back to article That's what makes you hackable: Please, baby. Stop using 'onedirection' as a password

Newsflash: Not only do people still suck at passwords, but they also have diabolical music taste. Among a number of eye-popping choices, research by NordPass – a password manager from the folk behind NordVPN – discovered that at least 30,388 people, presumably 12-year-old pop fans at the time of signup, use "onedirection" as …

  1. elkster88
    Joke

    Never going to hack me!

    Yeah, what's up with all those lame passwords.

    I got smart and switched all mine to "Correct Horse Battery Staple" some time ago.

    1. MatthewSt Silver badge

      Re: Never going to hack me!

      Was gutted when I found out that hunter2 was no longer considered a secure password

    2. Khaptain Silver badge

      Re: Never going to hack me!

      For those that are unaware of your particular choice of password selection...

      https://xkcd.com/936/

      1. Kane

        Re: Never going to hack me!

        I think it's about time Vulture Central automatically added the relevant XKCD link at the end of each article.

  2. channelswimmer

    Re: Trade deals with the EU

    #7 was 'zinch' - does anybody know why?

    1. SoltanGris
      Childcatcher

      Re: Trade deals with the EU

      Interesting. A web search for the term seems to indicate a scholarship granting outfit. This leads me to presume (why not) a large number of college winks made great use of that grant money.

  3. Claverhouse
    Black Helicopters

    Uncomplicated

    I just use https://passwordsgenerator.net/ to get the longest word the website shall allow, without symbols, or ambiguities; then store them in https://www.enpass.io/ and make several txt copies hidden through different drives.

    I cannot imagine online password applications. Anyway it's all simple enough: I hope we get to a passwordless future but until then --- not that my computers or the sites I visit have a lot to plunder, so do good security but don't expect too much from security.

    1. upsidedowncreature

      Re: Uncomplicated

      Eh? How is enpass.io not an online password application? Also, why are you undermining yourself by storing text copies of passwords?

      1. MrWibble

        Re: Uncomplicated

        Looking at the website, it's a local vault - quote:

        "Privacy matters.

        We do not store any of your data on our servers. Live carefree!"

    2. Anonymous Coward
      Anonymous Coward

      Re: Uncomplicated

      I just assumed any 'free' online password generator recorded the last one it showed you (in case you F5'd a few times to make it _really_ random) and then sent it to the criminals to go into their brute force lists (along with various dictionaries and lists of known words).

      1. veti Silver badge

        Re: Uncomplicated

        GP cites "passwordsgenerator.net", which (by default) generates your password locally, not sending it over the net at all. Feel free to disconnect your network if you don't trust them.

  4. knandras

    "We had a good laugh in the office when we saw this muppet's password" Would be a great testimonial for their service.

  5. Aladdin Sane

    1-2-3-4-5?

    That's amazing! I've got the same combination on my luggage!

    1. upsidedowncreature

      Re: 1-2-3-4-5?

      That's odd, all I see is * * * * *.

      1. Mystereed

        Re: 1-2-3-4-5?

        I caught my 6-yr old son trying to log in to my system a few years back.

        He was typing in a row of asterisks, because he thought that was what I was typing.

        Can't trust anyone.

        I have explained to him now he has his own setup how to create memorable passwords which are hard to crack.

        1. heyrick Silver badge
          Coffee/keyboard

          Re: 1-2-3-4-5?

          "He was typing in a row of asterisks, because he thought that was what I was typing."

          Brilliant. Just shot a gobful of tea clear across the room. ;-)

        2. I ain't Spartacus Gold badge

          Re: 1-2-3-4-5?

          Went to my brother's the other day, to babysit and fix their PC while doing it. Sorting out the sister-in-law's account, and she'd given me the wrong password. Couldn't log in. Of course, the 11 year-old has known Mum's password since the day they got that computer... I know this, because it was him that told me her original password last time I fixed it - several years ago...

