back to article 'Use 1 capital' password prompts make them too predictable – study

A new study has found that password structure is a key flaw in making login IDs hard to guess. Security firm Praetorian analyzed 34 million stolen passwords from the LinkedIn, eHarmony and Rockyou breaches and found that 50 per cent of all passwords followed 13 basic structures. This lack of entropy makes it possible to use …

Yes, the alternative being that if I followed best practice for passwords on every single site I use then I would never remember any of them and would have to reset my password every time I wanted to log in, may as well just make two factor compulsory and stop relying on passwords as the sole gatekeeper.

20
0
Silver badge
Coat

No it doesn't

Just write them on a post-it, then stick to your monitor. Problem solved.

22
0
Holmes

Trust

I think you have to make a leap and trust something to hold everything.

Pick a password safe (carefully) and lock it with the one complicated password you make the effort to commit to memory. Then write down that password on an anonymous and otherwise blank piece of paper and leave it in that decorative tea-pot your mother has. Just in case :)

10
1
Silver badge

I think the safer way is have a generic pattern for sites that don't mean much and don't leave your information on the sites if it asks you to store your credit card details etc for ease of use next time, just as many of these sites are losing their info from poor internal security practices.

2
0

Re: Trust

I've gone for that approach, via lastpass, as such all my new passwords are now the maximum allowed length and support the maximum allowed range of characters. I let it import my old passwords and I'm changing them piecemeal.

0
1
Silver badge

Re: No it doesn't

At home, that will work very well... unless you have unwelcome visitors. Even then... maybe not a problem. They'll steal the computer and ignore the Post-It notes.

At work.. I use a small notepad that's kept in a locked drawer. (We're not allowed to put a PW manager on company machines). I note that many (most) of the employees do the same notepad kept away from prying eyes thing. But there's a few who use Post-It notes... usually managers who won't listen to the reality of locking those away. Go figure...

KISS works for most of us.

4
0
Holmes

Re: No it doesn't

@AMBxx - "Just write them on a post-it, then stick to your monitor. Problem solved."

That's a horrible system. What if you lose the post-it note?

Take a picture of your post-it note with your phone, send it to your computer as a jpg, and then regedit the LockScreenImage string to use the image as your login screen.

Problem solved.

18
0
Silver badge

Re: Trust

"I think you have to make a leap and trust something to hold everything."

I find that this works best these days: http://www.angryflower.com/986.html

2
0
Silver badge

Re: Trust

Then write down that password on an anonymous and otherwise blank piece of paper and leave it in that decorative tea-pot your mother has.

You mean the one I keep her ashes in?

3
0

Re: Trust

Then write down that password on an anonymous and otherwise blank piece of paper and leave it in that decorative tea-pot your mother has.

The paper's not going to last long if she keeps making tea in the pot.

1
0
Silver badge

Re: Trust

...paper and leave it in that decorative tea-pot your mother has. Just in case :)

Add one (1) snake for piece of mind as per my useful anti head-boiling burglar tips.

0
0
Silver badge

easy

KeePassX. Only have to remember one password (for the AES encryption on the internal app DB) but you can then have different 20+ random character passwords for each site (it can generate for you). Plus its free, open source, cross platform, not tied to a single browser and no cloud bullcrap. Plus it comes by default in Tails OS which is why I started using it.

1
0
Silver badge

What's the real issue?

A key part of the problem is with the websites themselves…

The key part of the problem is passwords themselves as they're so difficult to remember.

mnemonic + capitalisation + substitution + user/service salt will produce a strong password that you should in theory be able to remember but only if you're systematic about it and this always adds to the risk.

0
3

Re: What's the real issue?

yes and inevitably some websites enforce password rules that prevent you from using your system because they won't accept the length or won't allow punctuation characters.

The ones that really annoy me are those who won't let you use a password you have used previously. Surely this means they are storing all the passwords you have ever used with them before - so if that data gets robbed it provides an even richer source of password material :/

20
2
Silver badge

Re: What's the real issue?

