Password Myths

Posted on August 10, 2011

XKCD always has something interesting and funny to say.  This one made me think a bit:

We all know longer beats more complex, but we rarely do it in practice. I've seen plenty of passwords in my time and they are almost always 6-8 chars. Why? Lowest common denominator, of course: most people (even IT people) re-use the same password over and over, so they pick one that works with everything, meaning 8 chars long with an alphanumeric mix.

I remember the first time I used a program that supported and encouraged long passwords: it was PGP, which called them pass phrases. Frankly, I wish every use of the word "password" were replaced with "pass phrase", as it instantly changes your perception into something more useful.

Most UNIX systems now use SHA or MD5 as the default password hashing scheme, which allows up to 255 chars for your password, so length is no longer a limitation there (the old DES-based crypt silently ignored everything after the eighth character). But what about most web sites? I thought I'd use the model XKCD offers as a test. I created a pass phrase that is simply my 4 favorite things, in order, with spaces in between and the first char of each word capitalized. No digits, no punctuation. The 4 words plus spaces come out to 29 chars. Then I changed my password on some popular sites to see if it would work. Here are the results:

  • Facebook: Works
  • Google (Gmail/Youtube): Works
  • Twitter: Works, but spaces are not allowed.
  • Yahoo (Yahoo Mail): Works (See below)
  • Reddit: Works
  • Digg: Works

Funny thing happened when I changed my Yahoo password: it switched my language preference to Vietnamese for some reason. And, to make it all the more bizarre, there is no obvious place to change my language preference back. I guess I'll have to use Google Translate to fix my Yahoo account.

So, go ahead, change your password to something easier to remember and more secure, and let go of your old standby.
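As an added example (not code from the original post), here is a small Python script that generates an XKCD-style pass phrase with the `secrets` CSPRNG, reports how many bits of entropy the word choices actually give you, and checks the result against the kind of site limits found above (a maximum length, or no spaces as on Twitter). The 16-word list is constructed for illustration only; a real generator needs a list of thousands of words. The entropy figures also assume the words are chosen at random, which "my four favorite things, in order" are not: an attacker who knows that scheme is guessing from a much smaller space.

```python
import math
import secrets

# Constructed sample list for illustration only (assumption: a real generator
# uses a list of thousands of words, e.g. a diceware list). With 16 words each
# word contributes only log2(16) = 4 bits.
WORDLIST = [
    "correct", "horse", "battery", "staple", "river", "candle", "orbit", "walnut",
    "copper", "meadow", "pillow", "tiger", "lantern", "velvet", "anchor", "maple",
]


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` symbols, each chosen uniformly from `choices` possibilities."""
    return length * math.log2(choices)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected search time: on average the attacker tries half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second


def make_passphrase(words, count=4, separator=" ", capitalize=True):
    """Pick `count` words at random with a CSPRNG and join them.

    Returns (passphrase, entropy_bits). Capitalisation and the separator are
    fixed by the scheme, so they add no entropy; only the word choices count.
    """
    chosen = [secrets.choice(words) for _ in range(count)]
    if capitalize:
        chosen = [w.capitalize() for w in chosen]
    return separator.join(chosen), entropy_bits(len(words), count)


def fits_site(passphrase, max_len=None, allow_spaces=True):
    """Check a pass phrase against the kind of limits the post ran into."""
    if max_len is not None and len(passphrase) > max_len:
        return False
    if not allow_spaces and " " in passphrase:
        return False
    return True


def compare(guesses_per_second=1e9):
    """Compare the strategies discussed in the post at a given offline guessing rate.

    The 8-char alphanumeric figure assumes every character is random, which is
    the best case for that strategy; human-chosen 8-char passwords are far weaker.
    """
    rows = {
        "8 random alphanumeric chars": entropy_bits(62, 8),
        "4 random words from a 2048-word list": entropy_bits(2048, 4),
        "4 random words from this 16-word list": entropy_bits(len(WORDLIST), 4),
    }
    return {name: (bits, expected_crack_seconds(bits, guesses_per_second))
            for name, bits in rows.items()}


if __name__ == "__main__":
    phrase, bits = make_passphrase(WORDLIST)
    print(f"{phrase!r}: {bits:.1f} bits; spaces ok: {fits_site(phrase)}; "
          f"no-space site: {fits_site(phrase, allow_spaces=False)}")
    no_space, _ = make_passphrase(WORDLIST, separator="")
    print(f"{no_space!r} fits a no-space site: {fits_site(no_space, allow_spaces=False)}")
    for name, (b, secs) in compare().items():
        print(f"{name}: {b:.1f} bits, ~{secs / 3600:.1f} hours at 1e9 guesses/s")
```

Note that the four-random-words figure (44 bits from a 2048-word list) is slightly below a truly random 8-character alphanumeric password (about 47.6 bits); the point is that a pass phrase reaches that strength while still being something you can remember, whereas the 8-character password you actually remember is nowhere near random. For a site that rejects spaces, pass `separator=""` and rely on the capital letters to mark the word boundaries.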

PS: If you're managing systems... for heaven's sake, turn on account locking (with a threshold and lockout window that don't let an attacker lock your users out at will; rate limiting is the alternative if you can't tolerate lockouts) and consider adding a second factor such as Duo.