It's World (Terrible) Password (Advice) Day!

It's World Password Day! And you know what that means: all the effort you've put into trying to persuade people to rethink how they do passwords turns to mush because some company sees a PR opportunity and floods social media with terrible advice. This year's award for Terrible Password Advice goes to the wireless industry's …


  1. Phil Kingston Silver badge

    "don't waste your time trying to tell anyone else what they should do when it comes to passwords"

    Well that's ruined the comments for this article then.

  2. Anonymous Coward

    '2 Factor- This is proper security'

    Proper Security? Face it 2-factor is anything but, we need 3-Factor asap!

    BTW:

    Don't take my word for it. El-Reg has been warning us about this for years:

    -------------

    http://www.theregister.co.uk/2017/05/08/banking_protection_survey/

    https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/

    http://www.theregister.co.uk/2016/03/08/natwest_mobile_hack/

    http://www.theregister.co.uk/2015/12/30/krebs_paypal_hack_criticism/

    1. hnwombat
      Coat

      Re: '2 Factor- This is proper security'

      "Proper Security? Face it 2-factor is anything but, we need 3-Factor asap!"

      You're still thinking too small. We need aleph-null factor security! The crims will never get in!*

      * by definition

    2. Paul Crawford Silver badge

      Re: '2 Factor- This is proper security'

      Let's face it, the biggest problem with text-based 2FA is not someone hacking the phone company's network but the likelihood that a user is relying on their phone for both the web login AND the text message.

      So that dual-use phone becomes a single point of security failure, more so given the piss-poor patching and updates for most Android phones (i.e. most phones in total).

      So use text-based 2FA if you possibly can, but please don't do both on the one device!

  3. Squander Two

    Some good advice missing from this piece:

    Yes, use a handful of real words, but misspell at least one of them.

    "korrekthorsbatterystaple"

    Capitalise some letters, but never the 1st of each word -- how about the 3rd?

    "koRrekthoRsbaTterystAple"

    Instead of having a password, memorize a simple password-generation rule which is based on the thing you're logging into.

    E.g. "koRrekthoRsbaTtery"+[1st & 3rd letters of app name]+[[number of letters in app name]-2]

    which for The Register would give:

    "koRrekthoRsbaTteryte9"

    This is just as easy to remember as a password while being different for every site or app you use.

    Also, a good alternative to random dictionary words is to use the initials of a memorable sentence, which gives utter gibberish that's very easy to remember.

    You're welcome.

    1. Anonymous Coward

      Huh

      How did you guess my password? !

    2. Tikimon Silver badge
      Megaphone

      User-friendly method for good passwords

      After years of frustration I finally found a trick that my users can work with, but creates good passwords. Maybe it's too simple to seem legit. I dunno, but here goes again...

      Base the password on an easily-remembered sentence. Easy example: "These aren't the droids you're looking for." Take the first two letters of each word, capitalize the first, add punctuation to the end. That gives:

      Tharthdryolofo!!! It's not necessary to remember that mess of letters. Run through the sentence to yourself as you type. My least technical users can do this and love it.

      Is it perfect? NO! Are there recognizable words to dictionary attack? NO! Can a user remember and use this near-random password? YES! It's the best compromise between random passwords and usability I've found.

      1. Robert Carnegie Silver badge

        Alternative mnemonic method

        Alternative mnemonic method: generate random letters, then make up the mnemonic to suit the letters. You'll have to write the password down in the first place - and maybe the mnemonic - but after a few repetitions it will stick.

        I have to use systems that impose rules, and while I could maybe break those, instead I use this method:

        Every password in the same format.

        The format is 2x letters and 2 numbers, and the letters and numbers are random - not repeated - and the letters are consonants. The first letter is capitalised. This meets various system requirements of:

        Contains letters and numbers

        Contains upper and lower

        Does not contain any English word

        Repeated letters are quite a stupid rule although I suppose you want to block "passssssword" as a password (but, why, Register wants long passwords, that is long)

        The password is constructed by taking random source and skipping any input that doesn't fit. If the source is letters, then A to J represents 1 to 0 (after 9) and K to T likewise.

        The middle letters of words from a book yield: Hvnk5ypsb4

        But pure random text is more consonanty.

        Then convert the letters to a sentence like "Havink your pure sweet Bovril". Never mind the numbers - if the mnemonic brings back the password letters from memory, then, for me at least, the numbers come too.

        Add ! at the end for a system that rejects a password without a non-alphanumeric symbol. B!@#$£rds.

      2. Phil Kingston Silver badge

        Re: User-friendly method for good passwords

        Gonna need a numeral in there for a lot of systems/sites.

    3. bombastic bob Silver badge
      Devil

      @Squander Two - you're trying too hard here.

      Just do the 'correct horse battery staple' with predictable non-alpha-numeric characters between each word, like: "correct-horse+battery/staple". To "change" your password, merely change the value and/or order of the non-printables, making it easy to remember, difficult to crack.

      Back in the day Compuserve issued passwords very similar to that concept, consisting of two unrelated words separated by a non-alpha-numeric, like "kettle?gear" [no that wasn't my password, but I still remember what it was, more than 20 years later].

      Also a line from your favorite movie might work, with similar characters between words... "go-ahead+make!my/day?"

  4. ThatOne Bronze badge
    Joke

    Or just use "1234" since your login & password will be stored unencrypted on a public server, and will thus rather sooner than later end up (with any other private information you provided) in one of the hacked passwords databases... What's the point of having a $20000 key when the door is made out of plywood?

    1. Aqua Marina Silver badge

      Hey! Don’t go giving out the code to my luggage!!!

      1. Anonymous Coward

        Hey, just a heads up but four digit codes are not recommended at all.

        https://pastebin.com/2qbRKh3R

      2. AndrueC Silver badge
        Joke

        That's the code for the parental lock on my Sky box. If I had any kids I'd be jolly annoyed by it being made public.

  5. Steve Knox Silver badge
    Trollface

    Sensible Rules

    1. Require a fixed-length password, so that it can be stored and retrieved efficiently.

    2. Require a specific pattern of {lower-case letter}{upper-case letter}{number}{special character}

    3. UNDER NO CIRCUMSTANCES ALLOW:

    Spaces ( )

    Quotes (')

    Double-quotes (")

    Ampersands (&)

    Backslashes (\)

    Forward Slashes (/)

    ASCII control characters

    Anything other than 7-bit ASCII printable characters (specifically ASA X3.4-1965, to maintain compatibility with IBM 2260s)

    4. Determine the average amount of time to brute-force a password created using these rules, and require password changes at least twice as frequently*.

    5. Require all employees to share their current passwords with their manager in case of emergency.

    Problem solved!

    * In fact, just require a password change every time a user logs in. Make sure to automatically lock that workstation when idle for over 1 minute!

    1. Anonymous Coward

      Re: Sensible Rules

      You spoiled my fun,

      Our shop rolling out a one password for all scheme. I have been having loads of fun breaking it with combinations of special characters that our different platforms don't like...

      1. bombastic bob Silver badge
        Joke

        Re: Sensible Rules

        Just hand out the root password to everyone who might need it. Make sure it's so cryptic that you have to write it down or store it someplace. Problem "solved".

    2. MiguelC Silver badge

      Re: Sensible Rules

      You forgot to forbid other special purpose characters.

      I once broke an Oracle-based app by using an underscore in the password. Said app would then only let me log in again if I encapsulated the password in double quotes.

      1. el_oscuro

        Re: Sensible Rules

        That's weird. Normally Oracle allows upper case, numbers, _# and $. Anything else will break it. And if you have a ', it is SQLi.

    3. Phil Kingston Silver badge

      Re: Sensible Rules

      By making it fixed length, doesn't that make it easier to attack?

      Efficiency of retrieval shouldn't be the driver for passwords surely? If there's one thing that I detest it's processes/forms/systems/interactions that are designed to make it easier for the processing bod to work on.

  6. Schultz

    Rule number 6

    Make your better half write down her login passwords in that old calendar. Or, better yet, incorporate them into your password manager. Because you will be held responsible if she can't recover that hotel booking.

    1. onefang Silver badge

      Re: Rule number 6

      I don't make her do that, she came up with the idea all by herself. Coz she's lousy at remembering passwords, a password manager is too hard for her, and me being a sysadmin at times, I'm used to looking after other people's passwords, so what's a few more? So, when she remembers, she tells me her passwords and I store them in my password manager. It's the times she forgets that are a pain, then neither of us knows them.

  7. Charles 9 Silver badge

    So what about people who don't own anything that can be used as a password manager or second factor AND has such a terrible memory that "correcthorsebatterystaple" regularly becomes "donkeyenginepaperclipwrong"?

    1. jake Silver badge

      What about 'em, Chuck?

      They are hardly likely to manage to get online in the first place, now are they?

      1. Charles 9 Silver badge

        Re: What about 'em, Chuck?

        "They are hardly likely to manage to get online in the first place, now are they?"

        Yes, actually. Or are you forgetting EVERYTHING'S going online these days...including the bank (no more local branches), the benefits tracker, all the friends and family, and so on?

    2. Flocke Kroes Silver badge

      Password for people with bad memories

      Set the password to 'incorrect' and tell them to try any word at all. If they guess wrong the computer will tell them what the password is.

  8. Mark 65 Silver badge

    Missing the point

    Maybe I'm missing something with password policies I've encountered online. If a user's password is stored as a salted bcrypt hash, which is presumably then of a fixed length, why do some policies then specify 10-18 characters in length? I've witnessed this a number of times and, unless it is an arbitrary limit based upon the computational resources needed to repeatedly hash something, what point does such a low maximum length serve? (I understand the minimum length requirement.) I have other accounts where I've used random 30 characters and those sites don't care and just accept them.

    Can someone in the know explain this phenomenon?

    1. Dodgy Geezer Silver badge

      Re: Missing the point

      Yes I can. But No, I won't.

      http://lmgtfy.com/?q=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FPassword_strength

    2. Charles 9 Silver badge

      Re: Missing the point

      String field limits. Probably put in place long ago but now so institutionalized it can't be changed anymore. Overflowing a string input field is unpredictable.

      1. Anonymous Coward

        Re: Missing the point

        NAB bank password used to be only 8 chars long, but they didn't mention this and the input field would accept longer than 8 characters. It simply discarded anything after the 8th.

        They only needed to fess up when they finally changed their system to be more secure and allow longer passwords. They then had to advise that anyone previously using a password longer than 8 chars, should only put the first 8 in or it would be rejected.

        1. David Given

          Re: Missing the point

          I encountered a system once which would lowercase your password as you typed it in... but only in the form where you set up the password in the first place. It didn't do it when you tried to log in.

          That one was _real_ fun to figure out. Death's too good, etc.
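Mark 65's question (a salted hash is fixed-length, so why a short maximum?), the NAB story (silent truncation after the 8th character) and David Given's lowercase-at-enrolment bug can all be reproduced in one small model. This is an added example, not code from any commenter or from the systems they describe: it stands in for bcrypt with the standard library's PBKDF2-HMAC-SHA256, and the PasswordStore class and its two knobs are hypothetical, built only to show the failure modes and how to audit your own verifier for them.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ROUNDS = 10_000  # kept low so the demo runs quickly; production values are far higher


def derive(password: str, salt: bytes) -> bytes:
    """Stand-in for the salted bcrypt the thread discusses (PBKDF2-HMAC-SHA256 here).
    Whatever the password length, the digest is always 32 bytes, so storage size
    is not a reason for a low maximum password length."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)


def digest_lengths(*passwords: str) -> set:
    """Digest sizes for passwords of wildly different length (expect a single value)."""
    salt = b"constructed-demo-salt-16"  # constructed fixed salt so only the password varies
    return {len(derive(p, salt)) for p in passwords}


class PasswordStore:
    """Hypothetical verifier. With the defaults it is correct; the two knobs reproduce
    the bugs in the thread: truncate_at=8 models NAB's silent 8-character limit,
    lowercase_on_enrol=True models lower-casing on the set-password form only."""

    def __init__(self, truncate_at: Optional[int] = None, lowercase_on_enrol: bool = False):
        self.truncate_at = truncate_at
        self.lowercase_on_enrol = lowercase_on_enrol
        self.db: Dict[str, Tuple[bytes, bytes]] = {}

    def _normalise(self, password: str, enrolling: bool) -> str:
        if self.truncate_at is not None:
            password = password[: self.truncate_at]  # extra characters silently dropped
        if self.lowercase_on_enrol and enrolling:
            password = password.lower()  # applied at enrolment, not at login
        return password

    def enrol(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, derive(self._normalise(password, True), salt))

    def verify(self, user: str, password: str) -> bool:
        salt, stored = self.db[user]
        return hmac.compare_digest(stored, derive(self._normalise(password, False), salt))


def effective_length(store: PasswordStore, user: str, password: str) -> int:
    """Audit helper for your own store: enrol a password, then find the shortest
    prefix that still verifies. Equals len(password) on a correct system."""
    store.enrol(user, password)
    for n in range(1, len(password) + 1):
        if store.verify(user, password[:n]):
            return n
    return len(password)


if __name__ == "__main__":
    print(digest_lengths("a", "correcthorsebatterystaple", "x" * 200))  # {32}
    print(effective_length(PasswordStore(truncate_at=8), "alice", "correcthorsebatterystaple"))  # 8
    print(effective_length(PasswordStore(), "alice", "correcthorsebatterystaple"))  # 25
```

Running effective_length against your own authentication code in a test suite is the check that would have surfaced the NAB behaviour before customers did.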

  9. Brian Miller Silver badge
    FAIL

    What's the point?

    There have just been two articles about very popular sites writing passwords in plain text, so what's the point of the complexity when the website writes it out in plain text, stores it in plain text, and sometimes spafs it all to world+dog+gerbil because ... ah, what's the latest excuse for stupid, anyways?

    Really, I don't trust the password managers, so I've been keeping passwords in a text file. The passwords just happen to be individually encrypted in AES256. Yes, they are random passwords.

    But again, WTF is the point when assorted websites totally fail at their end to have any sense of security?

    1. Doctor Syntax Silver badge

      Re: What's the point?

      "There's just been two articles about very popular sites writing passwords in plain text, so what's the point of the complexity when the website writes it out in plain text, stores it in plain text, and sometimes spafs it all to world+dog+gerbil"

      In both cases the suggestion is that the password is stored in hashed form but that a log grabbed the plain-text password before it was hashed. I didn't read up on the details of the first instance but the second was that the logs were internal, so not splashed to the world with or without dog, but only to the sysadmin gerbils who had sufficient integrity to flag up the problem rather than try to hide it.

      That is not sufficient reason to give up on complexity.

      1. Brian Miller Silver badge

        Re: What's the point?

        But logs don't grab passwords, the computers store them there because the programmers wrote logging statements putting them there!

        Come to think of it, can you imagine a computer system where systems are individually sentient? "The logging system grabbed that info because it suffers from kleptomania, and it's also a hoarder." "I keep getting spam in my inbox because the mail system feels that my love life needs improvement." "The compiler has been taking hits off the bong again."

        1. onefang Silver badge

          Re: What's the point?

          "The compiler has been taking hits off the bong again."

          That explains a lot about LSL. (Linden Scripting Language, the scripting language in Second Life, for those that don't know.)

  10. FuzzyWuzzys Silver badge
    Facepalm

    Oh yeah!!!!

    So let's check this, every user will now think....

    "Right so I can't use 'ABC123' as it won't let me use something that simple anymore, let me try 'ABC_123'. Cool, it works! Pub anyone?"

    1. el_oscuro

      Re: Oh yeah!!!!

      And of course they will make you change it every two weeks. So:

      ABC_123

      ABC_124

      ABC_125

      Works great!

    2. handleoclast Silver badge

      Re: Oh yeah!!!!

      Too weak. I went with '#PasswordDay'.

  11. Halcin

    What about paper?

    There was a time when everyone screeched "Don't write it down!" Well, why not? OK, putting up a large sign, for all to read, is clearly silly.

    But everyone has spent their entire lives learning how to look after little bits of paper. It's called money. We all have special gadgets, devices and procedures for keeping paper safe. As a society we have been learning how to do so for centuries.

    How often do El Reg publish an article about crims breaking into houses or offices to rummage for bits of (non-currency) paper? How often are people mugged for the passwords in their wallet?

    A challenge - here is a copy of my paper based password reminder:

    A5dQ1 t6F2P0 e4e2G8

    m23ZX 8GjK4 DeW4I

    mIiL8 qb4V3 60A1a

    Now hack my account! Which account? Exactly.

    So where is the evidence to show any/all paper based solutions are terrible? (evidence, not opinion :P ) This has been an issue long enough for there to be evidence, so where is it?

    1. Anonymous Coward Silver badge
      Joke

      Re: What about paper?

      One step further... My credit card pin code is just the last 4 digits of the card number. Or was it the 1st of each block? Or 1st,2nd,3rd,4th of successive blocks? Or was it that backwards?

      But it's always just there, so I can't forget it when I need it.

      Ah yes, I remember now, I used one card's number as the pin for the other (and vice versa) so that I can see it while the card is in the machine.

      .

      It's not really, but my point is that it's not a problem having a system if there are so many possible systems that nobody will be able to work it out.

      1. Skwosh

        Re: What about paper?

        For most people the vast majority of the systems and services we use depend on us having access to a particular email account – that is ultimately how we are authenticated – not through knowing a password, but through our ability to access the email account we registered with. I can forget all of my passwords and still have access to all my accounts by clicking 'forgot password' so long as I still have access to the registration email.

        Knowing and protecting the password/access-rights to that email account is really really important – knowing the passwords to all the other accounts, ultimately, not so important.

        Personally I try to use a strong but memorable password for my main email account (easier said than done of course) and store that password only in my brain. That way (assuming my email service provider hashes passwords) no plain-text of it should ever permanently exist anywhere in the Universe other than encoded in my neurons (unless someone exfiltrates it during a logon – which is of course possible for any password based system if either end-point is dodgy or there is a man-in-the-middle – but hey – nothing is perfect).

        Also, I agree with some here that paper (as an aide memoire for strong but less essential passwords) should no longer be blanket ruled out.

        I remember reading an interview a while back with one of Google's security bigwig admins – he said he always used strong passwords, a small number of which he memorised, but most of which... he recorded with the aid of a physical (paper) notebook.

        Quelle horreur!

        The threat landscape has changed: Malware and assorted hacks mean that the security of end-point devices and in some cases even data on servers might (in some scenarios at least) be rather worse on average than the security of a piece of paper (or several pieces of paper) stored physically in a building or on-person.

        1. Charles 9 Silver badge

          Re: What about paper?

          But what about Evil Maid/Co-worker attacks? Many break-ins, after all, are still INSIDE jobs.

          1. Halcin

            Re: What about paper?

            @Charles 9

            I suspect you have been watching too many Hollywood films.

            I'm talking about treating a bit of paper (with your password on) with the same care you would give £$1,000. Would you leave £$1,000 lying around for anyone to pick up? Are you that careless with your money?

            1. Charles 9 Silver badge

              Re: What about paper?

              "Are you that careless with your money?"

              Oh, the things I have seen...

          2. Dave Bell

            Re: What about paper?

            Having a paper notebook in a safe place is a good situation for using a written record.

            But what's a safe place?

            At one extreme is the sticky note on your office computer's monitor. That's the total insecurity that prompts "Don't write your password down" rules.

            Stupid users, it seems, prompt stupid rules. I think, with my personal situation, I'd be more worried about the other end of the chain. The Twitter example resembles other cock-ups I know of, and it could be an instance of poor management of programmers. Specifications and documentation are critical weaknesses.

        2. SW10
          Mushroom

          Re: What about paper?

          This.

          Knowing and protecting the password/access-rights to that email account is really really important

          I work with a lot of millennials and often tell them that if I get hold of their email password I can control their lives.

  12. Michael Habel Silver badge

    By some strange coincidence

    It's also Star Wars Day.... Something that used to be celebrated the world over has henceforth become Mary Sue Day.

    1. Doctor Syntax Silver badge

      Re: By some strange coincidence

      "Has henceforth become Mary Sue Day."

      Who's Mary and who is she suing?

  13. Flocke Kroes Silver badge

    Biometric?

    Since when has biometric become sane? I open the door to a shop and forget to wipe my fingerprints off the door handle. I had better change my authentication token. I buy a snack and take my Halloween mask off to eat it. My face is now on CCTV recordings in all the surrounding buildings. The office buys a really expensive retinal scanner that checks for a pulse. A thief takes your eye and tries to fool the scanner by squashing the eyeball. Do you care if the scanner spots the problem?

    Biometric must not be inflicted on people capable of remembering their passwords.

    1. onefang Silver badge

      Re: Biometric?

      Biometrics is a user name, not a password.


Biting the hand that feeds IT © 1998–2019