xkcd take on passwords
- DaddyHoggy
- Intergalactic Spam Assassin
xkcd take on passwords
Love this - and so true - in the MOD we had an enforced password system that randomly generated a password every 30 days in the following pattern:
consonant vowel consonant consonant vowel consonant number number consonant vowel consonant consonant vowel consonant number number (i.e. holpij63wubgoq71*)
And Security wondered why they kept finding them written down on post-it notes and stuck to the desk underneath the keyboard.
http://xkcd.com/936/
* I did get fukpis69 as the first part of my password once - so it wasn't all bad!
Oolite Life is now revealed here. Selezen wrote: Apparently I was having a DaddyHoggy moment.
- drew
- ---- E L I T E ----
Re: xkcd take on passwords
In a previous life I was a security consultant. I visited one customer site to do an ISO27001 audit (yawnarama for most of the time). However, one of the managers said it was pointless because their security was (and I quote) 'airtight'. High strength passwords, key gens etc.
I nodded and bet him lunch I could get access to one of their desktops within the hour. He scoffed.
Walked up and down a large major building society with their headquarters in Swindon way, looking for post-it notes. I was in within 5 minutes and sent him an email from one of his own computers.
He was not amused.
Cheers,
Drew.
- Disembodied
- Jedi Spam Assassin
Re: xkcd take on passwords
From Charles Stross's short "Laundry" story "Concrete Jungle":
"Didn't they know that the only unhackable computer is one that's running a secure operating system, welded inside a steel safe, buried under a ton of concrete at the bottom of a coal mine guarded by the SAS and a couple of armoured divisions, and switched off?"
- DaddyHoggy
- Intergalactic Spam Assassin
Re: xkcd take on passwords
Disembodied wrote: From Charles Stross's short "Laundry" story "Concrete Jungle":
"Didn't they know that the only unhackable computer is one that's running a secure operating system, welded inside a steel safe, buried under a ton of concrete at the bottom of a coal mine guarded by the SAS and a couple of armoured divisions, and switched off?"
That's the 2nd time I've heard the name of Charles Stross in a week; I'm obviously meant to go and seek out some of his work!
- Disembodied
- Jedi Spam Assassin
Re: xkcd take on passwords
DaddyHoggy wrote: That's the 2nd time I've heard the name of Charles Stross in a week; I'm obviously meant to go and seek out some of his work!
You can't argue with fate ... he makes a lot of his stuff available free online, too, so you can try before you buy! The "Laundry" series is good tongue-in-cheek fun, although it does come from somewhere darker (the short story "A Colder War"). A great starting point would be the short story collection "TOAST".
- JensAyton
- Grand Admiral Emeritus
Re: xkcd take on passwords
DaddyHoggy wrote: Love this - and so true - in the MOD we had an enforced password system that randomly generated a password every 30 days in the following pattern:
consonant vowel consonant consonant vowel consonant number number consonant vowel consonant consonant vowel consonant number number (i.e. holpij63wubgoq71*)
The funny thing is, you’d get better security using a shorter random password without the pattern.
Note that the xkcd method is only as secure as claimed if you use four random words, and aren’t allowed to reject a set. “dentilingual Mantodea fandom trackway” or “multilaminate vitellarium unmotherly Geoprumnon” (actual random word combinations¹) are harder to remember than his contrived example.
¹Bashery from the tubes:
n=`cat /usr/share/dict/words | wc -l`; head -n`jot -r 1 1 $n` /usr/share/dict/words | tail -n1
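A rough bit-count for the schemes compared in this thread, added here as an illustration and not part of Jens's post. It assumes 21 consonants, 5 vowels and 10 digits per slot of the MOD template, a 2048-word list for the xkcd scheme, and roughly 235,000 entries in /usr/share/dict/words (an assumed, typical figure).

```python
import math

# Class sizes for the MOD template slots (assumption: English alphabet, y as a consonant).
CONSONANTS = 21   # b c d f g h j k l m n p q r s t v w x y z
VOWELS = 5        # a e i o u
DIGITS = 10

def pattern_bits(pattern: str) -> float:
    """Entropy (bits) of a password drawn uniformly from a template.

    Template letters: C = consonant, V = vowel, N = digit. Each slot is chosen
    independently, so the bits simply add up slot by slot.
    """
    sizes = {"C": CONSONANTS, "V": VOWELS, "N": DIGITS}
    return sum(math.log2(sizes[slot]) for slot in pattern)

def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters chosen uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)

def word_list_bits(words: int, count: int) -> float:
    """Entropy of `count` words chosen uniformly (with replacement) from a list of `words`."""
    return count * math.log2(words)

def min_random_length(target_bits: float, alphabet_size: int) -> int:
    """Shortest uniformly random string over the alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

# The 16-character MOD template from the post, e.g. holpij63wubgoq71.
MOD_PATTERN = "CVCCVCNN" * 2

if __name__ == "__main__":
    mod = pattern_bits(MOD_PATTERN)
    need = min_random_length(mod, 36)
    print(f"MOD template, 16 chars:                 {mod:5.1f} bits")
    print(f"random [a-z0-9], 16 chars:              {random_string_bits(16, 36):5.1f} bits")
    print(f"random [a-z0-9] that beats the template: {need} chars "
          f"({random_string_bits(need, 36):.1f} bits)")
    print(f"xkcd, 4 words from a 2048-word list:     {word_list_bits(2048, 4):5.1f} bits")
    print(f"4 words from a 235,000-word dictionary:  {word_list_bits(235_000, 4):5.1f} bits")
```

The template's fixed consonant/vowel/digit positions cost it about 25 bits against a pattern-free string of the same length, which is why a 12-character random password already beats the 16-character MOD one.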
- Cmd. Cheyd
- ---- E L I T E ----
Re: xkcd take on passwords
I have some experience in network security. The greatest threat to security is a combination of: 1) Inflexible standards that are hostile to the intended user, and 2) The laziness of the average user and their creativeness in making that inflexible / hostile standard less painful on them. It is commonly preached by myself and colleagues that security is only effective if it is non-intrusive to the user's workflow. I encourage users to abandon the idea of 'passwords' and adopt 'pass-phrases'. The example I commonly give is: "My daughter is 13 years old." That's 28 overall characters, a mix of capital and lower-case lettering, 6 symbols (spaces are symbols), and two numerals. And I guarantee you, I remember how old my daughter is, so I will not need to record it on a post-it note on my keyboard.
Is it ideal? No. But it works.
Find my OXP's at:
Deep Horizon Industries - Your Planet Our Design
- DaddyHoggy
- Intergalactic Spam Assassin
Re: xkcd take on passwords
Cmd. Cheyd wrote: I have some experience in network security. The greatest threat to security is a combination of: 1) Inflexible standards that are hostile to the intended user, and 2) The laziness of the average user and their creativeness in making that inflexible / hostile standard less painful on them. It is commonly preached by myself and colleagues that security is only effective if it is non-intrusive to the user's workflow. I encourage users to abandon the idea of 'passwords' and adopt 'pass-phrases'. The example I commonly give is: "My daughter is 13 years old." That's 28 overall characters, a mix of capital and lower-case lettering, 6 symbols (spaces are symbols), and two numerals. And I guarantee you, I remember how old my daughter is, so I will not need to record it on a post-it note on my keyboard.
Is it ideal? No. But it works.
I use a similar method, where possible - annoyingly Tesco, my email provider, allows for a MINIMUM of 6 and a MAXIMUM of 9 characters - which is a pig to create a strong/memorable password for.
Re: xkcd take on passwords
As a user of a supposed airtight company, I am forced to use an 'airtight' password. What did I do? I rotate! The system remembers only the last 3 passwords and asks me to change passwords every 3 months. The rest is easy to guess.
I know 2 persons who do the same. That answers all the security audits they can do...
There is no theory of evolution. Just a list of creatures Chuck Norris has allowed to live.
- DaddyHoggy
- Intergalactic Spam Assassin
Re: xkcd take on passwords
Makandal wrote: As a user of a supposed airtight company, I am forced to use an 'airtight' password. What did I do? I rotate! The system remembers only the last 3 passwords and asks me to change passwords every 3 months. The rest is easy to guess.
I know 2 persons who do the same. That answers all the security audits they can do...
For some reason my MOD password system remembers the previous 21 passwords and checks for patterns, so I could do $unshine0001, but it would not allow me to do $unshine0002, or Sun$hine0002, etc. It is very, very annoying...
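One way a password-history check can catch the rotation described in the two posts above ($unshine0001 to $unshine0002 or Sun$hine0002), added here as an illustration and not the MOD system's actual logic. The leet-substitution table and the sample passwords are constructed for the example.

```python
import re

# Constructed table of common symbol-for-letter swaps that the check undoes before
# comparing. A real policy engine would carry a larger one.
LEET = str.maketrans({"$": "s", "5": "s", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "@": "a", "7": "t"})

def canonical(password: str) -> str:
    """Reduce a password to its stem: lower-case it, drop the trailing counter
    (digits/symbols such as 0001 or !), then undo the symbol-for-letter swaps.
    The counter is stripped BEFORE translation; otherwise 0001 would become 'oooi'.
    """
    stem = re.sub(r"[^a-z]+$", "", password.lower())
    return stem.translate(LEET)

def rejects(candidate: str, history: list[str]) -> bool:
    """Password-history check with pattern detection: True when the candidate is
    a trivial variant (case, trailing counter or leet swap) of any remembered one.

    Caveat: this needs the old passwords' stems in comparable form. Storing the
    plaintext is out of the question; a deployment would store a salted hash of
    each stem next to the password hash and compare hashes, accepting that a stem
    has less entropy than the password it came from.
    """
    stem = canonical(candidate)
    return any(stem == canonical(old) for old in history)

if __name__ == "__main__":
    history = ["$unshine0001"]          # constructed: the previously accepted password
    for attempt in ["$unshine0002", "Sun$hine0002", "SUNSHINE!", "correct horse battery"]:
        verdict = "rejected" if rejects(attempt, history) else "accepted"
        print(f"{attempt:22} -> {verdict}")
```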
- Smivs
- Retired Assassin
Re: xkcd take on passwords
DaddyHoggy wrote: For some reason my MOD password system remembers the previous 21 passwords and checks for patterns, so I could do $unshine0001, but it would not allow me to do $unshine0002, or Sun$hine0002, etc. It is very, very annoying...
"You are my $unshine, my only $unshine..."
Commander Smivs, the friendliest Gourd this side of Riedquat.
Re: xkcd take on passwords
My 2c / 2p (for the British denizens here)
My password generation technique is to take your current favourite song, then take the first line or two from the song, and use the first letter of each word to create your password, using substitutions as required.
Makes an easy way of generating new passwords...
Commander Bugbear
Cruising chart 5 in a Boa Class Cruiser: Quantum Pelican I
Vigilante, trader, gems and precious metals hoarder.
Black Monks bothering performed at no extra charge.
- SandJ
- ---- E L I T E ----
Re: xkcd take on passwords
Bugbear wrote: My password generation technique is to take your current favourite song, then take the first line or two from the song, and use the first letter of each word to create your password, using substitutions as required.
Take care. Pseudo-random algorithms are sometimes worse than useless.
Please always say something
Worthy of real desire,
And be careful, Darling
Each feeling's growing higher.
Flying a Cobra Mk I Cobbie 3 with nothing but Explorers Club.OXP and a beam laser 4 proper lasers for company
Dropbox referral link 2GB of free space online + 500 Mb for the referral: good for securing work-in-progress.
Re: xkcd take on passwords
As a touch-typist, I like to just shift my fingers one position up, down, left or right on the keyboard. Thus my username would become "Rgaefius" by that technique (with the "a" still an "a", as I run out of keyboard, using a left-shift), rendering even standard dictionary words into gibberish. When mixed with the usual substitution and number-adding techniques, you get quite a tough password.
Only problem is when you are used to a UK keyboard and end up on a French one or some similar with keys shuffled around (but then you switch to English by software and make your password even less intelligible by not even typing what's written on the keyboard...)
My OXPs via Boxspace or from my Wiki pages.
Thargoid TV
Dropbox Referral Link
- RyanHoots
- ---- E L I T E ----
Re: xkcd take on passwords
Thargoid wrote: Only problem is when you are used to a UK keyboard and end up on a French one or some similar with keys shuffled around (but then you switch to English by software and make your password even less intelligible by not even typing what's written on the keyboard...)
Let's hope you're not really typing "password" without knowing it.