          If she ever leaves her iPhone downstairs, he quickly logs in and disables the time lock on his and his brother's iPads, that won't let them use them after dinner.

          The scary thing is, I sort of am LastPass. I fix a family PC, and then six months later they phone me to ask what their password is. I don't write them down - but remember them better than their owners.

          1. Kiwi
            Pint

            Re: 1-2-3-4-5?

            The scary thing is, I sort of am LastPass. I fix a family PC, and then six months later they phone me to ask what their password is. I don't write them down - but remember them better than their owners.

            Used to be like that myself. These days I just pass someone the keyboard and turn away (or get them to type it in if via Teamviewer etc).

            I don't want to know their password. I don't want to know how many characters, which end of the keyboard they use, nothing.

          2. Mooseman

            Re: 1-2-3-4-5?

            Yes same here - I used to do support for a local business and the MD used to regularly call up and ask me what his password was....

            1. WanderingHaggis

              Re: 1-2-3-4-5?

              I get my boss telling me that as I set up his account for him I should know what his password is. I try to tell him I don't know, didn't store it and don't want to know it but it doesn't seem to fizz on him.

    2. Rich 11

      Re: 1-2-3-4-5?

      Nah, you've got it backwards.

      (Not showing my age in the least.)

      1. Aladdin Sane

        Re: 1-2-3-4-5?

        Yeah, that predates my reference by 23 years.

        1. Anonymous Custard Silver badge
  6. phuzz Silver badge
    Thumb Up

    Rather than using the name of a band as your password, use the lyrics to one of their songs.

    As long as you choose a long enough line, and perhaps swap 'o' for '0' etc. you should be able to come up with a long, difficult to crack, and yet memorable password.

    But maybe if you're well know as a One Direction fan, pick someone else's lyrics...

    1. Anonymous Coward
      Anonymous Coward

      pick someone else's lyrics... I recommend Wendy O Williams lyrics.

      1. tiggity Silver badge

        Damn, images of Wendy wearing little more than black tape now doing through my mind

      2. David 132 Silver badge
        Coat

        Personally I always use the lyrics from “Om” by Smeg And The Heads.

        Either that or those from 4’33” by John Cage.

    2. Anonymous Coward
      Anonymous Coward

      Ok, changing mine to "urinate on the cheese".

      1. Anonymous Coward
        Anonymous Coward

        Weird Al's "Happy Birthday"

        "Well, it's time to celebrate your birthday / It happens every year / You eat a lot of broccoli and drink a lot of beer..."

        "br0ccoli&Beer" could work for me.

        1. Anonymous Coward
          Anonymous Coward

          Re: Weird Al's "Happy Birthday"

          We had a pen test recently. An IT tech's password was cracked, it was 22 characters long.

          But on asking it was a song lyric.

        2. Uncle Slacky Silver badge
          Thumb Up

          Re: Weird Al's "Happy Birthday"

          I prefer "MashedPotatoesCanBeYourFriends":

          https://www.azlyrics.com/lyrics/weirdalyankovic/daretobestupid.html

        3. Mooseman

          Re: Weird Al's "Happy Birthday"

          Utility Muffin Research Kitchen

    3. NATTtrash

      Erm...

      So you guys are saying that I better change my X Factor themed password "h0t_5u5an-b0yl3"?

      1. Rich 11

        I'd say there's certainly something you need to change!

    4. CrazyOldCatMan Silver badge

      pick someone else's lyrics.

      Anglagard[1] or Runrig[2]?

      [1] On and off and on again Scandi-prog band - most of whom went on to other things then reformed, split and reformed again. Lyrics in Swedish :-) https://en.wikipedia.org/wiki/%C3%84nglag%C3%A5rd

      [2] Gaidhlig songs only naturally.

  7. stuartnz

    I didn't google 1D TO here

    But I really DID google "D7xN$%4uO@S0 " FROM here - one of my best friends is a part-Samoan ex-BOFH who would LOVE that band's music :)

    1. Kiwi
      Pint

      Re: I didn't google 1D TO here

      Now if you really wanted to complete the troll, create a page with links to a certain Rick fella's vids...

