Password1? You're so random. By which we mean not random at all - UK.gov

The UK government has renewed its efforts to persuade consumers to pick stronger passwords. The #ThinkRandom campaign is encouraging consumers to use three random words to create strong, separate passwords for their email, social media and online banking accounts. The effort follows a growing number of password dumps and …

Silver badge
Joke

Okay... let me be the first to post this :

Password Strength...

8
0
Silver badge
Flame

Re: Okay... let me be the first to post this :

... and let's see if you get assailed by the critical masses as I did for posting the same link in an article a couple of years ago!

The main issue I face with the CorrectHorseBatteryStaple approach is that most of the things I have passwords for insist on mixing upper and lower case letters with numbers and possibly symbols, but maybe not, and minimum and maximum lengths... so never mind reusing a password across different sites, I can't even reuse my password construction rules across sites!

10
0
Anonymous Coward

Re: Okay... let me be the first to post this :

Also, many sites have a maximum password length. Three words plus numbers and special characters can easily be too long.

I used to set my password manager to autogenerate 25 characters by default, but now have set it at 12...

2
0
Boffin

Re: Okay... let me be the first to post this :

Thankyouthankyouthankyou - I've now set all my passwords to "correcthorsebatterystaple" and will sleep soundly in my bed tonight.

7
0
Silver badge

Re: Okay... let me be the first to post this :

Handily one of the applications I use at work has to be accessed via Citrix and for some reason the password changed every 6 weeks or so. Apparently there is a password construction policy for this as I keep getting told my chosen password doesn't fit the organisation's password policy, unfortunately it won't tell me what this is, and the passwords they send out for a reset don't follow it!!

4
0

Re: Okay... let me be the first to post this :

I wonder how many people have actually used "correcthorsebatterystaple" as a password for something?

I'm sure there are plenty of cases where people have used it for the irony factor on something they don't consider important, but I want to know how many people have actually used it, thinking it was a good password? I bet there's quite a few.

2
0
Silver badge

My formula

Abcdef78

Random letters from words from a book (any book) with case as shown but excluding repeats, random digits usually from minutes units and seconds units on digital watch.

So far it works just about everywhere - though now I've told you what it is I'll need to set another one :-) (and "Abcdef" was so easy to remember!)

If they want bloody punctuation then add on "!" at the end. Or an internal quote mark and a SQL Injection and serve them right. "passwd carnegie Bum\"shutdown -rightnow -nosave -allow-reboot=never" :-)

3
0

"Barely a day goes by without a major security breach coming to light..."

... and the business that is breached not suffering any business penalty worth mentioning.

No. The bit above _wasn't_ part of his quote. Which doesn't stop it being true.

Is it possible, therefore, that those who count beans decide the cost of effective, regularly reviewed and improved security isn't worth a single one of the magic beans they so avidly count?

Could be. Just possibly.

"However, what we really need is a fundamental rethink of the basic security protocols,"

That's one approach. But it will take time and cost magic beans. And even if it happens, it's not a one-time thing - it needs to be done, frequently reviewed and assessed in line with new threats, done again and repeated forever.

Which, in this Idiot's view, ain't gonna happen while _not_ doing it doesn't impact the beans. HARD. And NOW.

Yes. I know. I'm shouting. Mostly because I don't think anyone not reading these pages is listening... sigh.

6
0
Silver badge

Re: "Barely a day goes by without a major security breach coming to light..."

We're listening but then, we're also pushing for the same thing... The problem is the beancounters and their ilk aren't listening. Too many beans to count, I suppose.

2
0
Silver badge
Facepalm

or, they could really encourage 2FA everywhere

much more effective.

0
3
Silver badge

Re: or, they could really encourage 2FA everywhere

But what sort of 2FA?

Quite a few of us don't get a reliable phone signal at home, or even at work.

With phone software nasties that can intercept SMS, aren't we simply moving the goalposts?

6
0

Silver badge

Re: or, they could really encourage 2FA everywhere

And lots of people don't even have a cellphone, let alone get a signal. Seriously, if a site or service cannot come up with something that works for everybody without having to purchase additional equipment and services they should be questioning their ability to develop security solutions for themselves.

4
0
Silver badge

Reversed!

A certain UK government website told me that passwords containing 'password' were forbidden. But it accepted 'drowssap'.

3
0
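
The "drowssap" story above is a blocklist that compares the raw string only. An added example (not from the commenter or from any UK government site) of how a defender would normalise a candidate before looking it up, so that reversal, case, appended digits and common letter-for-digit substitutions all collapse to the banned word. The blocklist entries and the substitution table are constructed for the example; a real deployment loads a breached-password corpus instead.

```python
import re

# Constructed blocklist for this example; a real deployment would load a
# breached-password corpus instead of these few entries.
BLOCKLIST = {"password", "letmein", "qwerty", "correcthorsebatterystaple"}

# Common digit/symbol substitutions undone before comparison (assumed set).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def canonical_forms(candidate: str) -> set:
    """Return every normalised spelling a candidate collapses to."""
    lowered = candidate.lower()
    bases = {lowered, lowered.translate(LEET)}
    forms = set()
    for base in bases:
        forms.add(base)
        forms.add(re.sub(r"[^a-z]", "", base))   # letters only: drops digits/symbols
    forms |= {form[::-1] for form in forms}      # reversed spellings too
    forms.discard("")
    return forms


def is_blocked(candidate: str) -> bool:
    """True if any normalised form of the candidate is on the blocklist."""
    return any(form in BLOCKLIST for form in canonical_forms(candidate))


if __name__ == "__main__":
    for pw in ("drowssap", "Password1", "P@ssw0rd!", "1drowssaP", "ehrt-Yafp4:1201"):
        print(f"{pw!r}: {'blocked' if is_blocked(pw) else 'accepted'}")
```

The check deliberately over-matches: a candidate whose letters-only core is a banned word is rejected even if the site's complexity rules would have been satisfied by the digits and symbols bolted on.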
Silver badge

Re:drowssap

That sounds like a spell component from a D&D manual.

I'm going to start generating passwords that way. Spell component as the password, name of the spell written down in the 'password hints' binder.

5
0
Silver badge

Re: Re:drowssap

Ah yes, your codebook can be in plain sight on your shelves and no one would be the wiser! :)

Me, I'm going to switch to a password set suggested by something funny a friend said to me a couple decades ago, him from a different discipline to mine and using a language I don't know (he had to explain _why_ it was funny). Now how is a profiler going to guess that from perusing *my* emails?!

3
0

Re: Re:drowssap

Upvote for the nerdiest password generation system I've ever heard of.

2
0
Anonymous Coward

Re: Reversed!

Our clinical software stores its application login passwords (hashed, but not salted) in a table in the SQL DB called "drowssap".

Amusingly, the vendor recommends we give read+write permission to Authenticated Users because "authentication is handled inside the application".

I dread the day someone realises you can siphon off the entire table using Excel.

Anon, but I dare say the vendor will know who I am if they read this.

2
0
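
The "hashed, but not salted" table above is worth a concrete illustration. An added example (constructed here, not the vendor's code or schema) showing why an unsalted table is so exposed: two users with the same password get identical stored values, so anyone who can read the table sees the duplicates at once and one cracked value covers every user sharing it. The salted, iterated form below (PBKDF2 from the standard library) gives each user a distinct value and makes bulk guessing expensive. Usernames, passwords and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000  # assumed work factor; tune to your hardware budget


def unsalted_hash(password: str) -> str:
    """What the commenter's vendor appears to store: a bare digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str, salt: bytes = None) -> dict:
    """Per-user random salt plus an iterated key derivation."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": dk.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def duplicate_groups(table: dict) -> list:
    """Users whose stored value is identical: visible to anyone with read access."""
    by_hash = defaultdict(list)
    for user, stored in table.items():
        by_hash[stored].append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


# Constructed accounts; two of them share the weak password from the thread.
ACCOUNTS = {"alice": "password1", "bob": "password1", "carol": "drowssap"}

UNSALTED_TABLE = {u: unsalted_hash(p) for u, p in ACCOUNTS.items()}
SALTED_TABLE = {u: salted_record(p)["hash"] for u, p in ACCOUNTS.items()}

if __name__ == "__main__":
    print("unsalted duplicates:", duplicate_groups(UNSALTED_TABLE))
    print("salted duplicates:  ", duplicate_groups(SALTED_TABLE))
```

The point for the DBA is that salting protects even before anyone cracks anything: the unsalted table leaks password equality between users for free, while the salted one does not, and read permission for Authenticated Users should not have been granted in either case.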

Password managers FFS!

That is all

3
1

Re: Password managers FFS!

Password managers introduce a single point of failure, there is a serious trust relationship which is highly questionable for any password manager, and that's before you consider using a cloud-based one. Then there are issues with multiple devices, lack of internet connectivity, or lack of ownership of devices you may be accessing secure accounts on.

They might work for you, but they are not a silver bullet.

3
0

Re: Password managers FFS!

Given that currently the single point of failure is the user, anything that avoids them either using weak passwords or reusing the same password, is a big win. Password managers make it trivially easy.

With the better password managers allowing you to keep your file on Dropbox, icloud, etc any miscreant has to crack one round of 2FA plus the database file's encryption.

No silver bullet, maybe, but certainly silver plated IMO.

0
1

Re: Password managers FFS!

Forgot to add.

Lack of internet is a red herring. Proper password managers keep your passwords file locally - no internet required. You just need to sync it automatically when you do have internet.

If you want access to secure sites on hardware that you don't own or trust, then more fool you.

1
0

I use a formula I came up with for generating my passwords, so it is a real pain when I find a website that insists my password has to be up to 8 characters, all lower case letters. (Yes, I still find ones like this).

Another thing I find annoying are sites that insist you change your password every so many months. Why?? I created a unique password just for this site and now I have to change it even though my account has never been breached? Talk about an insecure website. When people have been using a password for a while, it is memorized. When you force them to now use a new password, what is the best way for most people to remember it. In my experience, I found a lot of people tend to write it on a sticky note and keep it near their computer. Personally, I use an encrypted password manager, but not everyone is as computer savvy.

6
0
Silver badge
Devil

Foreign language to the rescue

I seed foreign profanity into my passwords. What dictionary attack is going to check multi-language cursing?

Agreed, DAMN the sites that have maximum-minimum or other requirements. They won't make a stupid user create a good password, and they screw up those of us with a good system.

Eta pizdets, faszfej!

3
0
Silver badge

"In a UK government pitch designed to persuade the public to adopt better password security,"

Might be better directed towards companies, since they are the ones responsible for the mega-dumps?

"consumers are advised against using words related to their personal lives that may be easy to guess or share."

I think if you have blue eyes, are 25 and live in Kent then 2kentEYEblue5!! is going to be pretty tough to break. Even Iliveinkentandhaveblueeyesandam25yearsold is pretty good.

2
0
Anonymous Coward

What about forehead recognition in keyboards?

You smash your head into said keyboard to log into the service. I see no problem with this approach.

8
0
Coffee/keyboard

re: forehead recognition

comment of the week :)

0
0

Today many sites force an active password to include a mixture of case and special characters. That's not random. Read up on the fatal weakness of the Enigma machine - the non-random requirement that the machine cannot generate the character typed. And yes, despite much opposition that I've received, it's the same issue.

4
0
Silver badge

Edward Nygma

I'm no expert on this but would it be necessarily "fatal" to a code if a fiendish algorithm swapped each letter for any letter in the same half of the alphabet, A-M or N-Z, including the same letter, and then performed ROT13 on the output?

Now - Nazis were not without boneheaded giving and obeying of orders, so, "Make sure the output letter is always different from the input" sounds like a stupid management instruction that has to be obeyed, which is familiar to many.

My site password formulas include not repeating any letter because some services or web sites do forbid that, but it makes the password so much less random if e.g. you know that a 26 character password must use each letter only once.

For a password to give away for encrypted data, I generate several sets of 5 uppercase letters, used with space after each 5. This is intended to be passed in writing or spoken, instead of being e-mailed.

0
0
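
Both the post two up (forced character mixes are "not random") and the one just above (a 26-character password that may use each letter only once) are claims about how much a rule shrinks the space a guesser has to cover. An added example, not from either commenter, that puts numbers on it: the count of strings satisfying "at least one character from each required class" is done by inclusion-exclusion, the no-repeat count is a falling factorial, and the Enigma-style "nothing maps to itself" rule is the derangement count. The alphabet sizes and lengths are assumptions chosen to match the thread.

```python
from itertools import combinations
from math import e, factorial, log2, perm


def count_unconstrained(alphabet_size: int, length: int) -> int:
    """Every string of the given length over the alphabet."""
    return alphabet_size ** length


def count_no_repeats(alphabet_size: int, length: int) -> int:
    """Strings in which no character appears twice (falling factorial)."""
    return perm(alphabet_size, length)


def derangements(n: int) -> int:
    """Permutations of n items in which nothing maps to itself (Enigma's rule)."""
    if n == 0:
        return 1
    d_prev, d_curr = 1, 0  # D(0), D(1)
    for k in range(2, n + 1):
        d_prev, d_curr = d_curr, (k - 1) * (d_curr + d_prev)
    return d_curr


def count_required_classes(class_sizes: list, length: int) -> int:
    """Strings over the union of the classes that contain at least one
    character from every class, by inclusion-exclusion over the classes
    that might be missing."""
    total_alphabet = sum(class_sizes)
    count = 0
    for r in range(len(class_sizes) + 1):
        for missing in combinations(class_sizes, r):
            count += (-1) ** r * (total_alphabet - sum(missing)) ** length
    return count


def bits_lost(total: int, allowed: int) -> float:
    """How many bits of guessing work the rule removes."""
    return log2(total) - log2(allowed)


def summary() -> dict:
    """Worked figures for the cases raised in the thread (assumed sizes)."""
    return {
        # 26 lowercase letters, 26 long, each letter at most once
        "no_repeats_26": bits_lost(count_unconstrained(26, 26), count_no_repeats(26, 26)),
        # upper, lower and digit all required in an 8-character password
        "forced_mix_8": bits_lost(count_unconstrained(62, 8), count_required_classes([26, 26, 10], 8)),
        # a 26-letter substitution that may never map a letter to itself
        "enigma_no_self_map": bits_lost(factorial(26), derangements(26)),
    }


if __name__ == "__main__":
    for rule, bits in summary().items():
        print(f"{rule}: {bits:.2f} bits removed")
```

The forced upper/lower/digit mix at length 8 removes under half a bit, and the no-self-mapping rule removes about log2(e), roughly 1.4 bits, from the permutation count; "each letter once" over 26 positions removes about 34 bits. Raw keyspace is only part of the Enigma story, though: what the rule handed the codebreakers was a fast way to reject wrong alignments, which a bit count does not capture.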
Silver badge

'Social media' as the same level of importance as banking??

If you get into my Facebook account, you can't steal my money. If you get in my online bank account, on the other hand...

Email is sort of in between - often control of it will allow an online password reset though hopefully your bank would require more than that.

If they make stupid statements like this, they aren't contributing to a solution. Just muddying the waters even more.

5
0

Re: 'Social media' as the same level of importance as banking??

If they have your Facebook account, they can pretend to be you and ask your friends and relatives for money. With a bit of social engineering some people will fall for this. For example, if they pick a date when you are on holiday and say there's been a disaster, you've lost your phone and wallet, and you need money to get home ASAP.

0
0

Re: 'Social media' as the same level of importance as banking??

Many sites allow you to log in using credentials from Facebook, Google, Twitter, etc.

0
0
Anonymous Coward

Yep, That's the password

Visited one of our hospitals and the local admin password on every PC and server was password1.

I think the "1" was so no one could guess what the password was.

They're all about convenience.

2
0
Anonymous Coward

Re: Yep, That's the password

We had something similar, well something better than password1 - but was easy to remember.

Then the manager's son decided it was insecure, and changed it to a randomly generated password that changed every month via group policy - which didn't always update correctly. So us poor mortals in support ended up having to do the cardinal sin of writing them down, just so we could log in!

1
0
Silver badge

More and more online sites demand tighter and tighter password rules - for utterly ridiculous things, a job vacancy website for f***'s sake!!! - that I end up using my high-strength banking password, just to look at ***king job vacancies!!!!!!!! - which then means I have to try and work out a stronger banking password that I can remember. And then discover that my bank won't let me strengthen my password beyond what I've just given to an advert site.

Why the FUCK!!!! should non-financial websites demand the same type of password as my banking website?

6
0
Silver badge

They shouldn't. Heck, if a website's only function is to show you ads, it has no business requesting any password at all.

On the other hand, if it looks after personal data - like, f'rinstance, if it allows you to upload your CV for forwarding to selected advertisers - that's another story.

2
0
Anonymous Coward

Got a DBS check email in the summer

Moving on to the next stage "If the link doesn't work, just visit blahblah.co.uk and enter this username and password"

FFS it's a DBS check for security and they send an effin' plaintext email with credentials to login and confirm my identity!!!!

And yes, it's for real, documents submitted and approved etc. It all came out ok in the end, but a fecking plaintext email? <still gobsmacked>

3
0
Anonymous Coward

Password1

Was this article written directly at me?

Spooky!!!

;O)

1
0

The Bank of Melbourne whose password policy EXCLUDES special characters and LIMITS passwords to 12 characters. When I raised my concerns, customer support replied that that should be hard enough to guess.

They’re probably wondering why I closed my accounts. Morons.

2
0
Silver badge
Facepalm

The Bank of Melbourne whose password policy EXCLUDES special characters and LIMITS passwords to 12 characters.

I don't know whether they still do, but the Bank of America used to insist that passwords to access (and trade) your portfolio online (average customer worth: several million dollars) must contain a mix of upper and lower case letters plus digits not more than six characters long!

That showed them pesky hackers.

2
0
Anonymous Coward

"The Bank of Melbourne whose password policy EXCLUDES special characters and LIMITS passwords to 12 characters."

That's bollocks. Try ING Direct in Oz. 4-6 numeric, I believe, FTW.

1
0

Secure Passwords?

try this one:

ӊTҎybyѴҊhKҘȻÏҔemVUbk

1
0
Silver badge

Three random words

Expect future "most common password" lists to contain

Oh My God

My Mail Box

Let me in(*)

Bank account password

Won't guess this!

(*) A golden oldie.

1
0
Silver badge

Assumptions

Lost my attention at "Your most important accounts are your email, social media and online banking accounts."

Social media - no.

Online banking - no.

Email - ooh, I actually have that!

2
0

Stub + algorithm

It's really not hard to create easy to remember, cryptographically hard passwords that are not duplicated across sites. First, think of a phrase.

I will choose 'yet another flippin password for:'.

That makes 'yaFp4:'. Yay, six characters including upper, lower, numeric, special.

Next. What is it for? theregister.co.uk? I will choose a selection of letters in a fixed pattern; let's say, third, second, fourth, first. Makes 'ehrt'.

Now tack on a memorable number. Yer mum's birthday. You *do* remember that every year? Well, maybe if you type it in ten times a day, you will from now on. Win-win situation.

Result: yaFp4:ehrt120152

1
0
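
The stub-plus-pattern scheme above gives a different password per site, but the fixed stub and the letter-picking pattern are visible in any one of them, so a single leaked password exposes the rule for the rest. An added example (not the commenter's scheme) of the same convenience done with a keyed one-way function: a high-entropy master secret and the site name go through HMAC-SHA256, and a counter is bumped until the output satisfies the site's character-class policy, so the result is deterministic, reproducible on any device, and reveals nothing about other sites if it leaks. The master secret, the site names, the length and the policy check are assumptions for the example.

```python
import base64
import hashlib
import hmac


def meets_policy(password: str) -> bool:
    """Assumed site policy: at least one upper, one lower and one digit."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def _candidate(master_secret: bytes, site: str, counter: int, length: int) -> str:
    # Site name and counter are bound into the HMAC message; the key is the
    # master secret, so the output cannot be inverted to recover it.
    message = f"{site}\x00{counter}".encode()
    digest = hmac.new(master_secret, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii").rstrip("=")[:length]


def derive_site_password(master_secret: bytes, site: str, length: int = 16) -> str:
    """Deterministic per-site password that satisfies meets_policy().

    Rejection sampling over the counter keeps the output uniformly drawn from
    the policy-compliant strings instead of bolting a fixed suffix on."""
    for counter in range(256):
        candidate = _candidate(master_secret, site, counter, length)
        if meets_policy(candidate):
            return candidate
    raise RuntimeError("no policy-compliant candidate found")


# Constructed master secret; in practice this is long, random and stored in
# a password manager, never a memorable phrase.
MASTER = b"constructed-example-master-secret-do-not-reuse"

if __name__ == "__main__":
    for site in ("theregister.co.uk", "bank.example"):
        print(site, derive_site_password(MASTER, site))
```

Base64 output can contain `+` and `/`; a site that forbids those would need its own alphabet in `_candidate`. The design choice that matters is that the per-site part comes from a keyed function rather than from a pattern over the site name, which is exactly the property the stub scheme lacks.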
Silver badge

It's not exactly an algorithm, but I find that random drunken ramblings sampled at 3 AM in a bar is a good starting point for creating strong passwords.

1
0
Bronze badge
Joke

Random lives in a House and does a lot of Publishing

"It's not exactly an algorithm, but I find that random drunken ramblings sampled at 3 AM in a bar is a good starting point for creating strong passwords."

For creating strong passwords ... or for creating new Australian colloquialisms to rival the likes of "flat out like a lizard drinking" and "she'll be apples".

But to vaguely waver back towards seriousness for a moment, it's the old adage that "anything is better than nothing". Whatever system you have works, so long as you have a system, and you use it.

Random drunken ramblings, reverse typing, random creature names from an AD&D Monstrous Manual and the page number they came from, pig latin, inverted ASCII, R3PL4C1N6 letters with digits (with or without full leetspeak), or even rousing games of Bingo and Battleship can all provide wonderfully difficult passwords to crack.

0
0
Bronze badge
Devil

Random and Corwin drove to Amber

The problems with 2FA have already been covered. (AKA besides the fact that not everyone has a smartphone, when was the last week you made it through that didn't read a headline, "phone cloned", "Android / iOS hole found", etc.?) Frankly, and with good reason, I trust my PC more than I do my phone!

Likewise a bad idea in security is the finger print. Even if they were truly unique (which they are not) most scanners are still beaten by a gummy bear, with or without involving a printer. I'm not sure about retinal scanners, but then I don't see many of those kicking around. And even if we could go straight to DNA, I'm betting most systems that could be made to fit into something small enough to use would be flummoxed by family members. (Not to mention all those pins and needles and hazmat concerns.) So anything biometric is out. (And yet companies still do try.)

Frankly, it's Steam that has some of the best solutions that I've seen combined. As simple as a password ... but protected by sanity checks such as location and device. Chances are pretty low that I would travel continents to log in from Estonia, at 3 in the morning, from a device that I have never used before. And if it really is me because I really went on a vacation, I just have to get my confirmation code from a second factor of my choosing. It's a much more sane solution that covers a majority of situations well, and is customizable to cover the rest.

0
0
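
The Steam-style "sanity checks such as location and device" described above are a small risk engine, and it is easy to show the shape of one. An added example (not Steam's code; the scoring weights, thresholds and login history are assumptions constructed for the example) that builds a profile from a user's past successful logins and scores a new attempt on new device, new country, unusual hour and rapid country change, then decides whether to allow, ask for a second factor, or deny.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LoginEvent:
    when: datetime
    country: str
    device_id: str


def build_profile(history: list) -> dict:
    """Summarise successful logins: known devices, countries, hours, last seen."""
    return {
        "devices": {ev.device_id for ev in history},
        "countries": {ev.country for ev in history},
        "hours": {ev.when.hour for ev in history},
        "last": max(history, key=lambda ev: ev.when),
    }


def assess_login(profile: dict, attempt: LoginEvent) -> dict:
    """Score an attempt; thresholds and weights are illustrative assumptions."""
    score, reasons = 0, []
    if attempt.device_id not in profile["devices"]:
        score += 2
        reasons.append("new device")
    if attempt.country not in profile["countries"]:
        score += 2
        reasons.append("new country")
    usual = {(h + d) % 24 for h in profile["hours"] for d in (-1, 0, 1)}
    if attempt.when.hour not in usual:
        score += 1
        reasons.append("unusual hour")
    last = profile["last"]
    if last.country != attempt.country and attempt.when - last.when < timedelta(hours=6):
        score += 3
        reasons.append("rapid country change")
    decision = "allow" if score <= 1 else "step_up" if score <= 5 else "deny"
    return {"score": score, "decision": decision, "reasons": reasons}


# Constructed history: a UK user who logs in mornings and evenings.
HISTORY = [
    LoginEvent(datetime(2015, 1, 19, 9), "GB", "laptop-1"),
    LoginEvent(datetime(2015, 1, 19, 19), "GB", "laptop-1"),
    LoginEvent(datetime(2015, 1, 20, 9), "GB", "laptop-1"),
    LoginEvent(datetime(2015, 1, 20, 19), "GB", "phone-1"),
]
PROFILE = build_profile(HISTORY)

if __name__ == "__main__":
    for attempt in (
        LoginEvent(datetime(2015, 1, 21, 9), "GB", "laptop-1"),
        LoginEvent(datetime(2015, 1, 21, 3), "EE", "unknown-device"),
        LoginEvent(datetime(2015, 1, 20, 21), "EE", "unknown-device"),
    ):
        print(attempt.country, attempt.when, assess_login(PROFILE, attempt))
```

The "step_up" outcome is where the commenter's "confirmation code from a second factor of my choosing" fits: the second factor is only demanded when the attempt looks unlike the user's history, so the 2FA objections earlier in the thread (no signal, no phone) bite far less often.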

Biting the hand that feeds IT © 1998–2018