Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 04, 2016, 02:28:08 PM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: xkcd - password truth  (Read 8452 times)

nudone

  • Cody's Creator
  • Columnist
  • Joined in 2005
  • ***
  • Posts: 4,117
    • View Profile
    • Donate to Member
xkcd - password truth
« on: August 10, 2011, 02:26:46 AM »
This password epiphany seems to be popping up in several news articles recently. Here's xkcd's take on it.


Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,220
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: xkcd - password truth
« Reply #1 on: August 10, 2011, 05:04:11 AM »
YAY~!

+1 for pass-phrases~! ;D

tryandguessthismuther******! :D
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 7,713
    • View Profile
    • The Blog of Deozaan
    • Read more about this member.
    • Donate to Member
Re: xkcd - password truth
« Reply #2 on: August 10, 2011, 05:14:20 AM »
I like pass-phrases.  :)


worstje

  • Honorary Member
  • Joined in 2009
  • **
  • Posts: 571
  • The Gent with the White Hat
    • View Profile
    • Donate to Member
Re: xkcd - password truth
« Reply #3 on: August 10, 2011, 05:56:42 AM »
Problem with pass-phrases is that people will take way too obvious stuff. (The comic is clearly the exception!) For example, you can expect mouser to use 'I like silly acronyms.' or in kyrathaba's case 'nany 2012 hangman YEAH'. :D Or JoTo... 'Thank God It's Friday'. 8)

This is only going to work if people use unpredictable things. For one, you can expect half the xkcd readers to use 'correct horse battery staple' from now on. Or 'import antigravity'. Or other meme-ish catchphrases.

Finally, it pays off to think that mere bits of entropy are not the defining characteristic when discussing password safety and the likelihood that it may be guessed. For example, suppose a user is english. That brings it to 26 letters plus a space character, assuming the random-string-of-words-thing and that people are likely to stick to lowercase. Assume that 30 characters is a good compromise for a password one has to type in, so you get 27^30 = 2.4244 * 10^36 different permutations. Sounds good, right?

Now throw in social engineering. Psychology. User idiocy. Someone looking over someones shoulder and spotting 30 little password characters being typed, or that only lowercase letters are typed. Maybe you think out loud while you're typing! (I wouldn't, but such idiots exist...) Long story kept short: once you are able to glean just a little bit of information about the format of a password, the effective entropy in the eyes of an attack is reduced significantly. Requiring a user to put in one or two odd characters may seem difficult, it prevents predictability and also prevents a brute-force attack that uses dictionary contents as its source from speeding things up. (Think about it: there are far more strings of letters that aren't words than there are actual words.) Likewise, asking for my mothers maiden name isn't a given to gain access to my email anymore; you at least have to figure out what blend of leetspeak I throw at it. (And password recovery schemes with such fixed questions, or equally constrained answers are an equally horrid disaster, but in this case I was implying my email password might be m4rgret.) Or maybe her year of birth. Etc.

While it may be a wet-dream to expect the full 8 bits/byte (=256 'characters') to be usable in a password, reducing it as many password systems do to merely (26*2 letters +10 numbers + underscore + space) = 64 is a security disaster. Every extra bit of entropy doubles the problem space, and in case of a words and letters you can sooner think in factors of 26 or higher! Even worse, programs/websites half the time demand more than 5 and less than 12 characters. Why not allow 30 characters? All those requirements are little more than a gift for your enemies.

Anyhow, for so far that rant. My point is coming up... Pass-phrases are nice. Digits and weird characters are nice. But seperately, they are weak in the eyes of modern bruteforcing and even social engineering. One is slightly stronger than the other in different aspects, but neither is ideal. But combining them is damn orgasmic for your security. The xkcd examples would skyrocket in complexity, just try the math for yourself. :)
« Last Edit: August 10, 2011, 06:01:14 AM by worstje »

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,220
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: xkcd - password truth
« Reply #4 on: August 10, 2011, 07:10:54 AM »
12 character limits on passwords is just idiotic. I will never understand how/why some admins come to the conclusion that they should have such small limits like that. If someone wants to have a 123 character password, all the more power to them. At the moment, I think 500 is a good limit. You need to store it, and you're pretty much going to use an nvarchar field anyways, so 500 seems good. I don't know if it could impact performance, but I somehow doubt it. People store ntext fields and blobs... 500 is nothing.

