The password for my (now defunct) Thus account was "fat_sweaty_biffer", a fairly strong password according to the xkcd scheme. However, I found out that Thus store passwords in clear text for anyone at their offshored call centre to see when it was read back to me during a support call. Quite funny to hear it said in a slightly bemused way by someone with a strong Mumbai accent though.
Verity's secret shame revealed
I defrosted my ideas box, and found several morsels which wouldn't make a whole meal in themselves, but nonetheless needed eating.
Palmed off
Here you are: a free chance get to laugh at-not-with me. I am a Palm Pre owner, pretty much the last one in the box. I hold this status in a work environment of iPeople. I feel my …
-
Monday 19th September 2011 10:49 GMT Anonymous Coward
ah, so similar.
I had problems with an online account, and called them up to help me fix it. Once we got past the who-are-you-who-am-i part and started trying to figure out my problem, it transpired that the password I entered was accepted by their system...on creation...but not on use. We found this by way of her resetting my password and me logging in and immediately changing it. Once I logged out, I was unable to log back in. When she asked for it to determine if it would work from her location (on the inside of their firewalls) I had to explain to her that I would likely be arrested if I said my password out loud to her. Yes, it was vulgar and obscene (by any reference) and met all of the criteria for a strong password. But there was no way I was going to say it out loud to another person, especially a female, and especially not on a 'recorded for training purposes' support line. I asked her to reset it again and told her this time I'd pick a password that had the same types of characters, but was socially acceptable. After repeating the process, she determined that the problem wasn't with my password, but with my login. Between field-length and character conversion, the login screen id field was different than the password change screen id field.
My only triumph was to have a note added to my account that says "The customer's legal name on this account is not the customer's legal name. The customer's legal name is xxxxxxxxxxxxxxxxxxx" because their programmers and QA drones probably have names like John Stupid or Ruth Moron, and not Stephen M. Firstpart Secondpartoflong-lastname.
I will say that the lady in the call center was professional, courteous, helpful, and only slightly amused at my problem.
-
Monday 19th September 2011 21:15 GMT Graham Dawson
Or Swedish. The wife's name was over 30 characters long (not including spaces) before we married and, due to Swedish conventions for naming, she kept her surname as a middle name with mine tacked on the end. Believe it or not, a 40+ character name with accents is not something you can just brush off as an edge case. It's very common.
We've had no end of trouble with idjits who can't comprehend a slightly foreign name. She's been called all sorts of things on paper, from minor misspellings, to using the wrong name as her first name, to the unforgettable Mr Omordlinap in one case... it's fun waiting to see each new permutation.
-
Wednesday 21st September 2011 13:21 GMT Anonymous Coward
I have a very short (4 letters) German last name - Fuhr (ok no more jokes, been having the "Heil Hitler" thing since I was at primary school). There are a number of common mistakes made e.g. swapping the r & h round, replacing the "F" with an "S". Then you get people who despite you spelling the name assume they know better and insist it's Fuller, Fewer (not TOO far from how it is pronounced) or possibly worst of all Sewer. But where a few people have managed to get names like Fisher, Fitzgerald/Fitzpatric, Suter or Sully from..........
JUST how hard is it to get 4 letters right, spelled out using the phonetic alphabet?
-
Monday 19th September 2011 10:31 GMT Mark #255
of slashes..
PHP is actually rather nice in this respect: you can write strings out using single quotes, which does minimal parsing (you're allowed a \' which ends up as a ' ). Alternatively, you can use / as a directory separator in Windows.
Actually, I've got that rather backwards: ideally, in PHP you should only use double-quotes when your strings need variable inclusion ("Hello $foo") or escaped characters ("Hello world\n").
-
Monday 19th September 2011 11:46 GMT CD001
Any string in single quotes, in PHP, is a string literal - basically.
Though when it comes to paths it's probably easier to just use UNIX-like paths and drop them into a realpath() function - though that does return false if the file/directory doesn't exist which can make debugging "interesting".
It's probably good practice to also enclose any variables you want to output in curly braces (just in case) so "Hello $foo\n" might be better written as "Hello {$foo}\n" - it makes sense if you want to output something like "Now you're {$sExpletive}ed\n" ;)
-
Monday 19th September 2011 12:35 GMT Loyal Commenter
Also...
E for Ewell (Near Epsom in Surrey)
G for Ghoul
H for Hoole (in Cheshire apparently)
K for Kewl [sic]
L for LOOL (http://www.urbandictionary.com/define.php?term=lool)
Q for Queue'll (an ugly but valid contraction)
S for [Brian] Sewell
W for Who'll
I'm a bit stuck for the vowels, V and X though
-
Monday 19th September 2011 14:52 GMT ArmanX
See, that's backwards of how I would do it.
If the idea is to introduce maximum confusion, you want to choose similar sounding words only for similar sounding letters. For example, M and N sound similar, thus you would choose "M for Meade" and "N for Need." Though, to be fair, "N for No" is great.
Other letters include "P for Pee" and "T for Tea," along with "B for Bee" and "G for Gee."
For letters without a like-sounding pair, you always choose words with that letter silent: "H for Hour," "K for Knight," and so on. Using a word that sounds like another word is bonus points: "E for Ewe," "Y for You," "C for Cay," or "A for Aitch."
-
Monday 19th September 2011 10:34 GMT Steve the Cynic
Slashes
Windows has allowed forward slashes in the file-system *API* for a very long time, at least as long ago as Win95 original, and probably all through the life of WinNT3.x, so for about 20 years. I'm sure there's a pedant somewhere who can tell me whether MS-DOS 2.x supported them back in 1982/3 or so, but I wouldn't be totally surprised to find it did.
-
Monday 19th September 2011 12:35 GMT cpage
Slashes in URLs
I went to a talk by Tim Berners-Lee not long back and someone asked him if he had any second thoughts about the design of HTML etc. He said that he had only one regret: if he had to do it again he definitely would have had just one slash after the http: instead of a double one. I think the audience were with him on that.
-
Tuesday 20th September 2011 13:49 GMT Steve the Cynic
I said the *API*, not stdlib. CreateFile(...) accepts slashes of either sort, with one exception: if you call CreateFileW with a "pre-parsed" path, i.e. one that begins \\.\ and then continues with a path, that path and the intro sequence must be ready to use exactly as they are, and will, for example, not have /-to-\ slash conversion done on them. They can also be up to 32767 UTF-16 characters long rather than the feeble 260 including NUL that is normally allowed.
-
Monday 19th September 2011 10:49 GMT Anonymous Coward
@Cazzo Enorme
That sort of password works quite well .... until you have to register somewhere where they start to dictate to you what a secure password is - i.e. you find that that password is rejected because it has to contain some combination of upper case, lower case, numbers, symbols, spaces etc. So you end up adjusting the password you know by adding in a capital letter, changing an i to a 1 etc to meet the requirements. Then next time you try to login you type in your password and it fails, you then remember that you had to do something to get it accepted but what was it and you end up clicking the "forgot password" button.
As for the "security questions" ... I had a site recently where I had to choose 3 out of a fixed set of 7 or 8 possible questions and I struggled to find more than one to which I would be certain of giving the correct answer ... things like "what is your favourite food" just don't have a single correct answer for me. Had another site once which asked me where I'd gone on my first holiday as a security question and when I submitted the answer got the response that that answer was not acceptable!
-
Friday 23rd September 2011 15:09 GMT Dave 15
Password dictatorship
I totally hate that sort of website... the quality of the protection of my data should be for me to decide not the website programmer.
Frankly most website programmers are far too dictatorial... you 'must' fill in your address - oh yes? Did you check that I didn't just put your company address in for you - oh no, done that again... you 'must' give your name - must I? How do you know it's my name not something random (I post on the BBC as anotherfakename).... you 'must' give your age - oh come now you are jesting... you 'must' give us your phone number ... yes, have you tried dialing 0111112121232? Bet you didn't get me... and if you do check too much how about dialing your own office? you 'must' all sorts of things that frankly I don't do, but really p*** me off.
Let me give you the information I know you need to answer my question - mainly just an email address.
-
Monday 19th September 2011 12:00 GMT AndrueC
It's pretty close actually - the 'u' = 'i' is correct.
Not that I speak Welsh but I lived there for a few years and my Dad still does. I think that 'Llandidnor' is perhaps a little closer(*). In other words much as Verity spelt but apply a Welsh accent to mutate the final vowel :)
(*)Assuming you know all about 'll' in Welsh :)
-
Monday 19th September 2011 11:46 GMT Platelet
I for one would welcome the removal of Amy's bandage
"I am confident that Reg readers, who watch the programme solely for the intellectual enjoyment of high sci-fi concepts, will unanimously welcome the removal of this irrelevant, supposedly-titillating distraction."
prudishly painting on a skirt would not be practical as far from being irrelevant, the distraction is integral to the plot
-
Monday 19th September 2011 12:29 GMT Mage
Such irony
Win8 goes back to DOS 2.11!
In DOS 2.11 you could redefine "switchchar" from / to - and thus options on command line are -h -x etc rather than /h /x etc. A side effect was that the Path character became / instead of \
I'm not sure when they added subdirectories; early DOS didn't have them. DOS2.x something was likely the first.
I just use a password Address book. Which I don't keep in the Laptop bag.
And passwords that look like N5hX1qfap
I only memorise my main login.
-
Monday 19th September 2011 12:56 GMT Loyal Commenter
I think the point of the XKCD comic in question was that N5hX1qfap has a much lower entropy* than something like 'banana level thirteen biscuit' whilst being also much harder to remember.
This is true even when the attacker uses a dictionary attack, since they have to guess the number of words in the dictionary, plus that number squared, plus that number cubed, plus a good proportion of that number raised to the power four before hitting your combination (in the order of 10^16 to 10^20 variations depending on how many words are in the dictionary), rather than the number of allowable characters (around 75) raised to the ninth power (about 7.5 x 10^16 combinations).
The password 'N5hX1qfap' is not only hard to remember, it is hard to type, and hard to read out to another user if they need to type it in, and is easier for a machine to guess.
*i.e. it can be broken by brute-force by a computer quicker
-
Monday 19th September 2011 13:38 GMT Ru
Not quite
Truly random strings exhibit lots of entropy for their length... in this case, a random alphanumeric password using upper and lower case characters has about 6 bits of entropy per character. 'N5hX1qfap' therefore has a fair amount more entropy than the example short phrase the XKCD cartoon suggested.
The cartoon points out that mangled dictionary words merely look complex, but aren't. Random text looks complex and is, but as you pointed out isn't very easy to remember.
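The figures traded in the two comments above can be checked directly. The following is an added example, not part of any commenter's post: it generates both kinds of password from the OS CSPRNG and compares their search spaces. The function names are hypothetical, and the 2048-word list size and the sample word list are assumptions that do not come from the thread.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits  # 62 symbols: upper, lower, digits

def entropy_bits(pool_size, picks):
    """Entropy of `picks` independent, uniform choices from `pool_size` items."""
    return picks * math.log2(pool_size)

def random_password(length=9, alphabet=ALNUM):
    """Uniform random string drawn with the OS CSPRNG (no modulo bias)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def passphrase(wordlist, n_words=4):
    """Words drawn uniformly and independently; repeats are allowed."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

def dictionary_guesses(n_dict, n_words):
    """Worst-case guesses when every 1-word, 2-word, ... phrase is tried in turn."""
    return sum(n_dict ** k for k in range(1, n_words + 1))

def words_needed(target_bits, n_dict):
    """Fewest uniformly chosen words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(n_dict))

if __name__ == "__main__":
    # Constructed sample list; a real list needs thousands of entries.
    demo_words = ["banana", "level", "thirteen", "biscuit", "fat", "sweaty"]
    print("random password :", random_password())
    print("demo passphrase :", passphrase(demo_words))

    target = entropy_bits(len(ALNUM), 9)
    print(f"9 chars from 62 : {62 ** 9:.2e} combinations, {target:.1f} bits")
    print(f"9 chars from 75 : {75 ** 9:.2e} combinations, "
          f"{entropy_bits(75, 9):.1f} bits")
    for n_dict in (2048, 10 ** 4, 10 ** 5):  # assumed dictionary sizes
        print(f"{n_dict:>6}-word list: 4 words = {entropy_bits(n_dict, 4):.1f} "
              f"bits, {dictionary_guesses(n_dict, 4):.2e} guesses; "
              f"{words_needed(target, n_dict)} words match 9 random chars")
```

The comparison only holds when the words are picked by the generator; a phrase a person chooses has far less entropy than the list size suggests.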
-
Monday 19th September 2011 12:34 GMT Wombling_Free
T for Trololololol
Oh, this is too much fun.
P for Physics
P for Ptolemy
P for Psychic
P for Phone
Y for Yttrium
C for Cue
K for Knight
W for Why
W for Wide
W for Wren
W for Wrist
E for Ewe
E for Ere
U for Urn
O for Oestrus (also sounds funny if you yell it)
Q for Quaint
F for For
D for DNA
A for ABC
A for Aitch
B for Time Began
E for X
F for XXXX
G for Gnu
H for Heir
-
Monday 19th September 2011 12:34 GMT Flocke Kroes
One password to bring them all and in the darkness gpg them
Here is the program I use to generate new passwords:
strings < /dev/urandom | less
Passwords live in an encrypted password file next to their corresponding user names and security question false answers. If you cannot type, cut & paste to annoy the key loggers.
-
Tuesday 20th September 2011 12:44 GMT GrahamT
I want to play this game
A for Air
E for ere
H for heir
B for Christ
C for cue
Q for queue
D for W
F for vescent
G for Gnostic
I for ire (or "an eye")
J for Jugoslavia
K for knave (or kyu)
N for nave
M for Mnemonic
O for Oedipus
P for Ptolemy
R for right (or " for Miller")
W for write
S for 's-Gravenhage
T for Thought (faw' if you are a cockney)
U for me
V for engine
X for horizontal (or unknown quantity)
Y for vertical
Z for depth
-
Tuesday 20th September 2011 17:33 GMT Alan Esworthy
OK, I'll trot out my foenetick alphabet
I put this together some years back and use it for amusement from time to time:
A as in Aeolian
B as in Bilirubin
C as in Cello
D as in Duh
E as in Eidetic
F as in Fungible
G as in Gila monster
H as in Herb
I as in Idiotic
J as in Junta
K as in Knit
L as in Llama
M as in Mneme
N as in Nit
O as in Oenophilia
P as in Pneumaturia
Q as in Quiche
R as in Ring
S as in Seamus
T as in Tsar
U as in Uilleann pipes
V as in Volkswagen
W as in Wring
X as in Xylophagous
Y as in Ypres
Z as in Zoon
-
Friday 23rd September 2011 15:36 GMT Dave 15
Irrelevant? The bandage isn't
"their skill by replacing the bandage that Amy wears with some sort of skirt."
This is not an irrelevance in an otherwise dramatic and amazing intellectual program, it is in fact a test... I hadn't noticed the tiny skirt at all....
(not sure whether it was the plot, intellectual depth or the legs under the skirt that distracted me from the skirt itself...)
-
Sunday 25th September 2011 11:23 GMT David Pollard
Imitation is the sincerest form of flattery
Clearly it is not just Reg readers who take notice when Verity defrosts her ideas box. There's not even a passing nod of acknowledgment though over at the Observer:
http://www.guardian.co.uk/technology/2011/sep/25/password-security-networker-john-naughton