Author Topic: Good or bad password?  (Read 6599 times)

tsaint

Good or bad password?
« on: May 11, 2016, 08:17 PM »
First, thanks in advance to any or all responders. I'll read with interest the comments but probably not add anything to the discussion.
Also, hope it won't engender the controversy my last question caused!!
Q: Is "Remember to pay gas Aug 14" a good, as in secure, password? I know it's good as in usability because I can hide it in plain sight (e.g. Google Calendar).
Thanks
Tony

mouser

Re: Good or bad password?
« Reply #1 on: May 11, 2016, 08:31 PM »
that's an excellent password (pass phrase).
theoretically would be improved if you misspelled a word or otherwise made it ungrammatical.

wraith808

Re: Good or bad password?
« Reply #2 on: May 11, 2016, 09:28 PM »
obligatory link to xkcd


Target

Re: Good or bad password?
« Reply #3 on: May 11, 2016, 09:42 PM »
the difficulty here is that everyone remembers 'correct horse battery staple' and probably always will, but most of us still can't remember our own passwords (or where we put our car keys...)

wraith808

Re: Good or bad password?
« Reply #4 on: May 11, 2016, 10:06 PM »
> the difficulty here is that everyone remembers 'correct horse battery staple' and probably always will, but most of us still can't remember our own passwords (or where we put our car keys...)

Since I switched to a passphrase for some things, I remember those better, and it's natural.  I usually now try to actually make a phrase instead of just stringing words together.  One that I do quite a bit is make the password a question, and the password reminder the answer.

4wd

Re: Good or bad password?
« Reply #5 on: May 11, 2016, 10:43 PM »
> Q: Is "Remember to pay gas Aug 14" a good, as in secure, password?

I'd add some non-alphanumeric characters, eg. Remember! Pay gas bill, 14/08.

You could also keep it as Aug 14 in plain sight, just remembering to switch it to 14/08. for when you need to enter password.

wraith808

Re: Good or bad password?
« Reply #6 on: May 11, 2016, 11:24 PM »
> > Q: Is "Remember to pay gas Aug 14" a good, as in secure, password?
>
> I'd add some non-alphanumeric characters, eg. Remember! Pay gas bill, 14/08.
>
> You could also keep it as Aug 14 in plain sight, just remembering to switch it to 14/08. for when you need to enter password.

Along those lines, instead of adding non-numeric, I've just replaced the spaces with another character, so that the words are delimited by that character.

tsaint

Re: Good or bad password?
« Reply #7 on: May 12, 2016, 03:18 AM »
Thanks for good ideas. My REAL password actually involves part of a friend's car number plate, which she USED to own (how paranoid is that?)
What's now making my head spin tho, is that without a priori knowledge, isn't my passPHRASE actually a passWORD? (I hear Bayes calling). I see on various sites, entropy levels are different.
And Mouser, without knowing brute force passphrase cracking methodology, would having the misspelling early in the "pass-phrase" improve things?
This is all academic really but I'm interested - I've taken all the suggestions onboard thanks.

Stoic Joker

Re: Good or bad password?
« Reply #8 on: May 12, 2016, 07:48 AM »
> My REAL password actually involves part of a friend's car number plate, which she USED to own (how paranoid is that?)

She should probably be very paranoid about the creepy old guy that keeps memorizing her license plate number... :D

But seriously the key to pass phrases is that the words should be completely non sequitur, but mnemonically associated with something by you.

So if your favorite movie scene involved a duck on a bicycle in the rain, the pass phrase for it might be:

Ride Cloudy Mallard!

tsaint

Re: Good or bad password?
« Reply #9 on: May 12, 2016, 08:02 AM »
Creepy, old part is right, but in my defence, it's only numberplate memorization standing between me and senility

f0dder

Re: Good or bad password?
« Reply #10 on: May 25, 2016, 05:19 PM »
Is "Remember to pay gas Aug 14" a good passphrase? That depends a bit on your adversary. It's long, but all its components exist in dictionaries. Personally, I'd suggest adding some nonsense words - and not just go for obvious substitutions like S->$, E->3 and the like, since bruteforcing tools handle those.

And use different passphrases for different accounts. Having a perfect, non-bruteforceable passphrase doesn't help you if you use it everywhere, and it turns out that one of those sites stores the password in plaintext or encrypted rather than (properly) hashed. Either use a password manager (protected with the memorizable passphrase) and generate long random strings for other sites, or (if you're afraid of getting the password database stolen and your passphrase keylogged), think up a couple of passphrases for different uses. Like sharing one for forums and other low-impact sites, but keeping separate passphrases for your bank, email accounts, Facebook or whatever other high-risk sites.

And yes, Facebook would be a high-risk site for normal people, since it can be used as a login mechanism in several places, as well as for grabbing juicy information that can be used for social engineering attacks.
- carpe noctem
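
Added example (editorial, not written by any poster in this thread): a rough strength estimate for the passphrase under two attacker models, showing why different sites report different entropy for the same phrase and why an obvious substitution adds far less than a nonsense word. The 20,000-word dictionary size, the 2-bit variant cost, the tiny `WORDLIST` and the word `glorptz` are assumptions made for illustration.

```python
import math
import re

DICT_WORDS = 20_000    # assumed size of the attacker's wordlist
VARIANT_BITS = 2.0     # assumed extra cost of case/leetspeak variants of a word
LEET = str.maketrans("$3401@", "seaola")   # undo common substitutions
# Constructed stand-in for the dictionary; a real one has DICT_WORDS entries.
WORDLIST = {"remember", "to", "pay", "gas", "aug", "bill"}

def charset_size(text):
    """Size of the alphabet a per-character brute force must cover."""
    size = 0
    for pattern, count in ((r"[a-z]", 26), (r"[A-Z]", 26),
                           (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)):
        if re.search(pattern, text):
            size += count
    return size

def char_model_bits(phrase):
    """Bits if the attacker guesses one character at a time."""
    return len(phrase) * math.log2(charset_size(phrase)) if phrase else 0.0

def word_model_bits(phrase):
    """Bits if the attacker guesses dictionary words, with known variants."""
    bits = 0.0
    for token in phrase.split():
        plain = token.lower().translate(LEET)
        if plain in WORDLIST:
            bits += math.log2(DICT_WORDS)
            if token != plain:          # capitalised or leetspeak form
                bits += VARIANT_BITS
        else:                           # number or nonsense: brute-forced
            bits += char_model_bits(token)
    return bits

def compare(phrase):
    """Return (character-model bits, word-model bits), rounded."""
    return round(char_model_bits(phrase), 1), round(word_model_bits(phrase), 1)

if __name__ == "__main__":
    for p in ("Remember to pay gas Aug 14",        # phrase from the thread
              "Remember to pay g4$ Aug 14",        # obvious substitution
              "Remember to pay glorptz Aug 14"):   # constructed nonsense word
        print(p, compare(p))
```

Both figures are upper bounds under the stated assumptions; a meter that counts characters reports the first, while one that models dictionary words reports something closer to the second.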

mouser

Re: Good or bad password?
« Reply #11 on: May 25, 2016, 07:12 PM »
> And use different passphrases for different accounts

This is an important point that people sometimes overlook. You need to be using different passwords (passphrases) for different sites, so that a security lapse on one site does not blow all your site logins.
A good solution is to use a password manager to hold all your passwords so you don't have to remember them.

Target

Re: Good or bad password?
« Reply #12 on: May 25, 2016, 08:23 PM »
mmmm, passwords....
