Who needs hackers? 'Password1' opens a third of all biz doors

Hundreds of thousands of hashed corporate passwords have been cracked within minutes by penetration testers using graphics processing units. The 626,718 passwords were harvested during penetration tests over the last two years conducted across corporate America by Trustwave infosec geeks. The firm's threat intelligence …


      1. ZSn

        Re: Your dog is more popular than your daughter

        Yes, but it seems that boys are more popular than dogs and girls less popular than dogs. Odd choice.

      2. Anonymous Coward

        Re: Your dog is more popular than your daughter

        I feel really sorry for your daughter.

    1. Jim 59

      Re: Your dog is more popular than your daughter

      Dog's name is maybe more secure because it is slightly harder to obtain than a son's name. Not sure about the daughter thing.

    2. Hollerith 1

      Re: Your dog is more popular than your daughter

      I'd like to think it's because parents (or dads, at least) instinctively ring-fence their daughters and keep them safe by not using their names. Am I a soft romantic?

    3. Dick99999

      Re: Your dog is more popular than your daughter

      @ ZSn "Not sure", agree.

      How can they crack GoodLuckGuessingThisPassword by brute force? Considering letters only: one has to guess max 52^23=2.8E42 times, which takes centuries (or crack a PW of 140 bits entropy).

      Perhaps a Markov chain attack works with these words. Might gain a factor 3(?) up front, but with the same performance for an exhaustive search.

      Even if a combine-words-in-dictionary attack on a passphrase was undertaken with a 7776 word Diceware dictionary: it would take max 7776^5=2.8E19 guesses. Or at ~20 billion/sec (if possible for phrases) some 40 years on average.

      I have not seen math for non-random phrases, that could be attacked by grammar based approaches. Perhaps they know how to do that?
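To put numbers of the kind used in the post above side by side, here is an added estimator (not from the thread) that computes keyspace, entropy and time at an assumed 20 billion guesses per second for plain letter brute force, a crude word-combination attack and a five-word Diceware phrase; the 100,000-word attacker dictionary and the two-capitalisations-per-word factor are assumptions.

```python
import math

GUESSES_PER_SECOND = 20e9          # the ~20 billion/sec rate the comment assumes
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace_charset(alphabet_size, length):
    """Exhaustive search over every string of `length` symbols from the alphabet."""
    return alphabet_size ** length

def keyspace_wordlist(words, count):
    """Exhaustive search over every `count`-word phrase from a wordlist (e.g. Diceware)."""
    return words ** count

def entropy_bits(keyspace):
    return math.log2(keyspace)

def years_to_crack(keyspace, rate=GUESSES_PER_SECOND, average=True):
    """Wall-clock years at `rate` guesses/s; on average the search succeeds halfway."""
    guesses = keyspace / 2 if average else keyspace
    return guesses / rate / SECONDS_PER_YEAR

def compare(password_words, total_letters, dictionary_size=100_000):
    """Worst-case guesses for one password under three attacker models:
    letter-by-letter brute force, a word-combination attack on the words
    it is built from, and a 5-word Diceware phrase for reference."""
    return {
        "brute_force_letters": keyspace_charset(52, total_letters),
        # assumption: a 100k-word dictionary with two capitalisation patterns
        # per word, a crude stand-in for a combinator / Markov-style attack
        "word_combination": (dictionary_size * 2) ** password_words,
        "diceware_5_words": keyspace_wordlist(7776, 5),
    }

if __name__ == "__main__":
    # "GoodLuckGuessingThisPassword" from the comment: 4 words, 28 letters
    for name, space in compare(4, 28).items():
        print(f"{name:22s} {entropy_bits(space):6.1f} bits  "
              f"{years_to_crack(space, average=False):.3g} years worst case")
```

The gap between the first two rows is the point: a password built from dictionary words is searched over words, not letters, so its letter-count keyspace overstates its strength.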

  1. Captain Scarlet

    I know far too many users who use Password<number>.

    They don't seem to get it that it's a stupid password, as well as they don't understand why I am very annoyed by the cracked screen on their laptop, which magically appeared but also seems to be the same size as the paperwork they have in their other hand.

  2. Len Goddard

    No long passwords

    Since I never access important/secure sites away from home I use a locally based password generator/manager. I set it up to generate 20 printable-character passwords. At least 60% of the sites I try this on will not allow it - too long, objectionable characters etc. Not that any of these tell you beforehand what the restrictions are. 16 character alphanumeric works on most sites but even that is rejected by some as too long.

    Much as I dislike it, I think 2 factor authentication has to be the way to go for sites requiring genuine security and everyone else should accept at least 32 printable characters.

    Once or twice I have actually sent emails to webmasters at particularly bad sites (max 8 chars etc) saying that I have refrained from registering because the password policy was inherently insecure. I've never had a reply, though.

    1. Ben Tasker

      Re: No long passwords

      "I set it up to generate 20 printable-character passwords. At least 60% of the sites I try this on will not allow it - too long, objectionable characters etc. Not that any of these tell you beforehand what the restrictions are. 16 character alphanumeric works on most sites but even that is rejected by some as too long."

      Yup, but that's still better than the bastards that 'accept' it, silently truncate it down to their max length and leave you wondering why you can't log in.

  3. J.G.Harston

    The passwords that really annoy me are on recruitment websites that insist on mindlessly secure password JUST TO APPLY FOR A F****G JOB!!!! The first time I go to the website I use my usual throw-away password, which is rejected, and then have to go through a sequence of trying to get it to accept a password. Some weeks later I follow up another vacancy to the same website and then have to try and remember: was this with a capital letter? a terminal number? a capital letter and two terminal numbers? some crazy punctuation as well? f*** it, if you're going to these lengths to stop people applying for your jobs, you've succeeded.

  4. Yugguy

    Nothing to worry about here!

    We're clever. We use P@ssword1

    Ah goddammit.

    1. Darryl

      Re: Nothing to worry about here!

      You want serious security, try P@$$word1

      1. Alan Brown

        Re: Nothing to worry about here!

        "You want serious security, try P@$$word1"

        ASD user complains "You can't use that. It has ASS in it!"

        Seriously. *facepalm

  5. FlossyThePig

    Mobile phone password issue

    So you have a password based on a phrase, using simple number substitution, e.g. s becomes 5.

    On a computer keyboard use Shift+5 for upper case S. Then you get a nice new phone and have to enter the password. What is the character you type for Shift+5?

    Answer: It's %, but how many people know the ten characters used on the numeric keys? And some are different depending on language and machine: " and @ are transposed on Macs compared to PCs in the UK.

  6. Bronek Kozicki

    what if ...

    ... password replacement policies were based on the time needed to brute-force an existing password? Say you are a new employee about to set your network password for the first time (because the one you received on welcome comes with a "must change" setting). You try "Password1" and, since this is "cracked" by the validator in real time, it is not even accepted: the check for minimum password complexity can be run synchronously, as soon as you press Enter. So you try something a bit more complex and it is accepted, but within a few hours or a few days you receive an email explaining that you need to change your password again because it has been deemed too weak by automated password complexity assessment (i.e. cracked by the security team). This comes with the obligatory picture borrowed (legally, of course) from xkcd and a longer explanation about how password complexity works. Sounds like a pain?

    But here is the good part: if you read the instructions carefully, you will figure out how to set a password that you won't ever have to change (bar emergencies). You simply make it complex enough!

    Now, if only one password was needed at work ...

  7. Rich 30

    At work our main password has to change every 30 days. I just n+1 to the number at the end of my very basic password.

  8. ecofeco

    You get what you pay for

    You get what you pay for and if you can't afford decent IT services or staff, too bad for you.

    "Password1" it is then.

  9. Anonymous Coward

    I use a collection of words associated with my interest. Not all in English. So, for instance, Shimano105crevaisson.

    Good luck breaking that.

  10. Anonymous Coward

    Don't allow retries

    A password can often be cracked quickly, because the systems allow dozens of attempts per second. Simply don't allow more than one password attempt per 5 seconds, and an 8 character password would take more than a million years to crack.

    1. Charles 9

      Re: Don't allow retries

      One, they can send numerous zombies to simultaneously try the same account, creating a race condition. Two, many brute-force efforts come AFTER they purloin the shadow files (analogue: they take the still-closed safe with them) at which point they can crack at it at their leisure.

  11. Dick Emery

    There is a simple fix for this problem

    Most password hacking relies on having a system that allows continuous retries until a password works. ALL password systems should work on the basis of an incorrect entry equaling a wait time for each retry, with the wait time increasing exponentially for each incorrect entry. First incorrect entry: 30 seconds. Second: 5 minutes. Third: 30 minutes, and so on.
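As an added illustration of the throttling proposed in posts 10 and 11 (example code, not from any commenter), here is a per-account login gate that applies the 30 s / 5 min / 30 min schedule above; continuing the growth by a factor of 10 after the third failure and capping the delay at one day are assumptions, and the clock is injectable so the schedule can be exercised without sleeping.

```python
import time

# Schedule from the comment: 30 s after the first failure, 5 min after the second,
# 30 min after the third, "and so on". Assumptions: keep multiplying by 10 past the
# third step and cap at a day, otherwise one attacker can lock a user out for good.
SCHEDULE = (30, 300, 1800)
GROWTH, MAX_DELAY = 10, 24 * 3600

def delay_after(failures):
    """Seconds a further attempt must wait after `failures` consecutive bad guesses."""
    if failures <= 0:
        return 0
    if failures <= len(SCHEDULE):
        return SCHEDULE[failures - 1]
    return min(SCHEDULE[-1] * GROWTH ** (failures - len(SCHEDULE)), MAX_DELAY)

class LoginThrottle:
    """Per-account delay that grows with each wrong guess; the clock is injectable
    so the behaviour can be tested without sleeping."""

    def __init__(self, verify, clock=time.monotonic):
        self.verify = verify          # verify(account, password) -> bool
        self.clock = clock
        self.state = {}               # account -> (consecutive failures, not_before)

    def attempt(self, account, password):
        failures, not_before = self.state.get(account, (0, 0.0))
        now = self.clock()
        if now < not_before:
            # Refuse without checking the password: a correct guess during the wait
            # must not leak anything either.
            return "throttled", not_before - now
        if self.verify(account, password):
            self.state.pop(account, None)
            return "ok", 0.0
        failures += 1
        wait = delay_after(failures)
        self.state[account] = (failures, now + wait)
        return "denied", wait
```

As the reply to post 10 notes, this only slows online guessing at the live login and does nothing once the hash file has been taken; and because the delay is keyed on the account, it also gives anyone a way to lock a legitimate user out, so it needs pairing with per-source limits and alerting.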


  13. Al_21

    Down with the password length limitations

    Should be able to add sentences or phrases.

    Question: Who likes short shorts?

    Password: We like short shorts!

  14. Nanners

    NOT REALISTIC

    Who can humanly keep track of all the passwords needed in today's world? It's not realistic to use password security because of ALL the MOUNTAINS of passwords that are needed. Not even the human brain can keep track of it all. I know I use as few passwords as necessary... it's just not realistic to think people are going to create new 8 character obscure passwords for every little task in their lives.

    1. Charles 9

      Re: NOT REALISTIC

      So what happened in the Middle Ages when most people were illiterate and STILL had to remember tons of usually-dissimilar things in their day-to-day lives?

  15. Robert E A Harvey

    welcome to the 1970s

    I am amazed that 50 years on we still have no better way of proving who someone is than the name of their first girlfriend. It is bizarre.

  16. ITS Retired

    When I was working..

    I used the names of the towns on Oahu, Hawaii, plus the obligatory number of special characters, tacked on the end, to log on to my computer. Plenty of names longer than 10 characters with the padding.

    Of course, I had a printed cheat sheet with all my many passwords in the drawer with the security files I used.

    No way, with all the various differing password rules for the different log-ins I needed, could I remember them all.

  17. mns688

    No password change advice needs caveat

    It's all well and good to not change passwords as frequently, but in order for it to work you have to enforce a long password length - long enough to be longer than it would take a hacker with full access to your hashes to crack the hashes with a GPU setup similar to what you've outlined in the article. Always ASSUME that your hashes are in the hands of the bad guys, because chances are, they are.

    I guess what I'm saying is, there is no substitute for doing the math. And re-doing the math every few months as the number of hashes that can be checked in a short time increases.

  18. Zane

    Ignorance on all sides

    One of the things that really annoys me about this - of course these stupid rules "upper+lower case, digit, special symbol" do not yield a good password. Not at all. And there are lots of good passwords that are lower case only, e.g. wcbhfeae (easy to remember, isn't it?) is not that bad.

    Ranking passwords by these categories is completely senseless.

    /Zane
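Zane's objection to category rules and Bronek Kozicki's synchronous "is it cracked already?" check (post 6) call for the same thing, so here is one added example (not any commenter's code) that runs both: it scores the category rules, then estimates guesses the way a cracker would, undoing the leet and trailing-digit mangling seen in the P@$$word1 thread before comparing against a blocklist. The six-entry blocklist and the 10,000-rules-per-word factor are constructed stand-ins for a real breach-derived list and rule set.

```python
import re

# Constructed stand-in for a list of already-cracked passwords; a real deployment
# would load a large breach-derived list (assumption, not the page's data).
BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "monkey", "dragon"}
# Common leet substitutions that rule-based crackers undo first.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})
MANGLING_RULES = 10_000   # assumed number of rules a cracker tries per dictionary word

def meets_category_rules(pw):
    """The 'upper + lower + digit + symbol, 8+ chars' rule set Zane criticises."""
    return all([len(pw) >= 8, re.search(r"[A-Z]", pw), re.search(r"[a-z]", pw),
                re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)])

def normalize(pw):
    """Strip trailing digits/symbols, then undo case and leet: 'P@$$word1' -> 'password'."""
    base = re.sub(r"[^A-Za-z]+$", "", pw)
    return base.lower().translate(LEET)

def charset_size(pw):
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"\d", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33
    return size

def estimate_guesses(pw):
    """Guesses a cracker needs: a mangled dictionary word falls to wordlist-plus-rules
    long before brute force; anything else is bounded by charset ** length."""
    if normalize(pw) in BLOCKLIST:
        return len(BLOCKLIST) * MANGLING_RULES
    return charset_size(pw) ** len(pw)

def assess(pw, rate=20e9):
    """Return (passes category rules, estimated guesses, seconds to exhaust at `rate`)."""
    guesses = estimate_guesses(pw)
    return meets_category_rules(pw), guesses, guesses / rate

if __name__ == "__main__":
    for candidate in ("Password1", "P@$$word1", "wcbhfeae", "GoodLuckGuessingThisPassword"):
        rules_ok, guesses, seconds = assess(candidate)
        print(f"{candidate:30s} rules={rules_ok!s:5s} guesses={guesses:.2e} ~{seconds:.3g}s")
```

Run synchronously at password-set time, the guess estimate (not the category verdict) is what decides acceptance: P@$$word1 satisfies every category and is still among the first guesses a rule-based attack makes.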
