Password1? You're so random. By which we mean not random at all - UK.gov
The UK government has renewed its efforts to persuade consumers to pick stronger passwords. The #ThinkRandom campaign is encouraging consumers to use three random words to create strong, separate passwords for their email, social media and online banking accounts. The effort follows a growing number of password dumps and …
COMMENTS
Wednesday 26th October 2016 16:28 GMT A K Stiles
Re: Okay... let me be the first to post this :
... and let's see if you get assailed by the critical masses as I did for posting the same link in an article a couple of years ago!
The main issue I face with the CorrectHorseBatteryStaple approach is that most of the things I have passwords for insist on mixing upper and lower case letters with numbers and possibly symbols, but maybe not, and minimum and maximum lengths... so never mind reusing a password across different sites, I can't even reuse my password construction rules across sites!
Wednesday 26th October 2016 18:38 GMT SkippyBing
Re: Okay... let me be the first to post this :
Handily one of the applications I use at work has to be accessed via Citrix and for some reason the password changed every 6 weeks or so. Apparently there is a password construction policy for this as I keep getting told my chosen password doesn't fit the organisation's password policy, unfortunately it won't tell me what this is, and the passwords they send out for a reset don't follow it!!
Thursday 27th October 2016 13:56 GMT Robert Carnegie
My formula
Abcdef78
Random letters from words from a book (any book) with case as shown but excluding repeats, random digits usually from minutes units and seconds units on digital watch.
So far it works just about everywhere - though now I've told you what it is I'll need to set another one :-) (and "Abcdef" was so easy to remember!)
If they want bloody punctuation then add on "!" at the end. Or an internal quote mark and a SQL Injection and serve them right. "passwd carnegie Bum\"shutdown -rightnow -nosave -allow-reboot=never" :-)
Thursday 27th October 2016 10:04 GMT Spudley
Re: Okay... let me be the first to post this :
I wonder how many people have actually used "correcthorsebatterystaple" as a password for something?
I'm sure there are plenty of cases where people have used it for the irony factor on something they don't consider important, but I want to know how many people have actually used it, thinking it was a good password? I bet there's quite a few.
Wednesday 26th October 2016 16:18 GMT The_Idiot
"Barely a day goes by without a major security breach coming to light..."
... and the business that is breached not suffering any business penalty worth mentioning.
No. The bit above _wasn't_ part of his quote. Which doesn't stop it being true.
Is it possible, therefore, that those who count beans decide the cost of effective, regularly reviewed and improved security isn't worth a single one of the magic beans they so avidly count?
Could be. Just possibly.
"However, what we really need is a fundamental rethink of the basic security protocols,"
That's one approach. But it will take time and cost magic beans. And even if it happens, it's not a one-time thing - it needs to be done, frequently reviewed and assessed in line with new threats, done again and repeated forever.
Which, in this Idiot's view, ain't gonna happen while _not_ doing it doesn't impact the beans. HARD. And NOW.
Yes. I know. I'm shouting. Mostly because I don't think anyone not reading these pages is listening... sigh.
Wednesday 26th October 2016 22:49 GMT Ole Juul
Re: or, they could really encourage 2FA everywhere
And lots of people don't even have a cellphone, let alone get a signal. Seriously, if a site or service cannot come up with something that works for everybody without having to purchase additional equipment and services they should be questioning their ability to develop security solutions for themselves.
Wednesday 26th October 2016 18:04 GMT Notas Badoff
Re: Re:drowssap
Ah yes, your codebook can be in plain sight on your shelves and no one would be the wiser! :)
Me, I'm going to switch to a password set suggested by something funny a friend said to me a couple decades ago, him from a different discipline to mine and using a language I don't know (he had to explain _why_ it was funny). Now how is a profiler going to guess that from perusing *my* emails?!
Thursday 27th October 2016 18:54 GMT Anonymous Coward
Re: Reversed!
Our clinical software stores its application login passwords (hashed, but not salted) in a table in the SQL DB called "drowssap".
Amusingly, the vendor recommends we give read+write permission to Authenticated Users because "authentication is handled inside the application".
I dread the day someone realises you can siphon off the entire table using Excel.
Anon, but I dare say the vendor will know who I am if they read this.
Thursday 27th October 2016 05:54 GMT Brenda McViking
Re: Password managers FFS!
Password managers introduce a single point of failure, there is a serious trust relationship which is highly questionable for any password manager, and that's before you consider using a cloud-based one. Then there are issues with multiple devices, lack of internet connectivity, or lack of ownership of devices you may be accessing secure accounts on.
They might work for you, but they are not a silver bullet.
Thursday 27th October 2016 07:41 GMT I_am_Chris
Re: Password managers FFS!
Given that currently the single point of failure is the user, anything that avoids them either using weak passwords or reusing the same password, is a big win. Password managers make it trivially easy.
With the better password managers allowing you to keep your file on Dropbox, iCloud, etc., any miscreant has to crack one round of 2FA plus the database file's encryption.
No silver bullet, maybe, but certainly silver plated IMO.
Thursday 27th October 2016 07:48 GMT I_am_Chris
Re: Password managers FFS!
Forgot to add.
Lack of internet is a red herring. Proper password managers keep your passwords file locally - no internet required. You just need to sync it automatically when you do have internet.
If you want access to secure sites on hardware that you don't own or trust, then more fool you.
Wednesday 26th October 2016 17:47 GMT Criminny Rickets
I use a formula I came up with for generating my passwords, so it is a real pain when I find a website that insists my password has to be up to 8 characters, all lower case letters. (Yes, I still find ones like this).
Another thing I find annoying are sites that insist you change your password every so many months. Why?? I created a unique password just for this site and now I have to change it even though my account has never been breached? Talk about an insecure website. When people have been using a password for a while, it is memorized. When you force them to now use a new password, what is the best way for most people to remember it? In my experience, I found a lot of people tend to write it on a sticky note and keep it near their computer. Personally, I use an encrypted password manager, but not everyone is as computer savvy.
Wednesday 26th October 2016 19:32 GMT Tikimon
Foreign language to the rescue
I seed foreign profanity into my passwords. What dictionary attack is going to check multi-language cursing?
Agreed, DAMN the sites that have maximum-minimum or other requirements. They won't make a stupid user create a good password, and they screw up those of us with a good system.
Eta pizdets, faszfej!
Wednesday 26th October 2016 19:46 GMT DavCrav
"In a UK government pitch designed to persuade the public to adopt better password security,"
Might be better directed towards companies, since they are the ones responsible for the mega-dumps?
"consumers are advised against using words related to their personal lives that may be easy to guess or share."
I think if you have blue eyes, are 25 and live in Kent then 2kentEYEblue5!! is going to be pretty tough to break. Even Iliveinkentandhaveblueeyesandam25yearsold is pretty good.
Wednesday 26th October 2016 20:18 GMT dalethorn
Today many sites force an active password to include a mixture of case and special characters. That's not random. Read up on the fatal weakness of the Enigma machine - the non-random requirement that the machine cannot generate the character typed. And yes, despite much opposition that I've received, it's the same issue.
Friday 28th October 2016 14:37 GMT Robert Carnegie
Edward Nygma
I'm not an expert on this, but would it necessarily be "fatal" to a code if a fiendish algorithm swapped each letter for any letter in the same half of the alphabet, A-M or N-Z, including the same letter, and then performed ROT13 on the output?
Now - Nazis were not without boneheaded giving and obeying of orders, so, "Make sure the output letter is always different from the input" sounds like a stupid management instruction that has to be obeyed, which is familiar to many.
My site password formulas include not repeating any letter because some services or web sites do forbid that, but it makes the password so much less random if e.g. you know that a 26 character password must use each letter only once.
For a password to give away for encrypted data, I generate several sets of 5 uppercase letters, used with space after each 5. This is intended to be passed in writing or spoken, instead of being e-mailed.
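The property dalethorn's Enigma remark and the half-swap-then-ROT13 idea above both turn on can be checked in code. This is an added example, not from the thread: it builds the substitution as described (assumption: the within-half swap is a random permutation of each half, so the cipher stays invertible), confirms that no letter ever encrypts to itself, and shows what that property gives away: any guessed crib alignment where a plaintext letter sits under the identical ciphertext letter can be discarded. Message, crib and seeds are constructed.

```python
import random
import string
ALPHA = string.ascii_uppercase

def half_swap_rot13_table(rng):
    """Substitution as the post describes. Assumption: the within-half swap is a
    random permutation of each half, so the cipher stays invertible. Permute A-M
    among themselves and N-Z among themselves, then apply ROT13 to the result."""
    first, second = list(ALPHA[:13]), list(ALPHA[13:])
    rng.shuffle(first)
    rng.shuffle(second)
    return {p: ALPHA[(ALPHA.index(c) + 13) % 26] for p, c in zip(ALPHA, first + second)}

def plain_permutation_table(rng):
    """Ordinary random simple substitution, for comparison: letters may map to themselves."""
    shuffled = list(ALPHA)
    rng.shuffle(shuffled)
    return dict(zip(ALPHA, shuffled))

def self_map_count(table):
    """Number of letters that encrypt to themselves under this table."""
    return sum(1 for p, c in table.items() if p == c)

def fixed_point_fraction(builder, trials=500):
    """Share of seeded tables from `builder` in which at least one letter maps to itself."""
    return sum(self_map_count(builder(random.Random(s))) > 0 for s in range(trials)) / trials

def encrypt(plaintext, table):
    return "".join(table.get(c, c) for c in plaintext.upper())

def surviving_crib_positions(ciphertext, crib):
    """Crib alignments NOT ruled out by the no-self-map property: an alignment is
    impossible wherever a crib letter sits under the identical ciphertext letter."""
    return [s for s in range(len(ciphertext) - len(crib) + 1)
            if all(p != c for p, c in zip(crib, ciphertext[s:s + len(crib)]))]

def demo(seed=1):
    """Constructed message and crib; returns (self-maps, alignments tried, alignments left)."""
    table = half_swap_rot13_table(random.Random(seed))
    message = "THEWEATHERREPORTFORTODAYISRAINWITHSUNLATER"  # constructed; crib starts at 3
    ct = encrypt(message, table)
    survivors = surviving_crib_positions(ct, "WEATHER")
    return self_map_count(table), len(ct) - len("WEATHER") + 1, survivors

if __name__ == "__main__":
    fixed, total, survivors = demo()
    print(f"self-mapping letters: {fixed}; crib alignments {total}, left after exclusion {len(survivors)}")
    print(f"self-map seen in {fixed_point_fraction(plain_permutation_table):.0%} of plain substitutions, "
          f"{fixed_point_fraction(half_swap_rot13_table):.0%} of half-swap+ROT13 ones")
```

An ordinary random substitution has at least one letter mapping to itself roughly 63% of the time (1 - 1/e), so the exclusion trick is unreliable against it; the half-swap-then-ROT13 construction never does, which is exactly the regularity the post asks about.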
Wednesday 26th October 2016 20:54 GMT Anonymous Coward
'Social media' as the same level of importance as banking??
If you get into my Facebook account, you can't steal my money. If you get in my online bank account, on the other hand...
Email is sort of in between - often control of it will allow an online password reset though hopefully your bank would require more than that.
If they make stupid statements like this, they aren't contributing to a solution. Just muddying the waters even more.
Thursday 27th October 2016 15:40 GMT Brangdon
Re: 'Social media' as the same level of importance as banking??
If they have your Facebook account, they can pretend to be you and ask your friends and relatives for money. With a bit of social engineering some people will fall for this. For example, if they pick a date when you are on holiday and say there's been a disaster, you've lost your phone and wallet, and you need money to get home ASAP.
Thursday 27th October 2016 07:33 GMT Anonymous Coward
Re: Yep, That's the password
We had something similar, well something better than password1 - but it was easy to remember.
Then the manager's son decided it was insecure, and changed it to a randomly generated password that changed every month via group policy - which didn't always update correctly. So us poor mortals in support ended up having to commit the cardinal sin of writing them down, just so we could log in!
Wednesday 26th October 2016 21:52 GMT J.G.Harston
More and more online sites demand tighter and tighter password rules - for utterly ridiculous things, a job vacancy website for f***'s sake!!! - that I end up using my high-strength banking password, just to look at ***king job vacancies!!!!!!!! - which then means I have to try and work out a stronger banking password that I can remember. And then discover that my bank won't let me strengthen my password beyond what I've just given to an advert site.
Why the FUCK!!!! should non-financial websites demand the same type of password as my banking website?
Wednesday 26th October 2016 23:25 GMT veti
They shouldn't. Heck, if a website's only function is to show you ads, it has no business requesting any password at all.
On the other hand, if it looks after personal data - like, f'rinstance, if it allows you to upload your CV for forwarding to selected advertisers - that's another story.
Wednesday 26th October 2016 22:41 GMT Anonymous Coward
Got a DBS check email in the summer
Moving on to the next stage "If the link doesn't work, just visit blahblah.co.uk and enter this username and password"
FFS it's a DBS check for security and they send an effin' plaintext email with credentials to login and confirm my identity!!!!
And yes, it's for real, documents submitted and approved etc. It all came out ok in the end, but a fecking plaintext email? <still gobsmacked>
Thursday 27th October 2016 10:13 GMT Arthur the cat
The Bank of Melbourne whose password policy EXCLUDES special characters and LIMITS passwords to 12 characters.
I don't know whether they still do, but the Bank of America used to insist that passwords to access (and trade) your portfolio online (average customer worth: several million dollars) must contain a mix of upper and lower case letters plus digits not more than six characters long!
That showed them pesky hackers.
Thursday 27th October 2016 16:59 GMT Dom 3
Stub + algorithm
It's really not hard to create easy to remember, cryptographically hard passwords that are not duplicated across sites. First, think of a phrase.
I will choose 'yet another flippin password for:'.
That makes 'yaFp4:'. Yay, six characters including upper, lower, numeric, special.
Next. What is it for? theregister.co.uk? I will choose a selection of letters in a fixed pattern; let's say, third, second, fourth, first. Makes 'ehrt'.
Now tack on a memorable number. Yer mum's birthday. You *do* remember that every year? Well, maybe if you type it in ten times a day, you will from now on. Win-win situation.
Result: yaFp4:ehrt120152
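Dom 3's recipe written out as code, an added example rather than anything from the thread. It makes assumptions the post leaves open: the letters come from the first label of the hostname ('theregister' for theregister.co.uk), positions are 1-based, and a label shorter than the pattern is an error. It also reports, for two derived passwords, the fraction of positions at which they hold the same character.

```python
def site_letters(site, pattern=(3, 2, 4, 1)):
    """Letters of the site's first hostname label at the 1-based positions in
    `pattern`; the post's pattern is third, second, fourth, first. Assumption:
    the first label ('theregister' in theregister.co.uk) is what the post means."""
    label = site.lower().split(".")[0]
    if not label or max(pattern) > len(label):
        raise ValueError(f"label {label!r} is shorter than the pattern needs")
    return "".join(label[i - 1] for i in pattern)

def derive_password(stub, site, number, pattern=(3, 2, 4, 1)):
    """stub + site letters + memorable number, in the order the post lays out."""
    return f"{stub}{site_letters(site, pattern)}{number}"

def shared_fraction(a, b):
    """Fraction of positions at which two derived passwords hold the same character:
    a measure of how much of one password is fixed by knowing the other."""
    return sum(x == y for x, y in zip(a, b)) / max(len(a), len(b))

STUB, NUMBER = "yaFp4:", "120152"  # the post's own stub and number

def demo(sites=("theregister.co.uk", "example.com", "ab.example")):
    """Derive a password per site; a site whose label is too short gets an error note."""
    out = {}
    for s in sites:
        try:
            out[s] = derive_password(STUB, s, NUMBER)
        except ValueError as e:
            out[s] = f"(cannot derive: {e})"
    return out

if __name__ == "__main__":
    pws = demo()
    for site, pw in pws.items():
        print(f"{site:20} {pw}")
    a, b = pws["theregister.co.uk"], pws["example.com"]
    print(f"characters shared between the first two: {shared_fraction(a, b):.0%}")
```

With the post's stub and number, two sites' passwords agree in 12 of 16 positions: only the four site letters vary.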
Friday 28th October 2016 10:10 GMT Nimby
Random lives in a House and does a lot of Publishing
"It's not exactly an algorithm, but I find that random drunken ramblings sampled at 3 AM in a bar is a good starting point for creating strong passwords."
For creating strong passwords ... or for creating new Australian colloquialisms to rival the likes of "flat out like a lizard drinking" and "she'll be apples".
But to vaguely waver back towards seriousness for a moment, it's the old adage that "anything is better than nothing". Whatever system you have works, so long as you have a system, and you use it.
Random drunken ramblings, reverse typing, random creature names from an AD&D Monstrous Manual and the page number they came from, pig latin, inverted ASCII, R3PL4C1N6 letters with digits (with or without full leetspeak), or even rousing games of Bingo and Battleship can all provide wonderfully difficult passwords to crack.
Friday 28th October 2016 10:29 GMT Nimby
Random and Corwin drove to Amber
The problems with 2FA have already been covered. (AKA besides the fact that not everyone has a smartphone, when was the last week you made it through that didn't read a headline, "phone cloned", "Android / iOS hole found", etc.?) Frankly, and with good reason, I trust my PC more than I do my phone!
Likewise a bad idea in security is the finger print. Even if they were truly unique (which they are not) most scanners are still beaten by a gummy bear, with or without involving a printer. I'm not sure about retinal scanners, but then I don't see many of those kicking around. And even if we could go straight to DNA, I'm betting most systems that could be made to fit into something small enough to use would be flummoxed by family members. (Not to mention all those pins and needles and hazmat concerns.) So anything biometric is out. (And yet companies still do try.)
Frankly, it's Steam that has some of the best solutions that I've seen combined. As simple as a password ... but protected by sanity checks such as location and device. Chances are pretty low that I would travel continents to log in from Estonia, at 3 in the morning, from a device that I have never used before. And if it really is me because I really went on a vacation, I just have to get my confirmation code from a second factor of my choosing. It's a much more sane solution that covers a majority of situations well, and is customizable to cover the rest.