Comments

1
Oh, please.

Most passwords you get from using the default settings, plus people who use stupid defaults.

Just use a word not in the dictionary, stick a number in it, and you're golden.

E.g. c00k13 instead of cookie.

Although never use any form of the top 5 passwords, like ... password.
2
Right now I use 15 character unique random alphanumeric passwords for everything, but what happens in 10 years when processors are powerful enough to brute force 15 character hashes? Do we start using 25 character hashes instead? Why is moving this increasingly infeasible line the correct solution when we should be investigating methods of authentication that do not require users to memorize long random strings?
3
Will do!

Goodbye: password1
Hello: password2
4
TLDR
5
@3 is why most droid phones are hacked today ...

Why not just use Urqutha2Forka instead?

@2 depends on the encryption. Most password locks are 256 key, some are 128 key, but you also get them from sniffing unencrypted web logins at cafes and public places when people use their cellphones to login to their bank accounts. You get that by using root and admin on the router and sniff the traffic. You'd be surprised how few people ever change the defaults.
6
@2 - I already do: https://lastpass.com/ That's not an ad--there are other password managers out there, but it's what I use. You get a browser plug-in that works with every major browser in Mac/Win/Linux plus a phone app. You create one secure password that you memorize and that unlocks your password database and auto-enters your password in your browser based on the site. Every site I use has a different 15-25 character randomly generated password.

I started using it after both Gawker and some local park district had their account information stolen within a 6-month period. I used those passwords across several sites and had to track all them down. I probably still didn't find them all. The passwords were secure-ish, but I used them for years.

Now if a site is hacked, I'll just change the password for that site to another 20-character random string. No other site I use will be compromised. If those become crackable in 5 years, I'll up everything to 60 characters. Or 100. Whatever the site supports.

Of course, LastPass itself could become compromised and I'll be thoroughly fucked. But they're probably more concerned with security and privacy than Gawker or some obscure park district.
7
#1, this kind of letter/number substitution is mentioned in the article. A lot of people apparently do this, and while it takes a lot of brute force to break long passwords with multiple substitutions, the common ones like zero for the letter "o" and one for the letter "l" are known quantities.
8
correct horse battery staple!

http://xkcd.com/936/
9
@3 - ha ha ha ha ha thank you.
10
@7 which is why I used 3.

Look, I know you're too lazy to do anything difficult, like take an uncommon word from another language and translate it into a different language and then embed a digit in the middle and at the end. Cause, well, you're too lazy.

Which is why they just ended the sales tax exemption for online transactions today in the US Senate. Cause, well, you're lazy.
11
@8 I was wondering how long it would take someone to link to one of my favorite xkcd strips!
12
@1 Will, you're wrong. Replacing letters with numbers doesn't make it any more secure, it's just an easy, lazy way to meet corporate complexity requirements. All the dictionary lists used in brute-force password attacks include the common numeric letter substitutions.
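To show what comments 7 and 12 mean by "the substitutions are in the dictionary", here is an added example (not code posted by anyone in this thread) of a rules-based dictionary attack against unsalted MD5 digests. The leaked hash list is constructed inline for the demo, and the substitution and suffix tables are assumptions modelled on the kind of rules crackers ship with; real wordlists and rule sets are vastly larger.

```python
"""Dictionary attack with leet-speak and suffix rules against unsalted MD5.

Added example; not code from the thread. The "leaked" hash list is constructed
here for the demo, and the rule tables are assumptions for illustration.
"""
import hashlib
from itertools import product

# Assumed rule set: each letter may stay as-is or be swapped for a leet form.
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}

# Assumed suffix rule: bare word, a single digit, "123", or "!".
SUFFIXES = [""] + [str(d) for d in range(10)] + ["123", "!"]


def md5hex(s: str) -> str:
    """Unsalted MD5 hex digest, the weak storage format under discussion."""
    return hashlib.md5(s.encode()).hexdigest()


def leet_variants(word: str):
    """Yield every combination of leet substitutions, original included."""
    choices = [(c, LEET[c]) if c in LEET else (c,) for c in word.lower()]
    for combo in product(*choices):
        yield "".join(combo)


def candidates(word: str):
    """Expand one base word through substitution, capitalisation and suffix rules."""
    for variant in leet_variants(word):
        for form in (variant, variant.capitalize()):
            for suffix in SUFFIXES:
                yield form + suffix


def crack(target_hashes, wordlist):
    """Return {hash: plaintext} for every target the rule set recovers."""
    remaining = set(target_hashes)
    found = {}
    for word in wordlist:
        for cand in candidates(word):
            h = md5hex(cand)
            if h in remaining:
                found[h] = cand
                remaining.discard(h)
        if not remaining:
            break
    return found


# Constructed "leak": three unsalted MD5 digests as a careless site might store them.
LEAKED = [
    md5hex("c00k13"),
    md5hex("password1"),
    md5hex("correct horse battery staple"),
]
# Tiny stand-in for the multi-million-entry lists of real passwords crackers use.
WORDLIST = ["password", "cookie", "monkey", "dragon", "letmein"]

if __name__ == "__main__":
    hits = crack(LEAKED, WORDLIST)
    for h in LEAKED:
        print(h, "->", hits.get(h, "<not recovered>"))
```

Five base words expanded through a handful of rules produce roughly two thousand candidates, and both "c00k13" and "password1" fall out of them in milliseconds; the four-word passphrase does not, because no rule in this set assembles it. The check a practitioner should take away is that a password only counts as strong if it is not reachable from a wordlist entry by a small number of mechanical rules.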
13
The GPU cracking programs are extremely fast, large files of millions of actual passwords exist (and almost every clever trick is in there), and rainbow tables exist of ALL possible MD5 encrypted passwords below certain lengths.

20-character SHA hashes of random characters may well be OK for now. Haven't checked in a couple years. Too depressing. Many sites won't accept them of course. Some quietly truncate.

Now: do your system admins, the companies making network equipment and endpoint equipment use passwords to good standards?

For sanity's sake 2-factor allows relatively human-friendly passwords. Google and Apple, among others, support that through cellphones for example.

Apple perhaps by way of apology for not encrypting AppleID transmission until now.
14
One day in the not so distant future I will give away my slog password, then you all can pretend to be me.
15
I mostly switched over to using KeePass to generate 32-character passwords requiring special characters, spaces, and high-ANSI characters + additional entropy, like this:

"J?yNòh•´J<<ëcs~n–—&#ìÍÃ8¾Ðåþ¸7"

I don't expect to be cracked anytime soon by script kiddies using programs like the ones used in the Ars article.
16
So, srsly...

Isn't the solution for site operators to lock an account after a certain number of bad guesses, or at least to impose a long delay on allowing another attempt? A 20 second timeout changes your 1000 guesses a second to 0.05 guesses a second, or like a million years to guess "cat123."
17
16, you are correct. What the Ars Technica article was referring to was not really cracking someone's password, but cracking the "hash" of a password. A hash is a scrambled way of storing your password, used by banks etc. So after cracking the hash codes, they were left with a list of passwords - great. But you can't really do anything with it. I could name twenty common passwords right now but it won't get me the money in your bank account, in large part because of what #16 mentions: most logins force a longer and longer delay with each try, or lock you out after three tries.
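The online throttling that comments 16 and 17 describe, as an added example (not code from either commenter): per-account delays that double after each failure and escalate to a lockout. The credential store, PBKDF2 parameters and delay values are assumptions chosen for the demo; the clock is passed in so the behaviour can be checked without sleeping.

```python
"""Per-account login throttling with escalating delay and lockout.

Added example, not from the thread. User store and parameters are constructed
for the demo; `now` is supplied by the caller so no real waiting happens.
"""
import hashlib
import hmac
import os

_PBKDF2_ITERS = 50_000          # assumption for the demo; production uses more
_USERS = {}                     # username -> (salt, pbkdf2 hash); constructed store


def add_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ITERS)
    _USERS[username] = (salt, digest)


def verify(username: str, password: str) -> bool:
    """Slow-hash comparison; unknown users still cost a hash so timing doesn't
    reveal which usernames exist."""
    rec = _USERS.get(username)
    if rec is None:
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, _PBKDF2_ITERS)
        return False
    salt, stored = rec
    return hmac.compare_digest(
        stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ITERS)
    )


class LoginThrottle:
    """Tracks failures per account and refuses attempts until a deadline."""

    def __init__(self, verify_fn, base_delay=20.0, max_delay=300.0,
                 lockout_after=10, lockout_seconds=900.0):
        self._verify = verify_fn
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout_after = lockout_after
        self.lockout_seconds = lockout_seconds
        self._state = {}        # username -> (failure count, not_before timestamp)

    def attempt(self, username: str, password: str, now: float):
        """Return (status, seconds_to_wait); status is ok, denied or throttled."""
        failures, not_before = self._state.get(username, (0, 0.0))
        if now < not_before:
            # Inside the penalty window: do not even check the password.
            return "throttled", not_before - now
        if self._verify(username, password):
            self._state.pop(username, None)
            return "ok", 0.0
        failures += 1
        if failures >= self.lockout_after:
            wait = self.lockout_seconds
        else:
            wait = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[username] = (failures, now + wait)
        return "denied", wait


def attacker_guess_rate(base_delay: float) -> float:
    """Best case for an online guesser against one account, in guesses/second."""
    return 1.0 / base_delay


if __name__ == "__main__":
    add_user("alice", "correct horse battery staple")
    throttle = LoginThrottle(verify, base_delay=20.0, lockout_after=4)
    clock = 0.0
    for guess in ["cat123", "password1", "c00k13", "letmein", "correct horse battery staple"]:
        status, wait = throttle.attempt("alice", guess, now=clock)
        print(f"t={clock:7.1f}s  {guess!r:32} -> {status} (wait {wait:.0f}s)")
        clock += wait
```

Two caveats a practitioner would add. First, this only slows an attacker who must talk to the server; it does nothing once the hash database has been copied, which is the scenario the Ars article and comment 20 are about. Second, per-account throttling does not stop spraying one common password across many accounts, and an aggressive lockout lets anyone deny service to a victim by deliberately failing their login, so IP- and global-rate limits and a slow password hash are needed alongside it.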
18
@17 right, but if you use the same password for your bank as you do on donutforums.com then if a hacker gets the password hash from the latter and cracks it then your bank account is likewise compromised. Password reuse is one of the main ways to get hacked these days.
19
bitwise @2:

Right now I use 15 character unique random alphanumeric passwords for everything, but what happens in 10 years when processors are powerful enough to brute force 15 character hashes? Do we start using 25 character hashes instead? Why is moving this increasingly infeasible line the correct solution when we should be investigating methods of authentication that do not require users to memorize long random strings?
Because increasing password length exponentially increases the amount of time it takes to crack it, while processor speed increases are linear. A 15 character passphrase that isn't a common phrase taken from a book or otherwise predictable (your kid's full name, for instance) is very secure, even more so if you mix case, add numbers, add symbols, or otherwise increase the number of guesses required for each character in the phrase.

Using zxcvbn as an estimator (one of the better strength estimators available): cracking a 14 character, all lowercase password like 'port star cows' through brute force takes something on the order of 10 years when working back from the hash. Capitalizing each word or adding a comma or a number pushes the time to centuries. Part of this depends on the hashing algorithm used to create the password hashes - some are quicker to crack than others, and many companies still foolishly use those ones.

On the other hand, Will's example @1, 'c00k13', takes less than a fifth of a second, in part because it's an example of a technique that crackers like Hashcat explicitly check for - leetspeak replacement. What's more, his reply @10 is equally silly. Translating an obscure word from a foreign language into another language just gets you another, perhaps less-obscure, perhaps shorter word in a different foreign language, not more security. If you took "forest" and translated it into French, then German, then Spanish, and back into English, you (ideally) get 'forest' back and the password cracker doesn't need to know that you spent some time with Google Translate before entering 'forest.' And if you left it in German, you'd have 'wald,' which is a) not harder to guess because you started with 'forest' and b) much shorter than 'forest' and computationally much easier to crack. And finally, the dictionaries that password crackers use aren't the Oxford English Dictionary, they're collections of passwords that people have used in the past, which is a very different thing, and means that his 'pierogie3' suggestion is potentially extremely common, since people all over the world use computers, passwords, and the internet.

That's the point of the xkcd comic - length trumps complexity. Most password cracking these days is done working back from the hash using brute force, so increasing the number of guesses required is the way to go.

To illustrate the numbers: the search space for a password of one character that only accepts lowercase alphabetic characters is 26. So the maximum guesses required for a computer are 26. If the password is 2 characters long, the maximum guesses required is 702 (26*26 for a 2 character password, + 26 for a possible 1 character password - the cracker doesn't know the length of the password). If the password is 3 characters, it's 18,300. For 4 characters, it's 475,254. At 10 characters it's more than 146 trillion guesses. That's actually not huge - it only takes about 10 hours to crack that password using a moderately powerful setup. But when you get to 15 characters, it takes 555 years. If you're really worried, bitwise, add another character. That jumps you to 144 centuries. And that's with only lowercase characters. Source: Gibson.

For most people, a tool like LastPass is a great way to ensure that you're secure. It means that no single security breach renders any of your other sites vulnerable, and it lets you generate passwords that aren't vulnerable to brute force approaches.
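The search-space arithmetic in the comment above, carried through as an added example (not the commenter's code or Gibson's calculator). The guess rate is an assumption for illustration, roughly what an offline attack on a fast unsalted hash achieves on commodity GPUs; it goes beyond the comment by also computing the word-level search space of a random passphrase, which is how a cracker actually attacks "correct horse battery staple".

```python
"""Brute-force search-space and worst-case time arithmetic.

Added example, not from the thread. Rates are assumptions, not measurements.
"""

LOWER = 26                      # a-z
LOWER_UPPER = 52                # a-z, A-Z
ALNUM = 62                      # plus digits
PRINTABLE = 95                  # all printable ASCII

SECONDS_PER_YEAR = 365.25 * 86400
OFFLINE_FAST_HASH = 1e11        # assumed guesses/s, unsalted MD5/SHA-1 on GPUs
ONLINE = 1e3                    # assumed guesses/s against an unthrottled login


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Candidates of length 1..max_len. The attacker does not know the length,
    so every shorter length is part of the worst case."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def passphrase_keyspace(dictionary_words: int, word_count: int) -> int:
    """Random words drawn from a known list: the unit of guessing is the word,
    so the letters in each word add nothing."""
    return dictionary_words ** word_count


def worst_case_seconds(space: int, guesses_per_second: float) -> float:
    return space / guesses_per_second


def worst_case_years(space: int, guesses_per_second: float) -> float:
    return worst_case_seconds(space, guesses_per_second) / SECONDS_PER_YEAR


def human(seconds: float) -> str:
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.2f} seconds"


def compare(guesses_per_second: float = OFFLINE_FAST_HASH) -> dict:
    """Worst-case seconds for a set of representative policies at one rate."""
    return {
        "6 alphanumeric (cat123)": worst_case_seconds(keyspace(ALNUM, 6), guesses_per_second),
        "10 lowercase": worst_case_seconds(keyspace(LOWER, 10), guesses_per_second),
        "15 lowercase": worst_case_seconds(keyspace(LOWER, 15), guesses_per_second),
        "16 lowercase": worst_case_seconds(keyspace(LOWER, 16), guesses_per_second),
        "15 alphanumeric (bitwise)": worst_case_seconds(keyspace(ALNUM, 15), guesses_per_second),
        "4 random words of 2048": worst_case_seconds(passphrase_keyspace(2048, 4), guesses_per_second),
        "6 random words of 7776 (diceware)": worst_case_seconds(passphrase_keyspace(7776, 6), guesses_per_second),
    }


if __name__ == "__main__":
    for rate, label in ((ONLINE, "online, 1,000/s"), (OFFLINE_FAST_HASH, "offline fast hash, 1e11/s")):
        print(f"--- {label} ---")
        for policy, secs in compare(rate).items():
            print(f"{policy:36} {human(secs)}")
```

Two things the numbers show that the comment only hints at. The 15-character lowercase figure (about 550 years at 1e11 guesses/s) and the 16-character one (about 144 centuries) match the comment's Gibson-derived values, confirming that each extra character multiplies the work by the alphabet size. The caveat is that a four-word passphrase from a 2,048-word list is 2^44 candidates, which takes a few minutes at the assumed offline rate against a fast unsalted hash; the xkcd strip's "550 years" assumes 1,000 guesses/s. Length beats complexity against an online attack or a properly slow hash (bcrypt, scrypt, PBKDF2 with a high iteration count); against a leaked MD5 table, only a genuinely large search space or a slow hash saves you.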
20
rubus @17: Unless they have that list of hashes that accompanies a list of account names. Say, from having hacked into your bank. Or Amazon. Or whoever. These sorts of password losses happen all the time. It's not clear how often it happens and goes unreported, but the sheer volume of reported incidents should make you want to have a secure password. If your bank loses your login name and password hash, the only thing standing between your bank account and the crackers who got your information is the strength of your password. 'wisebit subur will' is going to keep your cash a damn sight safer than 'c00k13'.