# Are your passwords as "secure" as you think?



## MrKowz (Apr 28, 2011)

I came across this interesting article about how passwords are cracked, and what you can do, as a user, to make your password even tougher to crack (without making it something like Nhsd923!!pz, which you KNOW will inevitably end up on a sticky note, attached to your monitor, in plain view of everyone... thus making it insecure)

http://www.baekdal.com/tips/password-security-usability

Basically, the article states that _"...it is 10 times more secure to use "this is fun" as your password, than "J4fS<2"."_ By adding just two spaces to a password, it effectively completely destroys any realistic possibility that someone can "brute force" hack your password. Also, since it has more characters, that makes it harder to hack, and since it is easy to remember and type, it won't have to go on a sticky note!

I'd recommend taking a look at the entire article, as it has some really good information!


----------



## JamesW (Apr 28, 2011)

What if sites/programs don't allow spaces (I know of about 10 that I use that don't allow spaces)?

Interesting read though.

I've always felt that you should be able to enter anything you want as a password rather than being forced to have a minimum of 20 characters with at least 2 capitals, 3 numbers, 10 punctuation marks and the batman symbol.  It's your own fault if your password is "password".


----------



## gsistek (Apr 29, 2011)

JamesW said:


> I've always felt that you should be able to enter anything you want as a password rather than being forced to have a minimum of 20 characters with at least 2 capitals, 3 numbers, 10 punctuation marks and the batman symbol.


I completely agree. I understand that companies use that method to force people to use more secure passwords, but wouldn't having those restrictions (especially the companies that have almost 10 restrictions) give narrower parameters to hackers? They know that the password is x to y characters long and has z numeric values and each character can only be repeated once etc etc. Doesn't that actually make things easier for a hacker?


----------



## Norie (Apr 29, 2011)

I don't quite see how adding spaces in particular would break any 'brute force' method.

If it's something to do with the length of the password perhaps it would slow things down, but so would any character.


----------



## xenou (Apr 30, 2011)

T'would be even stronger with a punctuation mark and some caps:

This Is Fun!

If there's (I'm guessing) 100,000 common words in the English language then three words is 100,000 ^ 3 = 999,999 trillion possible three word combinations.

I don't see why you wouldn't smash it into a single word and use some substitution and casing:

th1sizFUN_!


Funny but I've never used a space in a password so this suggestion is interesting.  I'm not sure that spaces are allowed though all the time as part of a password (but again, I think it makes no difference to the strength of the password - I agree with Norie's point - just the three word combination already makes it stronger against dictionary attacks and brute force tries)


----------



## Norie (Apr 30, 2011)

Does it really matter that much these days the strength of the password when there's stuff happening like the PS3 fiasco?


----------



## sous2817 (Apr 30, 2011)

Norie said:


> Does it really matter that much these days the strength of the password when there's stuff happening like the PS3 fiasco?



The author addresses this in his article (or his response...forgot which).  But basically he blasts the system designers for requiring users to have complex passwords, but then skimp on their own protections.  No amount of user password complexity can save it from a DB that gets hacked.

Also, regarding the difference between This Is Fun! and th1sizFUN_! is the ease in remembering.  His point is, he can't remember which letter he capitalized, which he switched to a number, etc.  In terms of password strength, they're probably comparable (although I think he claims the simple password is actually stronger).

Really it seems the bulk of the "protecting the end user's password from being hacked" revolves around a relatively simple password along w/ some basic db protection and login attempt provisions (only allow X per hour, or Y number of attempts before a lockout, etc).

Either way, I thought the article linked and the author's followup were great reads.  Thanks for sharing!


----------



## shg (Apr 30, 2011)

Another way to create passwords is to use a phrase; say FabledMuchJoking; that's 16 different characters drawn from a set of 52 (or more).

Each password can then be a hex string that selects characters 1 to 16. For example, you can put in your wallet lists of passwords like 8EC4AD56, which translates to cnkeJidM, which is pretty random.


----------



## Norie (Apr 30, 2011)

I once worked in a place where one of the main IT guys had a text file saved on his desktop with all his passwords in it.

So, according to him, he only had to remember one password - his logon, and the name of the file - MyPasswords.txt.


----------



## diddi (May 1, 2011)

I do a fair bit of tech work where, for whatever reason, the customer no longer remembers or never knew a password for some particular application, e.g. a previous employee set it up and has left etc. There are very few passwords that cannot be cracked instantly no matter what characters or what length they are.

From my experience, WinRAR passwords are one of the very few PC based passwords that are very difficult to crack, requiring 'brute force' where every combination of a password is checked 1 at a time. It's very slow. A 6 character password requires about 26,500,000,000 combinations (assuming 80 usable characters from keyboard).


----------



## xenou (May 1, 2011)

> From my experience, WinRAR passwords are one of the very few PC based passwords that are very difficult to crack, requiring 'brute force' where every combination of a password is checked 1 at a time. It's very slow. A 6 character password requires about 26,500,000,000 combinations (assuming 80 usable characters from keyboard).



Apropos this thread, what about a 12 character password made up of all letters (assuming the average combination of common word has 4 letters in it and we have three of them - or 14 if you include two spaces).

I can't agree that all passwords are instantly crackable.  When you say brute forcing 26 billion combinations is slow, how slow is it?  I've really no idea - the link from the OP says 219 years (which doesn't qualify it as a strong password but is very far from being instantly cracked - I would in any case consider 8 characters the minimum for any password).


----------



## arkusM (May 2, 2011)

Norie said:


> I once worked in a place where one of the main IT guys had a text file saved on his desktop with all his passwords in it.
> 
> So, according to him, he only had to remember one password - his logon, and the name of the file - MyPasswords.txt.


 

Guilty. Bwahahahaha.
Though according to one of our IT guys there are other easy ways into our network...


----------



## schielrn (May 3, 2011)

I just stick to passwords like:

myBankPassword
myE-mailPassword
myMrExcelPassword

They are all typically at least 14 characters and capitalize each new word.  And then add a number as needed. I can't give away my lucky number though, then everyone would know my passwords.


----------



## sous2817 (May 3, 2011)

schielrn said:


> I just stick to passwords like:
> 
> myBankPassword
> myE-mailPassword
> ...



That seems like as good idea as any...maybe I should switch my password methodology...


----------



## JamesW (May 3, 2011)

Norie said:


> I don't quite see how adding spaces in particular would break any 'brute force' method.
> 
> If it's something to do with the length of the password perhaps it would slow things down, but so would any character.



I'm guessing because a password that has no spaces means you are checking for 26 characters (let's say the alphabet is all that is here) + another 26 for all those capitalised.

Adding a space means you are searching for 1 more character anywhere in the password - I'm rubbish at maths but I know it's a lot harder to crack with a space (1 extra character that people don't use much).


----------



## schielrn (May 3, 2011)

The thing that puzzles me, is some major US Banks still do not care about case-sensitive passwords, because I can type my password in any case I want.

And a different bank I was with set up my initial username as my social security number and never forced me to change it?

These are just an example of 2 different bank accounts I have had, but it goes back to should the bank (company) require such stringent passwords or leave it up to the user to make it as secure as you want it to be.


----------



## MrKowz (May 3, 2011)

schielrn said:


> The thing that puzzles me, is some major US Banks still do not care about case-sensitive passwords, because I can type my password in any case I want.
> 
> And a different bank I was with set up my initial username as my social security number and never forced me to change it?
> 
> These are just an example of 2 different bank accounts I have had, but it goes back to should the bank (company) require such stringent passwords or leave it up to the user to make it as secure as you want it to be.


 
I think it is up to both.  The institution should force their clients/users to have a certain level of security to protect their own good.  It is akin to laws; laws are there for our protection because there can be dire consequences if they aren't followed (in this case, identity theft).  Also, forcing a certain level of security protects the user who truly doesn't understand network security.  Take your average senior citizen who is just getting into online banking: they usually don't understand what identity theft is, why it is dangerous to have a "weak" password, etc.  Without forcing them to have a decently strong password, their password usually is something like "pass", "123456", or even their name!

I am a fan of security that forces a password of at least 6 characters in length, allows letters and numbers, is case sensitive, and requires at least one capital letter. Without forcing the capital letter, most users would use just lowercase (which hackers can target first with the brute-force method). By forcing an uppercase, that at least forces the hackers to check the first character 26 more times, since most users will only capitalize the first letter.

What I like to do with passwords is incorporate "leet-speak", which is the coined name for substituting numbers for letters. For example:

- 1 = L
- 3 = E
- 4 = A
- 5 = S
- 6 = G
- 7 = T
- 8 = B
- 9 = Y
- 0 = O

By using this, a simple word like "Guinness" (our favorite brew), can easily be made into 6uiNN355, or 6UinN355, etc...


----------



## xenou (May 3, 2011)

Another strategy for creating a strong password is to use the first letter of a favorite phrase:

"But I have that within which passeth show;
These but the trappings and the suits of woe."

_bihtwwpstbttatsow_

If a number and a special character are required (as more often are now):

_b!htwwpstbttats0w_

Something like this is a good candidate for a master password as it can be very long but also easy to recall (I use one such that is 30 characters long).  There are some good password managers that would work well this way - you remember your master password and it handles creating and managing any number of very strong passwords for you.


----------



## MrKowz (May 3, 2011)

I like that, xenou!

"Four score and seven years ago, our fathers brought forth on this continent a new nation, conceived in liberty and dedicated to the proposition that all men are created equal"

fsasyaofbfotcannciladttptamace

or

4sa7yaofbfotcannciladttptamac=

As far as password managers... I never trust a program to manage my passwords for me, as all that takes is a single hack (or datamining or keylogging) to get ALL of my passwords.


----------



## Joe4 (May 3, 2011)

> I just stick to passwords like:
> 
> myBankPassword
> myE-mailPassword
> ...


I use something similar to this (though a formula). Using the same password for multiple things can be dangerous (especially with financial institutions), as if they crack one, they can get into your other accounts.

The nice thing about this method is you have a different password for every program (but only have to remember one formula). So if someone is lucky enough to hack one password, they can't break into anything else with that.


----------



## Norie (May 3, 2011)

JamesW

That applies for any character, perhaps I misunderstood but it seemed the linked article was saying that adding a space in particular made a difference.


----------



## Andrew Fergus (May 3, 2011)

I agree with Norie on this. Merely adding a space to the list of available characters does little for password security. The number of password combinations to test using brute force is n^x where n is the number of characters being tested and x is the number of characters in the character set. An 8 character password (using numbers and letters in both cases) has 8^62 combinations, adding a space increases this to 8^63. If my maths serves me correctly there are 8 times as many combinations that require brute force testing by the inclusion of a space in this example (in other words the combinations are increased by a factor of n where n is the number of characters).

However, this theoretical maximum ignores the fact that very few people (if any) would have a password that consisted of all "z"s - so the brute force method never needs to test all n^x combinations. Assuming an equal distribution of first position characters throughout the alphabet, the brute force method would on average only need to test half of all possible combinations. Furthermore, the time taken to brute force the password could be further reduced by splitting the task across multiple threads and/or processors and/or computers. Each processor would only ever test 1/xth of the total combinations (again on average half of the theoretical maximum assuming an even distribution of 2nd position characters across the alphabet) - this could be further reduced by using a network of computers i.e. continually breaking the task down into smaller chunks.

So keep in mind the time taken to brute force something is a theoretical constraint. In addition, as other posters have mentioned, the weakness does not usually reside with the password itself.

Andrew

P.S. Plus I reckon most systems will trim a password such that trailing and leading spaces will be ignored. This would reduce the number of combinations to test by (n-1)^63 for leading spaces and the same again for a final trailing space and even less again for multiple trailing spaces.


----------



## Andrew Fergus (May 3, 2011)

Whoops. MAJOR FAIL on my part. I got my x's and n's the wrong way round. Sorry for any confusion!

RESTATED:

The number of password combinations to test using brute force is x^n where n is the number of characters being tested and x is the number of characters in the character set. An 8 character password (using numbers and letters in both cases) has 62^8 combinations, adding a space increases this to 63^8. There are 14% more combinations that require brute force testing by the inclusion of a space in this example.

The reduction for leading and trailing spaces would be 2 x (63^7).

The reason for the increased brute force times is a function of the number of characters in the password, not the inclusion of spaces (which is a consequence of the proposed password method).

Andrew
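To put numbers on Andrew's restated formula (x^n) and on xenou's three-word estimate earlier in the thread, here is an added Python example; it is not code from the linked article or from any poster. Two of its inputs are assumptions: 95 symbols for a printable-ASCII password of the J4fS<2 kind, and a guess rate of 100 per second (the online-login figure MrKowz attributes to the article later in the thread).

```python
"""Keyspace arithmetic for the brute-force figures in this thread.

Added example; not code from the linked article or from any poster.
Constructed assumptions: 95 symbols for a printable-ASCII password such as
J4fS<2, and a guess rate of 100 per second (the online-login figure MrKowz
attributes to the article later in the thread).
"""
from math import log2

ALNUM = 26 + 26 + 10        # a-z, A-Z, 0-9: the 62-symbol set in Andrew's post
ALNUM_SPACE = ALNUM + 1     # the same set once a space is permitted
PRINTABLE_ASCII = 95        # assumption: space plus the 94 visible ASCII characters
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Candidate passwords of exactly `length` symbols from `charset_size` (x^n)."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """The same search space expressed in bits: log2(x^n) = n * log2(x)."""
    return length * log2(charset_size)


def percent_increase(old: int, new: int) -> float:
    return (new - old) / old * 100.0


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: every candidate tried at a fixed rate (halve it for the average case)."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare_space_versus_length() -> dict:
    """Allowing one extra symbol (63^8) versus allowing one extra position (62^9)."""
    base = keyspace(ALNUM, 8)
    return {
        "62^8": base,
        "63^8": keyspace(ALNUM_SPACE, 8),
        "space_adds_percent": percent_increase(base, keyspace(ALNUM_SPACE, 8)),
        "62^9": keyspace(ALNUM, 9),
        "extra_char_adds_percent": percent_increase(base, keyspace(ALNUM, 9)),
    }


if __name__ == "__main__":
    r = compare_space_versus_length()
    print(f"62^8 = {r['62^8']:,}")
    print(f"63^8 = {r['63^8']:,}  (+{r['space_adds_percent']:.1f}% for allowing a space)")
    print(f"62^9 = {r['62^9']:,}  (+{r['extra_char_adds_percent']:.0f}% for one more position)")
    # xenou's estimate: three words drawn from a 100,000-word vocabulary
    print(f"3 x 100,000 words: {keyspace(100_000, 3):,} ({entropy_bits(100_000, 3):.1f} bits)")
    for label, space in [("62^8", keyspace(ALNUM, 8)), ("95^6", keyspace(PRINTABLE_ASCII, 6))]:
        print(f"{label} at 100 guesses/s: {years_to_exhaust(space, 100):,.0f} years worst case")
```

Run as a script it prints the comparison; Andrew's point is the pair of percentages: admitting one more symbol to the alphabet adds about 14% to the space, while one more position multiplies it by the alphabet size. The bit count is the convenient way to compare spaces of different shapes (words versus characters) on one scale.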


----------



## Norie (May 3, 2011)

I've got a fail-safe method of creating passwords - just pick random objects in your line of sight, add the first thought that comes into your mind and think up a number.

Combine all that in a random order and bingo!!!

The perfect password you can't even break yourself.

Or remember.


----------



## Andrew Fergus (May 3, 2011)

Haha! Very true. I've done that before.......funnily enough an admin at one of my former clients used the acronym method which I never forgot but it also told me:
- a) his wife's name;
- b) their new electrical appliance, and
- c) that his grammar wasn't the best!

Most importantly I never forgot it so that was a good thing for when he was away, except I was a contractor and not officially part of the organisation.....

The forced capitalisation is actually an issue I face with an online server. I always forget that I am required to use an uppercase letter so they constantly have to reset my password - there's increased security for you! New password notification via e-mail is about as secure as a postcard....


----------



## Domski (May 4, 2011)

Norie said:


> I've got a fail-safe method of creating passwords - just pick random objects in your line of sight, add the first thought that comes into your mind and think up a number.
> 
> Combine all that in a random order and bingo!!!.
> 
> ...



That sounds like my method. The number of times I sit staring blankly at my logon screen on a Monday morning looking for inspiration as to what password I'd chosen on Friday is unreal.

Dom


----------



## litrelord (May 4, 2011)

Andrew Fergus said:


> Furthermore, the time taken to brute force the password could be further reduced by splitting the task across multiple threads and/or processors and/or computers. Each processor would only ever test 1/xth of the total combinations (again on average half of the theoretical maximum assuming an even distribution of 2nd position characters across the alphabet) - this could be further reduced by using a network of computers i.e. continually breaking the task down into smaller chunks.



Which is even more possible since the advent of cloud computing which creates a very affordable 'super-computer' for this type of number crunching.

I consider a password of 10 characters with mixed upper, lower, numbers and symbols as secure enough. If someone was cracking a database of password hashes I believe they'd come up with enough others before they broke mine. If anyone cares enough to put the effort into breaking it they'll get there regardless of length and entropy.

Nick


----------



## Ten98 (May 4, 2011)

xenou said:


> Apropos this thread, what about a 12 character password made up of all letters (assuming the average combination of common word has 4 letters in it and we have three of them - or 14 if you include two spaces).
> 
> I can't agree that all passwords are instantly crackable.  When you say brute forcing 26 billion combinations is slow, how slow is it?  I've really no idea - the link from the OP says 219 years (which doesn't qualify it as a strong password but is very far from being instantly cracked - I would in any case consider 8 characters the minimum for any password).



That's 219 years based on today's computing power.

In 10 years time when you have an optical processor capable of trillions of operations per second, you will scoff at the ease at which you can brute force a 64 bit or 128 bit password.

In any case, passwords are only as secure as the person that knows them, and actually forcing them to be more complex by requiring a mixture of upper / lower case and a number, and forcing the user to change them every so often has the opposite effect than is intended.

My boss cannot remember his password month to month, so he writes his password on a post-it note which is stuck to the bottom of his keyboard. Secure!

Whereas everyone knows their 4-digit bank card PIN number off by heart, so it's more secure since there's no need to ever write it down. The systems that accept PIN numbers only ever allow 3-5 attempts before locking you out, so there's no danger of them being cracked.

That wouldn't work with passworded files of course, which are at the mercy of the software that's trying to crack them... The difficulty there is how long can you make the password before it becomes impossible to remember, forcing you to write it down, which instantly makes it less secure!

I think at least 8 characters with at least 1 capital letter and at least one number is what the world has settled for. As computing power moves ever onwards, we will be able to crack such short passwords with ease, but for now it's enough!


----------



## MrKowz (May 4, 2011)

Keep in mind that no matter how fast your computer is, no matter how many threads or processors it has, you are STILL limited to both the speed of your internet connection (Kinda like driving a Bugatti Veyron in Chicago, IL downtown rush hour), and the speed at which the receiving server can process your requests. What the article states is that most servers and internet connections can handle only approx 100 requests per second.


----------



## litrelord (May 4, 2011)

MrKowz said:


> Keep in mind that no matter how fast your computer is, no matter how many threads or processors it has, you are STILL limited to both the speed of your internet connection, and the speed at which the receiving server can process your requests.  What the article states is that most servers and internet connections can handle only approx 100 requests per second.



But if you have a list of the password hashes from the server database then you only need the raw processing power. This is, I believe, the more likely form of attack since brute-forcing through a normal site login script would (should) raise too many alarms to the site admin. 

Nick


----------



## Ten98 (May 4, 2011)

Yeah, anything worth its salt won't allow more than 100 or so incorrect password attempts before locking the account that's being attempted, in which case brute force becomes irrelevant.

I was thinking more of passworded files or password hash tables.
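The attempt-limiting that sous2817 and Ten98 describe (a cap on failures per hour, and a lockout after a run of failures) is easy to get subtly wrong, so here is an added Python example of one way to implement it; it is not code from any poster or from any real product. The policy numbers are constructed (5 failures per rolling hour, lockout for 15 minutes after 3 consecutive failures), and the clock is injectable so the behaviour can be exercised without waiting.

```python
"""Failed-login limiting of the kind sous2817 and Ten98 describe: a cap on failures
per hour and a lockout after a run of consecutive failures.

Added example; not code from any poster or from any real product. The policy
numbers are constructed; the clock is injectable for testing.
"""
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AttemptPolicy:
    max_failures_per_hour: int = 5        # constructed value
    lockout_after_consecutive: int = 3    # constructed value
    lockout_seconds: int = 15 * 60        # constructed value


class LoginGuard:
    """Tracks failed attempts per account; the caller still verifies the credential."""

    def __init__(self, policy=None, clock=time.time):
        self.policy = policy or AttemptPolicy()
        self.clock = clock
        self._failures = defaultdict(deque)   # account -> failure timestamps within the last hour
        self._consecutive = defaultdict(int)  # account -> failures since the last success
        self._locked_until = {}               # account -> time at which a lockout expires

    def _prune(self, account, now):
        window = self._failures[account]
        while window and now - window[0] >= 3600:
            window.popleft()

    def status(self, account) -> str:
        """'ok', 'locked' (consecutive-failure lockout) or 'rate_limited' (hourly cap)."""
        now = self.clock()
        if self._locked_until.get(account, 0) > now:
            return "locked"
        self._prune(account, now)
        if len(self._failures[account]) >= self.policy.max_failures_per_hour:
            return "rate_limited"
        return "ok"

    def attempt(self, account, credential_valid: bool) -> str:
        """Gate one login. Returns 'ok' on success, 'denied' on a counted failure,
        or the blocking status. A correct password is refused while the account is
        blocked, so the refusal itself reveals nothing about the guess."""
        state = self.status(account)
        if state != "ok":
            return state
        now = self.clock()
        if credential_valid:
            self._consecutive[account] = 0
            return "ok"
        self._failures[account].append(now)
        self._consecutive[account] += 1
        if self._consecutive[account] >= self.policy.lockout_after_consecutive:
            self._locked_until[account] = now + self.policy.lockout_seconds
            self._consecutive[account] = 0
        return "denied"


if __name__ == "__main__":
    fake_now = [0.0]                                   # constructed clock for the demo
    guard = LoginGuard(clock=lambda: fake_now[0])
    for valid in (False, False, False, True):
        print("alice:", guard.attempt("alice", valid))  # denied, denied, denied, locked
    fake_now[0] += 15 * 60
    print("alice after lockout:", guard.attempt("alice", True))   # ok
```

Two design points worth noting: the hourly window is kept per account rather than per source address, so spreading guesses over many connections does not evade it, and the blocked states are checked before the credential is examined, so a lockout cannot be probed with correct passwords.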


----------



## litrelord (May 4, 2011)

Ten98 said:


> Yeah, anything worth its salt



Not sure whether that pun was intentional but it made me chuckle. 

Perhaps I just need to get a life...


Nick


----------



## Andrew Fergus (May 4, 2011)

Haha - you know you are a computer nerd when.........you laugh at unintended salt puns!

Anyway, I don't subscribe to the view that forcing a password to have at least 1 capital letter and 1 numerical value makes a password more secure.  From a brute force perspective this actually makes it considerably less secure.  Why?  I now know there are many many combinations that I do not need to test.  I can eliminate all combinations that have no capital letters or no numerical values.  What that value is I haven't yet calculated.

Regarding the 219 years from the article per the original post, it is only 219 years because the password in question starts with the letter 't' and the calculation assumed the testing started at 'a'.  So there is not a lot being said about the calculation methodology and the time required would be divided by about 20 for a password that started with the letter 'a' under the same conditions per the article.

Andrew


----------



## ChrisOswald (May 4, 2011)

With all due respect, I have to disagree with Andrew about the requirement of using at least one capital and one number making a password less secure, assuming that a 'significant' number of people would use NO uppercase letters or numbers in their password if they weren't required.

Assuming a password of length N:
The set of possible passwords using uppercase, lowercase and numbers has 62^N elements.

The set of all possible passwords consisting of only lowercase letters and numbers has 36^N elements.

The set of all possible passwords consisting of only lowercase and uppercase letters has 52^N elements.

The set of all possible passwords consisting of only lowercase letters has 26^N elements.

Thus, the set of allowable passwords has:
62^N - 52^N - 36^N + 26^N elements. (we add the 26^N back in as it's being double counted in the 2nd and 3rd sets)

Comparing this to the set of 26^N passwords using only lowercase letters, which I'm assuming is what this requirement is intended to do, we find out (using Goal Seek, just to keep this relevant to uses of Excel) the sets are the same size with N = 2.135755: in other words, so long as there are at least 3 characters in the password, the requirement should, more or less, strengthen "lazy" password choices. And let's face it, there are lots of lazy password choosers out there. (I'll let someone else figure out the percentage of "lazy" choosers there needs to be for this to strengthen the number of possible passwords)

In practice, I'm sure the rule mostly has users choosing passwords in the form Password1, then the next month Password2, etc. Still should make a dictionary type attack a little tougher, at least.

Oh yeah, the thing about nobody ever using a password of 'xxxxxx'? If people have actually called IT helpdesks about where the 'Any' key is on the keyboard, I'm betting that there are quite a few people that think they have to have their password be the same thing as the input mask.


----------



## Andrew Fergus (May 4, 2011)

Hi Chris

I have no issues with differing opinions. It is interesting to read others' thoughts on this.

In saying it made it less secure, my comment was in relation to the option of having other characters, not the perspective of never using them - so the part I disagree with is comparing your reduced number to 26^n.

If I am brute forcing a password I need to test all combinations - if I don't know the construction requirement I need to (potentially) test 62^n combinations. But if I know there must be at least one uppercase character and one digit, then I need to test fewer combinations (as per your post). Again, this is purely from a theoretical viewpoint of testing all combinations.

Otherwise I agree if we knew the password was entirely lower case then yes that is naturally weaker given the smaller character set. I believe not having a forced construction is theoretically stronger (given the larger data set to test), but having it forces people to use something they might not (i.e. people compromise security by not utilising the full character set available).

From memory, there were forced constraints on the Enigma machines in WW2 that resulted in fewer combinations needing to be tested (I think it was something like not repeating a wheel position from the previous day). Whilst this was stronger from a practical perspective (in stopping lazy operators putting the system at risk) it actually gave fewer combinations to brute force from a theoretical perspective (and this theory was applied by the English). Enigma would have been stronger if this constraint was never imposed, and I'm guessing the inventor never sanctioned such a constraint.

So knowing something (sometimes anything) about a system means it can be used as a crib or a filter, resulting in a lower level of security than originally thought.

There is a very interesting book on this sort of subject called "The Code Book" by Simon Singh - it is an interesting read and written in a non-technical way for us laymen.

Regards
Andrew
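The two positions in this exchange are the same count read against different baselines, which a few lines of arithmetic make plain. This is an added Python example, not code from either poster: it reproduces ChrisOswald's inclusion-exclusion count and the crossover length he found with Goal Seek (bisection stands in for Goal Seek), and states Andrew's objection as the share of the 62^N space that a brute-forcer who knows the rule can skip.

```python
"""How a 'must contain an uppercase letter and a digit' rule changes the candidate space.

Added example; not code from any poster. It reproduces ChrisOswald's
inclusion-exclusion count and the crossover length he found with Goal Seek,
and states Andrew's objection as the share of the 62^N space that the rule
lets a brute-forcer skip.
"""
FULL = 62        # a-z, A-Z, 0-9
NO_DIGIT = 52    # a-z, A-Z
NO_UPPER = 36    # a-z, 0-9
LOWER_ONLY = 26  # a-z


def compliant_count(n: int) -> int:
    """Strings of length n over the 62-symbol set with at least one uppercase letter
    and at least one digit. Inclusion-exclusion: drop the strings with no digit (52^n)
    and those with no uppercase (36^n); lowercase-only strings (26^n) were dropped
    twice, so add them back once."""
    return FULL**n - NO_DIGIT**n - NO_UPPER**n + LOWER_ONLY**n


def share_of_full_space(n: int) -> float:
    """Fraction of all 62^n strings that satisfy the rule; the remainder never
    needs testing once the rule is known (Andrew's point)."""
    return compliant_count(n) / FULL**n


def ratio_to_lowercase_only(n: int) -> float:
    """How many times larger the rule-compliant space is than 26^n (Chris's comparison)."""
    return compliant_count(n) / LOWER_ONLY**n


def crossover_length(lo: float = 1.0, hi: float = 10.0, tol: float = 1e-9) -> float:
    """Continuous n at which compliant_count(n) == 26^n, found by bisection on
    g(n) = 62^n - 52^n - 36^n (the 26^n terms cancel). A stand-in for Goal Seek."""
    g = lambda n: FULL**n - NO_DIGIT**n - NO_UPPER**n
    if not (g(lo) < 0 < g(hi)):
        raise ValueError("bracket does not contain the root")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if g(mid) < 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    print(f"crossover length: {crossover_length():.6f}")
    for n in (1, 2, 3, 6, 8, 10):
        print(f"N={n:2d}: compliant={compliant_count(n):.3e}  "
              f"share of 62^N={share_of_full_space(n):.3f}  "
              f"vs 26^N x{ratio_to_lowercase_only(n):,.0f}")
```

For N = 8 the rule leaves roughly three quarters of the 62^8 space in play (so a brute-forcer who knows the rule skips about a quarter of it, which is Andrew's loss), while that remaining space is still several hundred times the 26^8 lowercase-only space (Chris's gain). Both statements are true at once; which one matters depends on what the user would have chosen without the rule.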


----------



## xenou (May 4, 2011)

On a tangentially related point, I enjoyed this read quite a lot (on a new tack):
A Shortcut Through Time: The Path to the Quantum Computer (Amazon)

Among other entertaining passages (such as describing a computer made of tinkertoys) the thought is that a quantum computer will be able to solve algorithmic problems using indeterminate quantum states that can be On or Off or _both at once_. Or put another way -- testing all solutions simultaneously. Quite fascinating. Of course by then maybe we'll also be using quantum computers to create better security too.


----------



## MrKowz (May 4, 2011)

xenou said:


> using indeterminate quantum states that can be On or Off or _both at once_.  Or put another way -- testing all solutions simultaneously.



Schrödinger's CPU?


----------



## Domski (May 5, 2011)

Andrew Fergus said:


> Haha - you know you are a computer nerd when.........you laugh at unintended salt puns!



Happy days...I don't get the joke 

Dom


----------



## Joe4 (May 5, 2011)

> Happy days...I don't get the joke


I'm glad I am not the only one...
I guess that means despite our best efforts, we aren't computer nerds yet!


----------



## JamesW (May 5, 2011)

Joe4 said:


> I'm glad I am not the only one...
> I guess that means despite our best efforts, we aren't computer nerds yet!



I guess they mean: In cryptography, a salt comprises random bits that are used as one of the inputs to a key derivation function. The other input is usually a password or passphrase. The output of the key derivation function is stored as the encrypted version of the password. ...


----------



## litrelord (May 5, 2011)

Yeah that's the one 

So even if your password was 'password' the system would assign the salt to your password, say '541t' making your password '541tpassword'. If someone has the password hash and is trying passwords until they find one that gives the same hash as yours then this stops them using a list of known passwords or a dictionary. 

To make the system stronger you can have random salt values assigned to each user which are stored at a different location. Assuming an attacker got hold of the database containing the password hashes, unless they have the list of unique salts they'd have a hard job identifying the password as the salt has increased the password length. 

Using this type also protects against rainbow tables which are huge lists of hashes and the passwords that made them. These tables take a long time to compute in the first place but then mean discovering the password takes seconds. With a large enough salt the time needed to create and store the rainbow table becomes unmanageable.

That's about as much as I know on the subject so if any of it's inaccurate please feel free to correct. 

Nick
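The mechanism litrelord describes above, as an added Python example that is not code from any poster. litrelord's '541t' is a fixed string prepended to the password; this example instead uses a random per-user salt (os.urandom) and a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's hashlib), which is the usual modern shape. The user records and the small lookup table that stands in for a rainbow table are constructed for the demonstration.

```python
"""Salted password hashing, the mechanism behind the 'salt' discussion above.

Added example; not code from any poster. Uses a random per-user salt and
PBKDF2-HMAC-SHA256 from hashlib rather than the fixed '541t' string in the post.
The word list and user records are constructed for the demonstration.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000   # work factor: makes every guess expensive for whoever holds the hashes
SALT_BYTES = 16


def unsalted_digest(password: str) -> str:
    """What a naive store keeps: the same password always yields the same digest,
    so one precomputed table answers for every user and every site."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied;
    both values are stored alongside the account."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def precomputed_table(words) -> dict:
    """A toy stand-in for the rainbow table litrelord mentions: unsalted digest -> word,
    built once and reusable against any unsalted store."""
    return {unsalted_digest(w): w for w in words}


def same_password_distinct_digests(password: str) -> bool:
    """Two users with the same password get different salts and hence different digests."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2


if __name__ == "__main__":
    table = precomputed_table(["password", "letmein", "123456"])   # constructed word list
    # Unsalted store: one table lookup recovers the password.
    print("unsalted lookup:", table.get(unsalted_digest("password")))
    # Salted store: the digest depends on the salt, so the table has nothing to match.
    salt, digest = hash_password("password")
    print("salted lookup:", table.get(digest.hex()))
    print("verify correct:", verify_password("password", salt, digest))
    print("verify wrong:", verify_password("Password", salt, digest))
    print("two users, same password, distinct digests:", same_password_distinct_digests("password"))
```

The salt is stored next to the digest and does not need to be secret, only unique per user: its job is to force any precomputation to be redone per user rather than once for everyone. The iteration count is what makes each individual guess slow, which is the other half of the defence once the hashes have leaked.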


----------



## SuperFerret (May 5, 2011)

JamesW said:


> I guess they mean: In cryptography, a salt comprises random bits that are used as one of the inputs to a key derivation function. The other input is usually a password or passphrase. The output of the key derivation function is stored as the encrypted version of the password. ...


 
_Whooosh!_ and there goes that completely over my head 

I'll just sit here and smile like I understand


----------



## Domski (May 5, 2011)

Too much!!!

I'm now sitting with my fingers in my ears shouting "Lah Lah Lah Lah Lah" and hoping Sponge Bob Squarepants is on when I get home so I can revert back to my usual mental capacity.

Dom


----------



## litrelord (May 5, 2011)

Domski said:


> Too much!!!
> 
> I'm now sitting with my fingers in my ears shouting "Lah Lah Lah Lah Lah" and hoping Sponge Bob Squarepants is on when I get home so I can revert back to my usual mental capacity.
> 
> Dom



Squidward has given SpongeBob a secret word that will get him a free Krabby Patty burger.

To make sure no-one else can use this to get a free burger he gives a second secret word to Patrick.

He’ll give SpongeBob his burger when both secret words are used at the same time.

Patrick’s secret word is ‘salt’.



How's that?

Nick


----------



## Domski (May 5, 2011)

Everyone worth their salt should know that Patrick has a secret box, not a word. You people are so thick sometimes 

Dom


----------



## MrKowz (May 5, 2011)

litrelord said:


> Squidward has given SpongeBob a secret word that will get him a free Krabby Patty burger.
> 
> To make sure no-one else can use this to get a free burger he gives a second secret word to Patrick.
> 
> ...


----------



## Andrew Fergus (May 5, 2011)

Except Patrick forgot the word he was supposed to remember......


----------



## arkusM (May 10, 2011)

and knowing that he would forget, wrote it on the bottom of the box....


----------



## RoryA (May 11, 2011)

but then ate the box.


----------



## Gerald Higgins (May 11, 2011)

Now I'm really confused.
Next time I go to the fish and chip shop and they ask me if I want salt and sauce on my fish supper (or salt and vinegar if I'm below the border), what should I say ?


----------



## litrelord (May 11, 2011)

Gerald Higgins said:


> Now I'm really confused.
> Next time I go to the fish and chip shop and they ask me if I want salt and sauce on my fish supper (or salt and vinegar if I'm below the border), what should I say ?



That's a prime example, they're waiting to see whether you say 'yes' or 'aye'. An answer of aye and you get haddock, yes for cod. Of course if your accent's broad enough it'll be a mars bar instead so you have to be careful.

Hope that's cleared it up.

Nick


----------



## RoryA (May 11, 2011)

And if you add "Crivens", "Jings" or "Hoots" you get a deep fried calzone.


----------



## diddi (May 11, 2011)

so they have battered mars bars in UK as well.  i thought that only Australians were stupid enough to buy the super-healthy battered mars bar.

blah - I'm feeling an attack of diabetes coming on right now.


----------



## SuperFerret (May 11, 2011)

A chip shop near us had a whole range of battered confectionery: Mars bars, Snickers or Twix and all of them were revolting


----------



## arkusM (May 11, 2011)

Hauling this back a bit (sorry, fried sugar sounds.... interesting)
So I made a quick list of username/password combos that I have active, most with differing usernames. I am sure I am missing some.
So far I have:
- 58 PERSONAL combos 
- 31 Work combos.

I was surprised. no wonder we write this stuff down.
Username password overload.

I am sure many/most people have way more around here...


----------



## arkusM (May 11, 2011)

arkusM said:


> Hauling this back a bit (sorry, fried sugar sounds.... interesting)
> So I made a quick list of username/password combos that I have active, most with differing usernames. I am sure I am missing some.
> So far I have:
> - 58 PERSONAL combos
> ...


 

Make that 36 for Work


----------



## Expiry (May 12, 2011)

I have to have about 5 passwords at work - all a variation on a theme. Not only do I have to remember which password is which, but I also have to change them all every 30 days. Goddamit!

So what do I do? The same as every body else. Have a word with a number on the end and just increment it by one each month.

Quality security.


----------



## SuperFerret (May 12, 2011)

Since I started this job just over a year ago, where you have 6 passwords for different systems and some change every week, others every month, others every _n_ logins...I've had to try and figure out a new way to remember the various passwords.

So I have started using the punchlines to my favorite jokes, my favorite number, 2 digits that are part of my telephone number and always make sure the capital is the same number of characters through the word.


----------



## Gerald Higgins (May 12, 2011)

Expiry said:


> So what do I do? The same as every body else. Have a word with a number on the end and just increment it by one each month.


 
And if you're anything like me (and Expiry, I know you'd like to be ), the word itself is "password" which is exactly what I have on one application.


----------



## Peter_SSs (May 12, 2011)

Many years ago I was teaching high school students some computing courses. Some students were always mischievous and regularly asked what the system password was. I repeatedly told them that the password was secret. None of them ever twigged that I was actually telling them the password. 

Doubt that would be the case these days.


----------



## SuperFerret (May 12, 2011)

Peter_SSs said:


> Many years ago I was teaching high school students some computing courses. Some students were always mischievous and regularly asked what the system password was. I repeatedly told them that the password was secret. None of them ever twigged that I was actually telling them the password.
> 
> Doubt that would be the case these days.


 
I did something similar when I had to lock down a spreadsheet, people kept asking what the password to unlock the cells was and I responded "I dont know" every time... they never tried entering _Idontknow_ and subsequently never got in!


----------



## Domski (May 12, 2011)

I think I'm up to about 15 work passwords. I use an encrypted password keeper for keeping track of the harder ones to remember that I don't use so often and never use the 'add a new number to the end' method.

I then have a general password that I use for places that I don't really care if people get into like this and individual passwords for each of my email accounts, online banking etc etc.

I know where most of the people in my office keep the piece of paper or Excel doc with their passwords, must have some mischief some time


----------



## MrKowz (May 12, 2011)

Domski said:


> I then have a general password that I use for places that I don't really care if people get into like this and individual passwords for each of my email accounts, online banking etc etc.


 
You don't care if people get into your online banking?


----------



## Expiry (May 12, 2011)

I actually had to request a new password for some webhosting today and they emailed it to my yahoo email account. I suddenly realised that any password is only as secure as my email password. If someone got into my yahoo email, they could request all of my other passwords to be reset, no bother. 

Particularly as any accompanying security question is easily answered - mother's maiden name, first school etc.


----------



## MrKowz (May 12, 2011)

Expiry said:


> I actually had to request a new password for some webhosting today and they emailed it to my yahoo email account. I suddenly realised that any password is only as secure as my email password. If someone got into my yahoo email, they could request all of my other passwords to be reset, no bother.
> 
> Particularly as any accompanying security question is easily answered - mother's maiden name, first school etc.


 
That's why you give those questions some really obscure, off-the-wall, answer, like:

First school:
School of Hard Knocks

Mother's Maiden Name:
Jingelheimer-schmidt

First pet:
Folgers Coffee

Street you grew up on:
Asphalt


----------



## TinaP (May 12, 2011)

MrKowz said:


> That's why you give those questions some really obscure, off-the-wall, answer, like:
> 
> First school:
> School of Hard Knocks
> ...


Then the answers are just as hard to remember as the passwords.

I like the sites that allow you to create your own questions. I usually use stuff like "Which teacher did you dislike the most?" I have one application where I had to pick three questions and most of them were family related. I'm an unmarried only child. I don't have kids, siblings or in-laws. I had to make up fake siblings. I hope I don't have to answer the questions for that application, because I don't remember their birth months or names, for that matter.


----------



## Domski (May 12, 2011)

MrKowz said:


> You don't care if people get into your online banking?



 Very much so which is why I have individual passwords for each one!!!!


----------



## MrKowz (May 12, 2011)

Domski said:


> Very much so which is why I have individual passwords for each one!!!!


 
I misread what you said.  My apologies


----------



## Cindy Ellis (May 12, 2011)

My dad's cable internet tech support has only 2 challenge questions to reset a password, and they're both ridiculous...
What's your favorite restaurant?
and
What's your favorite music group?

These seem like bad questions for anyone, as these change over time, but really...my dad is 80 years old.  Favorite music group...maybe the church choir?  Favorite restaurant...whoever has the best senior discount?  And trying to remember the answer he gave 10 years ago when he signed up for it? Impossible.
They wouldn't let him continue without giving an answer, which he hadn't written down, so I ended up spending 45 minutes with him and tech support on the line to get his access back so he could do his online banking.


----------



## RichardS (May 13, 2011)

I have a file with 92 passwords in it, mostly work related passwords for various web sites and a multitude of applications. My passwords for on-line banking, both for work and personal, are not recorded anywhere, but they don't force you to change them.

Our network passwords are no longer required to be changed, as the view is that if people have to change them every month, they will write them down. Tried to convince a statewide finance deployment that this was a good idea, but they didn't agree.


----------



## JamesW (May 13, 2011)

Actually, why are we worrying? Most of the things I use which need a password have a 3 chance rule (SAP, Email, Work PC, Online Banking).  If you don't get it right in 3 tries then it locks you out and you have to call the IT people.

Surely most important systems have a similar rule, meaning they will never be hacked.


----------



## litrelord (May 13, 2011)

JamesW said:


> Actually, why are we worrying? Most of the things I use which need a password have a 3 chance rule (SAP, Email, Work PC, Online Banking).  If you don't get it right in 3 tries then it locks you out and you have to call the IT people.
> 
> Surely most important systems have a similar rule, meaning they will never be hacked.



This is where the other aspect of protecting yourself comes in and you keep yourself aware of people using social engineering to try and get you to disclose your passwords or the answers to the forgotten password questions (though I'm sure that used to just be called conning people rather than social engineering?!?)

The Google and Adobe hacks last year were due to holes in the software, but these were only activated by clicking a link in an email. The emails were sent to individuals in the company rather than everyone and were specifically targeted towards those people, which made them much more believable.

I don't think the perpetrators of the Google hack are coming after my MrExcel password though so hopefully I'm safe for now.

Nick


----------



## MrKowz (May 16, 2011)

This comic strip is actually somewhat relevant to this topic - and pretty funny!

Password Validation


----------



## Auracle (May 26, 2011)

JamesW said:


> Actually, why are we worrying? Most of the things I use which need a password have a 3 chance rule (SAP, Email, Work PC, Online Banking). If you don't get it right in 3 tries then it locks you out and you have to call the IT people.
> 
> Surely most important systems have a similar rule, meaning they will never be hacked.


 
Unless of course you've got a situation like at work here where my supervisor told us that if we have such a complicated and/or hard to type password that we keep getting locked out of systems, she is going to come over and make a password for us...  well, you know at that point it's not going to be anything terribly complex...


----------



## MrKowz (Jun 9, 2011)

Interesting read on how GPUs are being used to crack passwords in a FRACTION of the time:

http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125


----------



## Darren Bartrup (Jun 10, 2011)

MrKowz said:


> Schrödinger's cpu?



I didn't get the salt joke, but giggled at this one.
So your password's secure, but is instantly cracked as soon as you use it?


----------



## arkusM (Aug 29, 2011)

Anybody heard of this method of password generation called Diceware?
Basically they have come up with a dictionary of words based on 5 digit values.

Then you roll a dice five times per word and as many words as you like (25 rolls for a five word password) then you concatenate the words as your password. Interesting, but thoughts from this group?

http://world.std.com/~reinhold/diceware.html
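As an added illustration of the Diceware procedure described above (example code, not from the thread or from the Diceware site): five dice rolls form a 5-digit key that indexes a word list, and the passphrase strength is counted in words rather than characters. The word list here is a constructed six-entry excerpt standing in for the full 7776-entry list, and the entropy helpers are added to compare a word-based passphrase with a short random character password.

```python
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD      # a full Diceware list has 7776 entries

# Constructed excerpt: keys are five dice faces read in order, words are
# made up for this example. The real list maps every possible key to a word.
SAMPLE_WORDLIST = {
    "11111": "abacus",
    "23456": "canoe",
    "34512": "dawn",
    "45623": "pillow",
    "56134": "quartz",
    "66666": "zebra",
}


def roll_key(n_dice: int = DICE_PER_WORD) -> str:
    """Roll n fair dice with a CSPRNG and return the faces as a key like '23456'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def lookup_word(key: str, wordlist: dict) -> str:
    """Validate a dice key and return its word (KeyError if the excerpt lacks it)."""
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError(f"bad dice key: {key!r}")
    return wordlist[key]


def passphrase(n_words: int, wordlist: dict = SAMPLE_WORDLIST,
               roller=roll_key, sep: str = " ") -> str:
    """Concatenate n_words words chosen by dice rolls (25 rolls for five words)."""
    return sep.join(lookup_word(roller(), wordlist) for _ in range(n_words))


def word_entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy of a passphrase of n_words uniformly chosen words: n * log2(list_size)."""
    return n_words * math.log2(list_size)


def char_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random character password of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # With the full list one would simply call passphrase(5); the fixed roller
    # below keeps the demo inside the constructed excerpt.
    fixed = iter(["11111", "45623", "66666"])
    print(passphrase(3, roller=lambda: next(fixed)))    # abacus pillow zebra
    print(round(word_entropy_bits(5), 1), "bits for 5 Diceware words")
    print(round(char_entropy_bits(6, 95), 1), "bits for 6 random printable chars")
```

Five words from the 7776-entry list give about 64.6 bits, more than eight fully random printable ASCII characters (about 52.6 bits), which is the comparison the xkcd strip later in the thread makes.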


----------



## sous2817 (Aug 29, 2011)

For our company, the weakest link is the help desk.  We have network log ins, so I can go to any laptop and type my employee ID number and password and get access to my desktop, outlook email, etc.  

Get it wrong 3 or 5 times and I'm locked out and have to call IT.  There is no identity validation when I call IT, just give them my employee number and tell them I'm locked out.  They'll reset it w/ a generic password that I then have to reset on your next log in. 

Do you know what's freely available on our corporate directory?  People's employee id!  So if I was the type, I could go to one of the computers in one of the workrooms and type in some employee's ID, get it locked, call the help desk and get it reset, and relog in and have access to their email account as well as anything they've put on their network drive allocation.


----------



## Oaktree (Aug 29, 2011)

This thread makes me think of this recent comic from xkcd:

http://xkcd.com/936/


----------



## arkusM (Aug 29, 2011)

Oaktree said:


> This thread makes me think of this recent comic from xkcd:
> 
> http://xkcd.com/936/


 

That comic is what Diceware is supposed to do. 
Is it really a valid method? 
Of course there is the proverbial character limit...


----------



## RobMatthews (Aug 29, 2011)

Oaktree said:


> This thread makes me think of this recent comic from xkcd:
> 
> http://xkcd.com/936/


That strip is predated by this thread. Any chance Randall (Author) is a member here??


----------

