back to article UK's National Cyber Security Centre recommends password generation idea suggested by El Reg commenter

Nearly a third of Britons use the name of their pet or a family member as a password, the National Cyber Security Centre has said as it advised folk to adopt what looks very much like a Register forum user's suggestion for secure password generation. A survey of 1,282 British adults commissioned by the NCSC showed that 15 per …

  1. alain williams Silver badge

    Biometric password

    No thank you.

    If something goes wrong then restoring access can be incredibly hard especially with the you-cannot-speak-to-a-human attitudes to many services that a lot of people depend upon.

    1. b0llchit Silver badge
      Facepalm

      Re: Biometric password

      You can always change your fingerprints, eyes, mouth, nose and genome. Oh wait...

      Never mind.

      1. Warm Braw Silver badge

        Re: Biometric password

        The trouble is that these all credentials are actually copies. When you type a password it's a copy of the password in your head or in your wallet or password manager. When you use biometric authentication you provide a copy (a photo or scan) of your fingerprints or face, you don't hand over actual body parts. Wherever a copy is involved, there's a potential for forgery and if there's no mechanism to allow for forgery and recover from it (as in a "something you are" authentication factor), I can potentially assume god-like power over your life in perpetuity.

        Or, as Oscar Hammerstein wrote in another context:

        And some day I'll know that moment divine,

        When all the things you are, are mine!

        Oh, and BTW, I think there may be an intrusive "f" in:

        This shift may be essential

        1. martyn.hare
          Joke

          Time for a novel approach!

          Why not assess "something you are" by finding out how much of a tree stump they are?

          That way, as long attackers are less of a stump, they'll end up stumped as to why they can't get in!

        2. sev.monster Bronze badge

          Re: Biometric password

          That's actually not true in the majority of cases. Most fingerprint, retina, and face biometric authentication tools for example, do not save an image of your respective extremity, and instead save datapoints from the output of a detection algorithm. In almost all cases, these algorithms will look for recognizable minutae in the subject. This is often more for performance and data storage costs associated, but has a bonus in that it respects your privacy by storing only the bare minimum required for often provably secure authentication. For example, for fingerprints:

          • The overall shape (whorl, ridge, arch, etc.) as an enum
          • The location of ridges, such as branch patterns and counts, which can either be independent of fingerprint type or specific to each type
          • Calculating the position or distance between certain recognizable ridges in each type, such as the center of the whorl, or the apex of the ridge

          These pattern recognition trends continue with the retina. It is most common to analyze the design of the sphincter and dilator musculature, which is often unique like fingerprint ridges, kinda like a round barcode. Infrared or near-infrared light can be used to detect patterns that are not present in the visible light spectrum, making them even more secure as existing cameras cannot so easily be used to mass-match irii, which is a concern of privacy advocates.

          And for the face:

          • Brow height and width
          • Nose shape: Length, tip position, ridge angle, nostril width and shape...
          • Corners of mouth
          • Chin shape
          • Vertical offset of eyes (most people's eyes are not perfectly aligned)

          These are only examples, and I do not claim to be an expert on any of the mentioned technologies; retinal algorithms are probably my weakest subject of the 3 examples so I do not have as many practical examples as with the other two.

          More importantly however, implementations of these algorithms vary among manufacturers and even related product lines, meaning the result of an algorithm for one product may not be so easily transferred to another product, making the data much less important should it be stolen on a low level.

          Should a database of this information be breached, one would only need to modify the algorithm to make the data less useful—assuming the data is not encrypted before being stored in the database.

          Overall, biometrics are generally pretty safe and do not expose you to unwarranted breaches of privacy.

          PS: Despite that, I would personally only trust locally-stored authenticators, and not systems that upload that data to the Internet. I prefer hardware authentication tokens in this regard, specifically OpenPGP keys with multiple keyserver attestation.

          1. Scott Pedigo
            Coat

            Re: Biometric password

            >> It is most common to analyze the design of the sphincter

            I'll need a copy machine for that.

          2. Michael Wojcik Silver badge

            Re: Biometric password

            Overall, biometrics are generally pretty safe and do not expose you to unwarranted breaches of privacy.

            That's certainly a minority opinion among security experts.

            1. sev.monster Bronze badge

              Re: Biometric password

              Got any references? I'm interested in their opinions.

              Don't get me wrong, full image captures or highly dense datasets of people's faces, fingerprints, and irii are of course no good. I'm just talking about how most modern consumer tech works.

      2. Eclectic Man Silver badge
        Unhappy

        Re: Biometric password

        Bio - metric is measuring the body. Any measurement of your body contains information about you that may be more than just identification.

        For example, that ratio of your d4 and d2 digits is quite strongly associated with your sexuality.

        https://www.pnas.org/content/108/39/16289

        So, anyone keen on hand geometry biometric log on in any country where homosexuality is punishable by imprisonment / lashes or death? (Saudi Arabia, Pakistan , Afghanistan, Iran, etc:

        https://www.humandignitytrust.org/lgbt-the-law/map-of-criminalisation/ )

        Then. again, whorl type fingerprints are associated with a higher incidence of cancer:

        https://pubmed.ncbi.nlm.nih.gov/28973742/

        And, of course, any number of medical conditions can be diagnosed from examining the eyes.

        And face geometry is also associated with homosexuality:

        https://pubmed.ncbi.nlm.nih.gov/24132775/

        Of course, none of these actually has to be even remotely accurate or true for one to be subjected to abuse, bigotry etc., but I do wonder about why so few (i.e., none that I have encountered) papers or articles on biometric identification even mentions the medical diagnostics that can be made from these systems.

        1. John Brown (no body) Silver badge

          Re: Biometric password

          "but I do wonder about why so few (i.e., none that I have encountered) papers or articles on biometric identification even mentions the medical diagnostics that can be made from these systems."

          It could be handy if you start getting ads for for cancer treatment or funeral services next time you log in to Facebook. It would save so much time!