Steve Gibson has some strong password stuff, but really, it's insanely large and impossible to remember. I take it that anything over 8 random characters begins to approach insanity (the higher it goes) for casual use. 64 random characters (last I checked)... Yikes... You can only use that with something like Keypass or ALPass.

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Stephen66515

  • Animated Giffer in Chief
  • Honorary Member
  • Joined in 2010
  • **
  • Posts: 3,129
    • View Profile
    • Donate to Member
Re: xkcd - password truth
« Reply #5 on: August 10, 2011, 09:27:34 AM »
For the majority of my passwords, I use a variation of my primary one, which is a 32 character password, with some characters from the website, or services' name placed into certain points of the password.

Secret answers never represent the actual question and are usually random sentences (depending on haracter limitation)

Hack that you b***ards  :D

rjbull

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 2,925
    • View Profile
    • Donate to Member
Re: xkcd - password truth
« Reply #6 on: August 10, 2011, 04:19:39 PM »
I used to use the registration letters+numbers of cars I used to own, but own no longer, concatenated together as necessary.

Tuxman

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,766
    • View Profile
    • Donate to Member
Re: xkcd - password truth
« Reply #7 on: August 10, 2011, 04:26:03 PM »
When I was young (tm), I used a German slang word for most of my "old" stuff. Newer versions add some random garbage, even never versions have something completely different ...

A "password" is, basically, a word to pass. Could you imagine Indiana Jones in front of some magic wall or something, spelling "/&jJ"4"(=\}lÖ"?

After all, there's LastPass.  :P

Edvard

  • Coding Snacks Author
  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 2,888
    • View Profile
    • Donate to Member
Re: xkcd - password truth
« Reply #8 on: August 11, 2011, 01:02:43 AM »
I have learned many things from xkcd, but the most important lesson on password security I have EVER learned, I learned from LulzSec:

Your password is only as secure as the server it's stored on.

OK, having a password like "password" or "1234" is stupid, but let's face it, once a nefarious individual gets into the system, it doesn't matter one flipped bit whether you keep one password or a hundred, use Keepass, Lastpass, etc. or if your password is "mickey mouse" or "1h&3bo(8tH45Tew9@hGn=p]#6b".
What does matter is how your password is stored and accessed at the security point.

That said, I use personally use reasonably complex matrix-based passwords (so they're easily remembered) to prevent 'casual' hacking of outside resources, but my home router is locked down enough that I feel confident using a very simple password for my desktop login, just for convenience.

Much has been said regarding plain text vs. encrypted vs. client-side authorization via encrypted hash (or something like that), and I am now in the process of taking up the issue with any company, individual or group that has any claim on any information I would like to see secured.
My bank, my email provider, my social networks, everything.

So then, Mouser old buddy... how secure are the DC passwords? ;)
« Last Edit: August 11, 2011, 02:47:56 AM by Edvard »

mahesh2k

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,417
    • View Profile
    • Donate to Member
Re: xkcd - password truth
« Reply #9 on: August 11, 2011, 01:17:15 AM »
 :D

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
Re: xkcd - password truth
« Reply #10 on: August 11, 2011, 05:36:39 AM »
I usually go with a pass phrase except I'll prefix or follow it with a number and punctuation mark; and capitalize one letter somewhere in it. I do this to satisfy the occasional "complexity" policy you encounter on some servers.

FWIW, 'obsolete' or archaic spellings, words, and phrases (ex: He ferde as freke were fade and oueral enker grene...) provide some good raw material when choosing pass phrase elements. So now you finally have a use for what you learned when you studied The Canterbury Tales or Gawain and the Green Knight back in 'English Lit' class. Wow! Aren't you glad you paid attention?  :P

For my password on any of my client's machines I'll go with the longest and most complex 'true random' password the system will allow, and use a password manager app to remember it.

But in the case of a client system, this is more a CYA move on my part. That way, if anybody ever did get in masquerading as me, nobody could say it was because their 'Computer Guy' used a weak password.
 8)

« Last Edit: August 11, 2011, 07:38:47 AM by 40hz »

nudone

  • Cody's Creator
  • Columnist
  • Joined in 2005
  • ***
  • Posts: 4,117
    • View Profile
    • Donate to Member
Re: xkcd - password truth
« Reply #11 on: August 11, 2011, 07:24:42 AM »
Anyone have any thoughts on how safe Roboform is (or other password managers too).

