Password Myths

XKCD always has something interesting and funny to say.  This one made me think a bit:

We all know longer is better than more funky, but we rarely do it in practice.  I’ve seen plenty of passwords in my time and they are almost always 6-8 chars. Why?  Least common denominator, of course: the truth is that most people (even IT people) re-use the same password over and over, so they pick one that works with everything, meaning 8 chars long with an alphanumeric mix.

I remember the first time I used a program that supported and encouraged long passwords… it was PGP, which called them pass phrases.   Frankly, I wish all use of the word “password” was replaced with “pass phrase” as it instantly changes your perception into something more useful.

Most UNIX systems now use SHA or MD5 as the default scheme, which allows up to 255 chars for your password.  So that’s not a limitation anymore.  But what about most web sites?   I thought I’d use the model XKCD offers as a test.  I created a pass phrase that is simply my 4 favorite things, in order, with spaces in between and the first char of each word capitalized.  No digits, no punctuation.  The 4 words plus spaces come out to 29 chars.  Then I changed my password on some popular sites to see if it would work.  Here are the results:

  • Facebook: Works
  • Google (Gmail/Youtube): Works
  • Twitter: Works, but spaces are not allowed.
  • Yahoo (Yahoo Mail): Works (See below)
  • Reddit: Works
  • Digg: Works

Funny thing happened when I changed my Yahoo password: it switched my language preference to Vietnamese for some reason.  And, to make it all the more bizarre, there is no obvious place to change my language preference back.  I guess I’ll have to use Google Translate to fix my Yahoo account.

So, go ahead, change your password to something easier to remember and more secure, and let go of your old standby.

PS: If you’re managing systems… for heaven’s sake, turn on account locking and consider using Duo.

14 Responses to “Password Myths”

  1. tim says:

    The biggest enemy of decent passwords is forcing people to change them every 90 days – which is required by many regulations. It’s silly and has to stop. Until that changes advice like this is meaningless.

    And two-factor authentication only protects you from some attack vectors and increases costs so it’s not the “holy grail” that people make it out to be.

  2. Ted Wise says:

    I use 1Password to manage my passwords. In general, a brute force attack of your password is the unlikely attack vector. It’s more likely that a site will be compromised and your password revealed. So you should use unique passwords on each site.

    The other problem with pass phrases is what you intimated. Many sites won’t allow them. Between max lengths, forced use of numerics and symbols and restrictions on spaces it’s a PITA.

    Pass phrases are therefore most useful for machine logins and keystore passwords.

  3. JeremyT says:

    Ted is right – it’s crucial to use different passphrases on each site (or at least, use different passphrases on each site that has any value). For a while I would do something similar to what Ben does, with the addition of inserting a term that I associate with the site in question into the string, but even that becomes overwhelming eventually.

    I’ve given up trying to remember things – now I just use keepass. I have a master passphrase and a key, and when I encounter a new site I just let keepass generate the most complex random password the site will accept. I keep the keepass database itself in a git repo which I can sync to my smartphone, too.

  4. UX-admin says:

    “PS: If your managing systems… for heavens sake, turn on account locking and consider using Duo.”

    Considered it. I don’t trust them.

    SmartCards or SIM cards are the way to go:
    http://www.gemalto.com/brochures/download/safesite_pc.pdf

    Note that Solaris is supported.

    • benr says:

      The beauty of Duo is that you aren’t trusting them… you’re trusting yourself.

      As for SmartCard support, I’d love to see someone demonstrate how it works in the real world for SSH connections on OSX and/or Solaris. No one’s done it. I don’t feel like buying the hardware until I can see it for real.

      Regardless, I don’t think any SmartCard solution is as secure as Duo… no way no how.

  5. Daniel says:

    One of my banks made some progress towards pass phrases: they forbid non-alphanumeric chars.

    Except they also will only accept 12 char passwords…. I try not to keep much money in that bank.

  6. For security reasons you should use 5 words instead of 4:
    http://twitter.theinfo.org/101343280771506176

    ( and of course don’t only use your favorite words :P )

  7. Sea Comet says:

    Hi, just like to point out that Steve Gibson did a great analysis on this topic in his SecurityNow podcast. His recommendation is to use a mix of cases, numbers, symbols and pad the password to a good length. Something like this : MyW1f!!!!!!!!!!

  8. UX-admin says:

    “As for SmartCard support, I’d love to see someone demonstrate how it works in the real world for SSH connections on OSX and/or Solaris. No one’s done it. I don’t feel like buying the hardware until I can see it for real.”

    I have been using SmartCards for authenticating myself and Solaris host-to-host for years, and it was Schlumberger, which then merged into Axalto, which then became Gemalto, that we used. On Solaris.

    In fact, we have gone as far as authenticating directly at Oracle plsql client via a certificate on the SmartCard.

    If you want to hire me to implement it for your organization, I will. Then you can believe it.

  9. It is understandable that money makes people independent. But how to act if somebody has no cash? The one way is to try to get a loan or just a financial loan.

  10. Scott R says:

    Ben, did you happen to check whether the sites that “work” with long passwords actually pay attention to anything past the eighth character? Obviously the longer pass phrases only create additional entropy if all the characters are significant.
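    Two things worth putting into code here: the entropy comparison the post borrows from the XKCD model (L5/L9), and Scott R’s question of whether a backend honours anything past the eighth character. This is an added example, not the author’s or any site’s code; the 2048-word dictionary is the comic’s assumption, and both verifiers are constructed stand-ins (a legacy one that truncates like DES crypt(3), a modern one that hashes the whole string).

```python
import hashlib
import math


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent choices from `alphabet_size` symbols,
    assuming the attacker knows the construction (the XKCD threat model)."""
    return length * math.log2(alphabet_size)


def compare_styles(words: int, dictionary_size: int = 2048) -> dict:
    """8-char alphanumeric (62 symbols) vs. a passphrase of `words` words
    drawn from a dictionary of `dictionary_size` entries (2048 is the comic's)."""
    return {
        "alnum8": round(entropy_bits(62, 8), 1),
        f"words{words}": round(entropy_bits(dictionary_size, words), 1),
    }


# Constructed verifiers: SHA-256 over a fixed salt is only a stand-in so the
# truncation behaviour is visible; it is not a recommended password hash.
SALT = b"constructed-salt"


def legacy_hash(pw: str) -> bytes:
    """Hypothetical legacy backend: silently keeps only the first 8 characters."""
    return hashlib.sha256(SALT + pw[:8].encode()).digest()


def modern_hash(pw: str) -> bytes:
    """Hypothetical modern backend: every character of the password counts."""
    return hashlib.sha256(SALT + pw.encode()).digest()


def significant_length(hash_fn, password: str) -> int:
    """How many leading characters the verifier actually honours.

    Flip each character in turn; the first position whose change still
    matches the stored hash is ignored by the backend (prefix truncation).
    """
    stored = hash_fn(password)
    for i, ch in enumerate(password):
        flipped = "b" if ch != "b" else "c"
        mutated = password[:i] + flipped + password[i + 1:]
        if hash_fn(mutated) == stored:
            return i
    return len(password)
```

    Run `significant_length` against your own authentication backend (or a site you administer) with a long test passphrase: a result of 8 on a 25-character input means the extra words add no entropy at all.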

  11. coach outlet says:

    Thanks for sharing, good article. I like it, I’m looking forward to reading other articles.

  12. moncler says:

    I read with great interest. Thanks for your sharing.