          1. Eclectic Man Silver badge

            Re: Biometric password

            "It could be handy if you start getting ads for for cancer treatment or funeral services next time you log in to Facebook. "

            Accepted, bu how about increases to your insurance premiums, rejections from prospective employers due to the possibility of long term sick leave, refusal to provide loans or mortgages with life insurance once they find out what your biometrics could mean?

            1. John Brown (no body) Silver badge

              Re: Biometric password

              I think I should have used <sarc> tags or maybe a joke icon.

      3. Rol

        Re: Biometric password

        use a string of numbers based on the number of moles you have on each limb segment.

        If months later you find you can't log into El Reg, ring your doctor to book a screening for skin cancer.

    2. MrReynolds2U

      Re: Biometric password

      Current example of this is my daughter's Faeces Book account getting hacked and the email and phone number changed. Then they deleted the account for some reason. All automated efforts to fix this fail and there's no obvious way of contacting a human at FB to get it sorted.

      She's since learnt the benefit of setting up MFA so at least she'll be better protected in future.

      Still, it's a shame for her as there were a gazillion photos on there of her late mother.

      1. alain williams Silver badge

        Re: Biometric password

        Still, it's a shame for her as there were a gazillion photos on there of her late mother.

        Do you mean to say that the only copies of these photos were on FB ?

        1. Richard 12 Silver badge

          Re: Biometric password

          Probably not, but they were almost certainly attached to meaningful text that wasn't backed up because Facebook make it relatively difficult to do that.

          Sometimes it's the replies which make the photo important.

      2. FlamingDeath Silver badge

        Re: Biometric password

        This sounds like a secret confession

    3. Anonymous Coward
      Anonymous Coward

      Re: Biometric password

      Biometric password is an oxymoron.

      Biometrics are user IDs. Which can also be faked by determined hackers.

    4. Muscleguy Silver badge

      Re: Biometric password

      And periodically my phone makes me input the pin when I hit the fingerprint sensor. So I still need a pin.

      And just like periodically when you go to swipe your card the system makes you insert it in the reader and input your pin.

      So Biometrics will need another factor, what could that be, oh! a password.

      I use initial phrases with unique suffixes for each site not easily guessable.

      Except for El Reg, my Reg password is deeply ancient. The only one left, that feels right.

    5. Robert Carnegie Silver badge

      Re: Biometric password

      Something else from the novel "Cyberbooks" I think - a character has a voice activated lock on his garage or something, it does not ever recognise his voice until he loses his temper and screams at it in apoplectic rage, Humiliation that he well deserves. It'd be a bugger on your office PC though, if we're still going to have those.

      1. Ken Moorhouse Silver badge

        Re: It'd be a bugger on your office PC though

        On the contrary. The only real problem will be when there is NOT a Microsoft update.

        Thinking further though, when there are no updates, the user will not be able to unlock the pc, so they will lose their temper and... unlock their pc.

  2. gerdesj Silver badge
    Paris Hilton

    "If anyone's got a practical method of resetting your face after your encrypted mugshot is abused by crims"

    Get a tattoo on your cheek that says iPod

    1. Andy Non Silver badge
      Coat

      Use your favourite pet's face.

      1. Eclectic Man Silver badge

        There is a rise in 'dog-napping' there days, I had no idea they were actually stealing people pass-faces.

    2. Chris G Silver badge

      Facial reset

      You could always use the Lector system.

      All it requires is a sharp knife and a random face.

      Although short term for both it would work for fingerprint readers too.

      In the real world, I suspect that the majority who went for What Three Words, using a not their own address approach would use mostly memorable landmarks, their mum's house or somewhere close by etc.

    3. Lyndon Hills 1

      Have a barney with said crims. Let them re-arrange your face for you

  3. Arthur the cat Silver badge

    Passwords?

    Surely in this day and age it ought to be pass phrases?

    1. john.jones.name
      Mushroom

      passphrase

      exactly

    2. Robert Carnegie Silver badge

      Re: Passwords?

      A slight catch - typing English words is about 1 bit of randomicity per keystroke. Actual random letters mean a password of a certain length is much better than if it contains dictionary words.

      Having said that, you can make a long passphrase but just use the initials of words as the password. It still may be not as random as you want, though.

      Also, you probably will encounter systems that don't allow real words or repeated letters but do insist on mixed case, numbers, and punctuation in the password. The other day I found that Microsoft SQL Server was enforcing this. It doesn't really help if it does not stop you setting onetwo12! which it can't really (ish).

      And you may have to change them every month, grr.

      I favour theyw illne verge tthis O varied where necessary with 0 or O! and possibly a leading capital if so enforced. The actual letters should be random and kept on a little card very safely.

      1. Will Godfrey Silver badge
        Happy

        Re: Passwords?

        On a really trivial website I was only ever going to use once that insisted on the number capital etc. I used.

        100%Stupid

        1. Robert Carnegie Silver badge

          Re: Password: 100%Stupid

          I'm appropriating this. And trying it on your LinkedIn :-)

      2. John Robson Silver badge

        Re: Passwords?

        It's much easier to remember four random words than it is to remember 10 random characters; and although longer to type, it's usually *easier* to type things that are correct words than line noise (perl coders may not find it difficult however).

        That's the strength of the system, not the per letter randomness, but the per "memorable bit" randomness.

        Else I'd run `openssl rand -base64 21`

        mUBshJeBHZyBRFG0YbVnNsAj0Jx6

        But this is easier to remember:

        `sort -R /usr/share/dict/words | head -4 | tr '\n' ' '`

        upcover jumprock glancing taglock

        and with `$ wc -l /usr/share/dict/words` showing me 240k words available - that's ~e21 options, substantially less than the long base64 approach, but substantially better than a 10 character base64 password (~e18), which is still pretty hard to remember. (It's about equivalent to a 12 char base64 password)

        Of course - remembering passwords is probably not the way to go anyway - a password manager can deal with even longer, genuinely random, passwords - then you only need the password for the manager. So we're down to remembering one password, that doesn't directly log you in to anything...