I mean, if they are really, REALLY, safe then I'll stop being too concerned. Of course, I understand it's their business so they are SURE to be safe - aren't they. Aren't they?  :'(

cyberdiva

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 982
    • View Profile
    • Donate to Member
Re: xkcd - password truth
« Reply #12 on: August 11, 2011, 07:38:47 AM »
So now you finally have a use for what you learned when you studied The Canterbury Tales or Gawain and the Green Knight back in 'English Lit' class. Wow! Aren't you glad you paid attention?  :P

Oh, darn!  I wish I had known this umpteen years ago when I read these.  Then again, umpteen years ago, I didn't have to think about secure passwords.  My typewriter didn't need them.  :D

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
Re: xkcd - password truth
« Reply #13 on: August 11, 2011, 07:53:22 AM »
Anyone have any thoughts on how safe Roboform is (or other password managers too).

I mean, if they are really, REALLY, safe then I'll stop being too concerned. Of course, I understand it's their business so they are SURE to be safe - aren't they. Aren't they?  :'(

To a certain extent, you need to trust what you're being told by the publisher. That, and what you hear bone fide security experts saying about a given product.

In the case of Keypass (which I use) the source code is available so you can verify what it does and how it does it. Something that can't be done with a closed source app.

That being said, most publishers who do products like RoboForm go out of their way to make sure they deliver on their promises of properly implemented and secure code. So if you're dealing with a reputable product, you're at least as secure as most people would be if they were using an open source app. Because let's face it - how many people really do examine the source code of the FOSS apps they use? And even more to the point, are they qualified enough coders with enough background in encryption methodologies to have sufficient expertise to pass judgment on the source code if they do?

Probably not.

So it's back to how much you trust the publisher - and what the word is out on the street.

FWIW I trust Keypass and its Linux variant KeyPassX.  :)


40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
Re: xkcd - password truth
« Reply #14 on: August 11, 2011, 08:01:57 AM »
So now you finally have a use for what you learned when you studied The Canterbury Tales or Gawain and the Green Knight back in 'English Lit' class. Wow! Aren't you glad you paid attention?  :P

Oh, darn!  I wish I had known this umpteen years ago when I read these.  Then again, umpteen years ago, I didn't have to think about secure passwords.  My typewriter didn't need them.  :D

 ;D ;D ;D ;D ;D ;D ;D ;D

Yeah. I hear you. Simpler times...

For real security, all you had to do was to lock up the original and copy. And destroy the carbons and ribbons if you were truly paranoid.

No joke either. My old man worked for a DoD contractor that pulled the ribbons from every typewriter every night and locked them in a vault. They passed them back to the secretaries and typists (remember those?) when they returned in the morning. They actually made them sign them in and out! Now THAT'S being paranoid.

 :Thmbsup:

Lashiec

  • Member
  • Joined in 2006
  • **
  • Posts: 2,374
    • View Profile
    • Donate to Member
Re: xkcd - password truth
« Reply #15 on: August 11, 2011, 08:17:42 AM »
Anyone have any thoughts on how safe Roboform is (or other password managers too).

I mean, if they are really, REALLY, safe then I'll stop being too concerned. Of course, I understand it's their business so they are SURE to be safe - aren't they. Aren't they?  :'(

There's no such thing as really safe, only safe for the time being :). So, for the time being, you'll have to trust their claims, even if the source code is available, which without proper code auditing means nothing.

So, anyway, passphrases and password managers for the win. And hope the services you use don't store the password in clear text or use weak cryptographic schemes.

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,220
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: xkcd - password truth
« Reply #16 on: September 19, 2012, 11:11:29 AM »
Necrothread~! RISE, THREAD RISE~! :P

Just saw this:

http://blogs.avg.com...sumer/p4ssw0rd-myth/

Quote
It’s nothing new that there are bad people out there on the internet who, if they should get the chance, would steal your personal details and your banking ones too.

The news is full of hacking these days, with companies, multinational organisations, governments and individuals on the receiving end of some pretty serious privacy breaches.

