Online password requirements have gotten ridiculous

  • Thread starter: leroyjenkens
  • Tags: Online classes
Online password requirements have become increasingly complex, with many websites enforcing strict rules that often lead to user frustration. Users express concerns about the necessity of long, complicated passwords, especially when they struggle to remember multiple variations for different accounts. The discussion highlights issues with password management, including the potential insecurity of using password managers and the absurdity of being locked out of accounts due to overly stringent requirements. There is skepticism about whether these complex requirements genuinely enhance security or simply create a false sense of safety. Ultimately, the conversation suggests a shift towards using longer passphrases might be a more effective solution for securing accounts.
  • #31
I use imaginary words with the extra mandatory odd unmatching capital letter, number, special character, do imaginary words make it more difficult? The imaginary words are familiar to me, but unknown to others, so easy for me to remember. Do they more commonly look for words or just an assortment of letters and characters?
 
  • #32
zoobyshoe said:
But, as I said earlier, how do you entice the hacking computer to think in terms of a 100,000 member pool of possible terms when it can much more easily think in terms of a 62 character pool? It has no incentive whatever to think in terms of words when it can think in terms of upper and lowercase letters and the digits 0-9.
You are missing the point. The whole point is that the hacking community *can't* attack a pass phrase made of four or more randomly selected words from a reasonably sized dictionary, even if the hacker knows the number of words and the dictionary from which those words were selected. Given four randomly selected words drawn from a 25,000 word dictionary where order matters, at a billion guesses per second with words drawn from the exact same dictionary, it would take 6 years to have a 50% chance of correctly guessing the password. Five randomly chosen words extends that from 6 years to 154,000 years.

You are right in that a 28 character long password randomly drawn from a 62 character alphabet is even more secure, at least with regard to random guesses. The universe will die before that long of a random character password can be hacked using random guesses.

However, a hacker doesn't need to use random guesses to find that password. Shoulder surfing will work quite nicely. There is zero chance a person could remember that password. If the user needs to type that password into a computer, that user will have it written out on a piece of paper or displayed on a smartphone so the password can be read and typed in, slowly. That over the top password makes the computer less secure, not more secure.

Also note: This thread is most likely someone complaining about a system with a 12 character password rule, and the passwords have to satisfy certain rules. Those rules are not strong enough to connote a random-looking password. Humans would revolt at having to use a 12 character password tested for apparent randomness. Adding one more character to Tr0ub4dor&3 makes for what most systems would deem to be a "strong" password.
 
  • #33
D H said:
You are right in that a 28 character long password randomly drawn from a 62 character alphabet is even more secure, at least with regard to random guesses. The universe will die before that long of a random character password can be hacked using random guesses.
You have overly-charitably mistaken me for saying the opposite of what I was actually saying. I was arguing that viewing the password as being made up of 62 possible choices would make it easier to hack than if it came from 150,000 choices. I was making the (pretty stupid) error of assuming that 62^25 (based on PF allowing up to 25 character passwords) would be a lot less than 150,000^4. Having now calculated both I see that 62^25, which is 6.453454278 X 10^44, is actually vastly larger than 150,000^4, which is 5.0625 X 10^20. (62 has, in fact, already surpassed 150,000^4 with a 12 character password.) 62 is so much less than 150,000 I just didn't think it would catch up that fast.
 
  • #34
zoobyshoe said:
You have overly-charitably mistaken me for saying the opposite of what I was actually saying. I was arguing that viewing the password as being made up of 62 possible choices would make it easier to hack than if it came from 150,000 choices. I was making the (pretty stupid) error of assuming that 62^25 (based on PF allowing up to 25 character passwords) would be a lot less than 150,000^4. Having now calculated both I see that 62^25, which is 6.453454278 X 10^44, is actually vastly larger than 150,000^4, which is 5.0625 X 10^20. (62 has, in fact, already surpassed 150,000^4 with a 12 character password.) 62 is so much less than 150,000 I just didn't think it would catch up that fast.

It is more a matter of the ratio between 62 and 150000 than about their difference. 150000 is a little less than 2500 times as big as 62. Sub in then:

150000^4 < (62 X 2500)^4. But 2500 < 62^2 (since, e.g., 2500 < 60^2 = 3600), so

150000^4 < (62 X 2500)^4 < (62 X 62^2)^4 = (62^3)^4 = 62^12, like you said.

Or you can take the log of both 62^25 and 150000^4 too.
 
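The arithmetic in posts #32 to #34 (years to a 50% guess at a billion guesses per second, and 62^25 versus 150,000^4) as an added worked example; this is not code from the thread or from any poster. It assumes D H's figures of a 25,000 word dictionary and 10^9 guesses per second, and the short word list in it is a constructed toy list used only to show how a passphrase is drawn uniformly at random.

```python
# Added example (not from the thread): the entropy arithmetic of posts #32-#34
# in code. Assumes a 25,000-word dictionary and one billion guesses per second,
# as D H states; TOY_WORDS is a constructed list, not a real word list.
import math
import secrets

GUESSES_PER_SECOND = 1_000_000_000          # attacker rate assumed in the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(pool_size: int, length: int) -> int:
    """Number of equally likely secrets: pool_size choices per position, order matters."""
    return pool_size ** length


def entropy_bits(pool_size: int, length: int) -> float:
    """log2 of the search space, the usual unit for comparing password schemes."""
    return length * math.log2(pool_size)


def years_to_half_chance(pool_size: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Years until an attacker enumerating the whole space has a 50% chance of success."""
    guesses = search_space(pool_size, length) / 2
    return guesses / rate / SECONDS_PER_YEAR


def compare_schemes() -> dict:
    """Recompute the figures quoted in the thread so they can be checked."""
    return {
        "4 words, 25k dict (years)": years_to_half_chance(25_000, 4),
        "5 words, 25k dict (years)": years_to_half_chance(25_000, 5),
        "62^25 > 150000^4": search_space(62, 25) > search_space(150_000, 4),
        "62^12 > 150000^4": search_space(62, 12) > search_space(150_000, 4),
        "28 random chars, 62 alphabet (bits)": entropy_bits(62, 28),
    }


# Constructed toy word list. A real list has thousands of entries; the strength
# comes from the list size and the uniform random draw, not from the words.
TOY_WORDS = ["copper", "lantern", "orbit", "velvet", "tundra", "quartz", "meadow", "saddle"]


def random_passphrase(words: list[str], count: int) -> str:
    """Draw `count` words uniformly, with replacement, using the OS CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for label, value in compare_schemes().items():
        if isinstance(value, float):
            print(f"{label}: {value:,.1f}")
        else:
            print(f"{label}: {value}")
    print("example passphrase from the toy list:", random_passphrase(TOY_WORDS, 4))
```

The point the numbers make is the one D H and WWGD argue: 25,000^4 is about 3.9 x 10^17 guesses (roughly 58 bits), which is what puts four words at about six years, and a 62-character alphabet overtakes 150,000^4 at 12 characters because the comparison is about exponents, not the size of the base.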
  • #35
WWGD said:
It is more a matter of the ratio between 62 and 150000 than about their difference. 150000 is a little less than 2500 times as big as 62. Sub in then:

150000^4 < (62 X 2500)^4. But 2500 < 62^2 (since, e.g., 2500 < 60^2 = 3600), so

150000^4 < (62 X 2500)^4 < (62 X 62^2)^4 = (62^3)^4 = 62^12, like you said.
Thanks! Very nice analysis.
 
  • #36
zoobyshoe said:
I can believe this is true of average people on the internet, but in the works of fiction I mention people are trying to break into the computers of people like company CEO's, terrorists, master criminals, and police detectives. The trick always turns out to be to figure out what is the most important thing in that person's life and their password always ends up being related to that.
I just got back from a weekend trip to my home state where I helped a very non-technical friend with setting up his Facebook account on a tablet. Someone else had helped him change his password a while back to just the names of his two sons. Even better, he kept his passwords (including that one) written on the back of the tablet in felt marker!
Evo said:
I use imaginary words with the extra mandatory odd unmatching capital letter, number, special character, do imaginary words make it more difficult? The imaginary words are familiar to me, but unknown to others, so easy for me to remember. Do they more commonly look for words or just an assortment of letters and characters?
My strongest one looks like something you would see on a license plate. It's next to impossible to figure out unless you already know what the phrase is.
 
  • #37
Honestly, passwords are horrible and shouldn't be used. Not sure what the best alternative is though...good luck getting people to use PKI properly.
 
  • #38
jhae2.718 said:
Honestly, passwords are horrible and shouldn't be used. Not sure what the best alternative is though...good luck getting people to use PKI properly.

Two factor login is better. Then you don't need a complicated password.
 
  • #39
Why can't one use something like fingerprints instead of passwords?
 
  • #40
Pws have been a nightmare for me. First I believed what I was told, never wrote them down, thought of clever word associations that linked a word to this bank, that other thing, write a clever hint in a list. Result: I was so secure I was locked out of my bank accounts etc. sometimes repeatedly, and sometimes for long times because the banks in the UK take 2 or 3 weeks to send you a letter and I am away for long times, sometimes they have passed their use-by date by the time I see them. Etc. Etc.

The hints were often not good enough because even when I remembered the word it was impossible to remember upper/lower case assignments etc, etc. And anyway passwords were only half of it - when you remembered the password you'd forgotten the username!

I did a few things.

First now in UK, I imagine everywhere, every damned thing you do, buy a cinema ticket online, send flowers, buy a rail ticket, write a letter to a newspaper,... you have to have a password.

Eventually I decided I wouldn't worry about anyone impersonating me for these purposes and I just use the same one which used to be strong for all these purposes. Then I have another one like that for all 'clever' sites like PF.

For a very few sensitive sites I use a 6-word + special characters generated randomly by a program called Dice or something similar. Completely nonsensical yet memorable.

I learned various tricks, e.g. it is not a good idea to type directly into boxes where you can't see what you typed because capitals etc. may not be what you think... I always type in Word then copy and paste, does anyone do different?

I read that things like Tr0ub4dor&3 are losing their effectiveness as hackers are fully aware of them.

But now I am surprised no one has mentioned PASSWORD MANAGERS. I have nearly all my passwords in one of these now, and it has the added convenience you call up the bank etc. sites from within it. I think mine is among those recommended by CNET. It's putting a lot of trust in the integrity in more than one sense of some organisation one knows little of, not a good principle in principle. And I ought to have more than one of them. Must get that seen to.
 
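Posts #32 and #40 both note that passwords like Tr0ub4dor&3 satisfy complexity rules yet are weaker than they look. The following added example (not code from the thread or from any poster) shows why, by putting a pattern-aware entropy estimate next to the naive one that a rule-based policy checker computes. The substitution table, the 25,000-word dictionary size and the small dictionary are all constructed assumptions; a real estimator uses large word lists, including common misspellings, which is why the misspelling "troubador" is in the toy list.

```python
# Added example (not from the thread): a pattern-aware strength estimate for
# substitution passwords like Tr0ub4dor&3, beside the naive estimate that
# policy checkers usually compute. Assumptions: the LEET table, DICT_SIZE and
# the constructed toy DICTIONARY below.
import math

# Substitutions that rule-based guessers undo; each is worth about one bit.
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}

# Constructed toy dictionary standing in for a 25,000-word list (which would
# also carry common misspellings such as "troubador").
DICTIONARY = {"troubador", "troubadour", "password", "correct", "horse", "battery", "staple"}
DICT_SIZE = 25_000            # assumed size of the list the word is drawn from
TAIL_POOL = 10 + 33           # digits plus printable ASCII symbols


def naive_bits(password: str) -> float:
    """Entropy if each character were uniform over the character classes present."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def split_tail(password: str) -> tuple[str, str]:
    """Separate a trailing run of digits/symbols (the '&3' in Tr0ub4dor&3)."""
    i = len(password)
    while i > 0 and not password[i - 1].isalpha():
        i -= 1
    return password[:i], password[i:]


def normalize(word: str) -> str:
    """Undo leet substitutions and case, the way a guesser's rules would."""
    return "".join(LEET.get(c, c) for c in word).lower()


def pattern_bits(password: str) -> float:
    """Entropy a rule-based guesser actually faces. If the core is a dictionary
    word, charge for the word choice plus one bit per capital and per
    substitution, plus the tail; otherwise fall back to the naive figure."""
    head, tail = split_tail(password)
    if normalize(head) in DICTIONARY:
        bits = math.log2(DICT_SIZE)
        bits += sum(1 for c in head if c.isupper())
        bits += sum(1 for c in head if c in LEET)
        bits += len(tail) * math.log2(TAIL_POOL)
        return bits
    return naive_bits(password)


def estimate(password: str) -> dict:
    """Both figures side by side, as a policy checker could report them."""
    return {"naive_bits": naive_bits(password), "pattern_bits": pattern_bits(password)}


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "xK9#qL2m"):
        e = estimate(pw)
        print(f"{pw}: naive {e['naive_bits']:.1f} bits, pattern-aware {e['pattern_bits']:.1f} bits")
```

For Tr0ub4dor&3 the naive figure is about 72 bits (11 characters over a 95-symbol alphabet) while the pattern-aware figure is about 28 bits, which is why a 12-character rule with character-class requirements does not by itself produce the random-looking password D H describes. A random string such as xK9#qL2m has no dictionary core, so both estimates agree.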
  • #41
WWGD said:
Why can't one use something like fingerprints instead of passwords?

Biometric authentication has its place, and there is lots of research going into the technology. And maybe in some, limited applications it makes sense.

But the disadvantages for using biometrics such as fingerprints as the sole form of authentication for a large population are twofold (maybe more):
  1. Biometric authentication, let's say fingerprints, doesn't bode well for individuals who do not have fingers.
  2. When technology is hacked (use your imagination -- lifting prints off a doorknob and making a fake finger, etc. Or easier still, just stealing the metrics out of another system's database), the security failure is not easy to rectify. It's not like the legitimate user can just go out and get new fingerprints.
 
  • #42
collinsmark said:
Biometric authentication has its place, and there is lots of research going into the technology. And maybe in some, limited applications it makes sense.

But the disadvantages for using biometrics such as fingerprints as the sole form of authentication for a large population are twofold (maybe more):
  1. Biometric authentication, let's say fingerprints, doesn't bode well for individuals who do not have fingers.
  2. When technology is hacked (use your imagination -- lifting prints off a doorknob and making a fake finger, etc. Or easier still, just stealing the metrics out of another system's database), the security failure is not easy to rectify. It's not like the legitimate user can just go out and get new fingerprints.

How about requiring more than one trait, say fingerprints and some form of eye identification, together with, say, a birthdate password --easy for the legit users, harder for hackers? Besides, are there that many people without fingers out there?
 
  • #43
WWGD said:
How about requiring more than one trait, say fingerprints and some form of eye identification, together with, say, a birthdate password --easy for the legit users, harder for hackers? Besides, are there that many people without fingers out there?
I know many individuals who have lost an arm or an eye somewhere along the line. Perhaps I don't have a personal acquaintance who has lost both hands, but I know that it happens. And they need bank accounts to Facebook access to PF access just like anybody else.

More to the point though, what if somebody hacks your identity. Changing the simple, birthday password might not get you very far since that's easy to re-hack.

Or worse. Heaven forbid, what if somewhere along the line you lose a finger and need to change your identification strategy? How do you prove that you're you? (How do you mimic the "Enter old password: " functionality?)

You could have other biometrics on file, in case the need arises to swap fingers or eyes or some-such, but then those too could be stolen/hacked from the database they are stored in. [Edit: or by whatever method was used to steal the biometric the first time around; i.e., the doorknob might have more than one of your fingerprints on it.]

There's no security problem with any of this as long as there's an option to use a strong password (no simple, birthday passwords) instead of a biometric. But since it would then be possible to gain access by using a single password, that brings us back to square 1.
 
  • #44
collinsmark said:
I know many individuals who have lost an arm or an eye somewhere along the line. Perhaps I don't have a personal acquaintance who has lost both hands, but I know that it happens. And they need bank accounts to Facebook access to PF access just like anybody else.

More to the point though, what if somebody hacks your identity. Changing the simple, birthday password might not get you very far since that's easy to re-hack.

Or worse. Heaven forbid, what if somewhere along the line you lose a finger and need to change your identification strategy? How do you prove that you're you? (How do you mimic the "Enter old password: " functionality?)

You could have other biometrics on file, in case the need arises to swap fingers or eyes or some-such, but then those too could be stolen/hacked from the database they are stored in. [Edit: or by whatever method was used to steal the biometric the first time around; i.e., the doorknob might have more than one of your fingerprints on it.]

There's no security problem with any of this as long as there's an option to use a strong password (no simple, birthday passwords) instead of a biometric. But since it would then be possible to gain access by using a single password, that brings us back to square 1.

But, what are the odds someone will steal both and will have the technology to do something about it; isn't this technology harder to come about?

Or one can ultimately have a triple of birthdates, together with names, say dad's first name, mom's first name, dad's birthdate, mom's birthdate. Easy to remember, hard to hack; around 18600 choices for each birthday, and you can write them down, or call, or e-mail them if you forget, or just write it down somewhere, of course not stating in the sheet that it is part of the password.
 
  • #45
WWGD said:
But, what are the odds someone will steal both and will have the technology to do something about it; isn't this technology harder to come about?
Yes, the biometric authentication systems are getting better. But, so are other technologies like 3d printing.

http://spectrum.ieee.org/tech-talk/biomedical/imaging/print-3-d-fingerprints-for-better-biometrics

Don't get me wrong. Biometrics have their place. But for reasons already discussed, I don't think you'll see them replacing strong passwords.

Or one can ultimately have a triple of birthdates, together with names, say dad's first name, mom's first name, dad's birthdate, mom's birthdate. Easy to remember, hard to hack; around 18600 choices for each birthday, and you can write them down, or call, or e-mail them if you forget, or just write it down somewhere, of course not stating in the sheet that it is part of the password.

Or one could just remember a list of words to create a strong, easy to remember password, such as what was discussed in this thread. :smile:
 
  • #46
@Collinsmark, I guess I just spent some time reinventing the wheel :).
 
  • #47
epenguin said:
But now I am surprised no one has mentioned PASSWORD MANAGERS. I have nearly all my passwords in one of these now, and it has the added convenience you call up the bank etc. sites from within it. I think mine is among those recommended by CNET. It's putting a lot of trust in the integrity in more than one sense of some organisation one knows little of, not a good principle in principle. And I ought to have more than one of them. Must get that seen to.

I did mention PASSWORD MANAGERS, in post #15. They're absolutely fantastic. Support 2-factor-authentication and are all around very stable and useful... All one needs is a strong Master-Password, which really isn't that hard to get...

My internet security is absolutely better, now that I use them... Now, the question is: Does NSA have backdoors on LastPass? Some say they do, some say they don't...
 