The ones that really annoy me are those who won't let you use a password you have used previously.

Add a cycler, but yeah some restrictions are simply stupid.

0
0

Re: What's the real issue?

Not necessarily, they can just hold a hash value (although with brute force they can recover the password that generated the hash). Most of these things only store the last n passwords anyway, so you can always repeatedly change your password until it lets you have your old one back.

2
0
Facepalm

Re: What's the real issue?

I think the real issue is that by having any rule, you're limiting entropy.

11
0
Silver badge
Facepalm

Re: What's the real issue?

I got uneasy and started racking my brain where else did I see this "have one more than the last N values the system checks and denies" scheme, then I remembered - certain printers refuse to use the last (chipped) toner cartridge even if you refill it / reset it / whatever successfully, because they store its read-only serial number (and that's stored in the printer not in the cartridge so you can't just reset it) - so obviously, people just use TWO sets of cartridges because only the last serial is remembered. Yeah, life is strange...

4
0
Silver badge

Re: What's the real issue?

I think the real issue is that by having any rule, you're limiting entropy.

The real issue is that passwords are terrible authenticators. They make precisely the wrong trade-offs. They're a relic of resource-constrained systems from decades ago, and no new systems should be using them.

Passphrases are a little better.

1
0

I'd love to just go the correct-horse-battery-staple route, but most sites won't let me. Rejecting a 30+ characters password just because it's all lower-case is stupid.

25
1
Anonymous Coward

Had this very problem today

Tried to enter a 30 character password, with 4 caps, 3 digits, 5 special characters and the rest lower case. Too long. Bleh. Damn you char(20) !!!

6
0

This post has been deleted by its author

Silver badge

I'd love to just go the correct-horse-battery-staple route, but most sites won't let me. Rejecting a 30+ characters password just because it's all lower-case is stupid.

Well, it's not hard to have a long passphrase and scatter some capital letters and punctuation into it to satisfy "strength" requirements imposed by a moron.

The real problem with using passphrases is length restrictions, which are even more idiotic. The number of web sites - web sites, for the love of god - that impose password length or entry restrictions is truly amazing. Microsoft's Outlook Web Access, for example, silently truncates the password entered by the user, as I discovered when I couldn't get it to accept my 38-character passphrase.

Even worse: Schwab's online banking site limits passwords to 8 characters. There's no excuse for that - it's sheer incompetence. (Even if their backend is a legacy system with password-length restrictions, hash longer passwords and then express them in base-n, where n is the size of the password alphabet for the backend system. Then converting longer passphrases to allowable passwords is trivial.)

1
0
Silver badge
Facepalm

Let's not forget the sites, like some banks, who implement this policy then limit you to 10 characters or less.

22
0
Silver badge

There's a reason for that: they'll be able to blame you when your account is inevitably hacked. Solution: use HBCI only.

0
0

I get annoyed when some of the sites require exactly the mix of letters, numbers, symbols, and caps that the specify, and will not allow anything more.

I don't know how many times I've run into one that wants exactly eight characters, with one being caps, one a number, and a certain subset of symbols (which it does not state, until it rejects an attempted password...)

9
0
Silver badge

"I don't know how many times I've run into one that wants exactly eight characters"

It's as stupid as PHP email validation routines which disallow "+"

limiting to 8 characters makes password cracking trivial once the crypts have been obtained.

1
0

My previous company requires passwords in the form of 5 letters, a special character, then 3 numbers. This was caused by some ancient mainframe system and a home-brewed password encryption system. The company's name has 5 characters in it, and people tend to increment the last three digits each time they reset their password... I discovered my old boss's password, it was just Sunil&### with ### being which cycle, started at 001 then was incremented to 002 and so forth....

And these are the people that are designing your phones, running your cloud systems and in case of one division, guiding your airplanes.