Obviously, most of us don’t have a say in government or company security policy so it’s up to us to keep our own digital lives safe and while this can involve a number of steps including both software and hardware, it often comes down to passwords.

Your password is your basic online defence, the key to much of your information. We at AVG and other security experts recommend you to use a different password for each site (or at least a few variations) limiting any damage were your password to be compromised. However, we understand that most people aren’t overly worried by hacking and multiple passwords can be difficult to remember.

Interestingly, randomly generated passwords have become all the rage over the last few years and we at AVG have recommended passwords with a mix of characters and symbols. Sometimes these come in the form of passwords that are generated completely at random such as PhuR7Tr$.

More at the link.

Yeah, old, but on topic and still valuable.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
Re: xkcd - password truth
« Reply #17 on: September 19, 2012, 01:17:29 PM »
I saw a portable app some time ago (can't remember where) that generated a very long and complex password out of a passphrase and a number you keyed into it. So if you entered something like: Eta kooram nah smech, and a number like: 314159 it would return a string like: r=+-~/[$=a^LADwR0t%W&JT011\b9^A~qrIgvvC]_tgY&f,P0;cO*ZfwD`r&(c. You could then copy and paste it as needed.

You could specify the length of the generated string. And there were checkboxes to select what type of characters (i.e UC, LC, number, symbol) to allow in the string.

Anybody know the name of this app?

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,550
    • View Profile
    • Donate to Member
Re: xkcd - password truth
« Reply #18 on: September 19, 2012, 02:14:48 PM »
I saw a portable app some time ago (can't remember where) that generated a very long and complex password out of a passphrase and a number you keyed into it. So if you entered something like: Eta kooram nah smech, and a number like: 314159 it would return a string like: r=+-~/[$=a^LADwR0t%W&JT011\b9^A~qrIgvvC]_tgY&f,P0;cO*ZfwD`r&(c. You could then copy and paste it as needed.

You could specify the length of the generated string. And there were checkboxes to select what type of characters (i.e UC, LC, number, symbol) to allow in the string.

Anybody know the name of this app?

Oh Oh I know this one!

http://www.youtube.c.../watch?v=IPphyjkXnPc

 :P

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
Re: xkcd - password truth
« Reply #19 on: September 19, 2012, 03:32:30 PM »
I saw a portable app some time ago (can't remember where) that generated a very long and complex password out of a passphrase and a number you keyed into it. So if you entered something like: Eta kooram nah smech, and a number like: 314159 it would return a string like: r=+-~/[$=a^LADwR0t%W&JT011\b9^A~qrIgvvC]_tgY&f,P0;cO*ZfwD`r&(c. You could then copy and paste it as needed.



You could specify the length of the generated string. And there were checkboxes to select what type of characters (i.e UC, LC, number, symbol) to allow in the string.

Anybody know the name of this app?

Oh Oh I know this one!

http://www.youtube.c.../watch?v=IPphyjkXnPc

 :P

crazy-laughing-horse.gif

That's it! :Thmbsup:



Jibz

  • Developer
  • Joined in 2005
  • ***
  • Posts: 1,126
    • View Profile
    • Donate to Member
Re: xkcd - password truth
« Reply #20 on: September 20, 2012, 12:35:29 AM »
I love this comic .. it has made half the internet remember that one four word combination. I think what it fails to tell you is that if you have more than five of these random four word passwords, they are almost as impossible to remember as random ones. Unless you have some system to relate the words to the actual site, but then, of course, they are no longer random words, and the number of effective bits starts shrinking.

Btw, for all the patent haters (via NH):

https://xato.net/pas...ry-that-is-patented/

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,220
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: xkcd - password truth
« Reply #21 on: September 20, 2012, 01:49:23 AM »
I love this comic .. it has made half the internet remember that one four word combination. I think what it fails to tell you is that if you have more than five of these random four word passwords, they are almost as impossible to remember as random ones. Unless you have some system to relate the words to the actual site, but then, of course, they are no longer random words, and the number of effective bits starts shrinking.

Btw, for all the patent haters (via NH):

https://xato.net/pas...ry-that-is-patented/

And for those that do not hate patents yet, after you read the above article, you will. :P (Or there is something profoundly bizarre in your idea of what "non-obvious" means. :P )
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker