Password1? You're so random. By which we mean not random at all - UK.gov

The UK government has renewed its efforts to persuade consumers to pick stronger passwords. The #ThinkRandom campaign is encouraging consumers to use three random words to create strong, separate passwords for their email, social media and online banking accounts. The effort follows a growing number of password dumps and …

  1. Anonymous Coward
    Joke

    Okay... let me be the first to post this :

    Password Strength...

    1. A K Stiles
      Flame

      Re: Okay... let me be the first to post this :

      ... and let's see if you get assailed by the critical masses as I did for posting the same link in an article a couple of years ago!

      The main issue I face with the CorrectHorseBatteryStaple approach is that most of the things I have passwords for insist on mixing upper and lower case letters with numbers and possibly symbols, but maybe not, and minimum and maximum lengths... so never mind reusing a password across different sites, I can't even reuse my password construction rules across sites!

      1. Anonymous Coward
        Anonymous Coward

        Re: Okay... let me be the first to post this :

        Also, many sites have a maximum password length. Three words plus numbers and special characters can easily be too long.

        I used to set my password manager to autogenerate 25 characters by default, but now have set it at 12...
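As an added illustration of the two complaints above (composition rules and maximum lengths versus three random words), not code from the article or any commenter: the entropy figures assume uniformly random choices, and the policy is a constructed but typical one.

```python
import math
import re

# Bits of entropy for a secret chosen uniformly from `choices` possibilities.
def bits(choices: float) -> float:
    return math.log2(choices)

# Three words drawn independently from a list of `list_size` words, the
# #ThinkRandom advice; 7776 is the size of a standard diceware list.
def passphrase_bits(word_count: int = 3, list_size: int = 7776) -> float:
    return word_count * bits(list_size)

# A password of `length` characters drawn uniformly from `alphabet_size`
# symbols (62 = upper + lower + digits).
def random_string_bits(length: int, alphabet_size: int = 62) -> float:
    return length * bits(alphabet_size)

# A constructed composition policy of the kind the posts above describe:
# 8-12 characters with an upper-case letter, a digit and a symbol.
def policy_violations(pw: str, min_len: int = 8, max_len: int = 12,
                      need_upper: bool = True, need_digit: bool = True,
                      need_symbol: bool = True) -> list:
    problems = []
    if len(pw) < min_len:
        problems.append("too short")
    if len(pw) > max_len:
        problems.append("too long")
    if need_upper and not re.search(r"[A-Z]", pw):
        problems.append("no upper case")
    if need_digit and not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if need_symbol and not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    return problems
```

A random three-word passphrase (about 38.8 bits from a 7776-word list) fails every rule of the sample policy, while "Password1" fails only the symbol rule despite being a guessable pattern: the policy measures shape, not randomness.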

      2. SkippyBing

        Re: Okay... let me be the first to post this :

Handily one of the applications I use at work has to be accessed via Citrix and for some reason the password changed every 6 weeks or so. Apparently there is a password construction policy for this as I keep getting told my chosen password doesn't fit the organisation's password policy, unfortunately it won't tell me what this is, and the passwords they send out for a reset don't follow it!!

      3. Robert Carnegie Silver badge

        My formula

        Abcdef78

        Random letters from words from a book (any book) with case as shown but excluding repeats, random digits usually from minutes units and seconds units on digital watch.

        So far it works just about everywhere - though now I've told you what it is I'll need to set another one :-) (and "Abcdef" was so easy to remember!)

        If they want bloody punctuation then add on "!" at the end. Or an internal quote mark and a SQL Injection and serve them right. "passwd carnegie Bum\"shutdown -rightnow -nosave -allow-reboot=never" :-)

    2. Blitheringeejit
      Boffin

      Re: Okay... let me be the first to post this :

      Thankyouthankyouthankyou - I've now set all my passwords to "correcthorsebatterystaple" and will sleep soundly in my bed tonight.

      1. Spudley

        Re: Okay... let me be the first to post this :

        I wonder how many people have actually used "correcthorsebatterystaple" as a password for something?

        I'm sure there are plenty of cases where people have used it for the irony factor on something they don't consider important, but I want to know how many people have actually used it, thinking it was a good password? I bet there's quite a few.

  2. The_Idiot

    "Barely a day goes by without a major security breach coming to light..."

    ... and the business that is breached not suffering any business penalty worth mentioning.

    No. The bit above _wasn't_ part of his quote. Which doesn't stop it being true.

Is it possible, therefore, that those who count beans decide the cost of effective, regularly reviewed and improved security isn't worth a single one of the magic beans they so avidly count?

    Could be. Just possibly.

    "However, what we really need is a fundamental rethink of the basic security protocols,"

    That's one approach. But it will take time and cost magic beans. And even if it happens, it's not a one-time thing - it needs to be done, frequently reviewed and assessed in line with new threats, done again and repeated forever.

Which, in this Idiot's view, ain't gonna happen while _not_ doing it doesn't impact the beans. HARD. And NOW.

Yes. I know. I'm shouting. Mostly because I don't think anyone not reading these pages is listening... sigh.

    1. Mark 85

      Re: "Barely a day goes by without a major security breach coming to light..."

      We're listening but then, we're also pushing for the same thing... The problem is the beancounters and their ilk aren't listening. Too many beans to count, I suppose.

  3. JimmyPage Silver badge
    Facepalm

    or, they could really encourage 2FA everywhere

    much more effective.

    1. Wensleydale Cheese

      Re: or, they could really encourage 2FA everywhere

      But what sort of 2FA?

      Quite a few of us don't get a reliable phone signal at home, or even at work.

      With phone software nasties that can intercept SMS, aren't we simply moving the goalposts?

      1. Ole Juul

        Re: or, they could really encourage 2FA everywhere

And lots of people don't even have a cellphone, let alone get a signal. Seriously, if a site or service cannot come up with something that works for everybody without having to purchase additional equipment and services they should be questioning their ability to develop security solutions for themselves.

    2. This post has been deleted by its author

  4. Primus Secundus Tertius

    Reversed!

    A certain UK government website told me that passwords containing 'password' were forbidden. But it accepted 'drowssap'.

    1. DNTP

Re: drowssap

      That sounds like a spell component from a D&D manual.

      I'm going to start generating passwords that way. Spell component as the password, name of the spell written down in the 'password hints' binder.

      1. Notas Badoff

Re: Re: drowssap

        Ah yes, your codebook can be in plain sight on your shelves and no one would be the wiser! :)

        Me, I'm going to switch to a password set suggested by something funny a friend said to me a couple decades ago, him from a different discipline to mine and using a language I don't know (he had to explain _why_ it was funny). Now how is a profiler going to guess that from perusing *my* emails?!

      2. Jelder

Re: Re: drowssap

        Upvote for the nerdiest password generation system I've ever heard of.

    2. Anonymous Coward
      Anonymous Coward

      Re: Reversed!

      Our clinical software stores its application login passwords (hashed, but not salted) in a table in the SQL DB called "drowssap".

      Amusingly, the vendor recommends we give read+write permission to Authenticated Users because "authentication is handled inside the application".

      I dread the day someone realises you can siphon off the entire table using Excel.

      Anon, but I dare say the vendor will know who I am if they read this.

  5. I_am_Chris

    Password managers FFS!

    That is all

    1. Brenda McViking

      Re: Password managers FFS!

Password managers introduce a single point of failure, there is a serious trust relationship which is highly questionable for any password manager, and that's before you consider using a cloud-based one. Then there are issues with multiple devices, lack of internet connectivity, or lack of ownership of devices you may be accessing secure accounts on.

      They might work for you, but they are not a silver bullet.

      1. I_am_Chris

        Re: Password managers FFS!

        Given that currently the single point of failure is the user, anything that avoids them either using weak passwords or reusing the same password, is a big win. Password managers make it trivially easy.

With the better password managers allowing you to keep your file on Dropbox, iCloud, etc any miscreant has to crack one round of 2FA plus the database file's encryption.

        No silver bullet, maybe, but certainly silver plated IMO.

      2. I_am_Chris

        Re: Password managers FFS!

        Forgot to add.

Lack of internet is a red herring. Proper password managers keep your passwords file locally - no internet required. You just need to sync it automatically when you do have internet.

        If you want access to secure sites on hardware that you don't own or trust, then more fool you.

  6. Criminny Rickets

    I use a formula I came up with for generating my passwords, so it is a real pain when I find a website that insists my password has to be up to 8 characters, all lower case letters. (Yes, I still find ones like this).

Another thing I find annoying are sites that insist you change your password every so many months. Why?? I created a unique password just for this site and now I have to change it even though my account has never been breached? Talk about an insecure website. When people have been using a password for a while, it is memorized. When you force them to now use a new password, what is the best way for most people to remember it? In my experience, I found a lot of people tend to write it on a sticky note and keep it near their computer. Personally, I use an encrypted password manager, but not everyone is as computer savvy.

  7. Tikimon
    Devil

    Foreign language to the rescue

    I seed foreign profanity into my passwords. What dictionary attack is going to check multi-language cursing?

    Agreed, DAMN the sites that have maximum-minimum or other requirements. They won't make a stupid user create a good password, and they screw up those of us with a good system.

    Eta pizdets, faszfej!

  8. DavCrav

    "In a UK government pitch designed to persuade the public to adopt better password security,"

    Might be better directed towards companies, since they are the ones responsible for the mega-dumps?

    "consumers are advised against using words related to their personal lives that may be easy to guess or share."

    I think if you have blue eyes, are 25 and live in Kent then 2kentEYEblue5!! is going to be pretty tough to break. Even Iliveinkentandhaveblueeyesandam25yearsold is pretty good.

  9. Anonymous Coward
    Anonymous Coward

    What about forehead recognition in keyboards?

    You smash you head into said keyboard to log into the service. I see no problem with this approach.

    1. piscator
      Coffee/keyboard

      re: forehead recognition

      comment of the week :)

  10. dalethorn

    Today many sites force an active password to include a mixture of case and special characters. That's not random. Read up on the fatal weakness of the Enigma machine - the non-random requirement that the machine cannot generate the character typed. And yes, despite much opposition that I've received, it's the same issue.

    1. Robert Carnegie Silver badge

      Edward Nygma

I'm no expert on this but would it be necessarily "fatal" to a code if a fiendish algorithm swapped each letter for any letter in the same half of the alphabet, A-M or N-Z, including the same letter, and then performed ROT13 on the output?

      Now - Nazis were not without boneheaded giving and obeying of orders, so, "Make sure the output letter is always different from the input" sounds like a stupid management instruction that has to be obeyed, which is familiar to many.

      My site password formulas include not repeating any letter because some services or web sites do forbid that, but it makes the password so much less random if e.g. you know that a 26 character password must use each letter only once.

      For a password to give away for encrypted data, I generate several sets of 5 uppercase letters, used with space after each 5. This is intended to be passed in writing or spoken, instead of being e-mailed.

  11. Anonymous Coward
    Anonymous Coward

    'Social media' as the same level of importance as banking??

    If you get into my Facebook account, you can't steal my money. If you get in my online bank account, on the other hand...

    Email is sort of in between - often control of it will allow an online password reset though hopefully your bank would require more than that.

    If they make stupid statements like this, they aren't contributing to a solution. Just muddying the waters even more.

    1. Brangdon

      Re: 'Social media' as the same level of importance as banking??

      If they have your Facebook account, they can pretend to be you and ask your friends and relatives for money. With a bit of social engineering some people will fall for this. For example, if they pick a date when you are on holiday and say there's been a disaster, you've lost your phone and wallet, and you need money to get home ASAP.

    2. petef

      Re: 'Social media' as the same level of importance as banking??

      Many sites allow you to log in using credentials from Facebook, Google, Twitter, etc.

  12. Anonymous Coward
    Anonymous Coward

    Yep, That's the password

    Visited one of our hospitals and the local admin password on every PC and server was password1.

    I think the "1" was so no one could guess what the password was.

    They're all about convenience.

    1. Anonymous Coward
      Anonymous Coward

      Re: Yep, That's the password

      We had something similar, well something better than password1 - but was easy to remember.

      Then the manager's son decided it was insecure, and changed it to a randomly generated password that changed every month via group policy - which didn't always update correctly. So us poor mortals in support ended up having to do the cardinal sin of writing them down, just so we log in!

  13. J.G.Harston Silver badge

More and more online sites demand tighter and tighter password rules - for utterly ridiculous things, a job vacancy website for f***'s sake!!! - that I end up using my high-strength banking password, just to look at ***king job vacancies!!!!!!!! - which then means I have to try and work out a stronger banking password that I can remember. And then discover that my bank won't let me strengthen my password beyond what I've just given to an advert site.

    Why the FUCK!!!! should non-financial websites demand the same type of password as my banking website?

    1. veti Silver badge

      They shouldn't. Heck, if a website's only function is to show you ads, it has no business requesting any password at all.

      On the other hand, if it looks after personal data - like, f'rinstance, if it allows you to upload your CV for forwarding to selected advertisers - that's another story.

  14. Anonymous Coward
    Anonymous Coward

    Got a DBS check email in the summer

    Moving on to the next stage "If the link doesn't work, just visit blahblah.co.uk and enter this username and password"

    FFS it's a DBS check for security and they send an effin' plaintext email with credentials to login and confirm my identity!!!!

    And yes, it's for real, documents submitted and approved etc. It all came out ok in the end, but a fecking plaintext email? <still gobsmacked>

  15. Anonymous Coward
    Anonymous Coward

    Password1

Was this article written directly at me?

    Spooky!!!

    ;O)

  16. Mark Simon

    The Bank of Melbourne whose password policy EXCLUDES special characters and LIMITS passwords to 12 characters. When I raised my concerns, customer support replied that that should be hard enough to guess.

    They’re probably wondering why I closed my accounts. Morons.

    1. Arthur the cat Silver badge
      Facepalm

      The Bank of Melbourne whose password policy EXCLUDES special characters and LIMITS passwords to 12 characters.

      I don't know whether they still do, but the Bank of America used to insist that passwords to access (and trade) your portfolio online (average customer worth: several million dollars) must contain a mix of upper and lower case letters plus digits not more than six characters long!

      That showed them pesky hackers.

    2. Anonymous Coward
      Anonymous Coward

      "The Bank of Melbourne whose password policy EXCLUDES special characters and LIMITS passwords to 12 characters."

      That's bollocks. Try ING Direct in Oz. 4-6 numeric, I believe, FTW.

  17. Agent Tick

    Secure Passwords?

    try this one:

    ӊTҎybyѴҊhKҘȻÏҔemVUbk

  18. Arthur the cat Silver badge

    Three random words

    Expect future "most common password" lists to contain

    Oh My God

    My Mail Box

    Let me in(*)

    Bank account password

    Won't guess this!

    (*) A golden oldie.

  19. tiggity Silver badge

    Assumptions

    Lost my attention at "Your most important accounts are your email, social media and online banking accounts."

    Social media - no.

    Online banking - no.

    Email - ooh, I actually have that!

  20. Dom 3

    Stub + algorithm

    It's really not hard to create easy to remember, cryptographically hard passwords that are not duplicated across sites. First, think of a phrase.

    I will choose 'yet another flippin password for:'.

    That makes 'yaFp4:'. Yay, six characters including upper, lower, numeric, special.

    Next. What is it for? theregister.co.uk? I will choose a selection of letters in a fixed pattern; let's say, third, second, fourth, first. Makes 'ehrt'.

    Now tack on a memorable number. Yer mum's birthday. You *do* remember that every year? Well, maybe if you type it in ten times a day, you will from now on. Win-win situation.

    Result: yaFp4:ehrt120152
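The "stub + algorithm" scheme above, reproduced as an added example (not the poster's code) with a check a reviewer of such a scheme would want: how many of the characters stay identical across every site it is used on. The stub, pattern and number are taken from the post; the site part is drawn from the first DNS label, which is an assumption.

```python
STUB = "yaFp4:"           # fixed mnemonic stub from the post
PATTERN = (3, 2, 4, 1)    # 1-based letter positions taken from the site name
NUMBER = "120152"         # memorable number from the post (constructed value)

def site_part(domain: str, pattern=PATTERN) -> str:
    # Use the first label of the host name ("theregister" for
    # theregister.co.uk); a label shorter than the pattern cannot be used.
    label = domain.split(".")[0]
    if len(label) < max(pattern):
        raise ValueError(f"site name {label!r} too short for pattern {pattern}")
    return "".join(label[i - 1] for i in pattern)

def derive(domain: str, stub: str = STUB, number: str = NUMBER) -> str:
    return stub + site_part(domain) + number

def shared_fixed_chars(pw_a: str, pw_b: str) -> int:
    # Characters two derived passwords have in common, position by position:
    # the part of the scheme that one leaked password exposes for all sites.
    return sum(1 for a, b in zip(pw_a, pw_b) if a == b)

def per_site_chars(domain_a: str, domain_b: str) -> int:
    # Characters that actually differ between two sites' passwords.
    pw_a, pw_b = derive(domain_a), derive(domain_b)
    return len(pw_a) - shared_fixed_chars(pw_a, pw_b)
```

For theregister.co.uk and example.com, 12 of the 16 characters are the same, and the 4 that differ are fixed by the site name rather than chosen at random.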

  21. allthecoolshortnamesweretaken

    It's not exactly an algorithm, but I find that random drunken ramblings sampled at 3 AM in a bar is a good starting point for creating strong passwords.

    1. Nimby
      Joke

      Random lives in a House and does a lot of Publishing

      "It's not exactly an algorithm, but I find that random drunken ramblings sampled at 3 AM in a bar is a good starting point for creating strong passwords."

      For creating strong passwords ... or for creating new Australian colloquialisms to rival the likes of "flat out like a lizard drinking" and "she'll be apples".

      But to vaguely waver back towards seriousness for a moment, it's the old adage that "anything is better than nothing". Whatever system you have works, so long as you have a system, and you use it.

      Random drunken ramblings, reverse typing, random creature names from an AD&D Monstrous Manual and the page number they came from, pig latin, inverted ASCII, R3PL4C1N6 letters with digits (with or without full leetspeak), or even rousing games of Bingo and Battleship can all provide wonderfully difficult passwords to crack.

  22. Nimby
    Devil

    Random and Corwin drove to Amber

    The problems with 2FA have already been covered. (AKA besides the fact that not everyone has a smartphone, when was the last week you made it through that didn't read a headline, "phone cloned", "Android / iOS hole found", etc.?) Frankly, and with good reason, I trust my PC more than I do my phone!

    Likewise a bad idea in security is the finger print. Even if they were truly unique (which they are not) most scanners are still beaten by a gummy bear, with or without involving a printer. I'm not sure about retinal scanners, but then I don't see many of those kicking around. And even if we could go straight to DNA, I'm betting most systems that could be made to fit into something small enough to use would be flummoxed by family members. (Not to mention all those pins and needles and hazmat concerns.) So anything biometric is out. (And yet companies still do try.)

    Frankly, it's Steam that has some of the best solutions that I've seen combined. As simple as a password ... but protected by sanity checks such as location and device. Chances are pretty low that I would travel continents to log in from Estonia, at 3 in the morning, from a device that I have never used before. And if it really is me because I really went on a vacation, I just have to get my confirmation code from a second factor of my choosing. It's a much more sane solution that covers a majority of situations well, and is customizable to cover the rest.
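The location-and-device sanity check described above, as an added example of risk-based step-up authentication (constructed login data and weights; not Steam's code or real logic). A known device in a known country needs only the password; an unfamiliar context asks for the user's second factor, and a confirmed device is remembered so it is not challenged again.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Login:
    user: str
    country: str     # ISO country code from the client's IP geolocation
    device_id: str   # identifier of the browser or device token
    when: datetime

# What we remember about each user from earlier successful logins
# (constructed sample data).
KNOWN = {"alice": {"countries": {"GB"}, "devices": {"laptop-1", "phone-1"}}}

# Weight of each unfamiliar signal; the password alone is accepted only when
# the total stays below STEP_UP_THRESHOLD, so an odd hour by itself is fine.
WEIGHTS = {"new country": 2, "new device": 2, "odd hour": 1}
STEP_UP_THRESHOLD = 2

def login_at(user: str, country: str, device_id: str, hour: int) -> Login:
    # Helper to build sample events at a given UTC hour on a fixed date.
    return Login(user, country, device_id,
                 datetime(2015, 10, 22, hour, 0, tzinfo=timezone.utc))

def risk_signals(login: Login, known=KNOWN) -> list:
    seen = known.get(login.user, {"countries": set(), "devices": set()})
    signals = []
    if login.country not in seen["countries"]:
        signals.append("new country")
    if login.device_id not in seen["devices"]:
        signals.append("new device")
    if login.when.hour < 6:   # assumes the user's normal hours are in UTC
        signals.append("odd hour")
    return signals

def risk_score(login: Login, known=KNOWN) -> int:
    return sum(WEIGHTS[s] for s in risk_signals(login, known))

def requires_second_factor(login: Login, known=KNOWN) -> bool:
    return risk_score(login, known) >= STEP_UP_THRESHOLD

def remember(login: Login, known=KNOWN) -> None:
    # Call only after the second factor succeeded, so the holiday device
    # becomes a known one.
    entry = known.setdefault(login.user, {"countries": set(), "devices": set()})
    entry["countries"].add(login.country)
    entry["devices"].add(login.device_id)
```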