  8. Anonymous Coward
    Anonymous Coward

    one direction

    De gustibus non est disputandum

    But continuing a theme of using initial letters from stuff you don't like:

    hymn lyrics for atheists

    complete Monty Python sketches for people with no sense of humour

    1. Anonymous Coward
      Anonymous Coward

      Re: one direction

      My favorite disposable password is "1goodpassword" ... it meets all the security requirements.

      1. John H Woods

        Re: one direction

        Note that "Ra;;,soh1" passes most complexity checks despite simply being what happens if you type "Password!" on a Dvorak keyboard

        1. phuzz Silver badge

          Re: one direction

          If you have a Dvorak keyboard you don't need a password to lock access to your computer, because no one else will be able to type on it anyway.

          1. Kiwi
            Gimp

            Re: one direction

            There's an xkcd for that.

            (Bout time we had an XKCD icon as well)

      2. Sir Runcible Spoon

        Re: one direction

        Apart from capital letters and special characters.

    2. Chris G

      Re: one direction

      I use the Kaspersky password manager, as it comes with the AV package I have with them.

      I have however, been considering developing a rectal recognition app to open my phone, using a Bluetooth thimble to avoid having to drop my strides st inopportune moments.

      1. Khaptain Silver badge
        Joke

        Re: one direction

        "I have however, been considering developing a rectal recognition app to open my phone"

        Depending on your state of hygiene or how many curries/beers you had the night before, it might not be a very stable method...

        I would suggest that you use a written form of the physical act..some suggestion

        Rectally Recognizable

        Anally Artistic

        Bisturbing Diarrhea

        1. Wellyboot Silver badge
          Coat

          Re: one direction

          Sounds like an early run through for the next set of Ubuntu distro names.

      2. EnviableOne

        Re: one direction

        cool, if you forget your password just ask the FSB

      3. EVP

        Re: one direction

        Won’t buy. I hate the blnotch.

  9. iron

    I used to write industrial control software (not networked!) that had rudimentary security to distinguish an operator from a production engineer. When I visited to update or fix issues with a system I could peruse the users' passwords. Often I saw variations on football team names but my favourite was the woman who had the password 'TENMEN' all in caps!

    I don't know if they were all at once or a running total...

    1. JimboSmith

      Had to visit a friend of a friend who complained her "password" had been hacked. When I arrived I asked which password was it? She said "My email one, tell me why it was hacked?" I said because you're using Yahoo mail. She didn't understand that which was mildly amusing.

      After a talk about the need to use a secure password, dictionary attacks, brute force cracking, repeatedly hacked mail providers etc. She chose a new more secure "set" of passwords which we used to update all the instances she'd used the old one. After that was done I said what was your old password? She said "football" with no capitals or letter substitutions.

  10. TRT

    I find...

    it rather annoying that so many websites have a very low figure for the maximum number of characters e.g. choose a password between 8 and 14 characters long. Why? Presumably they don't store them in plaintext, so there's not going to be an excessive overhead in storing the characters because the hashed version is going to be longer still. Then there are ones that refuse to accept other characters such as "-" which is useful for breaking a randomly generated string up into memorable groups. Then there are those that must have capital letters, can't have capital letters, must have a non-alphanumeric, can't have a non-alphanumeric, must have numbers, can't start with a number... Gah!!!!

    Why can't people learn to use the pattern and max/min length attributes on input type="password" tags, that can then clue browser based password generators in to the rules required to generate a valid password for that site? In fact, why do some browser based password managers NOT make use of those attributes?

    1. FrogsAndChips Silver badge

      Re: password requirements

      The fact that there's no password pattern that will be accepted by every site is one of the reasons I switched to a password manager, instead of trying to rely on a formula that would be rejected 50% of the time. Now I just generate a 20-char alphanum password. Too long, missing a special char? No problem, I just change the criteria and recreate a password. If I need to change it again, the criteria have already been saved, I know the new password will be valid.