My new company requires a minimum of a 16 character password and requires white space. The employee manual actually has a whole guide on pass phrases and recommends that people use sentences and phrases like:

" Chapter 5 starts with 'But alas, he was alone!' "

or

"This book cost me $19.99."

But overall, it recommends using sentences like that that you would logically write on a piece of paper or type several times a day to defeat people finding it by snooping around or even using a keylogger. For a while my password was "Where is the 10:30 meeting today?" a reasonable reminder (not that I needed one) could have been a post-it with just 10:30 meeting written on it and no one would be the wiser.

7
0
Silver badge
Facepalm

@Crazy Operations Guy - So the first thing you typed after returning from lunch every day was, "Where is the 10:30 meeting today?"

0
1

It's as stupid as PHP email validation routines which disallow "+"

That's hardly PHP's fault. They even provide a working function to test email addresses:

filter_var('user+name@example.org', FILTER_VALIDATE_EMAIL)

1
0

Yep - sometimes I will even send them a mail that their password policy is plain stupid. So far I never got an answer.

/Zane

1
0

My personal bugbear are those that won't even tell you why they're rejecting your password, so you keep having to shorten and simplify it till you get one that works.

3
0
Silver badge

So the first thing you typed after returning from lunch every day was, "Where is the 10:30 meeting today?"

That's shorter than my current Windows domain passphrase, which I enter several times a day. I don't let any software remember my passwords, so I have to enter it when I reconnect to the VPN, unlock my laptop, etc. I don't think I've mistyped the current one yet, and I've had it for a couple of weeks now.

Typing a 32-character passphrase quickly and accurately isn't hard if you're a decent touch-typist.

I generate my passphrases with a simple (Cygwin) bash command line, using $RANDOM/sort/head/strings on aspell's English dictionary. That gives me a screenful of words chosen at random from the dictionary. I put together a nonsense but memorable phrase (as in the XKCD method, which has been recommended by various security researchers for decades), then scatter some numerals, capitals, and punctuation to make the group-policy password constraints happy. Jot down a hint in case I forget it and put that in a safe location, and I'm good to go.

1
0

This post has been deleted by its author

Emoji Passwords are the way forward :-)

1
0

"...What would help is if more sites would let you use Unicode..."

I've wondered about this. Why the (censored) _can't_ I use Unicode? (To send a password: switch keyboard layout to Russian, type something in English that comes out as Cyrillic gibberish, switch back to English.) And why, oh why, can't I use spaces or more than 20 characters? (Honest question here: am I correct in assuming these last two limitations mean the site is probably storing an unhashed password? Or are there actually valid reasons for crippling security in this manner?)

-- Bill

2
0
Silver badge
Trollface

Re: "...What would help is if more sites would let you use Unicode..."

Awesome idea. Now please access the same system from a smartphone keyboard. I'll even let you install Cyrillic support on it! Just hold on until I fetch the popcorn...

2
0

Re: "...What would help is if more sites would let you use Unicode..."

@DropBear :

"...Now please access the same system from a smartphone keyboard. I'll even let you install Cyrillic support on it! Just hold on until I fetch the popcorn..."

True, not a system for all people or purposes. Or possibly, even very many. But there are those of us (myself included) who use phones as little as possible. I make the occasional traditional, 19th-century style "call" from time to time, where you talk and listen, just like Great-Grandma used to do. And, on rare occasion, a text message or two. No passwords. And in any case, this is 2015; the world extends beyond nations with languages fitting conveniently into eight bits

0
0
Silver badge

Re: "...What would help is if more sites would let you use Unicode..."

am I correct in assuming these last two limitations mean the site is probably storing an unhashed password?

Probably not, actually. These sort of restrictions are more likely due to legacy limitations in input systems, poor coding in applications that accept passwords and submit them to the verification back end, or artificial constraints imposed by programmers who weren't sure if there might be a problem, and rather than find out simply restricted the input.

