun to fight!" and convert it to Ihnyb2f!.

Last edited by Hellbound; 10th August 2017 at 01:48 PM.
Old 10th August 2017, 01:51 PM   #3
Ron_Tomkins
Satan's Helper
Join Date: Oct 2007
Posts: 40,823
Originally Posted by Hellbound View Post
You'll be happy to see this, then:
https://nakedsecurity.sophos.com/201...-need-to-know/



ETA: NIST's new password recommendations say get rid of all that crazy stuff that makes users either use the same password everywhere or forget them all the time. You don't need artificial complexity to generate a strong password.

ETA2: Try converting a phrase or sentence, with punctuation and case, substituting 2 for to/two/too and 4 for "for". For example, take "I have not yet begun to fight!" and convert it to Ihnyb2f!.
Man, thank you!! Not only is this AWESOME news, but it will also serve as updated complementary information for me to include in my article.


So basically, what this new law is saying is that I was right! This whole ******** is only annoying, unnecessary and it's not even safer!
Old 10th August 2017, 02:03 PM   #4
Beelzebuddy
Philosopher
Join Date: Jun 2010
Posts: 5,437
Originally Posted by Ron_Tomkins View Post
I would like to hear the opinions of some tech-savvy people (preferably people who are code programmers, and who have hands-on experience with this stuff) to patiently explain to me, as concisely as possible, why this **** makes sense at all.
It does not. There is a boss somewhere demanding these silly rules in response to complaints of "hackers" because a dumbass used their SSN as their password and now they're threatening to sue.

Quote:
So I have to write it down somewhere, because I just won't remember. Especially considering each site has their unique list of requirements. That means that, at the end of the day, I'm still at the risk of having someone find that list and have access to all of my passwords.
That's actually the best course of action. Keep it in your desk or something.

The biggest threat to your account security is not that a random mugger or burglar will have a post-it note with access to your accounts, it's that a random script kiddie will. The mugger probably won't even know how to take advantage of them; he'll take the money and the credit cards and throw the rest away. But the hacker makes his living off exploiting exactly that sort of information.
Old 10th August 2017, 02:26 PM   #5
bytewizard
Graduate Poster
Join Date: Jan 2016
Location: In the woods
Posts: 1,580
What's even funnier is that the administrators of the passwords create a backdoor username and password for the programmers to use so they don't have to try and remember a complex one when they have to repeatedly log in. The backdoor username/password is usually something as simple as "Admin5/Admin5". Hypocrites.
Old 10th August 2017, 02:39 PM   #6
mike81
Critical Thinker
 
Join Date: Nov 2009
Posts: 312
I use a password safe called Keepass. It generates passwords with whatever requirements you select. When I need to login to a site, I just copy the password from Keepass and paste it in the login screen. I have no clue what most of my passwords are since they are just random numbers, letters, symbols, etc.

There are just a few important sites where I use a password that I can remember. That's in case I don't have access to Keepass and need to login to one of those sites. It's what appears to be random characters, but makes sense to me and is easy for me to remember.

Last edited by mike81; 10th August 2017 at 02:40 PM.
Old 10th August 2017, 02:40 PM   #7
Kid Eager
Philosopher
Join Date: Nov 2010
Posts: 6,188
I read some time ago that a random sentence from a book is a better password than all that rule stuff.
__________________
What do Narwhals, Magnets and Apollo 13 have in common? Think about it....
Old 10th August 2017, 02:50 PM   #8
Hagrok
Muse
Join Date: Feb 2004
Posts: 936
Incidentally, if you really need to make a password that fits that silly arbitrary criteria you can use a site like this one: http://passwordsgenerator.net/

Then just write it down and file it somewhere, as was mentioned before. If it's your home office, anyone who breaks in could not care less what your password to copyright.gov is. You're significantly more vulnerable to attacks at work, however.
__________________
Indecision may or may not be my problem...
Old 10th August 2017, 02:53 PM   #9
Ampulla of Vater
Master Poster
Join Date: Aug 2010
Location: North of the White Line of Toldt
Posts: 2,859
Here is an article supposedly by the guy who came up with the current rules:

http://gizmodo.com/the-guy-who-inven...now-1797643987
Old 10th August 2017, 03:54 PM   #10
Ron_Tomkins
Satan's Helper
Join Date: Oct 2007
Posts: 40,823
Originally Posted by Hagrok View Post
Incidentally, if you really need to make a password that fits that silly arbitrary criteria you can use a site like this one: http://passwordsgenerator.net/

Then just write it down and file it somewhere, as was mentioned before. If it's your home office, anyone who breaks it could not care less what your password to copyright.gov is. You're significantly more vulnerable to attacks at work, however.
Thanks! I think I'm gonna try that. Though I wouldn't be surprised if the *********** site still didn't accept it. I tell you, it just makes no sense. I'm doing exactly everything they require and they still don't accept my passwords. I seriously think their system is broken.
Old 10th August 2017, 03:56 PM   #11
Ron_Tomkins
Satan's Helper
Join Date: Oct 2007
Posts: 40,823
Originally Posted by Ampulla of Vater View Post
Here is an article supposedly by the guy who came up with the current rules:

http://gizmodo.com/the-guy-who-inven...now-1797643987
This source is also gonna come very handy for my article!


(By the way.... Bill Burr is the guy's name?? I had to re-read the first paragraph because for a moment, I thought they were joking, since Bill Burr is the name of a famous comedian. I guess that's just a coincidence then, but how ironic, considering this whole Password thingie is a big JOKE)
Old 10th August 2017, 05:01 PM   #12
Trebuchet
Penultimate Amazing
Join Date: Nov 2003
Location: The Great Northwet
Posts: 12,389
I always enjoyed the "no word in any language" one. "A" and "I" are words in English. "Y" is a word in Spanish. "U" is a word in Textish. So much for four of the 26.

I was once, briefly and stupidly, the System Administrator for a VAX. I even went and took classes. I learned there were three default accounts on a system, with the following usernames and passwords: "System/Manager", "Field/Service", "User/User". (Not sure about the last one.) One of their customers, headquartered in Redmond, WA, had been hacked. They hadn't changed either of the first two fully privileged accounts. (35 years ago.)

My former very large aerospace company had become rather enlightened on the subject by the time I left. It helped that they were still using IBM mainframes, which couldn't do more than eight characters or use special characters, which they extended as the default to all systems. They also had a web-based app to change multiple passwords at once. That came in handy four times a year.

ETA: My next password is going to be "CorrectHorseSomethingSomething", because I can't remember the other two words.
__________________
Cum catapultae proscribeantur tum soli proscripti catapultas habeant.

Last edited by Trebuchet; 10th August 2017 at 05:15 PM.
Old 10th August 2017, 05:30 PM   #13
paulhutch
Graduate Poster
 
Join Date: Mar 2010
Location: Blackstone River Valley, MA
Posts: 1,852
Originally Posted by Ron_Tomkins View Post
Man, thank you!! Not only is this AWESOME news, but it will also serve as updated complimentary information for me to include in my article.


So basically, what this new law is saying is that I was right! This whole ******** is only annoying, unnecessary and it's not even safer!
Since you're going to write an article I thought I'd point out that it is not even close to being a law. It's simply best practice guidelines based on the best available science from NIST.
Old 10th August 2017, 06:21 PM   #14
Modified
Philosopher
Join Date: Sep 2006
Posts: 6,337
Originally Posted by Hellbound View Post
ETA2: Try converting a phrase or sentence, with punctuation and case, substituting 2 for to/two/too and 4 for "for". For example, take "I have not yet begun to fight!" and convert it to Ihnyb2f!.
Aren't password crackers aware of that by now? I wouldn't use common sayings, movie quotes, literary quotes, song lyrics, etc., but something more personal.
Old 10th August 2017, 08:48 PM   #15
Ron_Tomkins
Satan's Helper
Join Date: Oct 2007
Posts: 40,823
Originally Posted by paulhutch View Post
Since you're going to write an article I thought I'd point out that it is not even close to being a law. It's simply best practice guidelines based on the best available science from NIST.
Nitpicky, but still helpful
Old 10th August 2017, 08:52 PM   #16
deadrose
Master Poster
Join Date: Nov 2005
Location: the wet side of the mountains
Posts: 2,489
The point of having upper and lower case, numbers and symbols is that the pool of possibilities for each character is enlarged massively. Instead of 26 letters, you have 52, plus 0-9, and whatever symbols are allowed. It makes a dictionary attack useless, and a brute force attack much more difficult.

So even if you license plate it, l33t it or just turn it to txtspk, unless it's the current hot catchphrase or song title, it's unlikely to be broken, and yet is easy to remember.
Old 10th August 2017, 09:58 PM   #17
Babbylonian
Philosopher
Join Date: Feb 2007
Posts: 9,713
My preference is for strings of 3 or more words (English for me; your language may vary). As long as the website [properly] allows long passwords, and as long as you keep away from popular quotes or catchphrases, or easily discoverable personal information, nobody is going to crack your password without inside information. I find these not only easier to remember but much easier to type. Despite typing for 8-12 hours every day, I still have trouble at times typing nonsense, which is what short passwords with numbers and symbols end up being.

I only get into numbers and symbols when I'm forced by dumb password policies, including short password lengths which are now my biggest password pet peeve.
__________________
Never let anyone forget that the American people elected a rapist to be their president. President Rapist is the only name that should be used when referring to this evil narcissist.
Old 10th August 2017, 10:03 PM   #18
DevilsAdvocate
Illuminator
Join Date: Nov 2004
Posts: 4,638
Maybe. Or maybe not. Mathematically, all those restrictions limit the number of possible permutations. Just cycling through all possible permutations, a great many could be eliminated without testing because they don’t meet the password criteria. There would still be a lot, though.

On the other hand, if there are no restrictions it may be easy to guess the password. The restrictions eliminate many passwords that would be easy to guess.

On yet the other hand, the restrictions can make the password somewhat easier to guess. Because it restricts what the user can choose for a password, it can become easier to make certain assumptions about likely passwords.

For example, the password is likely to be based on a set of alphabetic characters. That series of letters is probably 5-7 (or maybe 8) characters so that it is long enough to meet the password length requirement but not too long to be cumbersome. The letters may be based on the first letters of a common phrase (as is commonly suggested). That can narrow down the possible base of the password quite a bit. Or the letters may be a word. If dictionary words are not allowed, it probably has a l33t transformation.

Because many passwords require a capital letter, it is likely that the first letter in the alphabetic series is upper case and the rest of the letters are lower case.

The special character is probably the last character, unless a special character is used in the l33t transformation. If it is at the end, it is probably ! or $ because those are easy to remember and are almost always allowed (in passwords that specify specific special characters that must be used) so it makes it convenient when using the same password for multiple sites.

The number requirement may be fulfilled by a l33t transformation if the base word is toward the longer side. Otherwise, the numbers are probably 1 or 2 numbers following the base word, or at the very end or very beginning of the password. If two numbers are likely, a good guess would be the current year (17) or the person’s birth year or other significant number. Repeated numbers are likely when they are filler to meet the number and length requirements, or if repeated characters are not allowed then they are probably consecutive numbers like 12 or 56.

And so on. We end up exchanging one set of psychological determinants for a likely password with another set. If we continue to attempt to eliminate every possible likely password, we’ll end up with only a few possible permitted passwords left!

Of course there is a benefit in having a minimum password length and not allowing things like “password” or “1234”. But increasing those restrictions has diminishing returns, and can eventually even turn back and become less beneficial.
__________________
Heaven forbid someone reads these words and claims to be adversely affected by them, thus ensuring a barrage of lawsuits filed under the guise of protecting the unknowing victims who were stupid enough to read this and believe it! - Kevin Trudeau
Old 10th August 2017, 10:16 PM   #19
DevilsAdvocate
Illuminator
Join Date: Nov 2004
Posts: 4,638
Originally Posted by Babbylonian View Post
My preference is for strings of 3 or more words (English for me; your language may vary). As long as the website [properly] allows long passwords, and as long as you keep away from popular quotes or catchphrases, or easily discoverable personal information, nobody is going to crack your password without inside information. I find these not only easier to remember but much easier to type. Despite typing for 8-12 hours every day, I still have trouble at times typing nonsense, which is what short passwords with numbers and symbols end up being.

I only get into numbers and symbols when I'm forced by dumb password policies, including short password lengths which are now my biggest password pet peeve.
I think that is what NIST is getting at. Without restrictions, I could have a password like "gold ponydog" that would be easy to remember and type but would be pretty hard to hack given that I could have chosen anything. But with the restrictions in the OP, I would probably have to go with something like D3vil17! that looks like a "strong" password but that could actually be rather easy to guess.
Old 10th August 2017, 11:16 PM   #20
GlennB
In search of pi(e)
Join Date: Sep 2006
Location: Pie City, Arcadia
Posts: 20,426
xkcd has this covered

(I once did something similar to generate passwords in Unix systems - take the first 4 letters from each of a pair of random words of > 4 letters, and plug them together. So green light would become the password greeligh. All the user had to do was remember "green light" and the way the system worked)

__________________
"Even a broken clock is right twice a day. 9/11 truth is a clock with no hands." - Beachnut

Last edited by GlennB; 10th August 2017 at 11:29 PM.
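The search-space arguments in this thread (deadrose's "bigger pool per character", DevilsAdvocate's "the policy tells the attacker what shape to guess", and the xkcd strip) can be put into numbers. The following is an added example written for this page, not code from any poster or from NIST. It assumes a 94-character alphabet (letters, digits, the 32 ASCII punctuation marks, no space), uses hashcat-style mask tokens (?u ?l ?d ?s) as a convenient notation for "the shape of a guess", and takes 10^10 guesses per second as a rough rate for an unsalted fast hash on a GPU rig; all three are assumptions, marked in the code. The `policy_space` function counts exactly how many 8-character strings satisfy the mechanically checkable rules from the opening post (two letters, a digit, a special, no two equal neighbours), so the policy's own effect on the space can be compared with the effect of the habits it induces.

```python
import math

# Assumption: the site accepts 94 printable ASCII characters minus space:
# 52 letters, 10 digits, 32 punctuation marks.
ALPHA, DIGIT, SPECIAL = 52, 10, 32
ALPHABET = ALPHA + DIGIT + SPECIAL
CLASS_SIZES = {"u": 26, "l": 26, "d": 10, "s": 32}  # hashcat-style mask tokens


def bits(space: int) -> float:
    """Search space expressed as bits of entropy for a uniformly random choice."""
    return math.log2(space)


def brute_force_space(length: int = 8) -> int:
    return ALPHABET ** length


def policy_space(length: int = 8) -> int:
    """Count strings of the given length that satisfy the OP's mechanical rules:
    at least 2 letters, 1 digit, 1 special character, no two equal neighbours.
    Dynamic programme over (letters seen capped at 2, digit seen, special seen,
    class of previous character); the no-repeat rule removes one choice whenever
    the next character comes from the same class as the previous one."""
    sizes = {"a": ALPHA, "d": DIGIT, "s": SPECIAL}
    states = {(0, False, False, None): 1}
    for _ in range(length):
        nxt = {}
        for (a, d, s, last), count in states.items():
            for cls, size in sizes.items():
                ways = size - (1 if cls == last else 0)
                key = (min(a + (cls == "a"), 2), d or cls == "d", s or cls == "s", cls)
                nxt[key] = nxt.get(key, 0) + count * ways
        states = nxt
    return sum(c for (a, d, s, _), c in states.items() if a == 2 and d and s)


def mask_space(mask: str, custom: dict = None) -> int:
    """Size of a hashcat-style mask such as '?u?l?l?l?l?d?d?1', where '?1' is a
    custom set supplied in `custom` (e.g. {'1': '!$'}). Other characters are
    literals with exactly one choice."""
    custom = custom or {}
    space, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            tok = mask[i + 1]
            space *= len(custom[tok]) if tok in custom else CLASS_SIZES[tok]
            i += 2
        else:
            i += 1
    return space


def structured_guess_space(words: int = 50_000, leet_variants: int = 8,
                           digit_suffixes: int = 100, specials: int = 2) -> int:
    """'Capitalised dictionary word, a few l33t swaps, two digits, ! or $':
    the shape a policy like the OP's pushes people toward (D3vil17! fits it).
    The word-list size and variant counts are assumed round numbers."""
    return words * leet_variants * digit_suffixes * specials


def passphrase_space(word_list: int, n_words: int) -> int:
    """n words drawn uniformly at random from a list of word_list entries."""
    return word_list ** n_words


def seconds_to_exhaust(space: int, guesses_per_second: float = 1e10) -> float:
    # Assumption: 1e10/s for a fast unsalted hash on a GPU rig. A slow password
    # hash (bcrypt/scrypt/Argon2) cuts the rate by several orders of magnitude.
    return space / guesses_per_second


if __name__ == "__main__":
    rows = [
        ("8 random printable chars", brute_force_space(8)),
        ("8 chars meeting the OP's policy", policy_space(8)),
        ("mask ?u?l?l?l?l?d?d?1 (!$)", mask_space("?u?l?l?l?l?d?d?1", {"1": "!$"})),
        ("Word+l33t+2 digits+!/$", structured_guess_space()),
        ("3 random words of 50k", passphrase_space(50_000, 3)),
        ("4 random words of 7776 (diceware)", passphrase_space(7776, 4)),
    ]
    for label, space in rows:
        print(f"{label:36} {bits(space):5.1f} bits  {seconds_to_exhaust(space):14.0f} s")
```

What the table shows: the policy rules themselves cut the 8-character space roughly in half (about one bit), but the guess shape people adopt under the policy is twenty-odd bits smaller than that, and a dictionary-word-plus-suffix habit is smaller still. Four random diceware words land in the same range as a uniformly random 8-character string while being typeable, which is the xkcd point; the caveat from later in the thread also holds in the numbers, because "random" is doing the work. Three words from a famous quote are a single entry in a phrase list, not 50000^3.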
Old 10th August 2017, 11:32 PM   #21
Darat
Lackey
Administrator
Join Date: Aug 2001
Location: South East, UK
Posts: 77,742
Originally Posted by Ron_Tomkins View Post
Thanks! I think I'm gonna try that. Though I wouldn't be surprised if the *********** site still didn't accept it. I tell you, it just makes no sense. I'm doing exactly everything they require and they still don't accept my passwords. I seriously think their system is broken.
The site is not going to check your password against all the criteria it lists! It will check a handful of them, such as length and does it include a special character.
__________________
I wish I knew how to quit you
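Darat's point, and the rule list in the opening post, can be made concrete by writing down what a server can actually evaluate from the submitted string. The code below is an added example for this page; it is not the thread's code and not Copyright.gov's. It implements the rules that are mechanically checkable (length, character classes, no repeated neighbours, user name, password history, and a word list) and flags the rest as uncheckable: names of relatives, sports teams and office symbols need data the server does not have, and the SSN rule is only testable once an SSN is on file, which at sign-up it is not. Assumptions, also marked in comments: "any part" of the user name means any substring of three or more characters, dictionary words only count from four letters (otherwise "a" and "I" reject everything), the word list is a constructed stand-in, and the history is stored as plain SHA-256 purely to keep the demo deterministic.

```python
import hashlib
import re
import string
from typing import Iterable, Optional

# Constructed mini word list standing in for "any dictionary, in any language".
# A real check loads a large list per language and still cannot be exhaustive.
DICTIONARY = {"password", "devil", "banana", "green", "light", "fight", "horse"}

# Rules from the quoted list that cannot be evaluated from the submitted string:
# the server holds no list of the user's relatives and pets, of sports teams,
# or of office symbols. They can be stated to the user, not enforced.
UNCHECKABLE = ("names", "sports teams", "office symbols")

HISTORY_DEPTH = 11  # "not any of the 11 most recently used passwords"


def hash_pw(pw: str) -> str:
    # Demo only: plain SHA-256 keeps the example deterministic. A real history
    # or credential store uses a salted, slow hash (bcrypt/scrypt/Argon2).
    return hashlib.sha256(pw.encode()).hexdigest()


def _contains_username_part(pw: str, username: str, min_len: int = 3) -> bool:
    # Assumption: "any part thereof" means any substring of the user name of
    # min_len or more characters, compared case-insensitively.
    u, p = username.lower(), pw.lower()
    return any(u[i:j] in p
               for i in range(len(u) - min_len + 1)
               for j in range(i + min_len, len(u) + 1))


def _contains_ssn_part(pw: str, ssn: Optional[str]) -> bool:
    # "Any subset ... that is more than a single number": any 2+ digit run of
    # the SSN. Only checkable when an SSN is already on file; at sign-up it is
    # None and the rule silently passes.
    if not ssn:
        return False
    digits = re.sub(r"\D", "", ssn)
    return any(digits[i:j] in pw
               for i in range(len(digits))
               for j in range(i + 2, len(digits) + 1))


def _contains_dictionary_word(pw: str, words: Iterable[str], min_len: int = 4) -> bool:
    # Assumption: only words of min_len+ letters count, otherwise single-letter
    # words such as "a" and "I" would reject every password.
    low = pw.lower()
    return any(w in low for w in words if len(w) >= min_len)


def check_policy(pw: str, username: str, previous_hashes: Iterable[str] = (),
                 ssn: Optional[str] = None, words: Iterable[str] = DICTIONARY) -> list:
    """Return the names of the rules the candidate password violates, in the
    order the opening post lists them. An empty list means it passes every
    rule the server is able to check."""
    violations = []
    if len(pw) < 8:
        violations.append("length")
    if sum(c.isalpha() for c in pw) < 2:
        violations.append("alpha")
    if not any(c.isdigit() for c in pw):
        violations.append("digit")
    if not any(c in string.punctuation for c in pw):
        violations.append("special")
    if any(a == b for a, b in zip(pw, pw[1:])):  # "no consecutive repeated characters"
        violations.append("repeat")
    if _contains_username_part(pw, username):
        violations.append("username")
    if _contains_ssn_part(pw, ssn):
        violations.append("ssn")
    if _contains_dictionary_word(pw, words):
        violations.append("dictionary")
    if hash_pw(pw) in list(previous_hashes)[-HISTORY_DEPTH:]:
        violations.append("history")
    return violations
```

Running `check_policy("Password1!", "ron")` reports both the repeated "ss" and the dictionary hit, while Hellbound's "Ihnyb2f!" passes every rule this code can test. The practical point for anyone debugging a rejection like the one in the opening post is that the server-side list and the published list are rarely the same thing, and the uncheckable rules are there for the user to apply, not the machine.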
Old 10th August 2017, 11:37 PM   #22
Darat
Lackey
Administrator
Join Date: Aug 2001
Location: South East, UK
Posts: 77,742
Originally Posted by DevilsAdvocate View Post
...snip...

And so on. We end up exchanging one set of psychological determinants for a likely password with another set. If we continue to attempt to eliminate every possible likely password, we’ll end up with only a few possible permitted passwords left!

...snip...
This is part of the reason why NIST suggestions for passwords have changed.
Old 11th August 2017, 12:13 AM   #23
Babbylonian
Philosopher
Join Date: Feb 2007
Posts: 9,713
Originally Posted by DevilsAdvocate View Post
I think that is what NIST is getting at. Without restrictions, I could have a password like "gold ponydog" that would be easy to remember and type but would be pretty hard to hack given that I could have chosen anything. But with the restrictions in the OP, I would probably have to go with something like D3vil17! that looks like a "strong" password but that could actually be rather easy to guess.
Good sites/services, fortunately, have long ago done away with the arbitrary password requirements. Unfortunately, in my job I access up to 10 hospital systems a day, and I expect it to be many years more of changing my short, confusing passwords every 3-6 months. Such a bummer.
Old 11th August 2017, 01:57 AM   #24
fagin
Illuminator
Join Date: Aug 2007
Location: As far away from casebro as possible.
Posts: 4,251
I need to access a dozen or so sites regularly for work. I got so fed up with them needing to change all the time (with regular emails from IT about keeping **** safe, including how to use some sort of online 'password safe') that I have a little notebook on my desk that I update them in.

I've written, in big letters on the cover, 'PASSWORD SAFE - KEEP OUT'.

Might not be the most secure system (although I have asked people to KEEP OUT) but it does come in handy so colleagues can access things when I'm away.

For my personal stuff I just use the Google remember this password thingy.
__________________
There is no secret ingredient - Kung Fu Panda
Old 11th August 2017, 03:45 AM   #25
paulhutch
Graduate Poster
 
Join Date: Mar 2010
Location: Blackstone River Valley, MA
Posts: 1,852
Originally Posted by Modified View Post
Aren't password crackers aware of that by now? I wouldn't use common sayings, movie quotes, literary quotes, song lyrics, etc., but something more personal.
Yes, they are. I can't find the article now, but this year a security company published a paper showing how they succeeded in cracking very long passphrases rapidly using a new algorithm.

It was done in response to this,

Originally Posted by GlennB View Post
xkcd has this covered

(I once did something similar to generate passwords in Unix systems - take the first 4 letters from each of a pair of random words of > 4 letters, and plug them together. So green light would become the password greeligh. All the user had to do was remember "green light" and the way the system worked)

https://imgs.xkcd.com/comics/password_strength.png
and pointed out that basing your password on words in the English language dictionary is no longer safe due to advanced password cracking algorithms and cheap high-performance computing (IIRC, the researcher used relatively cheap GPU clusters). Responding to the article, Randall Munroe pointed out that he is absolutely not a cryptography expert and his XKCD strip was only meant to illustrate a mathematical property that proves that no matter how random-looking the password is, if it is short it can be cracked quickly.

If you want the passwords to be very secure you should use a password vault program and generate a unique very long random sequence password for every login you have.
Old 11th August 2017, 04:24 AM   #26
Argumemnon
World Maker
Join Date: Oct 2005
Location: In the thick of things
Posts: 64,938
Originally Posted by Ron_Tomkins View Post
But why???
A lot of "rules" about passwords are ridiculous. As a computer programmer I think that the most important things about a password are:

1) That no one can guess the password just by knowing you.
2) That you can easily remember it, especially considering how many passwords we need nowadays.
3) That the system locks the account after a set number of attempts, avoiding brute force attacks.

So "Banana" would probably be a pretty great password, first because it won't be within people's first few attempts, and because it has nothing to do with you unless you work in the banana industry, in which case it's stupid. In addition, it's easy for you to remember, so you don't have to write it down, potentially helping people to find it.
__________________
"Yes. But we'll hit theirs as well. We have reserves. Attack!"
Old 11th August 2017, 06:03 AM   #27
elgarak
Illuminator
 
Join Date: Nov 2003
Posts: 4,231
Originally Posted by Kid Eager View Post
I read some time ago that a random sentence from a book is a better password than all that rule stuff.
It is. At least, with the current way hackers try to hack passwords: for short-ish passwords the crack programs that are commonly used try dictionary approaches, standard character replacements (! instead of 1, 4 instead of A, etc.) and such, but with longer passwords, somewhere longer than 12 or 16 characters, they default to brute force. An easy-to-remember and easy-to-type long password is a random sentence. Even if they try to add dictionary approaches, you can throw up obstacles by using nonsense sentences with words that are not usually combined. Last, the space character is treated as a special character by most password checkers and crackers... but since people assume a password to be a single word, it's one of the seldom-used special characters. Another thing is that hackers often use just the user names and hash tag lists obtained from some service sites (not containing the actual passwords, just their hash tag) and then try to guess a password that fits the hash. Any user in there with a long password is essentially shielded by the mass of other sucker users that use short passwords that are easier to crack by hash.

So yes, a very good and safe approach to password security would be to simply allow people long passwords that do not follow easy-to-guess rules (such as strings of the same letter or series like abcd or 1234). Random sentences would work for that, unless everyone does that and always uses the same popular sentences (but that should be easy to defeat with the mentioned recommendations of using nonsense sentences or character replacements, while keeping those as RECOMMENDATIONS, not REQUIREMENTS; leave the complexity of the whole set of passwords with the users).

Doesn't help if you get a site like the OP describes, which essentially tries to do the right thing but frustrates the user so much that they resort to unsafe practices. What really grinds my gears are sites that use such a complex set of rules ... AND LIMIT THE LENGTH... AAARGH...
Old 11th August 2017, 06:11 AM   #28
Jack by the hedge
Safely Ignored
 
Join Date: Oct 2009
Posts: 8,470
I used to think I was clever using vertical runs down the keyboard as passwords. Fits the rules, looks random, super easy to remember.

But then I read an article about the top 10 most commonly used passwords and right there was "1qaz2wsx". D'oh.
Old 11th August 2017, 06:57 AM   #29
elgarak
Illuminator
 
Join Date: Nov 2003
Posts: 4,231
Originally Posted by Argumemnon View Post
A lot of "rules" about passwords are ridiculous. As a computer programmer I think that the most important things about a password are:

1) That no one can guess the password just by knowing you.
2) That you can easily remember it, especially considering how many passwords we need nowadays.
3) That the system locks the account after a set number of attempts, avoiding brute force attacks.

So "Banana" would probably be a pretty great password, first because it won't be within people's first few attempts, and because it has nothing to do with you unless you work in the banana industry, in which case it's stupid. In addition, it's easy for you to remember, so you don't have to write it down, potentially helping people to find it.
Re. (3): As I understand it, the primary way to hack passwords (say, for web services) is not via the normal login process. It's getting a list of user names and the password hash numbers, and then trying to find passwords fitting the hash numbers. That can be done at your leisure; it's just running on data on the hacker/cracker's own machine. After that, the hacker/cracker has only a very limited set of passwords to try in the login, assuming the login process DOES actually use the full passwords. Some services just use the hash numbers alone.

Another really problematic practice some services use is allowing long passwords with few requirements ... but not actually using the full password, instead cutting it off at 12 characters or so. So a user thinks he's using a safe long password but in fact is not.

Last edited by elgarak; 11th August 2017 at 07:02 AM.
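Two things in the post above can be shown in code: why a stolen hash list can be worked on "at leisure" unless the service hashes properly, and how a user or site owner can tell whether a service silently cuts the password off at some length. The following is an added example, not code from any poster or from Copyright.gov: a minimal credential store with per-user salt, a slow key-derivation function (PBKDF2-HMAC-SHA256) and a constant-time comparison, with an optional `max_length` that reproduces the truncation defect, plus a black-box probe that registers a throwaway account and reports the shortest prefix the service still accepts. The class and function names, the iteration counts and the probe account name are all assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class PasswordStore:
    """Minimal credential store: salted PBKDF2-HMAC-SHA256, constant-time compare.
    `max_length` models the truncation defect described in the thread; leave it
    None for correct behaviour.  (Hypothetical class, written for this example.)"""

    def __init__(self, iterations: int = 600_000, max_length: Optional[int] = None):
        self.iterations = iterations      # slow hashing: each offline guess costs this much work
        self.max_length = max_length
        self._users: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, derived key)

    def _digest(self, password: str, salt: bytes) -> bytes:
        if self.max_length is not None:
            password = password[: self.max_length]  # the defect: the tail is silently dropped
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)  # unique per user, so equal passwords hash differently
        self._users[user] = (salt, self._digest(password, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, stored = self._users.get(user, (b"", b""))
        if not stored:
            return False
        # compare_digest keeps timing independent of where the digests differ
        return hmac.compare_digest(stored, self._digest(password, salt))


def detect_truncation(store: PasswordStore, probe_user: str = "_probe") -> Optional[int]:
    """Black-box check: register a long random password, then try every strict
    prefix of it.  Returns the shortest accepted prefix length, or None when only
    the full password logs in (i.e. no truncation)."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    probe = "".join(secrets.choice(alphabet) for _ in range(24))  # constructed probe value
    store.register(probe_user, probe)
    for n in range(1, len(probe)):
        if store.verify(probe_user, probe[:n]):
            return n
    return None


if __name__ == "__main__":
    # Iteration count lowered so the demo finishes quickly; keep the default in real use.
    good = PasswordStore(iterations=20_000)
    bad = PasswordStore(iterations=20_000, max_length=12)
    print("correct store truncates at:", detect_truncation(good))   # None
    print("defective store truncates at:", detect_truncation(bad))  # 12
```

The probe only touches an account you created yourself, so it is a legitimate audit of a service's own behaviour; a result other than `None` means everything past that position in your password is ignored, which is exactly the "safe long password that in fact is not" case above.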
Old 11th August 2017, 07:01 AM   #30
Argumemnon
World Maker
 
Join Date: Oct 2005
Location: In the thick of things
Posts: 64,938
Originally Posted by elgarak View Post
Re. (3): As I understand it, the primary way to hack passwords (say, for web services) is not via the normal login process. It's getting a list of user names and the password hash numbers, and then trying to find passwords fitting the hash numbers. That can be done at your leisure. It's just running on data on the hacker/cracker's own machine.
Yeah but that's a security problem with the server, not the password or its handling. And they're going to get the PWs this way at some point regardless of what they are.
__________________
"Yes. But we'll hit theirs as well. We have reserves. Attack!"
Old 11th August 2017, 07:21 AM   #31
Ron_Tomkins
Satan's Helper
 
Join Date: Oct 2007
Posts: 40,823
Originally Posted by DevilsAdvocate View Post
Maybe. Or maybe not. Mathematically, all those restrictions limit the number of possible permutations. Just cycling through all possible permutations, a great many could be eliminated without testing because they don’t meet the password criteria. There would still be a lot, though.

On the other hand, if there are no restrictions it may be easy to guess the password. The restrictions eliminate many passwords that would be easy to guess.

On yet the other hand, the restrictions can make the password somewhat easier to guess. Because it restricts what the user can choose for a password, it can become easier to make certain assumptions about likely passwords.

For example, the password is likely to be based on a set of alphabetic characters. That series of letters is probably 5-7 (or maybe 8) characters so that it is long enough to meet the password length requirement but not so long as to be cumbersome. The letters may be based on the first letters of a common phrase (as is commonly suggested). That can narrow down the possible base of the password quite a bit. Or the letters may be a word. If dictionary words are not allowed, it probably has a l33t transformation.

Because many passwords require a capital letter, it is likely that the first letter in the alphabetic series is upper case and the rest of the letters are lower case.

The special character is probably the last character, unless a special character is used in the l33t transformation. If it is at the end, it is probably ! or $ because those are easy to remember and are almost always allowed (in passwords that specify specific special characters that must be used), so it makes it convenient when using the same password for multiple sites.

The number requirement may be fulfilled by a l33t transformation if the base word is toward the longer side. Otherwise, the numbers are probably 1 or 2 numbers following the base word, or at the very end or very beginning of the password. If two numbers are likely, a good guess would be the current year (17) or the person’s birth year or other significant number. Repeated numbers are likely when they are filler to meet the number and length requirements, or if repeated characters are not allowed then they are probably consecutive numbers like 12 or 56.

And so on. We end up exchanging one set of psychological determinants for a likely password with another set. If we continue to attempt to eliminate every possible likely password, we’ll end up with only a few possible permitted passwords left!

Of course there is a benefit in having a minimum password length and not allowing things like “password” or “1234”. But increasing those restrictions has diminishing returns, and can eventually even turn back and become less beneficial.
Spoken like a true Devil's Advocate
__________________
"I am a collection of water, calcium and organic molecules called Carl Sagan"

Carl Sagan
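The counting argument in the DevilsAdvocate post quoted above (the restrictions shrink the space, but "there would still be a lot") and elgarak's point in #27 that long passphrases push crackers back to brute force can both be put in numbers. The following is an added example, not code from any poster: it counts exactly how many 8-character strings satisfy the OP's first two rules (at least 2 alpha, 1 digit, 1 special, no immediately repeated character) and compares the guess-space, in bits, of the schemes mentioned in the thread, under the usual defender's assumption that the attacker knows which scheme was used. The word-list sizes (20,000 words longer than four letters for the "greeligh" scheme, 7,776 for a Diceware list) and the 1e10 guesses/second offline rate are constructed figures for illustration, and the function names are mine.

```python
import math
from collections import defaultdict
from typing import Dict

# Character classes of the 94 printable ASCII characters (excluding space).
CLASSES = {"alpha": 52, "digit": 10, "special": 32}
ALPHABET = sum(CLASSES.values())  # 94


def count_policy_passwords(length: int = 8) -> int:
    """Exact number of strings of `length` printable characters with at least
    2 alpha, 1 digit and 1 special character and no character immediately
    repeated.  Dynamic programme over positions; state = (alpha count capped
    at 2, digit seen, special seen, class of the previous character)."""
    states = {(0, False, False, None): 1}
    for _ in range(length):
        nxt = defaultdict(int)
        for (alpha, digit, special, last), ways in states.items():
            for cls, size in CLASSES.items():
                # Same class as the previous character: the one repeat is forbidden.
                choices = size - 1 if cls == last else size
                key = (min(2, alpha + (cls == "alpha")),
                       digit or cls == "digit",
                       special or cls == "special",
                       cls)
                nxt[key] += ways * choices
        states = nxt
    return sum(w for (a, d, s, _), w in states.items() if a == 2 and d and s)


def policy_fraction(length: int = 8) -> float:
    """Share of all printable strings of that length the policy still allows."""
    return count_policy_passwords(length) / ALPHABET ** length


def bits(space: float) -> float:
    """Entropy in bits of a password drawn uniformly from `space` candidates."""
    return math.log2(space)


def scheme_bits() -> Dict[str, float]:
    """Guess-space of the schemes discussed in the thread (assumed list sizes)."""
    words_over_4 = 20_000   # assumed size of a word list of words longer than 4 letters
    diceware = 7776         # standard Diceware list size
    return {
        "8 chars, Copyright.gov-style policy": bits(count_policy_passwords(8)),
        "8 chars, unrestricted printable": bits(ALPHABET ** 8),
        "two 4-letter word prefixes (greeligh)": bits(words_over_4 ** 2),
        "four random Diceware words": bits(diceware ** 4),
        "random 16 printable (vault-generated)": bits(ALPHABET ** 16),
    }


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password (half the space) at an offline guess rate."""
    return 2 ** entropy_bits / 2 / guesses_per_second


if __name__ == "__main__":
    print(f"8-char policy keeps {policy_fraction():.1%} of the unrestricted space")
    for name, b in scheme_bits().items():
        days = expected_crack_seconds(b, 1e10) / 86400
        print(f"{name:42s} {b:6.1f} bits  ~{days:.3g} days at 1e10 guesses/s")
```

The point the numbers make: the composition rules cost the 8-character space only a fraction (on the order of a bit), so they neither help nor hurt much against brute force; what moves the result by tens of bits is length and true randomness, which is why the vault-generated string and the multi-word passphrase sit far above the 8-character policy, and why a two-word-prefix scheme is weak once the attacker knows the construction.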
Old 11th August 2017, 07:23 AM   #32
Beerina
Sarcastic Conqueror of Notions
 
Join Date: Mar 2004
Posts: 28,743
Originally Posted by Hellbound View Post
ETA2: Try converting a phrase or sentence, with punctuation and case, substituting 2 for to/two/too and 4 for "for". For example, take "I have not yet begun to fight!" and convert it to Ihnyb2f!.

Oooh, so if I was a fan of the new Wonder Woman, Gal Gadot, would Iw2hswgg! work? Or maybe Allison Brie from GLOW, Iw2fthsooab! ?
__________________
"Great innovations should not be forced [by way of] slender majorities." - Thomas Jefferson

The government should nationalize it! Socialized, single-payer video game development and sales now! More, cheaper, better games, right? Right?
Old 11th August 2017, 07:23 AM   #33
elgarak
Illuminator
 
Join Date: Nov 2003
Posts: 4,231
Originally Posted by paulhutch View Post
Yes they are. I can't find the article now, but this year a security company published a paper showing how they succeeded in cracking very long passphrases rapidly using a new algorithm.

It was done in response to this,



and pointed out that basing your password on words in the English language dictionary is no longer safe due to advanced password-cracking algorithms and cheap high-performance computing (IIRC, the researcher used relatively cheap GPU clusters). Responding to the article, Randall Munroe pointed out that he is absolutely not a cryptography expert and that his XKCD strip was only meant to illustrate a mathematical property that proves that no matter how random-looking the password is, if it is short it can be cracked quickly.

If you want the passwords to be very secure you should use a password vault program and generate a unique very long random sequence password for every login you have.
Not knowing the actual paper, I'm somewhat sceptical. Because, how can the cracker know that dictionary words are used, how they are separated, and does he need to know that certain words follow each other (as they do in actual sentences), etc.?

Just by combining words one can add huge complexity. And one can add additional complexity by intentionally NOT following rules of actual language. Such as using nonsense sentences, made-up words, not using space as word separator between every word...

A lot of papers I know differentiate between "passwords" and "pass phrases". And actually following these names gives information about the pass information. If you say "pass phrase", and actually use a pass phrase, you tell the cracker that he's looking at a series of words...

As I was saying: "Password" implies using a single word. And people actually use only a single word. They do not use space, because that's the usual character used to separate words. So a great deal of online password strength checkers indicate a stronger password just by using space. I don't know if this actually increases the strength against currently used techniques. It could be, because, why try to use space if you know that the vast majority of users don't use it? Of course, that might change once everyone tries to use sentences as passwords. But, would this ever happen, given how prevalent unsafe passwords like "password", "12345678", "qwerty" still are?

(One online password strength checker I tried, which does indicate problems if you use common words, conks out noticeably if you use four common words. "Steve eats candy" was only a medium safe password, "Steve eats candy often" a super safe one.)
Old 11th August 2017, 07:27 AM   #34
Ron_Tomkins
Satan's Helper
 
Join Date: Oct 2007
Posts: 40,823
Originally Posted by Darat View Post
The site is not going to check your password against all the criteria it lists! It will check a handful of them, such as length and does it include a special character.
So you're saying they bothered to create a whole Bible of criteria, and they don't even check to see if my password meets all of them? If this is true, the level of nonsensical ridiculousness has really transcended. Why would they create a list of requirements if they're not gonna check to see if you meet all of them? This sounds more and more like whoever creates these requirements just made them up out of boredom.

I imagine some stupid code programmer sitting at his desk going like:

"Let's see..... Password must not rhyme with the word Red!

Hmmm.... oh, Password must not remind me of my grandma

Yeah. That should do. That's enough requirem..... Oh wait! Let's also add: Password must not be an anagram of the word Elevator!"
__________________
"I am a collection of water, calcium and organic molecules called Carl Sagan"

Carl Sagan
Old 11th August 2017, 07:28 AM   #35
elgarak
Illuminator
 
Join Date: Nov 2003
Posts: 4,231
Originally Posted by Argumemnon View Post
Yeah but that's a security problem with the server, not the password or its handling. And they're going to get the PWs this way at some point regardless of what they are.
That's kinda the whole point, isn't it? The security of the data on the server is only as good as the weakest element.
Old 11th August 2017, 07:56 AM   #36
Beerina
Sarcastic Conqueror of Notions
 
Join Date: Mar 2004
Posts: 28,743
Not sure exactly what the battle they're trying to fight is. The days when you could pepper a login process over and over, not worrying about a multiple-failure lockout, are long gone.

Getting a hold of a big list of login IDs and trying each one 3 times then moving on to the next one and hoping for the inevitable success? (Assuming this doesn't also have failure lockouts looking for this sort of thing from a single internet address.)

Getting the encrypted password file and trying to decrypt it using intelligent guesses as to things that are probably in it?
__________________
"Great innovations should not be forced [by way of] slender majorities." - Thomas Jefferson

The government should nationalize it! Socialized, single-payer video game development and sales now! More, cheaper, better games, right? Right?
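Argumemnon's point (3) in #26 (lock the account after a set number of failures) and Beerina's second scenario above (a few tries per login ID, then move on to the next, which a per-account limit never notices) are two halves of the same server-side control. The following is an added example, not code from any poster: a sliding-window tracker that counts failures per account and per source address, locks an account at its threshold, and raises a separate alert when one source fails against many distinct accounts. The class name, the thresholds, the window length and the sample log lines are all constructed for illustration.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class LoginGuard:
    """Sliding-window failed-login tracker (hypothetical class for this example).
    Per-account counting gives the classic lockout; per-source counting catches
    the low-and-slow 'three tries per ID' pattern that spreads failures across
    many accounts so that no single account ever reaches its limit."""

    def __init__(self, window: float = 900.0, account_limit: int = 5,
                 source_limit: int = 30, spray_accounts: int = 10):
        self.window = window                  # seconds of history considered
        self.account_limit = account_limit    # failures on one account -> lock it
        self.source_limit = source_limit      # failures from one source -> block it
        self.spray_accounts = spray_accounts  # distinct accounts failed from one source -> alert
        self._by_account: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
        self._by_source: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)

    def _prune(self, dq: Deque[Tuple[float, str]], now: float) -> None:
        # Drop entries that have aged out of the window (oldest first).
        while dq and now - dq[0][0] > self.window:
            dq.popleft()

    def is_locked(self, account: str, now: float) -> bool:
        """Ask this before checking the password; locked accounts are refused."""
        dq = self._by_account[account]
        self._prune(dq, now)
        return len(dq) >= self.account_limit

    def record_failure(self, account: str, source: str, now: float) -> List[str]:
        """Register one failed attempt; return the alerts it triggers (fired once,
        at the moment a threshold is reached)."""
        alerts: List[str] = []
        acct = self._by_account[account]
        acct.append((now, source))
        self._prune(acct, now)
        src = self._by_source[source]
        src.append((now, account))
        self._prune(src, now)
        if len(acct) == self.account_limit:
            alerts.append(f"lock_account:{account}")
        if len(src) == self.source_limit:
            alerts.append(f"block_source:{source}")
        if len({a for _, a in src}) == self.spray_accounts:
            alerts.append(f"spraying:{source}")
        return alerts


def replay(log_lines: List[str], guard: LoginGuard) -> List[str]:
    """Feed constructed auth-log lines of the form 'epoch RESULT account source'
    through the guard and collect every alert.  Successful logins are ignored."""
    alerts: List[str] = []
    for line in log_lines:
        ts, result, account, source = line.split()
        if result == "FAIL":
            alerts.extend(guard.record_failure(account, source, float(ts)))
    return alerts


# Constructed sample: one source hammering 'alice', another trying 10 accounts once each.
SAMPLE_LOG = (
    [f"{1502438400 + i} FAIL alice 198.51.100.7" for i in range(5)]
    + [f"{1502438500 + i} FAIL user{i:02d} 203.0.113.9" for i in range(10)]
    + ["1502438600 OK alice 192.0.2.44"]
)

if __name__ == "__main__":
    guard = LoginGuard()
    for alert in replay(SAMPLE_LOG, guard):
        print(alert)
    print("alice locked now:", guard.is_locked("alice", 1502438600))
```

The per-source counter is the part most sites skip; without it, the ten single failures from 203.0.113.9 in the sample never trip anything, which is exactly why that pattern is used. The window also means lockouts expire on their own rather than requiring a support call, which keeps the control from becoming a denial-of-service lever against legitimate users.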
Old 11th August 2017, 08:15 AM   #37
Argumemnon
World Maker
 
Join Date: Oct 2005
Location: In the thick of things
Posts: 64,938
Originally Posted by elgarak View Post
That's kinda the whole point, isn't it? The security of the data on the server is only as good as the weakest element.
How in blazes do people get their hands on the hash data, anyway?
__________________
"Yes. But we'll hit theirs as well. We have reserves. Attack!"
Old 11th August 2017, 08:49 AM   #38
Modified
Philosopher
 
Join Date: Sep 2006
Posts: 6,337
Originally Posted by Beerina View Post
Not sure exactly what the battle they're trying to fight is. The days when you could pepper a login process over and over, not worrying about a multiple-failure lockout, are long gone.

Getting a hold of a big list of login IDs and trying each one 3 times then moving on to the next one and hoping for the inevitable success? (Assuming this doesn't also have failure lockouts looking for this sort of thing from a single internet address.)

Getting the encrypted password file and trying to decrypt it using intelligent guesses as to things that are probably in it?
Primarily the last one. Getting as many passwords as quickly as possible from the encrypted data.
Old 11th August 2017, 09:35 AM   #39
CORed
Philosopher
 
Join Date: Dec 2008
Location: Central City, Colorado, USA
Posts: 7,079
Originally Posted by Argumemnon View Post
How in blazes do people get their hands on the hash data, anyway?
A lot of successful cracks actually seem to be social engineering based anyway. Call up several employees of the organization you're trying to hack, say, "This is Ralph from IT. We're updating the turbo-ecabulation database, and we need your user ID and password." If that doesn't work, there's always bribery, or holding their cat hostage.
Old 11th August 2017, 11:27 AM   #40
blutoski
Penultimate Amazing
 
Join Date: Jan 2006
Posts: 10,643
Originally Posted by Ron_Tomkins View Post
So, basically, I am unable to access my existing account at Copyright.gov, nor to create a new account, due to its insufferable, extreme list of requirements for password creation:



Some of these are plain laughable and feel like the site creator is literally mocking us: "A password must not include any regional sports teams or players" Could this be more random? First of all, why sports teams/ players? Why are those a no-no, but not Martial Arts fighters or movie directors? Is the person who created the site someone who hates sports? Or is there an actual logic behind this stupid requirement?

Some are simply absurd: "A password must not include your social security number or any subset of your social security number that is more than a single number." First of all: If I'm a completely new user who's opening their account for the first time, then that means I haven't even entered such information as my Social Security Number. How in the Blue Hell then do you even know if any of the numbers I'm entering in my new password are found in my Social Security Number??

Finally, they completely destroy any possibility for you to create a password that you would remember and that would make sense to you by dictating that "A password must not include words that can be found in any dictionary, whether English or any language." This means you are left with nothing but strings of random letters, meaning this will be something you will need to write down on a piece of paper and save so you can remember it.


But aside from the fact that this one site is being a real bitch with the whole password creation, most of the sites where you create accounts have a list of requirements for your password.

But why???

The way I see it: it's my account, my responsibility. If I decide to create a password that's just "1234", and that means it has an extreme risk of being deciphered by others, that's MY PROBLEM. Some services such as gmail allow (at least for now) for you to create whatever the hell you wanna create as a password, so we know this is not universal to all sites/services.

Second of all, as I mentioned earlier, by introducing such a large list of demands, you make it so that I have to create a password that I wouldn't remember, because it ends up being something crafted to the site's individual desires. So I have to write it down somewhere, because I just won't remember. Especially considering each site has their unique list of requirements. That means that, at the end of the day, I'm still at the risk of having someone find that list and have access to all of my passwords. So, the rationale that this makes your password more secure, isn't precisely true.


Since recently I was looking for ideas to write a new article on my blog, it goes without saying that this subject has infuriated me so much, and for such a long time, that I'm gonna make this my new subject. However, before I start writing an article complaining about this, I would like to hear the opinions of some tech-savvy people (preferably people who are code programmers, and who have hands-on experience with this stuff) to patiently explain to me, as concisely as possible, why this **** makes sense at all.
Most of those criteria are trying to eliminate passwords that can be guessed from personal information. I'm not a security expert by any means, but I have been able to guess my friends' bank card PINs pretty reliably.

In this world of Facebook disclosures, I know a lot of people's unlock information as well. Mother's maiden names. City they were born. Favourite pet name.

They're also trying to create unique criteria that other sites don't use, which protects the user in a different way, by preventing the user from having one password for a hundred sites. Once crackers find your favourite password they can log in everywhere. It's a disaster.

So, I don't blame companies for trying to coach users on how to reduce their exposure, but I also don't like the idea of passphrases.

I use a password generator (a unix crypt based app on my mac) and a vault (a text file on same mac). It reliably follows any site's rules by virtue of being totally random characters. The one exception is the password for the computer itself, where the vault is stored, which has a passphrase that I rotate monthly. The Mac's drive is encrypted, so if it's stolen, there's no way for anybody to read the password vault file.


ETA: on the topic of card PINs...
[Embedded YouTube video: "Well the year was 1690..."]
__________________
"Sometimes it's better to light a flamethrower than curse the darkness." - Terry Pratchett

Last edited by blutoski; 11th August 2017 at 11:31 AM.