  11. Pascal Monett Silver badge
    Coat

    "Whether it's LastPass, 1Password, Dashlane or more"

    You can be sure they've all been hacked at one point or another, or they will be. Much too tempting a target.

    A password manager is fine and well, but if you're using it online, you've missed the point.

    Oh well, it'll just take a few generations of suffering for people to start getting the message.

    1. EnviableOne

      Re: "Whether it's LastPass, 1Password, Dashlane or more"

      KeyPass and PasswordSafe are better, less to hack as they are locally hosted, but suffer from the portability angle, but saving the safe in cloud storage helps

      No Holes in my bucket .....

  12. heyrick Silver badge

    D7xN$%4uO@S0

    If I had any musical talent whatsoever, it'd be fun to start a band called that, just to break people's minds on how to pronounce it. And if they ask, just play a snippet of 56k modem training noise and say "that's how".

    1

    1. Oh Matron!

      Re: D7xN$%4uO@S0

      Not cool enough: ZX spectrum game loading noise.

      1. davenewman

        Re: D7xN$%4uO@S0

        The definitive film on what you can do while waiting for a game to load.

        https://www.youtube.com/watch?v=AL2NhhtIFPw

    2. This post has been deleted by its author

  13. msage

    Password Services

    I use keepass and self host; I agree about the number of commercial services being a really high value target.

    The other thing that people don't seem to have mentioned is the password vault is only as good as the password protecting it (or 2FA). You could use a password generator to generate the most complex passwords in the world and store in a vault with a password of Password1 and it's all been for nothing. In some ways the password vault industry might have made hacking more devastating than before.

    1. doublelayer Silver badge

      Re: Password Services

      "The other thing that people don't seem to have mentioned is the password vault is only as good as the password protecting it (or 2FA). You could use a password generator to generate the most complex passwords in the world and store in a vault with a password of Password1 and it's all been for nothing. In some ways the password vault industry might have made hacking more devastating than before."

      Not exactly. That's a good point, but you've still got the attack landscape to consider. If your passwords are stored insecurely on a local password vault, someone could get all of them if they have access to your filesystem through local malware. That's a concern. But if that makes your passwords better, it lessens your vulnerability to compromised online services. If you had some method of knowing you'd never get infected with malware, the encryption password on the vault wouldn't matter but you'd still want to use one to protect you against loss of hashes elsewhere.

      It's also worth considering what malware can do to those who don't have a password manager. If it has access to your system, it can watch as you enter your password on the keyboard, redirect you to a fake login page, send password reset emails to the account you have in a mail client and intercept them, or come across the text file containing passwords. Stealing an encrypted password database is a concern as well, but compared to the alternatives, is not as worrying as it could sound.

      1. This post has been deleted by its author

        1. EnviableOne

          Re: Password Services

          https://xkcd.com/538/

          Mandatory Password related XKCD #2

      2. Michael Wojcik Silver badge

        Re: Password Services

        Or to put it more simply: security assessments are only as good as the underlying threat model.

  14. This post has been deleted by its author

  15. 0laf Silver badge
    Flame

    Cut and paste ya bam

    I use a password manager. What is an utter PITA then are websites that do not allow you to cut and past passwords which means I then have to manually type in a 20 char gibberish password every bloody time. Thanks a lot you useless fucks.

    1. John H Woods

      Re: Cut and paste ya bam

      Browser "dev mode" is usually your friend here but, you're right, it shouldn't be necessary.

    2. FrogsAndChips Silver badge

      Re: Cut and paste ya bam

      KeePass' AutoType feature is your friend.

      1. NATTtrash

        Re: Cut and paste ya bam

        ...unless the login page comes back with a "hovering window" without a window title...

        1. FrogsAndChips Silver badge

          Re: Cut and paste ya bam

          There are various Autotype plugins that can deal with these situations.

