
The truth about password strength

  1. Aug 11, 2011 #1

    FlexGunship

    Gold Member

    Moderator's note: A reminder to all to use common sense when duplicating others' intellectual property.

    XKCD, for example, requires some sort of attribution attached to postings of its comics; e.g. a link to the comic. (And, thankfully, XKCD does permit its images to be hotlinked)

    password_strength.png
     
    Last edited by a moderator: Aug 11, 2011
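    The comic's argument is an entropy comparison, so here it is worked through in code. This is an added example, not part of the original post or of xkcd's comic: the 1000 guesses/second rate, the headline figures (about 28 bits for a "Tr0ub4dor&3"-style password, about 44 bits for four random common words) and the per-element bit counts reproduce the comic's annotations, while the word list is a constructed stand-in and `generate_passphrase` is an assumption about how one would put the advice into practice.

```python
"""Entropy comparison behind the comic: a 'Tr0ub4dor&3'-style password
versus four random common words.

Added example, not from the original post or from xkcd. The guess rate,
the headline figures and the per-element bit counts reproduce the comic's
annotations; the word list is a constructed stand-in and
generate_passphrase is an assumption about putting the advice to use.
"""
import math
import secrets

GUESSES_PER_SECOND = 1000      # the comic's rate for a weak remote web service
COMIC_WORDLIST_SIZE = 2048     # 11 bits per word, as the comic assumes

# Constructed stand-in for a real word list (use a published diceware list
# in practice; entropy is computed from the list actually supplied).
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "window", "marble", "engine",
    "forest", "candle", "rocket", "pillow", "garden", "silver", "planet",
    "copper", "meadow",
]


def substitution_password_bits(base_word=16, caps=1, substitutions=3,
                               punctuation=4, numeral=3, order=1):
    """Bits an attacker who knows the 'word + leet + symbol + digit' pattern
    must search. Defaults are the comic's per-element estimates."""
    return base_word + caps + substitutions + punctuation + numeral + order


def passphrase_bits(n_words, wordlist_size=COMIC_WORDLIST_SIZE):
    """Entropy of n_words drawn uniformly and independently from the list."""
    return n_words * math.log2(wordlist_size)


def crack_time_seconds(bits, rate=GUESSES_PER_SECOND):
    """Time to exhaust the keyspace at `rate` guesses/second (the comic
    quotes the full keyspace, not the average half of it)."""
    return 2 ** bits / rate


def generate_passphrase(words=SAMPLE_WORDS, n_words=4, separator=" "):
    """Choose n_words with a CSPRNG; repeats are allowed, so each word is an
    independent log2(len(words))-bit draw."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def compare(rate=GUESSES_PER_SECOND):
    """Summarise both schemes: bits and days needed at the given rate."""
    rows = {}
    for name, bits in (("Tr0ub4dor&3 pattern", substitution_password_bits()),
                       ("four random words", passphrase_bits(4))):
        rows[name] = {"bits": bits, "days": crack_time_seconds(bits, rate) / 86400}
    return rows


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:22s} {row['bits']:5.1f} bits  {row['days']:12.1f} days")
    print("example passphrase from the sample list:", generate_passphrase())
```

    The point the numbers make: the pattern-based password costs the attacker about 2^28 guesses (roughly three days at that rate) while four words from a 2048-word list cost 2^44 (several centuries), and the passphrase entropy depends only on list size and word count, not on anyone's cleverness with substitutions.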
  3. Aug 11, 2011 #2
    There goes my password. It was correcthorsebatterystaple. This is the worst thing to happen to me since a quantum computer successfully factored 15 into primes and broke my private key.
     
  4. Aug 11, 2011 #3

    FlexGunship

    Gold Member

    Hah, damn... I just got done changing my 57 passwords to that. Time to change them to something else. I can't have the same password as everyone.
     
  5. Aug 11, 2011 #4

    BobG

    Science Advisor
    Homework Helper

    Instead of memorizing the letters, numbers, etc, it's better to memorize some tune and the dance steps to that tune - except your fingers do the dancing instead of your legs.

    Except that doesn't work for the classified computers at work. Your password can't have any patterns in it. They don't even allow patterns that match legal moves for the Knight in chess or even allow a castling move pattern and they definitely don't allow any of the legal moves in Go or Chinese Checkers. We have a theory that the rules for passwords at work have become so elaborate that there's only one possible password that's allowable and that everyone is actually using the same password, but we can't verify it because we can't ever tell anyone our password.
     
    Last edited: Aug 11, 2011
  6. Aug 11, 2011 #5

    FlexGunship

    Gold Member

    How mindlessly poetic of you.

    My fingers play Dance Dance Revolution on the keyboard when I'm entering my password : "upupdowndownleftrightleftrightBAselectstart."
     
  7. Aug 11, 2011 #6
    At my last job, the rules for passwords were so elaborate that there was no way to remember them. We all just wrote them down and left them on our desks.
     
  8. Aug 11, 2011 #7

    FlexGunship

    Gold Member

    That's my current job. It's absurd.
     
  9. Aug 11, 2011 #8

    BobG

    Science Advisor
    Homework Helper

    My fingers prefer Fred Astaire dancing to "You're All the World to Me" from "Royal Wedding".
     
  10. Aug 11, 2011 #9

    Hurkyl

    Staff Emeritus
    Science Advisor
    Gold Member

    It's not all that hard to memorize a random sequence of 8 characters if you spend a few minutes practicing it. :tongue:
     
  11. Aug 11, 2011 #10

    BobG

    Science Advisor
    Homework Helper

    Your passwords are only 8 characters long?!

    Passwords have to be at least 3 minutes where I work!
     
  12. Aug 11, 2011 #11
    Long ago, you could use special symbols in password fields but that is quickly going away.

    I also used to move my hand position about the keyboard and type passwords.

    Maybe index fingers on G and H instead of F and J, or maybe shift them up or down.
     
  13. Aug 11, 2011 #12
    I failed to mention we had to change them every three months.
     
  14. Aug 11, 2011 #13

    FlexGunship

    Gold Member

    So your passwords are:

    password1
    password2
    password3
    ...
    password[INT((X-1)/3)+1] where "X" is the number of months that you've been employed?
     
  15. Aug 11, 2011 #14

    Mk


    Ah! This xkcd is so excellent.
    Yes! Please always use nonsensical sentences in your passwords! Easy to remember, with the benefit of not being found in any book, and if you stray from grammar, you're protected by another layer for when, in the future, computers will be able to guess sentences and reference books.
     
  16. Aug 11, 2011 #15

    turbo

    Gold Member

    For a time, I worked for an outfit in which the technical director was a clueless martinet, and his rules for formatting and changing passwords were draconian and ill-advised. Yes, we techs had trade-secrets on our computers, but we were in the field 99% of the time and didn't have the luxury of nice hiding places, like a boring book on a shelf in the office in which you could jot your latest password.

    Years later, I became the network administrator for a very large (by Maine standards) ophthalmic practice and I urged people to use strings of words that wouldn't be guessed easily. I have very few hard-and-fast rules, except "don't use the names/birth dates of your children, pets, spouse, etc". Keep the words impersonal. The xkcd is better than my plan, but back then, code-breaking was more a function of informed guessing and "human engineering". Still, you don't want the curious to log in as a supervisor or administrator and find out how much everybody makes, look at personnel records, etc. That alone can be very destructive in an office atmosphere.
     
    Last edited: Aug 11, 2011
  17. Aug 11, 2011 #16

    Hurkyl

    Staff Emeritus
    Science Advisor
    Gold Member

    In any case, before you start using strings of words, you really ought to make sure your system actually considers every character significant. Some systems, for example, only use the first 8 characters, making XKCD's advice rather terrible.
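    Hurkyl's warning is easy to test on an account you control: if a verifier silently drops the tail of the password, a long passphrase buys nothing. The probe below is an added example, not code from the original post. Both backends are constructed stand-ins: a `CredentialStore` built with `significant_chars=8` imitates the traditional 8-character limit of the old Unix DES `crypt()`, one built with `significant_chars=None` uses every character. The class and function names are assumptions for this illustration, not a real library API.

```python
"""Probe whether a password verifier silently ignores part of the input.

Added example, not from the original post. Both backends are constructed
stand-ins: significant_chars=8 imitates the traditional 8-character limit
of the old Unix DES crypt(); significant_chars=None uses every character.
Class and function names are assumptions, not a real library API.
"""
import hashlib
import hmac
import os

ITERATIONS = 10_000   # kept low for the demo; use a far higher count in production


class CredentialStore:
    """One-user store: salted PBKDF2-HMAC-SHA256, constant-time compare."""

    def __init__(self, significant_chars=None):
        self.significant_chars = significant_chars   # None: all characters matter
        self.salt = os.urandom(16)
        self.stored = None

    def _normalise(self, password):
        # The defect being probed: the tail of the password is dropped
        # before hashing, so anything beyond the limit never matters.
        if self.significant_chars is not None:
            return password[: self.significant_chars]
        return password

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", self._normalise(password).encode(),
                                   self.salt, ITERATIONS)

    def set_password(self, password):
        self.stored = self._hash(password)

    def check_password(self, password):
        return hmac.compare_digest(self._hash(password), self.stored)


def find_significant_length(set_password, check_password, max_len=64):
    """Return how many leading characters the verifier really uses, or None
    if every one of the first max_len characters is significant.

    Set a max_len-character probe password (characters cycle through the
    alphabet), then test each proper prefix; the shortest prefix that
    still verifies is the truncation point."""
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    probe = "".join(alphabet[i % len(alphabet)] for i in range(max_len))
    set_password(probe)
    for k in range(1, max_len):
        if check_password(probe[:k]):
            return k
    return None


def tail_ignored(set_password, check_password, password):
    """Single-shot check for an account you control: does the password
    still verify with junk appended? True means the tail is ignored."""
    set_password(password)
    return check_password(password + "ZZZZ")


def demo():
    legacy, modern = CredentialStore(significant_chars=8), CredentialStore()
    return {
        "legacy_limit": find_significant_length(legacy.set_password, legacy.check_password),
        "modern_limit": find_significant_length(modern.set_password, modern.check_password),
        "legacy_tail_ignored": tail_ignored(legacy.set_password, legacy.check_password,
                                            "correcthorsebatterystaple"),
        "modern_tail_ignored": tail_ignored(modern.set_password, modern.check_password,
                                            "correcthorsebatterystaple"),
    }


if __name__ == "__main__":
    print(demo())
```

    Against the truncating store, "correcthorsebatterystaple" and "correcth" are the same password; the single-shot `tail_ignored` check is the one to run on a real system where you cannot inspect the hashing code.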
     
  18. Aug 11, 2011 #17

    turbo

    Gold Member

    During my tenure then, we bought all the equipment from a recently failed ophthalmic practice, and the bank that foreclosed (the doctor went bankrupt from malpractice suits) wanted help breaking the master password on the practice-management software so they could try to recover some of the outstanding receivables. I looked in the most obvious places for jotted passwords, then told the bank reps to strip all certificates, etc, off the walls and bring them to me while I continued to hunt.

    I had no luck searching the main office, but one of the certificates had the doctor's birth date on it. I formatted it in the MMDDYY numeric format, and punched that date in, in reverse order. BINGO! The bank reps got pretty fired up, and asked what else I needed. I told them to go to Staples and buy a new printer ribbon for that dot-matrix printer, and a couple of cases of tractor-feed paper. I got them started, showed them how to pause printing and re-start and they got a complete paper record of the practice's receivables.
     
    Last edited: Aug 11, 2011
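    The guess in the post above (a birth date as MMDDYY, typed backwards) is one of a small, enumerable set, and the same enumeration serves a password policy that wants to reject such choices. This is an added example, not code from the original post: it generalises that one guess to the common date layouts, separators and the reversed form, then shows both the attacker's loop and the defender's check. The sample date and the target verifier are constructed, and the layout table is an assumption about what is worth trying first.

```python
"""Candidates an attacker (or a password-policy check) derives from a
known date.

Added example, not from the original post. It generalises the single
guess described in the thread (birth date as MMDDYY, typed backwards) to
common layouts, separators and the reversed form. The sample date and the
target verifier are constructed; the layout table is an assumption.
"""
from datetime import date

LAYOUTS = {
    "MMDDYY": ("%m", "%d", "%y"),
    "DDMMYY": ("%d", "%m", "%y"),
    "YYMMDD": ("%y", "%m", "%d"),
    "MMDDYYYY": ("%m", "%d", "%Y"),
    "DDMMYYYY": ("%d", "%m", "%Y"),
    "YYYYMMDD": ("%Y", "%m", "%d"),
}
SEPARATORS = {"": "nosep", "/": "slash", "-": "dash", ".": "dot"}


def date_candidates(d):
    """Return a de-duplicated list of (label, candidate) pairs for date d:
    every layout, with every separator, forwards and character-reversed."""
    seen, out = set(), []
    for layout, parts in LAYOUTS.items():
        for sep, sep_name in SEPARATORS.items():
            forward = sep.join(d.strftime(p) for p in parts)
            for label, cand in ((f"{layout} {sep_name}", forward),
                                (f"{layout} {sep_name} reversed", forward[::-1])):
                if cand not in seen:
                    seen.add(cand)
                    out.append((label, cand))
    return out


def find_match(d, check):
    """Offensive use: try every candidate against check(candidate) -> bool
    and return the (label, candidate) that succeeds, or None."""
    for label, cand in date_candidates(d):
        if check(cand):
            return label, cand
    return None


def is_date_derived(password, known_dates):
    """Defensive use: reject a new password that equals any date-derived
    candidate for the user's known dates (birthdays, anniversaries, ...)."""
    return any(password == cand
               for d in known_dates for _, cand in date_candidates(d))


def demo():
    birthday = date(1957, 3, 14)     # constructed sample date
    target = "754130"                # MMDDYY "031457" typed backwards
    return {
        "count": len(date_candidates(birthday)),
        "match": find_match(birthday, lambda c: c == target),
        "rejects_date": is_date_derived(target, [birthday]),
        "rejects_passphrase": is_date_derived("correcthorsebatterystaple", [birthday]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Six layouts, four separators and a reversed variant give only 48 candidates for a date, which is why "don't use birthdays" is a hard rule rather than a preference: once the date is public (a certificate on the wall, a social-media profile), the search is a few dozen guesses, not a keyspace.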
  19. Aug 11, 2011 #18
    Does anyone know if the 10-20 most common passwords have changed much over the last 10 years? I would think password1 is probably still one of the most common, right?

    http://en.wikipedia.org/wiki/Password

    I like the one about hotmail banning the pw 123456 heh.
     
  20. Aug 11, 2011 #19

    dlgoff

    Science Advisor
    Gold Member

    What if you have three? At my last job (Gov), one to get the desktop operating system to boot, one to get onto the LAN, then one to get onto the Gov network. Oh, and one for their mail. And every 30 days we were prompted to change them. What made it bad was that the prompts were not in sync.
     
  21. Aug 12, 2011 #20

    FlexGunship

    Gold Member

    No joke:
    • Local admin login - laptop
    • Local admin login - desktop
    • Network login
    • Mail login
    • Remote support login (different for every site)
    • VPN login
    • My company's FTP site login
    • Siemens' FTP login
    • Siemens' SiePro login
    • Simotion controller FTP login (different for every site)
    • Simotion IT diagnostics login (different for every site)
    • Legacy modem connection login (different for every site)
    • TestTrack Pro login
    • VSS login

    Yup; those are real. I keep my passwords in my KeyPass program on my phone in an encrypted file to which the password is "password."
     