The truth about password strength

  • #1
FlexGunship
Gold Member
Moderator's note: A reminder to all to use common sense when duplicating others' intellectual property.

XKCD, for example, requires some sort of attribution attached to postings of its comics, e.g. a link to the comic. (And, thankfully, XKCD does permit its images to be hotlinked.)

password_strength.png
 

Answers and Replies

  • #2
There goes my password. It was correcthorsebatterystaple. This is the worst thing to happen to me since a quantum computer successfully factored 15 into primes and broke my private key.
 
  • #3
FlexGunship
Gold Member
There goes my password. It was correcthorsebatterystaple.
Hah, damn... I just got done changing my 57 passwords to that. Time to change them to something else. I can't have the same password as everyone.
 
  • #4
BobG
Science Advisor
Homework Helper
Instead of memorizing the letters, numbers, etc., it's better to memorize some tune and the dance steps to that tune, except your fingers do the dancing instead of your legs.

Except that doesn't work for the classified computers at work. Your password can't have any patterns in it. They don't even allow patterns that match legal moves for the Knight in chess or even allow a castling move pattern and they definitely don't allow any of the legal moves in Go or Chinese Checkers. We have a theory that the rules for passwords at work have become so elaborate that there's only one possible password that's allowable and that everyone is actually using the same password, but we can't verify it because we can't ever tell anyone our password.
 
  • #5
FlexGunship
Gold Member
Instead of memorizing the letters, numbers, etc., it's better to memorize some tune and the dance steps to that tune, except your fingers do the dancing instead of your legs.
How mindlessly poetic of you.

My fingers play Dance Dance Revolution on the keyboard when I'm entering my password: "upupdowndownleftrightleftrightBAselectstart."
 
  • #6
At my last job, the rules for passwords were so elaborate that there was no way to remember them. We all just wrote them down and left them on our desks.
 
  • #7
FlexGunship
Gold Member
At my last job, the rules for passwords were so elaborate that there was no way to remember them. We all just wrote them down and left them on our desks.
That's my current job. It's absurd.
 
  • #8
BobG
Science Advisor
Homework Helper
How mindlessly poetic of you.

My fingers play Dance Dance Revolution on the keyboard when I'm entering my password: "upupdowndownleftrightleftrightBAselectstart."
My fingers prefer Fred Astaire dancing to "You're All the World to Me" from "Royal Wedding".
 
  • #9
Hurkyl
Staff Emeritus
Science Advisor
Gold Member
It's not all that hard to memorize a random sequence of 8 characters if you spend a few minutes practicing it. :tongue:
 
  • #10
BobG
Science Advisor
Homework Helper
It's not all that hard to memorize a random sequence of 8 characters if you spend a few minutes practicing it. :tongue:
Your passwords are only 8 characters long?!

Passwords have to be at least 3 minutes where I work!
 
  • #11
Long ago, you could use special symbols in password fields but that is quickly going away.

I also used to move my hand position about the keyboard and type passwords.

Maybe the index fingers now on G and H instead of F and J, or maybe shifted up or down.
 
  • #12
It's not all that hard to memorize a random sequence of 8 characters if you spend a few minutes practicing it. :tongue:
I failed to mention we had to change them every three months.
 
  • #13
FlexGunship
Gold Member
I failed to mention we had to change them every three months.
So your passwords are:

password1
password2
password3
...
password[INT((X-1)/3)+1] where "X" is the number of months that you've been employed?
 
  • #14
Mk
Ah! This xkcd is so excellent.
Yes! Please always use nonsensical sentences in your passwords! Easy to remember, with the benefit of not being found in any book, and if you stray from grammar, you're protected by another layer when, in the future, computers are able to guess sentences and reference books.
 
  • #15
turbo
Gold Member
For a time, I worked for an outfit in which the technical director was a clueless martinet, and his rules for formatting and changing passwords were draconian and ill-advised. Yes, we techs had trade-secrets on our computers, but we were in the field 99% of the time and didn't have the luxury of nice hiding places, like a boring book on a shelf in the office in which you could jot your latest password.

Years later, I became the network administrator for a very large (by Maine standards) ophthalmic practice and I urged people to use strings of words that wouldn't be guessed easily. I have very few hard-and-fast rules, except "don't use the names/birth dates of your children, pets, spouse, etc". Keep the words impersonal. The xkcd is better than my plan, but back then, code-breaking was more a function of informed guessing and "human engineering". Still, you don't want the curious to log in as a supervisor or administrator and find out how much everybody makes, look at personnel records, etc. That alone can be very destructive in an office atmosphere.
 
  • #16
Hurkyl
Staff Emeritus
Science Advisor
Gold Member
In any case, before you start using strings of words, you really ought to make sure your system actually considers every character significant. Some systems, for example, only use the first 8 characters, making XKCD's advice rather terrible.
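The truncation caveat just raised, as an added example that is not part of the thread or the comic: a small Python model of a verifier that keys on only the first 8 bytes of the password, beside one that uses every byte, plus a black-box probe an administrator can run against a system they operate to find out which kind they have. The 2048-entry word list (11 bits per word) used for the entropy figures, the fixed salt, the PBKDF2 parameters and the user name are assumptions made for the demonstration, not values from the page.

```python
import hashlib
import hmac
import math

# Constructed values for the demonstration; a real system stores a random per-user salt
# and uses a dedicated password hash (bcrypt, scrypt, Argon2) with a tuned work factor.
SALT = b"constructed-demo-salt"
WORDLIST_SIZE = 2048  # assumed size of the common-word list the passphrase is drawn from


def passphrase_entropy_bits(num_words, wordlist_size=WORDLIST_SIZE):
    """Entropy of num_words words chosen uniformly from a list of wordlist_size entries."""
    return num_words * math.log2(wordlist_size)


def random_string_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string of the given length over the given alphabet."""
    return length * math.log2(alphabet_size)


def _kdf(material: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for the stored password hash; low iteration count for the demo.
    return hashlib.pbkdf2_hmac("sha256", material, SALT, 10_000)


def legacy_hash(password: str) -> bytes:
    """Toy model of a verifier that only looks at the first 8 bytes, as some old systems did."""
    return _kdf(password.encode()[:8])


def modern_hash(password: str) -> bytes:
    """Verifier that hashes every byte of the password."""
    return _kdf(password.encode())


def make_verifier(hash_fn):
    """Return (enroll, check) closures over a stored hash, the two operations a login system exposes."""
    store = {}

    def enroll(user, password):
        store[user] = hash_fn(password)

    def check(user, password):
        # Constant-time comparison of the stored and recomputed hashes.
        return hmac.compare_digest(store[user], hash_fn(password))

    return enroll, check


def verifier_truncates(hash_fn, probe="correcthorsebatterystaple"):
    """Black-box probe for a system you administer: enroll a long passphrase, then check
    whether a password that agrees only on the first 8 characters is still accepted."""
    enroll, check = make_verifier(hash_fn)
    enroll("probe-user", probe)  # hypothetical account used only for the probe
    altered = probe[:8] + "X" * (len(probe) - 8)
    return altered != probe and check("probe-user", altered)


if __name__ == "__main__":
    print(f"4 words from a {WORDLIST_SIZE}-word list: {passphrase_entropy_bits(4):.0f} bits")
    print(f"8 random lowercase letters: {random_string_entropy_bits(8, 26):.1f} bits")
    print("legacy verifier truncates:", verifier_truncates(legacy_hash))
    print("modern verifier truncates:", verifier_truncates(modern_hash))
```

On the legacy model, the probe succeeds: only "correcth" is ever checked, so the 44 bits a four-word passphrase would offer collapse to little more than the first word, and the same probe (a real passphrase followed by altered trailing characters) is how to confirm the behaviour on a live system before recommending long passphrases to its users.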
 
  • #17
turbo
Gold Member
During my tenure then, we bought all the equipment from a recently failed ophthalmic practice, and the bank that foreclosed (the doctor went bankrupt from malpractice suits) wanted help breaking the master password on the practice-management software so they could try to recover some of the outstanding receivables. I looked in the most obvious places for jotted passwords, then told the bank reps to strip all certificates, etc, off the walls and bring them to me while I continued to hunt.

I had no luck searching the main office, but one of the certificates had the doctor's birth-date on it. I formatted it in the MMDDYY numeric format, and punched that date in in reverse order. BINGO! The bank reps got pretty fired up, and asked what else I needed. I told them to go to Staples and buy a new printer ribbon for that dot-matrix printer, and a couple of cases of tractor-feed paper. I got them started, showed them how to pause printing and re-start and they got a complete paper record of the practice's receivables.
 
  • #18
Containment
Does anyone know if the 10-20 most common passwords have changed much over the last 10 years? I would think password1 is probably still one of the most common, right?

http://en.wikipedia.org/wiki/Password

I like the one about hotmail banning the pw 123456 heh.
 
  • #19
dlgoff
Science Advisor
Gold Member
It's not all that hard to memorize a random sequence of 8 characters if you spend a few minutes practicing it. :tongue:
What if you have three? At my last job (Gov), one to get the desktop operating system to boot, one to get onto the LAN, then one to get onto the Gov network. Oh, and one for their mail. And every 30 days we were prompted to change them. What made it bad was that the prompts were not in sync.
 
  • #20
FlexGunship
Gold Member
What if you have three? At my last job (Gov), one to get the desktop operating system to boot, one to get onto the LAN, then one to get onto the Gov network. Oh, and one for their mail. And every 30 days we were prompted to change them. What made it bad was that the prompts were not in sync.
No joke:
  • Local admin login - laptop
  • Local admin login - desktop
  • Network login
  • Mail login
  • Remote support login (different for every site)
  • VPN login
  • My company's FTP site login
  • Siemens' FTP login
  • Siemens' SiePro login
  • Simotion controller FTP login (different for every site)
  • Simotion IT diagnostics login (different for every site)
  • Legacy modem connection login (different for every site)
  • TestTrack Pro login
  • VSS login

Yup; those are real. I keep my passwords in my KeyPass program on my phone in an encrypted file to which the password is "password."
 