    3. Spanners
      Happy

      Re: Cut and paste ya bam

      A lot of websites think they don't allow pasting into their password field. They do however seem to allow <Ctrl>+V

    4. This post has been deleted by its author

  16. IceC0ld

    But strap in – we're just getting started

    that sentence brought back memories, and not all good ones TBH :o)

  17. Anonymous Coward
    Anonymous Coward

    Foreign lang

    Just use the title of your favourite anime or themesong, written in Romaji. Change out letters for numbers. Bonus points if the title contains the proposition "no" (equivalent to "of" in English), as the hiragana for "no" looks a lot like "@", so use that as your punctuation character. There are other hiragana and katakana that can be use similarly.

  18. Anonymous Coward
    Anonymous Coward

    One what?

    Funny, the other names I've heard for them is "No Direction" or "One Erection".

  19. Terry 6 Silver badge

    Don't underestimate

    The full impact of user faced with the sudden ( though inevitable) demand to register for something or other that ought to be straight forward, the mini-panic of trying to think of something and the pressure of knowing you'll need to remember another username and password combination.

    Inevitably an awful lot of users, maybe most, choose the buggerit route of using the first memorable thing that comes to mind.

    Most passwords are not created with advance planning. But are spur of the moment choices.

    And many are for trivial sites, so people are being gently trained to use weak reused passwords

    1. veti Silver badge

      Re: Don't underestimate

      Yep, this is the point that seems to keep being forgotten: 90% of the sites that demand passwords are completely trivial. Who cares if someone can impersonate me on El Reg? How is that going to let them take over my life or empty my bank account?

      Sure, they could troll. They could post defamatory or otherwise illegal material and I'd, presumably, get the blame, at least initially. But I'm having a hard time seeing the percentage in that. A certain level of pure spite, maybe. But profit? where?

    2. Kiwi
      Big Brother

      Re: Don't underestimate

      Inevitably an awful lot of users, maybe most, choose the buggerit route of using the first memorable thing that comes to mind.

      Actually... For sites I doubt I'll visit much, I use whatever random stuff comes to mind so long as it meets the reqs.

      If I go back, there's always the password reset option. or... Well, they can use another small boost to their "registered user" numbers.. (and why I think I may have created 20 odd facebook accounts over time - what, give them my real name??????????)

  20. John 104

    Why is it so hard for people?

    like one direction? You could do: "0n3 W@y $tr33t" as a mnemonic, keep a clue about your favorite boy band and still have a rock solid pass PHRASE...

    1. Terry 6 Silver badge

      It's one of those "Easy to say that now" situations. Doesn't work in real life.

    2. veti Silver badge

      That's OK until you get to the first site that makes you change your password from time to time. Then you realise you're going to need not just one such phrase, but a potentially unlimited supply of them.

      And of course it doesn't allow for sites that don't allow passwords to contain spaces, or start with numerals, or whatever other lame and usually undocumented rules they choose to apply.

    3. ThatOne Silver badge

      > You could do: "0n3 W@y $tr33t"

      You could do this, and me too, but my old aunt, who still isn't sure there aren't little gnomes working inside a computer, won't even understand the concept. L33tspeak? What on earth is that?

      1st phase: Hard pressed to use a password she'd remember (translates to her as "a memorable word"), she will necessarily chose the name of either a child or a pet. Needs a number too? Birth year/month.

      2nd phase: Now somewhat more familiar with the idea of passwords, she will feel empowered and chose to play with the concept: That's how the "Password1" and "LetMeIn!" type passwords come to be.

      3rd phase: After having been repeatedly told about password guessing/cracking and password hygiene, she will start to make her first attempts at strong passwords. That's where the "how do I remember them" issue kicks in, and solutions will range from the little notebook in the top left drawer to password managers.

      We're all phase 3+ users here, but we shouldn't forget that the vast majority of people out there (and parts of our family) are still traipsing around phase 1.