        I still think that a handful of words is easier to remember... Maybe I could use five words instead of four, takes me up to ~e26 (i.e. about a 15.5 digit base64 code) - takes about 4 seconds on my machine for my massively inefficient abuse of `sort` to produce a result:

        $ time sort -R /usr/share/dict/words | head -5 | tr '\n' ' '

        Minoan drawling insufferably hyposthenia standardizer

        real 0m3.771s

        I usually get one word I don't recognise, which is fine - it means that noone will guess that I'm using it, and I can learn one word to protect my password manager.

        1. Robert Carnegie Silver badge

          Re: Passwords?

          1 random letter is worth at least 4 letters of a random word, and I like to type as little as possible. ;-) RaNdOm CaSe slows me down more, so no thanks, and I can mentally cache 5 letters at a time (problem: I think Sainsbury online shopping doesn't allow spaces), though some of my txetm odnar has me struggling to remember where the next key is on the kebyarod. English doesn't have rules like "x after t except after e".

  4. Weylin

    Use words from more than one language.

    1. Andy Non Silver badge

      Better still use a mix of words from Klingon, Goa'uld and R2D2.

    2. Anonymous Coward
      Anonymous Coward

      හරිද?

      If my keyboard could do Sinhala, I'd just re-use my old passwords in that different script. That'd work, right?

      1. Anonymous Coward
        Anonymous Coward

        Re: හරිද?

        ඔව්

        මේ අයට තේරෙන්නේ නැහැ

        ගිහින් එන්න

        Another AC

  5. Mike 137 Silver badge

    Another demonstration of zero original thinking

    "the NCSC recommended using "strong passwords made up of three random words,""

    Strong against what?

    Unless that question is answered, "strong" is meaningless. There are maybe half a dozen disparate threats against passwords, each of which requires different controls to minimise it.

    Quite apart from which, this idea has been around for absolute yonks, and it's only as good as the words you choose. The phrase (that's what it is - a short passphrase) must not be obvious, but must be memorable. And BTW, what is a "random word"? Randomness is a property of sets (multiple objects) not of single objects. A single object can only be arbitrary. If they mean words chosen at random from the dictionary, that still may not satisfy the first criterion very well (e.g. "it" "he" "led" - a 7 character password) and will either fail the second criterion (not very memorable) or will encourage tampering ("he led it" - an obvious 7 character password) which will thwart the first criterion. Just requiring three words doesn't stop folks choosing obvious words.

    The strongest property of a password against guessing is originality, which seems to be in short supply judging from published password sets. No password is proof against brute force attack or reverse cracking from a hash offline. But the less likely it is to be duplicated by others the better. Consequently, "password rules" that set strict parameters (unless they are minimum parameters) tend to make passwords less safe, nor more, as they enforce predictability.

    1. Notas Badoff

      Strong like this?

      badger.badger.badger

      1. Uncle Slacky Silver badge

        Re: Strong like this?

        bork.bork.bork

        1. Anonymous Coward
          Anonymous Coward

          Re: Strong like this?

          That is actually my password, you bastard.

        2. John Brown (no body) Silver badge

          Re: Strong like this?

          That's my luggage password.

          (Why, yes, it does have 12 x 26 position thumbwheels)

      2. Fruit and Nutcase Silver badge
        Happy

        Re: Strong like this?

        bidi.bidi.bidi

        1. KSM-AZ
          Happy

          Re: Strong like this?

          Whatsup Buck?

      3. Anonymous Coward
        Anonymous Coward

        Re: Strong like this?

        https://password.kaspersky.com/ suggests that badger.badger.badger would take 5 days to crack.

        Whereas bork.bork.bork would take 2 years.

        And bork.bork.bork.bork.bork.bork 4 four years.

        On the other hand, bork.badger.bork.badger would take 10000+ centuries!

        These "claims" are apparently based on "Your password will be bruteforced with an average home computer in approximately..." - not sure that concurs with a 29 character password taking significantly less time than a 24 character one. Unless bruteforcing doesn't mean what I think it means.

        1. brainwrong

          Re: Strong like this?

          "On the other hand, bork.badger.bork.badger would take 10000+ centuries!"

          So that would take a million years on a typical home PC.

          The last article I read mentioned a tianhe supercomputer that's still 4th in the top500 list of known computers. It has over 10 million cores, lets say it's a million times more powerfull than a typical PC. Given that password cracking is an embarrassingly parallel problem, this machine may be expected to take a year. You need to consider who you are defending yourself from and what resources they may use against you, both now and in the future.

          "Unless bruteforcing doesn't mean what I think it means."

          You don't just build up passphrases to test from individual characters, you create a list of characters and words in order of decreasing expected probability, and combine these into candidate passphrases to test based on their probability. The word 'rhythmic' is more likely to appear in a passphrase than the letter sequence 'cmyihtrh' or 'cihtyhmr' or 'tyrcimhh' or 'yihchtrm', so it's worth testing such passphrases earlier.

          For strong passphrases I would suggest 4 (or 5!) random words, with some deliberate corruption, such as mis-spelling, extra inserted characters (a couple of numerals or punctuation marks ought to be good), some random capitalisation, maybe move any word-separating characters about. You don't need much of this, but avoid obvious substitutions such as '0' for 'o' etc. You should end up with non-dictionary words which are hopefully not too difficult to remember. Stick to common punctuation marks, there are pitfalls with different character encodings.

          To remember passphrases, use them, use them, USE THEM.

          Or write them down, but this creates new risks.

          I'm no expert BTW.

          1. John Robson Silver badge

            Re: Strong like this?

            "Or write them down, but this creates new risks."

            Humans are generally pretty good at keeping small pieces of paper (usually green in the US) safe.

      4. Robert Carnegie Silver badge

        Re: Strong like this?

        gorilla gorilla probably is, are, stronger. I mean look at them. Big hairy things. I just heard on radio about their aggressive chest beating. It turns out that females do it too. I mean, Ow, surely, am I wrong?

    2. Blazde
      Facepalm

      Re: Another demonstration of zero original thinking

      tecumseh.amazebubbles.psychoendoneuroimmunology

      Error: Sorry, your password should contain at least one symbol from the following list: [, ], (, ), #. @, !, %, two numeric characters, one lowercase and one uppercase characters and be between 8 and 12 characters long.

