JohnKT is right about the difficulty of creating a truly random number list – you will not want to take some things that come up randomly because they just won’t look random enough.
Dice are good, but I prefer a deck of cards. Shuffle a few times and you have a wonderful random-number generator. It is also easier on the mind to just take the top card than it is to avoid looking at the dice you just rolled. There are 54! possible ways for a deck of cards to be ordered. If you began reshuffling the deck once every second since the big bang, the universe is not old enough for you to have gotten a repeat order.
For random passwords, visit a site like goodpassword.com and generate one. AMgn48fk
Next, change a few letters or numbers to make it your own (and easier to type). ATgn48fi
Finally, write it down somewhere, and don’t use the “remember my password” feature on whatever website you’re visiting. If you have to type in the password every time, you’ll soon commit it to memory.
I have a number of passwords which I remember by keyword – work, financial (credit card for online statements), strong financial (banking), personal (email), weak personal (web forums), and PAIR (because I haven’t taken the time to change from the random assignment).
At last count I have over 80 different passwords that I have to remember, and not only remember but remember which password goes with which app/site. And I have to remember the username that goes with it – I’m not uh_clem everywhere, you know.
How do I do this? I have no idea, but somehow I manage. Now if I could just remember where I put my car keys….
One thing to also consider – if the sensitive sites use a password reset function… This is how Palin’s not-sensitive-but-very-newsworthy Yahoo account got hacked. The kid figured out the answers to her Challenge questions for a pw reset, such as mother’s maiden name… You should have clever answers for those as well that are not easily guessed.
Sometimes forgetting the password is made painful. I forgot my password to a .gov website several years ago, and I need to get my bank to authenticate who I am before they will reset anything. I simply haven’t bothered even though I have something valuable stored there. It will keep.
A law enforcement agency whom I work with have small temporary gun safes near their holding cells. Officers will temporarily place their weapons within the safes in order to frisk prisoners without the fear one may forcibly remove an officer’s weapon. The safe’s combination? 4-3-2-1.
Even a criminal can figure that out.
If the officer can’t stop him in the time to get to the safe and dial it — we’ve got bigger problems.
I think the problem with several sets of complicated passwords is that the user either can’t remember them or simply writes them down where they can be found. I agree, however, that a password which is simply 123456 or the like is foolish.
I have a very limited knowledge of how most of the attempts to break into someone’s account work, but I have always presumed it is mostly by trying hundreds of obvious combinations in a minute or so. If so, perhaps a better way to protect would be to limit the number of attempts in an hour. My TIAA-CREF account will only allow three incorrect passwords before “freezing” access for an hour. Thus trying hundreds of likely combinations to find out which one works would not work.
I presume the proprietor of the account to be accessed (e.g., a bank, Amazon.com) would have to institute the controls, just as TIAA-CREF has done. It may be that this wouldn’t solve all of the problems, but perhaps it would solve at least an appreciable amount of them. But my knowledge of computers is sufficiently limited to know if this is a realistic solution. (On the other hand, why does TIAA-CREF use this technique if it isn’t effective?)
I kinda’ like the way my online brokerage service handles password security. They issue their customers a little RSA keychain security device which generates a new six-digit number every thirty seconds and displays it in an LCD window. Those six digits must be appended to one’s password in order to log in.
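The “three wrong passwords, then a one-hour freeze” scheme described above is easy to get subtly wrong server-side, so here is an added example (not code from any commenter or site) of one way to implement it: a sliding window of failures per account, a lock that is checked before the password is compared, and an identical “denied” answer whether the account exists or not. The `FakeClock`, the `CREDENTIALS` dictionary and the plaintext comparison are constructed for the example.

```python
from collections import deque
import hmac
import time


class FakeClock:
    """Controllable clock so the throttle can be exercised without waiting an hour."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class LoginThrottle:
    """Freeze an account after max_failures wrong passwords inside window_seconds."""

    def __init__(self, max_failures=3, window_seconds=3600, lockout_seconds=3600, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = {}      # user -> deque of failure timestamps inside the window
        self._locked_until = {}  # user -> time at which the freeze ends

    def is_locked(self, user: str) -> bool:
        return self.clock() < self._locked_until.get(user, 0.0)

    def record_failure(self, user: str) -> None:
        now = self.clock()
        q = self._failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            q.clear()

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


# Constructed sample credentials; kept in plaintext only to keep the example short.
CREDENTIALS = {"alice": "correct horse battery"}


def attempt_login(throttle: LoginThrottle, user: str, password: str) -> str:
    """Return "locked", "ok" or "denied". The freeze is checked before any password comparison."""
    if throttle.is_locked(user):
        return "locked"
    expected = CREDENTIALS.get(user, "")
    if user in CREDENTIALS and hmac.compare_digest(expected.encode(), password.encode()):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user)   # unknown users are counted too, so the answer never reveals which names exist
    return "denied"


def simulate() -> list:
    """Three wrong guesses freeze the account; the right password only works once the freeze has lapsed."""
    clock = FakeClock(1_000.0)
    throttle = LoginThrottle(clock=clock.now)
    results = []
    for _ in range(3):
        results.append(attempt_login(throttle, "alice", "123456"))
    results.append(attempt_login(throttle, "alice", "correct horse battery"))  # still frozen
    clock.advance(3_601)
    results.append(attempt_login(throttle, "alice", "correct horse battery"))  # freeze has lapsed
    return results


if __name__ == "__main__":
    print(simulate())
```

The design point a practitioner would add: a per-account freeze like this stops online guessing of one account, but it also lets anyone who knows a username lock its owner out, which is why real deployments pair it with per-source throttling or a second factor rather than relying on the freeze alone.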
Chris Travers: (That is the most memorable hex string I have seen, used to occur from some ACPI-related Linux crashes.)
AIX used to use ‘deadbeef’ in similar circumstances.
JohnKT: Back in the days of mainframes and 3270 terminals, the most common password in France was “bonjour.”
FWIW, my experience was different. I was a sysadmin on an IBM mainframe where passwords were stored in plaintext. I was routinely surprised when nice little old ladies used quite risque passwords.
For random passwords, visit a site like goodpassword.com and generate one. AMgn48fk
Note to self: start ultimatesecurepasswords.com, and always reuse the same handful of passwords :-). [the concept of asking a third party for a password seems really odd to me]
As Slovak police was mentioned here already, a few years ago hackers broke into servers of the Slovak National Security Authority (something like the FBI) – its name in Slovak is NBU (Narodny Bezpecnostnu Urad) – using the user name ‘admin’ and password ‘nbu123’.
petB: As Slovak police was mentioned here already, a few years ago hackers broke into servers of the Slovak National Security Authority (something like the FBI) – its name in Slovak is NBU (Narodny Bezpecnostnu Urad) – using the user name ‘admin’ and password ‘nbu123’.
That one is great, truly great! Any documentation on it? I’d like to point Bruce Schneier to it if so.
JohnKT:
That one is great, truly great! Any documentation on it? I’d like to point Bruce Schneier to it if so.
I looked this up and I did not remember it correctly: the user was ‘nbusr’ (as in NBU of the Slovak Republic) and the password ‘nbusr123’ – though it is known as the “nbu123 affair.” Googling it shows a lot of Slovak articles; here is one in English: http://blogs.zdnet.com/Ou/?p=202
Here is the hackers’ description of what they did, including logs, in Slovak: http://blackhole.sk/node/442
In short, through a hole in the webmail interface they got a list of users, they noticed the ‘nbusr’ user, tried the password nbusr123 and got in. The user seems to have had su privileges, so they had unlimited access to all data; on the machine they found a backup application that had hard-coded root passwords to other machines in the NBU network.
At the bottom is one of the mails they downloaded saying something like “… how are you doing in London? Here in the headquarters we really do not suffer from hard work…” :-)
The common password problem has a solution installable within your browser.
You can activate this protection by pressing F2 before you type your password, or by choosing passwords that start with @@. Or go to this website which runs a javascript on your computer: pwdhash.com
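The idea behind the pwdhash.com approach mentioned above is that the browser never sends the master password itself: it derives a different password for every site from the master and the site’s domain, so the password entered on a look-alike domain is useless on the real one. The following added example (not the actual PwdHash algorithm, nor any commenter’s code) shows the shape of such a scheme with an HMAC; `site_key`, `derive_password`, the trailing digit-and-symbol rule and the naive two-label domain reduction are all choices made for this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

SYMBOLS = "!@#$%"  # appended so sites that demand a punctuation mark accept the result


def site_key(url: str) -> str:
    """Reduce a URL to the last two labels of its host, so every page on a site derives the same password.

    Deliberately naive: there is no public-suffix handling, so hosts under 'co.uk'-style
    suffixes would collide. A real implementation needs a suffix list here.
    """
    host = (urlsplit(url).hostname or url).lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def derive_password(master: str, url: str, length: int = 12) -> str:
    """Site password = HMAC-SHA256(master, site) rendered as base64, plus one digit and one symbol.

    The master never leaves the client; a phishing domain yields a different key and
    therefore a different (and, for the real site, worthless) password.
    """
    if length < 4:
        raise ValueError("length too short to carry letters, a digit and a symbol")
    mac = hmac.new(master.encode(), site_key(url).encode(), hashlib.sha256).digest()
    body = base64.b64encode(mac).decode().rstrip("=")[: length - 2]
    digit = str(mac[0] % 10)                 # deterministic, so the same inputs always agree
    symbol = SYMBOLS[mac[1] % len(SYMBOLS)]
    return body + digit + symbol


def same_site(url_a: str, url_b: str) -> bool:
    """True when both URLs derive the same site password."""
    return site_key(url_a) == site_key(url_b)


if __name__ == "__main__":
    master = "a long master phrase"          # constructed example value
    for u in ("https://www.example.com/login", "http://example.com:8080/", "https://example.org/"):
        print(u, "->", derive_password(master, u))
```

The weakness to keep in mind is the same one the thread raises for any hashed password: if one derived password is captured along with its domain, a guessable master can still be found offline by trying candidates through the same derivation, so the master must itself be strong.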
Catherine Jefferson says:
What they said. Also, if you use any version of your name, your wife’s name, one of your kids’ names, ditto birthdates, anniversary, etc. And many people do. I’m a technical writer in Silicon Valley who has worked on security-related products for most of the last decade, and the system administrators at a *bunch* of big companies and ISPs have confirmed this time and again.
If you really don’t want weak passwords on a server you control, you really have to scan passwords against common lists like this one (and using password cracking programs), and require users whose passwords don’t pass muster to change them immediately. That, or use some other form of security like some type of token (such as an RSA SecureID) or biometric device.
anon says (January 21, 2010, 10:59 pm):
“But bowing to the reality of our overcrowded brains, the experts suggest that everyone choose at least two different passwords — a complex one for Web sites where security is vital, such as banks and e-mail, and a simpler one for places where the stakes are lower, such as social networking and entertainment sites.”
Well, duh.
(Which happens to be my simpler password, hope that helps.)
Dark Helmut says (January 21, 2010, 10:59 pm):
So the combination is… one, two, three, four, five? That’s the stupidest combination I’ve ever heard in my life! The kind of thing an idiot would have on his luggage!
Chris Travers says (January 21, 2010, 11:00 pm):
Beat me to it.
Life imitates art, or in this case comedy.
Malvolio says (January 21, 2010, 11:10 pm):
People say that, but I wouldn’t worry about that kind of personalized attack on anything but a bank account and there only if I had a lot of money.
What is really unforgivable is not losing the passwords, but keeping them. The standard was set by, IIRC, Dennis Ritchie: you hash the password (that is, put it through an algorithm that mixes it up in an irreversible way) and store the hash. Knowing the hash gives very little help in guessing the password (Unix systems used to make the hashes publicly available). That standard was set in 1967. For a company to fail to follow the standard is rank amateurism.
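Two points in the thread so far go together: Catherine Jefferson’s advice to scan a server’s passwords against common lists and force the weak ones to change, and Malvolio’s point that a site should store only a hash. The added example below (not code from either commenter) builds a constructed store that mixes an unsalted single SHA-256 with a salted, iterated PBKDF2, then runs the common-list audit against both. It makes the practitioner’s caveat visible: a hash alone does not save a password that is on the list, and an unsalted fast hash lets one precomputed table cover every account at once. The user names, passwords, `COMMON_PASSWORDS` list and the iteration count are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the published common-password list the thread discusses.
COMMON_PASSWORDS = ["123456", "12345", "password", "bonjour", "qwerty",
                    "abc123", "letmein", "4321"]

PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly; production uses more


def fast_hash(password: str) -> str:
    """Unsalted single SHA-256: one cheap computation per guess, reusable across every account."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256: each guess must be recomputed per account, slowly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def build_store() -> dict:
    """Constructed password store mixing a legacy unsalted scheme with a salted one."""
    store = {}
    for user, pw in [("alice", "123456"), ("bob", "bonjour"), ("carol", "Jnt443WvDr")]:
        store[user] = {"scheme": "sha256", "hash": fast_hash(pw)}
    for user, pw in [("dave", "password"), ("erin", "443WvDr@10:00aJnt!")]:
        salt = os.urandom(16)
        store[user] = {"scheme": "pbkdf2", "salt": salt, "hash": slow_hash(pw, salt)}
    return store


def verify_login(store: dict, user: str, password: str) -> bool:
    """Server-side check; compare_digest keeps the comparison time independent of where bytes differ."""
    rec = store.get(user)
    if rec is None:
        return False
    if rec["scheme"] == "sha256":
        return hmac.compare_digest(fast_hash(password), rec["hash"])
    return hmac.compare_digest(slow_hash(password, rec["salt"]), rec["hash"])


def audit(store: dict, wordlist: list) -> tuple:
    """Flag accounts whose stored hash matches a word on the list.

    Returns ({user: matched_word}, {"sha256": n, "pbkdf2": n}); the second dict counts
    hash computations so the cost difference between the two schemes is visible.
    """
    findings = {}
    work = {"sha256": 0, "pbkdf2": 0}
    # Unsalted scheme: hash the list once, then every account is a dictionary lookup.
    table = {}
    for w in wordlist:
        table[fast_hash(w)] = w
        work["sha256"] += 1
    for user, rec in store.items():
        if rec["scheme"] == "sha256":
            if rec["hash"] in table:
                findings[user] = table[rec["hash"]]
        else:
            # Salted scheme: no shared table; every candidate is recomputed for this account.
            for w in wordlist:
                work["pbkdf2"] += 1
                if hmac.compare_digest(slow_hash(w, rec["salt"]), rec["hash"]):
                    findings[user] = w
                    break
    return findings, work


if __name__ == "__main__":
    s = build_store()
    found, cost = audit(s, COMMON_PASSWORDS)
    for u, w in found.items():
        print(f"{u}: password is on the common list ({w!r}); require a change")
    print("hash computations:", cost)
```

Running it flags alice, bob and dave and shows eight SHA-256 computations covering all three unsalted accounts, against a separate PBKDF2 run per salted account. That asymmetry is the whole argument for salting and iteration: it does not rescue “password”, but it makes each additional account cost the full work again.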
Chris Travers says (January 21, 2010, 11:27 pm):
BTW, my approach is to have five different normal passwords.
My weak password is probably susceptible to a dictionary attack. I use it for things where a hack would not be the end of the world.
My weakest password (also subject to a dictionary attack) is reserved for web site cases where I have to tell someone what to set the password to.
A mid-strength password is all letters, obscure, but not in the dictionary. I use it for most sites. I also use it or variations of it for basic laptop access, etc.
I have two super-strong passwords used for encryption keys, financial sites, and the like. These involve at least 8 characters, a mixture of at least three of upper case, lower case, numbers, and special characters, etc. These passwords are all mnemonic devices for combinations of phrases.
And they are all stored in my head.
What really irks me are the few sites which have weird password requirements that don’t accept any of my passwords…… Password too long… Password may not include special characters…. etc….
Chris Travers says (January 21, 2010, 11:31 pm):
I have seen worse.
PHPNuke used to accept the hashed password from the web browser and authenticate it as if it were the real password. Combined with a SQL injection exploit that allowed one to access the admin password one character at a time……
And SQL-Ledger used to bypass password authentication entirely if you sent a recent timestamp along with your username……. And that’s a financial application…..
Kuzbad says (January 21, 2010, 11:34 pm):
First of all, I highly recommend the multi-tiered approach. Save complicated passwords for sites that matter. Don’t use the same password for your bank, facebook, and whatever junk sites you may log in to!
Secondly, a method that I like to use to create fairly strong and easy to remember passwords goes like this:
1) Pick some information that is easy to remember for you. A childhood address, grandmother’s maiden name, wife’s name, what middle school you went to, a phone number of a friend, your phone number, etc. Doesn’t have to be private or involving somebody else, though if you’re especially paranoid, pick information that might be harder to guess. The important thing is that it’s easy for you to remember.
2) For added security with words, use mixed upper and lower case, replace some letters with numbers, some with symbols, perhaps misspell the word, etc.
For instance if you had picked your grandmother’s first name “Janet” as one of your pieces of information, you might spell it “j@nET” or “j4nEt” or “jaannet”
3) Combine multiple pieces of information. Continuing the example, let’s say you picked
Janet (a name)
663-1778 (phone number of some relevance to you)
With just these two pieces of information, you could create the password
janet6631778
or a slightly more complicated version
JanEt#6631778
and more complicated
663#j4nET+1778
etc. You can add more information, more obfuscation, etc to make the password stronger.
The end result here is fairly complicated password (longer than average, mixed case, mixed alphanumeric and symbols) but should be easy to remember. Is it as secure as a verified cryptologically random generated password? Probably not…but it’s a heck of a lot easier to memorize!
Houston Lawyer says (January 21, 2010, 11:47 pm):
If you have any number of accounts, you rapidly lose track of passwords. There may be a simple way of using just one password on all your sites, but I am not aware of it. So writing them down seems a reasonable alternative. Then taping that paper where it is visible when you are on-line.
Randy says (January 21, 2010, 11:49 pm):
Several years ago, a friend attended a security conference. He said that there is software that you can download off the internet that ‘listens’ to the sound of each key in the computer keyboard. Turns out each key has a slightly different sound that can be picked up by the software.
So — if you are talking to a person on the phone, and he asks you to enter a website, he can apply the software and ‘listen’ to the keys as you strike them, and then easily find your password.
This software was out a long time ago, so I’m sure it’s ever more sophisticated now.
Chris Travers says (January 22, 2010, 12:01 am):
This is all good advice, btw, but I generally recommend taking a slightly different direction. For very secure passwords, two or three independent pieces of information, abbreviated, and put together.
So, suppose you picked your grandmother’s name “Janet” and your childhood address of 443 Westview Drive; one way to approach this would be Jnt443WvDr
Or suppose you want to include the fact that the time 10am is important, you could:
Jnt443WDr1000a
or
443Wdr1000aJnt
For more security add punctuation:
443WvDr@1000a!Jnt
or
443WvDr@10:00aJnt!
One reason I recommend abbreviating is that words could be abbreviated any number of ways, and I tend to be paranoid about very sophisticated variances of the dictionary attack (just because it’s not out there yet….)
Soronel Haetir says (January 22, 2010, 12:02 am):
And here I’ve been happy with SHA on random file chunks and take a sequence that is more or less memorable.
anonyme says (January 22, 2010, 12:15 am):
Two passwords depending on importance of the website is what I use. (With variants when a website insists on a cap letter or punctuation or doesn’t like spaces.)
The first password is cheap, easy to type, protects accounts no one will break into anyway with no loss if they do (FARK account, xtube, hotair, pjm, redstate, lgf, freerepublic, rncleadershipcouncil, senate.gov, and volokh, dozens of other website accounts to comment on, etc.) (login account emails are usually directed to mailinator.)
The second password is hard to guess and put together much as Chris Travers suggests, although people who know me very very well couldn’t guess it, but could determine its meaning if it was given to them. (paypal, ebay, amazon, bank)
Important accounts have their passwords noted in a password protected encrypted app stored on my cellphone and desktop. The notation of a password is just a reminder, usually the first and last letters; I have to remember what the exact password is.
Chris Travers says (January 22, 2010, 12:27 am):
those are usually just hex strings, right?
Hope you don’t choose one like fee1dead ;-)
(That is the most memorable hex string I have seen, used to occur from some ACPI-related Linux crashes.)
theobromophile says (January 22, 2010, 12:32 am):
I use the “significant to me but meaningless to anyone else” method, then combine with numbers and symbols in a way that makes sense to me.
If some computer hacker can figure out my Labrador’s name and birthday, and whatever symbol makes sense to me to connect them, well, that person is more than welcome to use my Twitter account.
Tom T. says (January 22, 2010, 1:20 am):
Excessive complexity is counterproductive. My workplace requires a 12-character password, with a mix of capitals, lowercase, and special characters. We have to change it every three months, and we cannot reuse old passwords. At this level of complexity, I wonder how many people simply write theirs down in their desk drawer.
JohnKT says (January 22, 2010, 7:50 am):
Sigh. This is an old, old issue in computer security, and this is not the right place to discuss it. I will anyhow.
Back in the days of mainframes and 3270 terminals, the most common password in France was “bonjour.”
Somebody in the comments claimed that hashing the user password by an irreversible algorithm is a solution. No, it is not. It falls to a dictionary attack. I obtain the file of hashed passwords, and run 12345 and bonjour through the hash and see if it matches anything in the file.
Now, this is out of place in a lawyer’s blog, but here is one method of creating good passwords. It’s work, and too bad.
First, many web sites do not need strong passwords, for example my access to the Dallas Morning News. There isn’t a single piece of data on that site that belongs to me and should be protected. For such sites, use whatever is convenient and passes their restrictions for your password.
OTOH, some sites will contain your personal data that should be protected. For these sites you should generate a random password. And I mean random.
The objection to random passwords is that they are difficult to remember. I strongly disagree. I have been using random passwords for years with no trouble remembering them. It is like learning a new musical phrase, you practice the phrase a few times (I used to play the recorder and flute) and in little time your fingers know the stops or the characters (I’m also a touch typist).
For sites needing strong passwords, do not use the same password for more than one site. Your password, no matter how strong, may get compromised eventually. So, somebody in Tadzhikistan gets access to your T. Rowe Price account, but that password does not give access to your bank account.
Now, for how to generate a random password.
Use a number of dice, and a coordinate table like this:
    1 2 3 4 5 6
1   a 1 b 2 c 3
2   d 4 e 5 f 6
3   g 7 h 8 i 9
4   j 0 k l m n
5   o p q r s t
6   u v w x y z
You can mix the numbers and letters in the table as you please. I happen to use the American Cryptogram Association convention for placing the numerals, but that is not necessary.
Shake and roll the dice and select them two by two while taking pains not to observe them during selection. The reason is, the human mind cannot tolerate randomness, and if you look before you select you will try to make the picks random and thus screw it up. The digits 1 2 3 4 5 have exactly the same probability of occurring as a more random-seeming order. BTW, not being able to tolerate randomness is why you will remember a random password. Your mind will impose an order on it, be it just the alternation of numerals and letters.
Write the coordinates down in a row, and keep on shaking, rolling, and picking, until you have let’s say eight, then start the second row.
You should have something that looks like this:
Row dice:    4 4 1 5 1 3 6 6
Column dice: 6 2 2 3 1 3 4 2
Use the columns as the coordinates into your key table.
In this example we would get:
n 0 1 q a h x v
You may not be done. Web sites, in a mindless attempt to enforce good passwords, may reject the above password and demand mixed case, numerals, and punctuation marks. If so, flip a coin for each character, and make heads upper case and tails lower case for alphabetics, or numeral or punctuation for numbers (the 2 becomes an at sign, etc.).
Record your password. You can consider recording the password like keeping a key ring. I do not recommend encrypting your key ring because if your disk crashes you may lose the decryption key, and hence all your passwords.
BTW, it helps to constantly back up all your sensitive data on a memory stick so that if you need to bring your machine in for repairs, you have a clean computer.
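The dice-and-table procedure above, carried out in code as an added example (this is not the commenter's own program): the page's example rolls reproduce its result, an OS CSPRNG stands in for the dice and coin, and the shifted-digit map beyond the "2 becomes an at sign" case is an assumption.

```python
import math
import secrets

# The comment's 6x6 key table: KEY_TABLE[row - 1][col - 1]. Of each pair of dice,
# the first selects the row and the second the column.
KEY_TABLE = ["a1b2c3", "d4e5f6", "g7h8i9",
             "j0klmn", "opqrst", "uvwxyz"]

# Tails turns a digit into the character above it on a US keyboard. The comment only
# gives "the 2 becomes an at sign, etc.", so the rest of this map is an assumption.
SHIFTED_DIGITS = dict(zip("1234567890", "!@#$%^&*()"))


def table_lookup(row_dice, col_dice):
    """Map paired dice rolls (each 1..6) to the characters they address in KEY_TABLE."""
    if len(row_dice) != len(col_dice):
        raise ValueError("need one column roll for every row roll")
    if not all(1 <= d <= 6 for d in list(row_dice) + list(col_dice)):
        raise ValueError("dice values must be in 1..6")
    return "".join(KEY_TABLE[r - 1][c - 1] for r, c in zip(row_dice, col_dice))


def apply_coin_flips(password, heads):
    """Heads: upper-case letter or unchanged digit. Tails: lower-case letter or shifted digit."""
    if len(heads) != len(password):
        raise ValueError("need one coin flip per character")
    out = []
    for ch, is_heads in zip(password, heads):
        if ch.isalpha():
            out.append(ch.upper() if is_heads else ch.lower())
        else:
            out.append(ch if is_heads else SHIFTED_DIGITS[ch])
    return "".join(out)


def roll_password(length=8, with_coin=True):
    """The same procedure with the OS CSPRNG standing in for the dice and the coin."""
    rows = [secrets.randbelow(6) + 1 for _ in range(length)]
    cols = [secrets.randbelow(6) + 1 for _ in range(length)]
    password = table_lookup(rows, cols)
    if with_coin:
        password = apply_coin_flips(password, [secrets.randbelow(2) == 1 for _ in range(length)])
    return password


def entropy_bits(length=8, with_coin=False):
    """Each dice pair picks uniformly from 36 symbols; each coin flip adds exactly one more bit."""
    return length * (math.log2(36) + (1 if with_coin else 0))
```

Eight table characters give about 41 bits of guessing resistance, and the coin flips raise that to about 49, so the flips are worth doing even when a site does not demand them.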
Weblog » The Most Common Passwords says (January 22, 2010, 8:32 am):
[...] Your Password Is 123456, Just Make It HackMe at the NYT, via Orin Kerr. What security people don’t realize is that most people have nothing to steal, and for the [...]
Pete Freans says (January 22, 2010, 8:43 am):
A law enforcement agency that I work with has small temporary gun safes near their holding cells. Officers will temporarily place their weapons within the safes in order to frisk prisoners without the fear one may forcibly remove an officer’s weapon. The safe’s combination? 4-3-2-1.
Even a criminal can figure that out.
Maryanna says (January 22, 2010, 8:52 am):
JohnKT is right about the difficulty of creating a truly random number list – you will not want to take some things that come up randomly because they just won’t look random enough.
Dice are good, but I prefer a deck of cards. Shuffle a few times and you have a wonderful random-number generator. It is also easier on the mind to just take the top card than it is to avoid looking at the dice you just rolled. There are 54! possible ways for a deck of cards to be ordered. If you began reshuffling the deck once every second since the big bang, the universe is not old enough for you to have gotten a repeat order.
egd says (January 22, 2010, 9:02 am):
For random passwords, visit a site like goodpassword.com and generate one. AMgn48fk
Next, change a few letters or numbers to make it your own (and easier to type). ATgn48fi
Finally, write it down somewhere, and don’t use the “remember my password” feature on whatever website you’re visiting. If you have to type in the password every time, you’ll soon commit it to memory.
I have a number of passwords which I remember by keyword – work, financial (credit card for online statements), strong financial (banking), personal (email), weak personal (web forums), and PAIR (because I haven’t taken the time to change from the random assignment).
uh_clem says (January 22, 2010, 9:44 am):
At last count I have over 80 different passwords that I have to remember, and not only remember but remember which password goes with which app/site. And I have to remember the username that goes with it – I’m not uh_clem everywhere, you know.
How do I do this? I have no idea, but somehow I manage. Now if I could just remember where I put my car keys….
Snack McSnarkerston says (January 22, 2010, 10:15 am):
One thing to also consider – if the sensitive sites use a password reset function… This is how Palin’s not-sensitive-but-very-newsworthy Yahoo account got hacked. The kid figured out the answers to her Challenge questions for a pw reset, such as mother’s maiden name… You should have clever answers for those as well that are not easily guessed.
Dan Weber says (January 22, 2010, 10:39 am):
Sometimes forgetting the password is made painful. I forgot my password to a .gov website several years ago, and I need to get my bank to authenticate who I am before they will reset anything. I simply haven’t bothered even though I have something valuable stored there. It will keep.
mischief says (January 22, 2010, 11:30 am):
If the officer can’t stop him in the time to get to the safe and dial it — we’ve got bigger problems.
Mark Horning says (January 22, 2010, 12:11 pm):
How did you know the password to my voicemail?
The only reason it’s 123456 is because they (the company) made us have one in the first place.
Paul McKaskle says (January 22, 2010, 12:42 pm):
I think the problem with several sets of complicated passwords is that the user either can’t remember them or simply writes them down where they can be found. I agree, however, that a password which is simply 123456 or the like is foolish.
I have a very limited knowledge of how most of the attempts to break into someone’s account work, but I have always presumed it is mostly by trying hundreds of obvious combinations in a minute or so. If so, perhaps a better way to protect would be to limit the number of attempts in an hour. My TIAA-CREF account will only allow three incorrect passwords before “freezing” access for an hour. Thus trying hundreds of likely combinations to find out which one works would not work.
I presume the proprietor of the account to be accessed (e.g., a bank, Amazon.com) would have to institute the controls, just as TIAA-CREF has done. It may be that this wouldn’t solve all of the problems, but perhaps it would solve at least an appreciable amount of them. But my knowledge of computers is sufficiently limited to know if this is a realistic solution. (On the other hand, why does TIAA-CREF use this technique if it isn’t effective?)
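The control described in this comment (three wrong passwords, then an hour's freeze), written out as an added example that is not TIAA-CREF's code or the commenter's; the class name, the injectable clock and the `verify` callback are assumptions made so the logic can be exercised offline.

```python
import time
from collections import defaultdict

# Policy described in the comment: three wrong passwords in a row freeze the account for an hour.
MAX_FAILURES = 3
FREEZE_SECONDS = 3600


class LoginThrottle:
    """Per-account failure counter with a freeze window. `clock` is injectable so tests can advance time."""

    def __init__(self, max_failures=MAX_FAILURES, freeze_seconds=FREEZE_SECONDS, clock=time.time):
        self.max_failures = max_failures
        self.freeze_seconds = freeze_seconds
        self.clock = clock
        self.failures = defaultdict(int)  # account -> consecutive wrong passwords
        self.frozen_until = {}            # account -> time at which the freeze ends

    def is_frozen(self, account):
        until = self.frozen_until.get(account)
        if until is None:
            return False
        if self.clock() < until:
            return True
        # Freeze expired: clear it and start counting from zero again.
        del self.frozen_until[account]
        self.failures[account] = 0
        return False

    def attempt(self, account, password, verify):
        """Return 'frozen', 'ok' or 'bad'. A frozen account is refused before the password
        is checked, so nothing about the password is learned while the freeze lasts."""
        if self.is_frozen(account):
            return "frozen"
        if verify(account, password):
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.frozen_until[account] = self.clock() + self.freeze_seconds
        return "bad"
```

Because the freeze is keyed on the account, three deliberate wrong guesses lock the real owner out too, so deployments pair this with per-source limits or a second factor rather than relying on it alone.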
snopercod says (January 22, 2010, 1:36 pm):
I kinda’ like the way my online brokerage service handles password security. They issue their customers a little RSA keychain security device which generates a new six-digit number every thirty seconds and displays it in an LCD window. Those six digits must be appended to one’s password in order to log in.
Pintler says (January 22, 2010, 3:52 pm):
AIX used to use ‘deadbeef’ in similar circumstances.
FWIW, my experience was different. I was a sysadmin on an IBM mainframe where passwords were stored in plaintext. I was routinely surprised when nice little old ladies used quite risque passwords.
Note to self: start ultimatesecurepasswords.com, and always reuse the same handful of passwords :-). [the concept of asking a third party for a password seems really odd to me]
petB says (January 23, 2010, 9:39 am):
As the Slovak police were mentioned here already: a few years ago hackers broke into servers of the Slovak National Security Authority (something like the FBI) – its name in Slovak is NBU (Narodny Bezpecnostnu Urad) – using user name ‘admin’ and password ‘nbu123’.
JohnKT says (January 23, 2010, 5:05 pm):
That one is great, truly great! Any documentation on it? I’d like to point Bruce Schneier to it if so.
petB says (January 23, 2010, 5:43 pm):
I looked this up and I did not remember it correctly: the user was ‘nbusr’ (as in NBU of the Slovak Republic) and the password ‘nbusr123’, though it is known as the “nbu123 affair.” Googling it shows a lot of Slovak articles; here is one in English:
http://blogs.zdnet.com/Ou/?p=202
Here is the hackers’ description of what they did, including logs, in Slovak:
http://blackhole.sk/node/442
In short, through a hole in the webmail interface they got a list of users, noticed the ‘nbusr’ user, tried the password nbusr123 and got in. The user seems to have had su privileges, so they had unlimited access to all data; on the machine they found a backup application that has hard-coded root access passwords to other machines in the NBU network.
At the bottom is one of the mails they downloaded saying something like “… how are you doing in London? Here in the headquarters we really do not suffer from hard work…” :-)
phishing worse problem than guessing says (January 23, 2010, 7:20 pm):
The common password problem has a solution installable within your browser.
You can activate this protection by pressing F2 before you type your password, or by choosing passwords that start with @@. Or go to this website which runs a javascript on your computer: pwdhash.com
January 24, 2010, 9:14 pm