      1. EnviableOne

        I get frustrated by people that dont understand why 23 minuted to 2 in the afternoon is the best time of the day, spose I am of a specific ilk

        I have got the olds trained that people get these password thhings by using memorable words so passphrases are the way to go, till a site gets hacked and its compromised then you have to come up with a new one. So i get them to think of a phrase with a symbol in:

        Kitty was born on the fourth of july. becomes Kwbot4oj.

        or

        I get 20% staff discount at work becomes Ig20%sd@w

        then to add a bit of entropy, the wrap arround method works so

        tIg20%sd@wr would work for something here

        fIg20%sd@wb for the zukerborg.....

        a lot better than mothers maiden or cats name

    4. Michael Wojcik Silver badge

      "rock solid"? Password cracking engines have been using adaptive dictionaries that accommodate l33tspeak and other simple substitutions for years. John the Ripper had support for l33tspeak in 2008, for example.

      Sufficiently-long (10+ characters, depending on the value of the target) decently-pseudorandom sequences are adequate these days. Random-word passphrases (extended versions of the xkcd method) also can be, though length requirements are difficult to estimate because cracking engines use various language models and are always improving.

      For most low-value websites I use a password manager. (I like StickyPass, because it supports Pale Moon and is highly configurable.) For some higher-value accounts which unfortunately lack pervasive MFA, I use randomly-generated passphrases of several words and punctuation, in the 40-50 character length range. Still far from ideal, but it puts my credentials outside the current capabilities of typical cracking facilities.

      1. Kiwi
        Pint

        "rock solid"? Password cracking engines have been using adaptive dictionaries that accommodate l33tspeak and other simple substitutions for years. John the Ripper had support for l33tspeak in 2008, for example.

        Hence rate limiting. With machines that can do (IIRC from Reg articles) a couple of billion or more tries per second, even good databases will fall.

        But no website lets you try 2 passwords a second, let alone 2 billion and decently done ones have timeouts. IIRC "fail2ban" has a default of 5 failures=5 min lockout (I change to 3=1hr).

        I could use a common phrase on my bank, or even a common single word. You have 3 chances at guessing which word before the account gets locked out, and requires phoning or visiting a branch depending on how the lockout occurred. Lock out the phone app = a visit to the branch.

  21. Clive Galway
    Joke

    As any fule kno...

    The correct response when asked to enter a password with at least 8 characters is "snowwhiteandthe7dwarves"

    1. Michael Wojcik Silver badge

      Re: As any fule kno...

      Pfft. If it's "at least 8 characters", I'd go with "onehundredandonedalmations". It's exponentially better!

  22. Anonymous Coward
    Anonymous Coward

    I use favorite biblical verse notations, such as EmpiresandRome4:6-20. It's a bit better more secure than the good old 12346 back in the DOS days :)

  23. irrelevant

    Re: Greedy and careless

    I find Password123 meets most website rules ....

    What I find odd about the list of passwords in the linked article is some of the really obscure ones... Did 33K people really choose "0.00000000" or 372K people choose "g_czechout" ... with an underscore too? I'd be tempted to believe that latter was a parsing error.

    1. EnviableOne

      Re: Greedy and careless

      Password1! is apparently strong (according to entropy strength meters)

      even though its like 12th guess in my cracking list

    2. Michael Wojcik Silver badge

      Re: Greedy and careless

      "g_czechout" is an odd one, because the pun makes it seem plausible (though that's a really high rank unless it's some pop-culture reference I don't recognize), but the "g_" is ... weird. Is this maybe a hard-coded password for some widely-deployed script or something?

      I was glad to see perennial favorites like "iloveyou" (#14, also mentioned in TFA) and "monkey" (#30) are still on the list. "monkey" is the example I usually use when I talk to non-IT folks about well-known passwords, because it's not obvious but has been prominent in these lists for decades.

      1. Michael Wojcik Silver badge

        Re: Greedy and careless

        Also, JFTR, "czechout" is found by HIBP, but "g_czechout" isn't.