      1. David Pearce

        Rainbow Tables

        Pre computed rainbow tables are readily available up to 9 or 10 characters depending on the options.

        You can guess that serious TLAs can go up to about 12.

        1. Paul Crawford Silver badge
          Coat

          Re: Rainbow Tables

          I thought they went to 11!

          Mine has a copy of Spinal Tap =>

    3. TheProf Silver badge

      Re: Another demonstration of zero original thinking

      Upvote for using the word 'criterion'.

  6. Sabot
    Devil

    As a dutchie I'd like to say the bri ish are overtaking the Belgians.

    1. Lunatic Looking For Asylum
      WTF?

      Intrigued. What does this mean ?

    2. Trigonoceps occipitalis

      Watch your Language

      Z. Beeblebrox

  7. Ben1892

    Biometrics and FIDO U2F

    To be fair the way that's not the way biometrics work - so they'd need access to your face and your device but why let that get in the way of a good gag about editing your visage.

    But back to the point, I'm still not sure why something like the Yubikey / U2F isn't a thing - so many sites still won't support it - Paypal I'm looking at you!!

    1. Anonymous Coward
      Anonymous Coward

      Re: Biometrics and FIDO U2F

      Why would anyone want multiple Yubikeys?!?

      1. Anonymous Coward
        Anonymous Coward

        Re: Biometrics and FIDO U2F

        Welcome to life as a engineer in the 21st century. This one is the one issued by IT support, it unlocks my laptop. This one is issued by SRE, this gets me on to the AWS console. This one is also from SRE, gets me on to GCP - I don't know why they issued two either. This one is my personal one, its got my personal GPG keys on it. This one is my old personal one, for U2F websites I haven't switched over yet. This one has my work GPG keys on it.....

    2. KSM-AZ

      Re: Biometrics and FIDO U2F

      I use U2F for everything that will accept it. All M"FA shoud need 2 of 3 items, prefierably allow multiple U2F devices and/or text and and/or TOTP taken with maybe a password. U2F is about as secure as it gets. You don't got my physical key your outta luck. TWO because I want one in an alternate location in cae something bad happens.

      U2F is the heat. No way to break it easily, and the private key cannot be copied, and it lotsa bits!

    3. Ian 55

      Re: Biometrics and FIDO U2F

      Paypal limit your password to something like 18 characters too.

      W T Actual F?!?

  8. Hubert Cumberdale Silver badge

    Just a little nod to KeePassXC, of which I'm rather fond. Almost all passwords can be truly random and ridiculously long* with a decent cross-platform manager such as this (the database [in encrypted form] can be seamlessly cloud-synced to your favourite provider/roll-your-own). But yes, the master password can be as correct a battery staple as any horse could wish for.

    *(Barring nonsensical limitations on what you can use as a password: I tried something like "kl][';dtshJ~Khs%$aq:dVrL#}>¬KdR=" somewhere once and got "Your password must contain at least one number"... sigh.)

    1. KSM-AZ

      Kudos to KeepassXC as well, remind me to send them some money.

  9. GreyNerd
    FAIL

    Password stuck since 1989

    After a little SNAFU on a ICL mainframe, my password is stuck at "A55w0rd"

  10. Ian Mason

    Password reset.

    > If anyone's got a practical method of resetting your face after your encrypted mugshot is abused by crims, let us know by sticking it in the comments.

    Not since the Printer's Devil pub in Uxbridge was knocked down. In the section reviewing pubs in the annual student handbook at Brunel University it was the only one with an invariant review year-on-year: "Good place to get your face customised by the locals."

    1. Ken Moorhouse Silver badge

      Re: annual student handbook at Brunel University

      Did they do a review of all the Harefield pubs?

      Apparently Harefield used to hold some kind of record for the largest number of hostelries in England. Did a treasure hunt in that area once where participants had to name them all.

      1. Fruit and Nutcase Silver badge

        Re: annual student handbook at Brunel University

        I suppose its as good a place to be if you end up with a heart attack after a pub crawl

      2. aks

        Re: annual student handbook at Brunel University

        Way back when, as a student at the new Lancaster University and living in Morecambe, I was told that in the 1950s,one street had held 50 pubs. Pub-crawl anyone?

  11. Cinderellaphant

    Crap. My password is already handed.dawn.short

  12. JDPower666 Bronze badge

    The problem with this advice is every website only accepting passwords with mixed case, numbers, symbols and a thousand characters. Website owners are some of the biggest ones in need of educating.

    1. Anonymous Coward
      Anonymous Coward

      " Website owners are some of the biggest ones in need of educating."

      And quite a few of them don't allow + signs in email addresses, either.

      1. Roland6 Silver badge

        Re: " Website owners are some of the biggest ones in need of educating."

        And some allow the use of '&' from iOS devices, but not Android...

        1. Mike 16 Silver badge

          & cetera

          Clearly, they have determined that iOS uses the Commercial character set from the early 60's punch cards, while Android uses the Scientific set. This makes me wonder what they make of an 8-2 punch.

    2. Andy Non Silver badge

      And some annoyingly don't let you paste the password in, forcing you to type it in, then again to verify it, at which point I usually abandon my long complex password and use a shorter easier one. I keep my passwords in encrypted documents in encrypted folders, so just copy and paste them into websites (if I can).

      1. Anonymous Coward
        Anonymous Coward

        "And some annoyingly don't let you paste the password in"

        That's when you open developer tools and set the value field variable youself :-) but you are right -- there is absolutely no excuse to forbid pasting into a password field.

      2. Terry 6 Silver badge

        That's how I do this too. A slightly cryptic table, in an encrypted file in OneNote, which itself needs a passkey or fingerprint to open. With my mobile needing a SIM passkey on reboot and another to access the phone itself.

      3. Lunatic Looking For Asylum

        pwgen and vi -x here.

        Firefox does a pretty good job of generating garbled passwords and storing them. PITA if you want to access a site from another machine though.

        My pet hate is websites that change the rules so the password you register with uses a different rule set to the "I've forgotten My Password" process.