One common case is where the back end is, or originally was, a system with terminal input that could only handle a restricted character set: IBM EBCDIC mainframe, for example, with something doing ASCII-EBCDIC translation in front of it, or an old UNIX system. Since these back ends only let users enter a limited character set, when people put web or GUI-application front ends in front of them, the developers would restrict the input.

So, for example, while RACF on modern zOS uses strong password hashes, an old COBOL transaction program running in a zOS CICS region and doing an EXEC CICS SIGNON is limited to 8 printable EBCDIC characters for the password. Put a fancy web front end on that, but if you're passing the user password directly to that old COBOL app, the user's password will have to be no more than 8 characters, and they'll have to be ones that map to printable EBCDIC.

Now, as I pointed out in another post, it's certainly possible to hash longer passwords into short printable strings; and the same goes for reducing the character set.1 But few organizations doing this kind of legacy-application modernization seem to understand that, or be willing to implement it.

1An idea this obvious - why, I ought to patent it.

1
0
Gold badge

Case sensitivity

Don't forget that there are some sites out there that are case insensitive on passwords and others that are case sensitive on email addresses.

Fortunately, the worst offenders often perform all the validation in Javascript so if you View Source on the offending web page it is possible to reverse engineer the rules. (Dunno what "normal" people do, though.)

6
0

Re: Case sensitivity

Like sprint and their case-sensitive usernames and passwords shorter than 15 characters with no punctuation. Screams "client-built SQL query"...

3
0
Unhappy

Password rage

This. Largely caused by having to remember* a complex never-before-used upper/lower/numeric/punctuation password for a supermarket loyalty card** to protect my largely spurious personal information. And trying to follow good practice by not duplicating another password and not being systematic.

Just because the eager beaver who put the system together *could* tick all the security boxes, it doesn't automatically mean that it was absolutely necessary.

* okay, not remember. Just reset when I use it. Like that stupid Verified by VISA thing.

** yeah, but there are some convenient savings sometimes.

8
0
Anonymous Coward

Re: Password rage

I up-voted you for mentioning the idiotic Verified by VISA thingy.

Using my credit card number and my birthday as only requirements to reset the password it is plain stupid because they are not so secret. Besides that, the reset being done into a small frame of a hidden website for which you can not verify the validity of SSL certificates is close to dangerous.

I makes me sick to think a cretin turned into developer takes pride in pushing that as a security measure.

I even called my bank to talk about it and they refused to discuss that matter insisting it's being done for security purposes.

23
0
Silver badge

Re: Password rage

Yup, VbV is a complete waste of time.

I actually made the effort to try and remember the phrase I used a while back (rather than setting a random string knowing I'd just reset next time). Got one, ONE character incorrect the next time I tried to use it, and as a result of that single borked attempt they made me reset and wouldn't let me reset to the phrase I'd bother to remember.

So I'm back to 'forgot my password' -> set to a random string -> make no attempt to remember it

Which means it, once again, provides bugger all value whatsoever.

8
0

Re: VbV

What is even worse is when you get the password wrong and they lock your card. Had that happen to me while booking a last minute ticket out of Ukraine last year. Passwords are pretty hard to type on a smartphone with such a ridiculous password policy when you're in the back of cab that is red-lining the engine and blowing every stoplight...

6
0

Re: VbV

when you're in the back of cab that is red-lining the engine and blowing every stoplight...

In some places that's normal behaviour for a taxi.

3
0

This post has been deleted by its author

Gold badge

Re: Password rage

I wrote down my VbV password once (the horror) just to prove to myself that I wasn't going senile, and it still didn't work. When I managed to complain to someone knowledgeable there, he admitted to me that the password was automatically retired after 4 weeks of no use, so that was the reason why. Now I just reset it every time.

0
0
Anonymous Coward

Use a high-entropy password generator

Low entropy in your passwords is the weakest link in any crypto-system.

Use a high-entropy Random Bit Generator

0
1

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018