  24. This post has been deleted by its author

    1. This post has been deleted by its author

  25. greglane

    Guilty. But how to keep the balance between having secure passwords and remembering all of them? I just always forget the new ones, so find myself using mostly the same one again and again. Bought a password manager, so maybe this will help lol. Actually read a pretty good article on managers, if in need of one: https://medium.com/@wfred0346/5-best-password-managers-how-to-securely-organize-your-passwords-77a435ce7df4

    1. Michael Wojcik Silver badge

      There was a time when even some security experts were suggesting that reusing a password for very-low-value sites - the ones that didn't hold personal or financial information, and didn't pose other privacy concerns, but wanted a login anyway - was not necessarily a bad idea, to reduce the burden on the user.

      These days, those re-used passwords are increasingly a problem, since they help deanonymize your other online activity, if nothing worse.

      On the plus side, they're likely to show up in porn-extortion spam ("I hacked your webcam and recorded you..."), which is a handy reminder to track down those old sites and change those passwords to something unique.

      Because of the generally terrible state of web authentication, password managers have become more or less indispensable, unfortunately. And people who use multiple devices with the same sites, which is most people these days, will probably need a manager that has both desktop and mobile clients and provides some kind of synchronization mechanism.

      We're starting to see wider adoption of web MFA and FIDO2, but it will be a long time before those are practical for most users.

      1. Terry 6 Silver badge

        I store my passwords in a table, in an encrypted folder of OneNote on a mobile phone that's encrypted, with a Sim that's encrypted, synchronised to my laptop that's similarly protected.

        That'll have to be enough.

  26. Mike 137 Silver badge

    The real problem

    The real problem is that those providing advice and setting password rules don't in general know what they're talking about. They don't understand randomness or its relevance to password security, they don't consider what they are trying to protect against (there's no such thing as a "strong" password, you have to ask "strong against what?") and they don't have a clue about human psychology. Consequently we perpetuate silly rules that don't achieve the intended objective.

    In the most basic terms, a password has to be difficult to guess but easy to remember. That rules out truly random sequences of any significant length as they can't be remembered, and in any case the human mind is incapable of creating a truly random sequence because we have a thing called memory that influences sequences of decisions. It also should be as long as practicable (but not exceeding the length of the hash) because length increases the password space faster than size of character set so the shorter it is the harder it becomes to be original.

    The way passwords have to be created is also a major contributor to obvious choices. You get asked to create one out of the blue, you can't see it as you type it in (eliminating the visual imprinting that is one of the strongest contributors to memorising), and then you go away and don't use it again for some time. So unless its' something obvious you'll have forgotten it by the next time you want to use it.

    However it's worth noting that almost every study of crap passwords is derived from breaking an exfiltrated password database, so we should ask ourselves what the dominant problem really is. Given today's technologies, there's no password imaginable that can't be broken offline given time. Furthermore, offline cracking tools use heuristics than bypass apparent "strengths" such as leets, so visual obscurity doesn't equal robustness.

    Dr. Angela Sasse at University College London did masses of very useful research into password effectiveness and usability, but I've never met an IT person who knew about or had read any of it.

    1. FrogsAndChips Silver badge
      Mushroom

      Re: The real problem

      "a password has to be difficult to guess but easy to remember"

      Sorry but this is a premise that needs to die, preferably this way: ->

      If a password is easy to remember, that means you have a unique password for all accounts (which is utterly stupid), a password root with per-site variations, or a formula to derive the password from the website domain/name. In any case I can guarantee you that there will be websites that won't accept your password (too long, not enough special chars, forbidden chars...). So what do you do? You make an exception for this site, but then how do you remember all the exceptions? Next time you log in, you realize that your password doesn't work. Did you type it wrong, has it been compromised or is this one of these exceptions? If it's an exception, what change did you make? Anyway, you ask for a password reset and you're back to square 1. After enough iterations, you will realize that the only sane option is to invest some time in a decent password manager.