      4. Spanners Silver badge
        Happy

        I have found that many of those that forbid pasting in still allow the use of <Ctrl>V

        1. Brewster's Angle Grinder Silver badge
          Coat

          Don't they complain <Ctrl>V is a bit short and missing numbers?

      5. PTW
        Facepalm

        Xiaomi

        Did this with one or more releases of MIUI on their droid phones! "...for your protection, as many apps have access to the clipboard" Yeah, like Keepass, Lastpass and 1Password, morons!

        And of course, having used all of the above, meant typing in something like MV64BPb*bBFPpQgT0G7%$Gi7Lvw9wMW$JcP% anytime I wanted to login anywhere

    3. Roland6 Silver badge

      >Website owners are some of the biggest ones in need of educating.

      About the secure storage of credential information.

      Remember, this is only really a problem because of major security lapses by websites that permitted third-parties to bulk download their customer details and password files.

      A second group in need of educating are web browser developers who think it is okay to include a password store that can be read by third-party webpages.

  13. Howard Sway Silver badge

    using your pet's name as a password could make you an easy target

    That's why my goldfish is called hj5l88nARnL[72&cx4.

    1. Ken Moorhouse Silver badge

      Re: That's why my goldfish is called hj5l88nARnL[72&cx4.

      You could have used obfishcation techniques.

    2. Trigonoceps occipitalis

      Re: using your pet's name as a password could make you an easy target

      That'll make the bad guys flounder.

    3. LDS Silver badge

      Re: using your pet's name as a password could make you an easy target

      You're still at risk of phishing.

      1. whileI'mhere

        Re: using your pet's name as a password could make you an easy target

        That's just pollocks.

    4. I ain't Spartacus Gold badge

      Re: using your pet's name as a password could make you an easy target

      Is his name really Spot? But "blobllobloobllleeplbll" is what it sounds like underwater?

  14. Long John Silver
    Pirate

    Set up for dictionary based attacks?

    Three 'random' words if adopted widely sets up the user for dictionary based attacks and for simple brute force attack. The latter made more easy by virtue of only alphabetic characters (upper and lower case) requiring anticipation.

    Every bad agent with access to a powerful computer will revel in this proposal. Shall GCHQ, supposedly on the side of the angels, similarly rejoice?

    1. Roland6 Silver badge

      Re: Set up for dictionary based attacks?

      Is this the new use for bitcoin mining rigs?

    2. Anonymous Coward
      Anonymous Coward

      Re: Set up for dictionary based attacks?

      And they don't use them already?!?

    3. keithpeter Silver badge
      Windows

      Re: Set up for dictionary based attacks?

      Do password cracking systems based on rainbow tables make provision for permutations of the letters in each word?

      If not, would writing the pass phrase in (say) a 5x5 square left to right then reading it off top to bottom juggle the letters around enough to force the cracking software to go to brute force?

      You can probably spot the phrase I've jumbled up below, but could an algorithm?

      SHPEEAIRETDEWIH?

      Icon: I've reached the life stage where I have to write stuff down anyway...

    4. KSM-AZ
      WTF?

      Re: Set up for dictionary based attacks?

      Just READ the XKCD. It's about entropy. There are a LOT of words, proper names, foreign words . . . Many of which are not dictionary words. I use 3 words + a number so like '43 Walruses Vomit Chartruse' Spaces if they let me. Creates really nasty entropy.Or I let keepassXC generate 24 random chars and just paste. I never use special characters unless required. Invariably I'm stuck typing the crap in by hand in a pressure situation, . . was that a star or an at sign?

      1. Grunchy Bronze badge

        Re: Set up for dictionary based attacks?

        43 Walruses Vomit...?

        I had the same password idea!

        (Mine vomit "human toes" shh)

        1. I ain't Spartacus Gold badge
          Happy

          Re: Set up for dictionary based attacks?

          43 Walruses Vomit...?

          Is that what happens in the rather darker sequel to 'The 12 Days of Christmas'?

    5. Stork Silver badge

      Re: Set up for dictionary based attacks?

      Words from several languages?

      What often bothers me is only being allowed ascii 127. When playing with one brute force cracker, ø lasted really long.

  15. Blofeld's Cat
    Pint

    Er ...

    OK I had to look ...

    handed.dawn.short = Robinsons Unicorn Brewery in Stockport

    I once had a tour of that valuable establishment.

  16. Claverhouse Silver badge
    Angel

    After The Ball Is Over

    Adenike Cosgrove, a cybersecurity strategist from email security biz Proofpoint, opined that passwords will probably become old hat soon, saying: "We have already seen a rise in methods such as facial recognition and other biometric authentication forms in use in place of the traditional password."

    She added: "This shift may be essential, because although technical vulnerabilities may be harder to exploit in future, humans are already and will remain the most targeted link in cyber security, with the most tech-savvy individuals vulnerable to increasingly personalised and complex attacks."

    .

    .

    All very well and good until you snuff it and your executors are trying to clear up your affairs.

    1. Anonymous Coward
      Anonymous Coward

      Re: After The Ball Is Over

      Been there. Having the Grant of Probate is all very well but, if the deceased embraced the "go paperless" mindset, knowing where to send the copies is quite a challenge. Fortunately good old Dad could be relied on to use one of about four passwords, so once I was into his laptop...

  17. John H Woods

    Isn't this terrible advice?

    I'm suspect What 3 Words works on a vocabulary of about 40k words, which probably matches an English speaker's passive vocabulary. (The earth has an area of about 5.1e14 square metres; 4e4^3 is 6.4e13, meaning that a W3W square is just under 8 square metres, which seems about right.)

    Let's be really generous and assume someone asked to come up with three random words is able to pick each word from a 50k word vocabulary (I suspect, in practice, an awful lot of people would be picking, from an immediately accessible vocabulary of 5k words or less). So, like W3W, you now have 6.4e13 combinations.

    On my keyboard I can comfortably type 88 different symbols (26 letters + 10 shift-digit symbols + 8 punctuation = 44, all of which can be shifted to give another 44).

