The truth about password strength

  • Thread starter FlexGunship
  • #1
FlexGunship
Moderator's note: A reminder to all to use common sense when duplicating others' intellectual property.

XKCD, for example, requires some sort of attribution attached to postings of its comics; e.g. a link to the comic. (And, thankfully, XKCD does permit its images to be hotlinked)

password_strength.png
 
  • #2
There goes my password. It was correcthorsebatterystaple. This is the worst thing to happen to me since a quantum computer successfully factored 15 into primes and broke my private key.
 
  • #3
Jimmy Snyder said:
There goes my password. It was correcthorsebatterystaple.

Hah, damn... I just got done changing my 57 passwords to that. Time to change them to something else. I can't have the same password as everyone.
 
  • #4
Instead of memorizing the letters, numbers, etc, it's better to memorize some tune and the dance steps to that tune - except your fingers do the dancing instead of your legs.

Except that doesn't work for the classified computers at work. Your password can't have any patterns in it. They don't even allow patterns that match legal moves for the Knight in chess or even allow a castling move pattern and they definitely don't allow any of the legal moves in Go or Chinese Checkers. We have a theory that the rules for passwords at work have become so elaborate that there's only one possible password that's allowable and that everyone is actually using the same password, but we can't verify it because we can't ever tell anyone our password.
 
  • #5
BobG said:
Instead of memorizing the letters, numbers, etc, it's better to memorize some tune and the dance steps to that tune - except your fingers do the dancing instead of your legs.

How mindlessly poetic of you.

My fingers play Dance Dance Revolution on the keyboard when I'm entering my password: "upupdowndownleftrightleftrightBAselectstart."
 
  • #6
At my last job, the rules for passwords were so elaborate that there was no way to remember them. We all just wrote them down and left them on our desks.
 
  • #7
Jimmy Snyder said:
At my last job, the rules for passwords were so elaborate that there was no way to remember them. We all just wrote them down and left them on our desks.

That's my current job. It's absurd.
 
  • #8
FlexGunship said:
How mindlessly poetic of you.

My fingers play Dance Dance Revolution on the keyboard when I'm entering my password: "upupdowndownleftrightleftrightBAselectstart."

My fingers prefer Fred Astaire dancing to "You're All the World to Me" from "Royal Wedding".
 
  • #9
It's not all that hard to memorize a random sequence of 8 characters if you spend a few minutes practicing it. :-p
 
  • #10
Hurkyl said:
It's not all that hard to memorize a random sequence of 8 characters if you spend a few minutes practicing it. :-p

Your passwords are only 8 characters long?!

Passwords have to be at least 3 minutes where I work!
 
  • #11
Long ago, you could use special symbols in password fields but that is quickly going away.

I also used to move my hand position about the keyboard and type passwords.

Maybe with the index fingers on G and H instead of F and J, or maybe shifted up or down.
 
  • #12
Hurkyl said:
It's not all that hard to memorize a random sequence of 8 characters if you spend a few minutes practicing it. :-p
I failed to mention we had to change them every three months.
 
  • #13
Jimmy Snyder said:
I failed to mention we had to change them every three months.

So your passwords are:

password1
password2
password3
...
password[INT((X-1)/3)+1] where "X" is the number of months that you've been employed?
 
  • #14
Ah! This xkcd is so excellent.
Yes! Always please use nonsensical sentences in your passwords! Easy to remember, with the benefit of not being found in any book, and if you stray from grammar, you're protected by another layer when in the future computers will be able to guess sentences and reference books.
 
  • #15
For a time, I worked for an outfit in which the technical director was a clueless martinet, and his rules for formatting and changing passwords were draconian and ill-advised. Yes, we techs had trade-secrets on our computers, but we were in the field 99% of the time and didn't have the luxury of nice hiding places, like a boring book on a shelf in the office in which you could jot your latest password.

Years later, I became the network administrator for a very large (by Maine standards) ophthalmic practice and I urged people to use strings of words that wouldn't be guessed easily. I have very few hard-and-fast rules, except "don't use the names/birth dates of your children, pets, spouse, etc". Keep the words impersonal. The xkcd is better than my plan, but back then, code-breaking was more a function of informed guessing and "human engineering". Still, you don't want the curious to log in as a supervisor or administrator and find out how much everybody makes, look at personnel records, etc. That alone can be very destructive in an office atmosphere.
 
  • #16
In any case, before you start using strings of words, you really ought to make sure your system actually considers every character significant. Some systems, for example, only use the first 8 characters, making XKCD's advice rather terrible.
 
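As an added example (not from the thread, and not xkcd's own code), the Python below shows the arithmetic behind the comic in #1 and the "nonsensical sentences" advice in #14, and performs the check #16 asks for: enroll a long password, then log in again with only its last character changed; if both attempts are accepted, the verifier is ignoring the tail. The word list, the 8-character legacy cut-off and the SHA-256 verifier are all constructed for the demonstration.

```python
import hashlib
import math
import secrets
from functools import partial

# Constructed word list standing in for the roughly 2048-word dictionary the
# comic assumes; the entropy arithmetic is parametrised on the real list size.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "window", "copper",
                "silent", "meadow", "planet", "lantern", "rocket", "velvet"]


def passphrase_entropy_bits(num_words, wordlist_size):
    """Entropy of num_words words drawn uniformly from a wordlist_size list."""
    return num_words * math.log2(wordlist_size)


def random_string_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string over an alphabet of alphabet_size."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words, num_words=4, sep=" "):
    """Pick num_words words with a CSPRNG (secrets), not random.choice."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


def enroll(password, significant=None):
    """Produce the stored verifier for a password.

    significant=8 imitates the legacy systems #16 warns about, which silently
    keep only the first 8 characters.  Plain SHA-256 is used only to keep the
    example short; a real verifier would use a salted, slow KDF.
    """
    return hashlib.sha256(password[:significant].encode()).hexdigest()


def verify(stored, candidate, significant=None):
    """Check a login attempt against the stored verifier."""
    return hashlib.sha256(candidate[:significant].encode()).hexdigest() == stored


# Constructed legacy variants: an 8-character cut-off on both sides.
legacy_enroll = partial(enroll, significant=8)
legacy_verify = partial(verify, significant=8)


def ignores_tail(enroll_fn, verify_fn, password):
    """Self-check for an authentication system you administer.

    Enroll a long password, then attempt a login with its last character
    changed.  If that attempt still succeeds, the system does not consider
    every character significant, and a word-based passphrase loses most of
    its strength on it.
    """
    if len(password) < 9:
        raise ValueError("use a password longer than any suspected cut-off")
    stored = enroll_fn(password)
    altered = password[:-1] + ("x" if password[-1] != "x" else "y")
    return verify_fn(stored, password) and verify_fn(stored, altered)


if __name__ == "__main__":
    print(f"4 words from 2048:     {passphrase_entropy_bits(4, 2048):.1f} bits")
    print(f"8 random printable:    {random_string_entropy_bits(8, 95):.1f} bits")
    print(f"8 random lowercase:    {random_string_entropy_bits(8, 26):.1f} bits")
    print("sample passphrase:     ", generate_passphrase(SAMPLE_WORDS))
    pw = "correcthorsebatterystaple"
    for name, e, v in (("legacy", legacy_enroll, legacy_verify),
                       ("modern", enroll, verify)):
        print(f"{name} verifier ignores tail: {ignores_tail(e, v, pw)}")
```

The entropy figures assume the attacker knows the generation method and the word list, which is the comic's own assumption; the strength comes from the number of equally likely choices, not from the words being obscure. The tail check is only meaningful against a system where you can enroll a test account, and it should be run with a throwaway password.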
  • #17
During my tenure then, we bought all the equipment from a recently failed ophthalmic practice, and the bank that foreclosed (the doctor went bankrupt from malpractice suits) wanted help breaking the master password on the practice-management software so they could try to recover some of the outstanding receivables. I looked in the most obvious places for jotted passwords, then told the bank reps to strip all certificates, etc, off the walls and bring them to me while I continued to hunt.

I had no luck searching the main office, but one of the certificates had the doctor's birth-date on it. I formatted it in the MMDDYY numeric format, and punched that date in in reverse order. BINGO! The bank reps got pretty fired up, and asked what else I needed. I told them to go to Staples and buy a new printer ribbon for that dot-matrix printer, and a couple of cases of tractor-feed paper. I got them started, showed them how to pause printing and re-start and they got a complete paper record of the practice's receivables.
 
  • #18
Does anyone know if the 10-20 most common passwords have changed much over the last 10 years? I would think password1 is probably still one of the most common, right?

http://en.wikipedia.org/wiki/Password

I like the one about hotmail banning the pw 123456 heh.
 
  • #19
Hurkyl said:
It's not all that hard to memorize a random sequence of 8 characters if you spend a few minutes practicing it. :-p
What if you have three? At my last job (Gov), one to get the desktop operating system to boot, one to get onto the LAN, then one to get onto the Gov network. Oh, and one for their mail. And every 30 days we were prompted to change them. What made it bad was that the prompts were not in sync.
 
  • #20
dlgoff said:
What if you have three? At my last job (Gov), one to get the desktop operating system to boot, one to get onto the LAN, then one to get onto the Gov network. Oh, and one for their mail. And every 30 days we were prompted to change them. What made it bad was that the prompts were not in sync.

No joke:
  • Local admin login - laptop
  • Local admin login - desktop
  • Network login
  • Mail login
  • Remote support login (different for every site)
  • VPN login
  • My company's FTP site login
  • Siemens' FTP login
  • Siemens' SiePro login
  • Simotion controller FTP login (different for every site)
  • Simotion IT diagnostics login (different for every site)
  • Legacy modem connection login (different for every site)
  • TestTrack Pro login
  • VSS login

Yup; those are real. I keep my passwords in my KeyPass program on my phone in an encrypted file to which the password is "password."
 

Related to The truth about password strength

1. What is the importance of having a strong password?

A strong password is crucial for protecting your personal information and accounts from being hacked or stolen. It acts as a barrier against unauthorized access and ensures the security and privacy of your data.

2. How do I create a strong password?

A strong password should be at least 12 characters long and include a combination of uppercase and lowercase letters, numbers, and special characters. Avoid using easily guessable information like your name, birthdate, or common words. Consider using a password manager to generate and store strong passwords for you.

3. Is it necessary to change my password regularly?

While it's always a good idea to regularly update your passwords, it's not necessary to do so unless you suspect a security breach or have used a weak password. Instead, focus on creating a strong and unique password for each account and enabling two-factor authentication for added security.

4. Can I use the same password for multiple accounts?

No, it's not recommended to use the same password for multiple accounts. If one account gets hacked, all your other accounts using the same password will also be vulnerable. It's best to use unique passwords for each account to ensure maximum security.

5. Are there any other methods for securing my accounts besides using a strong password?

Yes, there are other methods for securing your accounts, such as using two-factor authentication, regularly updating your software and devices, and being cautious about clicking on suspicious links or emails. It's also essential to use different passwords for different accounts and regularly monitor your account activity for any suspicious behavior.