      Now about password leaks: yes, even complex passwords can be cracked given enough time and CPU. But if your other passwords are just variations, they will fall quickly once this one has been cracked. Unique and random passwords from a PM will protect you from that.

      1. EnviableOne

        Re: The real problem

        Unfortunatley the Password will not die anytime soon ast there are at least two cases where a password safe won't help you -

        Your windows domain password (no access to safe till you logon) and Your safe password

        the rest of your passwords are completley forgetable as they are random junk and stored in your password safe, so thats cut down password overload to two random streams of characters that are easy for you to remember but hard for someone to guess.

        1. FrogsAndChips Silver badge

          Re: The real problem

          For Windows account, biometrics are an alternative, if you don't mind having your thumb cut or your eyes gouged.

          For the safe password, some PM offer to use a key file as an alternative or extra authentication method.

          As you say, the obvious benefit of using a PM is that it reduces the number of passwords to remember to at most 1 for the PM and 1 for each device where it's installed.

    2. Michael Wojcik Silver badge

      Re: The real problem

      a password has to be difficult to guess but easy to remember

      This rules out (traditional) passwords, full stop. The asymmetry of effort between "guessing" and "remembering" is far too steep.

      there's no password imaginable that can't be broken offline given time

      That's trivially true for any finite sequence, so it's not a useful observation in itself. It's possible to make more productive observations about password or passphrase entropy versus contemporary cracking approaches under realistic economic assumptions and a plausible threat model; but generalizations like this are pointless.

      There's also not much point in talking about passwords unless you're also going to consider passphrases.

      For example, we might say something like: most people will find it non-trivial to come up with a passphrase that 1) has sufficient entropy to resist extant cracking engines, 2) also resists cracking by a hypothetical engine with access to large natural-language corpora and is able to do sufficiently-fast partial and close-match searches on it (to account for minor variation such as character substitution); and 3) can be reliably remembered by the user.

      If we want to raise the stakes, we might also ask that it have enough entropy to resist BQP attacks (Shor's or variations thereof) for what we guess is an economically-feasible number of functional qubits given the value of the protected resource. (If an attacker is willing to dedicate 100 f-qubits to attacking the passphrase, you probably need at least 60 characters, if the passphrase is in English - but that's just a rough estimate.)

      But even statements like those are just handwaving.

      Angela Sasse at University College London did masses of very useful research into password effectiveness and usability

      Indeed, including the classic 1999 CACM article "­Users Are Not the Enemy" (with Anne Adams), which is a useful corrective for the Reg article we're responding to here. And Sasse has published on many other aspects of IT security. And so have many, many other researchers. And most software developers have studied little or none of this research. What else is new?

      Developers and other IT practictioners, with their ignorance of relevant research, aren't the enemy either (tempting though it often is to blame them). There are reasons - economic and psychological1 - why the vast majority of IT practitioners don't follow relevant research. And why most researchers aren't practitioners. And why both are often disconnected from users.

      There are ways to change those economics, such as regulation.They come at a cost, too. Maybe at some point we'll decide, as a society, that the cost of poor IT security justifies the cost of changing the economics of better software security.

      1Which are really two aspects of the same thing, of course; that's why we have behavioral economics as a research field.

  27. Plest Silver badge
    Stop

    Stop stupid devs cow-towing to moronic users incompetence!

    The problem is that I've been on websites, forced to sign up, got my password manager to generate a random 20 char password only to be told the password must be 10 chars or less and can only contain alphas and basic ASCII punc marks like underscore and pound!

    You know why don't you? People who who do NOT use password managers walk around with one password in their head and the site managers don't need the grief everytime 90% of their user base forget's it's password.

    1. Michael Wojcik Silver badge

      Re: Stop stupid devs cow-towing to moronic users incompetence!

      Well, I suppose blaming everyone is one option.

      While we're at it, why not complain that computing technology has improved so quickly? If we were all still using TENEX on PDP-10s, all we'd have to worry about is the login timing side channel, and Alan Bell fixed that a while ago.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon