Password strength meters promote piss-poor passwords

Password strength meters used during web sites' signup process remain incapable of doing their job, says Compound Eye developer Mark Stockley. Indeed, a majority of security experts consider the tools a useless control that grant little more than an illusion of protection. Stockley (@MarkStockley) revisited his examination of …

  1. Anonymous Coward
    Meh

    I'm in the wrong job!

    Like many will say here, it's stating the bleeding obvious.

    Password1! = Great

    jodfnbjiobioebvjiowrbvhuirbkomefbjonerinbkowmbvjibefirkobjoernobneriobvjklfnbjonfon = Bad

  2. Def Silver badge

    My company's website doesn't have any sort of password meter. I always thought them to be a bit suspect at the best of times.

    Nor does it limit choice of password characters.

    What it does do though, is force a password length of 10 characters or more, and confirms that the entered password is not one of the 110,000 common/known passwords stored in the database (which does include the aforementioned 'primetime21').

    Edit: And it has 'Password1!' too. ;)

    1. Robin

      My company's website doesn't have any sort of password meter. I always thought them to be a bit suspect at the best of times.

      Nor does it limit choice of password characters.

      What it does do though, is force a password length of 10 characters or more

      It's about time we got rid of annoying character restrictions and focussed more on password length. The number of sites which still accept 6-character passwords is amazing.

      1. Peter2 Silver badge

        Don't forget sites that demand fixed length passwords without using special characters.

        1. Paul Crawford Silver badge
          Facepalm

          Don't forget sites that demand all of the restrictions in terms of mixed case, punctuation and numbers, along with a minimum length, then email it back to you in plaintext!

          Happened to a friend who filled in for Landlord Registration central online system for Scotland. Doh!

      2. bombastic bob Silver badge
        Devil

        correct horse battery staple

        perhaps the obvious isn't good enough.

        back in the day, CompuServe generated a password for you, consisting of two unrelated words and something from the 'shift number' row on your keyboard. Same basic idea.

        besides, abc123-fart would be just fine. It doesn't take much to destroy a dictionary attack. they're not that sophisticated. most of them are probably done by non-native English speakers or script kiddies anyway...

        (but don't use 'fart' as it's probably going to go into a dictionary now)

        so go ahead and use your easily remembered password, then add something else that's unrelated with a shift-number figure in between.

    2. Darryl

      "And it has 'Password1!' too. ;)"

      Ah, but does it have 'Password3!'?

      1. VinceH Silver badge

        And don't forget password meters that are quite simply broken: http://misc.vinceh.com/2014/01/ryanair-website-telephone-support-fail/ (more or less the second half of the page)

      2. Francis Boyle Silver badge

        no

        but it does have password1701. Also Picard 4-7 Alpha Tango (you wouldn't want anyone using that one).

  3. Crisp Silver badge

    Passwords need to be rethought

    There are lots of sites out there that seem to be stuck in the 1980's when an 8 character password would have been enough. Times have changed. Storage space is now so cheap we can afford for our users to have passphrases hundreds of characters long.

    (Obligatory XKCD link)

    1. Chazmon

      Re: Passwords need to be rethought

      The funny thing about that xkcd is that instead of encouraging better passwords it has simply led to 'correcthorsebatterystaple' climbing up the most popular password lists!

      1. Version 1.0 Silver badge

        Re: Passwords need to be rethought

        While correcthorsebatterystaple style passwords have some flaws they are still several orders of magnitude better than Password1. The other "solution" used by US government sites is to force the users to change their password every few weeks - this gives another illusion of security as many users simply increment the number at the end of the password or write it on the monitor - I saw someone enter Password35 a while back.

        Personally I always use Passowrd1 ... (OK, I'm kidding).

        1. Charles 9 Silver badge

          Re: Passwords need to be rethought

          "The other "solution" used by US government sites is to force the users to change their password every few weeks"

          That's mainly to close or detect undetected breaches. Being forced to reset the password means either the hole gets closed as the user changes the password or the breach gets detected as the user is prevented from changing the password (because the crook did it first) and raises the alarm with IT.

          1. JLV Silver badge

            Re: Passwords need to be rethought

            >because the crook did it first

            Well the user couldn't log in that case. So...

            1. Charles 9 Silver badge

              Re: Passwords need to be rethought

              "Well the user couldn't log in that case. So..."

              ...he calls IT and asks what happened. This draws their attention to the breach. Precisely my point. It's a countermeasure to unknown breaches. It either closes them or reveals them.

          2. T. F. M. Reader Silver badge

            Re: Passwords need to be rethought

            @Being forced to reset the password means either the hole gets closed as the user changes the password or the breach gets detected...

            It also means, especially since the users cannot use passwords similar to old ones (along the lines of Password34->Password35), that a (more) significant portion of the user population gives up on mnemonics and starts writing passwords down. The overall effect is that the probability of breach increases.

        2. disgustedoftunbridgewells Silver badge

          Re: Passwords need to be rethought

          I like the initial format, eg:

          Bootnotes is the best bit of the register, sod the storage articles

          bitbbotr,stsa

          easyish to remember and pretty secure

          ( That's not my el-reg password, before somebody tries it )

          1. Kubla Cant Silver badge

            Re: Passwords need to be rethought

            Thumbs up to the initial letters method.

            I favour lines, couplets, or even stanzas from poems or Shakespeare plays. You can include punctuation, it's far more memorable than horses, batteries and staples, and it's moderately incomprehensible to anyone who doesn't know the source quotation. If numerics are required, it's easy to add a bit of 1337 substitution.

            For example: Nadwh,nafn,4hcttrwh - long and obscure, yet absurdly easy to remember when you know the secret. You can probably guess it, but it may take a while.

            1. John Brown (no body) Silver badge

              Re: Passwords need to be rethought

              "I favour lines, couplets, or even stanzas from poems or Shakespeare plays"

              Most people would likely choose one of the most well known quotes, and they are susceptible to dictionary attacks. Great if you have an interest and knowledge of more obscure quotations, but most people don't. One government dept I did work for assigned passwords to users, non-changeable by the users, and they were invariably the initials from common nursery rhyme lines. Randomly capitalising letters or adding unexpected punctuation would help if it's long enough. A personally memorable phrase that's not a literature quote would be even better.

        3. tom dial Silver badge

          Re: Passwords need to be rethought

          The requirement to change passwords periodically (every 60 days when I left government service) has less to do with crackability and much to do with limiting exposure time if either user passwords or the hashed password file is compromised.

        4. G7mzh

          Re: Passwords need to be rethought

          The company I used to work for had two systems, both of which demanded you changed your password every few weeks - usually at random times during the day when you were in the middle of something more important (like speaking to a customer), and which couldn't be anything you had used before or something similar (so if you had used Password1, then Password<n> was verboten).

          Several of us got into the habit of changing the password on the first of the month (which reset the timer) and instead of trying to think of something secure we just used the date. March2015 was sufficiently different from April2015 etc, and of course wouldn't be used again! Since it ended up with half the office using the same password, the system obviously didn't recognise that this was going on!

          Why they did this is unknown, it wasn't an environment where operator security was relevant.

      2. Charles 9 Silver badge

        Re: Passwords need to be rethought

        "The funny thing about that xkcd is that instead of encouraging better passwords it has simply lead to 'correcthorsebatterystaple' climbing up the most popular password lists!"

        And what about those with terrible memories, who take that and end up instead mixing it up with "enginestapledonkeywrong" and getting all lost?

        1. Primus Secundus Tertius Silver badge

          Re: Passwords need to be rethought

          Passwords always have been difficult for the non-spellers.

          I remember a group shared account where the password was set to 'pterodactyl'. The non-spellers were complaining within the hour.

          It is better to write it down in e.g. a diary, rather than on a post-it note by the screen.

      3. Anonymous Coward

        Re: Passwords need to be rethought

        https://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_with_your_pa_w0rd?language=en

        And this woman says that Randall Munroe was wrong because people end up forgetting those passwords..

    2. Adam 1 Silver badge

      Re: Passwords need to be rethought

      If you think password length is related to the required storage space, you're storing it wrong.

      1. Robert Carnegie Silver badge
        Joke

        Re: Storage space

        I thought of a very efficient hashing system. Only store the length of the password. Up to 65,535 character length can be identified in 2 bytes. Oh wait - 32,767 characters; it's signed. And, yes, I'm allowing password length zero; someone's going to want it. Pedants, I expect.

        1. channel extended

          Re: Storage space

          Actually it's one less, All of the admins will want/have to use zero.

    3. Tom -1

      Re: Passwords need to be rethought (@Crisp)

      How long ago was XKCD/936?

      way back in the dark ages, I used passwords with about 60 bits of entropy, a long time before XKCD suggested that using something with 44 bits of entropy was a good idea, and now I'm happy using passwords with 150 bits of entropy (the XKCD scheme would require a dozen or more English words to match that); I guess our salvation is the good ole password safe.

      Actually, given how many passwords I want (and how reluctant I am to use the same one twice) I'd probably have to use a password safe even to hold that many passwords with 44 bits each of entropy (even more so with 64 bits of entropy, which I believe is more like the correct number for a sequence of 4 English words than XKCD's underestimate); and once I'm doing that, I can use passwords as complex as I like, all I need to remember is a decent pass phrase (decent means more than 500 bits of entropy, and using famous bits of Shakespeare or Chaucer or the like) in case someone gets access to my safe or its backup.

      So I believe that the thing about passwords that needs rethinking isn't a switch from things we can't remember to things we can, but a switch to acceptance that passwords we can't remember are what we have to live with - I'm happy to remember one nice long pass phrase, but I'm not going to try to remember a hundred (and anyone who does try is crazy).

  4. Novex

    Passweird Generator

    I never relied on those strength meters anyway. I use KeePass, and it has a built-in password generator which seems to be pretty good at coming up with complex passwords, and has configurable options as well. And, because KeePass is a password manager I don't have to remember those passwords, just the hellishly long one I use for the master password. I also use a keyfile, so it's not just a case of getting hold of my master password to try and get my online passwords. And, because it's KeePass, it's a local solution with no cloud interaction that means my password database stays out of other people's hands.

    1. Version 1.0 Silver badge

      Re: Passweird Generator

      "my password database stays out of other people's hands"

      Dream on.

      1. Charles 9 Silver badge

        Re: Passweird Generator

        "Dream on."

        Oh? How do they get to it if it never goes online?

        1. Captain Scarlet Silver badge

          Re: Passweird Generator

          Are you recommending everyone write their passwords on paper?

          1. phillip-b

            Re: Passweird Generator

            @Captain Scarlet

            Yes, writing down passwords for online accounts is recommended by no less a provenance than Qi:

            http://qi.com/infocloud/passwords

            "The probability of someone breaking into your house and stealing your written-down passwords is considerably more remote than the 1-in-3 to 1-in-4 probability that your computer will fall to a criminal’s malware"

        2. William 3 Bronze badge

          Re: Passweird Generator

          "Dream on."

          "Oh? How do they get to it if it never goes online?"

          -----

          Your machine is compromised by visiting a website with an exploit.

          Or is your machine free & your holy Keepass free from all past, present and future vulnerabilities.

          Security is about being paranoid all the time, you sound smug and complacent, an accident waiting to happen.

      2. Novex

        Re: Passweird Generator

        "my password database stays out of other people's hands"

        Dream on.

        Er, well, short of the NSA or GCHQ breaking in to where I live and cracking the password on my laptop, then cracking the password for my encrypted partition; and bearing in mind I am absolutely not putting my password database file anywhere near a cloud service; and noting that I don't let most javascript run in my browser so there's little hope that a script could get a virus onto my laptop via web browsing; and no-one else has a login to my laptop so they can't get anything on to it; and it runs Linux Mint for general work; I don't quite see how anyone else is going to get hold of the database file. So what is my dream exactly?

  5. Fortycoats

    primetime21 ?

    Wow, who'd have thought Deion Sanders was so popular as a basis for a password?

    Was beastmode24 on the list, too?

    1. Def Silver badge

      Re: primetime21 ?

      Was beastmode24 on the list, too?

      It is now. ;)

  6. phuzz Silver badge
    Facepalm

    I was trying to configure our Virgin Superhub* 3 the other day, and I'd got as far as the wireless password, so I put in the one that we'd been using previously, which is eleven characters long, and a mix of upper/lower and numeric (with a token symbol).

    Nope, the password strength meter stays on "bad".

    OK, I think, maybe they don't allow symbols.

    Nope, still no joy. It's only after really carefully reading the password restrictions that I notice "and must contain one or two numbers". The password I was trying to use had three numbers, and thus was deemed to be insecure.

    Yup, nice work there Virgin, and by nice I mean crappy.

    * (actual hub may be 60% less super than advertised)

    1. Anonymous IV

      @phuzz

      "I was trying to configure our Virgin Superhub* 3 the other day...

      * (actual hub may be 60% less super than advertised) "

      Your comment made me laugh - but I think your percentage is too low...!

  7. DaddyHoggy

    My first email password was 'ncc1701' (and here's me thinking I was being clever! <facepalm>) because the email system only allowed a max of eight characters. Even now, the same email system allows a max of 10 characters (although they didn't tell me this until I gave it a 16 char password and it wouldn't let me login afterwards - that's when support told me it had only registered the first 10 characters and when I was trying to login with all 16 - it wasn't actually the same password...)

    I like long passwords, but ones that make sense to me, but are therefore very easy to remember.

    2bOR!2bThatIsThe? is one I used for quite a while (where systems allowed for sufficient length)

    1. Charles 9 Silver badge

      But can you do that over and over again, hundreds of times, with different sites with different rules, without getting them mixed up? One or two good passwords can be doable for most, but most people have to manage well over 100, and any breach can result in a cascade as the knowledge gained from weaker sites can be used to break stronger ones.

      1. moiety

        I gave it a 16 char password and it wouldn't let me login afterwards

        PayPal does that. 20-chr limit and if you go over it just chops the end off without telling you.

  8. Anonymous Coward

    "Paul C. van Oorschot of Carleton University, Canada, joined the password provocateurs in a paper published months earlier in which they rammed a research rod into best practice security spokes arguing crap passwords should be reused on low risk websites so users can concentrate on recalling a couple of really good passwords for important sites."

    The problem here is that weak sites can still be stepping stones to identity theft which can then be used to gain the credentials needed to break the higher-security sites.

    1. Anonymous Coward

      Yes, but it's best to have a crap password for sites that don't employ any sort of security, such as posting on tech website forums.

    2. CustardGannet

      "weak sites can still be stepping stones to identity theft"

      Only if you're stupid enough to give your real details to sites that don't need them, instead of signing up as Jethro Q. Walrus-Titty, with an address in the Svalbard Archipelago.

      But unfortunately, as George Carlin said, “Think of how stupid the average person is, and realize half of them are stupider than that.”

      1. Charles 9 Silver badge

        They can still match you by IP and other habits, which can be gleaned no matter how much you try to cover it up (because people usually can't afford to use two separate ISPs and in any event usually only have ONE connection in or out of the house).

        1. Kiwi Silver badge

          They can still match you by IP and other habits, which can be gleaned no matter how much you try to cover it up

          Hell, my IP points back to my domain name (RDNS). Nothing to hide there.

          I use a number of throwaway email addresses (no idea how many, they're single use) eg 10minutemail.com for sites I want a quick answer from that I am not likely to visit again where I have to create an account to get the answer (and I can't find it reasonably quickly enough elsewhere). Cracking those sites would give you nothing, you don't have a valid or even existing email address. You might get my external IP (which gives you a few thousand possibilities for internal IPs) but that's about it.

          For more secure things (bank, email etc including my spam address) I have unique passwords which hopefully are plenty secure enough, and not stored somewhere obvious (yes all are written or typed but even if you had the list you wouldn't know what belongs where).

          Now tell me.. if you have my email address (as many hundreds or thousands of people do) but not my log in details for my email address, what use is that? If you have a couple of hundred of my weak passwords and can deduce what pattern I use, what use is that? So you can log in as me on a few dozen sites I've forgotten about (and probably did not use any identifying info on) - how can you breach anything that matters?

          I would honestly like to know if there is some risk I've overlooked.

  9. Anonymous Coward

    saggfwuepp53hlq%4k12h

    saggfwuepp53hlq%4k12h

    1. Swarthy Silver badge
      Joke

      Re: saggfwuepp53hlq%4k12h

      Dammit! Now I have to change my El Reg password!

      - Wait - How did you get my password?!

      1. Adam 1 Silver badge

        Re: saggfwuepp53hlq%4k12h

        Well your auth cookie is sent in clear text every time you login here because apparently TLS is too much effort or something.

  10. CustardGannet

    In a related topic...

    ...if you've never read this article which analyses common and uncommon bank card PINs (based on 3.4 million leaked PINs), you really should (especially as it includes loads of great graphs and TWO xkcd cartoons) :

    http://www.datagenetics.com/blog/september32012/

    1. vir

      Re: In a related topic...

      Fascinating article. I now have the heatmap printed out and stuck to my whiteboard, presented without comment. I was a little surprised to see that 7779311 didn't crack the top 10 7-digit pins. I guess Morris Day just isn't as popular as Tommy Tutone?

  11. Anonymous Coward

    Complex passwords are not secure

    The more complex a password is, the harder it is to remember. Which pretty much guarantees either people will use the same one everywhere or will write it down on a post-it note (or use the browser's "save password" feature).

    1. Charles 9 Silver badge

      Re: Complex passwords are not secure

      So what can you do? There seems to be an UNhappy rather than happy medium here. You reach a point where people can't remember their passwords yet they're still too simple to block brute forcing. And people don't have the best of memories nor have any other means of identification. So what do we use?

  12. Anonymous Coward

    Password strength meters should work like this:

    "Well, your password is WEAK, so we won't allow it until you bring it up to standard."

    Instead of:

    "Well, your password is WEAK, but okay..."

    1. Kubla Cant Silver badge

      @AC Password strength meters should work like this:

      "Well, your password is WEAK, so we won't allow it until you bring it up to standard."

      Instead of:

      "Well, your password is WEAK, but okay..."

      Since the article points out that password-strength meters are useless, this seems like a pointless suggestion.

    2. Kiwi Silver badge
      Windows

      @AC

      Password strength meters should work like this:

      "Well, your password is WEAK, so we won't allow it until you bring it up to standard."

      Maybe not the greatest idea you've had.

      Example. A while ago I created a new Skype account. I used a passphrase that was 5 or 6 words with symbols/numbers filling the "spaces". It wasn't based on anything common. MS's password strength tester told me it was too weak.

      So I went with a line down and up the keyboard. The password of "3edcVFR$" is considered "secure" by MS's systems (yes, "MS" and "secure" in the same sentence... :) ) but a password like "Shorewall77cleans&*and79protectsmy*)sHiney" (yes, the last word is Shiney! :) ) is insecure.

      Try as I might, MS's server would not allow me to use a secure password and insisted on the insecure one that is probably in every password dictionary since the day Noah wrote down the combination to his tool locker. Apparently too much of my password was made up of English words. But they weren't in a common combination (eg a well known quote) and had a considerable amount of other stuff in there as well (even if alternating use of shift over 77 78 79 80).

      A common quote with normal spelling etc is quite weak. A common quote with numbers or special characters replacing the spaces should be enough to get around any reasonable rate-limiting system (my own server has a limit of just 3 tries, then you're blacklisted until I manually remove your IP address from the blacklist; took less than 5 minutes to set up using a couple of standard tools).

      The best password security is out of the user's hands; rate-limiting (like a lock out for a few hours on an account after 3 bad tries) and doing a damned good job at protecting your server's files. If you seriously limit the number of tries against a password, even "12345" can become relatively secure again - if the baddies only get 3 goes then the chances of them breaking even the weakest passwords are greatly limited. And yes, I would rather have to prove my identity after 3 mis-typed passwords than lose access to something that mattered.

      I'll accept "we tried our best but they got in anyway" over "they didn't get in but only through their stupidity" any day.

      1. Robert Carnegie Silver badge

        Re: @AC

        Leave out vowels and you may not hit a block on using real words in a password. However, my method is a handful of random letters... that aren't vowels; when I make a password up, I expect it to be accepted.

        Counter example as I've mentioned before: Fiqbly54 apparently contains a real word (I presume "Fiq", either a sort of fig or a mistyped one) and a personal name ("Bly" I suppose exists), so a strict password rejecter may reject it.

        I presume you wrote or have seen the spoof password policy which allows at most one actual password to be used, so we will take that as read.

  13. Stevie Silver badge

    Bah!

    Most websites won't allow me to strengthen my password by lengthening it beyond an arbitrary eight or nine characters, and when they do they won't authenticate me next time because what gets accepted, what gets stored and what gets presented to the client for the login process are not standardized in the organization running the site.

  14. fearnothing

    I personally favour sloppykissesfromgrandma69420.

  15. knottedhandkerchief

    Work insists on a change every two months. This just results in a common password with the month after it, e.g. PasswordAugust. What is the benefit of regularly changing passwords, really?

    1. Anonymous Coward

      It works as a countermeasure to undetected breaches. When the deadline hits, the password gets changed one way or the other. If the user changes it, the breach gets closed because the stolen password doesn't work anymore. If the intruder changes it, the user gets blocked and informs IT, which then notices the breach.

      And yes, some breaches won't get detected because they're either very cleverly disguised or they're inside jobs so are easily masked.

      PS. Don't smarter password systems detect the "just append something to the old password" approach?

      1. DavCrav Silver badge

        "PS. Don't smarter password systems detect the "just append something to the old password" approach?"

        I remember mentioning this the last time there was an article here about password stupidity. If you are only storing a hash of the previous password, you could maybe check a couple of characters added or subtracted, to see password1 from password or password2, but other than that it would take a very long time to check the hashes. Now, I've never set up a password checking system, but are the passwords hashed on the client side or the server side? If it's the client side, you cannot even do what I said above.

        1. Charles 9 Silver badge

          I doubt it's done client-side since the possibility of a dumb client is always there (for example, SSHing in). But any password system that's out to block reuse and common foibles won't keep a hash but the actual password (encrypted if it's smart).

          1. John Brown (no body) Silver badge

            "But any password system that's out to block reuse and common foibles won't keep a hash but the actual password (encrypted if it's smart)."

            Good point. It doesn't even need to keep the current password stored at all other than as the normal hash. At the point where the system asks you to change your password, it asks you to enter your existing password first. It can use this to match against the new one, at which point the old one is now forbidden and safe to keep stored and added to the list of n previously used passwords. Still encrypted preferably, since if anyone got access to a user's previous list of passwords, many will probably demonstrate a pattern of password construction.
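The change-password flow the last two comments sketch (DavCrav's question and John Brown's answer), as an added example that is not code from any commenter: the server keeps only salted PBKDF2 hashes of the current password and of the last few previous ones, and because the user must type the current password when changing it, the server can compare old and new plaintext directly for the "append a digit / bump the number" pattern, while older entries can only be matched by re-hashing the candidate against each stored salt. The work factor, history length and the two-character tolerance are assumptions chosen for the example.

```python
"""Password-change checker: hash-only storage plus variant detection at change time."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import Optional

ITERATIONS = 200_000   # PBKDF2-HMAC-SHA256 work factor (assumed; tune for your hardware)
HISTORY_LEN = 5        # how many previous password hashes to remember (assumed)
TOLERANCE = 2          # max characters added/removed at either end to still count as "the same"


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored salt/digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def _stem(password: str) -> str:
    """Lower-case and strip a trailing digit run: 'Password35' -> 'password'.
    An all-digit password has no stem, so it is returned whole."""
    m = _TRAILING_DIGITS.match(password)
    if m and m.group(1):
        return m.group(1).lower()
    return password.lower()


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is `old` modulo case, a changed trailing number
    (Password34 -> Password35), or up to TOLERANCE characters added or
    removed at either end (password -> password1, 1password, password!)."""
    o, n = old.lower(), new.lower()
    if o == n or _stem(old) == _stem(new):
        return True
    longer, shorter = (n, o) if len(n) >= len(o) else (o, n)
    if 0 < len(longer) - len(shorter) <= TOLERANCE:
        return longer.startswith(shorter) or longer.endswith(shorter)
    return False


@dataclass
class Account:
    salt: bytes
    digest: bytes
    # (salt, digest) pairs of previous passwords, newest first; no plaintext is kept
    history: list[tuple[bytes, bytes]] = field(default_factory=list)


def create_account(password: str) -> Account:
    salt, digest = hash_password(password)
    return Account(salt, digest)


def change_password(acct: Account, current: str, new: str) -> str:
    """Apply the change and return "ok", or return the reason it was refused."""
    # 1. The user proves knowledge of the current password; this is also what
    #    gives us its plaintext for the variant comparison below.
    if not verify(current, acct.salt, acct.digest):
        return "current password incorrect"
    # 2. Plaintext-vs-plaintext check catches the "bump the number" habit.
    if is_trivial_variant(current, new):
        return "new password is a trivial variant of the current one"
    # 3. Older passwords exist only as hashes, so only exact reuse is detectable:
    #    re-hash the candidate under each stored salt.
    for salt, digest in acct.history:
        if verify(new, salt, digest):
            return "password was used recently"
    # 4. Retire the current hash into the history and store the new one.
    acct.history = [(acct.salt, acct.digest)] + acct.history[: HISTORY_LEN - 1]
    acct.salt, acct.digest = hash_password(new)
    return "ok"


if __name__ == "__main__":
    # Constructed walk-through of the Password34 -> Password35 case from the thread.
    acct = create_account("Password34")
    print(change_password(acct, "Password34", "Password35"))
    print(change_password(acct, "Password34", "correct horse battery staple"))
    print(change_password(acct, "correct horse battery staple", "Password34"))
```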

      2. Kiwi Silver badge

        @AC

        If the intruder changes it, the user gets blocked and informs IT, which then notices the breach.

        Wouldn't this get noticed the next time the user tried to log in and found their password didn't work any more, regardless of when they last changed it?

        1. Charles 9 Silver badge

          Re: @AC

          "Wouldn't this get noticed the next time the user tried to log in and found their password didn't work any more, regardless of when they last changed it?"

          Precisely the point!

          If someone else changes a user's password without IT's knowledge (which is what an intruder would be forced to do if he stole account details and hits the forced-change deadline), then the real user would get locked out, find out about it, and inform IT. You WANT IT to be informed since that means a newly-detected breach.

          1. Kiwi Silver badge

            Re: @AC (@ Charles 9)

            "Wouldn't this get noticed the next time the user tried to log in and found their password didn't work any more, regardless of when they last changed it?"

            Precisely the point!

            If someone else changes a user's password without IT's knowledge (which is what an intruder would be forced to do if he stole account details and hits the forced-change deadline), then the real user would get locked out, find out about it, and inform IT. You WANT IT to be informed since that means a newly-detected breach.

            Actually the point the AC was making was that a hacker changing a user's password would make the breach undetected until there was a monthly forced password change, evidenced by the first line of the paragraph I was replying to :

            It works as a countermeasure to undetected breaches.

            What you say is logical, but my post was in response to the implied "forced regular password changes mean hacks are detected more quickly" of the original post.

            (In reality, I think you'll find most hackers won't change the password as they wish to remain undetected, and will try to find a way to get the new password as soon as it's entered)

    2. bombastic bob Silver badge
      Trollface

      "Work insists on a change every two months."

      a really good password can be kept for DECADES, so long as it's hard to guess and easy to remember. Changing it more often than your socks can only create confusion and resentment and HORRIBLY insecure passwords like "passwordAugust"

      "solutions" that hyperfocus on pathetically insignificant details just irritate me, like the people who think them up AND the people who insist on implementing them. They probably 'feel' everything instead of 'think', too. How predictable, yeah.

      1. Charles 9 Silver badge

        "a really good password can be kept for DECADES, so long as it's hard to guess and easy to remember."

        No password, no matter how long, is immune to shoulder-surfing and keyboard sniffing. In which case, the resultant breach could go unnoticed for decades, too.

        Which would you rather have? A bunch of weak passwords that at least get changed every two months, closing any holes they might have made, or stagnant passwords that in turn get stolen and go unnoticed?

        1. Kiwi Silver badge

          No password no matter how long is immune to shoulder-surfing and keyboard sniffing. In which case, the resultant breach could go unnoticed for decades, too.

          At least one of mine is. It's for a secure server so I don't allow anyone in a place where they could see me log in to the account (and no, no way you could install cameras to catch it either), and requires a certain bit of cut'n'paste as well so is immune to hardware loggers (although as the keyboard is plugged into the machine as needed you'd have to doctor the keyboard itself, and as you can't be sure which keyboard would be used...).

          With thought and location planning you can make a password completely immune to shoulder surfing and to all but decently sophisticated software loggers. Which would be flagged up the moment they were installed on the machine as well (unless several systems fail, not realistically likely - but having said that I'll schedule a few checks to make sure all is as it should be over coming months, Murphy 'n'all).

          1. Charles 9 Silver badge

            "and no, no way you could install cameras to catch it either"

            Really? You know how small they're getting. How do you keep a camera from being hidden IN something (including something already there like the computer case or monitor)? Is the room TEMPEST-rated?

  16. sdaugherty

    At this point, with the problem of password reuse, why are we even allowing users to pick their own passwords? Unless it's something like a desktop login password, give them a random password of 24 or more characters and tell them to save the damn thing in a password manager.

    "Here's your new password, you won't be able to type it, much less remember it. Please save it in your password manager and enter it twice now."

    1. Charles 9 Silver badge

      Probably because a business setting is more prone to insider theft and "shoulder-surfing". Most office settings are discouraged from storing anything of security significance, be it the Post-It on the monitor or the text file on the computer. It's something right out of Dilbert: they're required to produce a password too difficult to remember and then be required to remember it anyway.

    2. John Brown (no body) Silver badge

      "Here's your new password, you won't be able to type it, much less remember it. Please save it in your password manager and enter it twice now."

      And then the user chooses the master password for the password manager, and it's 123456 because they have to type it every damned time ;-)

  17. John Brown (no body) Silver badge

    crap passwords should be reused on low risk websites

    Great! Now all we have to do is educate the users on risk assessment!

    1. Charles 9 Silver badge

      Re: crap passwords should be reused on low risk websites

      "Now all we have to do is educate the users on risk assessment!"

      Given the human history on risk assessment, you'd have better luck finding a unicorn. So what now?

      1. John Brown (no body) Silver badge

        Re: crap passwords should be reused on low risk websites

        Follow the rainbow and hope?

  18. rmacd

    "paswords"

    Did I miss the pun, or was the password entered incorrectly?

  19. MacMcMeans
    Thumb Up

    Passphrase.Life gets it right!

    Here's some needed perspective on passwords and analyzers:

    According to https://Passphrase.Life, EVERY 8-character (and under) password will be automatically cracked in under 6 hours, assuming a database breach (offline attack)! It's just simple math. The GPU hardware cracking rigs are only getting cheaper. That means that "abc123", "trustno1" and "ncc1701" aren't worth consideration.

    The slightly longer ones, "iloveyou!" and "primetime21" will be cracked in mere seconds, because they are lo-bound human passwords, not randomly created, and have little entropy. Again, Passphrase.Life makes this clear. It's the only analyzer that shows you the difference in strength between a truly random password, and one made the other way.

    1. Robert Carnegie Silver badge

      Re: Passphrase.Life gets it right!

      Since Passphrase.Life snidely rejects connection by Internet Explorer, feel free to tell me how it rates my recently discarded random-ish password: Mtlhrw13

      (Mnemonic: "Metal harrow")

      I have been sceptical of https://www.my1login.com/resources/password-strength-test/ which says,

      "Time to crack your password: 443 years

      Review: Fantastic, using that password makes you as secure as Fort Knox."

      - but also says "Make your passwords at least 15 characters long": why? 443 years to crack that one, and it expires after about one month.

      So... maybe the assumption about how good cracking hardware will be 442 years from now is not up-to-date.
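The "under 6 hours" and "443 years" verdicts in the two posts above differ mainly in the guess rate each tool assumes. As an added example that is not part of the thread and not the code of Passphrase.Life or my1login, this is the keyspace arithmetic for the quoted password, with every guess rate treated as a labelled assumption:

```python
# Keyspace arithmetic for the password quoted above. Added example, not from
# the thread or from Passphrase.Life / my1login; every rate here is an assumption.
import math
import string

# Character classes as a typical strength meter counts them (32 ASCII symbols).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
SECONDS_PER_YEAR = 365.25 * 86400


def charset_size(password: str) -> int:
    """Alphabet size a meter assumes: the union of every class the password uses."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def keyspace(charset: int, length: int) -> int:
    """Candidates an exhaustive search over that alphabet and length must try."""
    return charset ** length


def password_keyspace(password: str) -> int:
    return keyspace(charset_size(password), len(password))


def entropy_bits(space: int) -> float:
    """Bits of a uniformly random pick from the space; an upper bound for a mnemonic."""
    return math.log2(space)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    return space / guesses_per_second


def implied_rate(space: int, seconds: float) -> float:
    """Guess rate a 'time to crack' figure corresponds to, if it means full exhaustion."""
    return space / seconds


if __name__ == "__main__":
    pw = "Mtlhrw13"                      # quoted in the post above: 62 symbols, length 8
    space = password_keyspace(pw)
    print(f"{pw}: alphabet {charset_size(pw)}, {space:.2e} candidates, "
          f"{entropy_bits(space):.1f} bits at most")
    # The '443 years' verdict only makes sense at roughly this guess rate ...
    print(f"443 years implies about {implied_rate(space, 443 * SECONDS_PER_YEAR):,.0f} guesses/s")
    # ... while an offline attack on a fast, unsalted hash is assumed (here) to run at
    # 1e10 guesses/s; slow hashes such as bcrypt cut that rate by orders of magnitude.
    print(f"at 1e10 guesses/s the same space falls in {seconds_to_exhaust(space, 1e10) / 3600:.1f} hours")
    # The 'every 8-character password in under 6 hours' claim covers all 95 printable
    # ASCII characters and corresponds to this rate:
    print(f"95^8 in 6 hours implies {implied_rate(keyspace(95, 8), 6 * 3600):.2e} guesses/s")
```

The keyspace figure is an upper bound: a mnemonic built from a phrase plus two digits is not a uniform random draw, so a pattern-aware attack needs far fewer guesses than the full space.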


Biting the hand that feeds IT © 1998–2019