managing passwords


Comments

  • veronese68
    veronese68 Posts: 27,770
    Incidentally - if I get repeated requests from the Support Engineers asking for a password reset 'cos they've forgotten it and locked their account again, I set it to:

    1H4v345m4llP3n15

    (or a variant)

    and not allow them to change it.
    Why would they care about the size of your old chap?
  • bompington wrote:
    Who's calling XKCD a geeky website? I always thought that was just how normal people think, with some simple maths thrown in ;-)
    Normal people don't throw in maths. :wink:
  • CiB
    CiB Posts: 6,098
    Incidentally - if I get repeated requests from the Support Engineers asking for a password reset 'cos they've forgotten it and locked their account again, I set it to:

    1H4v345m4llP3n15

    (or a variant)

    and not allow them to change it.
    Thanks for that snippet Kieran. I'll have a furtle about the domains to see who's been a bad lad. :)
  • rjsterry
    rjsterry Posts: 29,344
    edds wrote:
    Greg66 wrote:
    Option 1: If I choose an 11 character password randomly from those keys (allowing for repeat keys), the chances of guessing it are 1 in 97^11. Or 1 in 7,153,014,030,880,800,000,000

    Option 2: Take four random English words. I am choosing from a pool of about 170,000 words. So the chances of guessing are 1 in 170,000^4. Or 1 in 835,210,000,000,000,000,000.

    Option 3: If you take a 9 character word and make "semi-obvious" substitutions (eg 0 for o), then assume each character has at most 3 substitutes. You chances of guessing it are 1 in 170,000*(3^9). Add two random characters on the end and you get 170,000*(3^9)*(97^2). Bigger than option 2, but much smaller than option 1. 1 in 31,483,548,990,000.

    So they are right in that Option 2 is better than option 3, but neither is as secure as a totally random set of 11 characters. Although 11 totally random characters will be much harder to remember.

    Doing some simple maths on top of that. Current super computers can try around 90 billion passwords a second (cite: http://en.wikipedia.org/wiki/Password_cracking). So in real time terms to crack your passwords:

    1. 2520 years (wolfram: http://www.wolframalpha.com/input/?i=%287%2C153%2C014%2C030%2C880%2C800%2C000%2C000+%2F+90+billion%29+seconds)
    2. 294.3 years (wolfram: http://www.wolframalpha.com/input/?i=%28835%2C210%2C000%2C000%2C000%2C000%2C000+%2F+90+billion%29+seconds)
    3. 5 mins 49 seconds (wolfram: http://www.wolframalpha.com/input/?i=%2831%2C483%2C548%2C990%2C000+%2F+90+billion%29+seconds)

    Personally I use 1Password and use 16 character letter, number, symbol passwords but using 4 random words is probably good enough for most people.

    Hang on: how do you get from 4 random English words to a password? Just wodge them together? That could end up being a very long password unless you restrict the pool to -letter words only. Then you've got nowhere near 170,000 to choose from.
    1985 Mercian King of Mercia - work in progress (Hah! Who am I kidding?)
    Pinnacle Monzonite

    Part of the anti-growth coalition
  • greg66_tri_v2.0
    greg66_tri_v2.0 Posts: 7,172
    rjsterry wrote:
    edds wrote:
    Greg66 wrote:
    Option 1: If I choose an 11 character password randomly from those keys (allowing for repeat keys), the chances of guessing it are 1 in 97^11. Or 1 in 7,153,014,030,880,800,000,000

    Option 2: Take four random English words. I am choosing from a pool of about 170,000 words. So the chances of guessing are 1 in 170,000^4. Or 1 in 835,210,000,000,000,000,000.

    Option 3: If you take a 9 character word and make "semi-obvious" substitutions (eg 0 for o), then assume each character has at most 3 substitutes. You chances of guessing it are 1 in 170,000*(3^9). Add two random characters on the end and you get 170,000*(3^9)*(97^2). Bigger than option 2, but much smaller than option 1. 1 in 31,483,548,990,000.

    So they are right in that Option 2 is better than option 3, but neither is as secure as a totally random set of 11 characters. Although 11 totally random characters will be much harder to remember.

    Doing some simple maths on top of that. Current super computers can try around 90 billion passwords a second (cite: http://en.wikipedia.org/wiki/Password_cracking). So in real time terms to crack your passwords:

    1. 2520 years (wolfram: http://www.wolframalpha.com/input/?i=%287%2C153%2C014%2C030%2C880%2C800%2C000%2C000+%2F+90+billion%29+seconds)
    2. 294.3 years (wolfram: http://www.wolframalpha.com/input/?i=%28835%2C210%2C000%2C000%2C000%2C000%2C000+%2F+90+billion%29+seconds)
    3. 5 mins 49 seconds (wolfram: http://www.wolframalpha.com/input/?i=%2831%2C483%2C548%2C990%2C000+%2F+90+billion%29+seconds)

    Personally I use 1Password and use 16 character letter, number, symbol passwords but using 4 random words is probably good enough for most people.

    Hang on: how do you get from 4 random English words to a password? Just wodge them together? That could end up being a very long password unless you restrict the pool to -letter words only. Then you've got nowhere near 170,000 to choose from.

    See londonlivvy's link. horsestaplelockcorrect. The point of the article is that this sort of password is very easy to remember with a little (and contrived) mental image combining the four components, and very hard to crack with brute force.

    Whereas h4;&YwI*~}+¥8T is not that easy to remember.

    It's always best IMO to write the password on a post it and leave it stuck somewhere safe, like under your keyboard or on the bezel of your screen. You know, just in case you forget it.
    Swim. Bike. Run. Yeah. That's what I used to do.

    Bike 1
    Bike 2-A
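The keyspace and crack-time arithmetic quoted in the two posts above (Greg66's three options, edds' 90 billion guesses per second), reproduced as an added example that is not from the thread or from any of its posters. It uses a 365-day year to match the Wolfram figures, also reports each option in bits of entropy, and adds a 12-character random password as a fourth row to show how the length cap rjsterry mentions compares with four random words.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600   # 365-day year; matches the thread's 2520 / 294.3 figures
GUESS_RATE = 90_000_000_000          # 90 billion guesses per second, the rate cited in the thread


def keyspace_random(alphabet_size: int, length: int) -> int:
    """Option 1: every position drawn uniformly from `alphabet_size` keys."""
    return alphabet_size ** length


def keyspace_words(dictionary_size: int, words: int) -> int:
    """Option 2: `words` words drawn uniformly (with replacement) from a dictionary."""
    return dictionary_size ** words


def keyspace_leet(dictionary_size: int, word_len: int, subs_per_char: int,
                  alphabet_size: int, suffix_len: int) -> int:
    """Option 3: one dictionary word, at most `subs_per_char` spellings per character
    (e.g. 0 for o), followed by `suffix_len` random keys."""
    return dictionary_size * subs_per_char ** word_len * alphabet_size ** suffix_len


def entropy_bits(keyspace: int) -> float:
    """Equivalent strength in bits: log2 of the number of equally likely candidates."""
    return math.log2(keyspace)


def exhaust_seconds(keyspace: int, rate: int = GUESS_RATE) -> float:
    """Time to try every candidate. A uniformly random choice is found, on average,
    in half this time; the thread quotes the full-space figure."""
    return keyspace / rate


def human_time(seconds: float) -> str:
    """Format like the thread: years when large, otherwise minutes and (truncated) seconds."""
    if seconds >= SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_YEAR:.1f} years"
    minutes, secs = divmod(seconds, 60)
    return f"{int(minutes)} min {int(secs)} s"


def thread_options() -> dict:
    """The three schemes from the thread plus a 12-character random password (the cap
    rjsterry mentions), each mapped to its keyspace size."""
    return {
        "1: 11 random chars from 97 keys": keyspace_random(97, 11),
        "2: 4 random words from 170,000": keyspace_words(170_000, 4),
        "3: 9-letter word, 3 subs/char, +2 random keys": keyspace_leet(170_000, 9, 3, 97, 2),
        "4: 12 random chars from 97 keys (common length cap)": keyspace_random(97, 12),
    }


if __name__ == "__main__":
    for name, space in thread_options().items():
        print(f"{name}: {space:,} candidates, {entropy_bits(space):.1f} bits, "
              f"{human_time(exhaust_seconds(space))} to exhaust at {GUESS_RATE:,}/s")
```

The 12-character row shows the other side of the length-cap complaint: at that cap a random string from 97 keys still carries about 10 bits more than four random words, so the cap hurts the memorable scheme rather than the random one.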
  • itboffin
    itboffin Posts: 20,064
    or like Greg you could just use the first names and dob of your six male sex slaves.
    Rule #5 // Harden The Feck Up.
    Rule #9 // If you are out riding in bad weather, it means you are a badass. Period.
    Rule #12 // The correct number of bikes to own is n+1.
    Rule #42 // A bike race shall never be preceded with a swim and/or followed by a run.
  • rjsterry
    rjsterry Posts: 29,344
    Greg66 wrote:
    See londonlivvy's link. horsestaplelockcorrect. The point of the article is that this sort of password is very easy to remember with a little (and contrived) mental image combining the four components, and very hard to crack with brute force.

    Whereas h4;&YwI*~}+¥8T is not that easy to remember.

    I get that, but most passwords I've had to set are limited to under 20 characters, and some as few as 12, which reduces the security significantly.
    1985 Mercian King of Mercia - work in progress (Hah! Who am I kidding?)
    Pinnacle Monzonite

    Part of the anti-growth coalition
  • Underscore
    Underscore Posts: 730
    SimonAH wrote:
    Seriously though, how in seven holy hells are you supposed to remember twenty odd secure cryptic passwords? Anyone got a cunning system?

    Simple - don't remember 20 (or even hundreds) of different passwords, remember one but still use a different (randomly generated) password for each site: http://www.lastpass.com/

    Been using it for a few years now and it just works.

    _
  • greg66_tri_v2.0
    greg66_tri_v2.0 Posts: 7,172
    itboffin wrote:
    or like Greg you could just use the first names and dob of your six male sex slaves.

    1. They don't have names, as such.
    2. Dobs? WTF? Why would I want to know those?
    3. They're chicks, dude. This is the big City. It's very different to Bumpkinsville, Windshire.
    4. They're not slaves. They hang around 'cos they want to. This is the big City, etc...

    :wink:
    Swim. Bike. Run. Yeah. That's what I used to do.

    Bike 1
    Bike 2-A
  • lardboy
    lardboy Posts: 343
    And what if you have to create a PIN? Then a 5 digit PIN, or a 6 digit, excluding your DoB. Or your password can only be a max of 15 letters, which your 4 words have exceeded.

    I have to reset passwords on a weekly basis, now I've joined a company that doesn't allow you to reuse old ones. The post-it notes are getting rather full now.
    Bike/Train commuter: Brompton S2L - "Machete"
    12mile each way commuter: '11 Boardman CX with guards and rack
    For fun: '11 Wilier La Triestina
    SS: '07 Kona Smoke with yellow bits