The Virtues and Vicissitudes of Passwords

  • Thread starter FactChecker
In summary, the conversation discusses concerns about the security of using Google passwords to unlock a Chromebook and the potential for a serious security flaw. It is suggested to use a unique and hard-to-crack password for Gmail, possibly through the use of a security key fob. Other suggestions include using a passphrase or a pattern on the keyboard. The conversation also touches on the idea of using visual patterns or song lyrics as passwords, and the importance of considering individual security needs for different devices.
  • #1
FactChecker
anorlunda said:
One thing I hated was that I was forced to use my Google password to unlock the Chromebook. That forced me to dumb down my password to something I could easily remember and easily type. IMO, that is a serious security flaw.
All good points, but this about the passwords is the most critical. I think it is horrifying that Chrome uses the same password for gmail as it does for every other Google-owned thing (yahoo, etc.). I want the gmail password to be unique and hard to crack. I guess everyone could have two Google accounts -- one only for gmail and another one for everything else.
Chrome was made with security in mind and is thought to have some good security features. Every time you log in, it checks that the software on your machine has not been modified. It uses sandboxes, etc. Chrome allows the use of a security key fob, which I guess can greatly increase password protection.
 
  • #2
FactChecker said:
I want the gmail password to be unique and hard to crack.
I'll second that. It would seem to be little trouble for Google to allow a separate pw for each service?
FactChecker said:
Chrome allows the use of a security key fob, which I guess can greatly increase password protection.
Maybe that's the answer. Everyone seems to be moving in the direction of decreasing dependence on passwords. Maybe the day when there are no passwords is on the horizon.
 
  • #3
anorlunda said:
One thing I hated was that I was forced to use my Google password to unlock the Chromebook. That forced me to dumb down my password to something I could easily remember and easily type. IMO, that is a serious security flaw.
No need to dumb down your password; use a passphrase, which can be extremely easy to remember.
For example: Trois-Pegase?Frenchfor3flyinghorses!
that's 36 characters, with uppercase used, number used, plus -, ? and !, and words from two languages.
Secure enough for most people.
PS That's not my passphrase, of course.
 
  • #4
DrJohn said:
For example: Trois-Pegase?Frenchfor3flyinghorses!
Good advice. But I unlock my computer maybe a dozen times per day. 8 characters is the upper limit for my tolerance.

On my Windows machine, I just use a 4 digit pin to unlock, and my phone has fingerprint unlock (which works poorly). I view the unlock as only needing minor security. I even set up my sister's computer to have no lock at all because she would never succeed in unlocking it. If I have info requiring more security, it is encrypted.

I think that it is good to think through your security needs and to realize that not everything needs the same level of security.
 
  • #6
anorlunda said:
Good advice. But I unlock my computer maybe a dozen times per day. 8 characters is the upper limit for my tolerance.
Unlock it once, and leave it on. That's what I do.
 
  • #7
anorlunda said:
Good advice. But I unlock my computer maybe a dozen times per day. 8 characters is the upper limit for my tolerance.

On my Windows machine, I just use a 4 digit pin to unlock, and my phone has fingerprint unlock (which works poorly). I view the unlock as only needing minor security. I even set up my sister's computer to have no lock at all because she would never succeed in unlocking it. If I have info requiring more security, it is encrypted.

I think that it is good to think through your security needs and to realize that not everything needs the same level of security.
If your Windows machine has a simple pin does it have better security for the drive? If not, someone can pull the drive and hack it fairly quickly. In fact, if it does not have bitlocker, is the drive protected at all?
 
  • #8
anorlunda said:
Good advice. But I unlock my computer maybe a dozen times per day. 8 characters is the upper limit for my tolerance.
One thing you can do is have visual patterns on the keyboard. For example, what is sw234rfd? It's all the keys surrounding E. Then throw a ringer in the middle and you've got something hard to guess. I am looking forward to more password alternatives though.


Most chromebooks have rather dull screens. And I expect they are even worse for gaming than Macs, which do have a few serious titles.
 
  • #9
Algr said:
One thing you can do is have visual patterns on the keyboard. For example, what is sw234rfd?
Anything with a pattern is a bad password. For example, on Pwned, sw234rfd has been found in 38 data breaches already.

When using a pattern - no matter how smart and unique you think you are - it makes you very predictable.
 
  • #10
The pass-phrase is the best strategy. Decades ago at work, an employee had used a password of "igagik"
which was short for "I got a girl in Kalamazoo" which I thought was quite novel and easy to remember.

But much as he liked Glenn Miller and his song, he could never walk around humming it lest he gave away his password. :-)

The clip also features the Nicholas Brothers, one of the best dance teams of all time. They put many modern dancers to shame.
 
  • #11
jedishrfu said:
The pass-phrase is the best strategy.
I agree, and I have no trouble remembering passwords with 15-20 characters. Pick a phrase or song lyric, add a simple pattern of capitalization, and finally, throw in a simple sequence of numbers and special characters. Then you have a password that is easy to remember and will never be cracked.
 
  • #12
jedishrfu said:
I got a girl in Kalamazoo
I met Tex Beneke when I was a boy. He was very kind to me.

Oh, and Sun Valley Serenade also features Glenn Miller, the Nicholas Brothers, Dorothy Dandridge (who was one of the Mrs. Nicholases) and a young Milton Berle.
 
  • #13
Google has serious problems with privacy and poor accountability when they screw up:
jack action said:
Anything with a pattern is a bad password. For example, on Pwned, sw234rfd has been found in 38 data breaches already.
Any conceivable combination of 8 letters and numbers will have some kind of pattern.
 
  • #14
Algr said:
Any conceivable combination of 8 letters and numbers will have some kind of pattern.
Find a pattern in ANY ONE of these and I'll give you a prize:
Code:
    nS3dQu4u
    CpJSr3qe
    5htvcH4x
    swPuZ3ds
    9Wj8PwA6
    hR5E4UHE
    dycEa8JM
    pKr9Vjpt
    X29Yf7mb
    VewLrgru
    Kr2dhutT
    Ry85EWkv
    NcMNZpus
    QSWYj65Y
    yn6HZYrM
    nv9WmqkT
    d6WATtgy
    WXQBhjBu
    SfFy2yqG
    zmUGTHMF
    VKeCJ8NT
    QKk6eU5p
    MA6H9amh
    NVT4kHzM
    xhmeu76p
    jcKxzh4K
    KyTC864C
    VnE9bbkf
    qADjS4QJ
    qnShtXeg
    fKMwwqms
    WbsujFQE
    YyrGQQKg
    FGXLXgCC
    LdrmTVUn
    TtvUqxPJ
    qbkkuNfN
    mtqeW3Aw
    vTKDwbm6
    kxPuCmtV
    Wjxc2yyx
    XndX8GSJ
    vScVDWZq
    JwCx38Sz
    7UKE9Ca7
    2c4M2FQE
    UK2BnXrc
    ed9NFyyp
    LEQCtDvG
    DdbjuncU
    pAfxaEY5
    6ar2MBd6
    XQn4H8L4
    mEUG8C83
    hG3MQBQA
    vsWVS5qd
    q9ENybf7
    WJnHXQNX
    Pe2ddbfW
    VJFpkbr2
    wJVkP9bj
    9gtmatgA
    jxWVYktg
    P8Q6RtGX
    KPzuwWHb
    JUAM5pSn
    cgMUNFUc
    Gm5j2TRB
    ZRBq4YnQ
    tCCNtkDm
    8pcNsa9q
    f3SPzk63
    zRZAPyes
    2HHgkewb
    j2gYbvxB
    Lurgfmxg
    M3kuQF7E
    z8h3AeDJ
    CgeQz296
    DGUKKBTR
    B6593Kbw
    WV6DHJ8X
    AV8n9GR4
    hkePYJZB
    zTejgsKG
    C5Vtd3bF
    6V9KxtHC
    nbnyCY82
    wQb6vVQm
    sYUQM7rT
    7KupTDur
    fpSFtAqP
    43vmEdpx
    mMPVZq4g
    6S7Su2YH
    TDC9nfQ9
    n8XfkZtV
    YrHJL29k
    AebFVhXy
    sRkQUwTc
 
  • #15
pbuk said:
nS3dQu4u
not So 3d Quit forget you.

pbuk said:
CpJSr3qe
Crap J Senior Sege

pbuk said:
5htvcH4x
Shut venture capital haxor.

pbuk said:
swPuZ3ds
Star Wars puzzles

pbuk said:
9Wj8PwA6
9 weight paws
pbuk said:
hR5E4UHE
Hearse for You! He he he...
pbuk said:
dycEa8JM
____ ate Jim.
pbuk said:
pKr9Vjpt
Pack our 9Volt script
 
  • #16
Algr said:
not So 3d Quit forget you.
Crap J Senior Sege
Shut venture capital haxor.
Star Wars puzzles
9 weight paws
Hearse for You! He he he...
____ ate Jim.
Pack our 9Volt script

We were referring to visual patterns, as you mentioned in post #17:
Algr said:
One thing you can do is have visual patterns on the keyboard. For example, what is sw234rfd?
 
  • #17
jack action said:
We were referring to visual patterns
And why would the attacker know that a given person had used that instead of some other method?

All of these calls for impossibly difficult passwords are based on a false premise: They assume that hackers are getting in by trying out millions of random passwords and finding one that works. But that exploit was solved back in the 1980s. Just don't allow more than one password attempt per IP address per second.

What is really happening here is blame shifting. Hackers get in without needing any password. The IT department is told to "Fix it", so they just make things difficult for legitimate users. When one of them inevitably can't keep up with all the demands, they take the blame for the next fault that they had nothing to do with:

 
  • #18
Just use a passphrase, not tricky to remember random mixes.
Compare dfR4.5"(hjY0
with 7*hamsters8myDOG!
Which is easier to remember, easier to type and has the most characters in it? The passphrase, Seven star hamsters ate my dog! with only a slight disguise to increase the character pool used is so much easier to remember, but hammers a brute force attack. And if you can't remember that phrase after two or three reads, you will definitely struggle with remembering and typing the first shorter one.
No need for hard to remember nonsense-style passwords.
 
  • #19
Algr said:
And why would the attacker know that a given person had used that instead of some other method?

All of these calls for impossibly difficult passwords are based on a false premise: They assume that hackers are getting in by trying out millions of random passwords and finding one that works. But that exploit was solved back in the 1980s. Just don't allow more than one password attempt per IP address per second.
Please stop posting misinformation.

The reason it is a very bad idea to use a keyboard pattern as a password is that there are only a limited number of such patterns. This does not mean that a hacker has to try every possible pattern at a login screen because hackers have lists of email accounts and the associated password in an encoded form known as a "salted hash", obtained through historical data breaches. Hackers then compare all common patterns with every entry in the list and if they find any matches then they have an email/password combination they know was correct for a given service at the time of the breach. They can then try that email/password combination everywhere and if it works they have compromised an account, if it doesn't then they have thousands of other places to try.

If you think you are not vulnerable to such an attack then type your email address in here https://haveibeenpwned.com/ and/or a password you have used, or just one with a "pattern" that you think might be OK, https://haveibeenpwned.com/Passwords for a nasty surprise.
 
  • #20
pbuk said:
type your email address in here
Seriously? Give my e-mail and a big hint to my password to some random site?

pbuk said:
Please stop posting misinformation.
pbuk said:
Find a pattern in ANY ONE of these and I'll give you a prize:
Nothing about visuals here. Gimme the prize!
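The range query that pbuk points to in #19 works without sending the password anywhere, which is the concern raised in #20. The following is an added example, not code from this thread or from Have I Been Pwned: it implements the k-anonymity check used by the Pwned Passwords range API (GET https://api.pwnedpasswords.com/range/{prefix}), where only the first five hex characters of the SHA-1 hash leave the machine and the remaining 35 are compared locally against the returned list. The sample range body, its counts and the two filler suffixes are constructed for the example (only the suffix of SHA-1("password") is real); the function names are my own.

```python
import hashlib
import urllib.request

# Constructed sample of a range response: one "SUFFIX:COUNT" line per hash in
# the range.  The counts and the first and third suffixes are made up for this
# example; the second suffix is the real tail of SHA-1("password").
SAMPLE_RANGE_BODY = "\r\n".join([
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123",
    "2E1F6D0F9A4C3B7E5D8A1C2B3D4E5F60718:1",
])


def split_hash(password):
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.
    Only the 5-character prefix is ever sent to the service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(password, range_body):
    """Compare the locally kept 35-character suffix against every line of a
    range response.  Returns the breach count, or 0 when the suffix is absent."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        if not line.strip():
            continue
        line_suffix, _, count = line.partition(":")
        if line_suffix.strip() == suffix:
            return int(count.strip())
    return 0


def fetch_range(prefix):
    """Retrieve the range for a 5-character prefix from the public API.
    Not called at import time, so everything else here runs offline."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_offline(password):
    """Same matching logic run against the constructed sample body."""
    return count_in_range(password, SAMPLE_RANGE_BODY)


if __name__ == "__main__":
    prefix, _ = split_hash("password")
    body = fetch_range(prefix)               # network call; prefix only
    print("breach count for 'password':", count_in_range("password", body))
```

The service never sees the password or its full hash; with a five-character prefix, every candidate in a range looks the same to the server, which is the point of the k-anonymity design.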
 
  • #21
It seems to be forgotten here that passwords came up only in the context of unlocking the screen for Chromebooks.

Screen unlock is a case of multi-factor authentication. The password is one factor. Physical access to the Chromebook is a second factor. If my computer was stolen, I figure game over; passwords won't prevent access to my info.

So in my view, the security of a password is less critical with multi-factor authorization than it would be with single factor.

I also believe that the biggest risk to consumers (not criminals, not spies) is that the database of your trusted vendor is stolen with the credentials of all customers. For example, Amazon knows my credit card info; so do other vendors that I purchase from online, so does my bank. That kind of crime happens every day and databases of millions of sets of credentials are sold on the dark web. For that kind of crime, it doesn't matter if your password is more secure or less secure.
 
  • #22
Seriously, @Algr hackers use lists of common passwords sorted as most to least common as one scheme of attack. These lists come from data breaches so there's a good chance that one of them will work.

Another more directed attack uses information on email name as a user identifier coupled with the data breach data to get a list of passwords the given user may have used. From there one might glean a pattern to try when trying to crack an account.

There may be other associations gleaned from open source data on a user that can be used to guess passwords or to get by security questions to change passwords.

Lastly, nation states have the resources to dig even deeper into breaking into accounts that we won't get into on this forum.
 
  • #23
My rough calculation is that there are 2^25 or 33,554,432 passwords that are eight characters with each one key-adjacent to the next. I also suggested:
Algr said:
throw a ringer in the middle

All the services I use lock you out after three-to-five wrong guesses. Hackers aren't getting in by guessing between 33 million common passwords. They are getting in because they know exactly what your password is via the data leak. No amount of memorizing gibberish is going to protect you from that.
 
  • #24
Algr said:
They are getting in because they know exactly what your password is via the data leak.
That's right. So the better protection is to change your passwords every 30 days. If you do that, by the time the criminals get around to exploiting the stolen passwords, you will have already changed yours.

Of course, the ultimate is a single-use password. I recall sometime in the 2000s, Visa was offering single-use CC numbers. But they quickly stopped offering that. I'm not sure why.

But once again, all this talk does not apply to PC unlock codes. Unlock is a special case.
 
  • #25
Algr said:
My rough calculation is that there are 2^25 or 33,554,432 passwords that are eight characters with each one key-adjacent to the next. I also suggested:All the services I use lock you out after three-to-five wrong guesses. Hackers aren't getting in by guessing between 33 million common passwords. They are getting in because they know exactly what your password is via the data leak. No amount of memorizing gibberish is going to protect you from that.
No, there have been very few data leaks of plain text passwords. Almost all the email/password combinations available on the dark web have been cracked by dictionary attacks on salted hashes. Choose an obvious password like the ones you suggest and you are vulnerable to a dictionary attack.
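pbuk's point about salted hashes in #25 is easier to see with a concrete storage scheme in front of you. This is an added example, not code from the thread: it stores a password with a per-user random salt and PBKDF2-HMAC-SHA256 (Python's hashlib.pbkdf2_hmac), verifies a login attempt with a constant-time comparison, and times a single guess against the stored record. The salt defeats precomputed hash tables, but someone holding the file can still test candidate passwords one user at a time, so the work factor is what makes each of those guesses expensive. The iteration count and the function names are my choices, not values from the thread.

```python
import hashlib
import hmac
import os
import time

# Work factor for PBKDF2-HMAC-SHA256.  An example choice for this demonstration,
# not a figure taken from the thread.
DEFAULT_ITERATIONS = 600_000


def make_record(password, iterations=DEFAULT_ITERATIONS, salt=b""):
    """Store a password as (salt, iterations, derived key).  A fresh random salt
    per user means two users with the same password get different records, so a
    table of precomputed hashes is useless against the file."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify(password, record):
    """Recompute the derived key for a login attempt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk, bytes.fromhex(record["hash"]))


def seconds_per_guess(record, sample=3):
    """Wall-clock cost of testing one candidate against this record.  The salt
    does not stop per-user guessing; the iteration count is what slows it down."""
    t0 = time.perf_counter()
    for _ in range(sample):
        verify("not-the-password", record)
    return (time.perf_counter() - t0) / sample


def fast_hash_seconds(sample=1000):
    """Cost of one plain salted SHA-256, for comparison with the KDF."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(sample):
        hashlib.sha256(salt + b"not-the-password").digest()
    return (time.perf_counter() - t0) / sample


if __name__ == "__main__":
    rec = make_record("7*hamsters8myDOG!")        # passphrase quoted in #18
    print("verify correct:", verify("7*hamsters8myDOG!", rec))
    print("verify wrong:  ", verify("qwerty", rec))
    print(f"PBKDF2 guess: {seconds_per_guess(rec):.4f} s, "
          f"plain SHA-256 guess: {fast_hash_seconds():.2e} s")
```

Run stand-alone, the last line shows the gap between the two per-guess costs; a password that appears in a small pattern or breach list is recovered either way, which is why the slow KDF on the server and an unguessable password on the user's side are complementary rather than alternatives.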
 
  • #26
Algr said:
My rough calculation is that there are 2^25 or 33,554,432 passwords that are eight characters with each one key-adjacent to the next. I also suggested:

Algr said:
throw a ringer in the middle
When you are using a visual keyboard pattern (or a word, or a name, or a date, or whatever is a pattern thought by a human), you are reducing considerably this 33 million figure. When you know which ones are the most popular, it will take even fewer trials.

Even @jedishrfu 's example (igagik) is a pattern. How many popular songs are there that will be chosen by most people? A few thousand at most. Probably a few hundred will be enough to cover most possibilities. Trivial for a brute force attack.

A ringer in the middle? That's also a pattern thought by a human. Guess what? Most humans are similar and think alike and it's usually trivial to find it. That's why p4$$w0rd is still not a good password. That's why asking people to insert a special character doesn't work also, because most people will only add a "!" at the end of their password. People are predictable. Therefore, not only you will never need to check all possibilities, but the list of "probably thought by a human" passwords is much much much shorter than the entire list of possible passwords.

To be efficient, a password must be as random as possible (i.e. not generated by a human) and then you use a password manager. Brute-force doesn't work, social engineering doesn't work, reused password doesn't work, phishing scam doesn't work, and you don't have to remember anything! I don't see any reason to select anything else but a 64 hexadecimal password (256 bits entropy), which is basically a random number between 0.07e77 and 1.15e77 (assuming the first digit is not zero), still giving 1.08e77 possible integers.

Algr said:
All the services I use lock you out after three-to-five wrong guesses. Hackers aren't getting in by guessing between 33 million common passwords.
Yes, they do:
https://www.washingtonpost.com/world/2020/12/17/dutch-trump-twitter-password-hack/ said:
Dutch hacker Victor Gevers claims to have logged into President Trump’s Twitter account six years ago by guessing the password: “yourefired.”

Then he did it again. On Oct. 16, Gevers, 44, made an accurate guess, “maga2020!,” on his fifth try, according to Dutch prosecutors.
Funny, there's an exclamation point at the end. Who would've thought!
 
  • #27
One method I've always thought was superior to passwords was the zero-knowledge proof scheme where a couple of questions are asked that only the user knows. However, that means you are interacting with the computer and not doing meaningful work so companies rejected the idea.

https://en.wikipedia.org/wiki/Zero-knowledge_proof

You see variants of this in the security questions that get asked to reset a password, but the difference is that they are the same questions, whereas in a zero-knowledge proof scheme the questions would always be different.

Questions are usually of the form:

What is the fifth letter of the college you graduated from?

What is the third letter of your password?

Anyone watching over their shoulder would not in one sitting be able to determine the answers. However, over many sittings it's possible, though very unlikely.
 
  • #28
jack action said:
When you are using a visual keyboard pattern (or a word, or a name, or a date, or whatever is a pattern thought by a human), you are reducing considerably this 33 million figure.
No. I already accounted for that by using 4 bits per letter, and 3 after that. 33 million also excludes the ringer. There is a huge difference between "cdewq7sxz" and "maga2020!" Anyone who would use the latter is a moron.
 
  • #29
pbuk said:
No, there have been very few data leaks of plain text passwords. Almost all the email/password combinations available on the dark web have been cracked by dictionary attacks on salted hashes.
That's interesting. I've been trying to verify that, but no luck. That shouldn't be surprising. Any statement claiming to know what is on the dark web sounds like an oxymoron by definition. However, the article below implies that cracking encrypted password files is almost as easy as cracking passwords.

Security expert Bruce Schneier has a pretty comprehensive article on choosing secure passwords. It's too long to paste here, but the link is https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

Here are a few gems from that article.
What was remarkable about all three cracking sessions were the types of plains that got revealed. They included passcodes such as “k1araj0hns0n,” “Sh1a-labe0uf,” “Apr!l221973,” “Qbesancon321,” “DG091101%,” “@Yourmom69,” “ilovetofunot,” “windermere2313,” “tmdmmj17,” and “BandGeek2014.”

This is why the oft-cited XKCD https://subrabbit.wordpress.com/2011/08/26/how-much-entropy-in-that-password/ for generating passwords—string together individual words like “correcthorsebatterystaple”—is no longer good advice. The password crackers are on to this trick.

Last year, Ars Technica gave three experts a 16,000-entry encrypted password file, and asked them to break as many as possible. The winner got 90% of them, the loser 62%—in a few hours.

Pretty much anything that can be remembered can be cracked. [bold is mine]

There’s more to passwords than simply choosing a good one:
  1. Never reuse a password you care about. Even if you choose a secure password, the site it’s for could leak it because of its own incompetence. You don’t want someone who gets your password for one application or site to be able to use it for another.
  2. Don’t bother updating your password regularly. Sites that require 90-day—or whatever—password upgrades do more harm than good. Unless you think your password might be compromised, don’t change it. [Note: this is the opposite to what I said in other posts.]
  3. Beware the “secret question.” You don’t want a backup system for when you forget your password to be easier to break than your password. Really, it’s smart to use a password manager. Or to write your passwords down on a piece of paper and secure that piece of paper.
  4. One more piece of advice: if a site offers two-factor authentication, seriously consider using it. It’s almost certainly a security improvement.
 
  • #30
Algr said:
No. I already accounted for that by using 4 bits per letter, and 3 after that. 33 million also excludes the ringer.
That is not what I meant. By obeying a set of rules (for example choosing letters based on their position on a keyboard), you are excluding a lot of passwords that a hacker doesn't need to try.

As soon as you are using a set of rules to create your password, you're screwed. For example, here's a set of rules that was popular to get an easy-to-remember password: use an alternate of consonants and vowels (ex.: fiborazu). It's meaningless, but still easy to remember. But doing so - for someone who assumes you used this rule - you drop from 209 billion possibilities (= 26^8) to 207 million possibilities (= (20 X 6)^4).

Algr said:
There is a huge difference between "cdewq7sxz" and "maga2020!"
Not by that much. Your password is no more secure than "qwer7ty" because you are using a pattern based on the key positions on a keyboard. Which limits the possibilities just like orthography does with letters when forming words. I can assure you that there is a dictionary out there with all possible patterns on a keyboard, ordered by popularity.

Have you noticed that your ringer is a number? That's the first thing a human does instinctively, which again greatly limits the number of possibilities.
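The argument running through #23, #26 and #30 is about the size of the space an attacker has to cover once a human rule is assumed. Here is an added example, not code from the thread, that puts exact numbers on it: it counts every eight-character keyboard walk on a simplified QWERTY model by dynamic programming over the key-adjacency graph, counts the passwords admitted by the alternating consonant/vowel rule quoted in #30, and puts both beside the unrestricted 26^8 and 62^8 spaces. The layout coordinates, the adjacency rule (rows at most one apart, horizontal distance at most one key width) and the function names are my own simplifications, so the walk count is for this model, not a precise figure for any real keyboard.

```python
import math

# Approximate physical QWERTY layout used only for this example.  Each key gets a
# (row, x) position; the row offsets mimic the stagger of a real keyboard.  Two
# keys count as adjacent when their rows differ by at most one and their
# horizontal distance is at most one key width.  Letters are lower-case only.
ROWS = [("1234567890", 0.0), ("qwertyuiop", 0.5), ("asdfghjkl", 0.75), ("zxcvbnm", 1.25)]
COORDS = {ch: (row, col + offset)
          for row, (keys, offset) in enumerate(ROWS)
          for col, ch in enumerate(keys)}


def adjacent(a, b):
    if a == b or a not in COORDS or b not in COORDS:
        return False
    (ra, xa), (rb, xb) = COORDS[a], COORDS[b]
    return abs(ra - rb) <= 1 and abs(xa - xb) <= 1.0 + 1e-9


NEIGHBOURS = {k: [o for o in COORDS if adjacent(k, o)] for k in COORDS}


def is_keyboard_walk(pw):
    """True when every character sits next to the following one on the model keyboard."""
    pw = pw.lower()
    return len(pw) >= 2 and all(adjacent(a, b) for a, b in zip(pw, pw[1:]))


def count_keyboard_walks(length):
    """Exact number of walks of the given length, by dynamic programming over the
    adjacency graph: ending[k] is the number of walks that finish on key k."""
    ending = {k: 1 for k in COORDS}          # every key is a walk of length 1
    for _ in range(length - 1):
        ending = {k: sum(ending[p] for p in NEIGHBOURS[k]) for k in COORDS}
    return sum(ending.values())


def alternating_cv_count(length, consonants=20, vowels=6):
    """Passwords that alternate a consonant and a vowel, the rule quoted in #30."""
    pairs, odd = divmod(length, 2)
    return (consonants * vowels) ** pairs * (consonants if odd else 1)


def bits(n):
    """Search-space size expressed as an entropy-equivalent bit count."""
    return math.log2(n)


def search_spaces(length=8):
    """Side-by-side sizes of the spaces a guesser would have to cover."""
    return {
        "keyboard_walks": count_keyboard_walks(length),
        "alternating_cv": alternating_cv_count(length),
        "lowercase_any": 26 ** length,
        "alnum_mixed_case": 62 ** length,
    }


if __name__ == "__main__":
    for name, size in search_spaces().items():
        print(f"{name:>18}: {size:>22,d}  ({bits(size):5.1f} bits)")
    print("sw234rfd is a walk:", is_keyboard_walk("sw234rfd"))
```

Because no key in this model has more than six neighbours, the number of eight-key walks is bounded by 36 × 6^7, roughly ten million, which is why a strength checker that recognises keyboard walks rates them far below what the character count alone would suggest.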
 
  • #31
Something like 40% of all passwords are of the form a capital letter, 5 lower case letters, the number 1, and an exclamation point. I suspect many of them are 5 or 6 character dictionary words as well.

There have been complaints about password managers and attacks (which did not cause a leak) but when the alternative is Password1! , which probably takes a millisecond to crack, what is the better strategy?
 
  • #32
Good thread after separation from Chromebooks. I've learned useful things, and it made me think through the problem more, especially the secondary aspects of the security. Here is my summary. I tagged quotes from others; everything else is my opinion.

1. Never reuse a password you care about. -- Bruce Scheiner
a. If you have N online accounts, you need N secure passwords.
b. You must remember which password goes with which site.
c. A corollary: Never reuse the same email address for password recovery. If you have N online accounts, you need N password recovery email addresses and N email passwords.
i. An alternative is to use something other than email address as the account name. Then someone stealing your account name does not simultaneously get your recovery email address.
1. Some sites mandate a valid email address as the account name.
d. I tried and failed to delete old unused accounts. Many sites have no function for account deletion. Therefore, I have to forever remember the login information I used on those sites, in order to avoid reusing them.
i. When service providers go bankrupt, their assets including digital assets are sometimes sold to the highest bidder. Obviously, all provider security becomes moot. For example, a hospital in Phoenix failed to pay the rent on a warehouse storing patient medical records. The landlord sold the records at auction.
2. Pretty much anything that can be remembered can be cracked. -- Bruce Scheiner
As soon as you are using a set of rules to create your password, you're screwed. -- @jack action
a. That pretty much mandates a pseudo-random software pw generator. No human method or algorithm can be secure enough.
i. If using a machine generated pw, and machine entry of your pw, it might as well be the maximum length, because you will never type it in by hand. There is no advantage to shorter passwords. My password generator can produce 256 character passwords.
3. Unless you think your password might be compromised, don’t change it. -- Bruce Scheiner
a. Obvious corollary: If you do think your password may be compromised, change it immediately.
4. Beware the “secret question.” You don’t want a backup system for when you forget your password to be easier to break than your password. -- Bruce Scheiner
5. Really, it’s smart to use a password manager. Or to write your passwords down on a piece of paper and secure that piece of paper. -- Bruce Scheiner
a. Unless your handwriting skills are exceptional, writing it down means printing it. A transcription error can be almost as damaging as password theft.
i. Since transcription errors are so easy, your paper list must be tested by trying to log in using the information on the paper.
b. Don’t forget to include both the password and the account name and the site on the paper.
c. You might die. Your house can burn down. Make sure your loved ones have access to a copy of that paper list, or access to the password manager.
i. Every time you change a password, you need to regenerate the list and distribute copies to your loved ones.
ii. If you use porn or other sites that you don’t want your loved ones to know about, you need a separate security system for those.
iii. Make sure that your loved ones secure their copy of the paper.
d. I can’t trust myself to do all that stuff on paper. For me, a password manager is the only practical solution.
6. One more piece of advice: if a site offers two-factor authentication [or MFA], seriously consider using it. It’s almost certainly a security improvement. -- Bruce Scheiner

Not addressed in that list are the vulnerabilities of letting your login credentials be stored elsewhere. For example, I opt to let PF keep me logged in. I assume that means cookies, but sometimes browsers claim to store passwords.

Whew! What a headache all this stuff is. The future trend seems to be to use many-factor authentication, reducing or eliminating the need for secure passwords. I welcome that.
 
  • #33
Algr said:
Any conceivable combination of 8 letters and numbers will have some kind of pattern.
Of course, the issue is the security of keyboard position patterns. The pattern 'qwerty' is probably the worst example. A password strength checker rates qwerty as "an open door" even though it would appear fairly random if you ignore keyboard positions.
 
  • #34
anorlunda said:
2. Pretty much anything that can be remembered can be cracked. -- Bruce Scheiner
As soon as you are using a set of rules to create your password, you're screwed. -- @jack action
I think Scheiner's claim is just a little bit over the top. You can make good passwords that you can remember but don't rely on a pattern, e.g., five or six random words generated by Diceware. Most password managers, I expect, allow the user to generate such a password as well.

anorlunda said:
i. If using a machine generated pw, and machine entry of your pw, it might as well be the maximum length, because you will never type it in by hand. There is no advantage to shorter passwords. My password generator can produce 256 character passwords.
You may never need to type in a password on your computer, but if you need to enter one on another device, you will quickly appreciate the benefits of a shorter, easier to enter password.

There are also places, for reasons I don't understand, that don't allow you to autofill a password or paste a password in. You're pretty much forced to type in those passwords. Personally, I wouldn't want to type in a 256-character password consisting of random characters.

anorlunda said:
3. Unless you think your password might be compromised, don’t change it. -- Bruce Scheiner
I think this advice is a holdover from the days before password managers. When people were forced to change their password, say, every six months, supposedly to increase security, they instead made things worse because users would opt for weak, easier-to-remember passwords.

Nowadays, a password manager may eliminate the problem of weak passwords, but changing your passwords frequently strikes me as a waste of time.

anorlunda said:
Not addressed in that list are the vulnerabilities of letting your login credentials be stored elsewhere. For example, I opt to let PF keep me logged in. I assume that means cookies, but sometimes browsers claim to store passwords.
Websites use cookies to keep you logged in. They can't access the passwords stored by a browser. That would be a gigantic security hole.

One vulnerability currently is that your login credentials are stored by the website, so you might follow the best practices, but the website may be compromised due to circumstances outside of your control.

anorlunda said:
Whew! What a headache all this stuff is. The future trend seems to be to use many-factor authentication, reducing or eliminating the need for secure passwords. I welcome that.
Me too. Microsoft, Google, and Apple recently committed to support the FIDO standard for password-less authentication, which relies on public and private keys and MFA. I hope this standard gets adopted quickly by sites once it rolls out.
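vela's Diceware suggestion in #34 and jack action's 64-hex-digit figure in #26 can be compared on one scale, entropy in bits. This is an added example, not code from the thread or from any password manager: it maps five dice rolls to a list index the way Diceware does, draws words with the operating system's CSPRNG via the secrets module, and computes how many words from a 7776-entry list are needed to reach a given entropy target. The 32-word list is constructed for the example (a real Diceware list has 6^5 = 7776 entries) and the function names are mine.

```python
import math
import secrets

# Constructed 32-word list for this example; a real Diceware list has 6**5 = 7776
# words, one per five-dice roll.
SAMPLE_WORDS = [
    "apple", "bridge", "cactus", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "anchor", "beacon", "canyon", "drizzle", "fossil", "gravel",
]
DICEWARE_LIST_SIZE = 6 ** 5


def passphrase_entropy_bits(list_size, n_words):
    """Entropy of n words drawn uniformly, with replacement, from a list."""
    return n_words * math.log2(list_size)


def hex_entropy_bits(n_hex_digits):
    """Entropy of a uniformly random hex string: 4 bits per digit."""
    return 4 * n_hex_digits


def words_needed(list_size, target_bits):
    """Smallest word count that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def diceware_index(rolls):
    """Map five dice rolls such as '31415' to a 0-based list index."""
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError("need exactly five digits in 1..6")
    index = 0
    for c in rolls:
        index = index * 6 + (int(c) - 1)
    return index


def generate_passphrase(wordlist, n_words, sep=" "):
    """Draw words with the OS CSPRNG (secrets), never with random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def random_hex_password(n_hex_digits=64):
    """The 64-hex-digit, 256-bit style of password described in #26."""
    return secrets.token_hex(n_hex_digits // 2)


if __name__ == "__main__":
    print("6 Diceware words:", round(passphrase_entropy_bits(DICEWARE_LIST_SIZE, 6), 1), "bits")
    print("64 hex digits:   ", hex_entropy_bits(64), "bits")
    print("words for 128 bits:", words_needed(DICEWARE_LIST_SIZE, 128))
    print("sample phrase:", generate_passphrase(SAMPLE_WORDS, 6))
```

The entropy figures hold only because the words are drawn uniformly at random; a phrase the user composes from a favourite lyric has the list-size of "songs people pick", which is the point made in #26.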
 
  • #35
anorlunda said:
For example, a hospital in Phoenix failed to pay the rent on a warehouse storing patient medical records. The landlord sold the records at auction.
Can you point me to this? It sounds like a pretty egregious HIPAA violation.

While I don't disagree with anything on the list, it does fail to put things in perspective. Think of security as a parallel network of resistors. Increasing the resistance of an already-high resistor doesn't change the network resistance. Similarly, changing your password from "password" to "Z!n33%DA" is more helpful than changing it from Z!n33%DA to Z!n33%DA1iQ@7w5Rnkr0d9mrDp.
 