Yes, the alternative being that if I followed best practice for passwords on every single site I use then I would never remember any of them and would have to reset my password every time I wanted to log in, may as well just make two factor compulsory and stop relying on passwords as the sole gatekeeper.
'Use 1 capital' password prompts make them too predictable – study
A new study has found that password structure is a key flaw in making login IDs hard to guess. Security firm Praetorian analyzed 34 million stolen passwords from the LinkedIn, eHarmony and Rockyou breaches and found that 50 per cent of all passwords followed 13 basic structures. This lack of entropy makes it possible to use …
COMMENTS
Monday 27th April 2015 18:56 GMT Mark 85
Re: No it doesn't
At home, that will work very well... unless you have unwelcome visitors. Even then... maybe not a problem. They'll steal the computer and ignore the Post-It notes.
At work... I use a small notepad that's kept in a locked drawer. (We're not allowed to put a PW manager on company machines.) I note that many (most) of the employees do the same notepad-kept-away-from-prying-eyes thing. But there's a few who use Post-It notes... usually managers who won't listen to the reality of locking those away. Go figure...
KISS works for most of us.
-
Monday 27th April 2015 19:17 GMT Anonymous Coward
Re: No it doesn't
@AMBxx - "Just write them on a post-it, then stick to your monitor. Problem solved."
That's a horrible system. What if you lose the post-it note?
Take a picture of your post-it note with your phone, send it to your computer as a jpg, and then regedit the LockScreenImage string to use the image as your login screen.
Problem solved.
-
Monday 27th April 2015 16:24 GMT FartingHippo
Trust
I think you have to make a leap and trust something to hold everything.
Pick a password safe (carefully) and lock it with the one complicated password you make the effort to commit to memory. Then write down that password on an anonymous and otherwise blank piece of paper and leave it in that decorative tea-pot your mother has. Just in case :)
-
Monday 27th April 2015 17:29 GMT Triggerfish
I think the safer way is have a generic pattern for sites that don't mean much and don't leave your information on the sites if it asks you to store your credit card details etc for ease of use next time, just as many of these sites are losing their info from poor internal security practices.
-
Wednesday 29th April 2015 00:00 GMT asdf
easy
KeePassX. Only have to remember one password (for the AES encryption on the internal app DB) but you can then have different 20+ random character passwords for each site (it can generate them for you). Plus it's free, open source, cross platform, not tied to a single browser and no cloud bullcrap. Plus it comes by default in Tails OS which is why I started using it.
-
Monday 27th April 2015 16:06 GMT Charlie Clark
What's the real issue?
A key part of the problem is with the websites themselves…
The key part of the problem is passwords themselves as they're so difficult to remember.
mnemonic + capitalisation + substitution + user/service salt will produce a strong password that you should in theory be able to remember but only if you're systematic about it and this always adds to the risk.
-
Monday 27th April 2015 17:06 GMT janimal
Re: What's the real issue?
Yes, and inevitably some websites enforce password rules that prevent you from using your system because they won't accept the length or won't allow punctuation characters.
The ones that really annoy me are those who won't let you use a password you have used previously. Surely this means they are storing all the passwords you have ever used with them before - so if that data gets robbed it provides an even richer source of password material :/
-
Monday 27th April 2015 20:13 GMT Number6
Re: What's the real issue?
Not necessarily, they can just hold a hash value (although with brute force they can recover the password that generated the hash). Most of these things only store the last n passwords anyway, so you can always repeatedly change your password until it lets you have your old one back.
-
Friday 1st May 2015 12:29 GMT Michael Wojcik
Re: What's the real issue?
I think the real issue is that by having any rule, you're limiting entropy.
The real issue is that passwords are terrible authenticators. They make precisely the wrong trade-offs. They're a relic of resource-constrained systems from decades ago, and no new systems should be using them.
Passphrases are a little better.
-
Tuesday 28th April 2015 09:22 GMT DropBear
Re: What's the real issue?
I got uneasy and started racking my brain where else I had seen this "have one more than the last N values the system checks and denies" scheme, then I remembered - certain printers refuse to use the last (chipped) toner cartridge even if you refill it / reset it / whatever successfully, because they store its read-only serial number (and that's stored in the printer, not in the cartridge, so you can't just reset it) - so obviously, people just use TWO sets of cartridges because only the last serial is remembered. Yeah, life is strange...
-
Friday 1st May 2015 13:27 GMT Michael Wojcik
I'd love to just go the correct-horse-battery-staple route, but most sites won't let me. Rejecting a 30+ characters password just because it's all lower-case is stupid.
Well, it's not hard to have a long passphrase and scatter some capital letters and punctuation into it to satisfy "strength" requirements imposed by a moron.
The real problem with using passphrases is length restrictions, which are even more idiotic. The number of web sites - web sites, for the love of god - that impose password length or entry restrictions is truly amazing. Microsoft's Outlook Web Access, for example, silently truncates the password entered by the user, as I discovered when I couldn't get it to accept my 38-character passphrase.
Even worse: Schwab's online banking site limits passwords to 8 characters. There's no excuse for that - it's sheer incompetence. (Even if their backend is a legacy system with password-length restrictions, hash longer passwords and then express them in base-n, where n is the size of the password alphabet for the backend system. Then converting longer passphrases to allowable passwords is trivial.)
-
Monday 27th April 2015 16:24 GMT Josh 14
I get annoyed when some of the sites require exactly the mix of letters, numbers, symbols, and caps that they specify, and will not allow anything more.
I don't know how many times I've run into one that wants exactly eight characters, with one being caps, one a number, and a certain subset of symbols (which it does not state, until it rejects an attempted password...)
-
Monday 27th April 2015 18:37 GMT Crazy Operations Guy
My previous company requires passwords in the form of 5 letters, a special character, then 3 numbers. This was caused by some ancient mainframe system and a home-brewed password encryption system. The company's name has 5 characters in it, and people tend to increment the last three digits each time they reset their password... I discovered my old boss's password, it was just Sunil&### with ### being which cycle, started at 001 then was incremented to 002 and so forth....
And these are the people that are designing your phones, running your cloud systems and in case of one division, guiding your airplanes.
My new company requires a minimum of a 16 character password and requires white space. The employee manual actually has a whole guide on pass phrases and recommends that people use sentences and phrases like:
" Chapter 5 starts with 'But alas, he was alone!' "
or
"This book cost me $19.99."
But overall, it recommends using sentences like that that you would logically write on a piece of paper or type several times a day to defeat people finding it by snooping around or even using a keylogger. For a while my password was "Where is the 10:30 meeting today?" a reasonable reminder (not that I needed one) could have been a post-it with just 10:30 meeting written on it and no one would be the wiser.
-
Friday 1st May 2015 13:40 GMT Michael Wojcik
So the first thing you typed after returning from lunch every day was, "Where is the 10:30 meeting today?"
That's shorter than my current Windows domain passphrase, which I enter several times a day. I don't let any software remember my passwords, so I have to enter it when I reconnect to the VPN, unlock my laptop, etc. I don't think I've mistyped the current one yet, and I've had it for a couple of weeks now.
Typing a 32-character passphrase quickly and accurately isn't hard if you're a decent touch-typist.
I generate my passphrases with a simple (Cygwin) bash command line, using $RANDOM/sort/head/strings on aspell's English dictionary. That gives me a screenful of words chosen at random from the dictionary. I put together a nonsense but memorable phrase (as in the XKCD method, which has been recommended by various security researchers for decades), then scatter some numerals, capitals, and punctuation to make the group-policy password constraints happy. Jot down a hint in case I forget it and put that in a safe location, and I'm good to go.
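The dictionary-sampling approach described in this post, as an added example that is not the poster's own command line: it draws words with Python's `secrets` module, reports the entropy of the raw word sequence, and then scatters a capital, a digit and a punctuation mark to satisfy a typical group-policy rule. The word list below is a constructed stand-in for aspell's dictionary; the `/usr/share/dict/words` path is an assumption.

```python
import math
import secrets
import string

# Constructed stand-in for aspell's English dictionary (44 words). A real run
# would use load_wordlist("/usr/share/dict/words") or an aspell dump instead.
SAMPLE_WORDS = """
anchor badger cactus dragon eagle falcon garlic hammer island jungle kettle
lantern marble needle oyster parrot quartz rocket saddle tunnel umpire velvet
walnut yonder zipper barley copper dagger ember fossil glacier harbor ivory
jigsaw kernel lumber meadow nectar orbit pepper quiver ripple sorrel timber
""".split()


def load_wordlist(path, min_len=3):
    """Read a one-word-per-line dictionary, keeping plain alphabetic words."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        words = {w.strip().lower() for w in fh if w.strip().isalpha()}
    return sorted(w for w in words if len(w) >= min_len)


def entropy_bits(dictionary_size, word_count):
    """Entropy of word_count words drawn uniformly and independently."""
    return word_count * math.log2(dictionary_size)


def generate_passphrase(words, word_count=6, rng=None):
    """Pick word_count words with a CSPRNG (SystemRandom wraps os.urandom)."""
    rng = rng or secrets.SystemRandom()
    return " ".join(rng.choice(words) for _ in range(word_count))


def decorate_for_policy(phrase, rng=None):
    """Add one capital, one digit and one punctuation mark at random spots.

    This only satisfies complexity rules; the strength still comes from the
    number of words times the dictionary size, not from the decoration.
    """
    rng = rng or secrets.SystemRandom()
    words = phrase.split(" ")
    words[rng.randrange(len(words))] = words[rng.randrange(len(words))].capitalize() \
        if False else words[rng.randrange(len(words))]
    i = rng.randrange(len(words))
    words[i] = words[i].capitalize()
    j = rng.randrange(len(words))
    words[j] += str(rng.randrange(10))
    k = rng.randrange(len(words))
    words[k] += rng.choice("!?,.;:")
    return " ".join(words)


def meets_group_policy(pw, min_len=16):
    """Typical Windows-style rule: length plus upper, lower, digit, symbol."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


if __name__ == "__main__":
    raw = generate_passphrase(SAMPLE_WORDS)
    print(raw, "->", decorate_for_policy(raw))
    print("entropy of 6 words from 7776:", round(entropy_bits(7776, 6), 1), "bits")
```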
-
Monday 27th April 2015 17:53 GMT Bill Gray
"...What would help is if more sites would let you use Unicode..."
I've wondered about this. Why the (censored) _can't_ I use Unicode? (To send a password: switch keyboard layout to Russian, type something in English that comes out as Cyrillic gibberish, switch back to English.) And why, oh why, can't I use spaces or more than 20 characters? (Honest question here: am I correct in assuming these last two limitations mean the site is probably storing an unhashed password? Or are there actually valid reasons for crippling security in this manner?)
-- Bill
-
Tuesday 28th April 2015 17:19 GMT Bill Gray
Re: "...What would help is if more sites would let you use Unicode..."
@DropBear :
"...Now please access the same system from a smartphone keyboard. I'll even let you install Cyrillic support on it! Just hold on until I fetch the popcorn..."
True, not a system for all people or purposes. Or possibly, even very many. But there are those of us (myself included) who use phones as little as possible. I make the occasional traditional, 19th-century style "call" from time to time, where you talk and listen, just like Great-Grandma used to do. And, on rare occasion, a text message or two. No passwords. And in any case, this is 2015; the world extends beyond nations with languages fitting conveniently into eight bits.
-
Friday 1st May 2015 13:55 GMT Michael Wojcik
Re: "...What would help is if more sites would let you use Unicode..."
am I correct in assuming these last two limitations mean the site is probably storing an unhashed password?
Probably not, actually. These sorts of restrictions are more likely due to legacy limitations in input systems, poor coding in applications that accept passwords and submit them to the verification back end, or artificial constraints imposed by programmers who weren't sure if there might be a problem, and rather than find out simply restricted the input.
One common case is where the back end is, or originally was, a system with terminal input that could only handle a restricted character set: IBM EBCDIC mainframe, for example, with something doing ASCII-EBCDIC translation in front of it, or an old UNIX system. Since these back ends only let users enter a limited character set, when people put web or GUI-application front ends in front of them, the developers would restrict the input.
So, for example, while RACF on modern zOS uses strong password hashes, an old COBOL transaction program running in a zOS CICS region and doing an EXEC CICS SIGNON is limited to 8 printable EBCDIC characters for the password. Put a fancy web front end on that, but if you're passing the user password directly to that old COBOL app, the user's password will have to be no more than 8 characters, and they'll have to be ones that map to printable EBCDIC.
Now, as I pointed out in another post, it's certainly possible to hash longer passwords into short printable strings; and the same goes for reducing the character set.[1] But few organizations doing this kind of legacy-application modernization seem to understand that, or be willing to implement it.
[1] An idea this obvious - why, I ought to patent it.
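The hash-then-base-n transform Michael Wojcik describes here and in his earlier Schwab comment, as an added example (not code from any of the systems mentioned): a long, arbitrary-character passphrase is keyed-hashed and the digest written out in base n, where n is the size of the legacy alphabet, then cut to the legacy length. The 8-character upper-case-plus-digits alphabet and the per-deployment key are assumptions standing in for a real backend's documented limits.

```python
import hashlib
import hmac
import math
import string

# Assumed legacy constraints (placeholders for a real backend's documented
# limits): at most 8 characters from a set that maps cleanly to printable
# EBCDIC. Upper-case letters and digits are a conservative choice.
LEGACY_ALPHABET = string.ascii_uppercase + string.digits
LEGACY_MAX_LEN = 8


def legacy_keyspace_bits(alphabet=LEGACY_ALPHABET, length=LEGACY_MAX_LEN):
    """Work factor the legacy verifier itself imposes (alphabet**length).

    Whatever the user typed in front, the backend only ever holds a value in
    this space, so the derivation cannot raise that ceiling; it only lets the
    user keep a long, memorable passphrase in front of it.
    """
    return length * math.log2(len(alphabet))


def fits_legacy(pw, alphabet=LEGACY_ALPHABET, length=LEGACY_MAX_LEN):
    """True if the string would be accepted as-is by the legacy backend."""
    return 0 < len(pw) <= length and all(c in alphabet for c in pw)


def to_legacy_password(passphrase, user_id, app_key,
                       alphabet=LEGACY_ALPHABET, length=LEGACY_MAX_LEN):
    """Map an arbitrarily long passphrase onto a legacy-conformant password.

    1. HMAC-SHA256 the passphrase under a per-deployment key (app_key), with
       the user id bound in so the same phrase on two accounts differs.
    2. Read the 256-bit digest as an integer and express it in base n,
       n = len(alphabet).
    3. Keep `length` base-n digits (2**256 mod n**length bias is negligible).
    Changing app_key changes every derived password, so it must be kept
    stable and protected like any other application secret.
    """
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet contains duplicate symbols")
    if not passphrase:
        raise ValueError("empty passphrase")
    msg = user_id.encode("utf-8") + b"\x00" + passphrase.encode("utf-8")
    n = int.from_bytes(hmac.new(app_key, msg, hashlib.sha256).digest(), "big")
    base = len(alphabet)
    digits = []
    for _ in range(length):
        n, r = divmod(n, base)
        digits.append(alphabet[r])
    return "".join(digits)


if __name__ == "__main__":
    key = b"deployment-pepper-placeholder"
    long_phrase = "Where is the 10:30 meeting today? Nobody knows, alas!"
    print(to_legacy_password(long_phrase, "mwojcik", key))
    print("legacy keyspace:", round(legacy_keyspace_bits(), 1), "bits")
```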
-
Monday 27th April 2015 16:30 GMT Ken Hagan
Case sensitivity
Don't forget that there are some sites out there that are case insensitive on passwords and others that are case sensitive on email addresses.
Fortunately, the worst offenders often perform all the validation in Javascript so if you View Source on the offending web page it is possible to reverse engineer the rules. (Dunno what "normal" people do, though.)
-
Monday 27th April 2015 16:36 GMT Hilibnist
Password rage
This. Largely caused by having to remember* a complex never-before-used upper/lower/numeric/punctuation password for a supermarket loyalty card** to protect my largely spurious personal information. And trying to follow good practice by not duplicating another password and not being systematic.
Just because the eager beaver who put the system together *could* tick all the security boxes, it doesn't automatically mean that it was absolutely necessary.
* okay, not remember. Just reset when I use it. Like that stupid Verified by VISA thing.
** yeah, but there are some convenient savings sometimes.
-
Monday 27th April 2015 16:47 GMT Anonymous Coward
Re: Password rage
I up-voted you for mentioning the idiotic Verified by VISA thingy.
Using my credit card number and my birthday as the only requirements to reset the password is plain stupid because they are not so secret. Besides that, the reset being done in a small frame of a hidden website for which you cannot verify the validity of SSL certificates is close to dangerous.
It makes me sick to think a cretin turned into developer takes pride in pushing that as a security measure.
I even called my bank to talk about it and they refused to discuss that matter insisting it's being done for security purposes.
-
Monday 27th April 2015 17:20 GMT Ben Tasker
Re: Password rage
Yup, VbV is a complete waste of time.
I actually made the effort to try and remember the phrase I used a while back (rather than setting a random string knowing I'd just reset next time). Got one, ONE character incorrect the next time I tried to use it, and as a result of that single borked attempt they made me reset and wouldn't let me reset to the phrase I'd bothered to remember.
So I'm back to 'forgot my password' -> set to a random string -> make no attempt to remember it.
Which means it, once again, provides bugger all value whatsoever.
-
Monday 27th April 2015 18:52 GMT Crazy Operations Guy
Re: VbV
What is even worse is when you get the password wrong and they lock your card. Had that happen to me while booking a last minute ticket out of Ukraine last year. Passwords are pretty hard to type on a smartphone with such a ridiculous password policy when you're in the back of a cab that is red-lining the engine and blowing every stoplight...
-
Tuesday 28th April 2015 19:42 GMT BristolBachelor
Re: Password rage
I wrote down my VbV password once (the horror) just to prove to myself that I wasn't going senile, and it still didn't work. When I managed to complain to someone knowledgeable there, he admitted to me that the password was automatically retired after 4 weeks of no use, so that was the reason why. Now I just reset it every time.
-
Monday 27th April 2015 16:42 GMT Anonymous Coward
Use a high-entropy password generator
Low entropy in your passwords is the weakest link in any crypto-system.
Use a high-entropy Random Bit Generator
-
Friday 1st May 2015 14:07 GMT Michael Wojcik
Re: Use a high-entropy password generator
Low entropy in your passwords is the weakest link in any crypto-system.
There's a whiff of Poe's Law here, but I'm assuming this isn't meant as a joke.
The "weakest link" in most security systems, regardless of the use of cryptography, is human beings. To claim that it's "low entropy in ... passwords" is simply stupid.
Even if we restrict ourselves to the cryptographic operations per se, in many cases of actual deployed systems, low password entropy was far from the most serious problem. There have been many systems that used weak mechanisms for generating password verifiers, for example - sufficiently weak that even optimal password entropy didn't significantly increase the attacker's work factor.
-
Monday 27th April 2015 16:58 GMT Andy Nugent
Password generators
I've also had trouble using a random password generator on various sites because it was:
(a) too long
(b) didn't match their rules (despite being 16 random characters of lower/upper/numbers).
(c) the website blocked the ability to copy 'n' paste into the text box, forcing me to use a password I could be bothered to type out twice.
It's almost like the developers don't understand the maths and think creating rules makes it harder to crack (tip, a 20 character phrase all in lower case is harder to crack and easier for humans to remember than a 6 character password with uppercase/lowercase/numbers/symbols).
-
Monday 27th April 2015 17:23 GMT Ben Tasker
Re: Password generators
Max lengths piss me off, given the things should be salted and hashed in the database anyway (long passwords are all reduced to the same length as short passwords in terms of DB storage). So why limit me to 8 characters??
I can understand having some kind of a limit so I don't try and set a 10KB string as a password, but low character limits are just stupid.
-
Monday 27th April 2015 18:59 GMT Crazy Operations Guy
Re: Password generators
Even typing a 10KB string shouldn't be a problem either. A hash should just work on a string no matter its size or even its contents. I should be able to use an executable as a password. I suppose the issue is memory exhaustion for the hashing process, but RAM is cheap nowadays anyway, so even if the hasher requires 1 MB per session, you could still support 10s of thousands of users on a modern web server.
-
Monday 27th April 2015 20:03 GMT Anonymous Coward
Re: Password generators
Since so many developers are "self taught" or come in via some kind of trade school, you can't expect that they've had any exposure to theoretical concepts like entropy. Their managers are usually even worse off.
When anyone asks about this sort of thing I always point them to xkcd # 936, not because it contains the most mathematically accurate presentation of the subject, but because it gets people to start thinking about the problem in the right way.
Here's an entropy aware pass phrase generator I really like:
https://www.fourmilab.ch/javascrypt/pass_phrase.html
And a strength checker that uses the same principles to evaluate what you've created:
-
Tuesday 28th April 2015 11:50 GMT Kubla Cant
Re: Password generators
Here's an entropy aware pass phrase generator I really like:
https://www.fourmilab.ch/javascrypt/pass_phrase.html
Yikes! I flatter myself that I have a good vocabulary, but a high proportion of the passphrases contain unfamiliar, foreign or obscure words.
overnice bowline sceptic octopus pleopod sentient
licorice patroon miler bondman tramline dicker
par compo gyrus carolus rejoice jack
whoreson winding digit lozenge skiplane hopper
refer hyoscine nude ala fender piton
resign hawfinch enshrine assignor boast heliport
compos trigraph slacks genital corpsman akene
matchbox squeaky plump haloid sapwood metallic
byelaw smallish turbit marking afforest praetor
-
Tuesday 28th April 2015 13:39 GMT Rimpel
Re: Password generators
I concur with all of your gripes. Long password restrictions are particularly annoying. Sometimes the password field is a fixed length or the password is silently truncated somewhere before it is saved with the new account. Either way this means next time I try and log in my password is inevitably wrong and it is a case of trial and error to guess what length I need to truncate my password to. Usually I have to do a password reset and use a shorter password hoping it is short enough this time.
If the password length is limited then it should be clearly stated when the password is created.
-
Monday 27th April 2015 17:03 GMT MatsSvensson
12AB.,
I have "12AB.," on a speed-dial just for stupid motherfucking sites like that, and then I add it to the end of my actual safe PW.
Assholes that think adding extra special little-princess predictable patterns into all of their users' passwords need to get taken out and shot in the head.
(and then get shot in the head 2 more times, and then 1 time exactly 7 minutes later)
-
Monday 27th April 2015 17:10 GMT Anonymous Coward
Craziest implementation of restrictions
The craziest implementation I have EVER come across is a company who really must remain nameless (hence the AC post.)
Their rule states no consecutive letters. So, having used "B" for instance, you can't then use "A" or "C" ANYWHERE IN THE PASSWORD! Each letter you use effectively eliminates 2 others!!
After several invalid passwords, and a phone call to find out what the restrictions are, I eventually managed to construct something suitable.
-
Monday 27th April 2015 17:27 GMT Rufus McDufus
Long passwords
Password handling is one of the most borked aspects of websites. The number of sites that don't specify a max number of chars but will let you enter (say) a 20 or 30 char password, and then mysteriously you're unable to log in afterwards because presumably they've trimmed the password to some invisible maximum and you haven't got a clue what it is.
-
Monday 27th April 2015 23:00 GMT Kanhef
Re: Long passwords
I encountered one site with a similar issue. On the account creation page, the password field had a length of 20 characters, but the login page only allowed 10. Somewhat concerning that no one at the company who developed, tested, or used the site had a password longer than 10 characters.
-
Monday 27th April 2015 17:52 GMT Donald Becker
This is clearly a company trying to make a name for itself, without addressing the real problem.
Most security failings are not because of weak passwords. Once you move beyond dictionary attacks, your password is secure enough.
The real vulnerability is everything else surrounding the password. As we have found out, major sites have stored unencrypted user passwords in spreadsheets, truncated passwords to only the first few characters, had trivially weak encryption, used no salt, and used a fixed salt value.
In between you and the site with questionable security are people watching you type, keyloggers, fake login prompts, compromised DNS servers, rogue WiFi hotspots, spoofed sites, cross-site scripting, man-in-the-middle attacks, compromised identity managers, and too many more vulnerabilities to list.
You are far more likely to be exposed by having your password revealed by something you can't control, and then having it added to a dictionary for later attacks, than a clever system guessing passwords using rules.
-
Friday 1st May 2015 14:20 GMT Michael Wojcik
Once you move beyond dictionary attacks, your password is secure enough.
A meaningless claim. Whether a password is "secure enough" (or just "secure") depends entirely on the threat model, and you haven't specified one.
Depending on your definition (which, again, you've failed to provide), "dictionary attacks" probably doesn't include rainbow tables, which certainly might be employed by attackers if the potential benefit justifies the cost. Or attackers might mount massive parallel brute-force attacks against a specific target; again, some password-protected resources justify the (now quite low) cost of using a cloud provider for that purpose - particularly if the cloud resources are stolen (by hacking some legitimate cloud user's account).
Certainly the other attack classes you mention - observation, keyloggers, etc - are applicable to many threat models, and in many cases will represent more-prominent branches of the attack tree. But these are not universal verities that apply in every case.
-
Monday 27th April 2015 19:18 GMT Crazy Operations Guy
Re: Anyone?
Wouldn't do a damn thing against most attacks. Digging through my logs, a lot of attacks will try the same password but cycle the username (password hash is the same). Then the attack switches to a different password and goes through the username list again. All an attacker would have to do is increase the number of usernames tried so that the cycle becomes 10 seconds long. And that is assuming that the attack has a short list of names; even trying 1000 names at 10ms apiece would mean that the attacker doesn't even notice a thing.
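The one-password-many-usernames pattern this post describes is what a defender would look for in the log rather than try to slow down per attempt. As an added example (not the poster's logs or tooling), the script below parses constructed sshd-style lines and flags a source that touches many distinct accounts inside a short window, separately from the classic one-account hammering; the thresholds and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 cycles usernames (spray), 198.51.100.9
# hammers one account (brute force), 192.0.2.44 is a user who mistyped once.
SAMPLE_LOG = """\
Apr 27 19:18:01 gw sshd[4012]: Failed password for alice from 203.0.113.7 port 50211 ssh2
Apr 27 19:18:02 gw sshd[4013]: Failed password for bob from 203.0.113.7 port 50212 ssh2
Apr 27 19:18:02 gw sshd[4014]: Failed password for invalid user carol from 203.0.113.7 port 50213 ssh2
Apr 27 19:18:03 gw sshd[4015]: Failed password for dave from 203.0.113.7 port 50214 ssh2
Apr 27 19:18:04 gw sshd[4016]: Failed password for erin from 203.0.113.7 port 50215 ssh2
Apr 27 19:18:05 gw sshd[4017]: Failed password for frank from 203.0.113.7 port 50216 ssh2
Apr 27 19:20:10 gw sshd[4020]: Failed password for root from 198.51.100.9 port 40001 ssh2
Apr 27 19:20:11 gw sshd[4021]: Failed password for root from 198.51.100.9 port 40002 ssh2
Apr 27 19:20:12 gw sshd[4022]: Failed password for root from 198.51.100.9 port 40003 ssh2
Apr 27 19:20:13 gw sshd[4023]: Failed password for root from 198.51.100.9 port 40004 ssh2
Apr 27 19:20:14 gw sshd[4024]: Failed password for root from 198.51.100.9 port 40005 ssh2
Apr 27 19:25:00 gw sshd[4030]: Failed password for alice from 192.0.2.44 port 33001 ssh2
Apr 27 19:25:30 gw sshd[4031]: Accepted password for alice from 192.0.2.44 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def parse_failures(text, year=2015):
    """Return (timestamp, username, source_ip) for each failed login line.

    Syslog lines carry no year, so one is supplied (assumed 2015 here).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Sources that hit at least min_users distinct accounts within window.

    Returns {ip: max distinct usernames seen in any window}. Only the
    username churn matters; the password is never logged, so the fact that
    it is the same each time is inferred from the pattern, not observed.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def detect_brute_force(events, window=timedelta(minutes=10), min_attempts=5):
    """The complementary pattern: one (ip, user) pair failing repeatedly."""
    by_pair = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_pair[(ip, user)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_attempts:
                flagged[pair] = max(flagged.get(pair, 0), end - start + 1)
    return flagged


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print("spray sources:", detect_spray(evs))
    print("brute-force pairs:", detect_brute_force(evs))
```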
-
Monday 27th April 2015 19:24 GMT Anonymous Coward
Re: Anyone?
Because automated password guessing attacks probably account for 0.1% of successful hacks, as opposed to the large majority of hacks that have nothing to do with whether you have a great or terrible password, and the remaining minority of hacks where your encrypted password (along with that of thousands/millions of others) are stolen and subject to leisurely dictionary attacks.
-
Monday 27th April 2015 19:29 GMT Anonymous Coward
Stupid rules
For my work I have access to a certain computer system that contains private data for many millions of people. I also have write privileges and could do lots of nasty things if I were that sort. (Fortunately, I'm not.)
What makes me wonder what the people who set this thing up were smoking is that all passwords for this system must be exactly "X" characters long, and "X" is not all that large.
WHAT WERE THEY THINKING?
AC for obvious reasons.
-
Monday 27th April 2015 20:18 GMT John H Woods
The metric ...
... there's only one measure of password quality, and that is approximate - it is how long a decent password cracker can run on it without success. Anything else, as shown here, is actually scoring passwords on 'how well they fit our rules on passwords'. And when those are bad rules ...
-
Monday 27th April 2015 21:16 GMT Terry 6
Setting password rules requires two sets of skills
One is the mathematical, knowing the cryptography rules that make the p/w "strong".
The other is psychological.
Knowing what can reasonably be expected of a reasonably sane user. And that doesn't mean what they could or should do, but what they would do.
So, if you insist on a capital letter, mathematically reasonable it may be, but a user will place it where they can remember they put it - which is largely where they would expect to find it.
So they might use "Password", possibly "PassworD" if they think they're being clever, but never "pasSword".
-
Monday 27th April 2015 21:54 GMT Stork
I4got
was a PW we used on a development server when I was in IT. Capital, check, Number, check. And fast to type too.
At some time the company was taken over and we had to work with even more systems; I think I counted that I had to enter 10 passwords before I could actually do any work (managers did not like being asked what we should book the login time to). Of course, the passwords were subject to different lengths, accepted/required character types and lifetimes. Guess what the first hour after a holiday was spent doing?
-
Tuesday 28th April 2015 13:00 GMT Mike 137
Nice research - obvious results
A nicely conducted piece of statistical research, telling us what we've actually known for years. The entire "character set + template" approach to authentication credential creation is well recognised by both experts in systems and psychologists to be flawed, but we're stuck with it because the people defining login requirements currently have no understanding of either.
The silliest recommendation after "character set + template" is the supposedly random character string. This is grounded in a misunderstanding (and misapplication) of Shannon entropy, and fundamentally fails because (even if generated by a true random process) no-one (OK, maybe one in a million) can remember it. It's actually impossible for a human to create because the mind can't wrap round true randomness - what looks like a "random string" to a human is usually biased to emphasise a small subset of the possible code space.
Even the random word sequence advocates ("horse staple ...") have it wrong. The essence of a robust authentication credential subsists in three requirements:
[1] it must be long enough to make brute forcing hard - the required length will change with time and the criticality of what is being protected;
[2] it must be memorable to its creator - so in principle it must mean something to him or her;
[3] it must not be readily guessable by anyone else - so a problem arises for folks who are not very original ;-)
Within the string space fulfilling these three requirements, the strongest strings against guessing attacks will be the ones that conform least well to a common template. So the best rule set will contain the fewest, simplest rules. Here's my take with commentary in square brackets:
"A logon credential [note that we intentionally don't say 'password'] is not to allow you access to our systems - it's to prevent anyone else gaining access by pretending to be you. It must therefore be easy for you to remember but difficult for anyone else to guess. To achieve this, here are some basic guidelines:
[1] think up a memorable but not well known phrase or sentence of at least four words totalling at least 15 characters [reasonable length at time of writing, but may need to increase]. This phrase should mean something to you to make it easy to remember, so be imaginative, consider using humour and/or your native language.
[2] certain obvious words are blocked and therefore cannot be used, including [e.g.] your user name, the company name or date words (month and day names) [but keep the excluded words list to a minimum to avoid user frustration].
[3] you may, but are not obliged to, separate the words in your phrase with non-alpha symbols."
Not the ultimate maybe, but probably a better start than the standard rules that render all words in any dictionary illegal (rather a challenge for a literate user) but permit 'Pa55w0rd!'. I've written about this elsewhere (http://intinfosec.com/library/policies/2011-Instant_Compliance_for_a_Grand.pdf)
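The three guidelines above turned into a checker, as an added example that is not Mike 137's own code or policy text: it counts words in any script, lets non-alpha separators stand between them, blocks month and day names plus the user and company names, and is shown beside the "standard" complexity rule the post contrasts it with, which accepts 'Pa55w0rd!'. The user name and company name values are constructed for illustration.

```python
import re
import string

MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
DAYS = {"monday", "tuesday", "wednesday", "thursday", "friday", "saturday",
        "sunday"}

# A "word" is a run of letters in any script, optionally with an internal
# apostrophe (grandma's), so digits and symbols act as separators.
WORD_RE = re.compile(r"[^\W\d_]+(?:'[^\W\d_]+)?")


def check_credential(phrase, username, company, min_words=4, min_chars=15,
                     extra_blocked=()):
    """Return a list of rule violations (empty list means the phrase passes).

    Rules follow the post: [1] at least min_words words and min_chars
    characters; [2] no blocked words (user name, company name, month and day
    names, plus any extra_blocked); [3] separators are optional, so nothing
    is required beyond the words themselves.
    """
    problems = []
    words = [w.lower() for w in WORD_RE.findall(phrase)]
    if len(phrase) < min_chars:
        problems.append(f"only {len(phrase)} characters; need at least {min_chars}")
    if len(words) < min_words:
        problems.append(f"only {len(words)} words; need at least {min_words}")
    blocked = MONTHS | DAYS | {w.lower() for w in extra_blocked}
    for w in words:
        if w in blocked:
            problems.append(f"blocked word: {w}")
    lowered = phrase.lower()
    for label, value in (("user name", username), ("company name", company)):
        # Substring check: "acmecorp" should still trip on company "Acme".
        if value and value.lower() in lowered:
            problems.append(f"contains {label}")
    return problems


def standard_complexity_ok(pw, min_len=8):
    """The usual template rule: length plus upper, lower, digit and symbol."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


if __name__ == "__main__":
    for candidate in ("Pa55w0rd!", "the teapot hides a spare key"):
        print(repr(candidate), "standard:", standard_complexity_ok(candidate),
              "phrase rules:", check_credential(candidate, "jsmith", "Acme") or "ok")
```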
-
Tuesday 28th April 2015 16:24 GMT JimboSmith
Security
So I'm called by a friend who has had her Yahoo! email account hacked, and someone is sending emails to her friends as her. It's not just spam sending either; this is, I thought, someone preparing for an "I'm on holiday and I've been mugged, please Western Union me £800 to get home" scam. They'd been sending emails saying that this girl was off on holiday somewhere hot and might not take their phone etc. They were caught out by an out-of-office reply to an email my friend hadn't sent.
So I go round and we talk about password security, dictionary attacks, brute force etc., and did some simple maths about how long it takes to crack a password. I suggest using a phrase spaced unevenly with odd capitalisation and random other characters (e.g. thi smO nit Orn eed s!a rea lly gO, Odc lea n) but she settles on something far longer but easier to remember. So having had her change it (without my knowledge of the actual phrase) and check that everything else is the same, like recovery email, password reminders etc., I asked her what her initial password was and she says "football". She also acknowledged that this was a bit dumb knowing what she now knew about how easy that was to crack.
-
Wednesday 29th April 2015 02:42 GMT Jin
Wanted is hard-to-forget and yet hard-to-break passwords.
Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another. ID federations (single-sign-on services and password managers) create a single point of failure.
At the root of the password headache is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.