Correct horse battery staple.
That is all.
A quartet of researchers from Carnegie Mellon University's Computer Science Department have explained a method they feel makes it possible to memorise several complex passwords. As their ArXiv paper, Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords explains, passwords are important but most people …
At this point everyone1 knows that 1) Randall Munroe recommends passphrases over cryptic passwords, because they have greater information entropy and are easier for users to remember; 2) lots of other security researchers have been making the same recommendation for years; 3) the people who create and administer password-based authentication systems don't pay any fucking attention2; 4) "correct horse battery staple" is now used as a passphrase by an embarrassing number of xkcd readers who think they're being clever; and thus 5) "correct horse battery staple" is now in password dictionaries.
Thus we have Schneier claiming that Munroe's construction isn't a safe technique. A number of people (including myself) have pointed out why his argument, as presented, doesn't hold water; but it does mean you can't use "correct horse battery staple" itself as a passphrase under many reasonable threat models, and you have to be a bit more thoughtful about using the Munroe technique.
1(who pays attention to these things)
2Because that would require they actually do some work, rather than simply relying on guidelines that were outdated 30 years ago. And, of course, because they're afraid they might get blamed if they deviate from "standard practice" and anything unfortunate happens.
I think using a long phrase is a good idea. Unfortunately, most places that expect passwords severely limit the length, and even if they don't, they may require numbers and special characters which may be hard to include naturally in a phrase, and may reject spaces. The example would have to be something like "Bill@Gates2swallowing#bike/on!a!beach" to be accepted in them.
Adobe had an especially hilarious one which I discovered after their massive password leak. I used LastPass to reset my leaked password to a random 16 character string, and the website accepted this. Later, I had to reinstall CS4, the installer for which requires you to log onto your Adobe account. Only I couldn't, because the installer's password field would only accept a 12 character string.
Another quality Adobe product!
Virgin Media, where their passwords have to be something like more than 6 and less than 10 characters and don't allow spaces.
Try Schwab's site, which limits passwords to 8 characters, from a restrictive alphabet. And that's for a brokerage and bank. I'd like to see them sued for breach of fiduciary responsibility.
... and irritatingly, they don't usually tell you in advance.
More irritatingly still, when you get password "set" routines that allow you to go past the character limit, with the password "test" routine that observes limits - so your new password will never pass again.
Your only option is to factory reset and start again from scratch.
F**k you TP-Link. F**k you, and the horse you rode on.
You're meant to keep it in your head as a mental image of the scene rather than a collection of words. It's proven that imagery is much more memorable, especially if it's amusing. And if you can imagine the Pope waving a fan over a patty it's much less likely to mutate into an image of the Pope patting someone on the [body part appropriate to the nickname on your continent.]
Although that image would be much more memorable...
My grandmother's generation used them to study in college.
I use them to memorize passwords.
A really simple example would be:
4MhalLwFwwaS4
Very easy to remember that password and I just made it up. Why? Because the password is a combination of two things I can remember.
1. A phrase or string of words that are very easy to remember.
2. A system or set of rules that turns that phrase into a password.
In this case:
Mary had a little lamb whose fleece was white as snow.
With this rule set:
A. Take the first letter of each word.
B. Capitalize nouns.
C. List the number of letters in the first word and last word at the beginning and end of the password.
The password is very easy to remember though you might have to decode it a bit in your head sometimes.
Take a string of song lyrics. A poem. A famous quotation. A children's nursery rhyme. Something you will remember. Come up with a set of rules you won't forget.
Then associate that password with that text string.
Using this method you can actually write down hints to your passwords in plain text right next to the password input and no one will be able to guess your passwords.
Good idea, but you should keep this kind of thing to yourself. It would be dead easy to create a rainbow table from a range of (popular) nursery rhymes using this algorithm. Just imagine how many people would end up using The Owl and the Pussy Cat went to sea as a basis for their key. Easy pickings. Wouldn't add much to the length of existing rainbow tables.
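The rule set from the comment above, and the reply's objection to it, as an added example (not code from either commenter). The corpus of four public-domain nursery-rhyme lines is constructed for the demonstration, and the hand-picked noun list stands in for a part-of-speech tagger; both are assumptions. `candidates()` is the dictionary an attacker builds once the scheme is known (what the reply calls a rainbow table): it grows with the size of the corpus and the number of rule-set variants, not with the length of the password.

```python
import re

# Constructed sample corpus of public-domain nursery-rhyme lines. A real
# attacker would use a far larger corpus (rhymes, lyrics, quotations, poems).
RHYMES = [
    "Mary had a little lamb whose fleece was white as snow.",
    "The Owl and the Pussy Cat went to sea in a beautiful pea green boat.",
    "Little Jack Horner sat in a corner eating his Christmas pie.",
    "Simple Simon met a pieman going to the fair.",
]

# Assumption: a hand-picked noun list replaces a part-of-speech tagger.
NOUNS = {
    "mary", "lamb", "fleece", "snow", "owl", "pussy", "cat", "sea", "boat",
    "jack", "horner", "corner", "christmas", "pie", "simon", "pieman", "fair",
}

WORD_RE = re.compile(r"[A-Za-z']+")


def letters(word):
    """Number of letters in a word, ignoring apostrophes."""
    return sum(ch.isalpha() for ch in word)


def derive(phrase, nouns, capitalize_nouns=True, add_counts=True):
    """Apply the comment's rule set to a phrase.

    A. take the first letter of each word;
    B. capitalize the initial of every noun (made optional here so that
       rule-set variants can be enumerated);
    C. prepend the letter count of the first word and append that of the last.
    """
    words = WORD_RE.findall(phrase)
    initials = []
    for w in words:
        is_noun = capitalize_nouns and w.lower().strip("'") in nouns
        initials.append(w[0].upper() if is_noun else w[0].lower())
    core = "".join(initials)
    if add_counts:
        return f"{letters(words[0])}{core}{letters(words[-1])}"
    return core


def candidates(corpus, nouns):
    """Every password the four rule-set variants produce from the corpus.

    Four variants x N phrases = at most 4N guesses: that is the attacker's
    whole dictionary for this scheme, not 62**13 brute-force attempts.
    """
    out = set()
    for phrase in corpus:
        for caps in (True, False):
            for counts in (True, False):
                out.add(derive(phrase, nouns, caps, counts))
    return out


def search_space_ratio(corpus, nouns, alphabet_size=62, length=13):
    """How many times smaller the attacker's dictionary is than brute force
    over a 13-character mixed-case alphanumeric password."""
    return alphabet_size ** length // len(candidates(corpus, nouns))


if __name__ == "__main__":
    print(derive(RHYMES[0], NOUNS))          # the comment's example password
    print(sorted(candidates(RHYMES, NOUNS)))  # the attacker's full guess list
    print(search_space_ratio(RHYMES, NOUNS))
```

With only four phrases and four rule variants the dictionary is sixteen guesses; adding ten thousand well-known texts and a few dozen plausible rule variants still leaves it in the low millions, which an offline attack against leaked hashes works through in seconds. The length and mixed case of the result say nothing about its strength once the derivation rule is the secret.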
Okay, remembering a password is one problem and one can develop and propose methods of selecting and remembering password. Great.
But typing the f%$king things is another matter altogether.
As a systems administrator, I type complex passwords many times a day to the point of muscle memory but I STILL mistype them 2 times out of 5.
Plus, consider the NUMBER of passwords we have to go through each day. I'm pretty sure these phrases run into the point where you have to wonder which mnemonic you used for which site. "Now did I use Mary Had a Little Lamb or Little Jack Horner? Or was it actually Simple Simon?" I'd like to see an effective mnemonic for remembering the credentials for hundreds of arbitrary websites.
Great ideas but then you have sites - notably when dealing with the US government - that require that you change your password every 60 days and require that your new password is not the same as any of the "n" passwords used previously.
So naturally everyone writes the passwords down on a sheet of paper under the keyboard.
@John Brown (no body)
"Users will always find the easy way, even if that decreases security."
This ABSOLUTELY should be a key factor in designing a password policy. The key is to make it strict enough that people aren't using 'password' but not so strict and unmanageable that people find a way around it.
The problem is that it's next to impossible to prevent people gaming the system by using a password that fulfills the requirements but is not very secure at all - Password123 for example, and it's just as hard to prevent people from writing them down.
The best thing, I have found, is to have a password policy that enforces basic good sense, 8+ chars, complexity (not really necessary) and 90 day expiry (to taste). Then you have to EDUCATE the users on how to choose strong passwords and why these are necessary - especially where remote access (like webmail) is concerned.
In some workplaces there is a lot of bickering and stealing credit and you need to tell people plainly that if they choose a weak password, one of their colleagues could just log onto their e-mail and steal their sales leads or whatever.
The trick is to get the users to be part of the process - to understand why it's necessary.
"As a systems administrator, I type complex passwords many times a day to the point of muscle memory but I STILL mistype them 2 times out of 5."
Sounds more like a typing problem than a password problem? Observation suggests something of the order of 1-2% of IT professionals and users are properly trained to a competent standard in touch typing (I'm not, I should add). Think what that does for accuracy and speed across a large business, yet I know of no business that regards touch typing as an essential part of basic training. The companies happily train their staff in manual handling for jobs that don't involve any manual handling, they insist everybody does DSE training, yet with the most basic input operations of a computer companies don't train staff to use the tools properly (and buying the cheapest, nastiest keyboards and mice probably doesn't help either).
Sounds more like a typing problem than a password problem?
I'll argue it isn't. I'm a trained touch-typist - I was taught to touch-type on manual typewriters in the early '80s, and between programming and my academic work I've touch-typed the equivalent of thousands of pages of text. I still mistype my passphrases (which are now generally around 40 characters) on a regular basis.
Passphrases often aren't especially amenable to touch-typing. The typical passphrase system has zero tolerance for error and doesn't provide useful feedback. With Windows, for example, the standard password dialogs show bullet symbols for each character and are only 26 characters wide; after that, you don't even get feedback to show that you've successfully entered a character, because the identical bullet symbols just scroll horizontally.
And passphrases generally aren't typical natural-language phrases, because those would be weak against dictionary attacks. And since many passphrase systems are actually just password systems that allow long "passwords", they are often configured to require a large alphabet, so your passphrase has to include numerals and punctuation. Those elements make it easier to mistype the passphrase.
Back in the days of non-correcting typewriters, it's true that touch-typists typically had a much lower error rate than they do today, when correcting typographical errors is trivial. But a vanishingly small number of people use such typewriters now, so very few users have the training to eliminate typographical errors. And expecting users to do so once again puts the security burden on the wrong part of the system.
"""But typing the f%$king things is another matter altogether."""
german keyboard layout (and derived c-e european) has 'y' and 'z' swapped. imagine the joy "i'm positive i typed the %@!$ thing right! oh, blimey, wrong keyboard layout again!"
of course, who in their right mind would set anything different than plain US as default keyboard layout?
well... apparently it's our new domain default. which cannot be changed. enforced by domain policies. updated on every reboot. they can even reboot your computer for you. arghhh!
quote: "german keyboard layout (and derived c-e european) has 'y' and 'z' swapped. imagine the joy "i'm positive i typed the %@!$ thing right! oh, blimey, wrong keyboard layout again!"
of course, who in their right mind would set anything different than plain US as default keyboard layout?
well... apparently it's our new domain default. which cannot be changed. enforced by domain policies. updated on every reboot. they can even reboot your computer for you. arghhh!"
Standardised keyboard layout for servers in EU subsidiaries, I completely agree with. My place does this as we only have the one 3rd line support department for the whole of the EU, and it's based in the UK so we're familiar with (and use) UK layouts. It's not difficult to fit a physical UK keyboard in to the racks for any local support techs to use either.
Standardised keyboard layout for users though? Utter insanity. If there is one thing guaranteed to cause a fistfight between users and support, it's not having the fucking keys in the correct place. Yes, it means I have to be mindful when typing passwords on a remote system and the layout is QWERTZ or AZERTY, but that is minimal fuss compared to asking several hundred people to use a different layout than the rest of their country uses.
Maybe I'm being far too sympathetic though ^^;
As has been mentioned, most authentication is limited to a maximum number of characters which prevent using a really strong password.
Or worse
I tried "heroes in a half shell turtle power" on one site, and got a dialogue pop-up telling me my password required strengthening. Sack off
So now we need to remember 200 bloody passphrases instead of 200 passwords. Personally I am old and can't remember sh!t these days so I use KeePass to manage my passwords for me.
One other problem with passphrases is that it takes way longer to enter them. If it's once per day, no problem, but I enter between 100 and 300 passwords every day!
Wouldn't work for me. Not how I roll, and it would make my life a nightmare. At my "peak" I was keeping about fifty or so moderate to long alphanumeric usernames/passwords in my head. Occasionally I'd mix up a user/pass, but I'd remember them all.
All of them were generated by KeePass, but the decisive factor came after. I had to read and type them to see if they "felt right". If they didn't, I'd try to "fix" them because I could "feel" where the wrong part was. If they did, no more work was needed. It is my honest belief that passwords can feel "right" or "wrong" to different people, thus making them easier/harder to memorize.
While this might seem a bit esoteric, I'm pretty sure there is an underlying explanation as to why certain random sequences "feel" different.
Probably the same underlying mechanism that makes certain note/chords sequences "feel right" when listened to and others be just noise.
So basically it's a variation of the very old and well tested "loci" memory technique. By making associations to very familiar places you can remember very complex pieces of information by "walking a journey" through those places you know, picking up familiar objects as you go. Instead, with this technique they use famous faces with memorable actions used on everyday, easy to imagine objects.
I recall it once termed "memory theater". The problem is that it's meant to recall things in a particular order. That's why you "walk through" your loci mnemonic. Trouble is that, in modern life, things are much more random. You may be asked to recall the 57th password you memorized one day and the 124th one the next, with the 89th demanded after dinner for good measure. So having to walk through your mnemonic to recall something out of order can be time-consuming and prone to mistakes.
Create a password.....
cabbage
Sorry, the password must be more than 8 characters....
boiled cabbage
Sorry, the password must contain 1 numerical character.
1 boiled cabbage
Sorry, the password cannot have blank spaces.
50fuckingboiledcabbages
Sorry, the password must contain at least one upper case character.
50FUCKINGboiledcabbages
Sorry, the password cannot use more than one upper case character consecutively.
50FuckingBoiledCabbagesShovedUpYourArse,IfYouDon'tGiveMeAccessImmediatelyYouTwats
Sorry, the password cannot contain punctuation.
NowIAmGettingReallyPissedOff50FuckingBoiledCabbagesShovedUpYourArseIfYouDontGiveMeAccessImmediatelyYouTwats
Sorry, that password is already in use!
Thanks for the laugh - I have actually been through this process myself, but the password wasn't taken when I did it..sorry.
The funniest thing is that whenever you create a password like this, it sets off some kind of celestial motion that entails you having to provide the password to that particular site to a boss or something. It's a law that should have a name "The Fucking Boiled Cabbage Principle@{}" or something.
I can't believe we're on the second page and no one has discussed password hashing. Is it terribly insecure or something? Example:
https://www.pwdhash.com/
Remember one (or a small set of passwords), and use the site/machine name to generate a repeatable hash for each place. Every system has a unique password, and you only need to remember a few things. I guess the argument is that once someone figures out what you're doing, they have a head start on breaking in, but realistically they're going to go after the "Password201410" jokers first.
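The site-specific derivation the comment above describes, as an added example. This is my own code, not the pwdhash.com implementation, and it makes several assumptions the comment does not: the master secret is stretched once with PBKDF2, each site password is HMAC-SHA256 of the host under the stretched key, only a leading "www." is stripped from the host (a real tool would use the public-suffix list), and the output alphabet is mixed-case alphanumerics so that the result survives the site restrictions discussed earlier in the thread. `recover_master()` shows the "head start" the commenter concedes: once the scheme is known, one leaked site password is an offline oracle for guessing the master.

```python
import hashlib
import hmac
from functools import lru_cache
from urllib.parse import urlsplit

# Characters nearly every site accepts; no '+' or '/' as raw base64 would give.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def site_key(url):
    """Reduce a URL to the host the password is bound to.

    Assumption: only a leading 'www.' is folded. A real tool would use the
    public-suffix list so login.example.com and example.com agree.
    """
    host = (urlsplit(url).hostname or url).lower()
    return host[4:] if host.startswith("www.") else host


@lru_cache(maxsize=None)
def stretch_master(master):
    """Stretch the master once so each guess at it costs 100k PBKDF2 rounds;
    per-site derivation below is then cheap. Salt is a fixed scheme label."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), b"site-password-v1", 100_000)


def encode(tag, alphabet, length):
    """Map a 32-byte tag onto `alphabet` by base conversion, which is unbiased
    (byte % len(alphabet) is not). 256 bits give about 43 base-62 symbols, so
    lengths above 40 would end in a run of alphabet[0]."""
    assert length <= 40, "tag has fewer than `length` symbols of entropy"
    n = int.from_bytes(tag, "big")
    out = []
    for _ in range(length):
        n, r = divmod(n, len(alphabet))
        out.append(alphabet[r])
    return "".join(out)


def derive_site_password(master, url, length=16, alphabet=ALPHABET):
    """Deterministic per-site password: HMAC(stretched master, host)."""
    key = stretch_master(master)
    tag = hmac.new(key, site_key(url).encode(), hashlib.sha256).digest()
    return encode(tag, alphabet, length)


def recover_master(leaked_password, url, candidate_masters, length=16):
    """The caveat: with the scheme public, an attacker holding one site's
    password tests master candidates offline. Returns the hit or None."""
    for candidate in candidate_masters:
        if derive_site_password(candidate, url, length) == leaked_password:
            return candidate
    return None


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed; do not reuse it
    for site in ("https://www.example.com/login", "https://example.org/"):
        print(site_key(site), derive_site_password(master, site))
    print(derive_site_password(master, "https://example.com/", length=8))
```

Two consequences follow from the design. Because the site-specific value is recomputed from the master, changing one site's password after a breach means either changing the master everywhere or adding a per-site counter to the HMAC input; and a site that caps length at 8, as some in this thread do, gets only about 47 bits of the derived value no matter how strong the master is. The PBKDF2 step makes `recover_master()` cost roughly a tenth of a second per guess in pure-Python terms, which only helps if the master is not itself in a wordlist.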
If you have to go that far, why not just use a password keeper and let it generate completely random passwords for each site, taking into account each site's eccentricities? That way you only have to recall one passphrase to open this keep (which you can store locally) which you can make as long and convoluted as you please.
Generally speaking, hard-to-break passwords are hard to remember. But that is not fate. It would be easily possible to safely manage many such high-entropy passwords with the Expanded Password System that handles images as well as characters. Each image/character is identified by image identifier data which can be of any length. Assume that your password is “ABC123” and that those characters are identified as X4s&, eI0w, and so on. When you input ABC123, the authentication data that the server receives is not the easy-to-break “ABC123”, but something like “X4s&eIwdoex7RVb%9Ub3mJvk”, which might be automatically altered periodically or at each access if required.
When such high-entropy data are hashed, it would be next to impossible to quickly crack the hashed data back to the original password. Give different sets of identifier data to “ABC123” and the different servers will receive all different high-entropy authentication data. Brute-force attacking of “ABC123” and other similarly silly passwords would perhaps take less than a few seconds with dictionary and automatic attack programs but it could be an exhausting job when criminals have to manually touch/click on the display with their fingers.
This function of managing strong passwords by weak text passwords is one of the secondary merits of the Expanded Password System.
At the root of the password problem is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. Textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional text.
Most humans are thousands of times better at dealing with image memories than text memories. The former dates back hundreds of millions of years while the latter's history is less than a fraction of that. I wonder what merit there is in confining ourselves to the narrow corridor of text memories when CPUs are fast enough, bandwidth broad enough, memory storage cheap enough, and cameras are built into mobile devices.
How well do dictionary attacks do against passphrases containing more than 2 words? Each one multiplies the potential complexity by the size of the dictionary. Six words and a million-word dictionary, assuming no semantics, results in (10^9)^6, or 10^54 possible phrases, and if even one of those words is intentionally misspelled...
By forcing users to reset their password frequently an organization forces its users to remain within the most difficult rehearsal region
Absolutely. That's one reason why reputable security researchers don't recommend short password / passphrase lifetimes. Doesn't stop know-nothing administrators from imposing such policies, though, because they like to rely on the "standard practice" excuse.
Account lockout is another idiotic policy that's rarely justified by any sensible threat model. If your password / passphrase strength requirements are decent, it's vanishingly unlikely that anyone will correctly guess a user's password with three tries. What is likely is that users will mistype strong passwords or passphrases (per the discussion above) three times, get locked out, and have to request account unlocking or password reset - which means lost productivity and opportunities for social engineering. Three-strikes account lockout is a great example of a policy that does far more harm than good to password-based security.
But here again, the people making these policy decisions generally seem to be actively hostile to sound security research, preferring instead to rely on a cargo-cult set of "standard" practices.
That some people can do it does not automatically mean that all or many people can do it. That some can finish the marathon for less than 2.5 hours does not mean that many of us can do the same.
I believe Bruce Schneier recommends writing your passwords down and keeping them in your wallet.
Most people only ever lose their wallets once or twice in their life, and even if somebody does find it, you don't keep your user id / email written down in the same place.