    Now my maths might be wrong (l seem to have some kind of long Covid neurological issue going on, so please be gentle!) but as 88^7 = 4.1e13 and 88^8 = 3.6e15 that means even a good three word passphrase would have about 50% more entropy than a 7 character password whilst an 8 character password would have 50x more entropy.

    1. John H Woods

      Re: Isn't this terrible advice?

      NB: I know they're trying to target the people who use "Rover123" and obviously 3 random words are vastly preferable to that --- but I think the approach misses the required entropy of a moderately secure password by a factor of at least a million (probably a billion with more common words).

    2. Roland6 Silver badge

      Re: Isn't this terrible advice?

      You omitted the word separator, which can be any character not just '.'.

      However, enforcing this rule will be difficult, so best just to insist on upper and lower case, numbers and special characters. What3words just gives people a memorable structure on which to hang their favourite convention. In this way it is relatively simple to create 12+ character passwords; without the framework, people will struggle to create a 12+ character password.

      My 2 longest passwords, that I have to remember are 32 characters, both are nonsense phrases constructed out of words with filler symbols and are more easily recalled (after a few weeks of holiday) than the 16 random character passwords some insist on using.

    3. Anonymous Coward
      Anonymous Coward

      Re: Isn't this terrible advice?

      I think if you wrote a program mapping from every address in the UK (such DB's exist) to the what3words equivalent, you would have a usable tool for password spraying.

    4. Anonymous Coward
      Anonymous Coward

      Linux to the rescue?!!!!

      @John_H_Woods

      Quote: "...on a vocabulary of about 40k words..."

      *

      .......but the widely available file called "linux.words" has over 400K entries......many of which don't look like any words I can recall!!!! Does this x10 increase in the word pool not make a significant difference to the "three word math"?

      *

      Some examples: a-glucosidase, aasvogels, abrotanum, absolutistically, achroiocythaemia, ......

      *

      .....and that's just a few from the beginning up to "ACH...."!!!

    5. Steve Graham

      Re: Isn't this terrible advice?

      My thoughts too. Basing your password on a smallish, fixed database is probably a bad idea.

      I don't know if the W3W database is publicly available, but their business model is clear: get the concept used widely (including by paying for TV advertising) and then start charging.

      1. Terry 6 Silver badge

        Re: Isn't this terrible advice?

        Using w3w to provide 3 words isn't as good as it sounds. If you use a specific address/postcode you might as well just use that address/postcode as your p/w. If you generate it from a location you are stood in that gives a much wider more random choice. But then you have to find the precise location again.Even my little home has at least 9, arguably 16 possible locations. I could narrow it down to maybe 6 or 8. But what a faff. I guess if you base it on a specific part of the property that you can locate on a map it'd work, a garage say. As long as you can remember where on the property you used in 6 months or so time.

        I know I used a location near mum's house- was it the garage, the shed, the garden, the back gate, the apple tree.....

  18. J. Cook Silver badge
    Go

    four words:

    Correct horse battery staple

    (huh?)

    Also, + MANY for KeePass, in it's various forms (portable, cloud, etc.)

    And I can also recommend a web-based password manager for businesses called Thycotic. Worth it.

  19. Peter Prof Fox

    Calm down

    For many uses 3 words that are easy to remember is fine. (But don't make it a phrase

    like MY,LITTLE,SECRET ) Lots of applications don't need nuclear-bomb level protection.

  20. Fruit and Nutcase Silver badge
    Black Helicopters

    cost.flags.plans

    No one will think of using this combination!

    https://w3w.co/cost.flags.plans

    1. Ken Moorhouse Silver badge

      Re: No one will think of using this combination!

      These things aren't unique unfortunately. It is shared with somewhere in Altoona, Wisconsin, which could mean residents at that location being treated with some suspicion.

      My address suggests that I help exiles... If it's to do with exiling oneself from the cloud then I can help with that.

    2. Anonymous Coward
      Anonymous Coward

      Re: cost.flags.plans

      I think they'd be more likely to use https://what3words.com/race.slides.sand

      It's interesting that you have to remember not just the 'word' but also whether it is plural or not. That makes it somewhat less easy to memorise, IMHO.

      1. Terry 6 Silver badge

        Re: cost.flags.plans

        That's interesting. One of the singular/plural versions of that sequence is within a few miles of my home. Another is in Australia. Could make for an interesting drive.......

        1. Eclectic Man Silver badge
          Coat

          Re: cost.flags.plans

          Shouldn't that be

          Fun.With.Flags ?

          I'll get my (lab) coat.

  21. Anonymous Coward
    Anonymous Coward

    openssl

    On sites that don't allow special chars openssl seems to produce passwords with decent entropy

    openssl rand -base64 16

  22. Primus Secundus Tertius

    Old Ways Best

    The Plain Old Telephone System did it the easy way.

    "Hello, its me", in a unique voice.

  23. Keith Oborn

    Most valuable property--

    handed.dawn.short.

    I knew Stockport property values had gone up a lot in recent years, but for a small block of flats there to be "the most valuable" is quite surprising.

  24. Anonymous Coward
    Anonymous Coward

    Worn out biometrics

    I live in a country that uses thumbprints as the national biometric

    Many of us lose these in our 50s, then its the manual queue everywhere and produce a paper certificate that the prints are useless

  25. FlamingDeath Silver badge
    WTF?

    Mailbox password

    I always assumed this to be obvious to most people.

    If someone gets into your mailbox, they can change the mailbox password, locking you out, and then do password resets on any service associated with that mailbox.

    I mean, you don’t even have to understand computers to understand that little nugget of logic

    Turns out, not many people are logically minded, who knew...

    1. brotherelf
      Paris Hilton

      Re: Mailbox password

      Works the other way around, too. I have accounts in some places where I literally don't know the password and don't store it. The company I might order something from once every five years? It's faster just to do a password reset.

      (I vaguely recall even The Bruce thinks this is a valid mode of operation, but don't quote me — or him — on that. Also, he has surprising views on on-paper passwords.)

      1. Anonymous Coward
        Anonymous Coward

        Re: Mailbox password

        That only works if you still have access to the same (alternate) email address or phone (number) that you did 5 years ago.

