xckd take on passwords

Off topic discussion zone.

Moderators: winston, another_commander, Cody

DaddyHoggy
Intergalactic Spam Assassin
Posts: 8515
Joined: Tue Dec 05, 2006 9:43 pm
Location: Newbury, UK

xckd take on passwords

Post by DaddyHoggy »

Love this - and so true - in the MOD we had an enforced password system that randomly generated a password every 30 days in the following pattern:

consonant vowel consonant consonant vowel consonant number number consonant vowel consonant consonant vowel consonant number number (i.e. holpij63wubgoq71*)

And Security wondered why they kept finding them written down on post-it notes and stuck to the desk underneath the keyboard.

http://xkcd.com/936/


* I did get fukpis69 as the first part of my password once - so it wasn't all bad!
Selezen wrote:
Apparently I was having a DaddyHoggy moment.
Oolite Life is now revealed here
drew
---- E L I T E ----
Posts: 2190
Joined: Fri May 19, 2006 9:29 am
Location: In front of a laptop writing a book.

Re: xckd take on passwords

Post by drew »

In a previous life I was a security consultant. I visited one customer site to do an ISO27001 audit (yawnarama for most of the time). However, one of the managers said it was pointless because their security was (and I quote) 'airtight'. High strength passwords, key gens etc.

I nodded and bet him lunch I could get access to one of their desktops within the hour. He scoffed.

Walked up and down a large major building society with their headquarters in Swindon way, looking for post-it notes. I was in within 5 minutes and sent him an email from one of his own computers.

He was not amused.

Cheers,

Drew.
Drew is an author of SF and Fantasy Novels
WebsiteFacebookTwitter
Disembodied
Jedi Spam Assassin
Posts: 6885
Joined: Thu Jul 12, 2007 10:54 pm
Location: Carter's Snort

Re: xckd take on passwords

Post by Disembodied »

From Charles Stross's short "Laundry" story "Concrete Jungle":
"Didn't they know that the only unhackable computer is one that's running a secure operating system, welded inside a steel safe, buried under a ton of concrete at the bottom of a coal mine guarded by the SAS and a couple of armoured divisions, and switched off?"
DaddyHoggy
Intergalactic Spam Assassin
Posts: 8515
Joined: Tue Dec 05, 2006 9:43 pm
Location: Newbury, UK

Re: xckd take on passwords

Post by DaddyHoggy »

Disembodied wrote:
From Charles Stross's short "Laundry" story "Concrete Jungle":
"Didn't they know that the only unhackable computer is one that's running a secure operating system, welded inside a steel safe, buried under a ton of concrete at the bottom of a coal mine guarded by the SAS and a couple of armoured divisions, and switched off?"
That's the 2nd time I've heard the name of Charles Stross in a week, I'm obviously meant to go and seek out some of his work!
Selezen wrote:
Apparently I was having a DaddyHoggy moment.
Oolite Life is now revealed here
Disembodied
Jedi Spam Assassin
Posts: 6885
Joined: Thu Jul 12, 2007 10:54 pm
Location: Carter's Snort

Re: xckd take on passwords

Post by Disembodied »

DaddyHoggy wrote:
That's the 2nd time I've heard the name of Charles Stross in a week, I'm obviously meant to go and seek out some of his work!
You can't argue with fate ... he makes a lot of his stuff available free online, too, so you can try before you buy! The "Laundry" series is good tongue-in-cheek fun, although it does come from somewhere darker (the short story "A Colder War"). A great starting point would be the short story collection "TOAST".
JensAyton
Grand Admiral Emeritus
Posts: 6657
Joined: Sat Apr 02, 2005 2:43 pm
Location: Sweden

Re: xckd take on passwords

Post by JensAyton »

Note that the xkcd method is only as secure as claimed if you use four random words, and aren’t allowed to reject a set. “dentilingual Mantodea fandom trackway” or “multilaminate vitellarium unmotherly Geoprumnon” (actual random word combinations¹) are harder to remember than his contrived example.
DaddyHoggy wrote:
Love this - and so true - in the MOD we had an enforced password system that randomly generated a password every 30 days in the following pattern:

consonant vowel consonant consonant vowel consonant number number consonant vowel consonant consonant vowel consonant number number (i.e. holpij63wubgoq71*)
The funny thing is, you’d get better security using a shorter random password without the pattern.

¹Bashery from the tubes: n=`cat /usr/share/dict/words | wc -l`; head -n`jot -r 1 1 $n` /usr/share/dict/words | tail -n1
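The entropy comparison behind the two claims in the post above (four random words with no rejection step, and a shorter unpatterned password beating the MOD pattern) worked through in code. This is an added example, not code from the thread: the class sizes (21 consonants, 5 vowels, 10 digits), the 36-character alphabet, the 2048-word list (the 11 bits per word the xkcd strip assumes) and the roughly 235,886-entry size of a BSD /usr/share/dict/words are all assumptions stated in the comments, and the sample wordlist is constructed.

```python
import math
import secrets

# Character classes used by the thread's MOD-style pattern (assumed: 21 consonants
# with 'y' counted as a consonant, 5 vowels, 10 digits).
CLASSES = {
    "c": "bcdfghjklmnpqrstvwxyz",
    "v": "aeiou",
    "n": "0123456789",
}

# cvccvc nn cvccvc nn, the shape of "holpij63wubgoq71" quoted in the thread.
MOD_PATTERN = "cvccvcnncvccvcnn"

# Constructed stand-in for a real wordlist, used only by the generator demo.
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple", "fandom", "trackway",
                   "vitellarium", "unmotherly"]


def pattern_entropy_bits(pattern: str) -> float:
    """Entropy (bits) of a password drawn uniformly from a class pattern:
    each position contributes log2 of the size of its class."""
    return sum(math.log2(len(CLASSES[ch])) for ch in pattern)


def uniform_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` independent uniform picks from an alphabet."""
    return length * math.log2(alphabet_size)


def wordlist_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` uniform picks (with replacement) from a wordlist.
    Rejecting 'unmemorable' sets and redrawing shrinks the effective
    wordlist, so the real figure is lower than this whenever that happens."""
    return words * math.log2(wordlist_size)


def shortest_unpatterned_length(pattern: str, alphabet_size: int) -> int:
    """Smallest length of a fully random password over `alphabet_size`
    characters whose entropy meets or exceeds the patterned password's."""
    target = pattern_entropy_bits(pattern)
    length = 1
    while uniform_entropy_bits(length, alphabet_size) < target:
        length += 1
    return length


def generate_from_pattern(pattern: str) -> str:
    """Generate a password of the patterned kind, using a CSPRNG."""
    return "".join(secrets.choice(CLASSES[ch]) for ch in pattern)


def generate_passphrase(wordlist, words: int = 4) -> str:
    """Uniform picks from a wordlist, with no rejection step."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(f"MOD pattern, 16 chars:         {pattern_entropy_bits(MOD_PATTERN):.1f} bits")
    print(f"16 random [a-z0-9] chars:      {uniform_entropy_bits(16, 36):.1f} bits")
    n = shortest_unpatterned_length(MOD_PATTERN, 36)
    print(f"unpatterned [a-z0-9] needed:   {n} chars ({uniform_entropy_bits(n, 36):.1f} bits)")
    print(f"4 words from 2048-word list:   {wordlist_entropy_bits(4, 2048):.1f} bits")
    print(f"4 words from 235886-word list: {wordlist_entropy_bits(4, 235886):.1f} bits")
    print("sample pattern password:", generate_from_pattern(MOD_PATTERN))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDLIST))
```

Under these assumptions the 16-character pattern carries about 57.7 bits, while 12 fully random lowercase-plus-digit characters already exceed it, which is the point made in the post. Four words from a 2048-word list give the strip's 44 bits; the same four words from a full system dictionary give over 70 bits, but only if every draw is kept.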
Cmd. Cheyd
---- E L I T E ----
Posts: 934
Joined: Tue Dec 16, 2008 2:52 pm
Location: Deep Horizon Industries Manufacturing & Research Site somewhere in G8...

Re: xckd take on passwords

Post by Cmd. Cheyd »

I have some experience in network security. The greatest threat to security is a combination of: 1) Inflexible standards that are hostile to the intended user, and 2) The laziness of the average user and their creativeness in making that inflexible / hostile standard less painful for them. It is commonly preached by myself and colleagues that security is only effective if it is non-intrusive to the user's workflow. I encourage users to abandon the idea of 'passwords' and adopt 'pass-phrases'. The example I commonly give is: "My daughter is 13 years old." That's 28 overall characters, a mix of capital and lower-case lettering, 6 symbols (spaces are symbols), and two numerals. And I guarantee you, I remember how old my daughter is, so I will not need to record it on a post-it note on my keyboard.

Is it ideal? No. But it works.
DaddyHoggy
Intergalactic Spam Assassin
Posts: 8515
Joined: Tue Dec 05, 2006 9:43 pm
Location: Newbury, UK

Re: xckd take on passwords

Post by DaddyHoggy »

Cmd. Cheyd wrote:
I have some experience in network security. The greatest threat to security is a combination of: 1) Inflexible standards that are hostile to the intended user, and 2) The laziness of the average user and their creativeness in making that inflexible / hostile standard less painful for them. It is commonly preached by myself and colleagues that security is only effective if it is non-intrusive to the user's workflow. I encourage users to abandon the idea of 'passwords' and adopt 'pass-phrases'. The example I commonly give is: "My daughter is 13 years old." That's 28 overall characters, a mix of capital and lower-case lettering, 6 symbols (spaces are symbols), and two numerals. And I guarantee you, I remember how old my daughter is, so I will not need to record it on a post-it note on my keyboard.

Is it ideal? No. But it works.

I use a similar method, where possible - annoyingly Tesco, my email provider allows for a MINIMUM of 6 and a MAXIMUM of 9 characters - which is a pig to create a strong/memorable password for.
Selezen wrote:
Apparently I was having a DaddyHoggy moment.
Oolite Life is now revealed here
Makandal
Deadly
Posts: 129
Joined: Tue Jun 12, 2007 3:48 pm
Location: Frenchman lost in Africa

Re: xckd take on passwords

Post by Makandal »

As a user of a supposedly airtight company, I am forced to use an 'airtight' password. What did I do? I rotate! The system remembers only the last 3 passwords and asks me to change passwords every 3 months. The rest is easy to guess.
I know 2 persons who do the same. That answers all the security audits they can do...
There is no theory of evolution. Just a list of creatures Chuck Norris has allowed to live.
DaddyHoggy
Intergalactic Spam Assassin
Posts: 8515
Joined: Tue Dec 05, 2006 9:43 pm
Location: Newbury, UK

Re: xckd take on passwords

Post by DaddyHoggy »

Makandal wrote:
As a user of a supposedly airtight company, I am forced to use an 'airtight' password. What did I do? I rotate! The system remembers only the last 3 passwords and asks me to change passwords every 3 months. The rest is easy to guess.
I know 2 persons who do the same. That answers all the security audits they can do...
For some reason my MOD password system remembers the previous 21 passwords and checks for patterns, so I could do $unshine0001, but it would not allow me to do $unshine0002, or Sun$hine0002, etc.; it is very, very annoying...
Selezen wrote:
Apparently I was having a DaddyHoggy moment.
Oolite Life is now revealed here
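An added example, not code from the thread or from any real password system, showing how the two controls discussed in the last two posts work and where each stops: a history of stored hashes catches exact reuse within its window (which is exactly what a 3-deep history rotated every quarter fails to catch), while the "checks for patterns" behaviour needs plaintext and so can only compare the new password against the one being replaced. The substitution table, the history depth of 21 (the figure quoted above), the edit-distance threshold of 3 and all sample passwords are assumptions or constructed values.

```python
import hashlib

# Common substitutions undone before comparing stems (assumed list).
SUBSTITUTIONS = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l",
                               "3": "e", "4": "a", "5": "s", "7": "t", "!": "i"})

HISTORY_DEPTH = 21   # the MOD system in the thread remembers the previous 21
MIN_DISTANCE = 3     # assumed: a new stem must be at least this many edits away


def pw_hash(password: str) -> str:
    """Stand-in for a stored password hash. Demonstration only: unsalted
    SHA-256 is not a password hash; a real store uses a salted, slow
    hash such as bcrypt, scrypt or Argon2."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def canonical(password: str) -> str:
    """Reduce a password to its stem: drop trailing digits (the counter
    people increment), lower-case, undo leet substitutions. With these rules
    '$unshine0001', '$unshine0002' and 'Sun$hine0002' all become 'sunshine'."""
    stem = password.rstrip("0123456789").lower()
    return stem.translate(SUBSTITUTIONS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_change(old_password: str, new_password: str, history_hashes: list,
                 depth: int = HISTORY_DEPTH, min_distance: int = MIN_DISTANCE) -> str:
    """Decide whether a password change is allowed.

    Exact reuse is checked against the stored hashes of the last `depth`
    passwords; that is all a hash history can tell you. The pattern check
    needs plaintext, and at change time the only old plaintext available is
    the password being replaced (the user has just typed it), so similarity
    is checked against that one only.
    Returns 'reused', 'same-stem', 'too-similar' or 'ok'.
    """
    if pw_hash(new_password) in history_hashes[-depth:]:
        return "reused"
    old_stem, new_stem = canonical(old_password), canonical(new_password)
    if new_stem == old_stem:
        return "same-stem"
    if levenshtein(old_stem, new_stem) < min_distance:
        return "too-similar"
    return "ok"


if __name__ == "__main__":
    # Constructed history: the user's previous password, stored as a hash.
    history = [pw_hash("$unshine0001")]
    for candidate in ["$unshine0002", "Sun$hine0002", "$unshine0001",
                      "sunshone9", "correct horse battery staple"]:
        print(f"{candidate:30} -> {check_change('$unshine0001', candidate, history)}")
```

The rotation trick from the earlier post follows directly from the first check: with a history window of 3 and a fourth distinct password in the cycle, `pw_hash(new_password)` is never in `history_hashes[-3:]`, so the exact-reuse test passes every quarter. Only the stem comparison, which depends on having the outgoing password in plaintext, can see that the user is cycling variants of one word.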
Smivs
Retired Assassin
Posts: 8408
Joined: Tue Feb 09, 2010 11:31 am
Location: Lost in space

Re: xckd take on passwords

Post by Smivs »

DaddyHoggy wrote:

For some reason my MOD password system remembers previous 21 passwords and checks for patterns so I could do $unshine0001, but it would not allow me to do $unshine0002, or Sun$hine0002, etc, it is very, very annoying...
"You are my $unshine, my only $unshine..."
Commander Smivs, the friendliest Gourd this side of Riedquat.
Bugbear
---- E L I T E ----
Posts: 415
Joined: Sun Sep 17, 2006 1:30 am

Re: xckd take on passwords

Post by Bugbear »

My 2c / 2p (for the British denizens here)

My password generation technique is to take your current favourite song, then take the first line or two from the song, and use the first letter of each word to create your password, using substitutions as required.

Makes an easy way of generating new passwords...
Commander Bugbear
Cruising chart 5 in a Boa Class Cruiser: Quantum Pelican I
Vigilante, trader, gems and precious metals hoarder.
Black Monks bothering performed at no extra charge.
SandJ
---- E L I T E ----
Posts: 1048
Joined: Fri Nov 26, 2010 9:08 pm
Location: Help! I'm stranded down here on Earth!

Re: xckd take on passwords

Post by SandJ »

Bugbear wrote:
My password generation technique is to take your current favourite song, then take the first line or two from the song, and use the first letter of each word to create your password, using substitutions as required.
Take care. Pseudo-random algorithms are sometimes worse than useless.

Please always say something
Worthy of real desire,

And be careful, Darling
Each feeling's growing higher.
Flying a Cobra Mk I Cobbie 3 with nothing but Explorers Club.OXP and a beam laser 4 proper lasers for company :D
Dropbox referral link 2GB of free space online + 500 Mb for the referral: good for securing work-in-progress.
Thargoid
Thargoid
Posts: 5528
Joined: Thu Jun 12, 2008 6:55 pm

Re: xckd take on passwords

Post by Thargoid »

As a touch-typist, I like to just shift my fingers one position up, down, left or right on the keyboard. Thus my username would become "Rgaefius" by that technique (with the "a" still an "a", as I run out of keyboard, using a left-shift), rendering even standard dictionary words into gibberish. When mixed with the usual substitution and number-adding techniques, you get quite a tough password.

Only problem is when you are used to a UK keyboard and end up on a French one or something similar with keys shuffled around (but then you switch to English by software and make your password even less intelligible by not even typing what's written on the keyboard...)
RyanHoots
---- E L I T E ----
Posts: 958
Joined: Fri May 20, 2011 8:10 pm
Location: Nowhere

Re: xckd take on passwords

Post by RyanHoots »

Thargoid wrote:
Only problem is when you are used to a UK keyboard and end up on a French one or some similar with keys shuffled around (but then you switch to English by software and make your password even less intelligible by not even typing what's written on the keyboard...)
Let's hope you're not really typing "password" without knowing it. :roll: :lol: