Ask Slashdot: How Do You Create A Highly-Secure Password? (securitymagazine.com) 637

An anonymous reader writes: A security lab at Carnegie Mellon performed a study on password security recently, and issued a warning about common user misconceptions. For example, 'ieatkale88' would require 4 billion more guesses than 'iloveyou', because 'iloveyou' is one of the most common strings in passwords. And the word 'pAsswOrd' would take 4,000 times more guesses than 'p@ssw0rd', simply because "In modern day password-cracking tools, replacing letters with numbers or symbols is predictable."

But then what passwords are secure in the face of these modern password-cracking tools? As professionals in the IT industry, what advice would you give?

Leave your answers in the comments. How do you create a highly-secure password?
  • Generators (Score:4, Informative)

    by Anonymous Coward on Sunday June 05, 2016 @08:33PM (#52256435)

    https://www.random.org/passwords/

    With a length of at least 10, preferably 20 or more.

    • by Anonymous Coward on Sunday June 05, 2016 @09:13PM (#52256649)

      Everyone knows that hunter2 is the best password

      • Re:Generators (Score:5, Informative)

        by FatdogHaiku ( 978357 ) on Sunday June 05, 2016 @09:57PM (#52256821)
        No, it's correcthorsebatterystaple...
        https://xkcd.com/936/ [xkcd.com]
        No one would ever guess that.
    • Re:Generators (Score:5, Insightful)

      by Anonymous Coward on Sunday June 05, 2016 @09:58PM (#52256827)

      Being strictly paranoid, how can I be sure that all passwords generated on the above site are not logged and added to lists checked by password crackers?

    • Re:Generators (Score:5, Insightful)

      by marcansoft ( 727665 ) <hector@marcanso[ ]com ['ft.' in gap]> on Monday June 06, 2016 @01:13AM (#52257435) Homepage

      Length doesn't matter. What matters is that you use a unique password for everything.

      Using a unique password for everything is impractical without making your passwords random (for a secure definition of unique, i.e. you can't guess one password given another one). But once you make them random, it doesn't matter how long they are as long as they're at least 6 (if fully random), preferably 8 (if constrained) characters or so.

      Why? Because your password doesn't have to withstand an offline brute-force attack. It has to withstand an online, over-the-network brute-force attack. If the attacker gets your password hash such that they can use an offline attack, they have already broken into that service and have all your data anyway. And, since you use different password everywhere, cracking your password on that service gets them nothing.

      Passphrases used to directly generate or wrap encryption keys are the exception to this, of course. Those had better be long.

      Me? I use a pwgen-generated password on all sites/services, with the defaults (8 characters, pronounceable), and write them down in an encrypted password file. It's great, because I end up easily remembering the ones I use often, and the rest I look up as I need them. Can you crack those offline? Absolutely. But I couldn't care less; if you already have the hash, there's nothing more you get by cracking it.

      • by bigdavex ( 155746 ) on Monday June 06, 2016 @01:36PM (#52261043)

        Length doesn't matter

        Right, password girth is the key.

    • oh, wait, you said how do "I" create a secure password. never mind. I just use CowboyNeal's.
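The paranoia in this thread about a web generator logging its output is easy to answer by generating locally from the OS CSPRNG. The following is an added example, not code from random.org or any commenter, showing both styles discussed here (random characters and an xkcd-style word passphrase) with the entropy each one carries, plus a rejection-sampling loop for sites whose "helpful strength monitors" demand particular character classes. The 16-word list is a constructed stand-in for a real Diceware list of 7776 words; the entropy function takes the list size as input, so the small list only lowers the number.

```python
import math
import secrets
import string

# 94 printable ASCII characters (letters, digits, punctuation); no space.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a Diceware-style list; a real one has 7776 entries.
WORDLIST = ["correct", "horse", "battery", "staple", "kale", "teamster",
            "sludge", "helmet", "cud", "lime", "pane", "wagon", "jolt",
            "froth", "zest", "glory"]


def random_password(length=20, alphabet=PRINTABLE):
    """Uniformly random password from the OS CSPRNG (never `random.choice`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=6, wordlist=WORDLIST, sep=" "):
    """Words drawn uniformly and independently; entropy comes from the draw,
    not from how memorable or unusual the words look."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices, positions):
    """log2 of the number of equally likely outputs the generator can emit."""
    return positions * math.log2(choices)


def satisfies(policy, pw):
    """A typical site composition rule: length plus one of each class."""
    return (len(pw) >= policy["min_len"]
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def password_for_policy(policy, alphabet=PRINTABLE, tries=1000):
    """Redraw until the site's checker accepts the password. Hand-editing a
    rejected password biases it; rejection sampling keeps the draw uniform
    over the accepted strings."""
    for _ in range(tries):
        pw = random_password(policy["min_len"], alphabet)
        if satisfies(policy, pw):
            return pw
    raise RuntimeError("policy cannot be met from this alphabet")
```

For comparison, 20 characters from the 94-symbol alphabet give about 131 bits, four words from a real 7776-word list about 52 bits, and eight characters from the 94-symbol alphabet about 52.6 bits; the two schemes in the xkcd comic are close to equal in entropy, the passphrase just being easier to remember.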

  • Password Generator (Score:5, Insightful)

    by CastrTroy ( 595695 ) on Sunday June 05, 2016 @08:34PM (#52256443) Homepage

    20 character random password generated by KeePass. I have a fairly long 20+ character master password for my password file. Generate a new password for every site in case of a breach. Use 2-Factor authentication wherever possible, especially your email address, as this is basically a master key to all your other accounts due to the password reset feature.

    • by tepples ( 727027 )

      Use 2-Factor authentication wherever possible, especially your email address

      What's a good way to do that in countries where it is common practice for cellular carriers to charge per received text message?

      • just pay for the text message? set up an authentication company and negotiate with the carrier to bring sms rates down for auth messages? just use a second website (or even an email) to re-authenticate?

        • by tepples ( 727027 )

          just pay for the text message?

          That can cost hundreds of dollars per year.

          just use a second website (or even an email) to re-authenticate?

          The context was authenticating to email.

    • by thegarbz ( 1787294 ) on Monday June 06, 2016 @02:36AM (#52257635)

      Dear god!

      How about use a common easy password for things you don't give a shit about, use a more complicated password for things you do, and reserve your super complicated passwords for things like your banking / email.

      We're slowly getting to the stage where a typical day will be spent managing passwords rather than accessing content with them.

    • by jafiwam ( 310805 )

      20 character random password generated by KeePass. I have a fairly long 20+ character master password for my password file. Generate a new password for every site in case of a breach. Use 2-Factor authentication wherever possible, especially your email address, as this is basically a master key to all your other accounts due to the password reset feature.

      Why bother? Just make it 20 characters you make up.

      Because, you are going to run into "helpful password strength monitors" that want "at least one capital, one lower case, one number and one punctuation character". But which ALSO have a bunch of non-stated rules like "must not have three of the same characters in a row" and "must not begin with punctuation or ";" " and so on.... and you'll still have to search your generated password to remove or change it to suit the dumb JavaScript applet. Or worse, "

  • & d0n't repe@t
  • GUID (Score:5, Insightful)

    by Frosty Piss ( 770223 ) * on Sunday June 05, 2016 @08:35PM (#52256457)

    All of my passwords are 32 char random strings using all the available chars.

    The only drawback is that I have to write them down on a yellow sticky.

    Fortunately, none of the hackers have physical access to my collection of yellow stickies...

  • Easy. (Score:5, Informative)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Sunday June 05, 2016 @08:35PM (#52256461)

    #1. No password re-use. Ever.

    #2. Not formulaic.

    #3. Not in a dictionary list.

    #4. Long. I prefer 32 characters long.

    • Re:Easy. (Score:5, Insightful)

      by khasim ( 1285 ) <brandioch.conner@gmail.com> on Sunday June 05, 2016 @08:44PM (#52256527)

      #1. But I can't remember all those passwords.
        - use a password manager

      #2. But I like the formula I use. It's my name + the website name.
        - no. Just use a password manager

      #3. How will I know that my password isn't in a dictionary list?
        - use a password manager and have it generate random passwords

      #4. But I cannot remember long passwords.
        - use a password manager

      Also, "ieatkale88" can now be cracked in the same number of tries as "iloveyou" or "pAsswOrd" because they are now all added to common dictionaries.

      Once you publish your "secure" password someone will add it to a dictionary.

      http://arstechnica.com/security/2016/06/how-linkedins-password-sloppiness-hurts-us-all/ [arstechnica.com]

      • Re:Easy. (Score:5, Insightful)

        by bloodhawk ( 813939 ) on Monday June 06, 2016 @12:08AM (#52257285)
        Unless you run your password manager on a non internet connected stand alone machine I would say this is pretty bad advice for the majority of users. Most users simply don't have the security awareness or safe computer use habits to make a password manager secure; with drive by exploits and malware infesting everything these days, putting all your eggs in one basket would be tantamount to internet suicide for many people.
        • Re:Easy. (Score:4, Insightful)

          by AmiMoJo ( 196126 ) <.mojo. .at. .world3.net.> on Monday June 06, 2016 @06:36AM (#52258227) Homepage Journal

          A password manager is the best advice for most people, because the risk of it being compromised is much smaller than the risk of them using poor passwords if they don't have one.

          To get at the password manager, drive-by malware has to defeat the browser security, then defeat the OS security, and then defeat the password manager's security. That is assuming that the password manager happens to be open and the database decrypted at the time, if not then stealing that file still requires the cracker to find the master password.

          On the other hand, major and minor web sites alike regularly leak user data and passwords. Realistically users are too lazy to come up with really good passwords for every site, or to remember them, or to look through their password book for them. And if malware does get onto their computer, there are easier targets like cookies for sites they are currently logged in to and account numbers stored in documents and spreadsheets, which typically are not encrypted.

          I think you also vastly over-estimate the level of malware infestation. Chrome, the most popular browser, is actually extremely secure and so is Windows now. That's why malware has changed from mostly exploit based to mostly trojan based.

    • by mark-t ( 151149 )
      With regards to point #2, does it matter if it is formulaic if not only does nobody else know the formula you use, but the formula cannot be reverse engineered from the password, almost like a one-way hash? Even a very formulaic password can look random when you don't know the formula.
      • Re:Easy. (Score:5, Informative)

        by khasim ( 1285 ) <brandioch.conner@gmail.com> on Sunday June 05, 2016 @09:17PM (#52256663)

        Yeah, it matters. Unless you really are using a hash function you probably aren't as unique as you believe.

        Remember, the crackers have hundreds of millions of passwords to dig through to find patterns.

        Check haveibeenpwned.com to see if your email address has already been compromised. And if so, at how many sites.

      • by vux984 ( 928602 )

        I've been struggling with this for ages.

        And the answer is yes it does matter; even if we assumed it's not reverse engineerable.

        1) You WILL run into situations that require passwords that reject your formula. Your formula has a digit ... they don't allow a digit. Or your formula is too long, or too short, or needs a capital letter, or can't contain a fraction of your user name or whatever.

        2) You WILL run into situations that require password rotation. And some will be smart enough to reject last months pass

    • Re:Easy. (Score:5, Insightful)

      by Tom ( 822 ) on Monday June 06, 2016 @01:56AM (#52257517) Homepage Journal

      #1. No password re-use. Ever.

      user-hostile

      #2. Not formulaic.

      memory-hostile (the mind loves patterns)

      #3. Not in a dictionary list.

      memory-hostile (the mind recalls the known better than the unfamiliar)

      #4. Long. I prefer 32 characters long.

      user-hostile

      Thank you for explaining in just four points why normal users think that security dudes are assholes and sabotage the rules made by them wherever they can.

  • Using a very long passphrase rather than a password is the safest thing. How is anyone going to crack "Mydogateachickenandnowisi$ickwiththegout". It is very easy to remember. You have to make sure the app/OS uses the whole thing, not just silently truncates it.
    • I would never remember the extra "I" before the $...

    • Using a very long passphrase rather than a password is the safest thing. How is anyone going to crack "Mydogateachickenandnowisi$ickwiththegout". It is very easy to remember. You have to make sure the app/OS uses the whole thing, not just silently truncates it.

      Even if an application or OS doesn't support long passphrases, you can still use an abbreviated passphrase. The common one is the first letter of each word in your passphrase but there is no reason that you can't use the 2nd letter, the last letter, or some memorized sequence like "first-last-second". Using your passphrase above: "My dog ate a chicken and now is $ick with the gout" and "first-last-second", your passphrase becomes: "Mgtannnsiweo" Throw in a few number and symbols and uppercase letters

  • I like to use the 1st letters of song lyrics and other phrases that are easy to remember.

    For instance, the wireless password for my home is "luitsiabiapis". Which is an acronym of "look, up in the sky... it's a bird, it's a plane, it's superman".

    Take any song lyric that you like and that matches the format. The genealogy website login might be "iodagos", which is "in olden days a glimpse of stocking".

    I have pretty-much no problem remembering my passwords.

  • I use or make up a phrase that I can remember and use the first or last letters in each word for the password.
    example not in use :

    This is my #1 bank password phrase choice.

    Tim#1bppc. or ssy#1kdee.

  • by suupaabaka ( 854944 ) on Sunday June 05, 2016 @08:40PM (#52256497)

    xkcd covered this a while ago. [xkcd.com]

    I use this now. Not the actual passphrase, but the principle.

    • The only problem being sites that don't support passwords over X amount of characters. They suck.

  • https://sqlite.org/random-pass... [sqlite.org] shows example output with a link to the source code.
  • SHA256. (Score:5, Interesting)

    by 0100010001010011 ( 652467 ) on Sunday June 05, 2016 @08:42PM (#52256509)

    echo -n "<mypassword>|<username>+example.org" | sha256sum | cut -c1-20

    Need to change all my passwords? Change the cut or my password.

    • Go truly random:

      head -c 80 /dev/random | base64

      Grab a random sequence of characters that you think you can type reliably.

      • by PPH ( 736903 )

        The down side to this (compared to the simple string | sha256sum | cut) is that I can't reproduce it if I forget it. I can remember my simple string and cut points.

          That's exactly why I use it. I don't need a password keeper, I can just make my password on any device that can do a hash. If it comes to it I could do it by hand.

          It's unique to both every site and every username I use at the site. And I can use the full hash if a site will allow it.

          Even if it gets leaked as plain text it'll never work for another site short of someone cracking sha256. If you want to protect against rainbow tables switch to a different delimiter to add entropy.

          Just changing the "-n"
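The deterministic scheme in this thread does what its author wants for the cross-site case: a leaked site password never works anywhere else. The part worth checking as a practitioner is the other direction. An attacker who obtains one plaintext site password (or cracks the site's hash) and knows the username, the site and the recipe can test master-password guesses at raw SHA-256 speed, because a single hash has no per-guess cost; the site name already acts as a salt against precomputed tables, so changing the delimiter buys nothing there. The following is an added example, not the commenter's code: it reproduces the recipe from the comment, runs the offline guess against it with a constructed candidate list (an assumption standing in for a cracker's wordlist), and shows the same recipe with an iterated KDF so each guess costs the attacker the same work it costs the user.

```python
import hashlib
import hmac


def site_password_sha256(master, username, site, length=20):
    """The recipe from the comment: SHA-256 over "<master>|<username>+<site>",
    hex encoded, truncated to `length` characters."""
    data = f"{master}|{username}+{site}".encode("utf-8")
    return hashlib.sha256(data).hexdigest()[:length]


def site_password_pbkdf2(master, username, site, length=20, iterations=200_000):
    """Same inputs and output shape, but each guess now costs `iterations`
    HMAC-SHA-256 computations. username+site is the salt, so it stays
    unique per account without the user remembering anything extra."""
    salt = f"{username}+{site}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations)
    return key.hex()[:length]


# Constructed candidate list standing in for a cracker's wordlist (assumption).
CANDIDATES = ["hunter2", "iloveyou", "password", "letmein",
              "correcthorsebatterystaple", "Tr0ub4dor&3", "kale88!Fn"]


def recover_master(leaked, username, site, derive, candidates=CANDIDATES):
    """Offline attack: the attacker knows username, site and the recipe, and
    holds one plaintext site password from a breach. Returns the master and
    the number of guesses it took, or None if the wordlist misses."""
    for n, guess in enumerate(candidates, 1):
        if hmac.compare_digest(derive(guess, username, site), leaked):
            return guess, n
    return None
```

Against the SHA-256 recipe the master falls on the sixth guess; the PBKDF2 variant is recovered by exactly the same loop, only each guess costs 200,000 hash computations instead of one. The recipe's safety therefore rests entirely on the master password being outside any wordlist, which is the same condition a single reused password has to meet, just with the attacker's per-guess cost controlled by the KDF rather than by the breached site.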

  • by manu0601 ( 2221348 ) on Sunday June 05, 2016 @08:42PM (#52256511)

    Use a sentence. This is easier to remember and way much longer than random-characters. For improved security against dictionary attacks, you can add typos.

    Example: "Little pyg, little pig, let me in!"

  • morse code (Score:5, Funny)

    by Anonymous Coward on Sunday June 05, 2016 @08:47PM (#52256539)

    It's simple. I come up with a short word. Then I translate the word into morse code, with SHIT as the dot and FUCK as the dash. For example, HORSE becomes SHITSHITSHITSHITFUCKFUCKFUCKSHITFUCKSHITSHITSHITSHITSHIT. That's actually a very strong password.

  • In addition to using a random string generator (easy enough to find on-line), add accented characters.

    • by DES ( 13846 ) *

      Don't use accented characters, or anything outside ASCII. You don't know how they will be encoded and transmitted.

      (And don't say “UTF-8”, because a *shitload* of software still doesn't handle character encodings correctly. You can rely on your browser to do so, and maybe on the site's HTTP server, but you have no idea what sort of yahoo wrote the backend.)
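The encoding problem above is concrete enough to show: one password that looks identical on screen can reach the server as several different byte strings depending on the client's Unicode normalisation form and the transport charset, and a password hash is computed over bytes. The following is an added example, not DES's or anyone else's code from this page, that enumerates the distinct byte strings and hashes a single password can produce; "café" is a constructed sample input.

```python
import hashlib
import unicodedata


def encodings_of(password):
    """Distinct byte strings the same on-screen password can arrive as.
    NFC and NFD are the two normalisation forms a client might send
    (U+00E9 versus 'e' + U+0301); utf-8, latin-1 and cp1252 are the
    charsets a careless backend might assume."""
    forms = {unicodedata.normalize(form, password) for form in ("NFC", "NFD")}
    out = set()
    for text in forms:
        for charset in ("utf-8", "latin-1", "cp1252"):
            try:
                out.add(text.encode(charset))
            except UnicodeEncodeError:
                # The charset cannot carry this character at all, so a form
                # in that charset would have mangled it before submission.
                pass
    return out


def distinct_hashes(password):
    """Each distinct encoding yields a different stored hash, so the user
    can only log in from clients that happen to agree with the one used
    at enrolment."""
    return {hashlib.sha256(b).hexdigest() for b in encodings_of(password)}
```

For ASCII-only input every path yields the same bytes and one hash; for "café" three distinct hashes come out, which is exactly the class of failure the comment warns about. A server that wants to accept non-ASCII passwords should normalise to one form (NFC, say) and decode as UTF-8 before hashing, and do the same on every login path.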

  • Apply something specific to you - such as the first 3 letters of 4 pets you have / grew up with. Take "Rufus, Hobbs, Chipper, Stinky" and turn it into "RufHobChiSti". Or how about the different street names you have to walk along to go from home to school. Lots of combinations are possible, the point is to figure out something you can remember. In order to remember it has to have some personal meaning otherwise you would just use random numbers.

    What I do is I have a common password which is then twea

  • by mark_reh ( 2015546 ) on Sunday June 05, 2016 @09:02PM (#52256591) Journal

    The thing I don't understand is the variation in password acceptability from one site to another. Some sites don't allow special characters, or only certain ones, some limit passwords to 12 characters, some 16, etc. Why on earth are there any limits to usable characters and why are any limited to less than 64 characters?

  • by Pauldow ( 1860502 ) on Sunday June 05, 2016 @09:10PM (#52256623)

    I use eight asterisks as my password so I can see it when I'm typing it in.

  • A bit of an essay... (Score:5, Informative)

    by Sarten-X ( 1102295 ) on Sunday June 05, 2016 @09:12PM (#52256635) Homepage

    In an offline cracking scenario, the number of possibilities is what counts, not which possibility you used. That means users should have the option of simple or short passwords, but should use long ones. For ease of use (more on this later), a passphrase of several words and punctuation is appropriate. Don't mandate the use or exclusion of any particular symbols, because that reduces the search space, and similarly reduces the time to break the password. In a famous example [xkcd.com], "correct horse battery staple" is far more resistant to brute-force attacks than something complex like "Tr0ub4dor&3".

    In an online cracking scenario, uniqueness is what counts. If an attacker has harvested your password from one location, they will try to use it to access another. Make sure every password you use is unique. Dumb tricks like appending the site name to a common password are easily caught by attackers, so they don't improve security much. The best way to mitigate the risk of an online attack, then, is use a trusted password manager to create and store your passwords, so every location has a long unique password. This is the approach I use, and most of my passwords are 24+ characters, randomly generated, and all unique.

    For universal access, I keep my password manager's encrypted database files in a cloud storage service that my phone can access. Even if that storage is compromised and my file is stolen, it's useless without my master password, which is of course different from every other password for any other purpose.

    If you're ever designing a system to handle authentication, the best solution is to not do it. Thanks to standards like OpenID and OAuth, you can connect your services to someone else's authentication, because they're far more likely to handle it correctly.

    If you must do your own authentication, use sane policies. Require long (10+ characters) passwords, but don't force numbers or symbols. Requiring a number in a password cuts the password's resistance to brute-forcing by about half (very roughly speaking, and noted in TFS). Make sure nothing in your application interferes with the use of password managers, which often use the system clipboard to copy/paste passwords. To improve user experience, avoid asking for the password at all, instead using an expiring authentication token to reinstate a previous session. The less often a user has to type their password, the less averse they'll be to having a long and secure one.

    On the back end, if you must store passwords, make sure they are hashed using a modern secure algorithm (AES-256, SHA-2 or SHA-3) and salted, and do that as soon as possible in your back-end processes. No, your users do not need a way to recover their old passwords. They need a way to reset their password to a new value, and that should only happen by using two separate forms of ID (like a phone call to customer support verbally confirming security questions and an email to the address on file). Those security questions should also be as unrestricted as passwords. Allowing the user to enter open-ended prompts allows them to use prompts that are only meaningful to them, and are thus much more difficult to find an answer to on social media.

    Above all else, do not take advice from others, including me and this post, without understanding the reasoning behind it. Computer security is steeped in several decades of little more than superstition, relying on "common knowledge" that often turns out to be incorrect. It may start out well-intentioned, but the implementation is usually missing a key detail, undermining the security of the whole system.
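Two of the design points in the essay above are worth seeing in code: how a password should be stored on the back end, and what a "require a digit" rule actually does to the search space. The following is an added example, not Sarten-X's code, and it uses PBKDF2 from the Python standard library as the salted, iterated hash (scrypt or Argon2 are better choices where available; the structure is the same). The iteration count, record format and the 95-symbol alphabet used in the arithmetic are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

# Tune so one hash takes on the order of 100 ms on the server; it is stored
# in the record so it can be raised later without invalidating old hashes.
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS):
    """Per-user random salt plus an iterated hash, in a self-describing record.
    A bare fast hash such as SHA-2 defeats precomputed tables only when
    salted; the iteration count is what makes each offline guess expensive."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and cost, compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash record")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def acceptable(password, min_len=10):
    """Length only: no composition rules, and no upper bound that would
    break password managers or long passphrases."""
    return len(password) >= min_len


def search_space(length, alphabet=95, required_class=10):
    """(total, remaining): how many passwords of `length` over `alphabet`
    symbols exist, and how many remain once at least one symbol from a
    `required_class`-sized subset (the ten digits) is mandatory. The
    mandatory symbol removes every password that avoids the class."""
    total = alphabet ** length
    remaining = total - (alphabet - required_class) ** length
    return total, remaining
```

Requiring a digit in a 6-character password over the 95 printable ASCII symbols leaves about 49% of the space, which is where the essay's "about half" comes from; at 10 characters the rule still removes about a third of the space. The rule never adds candidates, it only tells the attacker which ones to skip.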

  • by DaEMoN128 ( 694605 ) on Sunday June 05, 2016 @09:12PM (#52256637)

    The longer the password req, the harder it is for normal users to remember them. I keep a 30 ish character password for my real accounts. I see folks having trouble with 14 characters.. writing down hints, doing keyboard runs, reusing passwords all over the place. How about we stop using 1 factor authentication (something you know, 2x in normal logins) and kick it up to 2 or 3.. Say go to a smart card with identity certs on them and a pin, or a token, pin, biometric combo?

  • Perhaps include the house number or phone number of a place where you lived years ago, or a scrambled version of an imaginary name you had for yourself, or a candy brand that is no longer made? The older you are, and the more secretive, the more material you might have to work with.

  • String together a couple of the 'play online' codes from McDonalds monopoly game pieces. Random numbers and letters, just capitalize at your discretion. You can even keep them in your wallet for reference without much risk of giving away your password, because everyone has a few of the damn things floating around for months after the promotion ends.
  • I delegate creating passwords to PasswordSafe. The current standard policy is 15 characters, requires at least 2 lowercase letters, 1 uppercase letter, at least 1 symbol. The password database is backed up and available to my devices via a server I control. I've been steadily increasing the password length as hardware improves.

  • e4kss$$%Jjsov..>32\][[wDGAPz0.qpaWW=-nveke

    That would be a shocking secure password... but it isn't something you can remember, or type easily.

    A password manager works, but now you have moved the vulnerability to a new place.

  • If you don't mind a slightly longer password, lyrics to a song are a good way to go. Best choose something a bit more obscure.
  • ...on how big the rainbow tables have gotten.

    Also, regardless of the low-sodium health push these days, it would be nice if more vendors used a little salt.

    I mean, it's not like that's a new concept or anything...

  • Poetry (Score:4, Interesting)

    by Space cowboy ( 13680 ) on Sunday June 05, 2016 @09:44PM (#52256777) Journal

    So one of the (at the time) drawbacks of my UK education was that we had to learn poems off by heart for the English Lit. exam. At the time I thought it was just about the most boring part of the curriculum, but now they're a treasure trove of password sources...

    Example (no, I don't use this one). One of the poems we had to learn was "Dulce Et Decorum Est"...


    Bent double, like old beggars under sacks,
    Knock-kneed, coughing like hags, we cursed through sludge,
    Till on the haunting flares we turned our backs
    And towards our distant rest began to trudge.
    Men marched asleep. Many had lost their boots
    But limped on, blood-shod. All went lame; all blind;
    Drunk with fatigue; deaf even to the hoots
    Of tired, outstripped Five-Nines that dropped behind.
    Gas! Gas! Quick, boys! – An ecstasy of fumbling,
    Fitting the clumsy helmets just in time;
    But someone still was yelling out and stumbling,
    And flound'ring like a man in fire or lime . . .
    Dim, through the misty panes and thick green light,
    As under a green sea, I saw him drowning.
    In all my dreams, before my helpless sight,
    He plunges at me, guttering, choking, drowning.
    If in some smothering dreams you too could pace
    Behind the wagon that we flung him in,
    And watch the white eyes writhing in his face,
    His hanging face, like a devil's sick of sin;
    If you could hear, at every jolt, the blood
    Come gargling from the froth-corrupted lungs,
    Obscene as cancer, bitter as the cud
    Of vile, incurable sores on innocent tongues,
    My friend, you would not tell with such high zest
    To children ardent for some desperate glory,
    The old Lie; Dulce et Decorum est
    Pro patria mori.

    "The old lie" being "It is a great and glorious thing to die in the service of one's country". Anyway, take the N'th character of every line - easiest is the first, until you get the number of characters you need. It's easy to remember if you know the poem, it gives you a completely unintelligible password, and it's easy to make a password hint that's opaque to pretty much everyone but you.

    Has worked for me for ages. (I'm very old, compared to you young whippersnappers hanging around /. recently).

    Simon

  • If I left my answer of how then it would not be a highly secure mechanism anymore. However for my moderately security sensitive passwords I usually use a pass phrase combined with capitals, numbers and non alpha numeric characters. e.g. Security thru Obscurity could become "5eCur!tythru0bsCur!ty", incredibly easy to remember and incredibly difficult to brute force or guess
    • PS: the important rule with pass phrases is DON'T use something common. pick something that has some meaning to you and combine it with some rules about when to substitute letters/numbers/symbols. It isn't hard to come up with something that is easy to remember while being highly unpredictable.
  • ~ $ pwgen -y -s 20
  • There are many ways to make a password. Use your imagination. Also note that a lock-out policy on failed attempts means more than ANY fucking password. It is usually built into the system...USE IT!!!
  • head -c 20 /dev/urandom | uuencode -

    Replace 20 with whatever you desire, and if you're misinformed or paranoid, use /dev/random instead of /dev/urandom.
    • If you want "regular characters", use a longer string with base 64 encoding:

      head -c 30 /dev/urandom | uuencode -m -

      Put it in your wallet, and use it until it is memorized. This may take months, but once you have it memorized, you can use it to encrypt more passwords for years to come.
  • by clovis ( 4684 ) on Sunday June 05, 2016 @10:11PM (#52256867)

    What I find is the hardest part about changing passwords is getting my kids and dog to accept their new names.

  • I use a password manager and try to make passwords as long as the app or site will allow me.
    The bitch is, a lot of sites and apps artificially limit password length at around 10 characters.

  • 1. Have my password vault spew out (hopefully) random noise made up of uppercase, lowercase, numbers and special characters and use that.

    2. Just randomly swipe a finger across, up and down and diagonally across my keyboard, hitting this and that and that other thing, while being in my password vault's password field for whatever it is I'm creating.

    3. A phrase from a book or film, further obfuscated in some way.

    The idea is, however, that no two logins share a password. I don't even know my passwords, I'm

  • For all your passwords, use a password manager. Have the manager make 20+ character passwords. Make them different for each site.

    The basic requirements are (1) Runs on your phone, PC and Mac. (2) Can use a shared password file on a network drive like dropbox or Google Drive. and (3) isn't a pain to use.

    I get by with KeePass2. It has clients that support the file format on all the platforms (E.G. I use KylePass on MacOS).

  • The Bigger Question (Score:5, Interesting)

    by ytene ( 4376651 ) on Monday June 06, 2016 @12:35AM (#52257357)
    Is there a more interesting question to ask here?

    Have we reached the point where the concept of the password itself is no longer either appropriate, or adequately secure? For example, should we be recommending use of multi-factor and/or multi-channel solutions?

    A useful question to ask is, "Where do you have to place your trust?" For example, many respondents to this thread recommend using a password manager. OK, but how many of those people are aware of the emergence of specific threats targeting password managers, or that some solutions have been found to be insecure? How many people come to rely more and more heavily on a smartphone or similar personal device - a single object that can give access to web, email and voice authentication vectors - yet which is one of the most heavily-targeted platforms from a threat perspective?

    I am not trying to denigrate the many excellent answers given here, but I wish to point out the risk that we are taking by asking this as a closed question ("How do you create a highly-secure password?") when changing the question slightly (for example, to "What are the most pragmatic and reliable secure authentication mechanisms available?").

    As technology consumers, maybe we should be a bit more demanding about the solutions we are offered. Maybe it would be nice if we had a trustworthy and independent third party that offered a security audit rating system for commonly used service providers, like banks? This alone would drive down a lot of the risk, because to some extent breaches can be facilitated by bad practices on the part of the service providers...

    But other options could consider available variation on the themes of something you have, something you are and something you know. Services should allow us to set our security based on a selection of two or more of that trinity, with a range of options for each... Here's a bad example... Suppose that the fingerprint reader on new Apple iDevices had an exposed API. Then suppose that a web site authentication engine integrated with this, over a secure SSL channel. You go to the site, you tap the option for fingerprint reader, then you put your pinky on the sensor.... What would it take to engineer that securely? In a combination with even the most basic of known passwords, wouldn't that be much more secure?

    Or what about something you have? How many people drive a vehicle with a remote control unlock mechanism? One German manufacturer uses a supposedly very secure rotating key mechanism that never sends the same release code twice... What if we used the same principle and allowed people to connect their car key to their keyboard via Bluetooth, using the same or similar principle to integrate an everyday object like a car key as a "something you have" factor?

    Both of these are spur-of-the-moment suggestions and likely flawed, but I just wanted to push us past the idea that the right solution is still a password. Respectfully, that's still only single-factor and thus still implicitly weak.
  • by Tom ( 822 ) on Monday June 06, 2016 @01:51AM (#52257509) Homepage Journal

    The first thing you need to do is stop listening to statistics someone else faked.

    Of all the various ways in which attackers can gain passwords, only two involve cracking them (brute-force and cracking a password database). One of them should be a non-issue, because any software or service that doesn't protect against brute-force is fundamentally broken and shouldn't be trusted with your password anyway. Make your password "a", save everyone the trouble. For a password database crack, firstly the security of the server already failed, and then you're at their mercy a second time because if the password is stored unencrypted, you're fucked. If the password is stored hashed but not salted, you are pretty much fucked. And if the password is properly hashed and salted, congratulations you have the one scenario where a good password actually matters.

    In all other attacks on your password, from phishing to shoulder-surfing and keyloggers, it doesn't matter how good your password is, how long it is or how complex it is.

    So, if you are really so concerned about the one scenario that you are ready to type V9AnKH5Crpfukuy5gAFB till the end of your days, go to https://www.random.org/passwor... [random.org] and fire it up. Because all the hints you find on making a "good" password are also known to the people writing password crackers and coded into the perturbation algorithms. True randomness is your best bet.

    The one thing that matters, and there's an article about it but I'm too lazy to google it, is length. Length > Complexity. "aaaaaaaaaaaaaaa" is more secure than any variation of 8 characters ever will be, simply because, at least until this post, no password cracker would run the chain like a, aa, aaa, aaaa, ... to arbitrary length.

    IMHO, and I am an expert in the field and have given speeches about password security, forget all the "password complexity" rules, they are all bullshit. They're the safety net that makes sure that "password" is not a legal password on your system. But the world continuously invents better idiots, so "password1!" is and you're fucked anyway.