        Otherwise you're out of luck.

  26. Persona Silver badge

    Almost pointless

    It doesn't really help. Instead of having to remember a password for each of the 100 id's instead you need to remember 3 words for each. Alternatively you can as suggested just remember the location and look it up if needed, but who can remember dozens of "random" locations and tie each one to a particular site/id.

    Not only doesn't it help. It doesn't even work as most sites will insist on password complexity so you need to add digits etc.

    I've even come across one site that applied "complexity" rules to the memorable answers (normally crappy low entropy passwords). This site wanted me to give the middle name of my oldest sibling, but would only accept answers of seven or more characters including at least one digit. My parent were quite remiss in this respect as they only gave her a 3 letter name and no numbers!

    1. Anonymous Coward
      Anonymous Coward

      Re: Almost pointless

      Agreed.

      Totally impractical.

  27. Eclectic Man Silver badge
    Joke

    Does this mean

    that "MAGA2020" is no good?

    I'm shocked, truly shocked.

  28. Vocational Vagabond

    bit late to shout out some love for keypass ?? ! comes with cross platform love and ... $0.00 down, full of ethical goodness . . .

  29. This post has been deleted by its author

  30. jack d

    Random words

    Does anyone here realizes that the basic password cracking programs use what is called "dictionaries"?

    Any word found in a dictionary is a poor password or part thereof. Assumng 30 000 words for the basic English dictionary, how long do you think it would take a supercomputer to crack your "random" 3 word password? Probably not even 2 minutes.

    1. Anonymous Coward
      Anonymous Coward

      Re: Random words

      According to the Kapersky link higher up, an old 3 word password (since changed) would take 10000 years to crack with a desktop computer - are supercomputers really 3 billion times faster?

    2. Terry 6 Silver badge

      Re: Random words

      Most of us here, I'm guessing, are thinking in terms of chancers and low level criminals trying to break into our accounts. If we're talking of targetted attacks by serious organised crime (or state machinery) that's a whole different level of security (though I'd always use some kind of non-dictionary component- can't be too careful)

    3. John Robson Silver badge

      Re: Random words

      Yes, they use dictionaries... do you know what you are protecting against when protecting against dictionary attacks?

      The entropy available in three (or prefereably four) words is actually pretty impressive, assuming of course that you can generate reasonable random words from a large enough dataset.

      The dictionary isn't a bad place to start, there are quite a few choices for each word...

  31. Wimmerke

    Randomness and getting burned :-)

    Hmmm... having the secret limited to existing words and even reduce it to pets, names and places... the change of brute forcing is on the rise, because it limits considerably the possibilities to check... But as always the balance between security and user experience.

    What about facial recognition and finger print revocation or change... Plastic surgery on the rise, or burning finger prints LoL

    Once had my finger burned in the kitchen, well yes... I was locked out with fingerprint recognition... Unintended or uncontrolled revocation ;)

  32. kneedragon

    We've been here before, but, how the fk do you change your face or your fingerprint if it's compromised? Do I really need to wear an expression of surprised innocence and my old purple T-shirt and the fluorescent c0ck-ring to get into my bank, or the annual general meeting? I can't remember a 56 character p1ssword that contains ancient Greek and Sumerian characters. I don't really want to be chipped like a stray dog and I don't want to have a 64 char bar-code tattooed on my forehead either. I don't do two factor authentication because I don't do mobiles. My comms device is my desktop. I don't want to use the p1sswrd manager on my desktop to boot and login to my desktop because that's a logic bomb even Barbie and Ken would spot. I can download and install a pisswrd manager that demands I first create a pissword that it didn't provide but if I download another pisswrd manager it may produce a pisswrd, but that 2nd pisswrd manager demands that I download a 3rd pisswrd manager because it shouldn't manage something as critical as it's out pissrd so it recommends another 4th pissword manager to make the pisswrd for the paisswrd that pisswords the pissword to get the pissword, ... so now I have to ask the CIA if I can ask the KGB if I can ask the Chinese Intelligence service if I can ask the Iranian Intelligence if I can ask Facbook if I can ask google if I can boot up windows, because privacy and security are a human right, and obviously I'm a stupid non-technical old khun if have to have simple things like this explained to me.

  33. KSM-AZ

    Weird Always Sucks

    Adding a symbol or two outperforms weird every time. Password checks should be entropy checks. p455w0rd! is not better than 'Humbled By 1950 Jaded Pelicans' And frankly not easier to type. mis-spel the word for even more simple fun. 'Flexable Furnature 500 Dollers'.

    NOBODY is breaking modest passwords with brute force unless it's a weak hash. It's phishing and repeated reuse across multiple sites, until you get bitten. Set up on kewlstuff.com use the same password as the bank their hashes are stolen, and were md5. "Let's try this one . . ." That is assuming you crack the actual password, and not just an alternate hash match.

    Password cracking is not TV easy. But as Kevin Mitnick will attest, people are often even easier.

  34. Blackjack Silver badge

    Facial recognition is hilariously bad and even if it wasn't, it really is quite unsafe as a 3D print if your face works quite well.

    Also a real "old hat" is insisting the use of SMS as part of authentication despite the fact SMS is completely unsafe.

  35. Grunchy Bronze badge

    Locked Out of Twitter

    Because of an ill-advised comment uttered approximately at the same time as a certain "Dunnild Tramp" got his own ass banned, the Twitter organization has invited me to delete said comment and thus regain access to their fine web property. But in order to do that they want to make sure I provide to them my cell phone number. But I aint got none.

    So I'm like, "bother!"

    Anyway who cares.

    (Hack away at my Twit account - I dares ya)

  36. Not Entered

    Another method

    I went about it a different way.

    Register a domain (yourname.co.uk)

    This way you can redirect any emails to your domain and easily track spam.

    Example you can now have tesco@yourname.co.uk, asda@yourname.co.uk, theregister@yourname.co.uk etc.

    and, each email address you register with the web site can have a unique password, Tesco could be P@ssw0rdt3s, Asda could be P@ssw0rd4sd, etc.

    Also, I'd rather use something like Keepass than a browser password plugin. More secure.

