
Subject: Your Password is Weak. Really??

David Jones
United States
Wilsonville
Oregon
I am thoroughly confused by something that seems to happen to me a lot.

I have two passwords that I regularly use on the internet. Now for obvious reasons I am not going to post the passwords, but I can briefly describe them to you.

One password is a genuinely random password. A number of decades ago I belonged to a BBS that would not let you choose a password. It was a randomly assigned, mixed case, alphanumeric password. It is a truly random password that could not be guessed (and took me over a month to memorize). When passwords started requiring symbols, I added one into the middle of the password. (In other words, I'm not just replacing an S with a $ or something predictable.) The only weakness of this password is the length of time I have been using it.

The second password is a kind of "two part" password. The first part of it is something very personal from my childhood that only three other people know about. One of them is dead and the other two I've not talked to, again, for decades. It is not a word; it is mixed case and, to an outsider, would appear random. The second part is something again personal that only a few people know about, alpha numeric, would appear random, and could only be guessed if you did some deep research into my past. Similar to the first password, I add a symbol between the two parts for sites that require one.

So I have two passwords that meet most of the stringent requirements you are told to use when making passwords. Mixed case, has a number, has a symbol, and is random. And yet.....

Today I signed up for an account on a website and put in one of my usual passwords and, while the password was not rejected, I did get a warning that the password was "weak." This is not the first time I have had a system tell me this password was weak and the other password sometimes generates a "weak" response as well. So here is what I want to know:

If the algorithms that are used to decide if a password is weak or strong deem that a truly random password is weak, what kind of password does it think is "strong"? How exactly do these algorithms make these decisions? Unless there is something peculiar about my password that I don't know about, it seems like it's a pretty worthless algorithm.
¡dn ʇǝƃ ʇ,uɐɔ ı puɐ uǝllɐɟ ǝʌ,ı
Canada
Chestermere
Alberta
There are 10 kinds of people who understand binary: Those who do, and those who don't.
One of my actual passwords, on a website that kept complaining about "the strength" of the ones that I previously chose is:

I_FuckingHateLongPasswords365
Exit 191
United States
Buckeye
Arizona
Look to the past, learn for the future.
This page intentionally blank.
Stick with "YourSauceIsWeak!" for all passwords from now on.
♬♪♪ ♫ ♩ ♫♫♪ ♩♬♪ ♫
Australia
MURRUMBEENA
Victoria
All reality is a game. Physics at its most fundamental, the very fabric of our universe, results directly from the interaction of certain fairly simple rules, and chance... (Iain Banks)
This is not one of my passwords, but it is typical: g35UN6iOf0Ev

This is an average strength password.

Maybe the website is correct?
Matt Brown
United States
Okemos
Michigan
Ozludo wrote:
This is not one of my passwords, but it is typical: g35UN6iOf0Ev

This is an average strength password.

Maybe the website is correct?


Average since you have capital and lowercase letters with a number. Adding a special character would likely make it strong.
J.C.
United States
Marcellus
New York
There Is No Shelter From The Storm
The leads are weak. The fucking leads are weak? You're weak. I've been in the business 15 years.

What's your name?
Matt Kruczek
United Kingdom
Colchester
Essex
Some algorithms take account of how many characters there are as well. So something like Y%tN6aJ1 would be considered weaker than mypassword01.
Jorge Montero
United States
St Louis
Missouri
I'll take Manhattan in a garbage bag. With Latin written on it that says "It's hard to give a shit these days"
Let's be serious about passwords: Pretty much every password under 20 characters is weak. Sharing passwords across sites? a horrible idea. So what you should do is use a password manager, and give every site a very long random password.

A key difficulty of password safety is that you don't control, in any way, how the password is managed by a service you didn't write. Maybe the password is stored in plaintext (it happens), or it's protected in just the weakest of ways. The moment a password is compromised, it's compromised for all sites.

So I'd not be happy without using a password manager and using a unique password for even boring websites, and I want two factor authentication on top of that for something that holds money. Anything else is asking to get hacked.
Bryan Thunkd
United States
Florence
MA
Davypi wrote:
The only weakness of this password is the length of time I have been using it.
Actually you have a much more serious weakness.

davypi wrote:
I have two passwords that I regularly use on the internet.
This. If any site you use gets hacked, they know the password you used there and can try it on every other site where you have an account. Since you use these passwords multiple places, it's likely to compromise many of your other accounts.

davypi wrote:
If the algorithms that are used to decide if a password is weak or strong deem that a truly random password is weak, what kind of password does it think is "strong"? How exactly do these algorithms make these decisions?
You probably didn't use any upper case letters. Lower case and upper case letters are different characters. It's easier for a hacker to crack a password when they have fewer characters to try. A number-only password is easier to crack than one that uses both letter and numbers. Imagine a password which only has a single character. If you use only numbers, that's 10 digits to try. If you include lower case letters that's 36 characters. If you include upper case letters that brings it to 62 characters. In passwords of longer length having to try all the combinations of upper and lower case characters substantially increases how many attempts it takes to crack the password. Limiting it to only upper or only lower case characters makes an easier nut to crack.

Thus many password sites will consider your password weaker if you don't mix case.
David Jones
United States
Wilsonville
Oregon
hibikir wrote:
Let's be serious about passwords: So what you should do is use a password manager, and give every site a very long random password.


Being serious about this, I've never really understood why this is considered a good idea. If someone manages to hack into your computer, doesn't this give them access to your password manager? I've always thought this was just as bad writing them down on a sticky next to your desk. If I am wrong, enlighten me.

Thunkd wrote:
If any site you use gets hacked, they know the password you used there and can try it on every other site where you have an account. Since you use these passwords multiple places, it's likely to compromise many of your other accounts.


Yes and no. My bank password is unique, as is the password for my only credit card and couple of other websites that might have my card information stored. I only recycle passwords for websites like message boards, online games, news sites, etc. If you manage to hack my BGG password, you are welcome to log into Pogo and add some credits to my account. I've similarly never understood why password recycling is considered "weak" as long you aren't doing it with your sensitive accounts.
Andy Andersen
United States
Michigan
I have read that 1234 is a very common password so I came up with a better one.

4321

I trust you folks to not tell anyone.
Andy Leighton
England
Peterborough
Unspecified
davypi wrote:
hibikir wrote:
Let's be serious about passwords: So what you should do is use a password manager, and give every site a very long random password.


Being serious about this, I've never really understood why this is considered a good idea. If someone manages to hack into your computer, doesn't this give them access to your password manager? I've always thought this was just as bad writing them down on a sticky next to your desk. If I am wrong, enlighten me.


No because the password manager needs a password to access it - the database is encrypted. Because it is just the one password you have to remember you can go for something really long and difficult to crack. I think my password is about 30 characters long.
Xander Fulton
United States
Lake Oswego
Oregon
Mandatory XKCD reference:

Xander Fulton
United States
Lake Oswego
Oregon
Thunkd wrote:
davypi wrote:
If the algorithms that are used to decide if a password is weak or strong deem that a truly random password is weak, what kind of password does it think is "strong"? How exactly do these algorithms make these decisions?
You probably didn't use any upper case letters. Lower case and upper case letters are different characters. It's easier for a hacker to crack a password when they have fewer characters to try. A number-only password is easier to crack than one that uses both letter and numbers. Imagine a password which only has a single character. If you use only numbers, that's 10 digits to try. If you include lower case letters that's 36 characters. If you include upper case letters that brings it to 62 characters. In passwords of longer length having to try all the combinations of upper and lower case characters substantially increases how many attempts it takes to crack the password. Limiting it to only upper or only lower case characters makes an easier nut to crack.

Thus many password sites will consider your password weaker if you don't mix case.


As a counterpoint to this (which the XKCD comic was getting at)...

Yes, a single character password goes from 10 variations to 36 variations by using numbers and letters instead of just numbers.

On the other hand...just use numbers (10 variations) and add one more digit. A two-digit, just-numbers password, has 100 different variations. An obvious improvement on 36!

So the short version is - mixing case? Using numbers? Requiring special characters? All basically useless, as adding just one more character to the end is always going to add more complexity to the password than any combination of other changes.

IE., the only thing that really matters is the length of the password. (I mean, hell, a one-character password that uses the entire 255 character ASCII character set is still 'less random' than a three-character password using only the numbers from zero to nine)
Andy Leighton
England
Peterborough
Unspecified
Although that XKCD reference is overstating the ease of remembering.

Was it correct horse battery staple? Or horse battery staple correct? Or battery staple horse correct? Did I use spaces or not? Did any of the words have capitals. I will also ignore that for some a word visualisation technique like seeing a picture of a horse and battery and staple (as depicted) just doesn't work.

But the real problem is that the people using poor passwords are not very creative. They will just gravitate to a set of similar words and the security will be no better.
Billy McBoatface
United States
Lexington
Massachusetts
KGS is the #1 web site for playing go over the internet. Visit now!
Yes, I really am that awesome.
My workplace drove me nuts. Passwords must change every 90 days, must be 10 letters mixed letter+digit+punctuation, must not be based on words, and your new password must not be similar to your old ones. Gaaah!!!

So now I use a cryptographically strong RNG to generate a password, snap a photo of my password with my phone, use that to log in, and generally just about when I've learned it, it's time to change again. Not the most secure system, but what choice do I have?

Sample password: \x$Y:9&)a* - over 64 bits of entropy, which should take long enough to guess, but do you think you'd be able to remember that easily?
Barry Harvey
United Kingdom
London
One of the most effective ways of producing a long, easily-remembered password is to pick a song or poem that you like and use the initial letters of the words. You can produce very long passwords this way.

Avoid songs from this thread though - One (or two) word Songs
Scott Lewis
United States
Thornton
Colorado
NFHS Football & Basketball
Dread Our Coming, Suffer Our Presence, Embrace Our Glory (Solonavi War Cry)
andyl wrote:
Although that XKCD reference is overstating the ease of remembering.

Was it correct horse battery staple? Or horse battery staple correct? Or battery staple horse correct? Did I use spaces or not? Did any of the words have capitals. I will also ignore that for some a word visualisation technique like seeing a picture of a horse and battery and staple (as depicted) just doesn't work.

But the real problem is that the people using poor passwords are not very creative. They will just gravitate to a set of similar words and the security will be no better.


It may depend on the person, too; I use XKCD style passwords for a few things, and while the words themselves are pretty randomly put together, I use them often enough where I have no trouble remembering them (even ones that I only use once in awhile). But there's no rhyme or reason to the particular words.
Andy Leighton
England
Peterborough
Unspecified
caracfergus wrote:
One of the most effective way of producing a long, easily-remembered password is to pick a song or poem that you like and use the initial letters of the words. You can produce very long passwords this way.


Yes but ... again there is a high chance that the masses are going to gravitate to the same things over and over again.

If you can, pick a song, a poem, a line from a book, or just something personal to you. Have some initials, some words in full, maybe some other personal tricks, and you are much safer.

See Bruce Schneier although there is a problem with letter distribution which makes the Schneier method less secure than it should be. But as he says at the link a password safe application is more secure.
Andy Leighton
England
Peterborough
Unspecified
sigmazero13 wrote:
andyl wrote:
Although that XKCD reference is overstating the ease of remembering.

Was it correct horse battery staple? Or horse battery staple correct? Or battery staple horse correct? Did I use spaces or not? Did any of the words have capitals. I will also ignore that for some a word visualisation technique like seeing a picture of a horse and battery and staple (as depicted) just doesn't work.

But the real problem is that the people using poor passwords are not very creative. They will just gravitate to a set of similar words and the security will be no better.


It may depend on the person, too; I use XKCD style passwords for a few things, and while the words themselves are pretty randomly put together, I use them often enough where I have no trouble remembering them (even ones that I only use once in awhile). But there's no rhyme or reason to the particular words.

Sure - but we are talking in general. Most people are really poor at this. The fact that we are here talking about security probably puts us in the top quartile.
Bryan Thunkd
United States
Florence
MA
XanderF wrote:
As a counterpoint to this (which the XKCD comic was getting at)...

Yes, a single character password goes from 10 variations to 36 variations by using numbers and letters instead of just numbers.

On the other hand...just use numbers (10 variations) and add one more digit. A two-digit, just-numbers password, has 100 different variations. An obvious improvement on 36!

So the short version is - mixing case? Using numbers? Requiring special characters? All basically useless, as adding just one more character to the end is always going to add more complexity to the password than any combination of other changes.
No! Wrong! False!

Compare a 4 character number-only password to a 3 character password with a full character set. The number only password can have 10,000 possible answers, 0000 through 9999. Or to show it a different way: 10 choices for the first place x 10 choices for the second x 10 choices for the third x 10 choices for the fourth = 10,000.

A full character set includes the 10 digits (0-9), 26 lower case characters, 26 upper case characters and symbols (my iOS keyboard has at least 30 symbols). That's 92 characters. So looking at a 3 character password, I can have 92 possibilities for the first character (Let's say I choose A), then 92 for the second (let's say I pick AA), then 92 for the last (AAA). That's 92 x 92 x 92 = 778,688 possibilities. You'd need a 6 digit number-only password to beat a 3 character full-character-set password.

Just adding length won't always beat adding more characters! Especially if your longer password is limited to just numbers.

Quote:

On the other hand...just use numbers (10 variations) and add one more digit. A two-digit, just-numbers password, has 100 different variations. An obvious improvement on 36!
This only works with a single character and a two digit number... it fails if we look at a double character vs triple digit number.

Your triple digit number can be 1,000 possibilities (10 x 10 x 10) but the double character password has 1,296 possibilities (36 x 36 = 1,296). And that's without adding in uppercase or symbols. As you add more and more length, the password with a larger character set is going to blow a numbers only password out of the water.
Chris
United States
Sandy Springs
Georgia
The whole general thought process behind passwords irritates me. First off, yes I am going to reuse passwords between sites. I don't give a flip if someone hacks my BGG account or other forums I use so I will reuse passwords for those. But my banking and email sure those are unique passwords because that stuff matters.

But ultimately the strength of passwords is a BS argument because hackers aren't brute forcing passwords, they are getting them from social engineering attacks and companies that have my information getting hacked - usually because some idiot leaves a laptop laying around with a list of every user, their personally identifying information and password. So it doesn't matter how strong my password is if Yahoo, Target, Linkedin, Best Buy etc. (a list of some big companies that have done this) don't properly guard my info.

Passwords are old hat and not secure no matter how long they are. We need to see more use of two factor authentication. If your company is only using passwords for you to log into your computer then they are behind and vulnerable.
Joe McKinley
United States
San Jose
California
When I heard the learn'd astronomer; When the proofs, the figures, were ranged in columns before me; When I was shown the charts and the diagrams, to add, divide, and measure them; When I, sitting, heard the astronomer, where he lectured with much applause in the lecture-room, How soon, unaccountable, I became tired and sick; Till rising and gliding out, I wander'd off by myself, In the mystical moist night-air, and from time to time, Look'd up in perfect silence at the stars. W.W.
I generated some strong passwords for you. Feel free to use them:

*Ck@gT0%CuuqfqZzMdF9doWJ9K@D1cc

rKBKkMukvQ7H#PWS1&gLnWH^hmd*dTV

Oq^!#*tDez9dm$5gO^7ou*4Dg2%rii9

O9Ag33UAhFOLO3@9PNkK7T7p4u$71Fl

75uKIjW8zJ2F*8Cu^NQ@FT*%zSK&k08
Christopher Dearlove
United Kingdom
Chelmsford
Essex
SoRCon 8 27 Feb - 1 Mar 2015 Basildon UK http://www.sorcon.co.uk Essex Games 27 Jul '15
XanderF wrote:
the only thing that really matters is the length of the password.


No. What matters in theory is the entropy of the password. If your password is totally random, the two are the same (*). If not, the entropy is lower. For example if you use diceware - a perfectly sound way of generating passwords (it's basically that xkcd done properly) - the entropy is lower than the length, but in a predictable way.

In practice, if you are generating not entirely random passwords (and few people do generate entirely random passwords) you're also more likely to be broken if you use a pattern that people who with password crackers have identified as a pattern lots of people use.

(*) As people can't use all possible characters, the entropy is always lower. If for example they use A-Z, a-z, 0-9 and two special characters - two because the maths I'm about to summarise is easier that way, with more, things get a bit better, but not enough that this isn't a good rule of thumb still - that's 64 possible options, or about 6 bits. So that's 6 bits per character - if the characters are totally random. 10 bits is a factor of 1000, or in other words, multiply by 0.3 to get a power of ten, or 1.8 powers of 10 per character.

How many powers of 10 do you need? You can do guesses like how many computers can the attackers use (probably millions if they create a botnet). How long does each hash take (should be slow, but might be fast - many millions per second). And how long do they have? A million seconds is about a fortnight. Roll those up and a totally random password of a dozen characters should be more than enough. But non-random passwords? Longer (but you might not be as paranoid as those figures - I know I'm not).
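The arithmetic scattered across the last few posts (Matt Kruczek's length-weighted meter, Thunkd's 10^4 versus 92^3 comparison, and Christopher Dearlove's bits-per-character and fortnight-of-guessing budget) gathered into one script. This is an added example, not code from any poster or from any real site's strength meter; the point-scoring meter and the "dictionary word plus digits" attacker model are constructed here to illustrate the discussion, and the alphabet sizes and attacker budget are the assumptions noted in the comments.

```python
import math

# Alphabet sizes used by the arithmetic in the thread. 26+26+10+33 = 95 printable
# ASCII characters (Thunkd counted 92 because his phone keyboard showed ~30 symbols).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33


def search_space(alphabet_size, length):
    """Number of distinct strings of `length` characters over an alphabet of that size."""
    return alphabet_size ** length


def bits_per_char(alphabet_size):
    """Entropy each *uniformly random* character contributes: 64 symbols -> 6 bits."""
    return math.log2(alphabet_size)


def char_classes(password):
    """Which of the four classes appear (this is all a point-scoring meter looks at)."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }


def charset_size(password):
    """Size of the smallest 'obvious' alphabet containing every character of the password."""
    present = char_classes(password)
    return (LOWER * present["lower"] + UPPER * present["upper"]
            + DIGITS * present["digit"] + SYMBOLS * present["symbol"])


def brute_force_bits(password):
    """Work an attacker faces if the password were a uniformly random string over that
    alphabet. An upper bound: it credits 'mypassword01' as if it were random, which it is not."""
    return len(password) * bits_per_char(charset_size(password))


def structured_bits(dictionary_words, suffix_digits):
    """Work against the pattern <dictionary word><digits>, the way a cracker guesses it.
    Assumed attacker model: every word in a list of `dictionary_words`, each tried with
    every suffix of `suffix_digits` decimal digits."""
    return math.log2(dictionary_words * 10 ** suffix_digits)


def naive_score(password):
    """A point-scoring meter of the kind many sites ship (constructed here, not any real
    site's): one point per character plus one point per character class present."""
    return len(password) + sum(char_classes(password).values())


def naive_label(password):
    """Thresholds chosen so the meter prefers length over mixed classes, as in the thread."""
    s = naive_score(password)
    return "weak" if s < 13 else "average" if s < 18 else "strong"


def passphrase_bits(n_words, dictionary_size=7776):
    """Diceware-style passphrase: entropy is per *word*, not per character.
    7776 = 6^5 is the standard Diceware list; the xkcd figure used about 2^11 words."""
    return n_words * math.log2(dictionary_size)


def guesses_in(machines=1e6, hashes_per_second=1e6, seconds=1.2e6):
    """Dearlove's paranoid budget: a million-machine botnet, a million fast hashes per
    second each, for a fortnight (about 1.2 million seconds)."""
    return machines * hashes_per_second * seconds


def survives(entropy_bits, guesses):
    """True if exhausting the space needs more guesses than the attacker's budget."""
    return 2 ** entropy_bits > guesses


if __name__ == "__main__":
    for pw in ("Y%tN6aJ1", "mypassword01", "g35UN6iOf0Ev"):
        print(f"{pw:14} meter={naive_label(pw):8} random-bits={brute_force_bits(pw):5.1f}")
    print("4 digits ->", search_space(10, 4), " 3 full-set chars ->", search_space(92, 3))
    twelve_random = 12 * bits_per_char(64)
    print("12 random chars over 64 symbols:", twelve_random, "bits; survives budget:",
          survives(twelve_random, guesses_in()))
    print("'word + 2 digits' from a 100k-word list:", round(structured_bits(100_000, 2), 1), "bits")
```

Note where the two views part company. The meter rates mypassword01 above Y%tN6aJ1 purely on length, and counting random-string entropy agrees with it (about 62 bits against 53); but once the attacker is modelled as guessing <word><two digits> from a 100,000-word list, mypassword01 is worth about 23 bits, far below either figure and far below the 64-bit line Billy's ten random characters clear. Length only wins when the characters are actually random.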
Christopher Dearlove
United Kingdom
Chelmsford
Essex
davypi wrote:
If someone manages to hack into your computer, doesn't this give them access to your password manager? I've always thought this was just as bad writing them down on a sticky next to your desk. If I am wrong, enlighten me.


Putting aside password managers for the moment, let's consider how passwords are stored by systems that use them:

First, the very bad. They store your password, you enter your password, they compare them. Really bad, but people - even people where it really matters (I've seen it from a large British supermarket online ordering) - do this. One way to check that is to ask for a password reminder. If they send it back to you, that's a complete fail. They should never know your password and all they can do is ask you to set up a new one. How? On to the next case.

Better, they store not your password, but something derived from it by a function that is hard to run backwards. The usual sort of function is called a hash function. So they store a hash of your password. When you enter a password attempt, they hash it and compare hashes. (They should either hash the password on your computer, or pass the hash encrypted as well.) There are some very good hashes, ones that are good enough that the NSA will allow them to be used in places where Top Secret information is compromised if the hash function is ever able to be broken (in some technical ways). There are also some less good hash functions that are older. Some people are still using the latter.

There are however two things that can be done to improve on that. The first is that hash functions have been created to be very fast. And in many places fast is good. But fast is bad here, because fast allows the attacker lots of attempts. (We're assuming the attacker captures the file with the hashes in.) So what we actually want is a slow hash. The easiest way to create a slow hash is to do a fast hash lots of times (hash it, then hash the result, and again and again). It still needs to be fast enough to log in, but you wouldn't notice say a tenth of a second. (I don't actually know how long is used in practice - or more subtly how they handle variable machine speeds).

The last step is important. If we just hash the password, we can test everyone's passwords at once. Attackers can (and do) even create standard dictionaries of hashed common passwords - lots of them. So what should be done is a way to individualise that. The technique used is called salting, but I'm not going to describe it here. That way each person's password needs cracking individually. It's quite clear from reports of some hacks that passwords weren't salted.

Now on to that password manager. Any one of any value will use all these techniques (and some more). So if your computer is hacked, and the password manager's contents spirited away, then what they get is those salted (slow) hash values. If you have top secret information on your computer, they'll try to crack it. If all you have is your Amazon password, it's just not going to be cost-effective to try.

If on the other hand your computer is hacked leaving some malware behind that actively watches what you (and your password manager) do, then that's a possible avenue to attack. The simplest thing there is a keylogger.

Hope some of that helps. And the sticky next to your desk? Safe against someone in Belarus or wherever an attacker is. Not safe against your colleagues or the office cleaner. Or at home, against your nearest and dearest, or visitors.


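The three storage schemes Dearlove describes, side by side, as an added example that is not code from any poster or any real service: a plaintext store with the "reminder" tell, an unsalted fast hash that one precomputed table breaks for every user at once, and a per-user salted, deliberately slow hash. PBKDF2-HMAC-SHA256 from Python's standard library stands in for the slow hash (a memory-hard KDF such as scrypt or Argon2 is the better production choice); the iteration count, salt length and the sample users and passwords are assumptions constructed for the demo.

```python
import hashlib
import hmac
import secrets

# --- 1. The very bad: the service keeps the password itself. ---

def register_plaintext(store, user, password):
    store[user] = password


def login_plaintext(store, user, password):
    return store.get(user) == password


def password_reminder(store, user):
    """Dearlove's test: if a 'reminder' can contain your password, they stored it."""
    return f"Your password is: {store[user]}"


# --- 2. Better: a fast, unsalted hash. Same password -> same hash for every user, so one
#        precomputed table of hashed common passwords cracks all of them in one pass. ---

def fast_hash(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def register_unsalted(store, user, password):
    store[user] = fast_hash(password)


def precomputed_table(common_passwords):
    """Built once by the attacker, reused against every leaked hash file."""
    return {fast_hash(p): p for p in common_passwords}


def crack_unsalted(store, table):
    """Every user whose hash appears in the table falls to a single dictionary lookup."""
    return {user: table[h] for user, h in store.items() if h in table}


# --- 3. What you want: a per-user random salt and a deliberately slow hash. ---
# Assumption: PBKDF2-HMAC-SHA256, chosen because it ships with Python. ITERATIONS is set
# low enough for a demo; in production tune it so one login costs on the order of a tenth
# of a second on your own hardware, and store the count beside the hash so it can be raised.
ITERATIONS = 100_000
SALT_BYTES = 16


def slow_hash(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register_salted(store, user, password):
    salt = secrets.token_bytes(SALT_BYTES)           # fresh per user, kept next to the hash
    store[user] = (salt, ITERATIONS, slow_hash(password, salt))


def login_salted(store, user, password):
    record = store.get(user)
    if record is None:
        # Unknown user: still pay for one hash so response time does not reveal
        # which usernames exist.
        slow_hash(password, bytes(SALT_BYTES))
        return False
    salt, iterations, digest = record
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(slow_hash(password, salt, iterations), digest)


if __name__ == "__main__":
    unsalted, salted = {}, {}
    for user in ("alice", "bob"):                     # constructed sample users
        register_unsalted(unsalted, user, "correct horse battery staple")
        register_salted(salted, user, "correct horse battery staple")
    print("unsalted hashes identical:", unsalted["alice"] == unsalted["bob"])
    print("salted hashes identical:  ", salted["alice"][2] == salted["bob"][2])
    table = precomputed_table(["letmein", "password", "correct horse battery staple"])
    print("cracked from one table:   ", crack_unsalted(unsalted, table))
    print("salted login ok:", login_salted(salted, "alice", "correct horse battery staple"),
          "wrong pw:", login_salted(salted, "alice", "wrong"),
          "no such user:", login_salted(salted, "nobody", "x"))
```

The second scheme is what "we can test everyone's passwords at once" means in practice: `precomputed_table` is built once and `crack_unsalted` is a dictionary lookup per user, whereas against the third scheme every user costs the attacker a fresh run of the slow hash for every guess, because the salt makes each user's hash space different.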