  37. Big_Boomer

    I have 2 tiers of passwords. Tier 1 are all unique and are for sites/services that matter to me. Tier2 sites/services are for sites/services that require an account, but that actually don't matter to me if they are compromised. For those I use a small list of reused passwords. I use a good password manager and so far have managed to avoid them getting compromised. However, there are no guarantees, so plan accordingly and make sure that you can recover that which matters to you.

    The biggest problem with Biometrics is that you cannot change them once compromised, so they are inherently useless for Tier1 but are convenient for Tier2 (eg. fingerprint to unlock my phone). If my bank decides that they need my Biometrics, then I'm moving bank. I already don't like that my passport stores biometric data but I do understand why and hope/assume that the data is well secured.

  38. Anonymous Coward
    Anonymous Coward

    Bad idea

    What3words uses 40 000 words in case you pick location in sea, otherwise only 25 000

    https://en.wikipedia.org/wiki/What3words

    Now count with me...

    - It is 40 000 * 40 000 * 40 000 = 64 000 000 000 000 = 64 000 G of combinations

    - It is similar like 52 power to 8 = 53 459 728 531 456. Anybody consider 8 character lower and upper case password secure?

    - 2080 Ti has NTLM hash rate about 73602.4 MH/s ~ 73 GH/s (MD5 even faster) https://gist.github.com/binary1985/c8153c8ec44595fdabbf03157562763e

    - So 64 000 / 73 ~ 877 / 60 = 14,6 minutes

    - Well played... what3words gives you at best 15 minutes of life... you will drown in your sea location

    I agree that memorable(words) passwords are better

    - But it must be loooong, rather like sentence. 30 to 60 characters

    - Few of the words MUST NOT be in dictionary, make intentional typo or make new word.

  39. anthonyminchinton@yahoo.co.uk

    Hair facial recognition

    After the lockdown people are returning to work and finding their extra facial hair, grown during the furlough period, is borking their facial recognition on company devices. Either go home and have a shave or join the queue asking IT to reset your company device (you are 993 in the queue).

  40. Kevin McMurtrie Silver badge

    !@#$!#$

    Phrases are great until a security advisor with little imagination says you need 3 letters of each case, two numbers, at least 2 punctuation marks, no spaces, and no quotes, and no angle braces. Now you're at the login prompt wondering if your password was "DumbA55L0g!n!" or "Dumb4SS1Ogin!!!" or... Should have written it on a PostIt note.

    1. Terry 6 Silver badge

      Re: !@#$!#$

      ShouldhavewrittenitonaPostItNote!

      What a brilliant password. Wish I'd thought of it first :-(

  41. Anonymous Coward
    Anonymous Coward

    stupid password rules

    Virgin cables online system only allows 8-12 chars and they can only be alpha or numeric. Whilst there are stupid rules like this there is little hope.

    1. Andy A Bronze badge

      Re: stupid password rules

      My mum changed energy suppliers and I was dismayed to find that the fresh one - only recently set up - demanded passwords 8-12 characters long consisting ONLY of letters and digits.

      And it announced that letters were NOT case sensitive.

      Mind you, not many black hats will want to pay her gas bill.

  42. Ian 55

    W3W

    Give it my address and it says my location is something like

    stupid.cockwomble.pedant

    I type that in to its location finder, and it points to somewhere at the other end of the street...

  43. Richard Gray 1
    Pint

    I suggested that in 2017

    https://forums.theregister.com/forum/all/2017/09/20/researchers_train_ai_bots_to_crack_passwords/#c_3294311

    The beer is what you owe me :)

  44. MJI Silver badge

    Harvey Street Stockport?

    What is special about it?

    I used Streetmap and SJ 89773 90375

  45. Anonymous Coward
    Anonymous Coward

    Having worked in IT for a while...

    I have been seeing "experts" saying that passwords are on the way out. They are still here.

    Certainly users are more aware of passwords. Unfortunately, there is still a number that will not.

    I use 2FA in several places and so do all our VPN users but when someone mentioned that it could be used with Office365 hostility arose!

  46. MJI Silver badge

    Need a password in a hurry?

    Got something electronic and not cheap handy, look at the information panel at all the potential passwords.

    Model number, serial number, lots of them.

    Your car chassis number?

    Lot of nice random strings.

    I even have a password for accounts I am recovering to delete. Vendor specific stuff you really want to lose. This is just swearing in a string.

    1. Andy A Bronze badge

      Re: Need a password in a hurry?

      -- Your car chassis number?

      Not even the DVLA get that right. I had a lengthy postal conversation trying to convince them that the number as recorded at the MOT station was correct. In the days when humans looked at paper (or electronic) records, the spacing didn't matter.

  47. Brewster's Angle Grinder Silver badge

    The entropy-predictability conundrum

    The most perfectly random string in the universe is useless as a password if it has already been used as a password, leaked (unhashed) and added to password db. There's a reason OTPs are one time.

  48. PizzaMac

    Three random words:

    - probably too constrained a space and some argue easy to dictionary attack as a hash.

    - doesn't hit the complexity password rules without character substitution.

    So add 'magic word' from a key phrase (My mate Boris -> Mm6)

    Always prefix or suffix your three words with your magic word and punctuation : you subvert the attack space away from a straight dictionary space and meet the complexity requirements.

    PLUS using regular words makes typing easier than 16 truly random characters and punctuation marks.

    PLUS if you have sufficient trust in your magic word you can write down the _other_ words in an ordinary notebook (or app).

    So:

    Mm6=antimony+arsenic+aluminum

    Mm6=taken+three+bottles

    This is my 'granny' solution. It doesn't need a password app, and Granny can understand it. (YGMV - Your Granny May Vary).

  49. Anonymous Coward
    Anonymous Coward

    I do use the names of my pets

    .. only I don't have any, on account of even managing to kill dried flowers if I put my mind to it.

    And no, I don't consider computers pets.

    Anyway, I like the location idea. Not to speak any less of the XKCD approach which I have used many times in companies that needed a bit of gentle help, but the location idea attaches something physical to it. Nice.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022