Password Protection


Will Truman

Will Truman is the Editor-in-Chief of Ordinary Times. He is also on Twitter.


32 Responses

  1. Kazzy says:

    But is it a really good sports message board? That might be more valuable than the totality of what is in your financial accounts.

    • Will Truman says:

      It was the home team message board to a Conference USA school that I didn’t even attend but whose fans I enjoy chatting with. One of the best fanboards I’ve ever seen, but for a team that’s the equivalent of Marshall or Tulsa.

    • Jeff says:

      And, as is often the case, xkcd is wrong. He’s comparing one 11-character password to 4 passwords each up to 7 characters. If I was writing a “password buster”, I would start with letters and numbers (with extra weight for “real” words). That would catch his silly example long before the one he thinks is bad.

      One thing I’ve discovered from xkcdsucks is that Randall is really bad at math.

      • Patrick Cahalan says:

        Yes, he’s wrong, but he’s not as far off as that.

        Since the sub-words in the passphrase are of unknown individual length, it’s not four separate passwords. It’s still one big one, particularly if you use any non-alpha character as a word separator.


        (the MD5 hash 9aacebbd75c2d8804cfc8b3ff20055dc is not in any currently published rainbow table)

        is not as easy to crack as


        (which would be trivial)

        Of course, if you *know* from social engineering what sorts of words your target picks from, then yes it’s a pretty crappy algorithm for generating passwords.

        Note: everybody still uses MD5 and they ought to switch to SHA-256, but that’s an aside.

        • BlaiseP says:

          There’s an interesting little site I’ve bookmarked which explains how this works.

          • James Hanley says:

            Thanks for the link to that website. I’ve devised my own casual algorithm for coming up with memorable but, I hoped, difficult to break passwords. Turns out that the online attack scenario timeline for them runs into the century–in one case of an easily remembered password, 2.7 hundred thousand centuries. I’m gratified to be reconfirmed in my satisfaction with my method.

  2. BlaiseP says:

    Banks are by far the worst in this regard. It’s unfathomable, why they insist on such dumbass password schemes.

    But the absolute worst, and I’ve been seeing a lot of it lately, is open username/pwd combinations in PHP

    $link = mysql_connect("localhost", "user", "tr00t") or die(mysql_error());

    Stuff like that causes me to stomp and shoot and spit. So I talk to the client about it: “oh, don’t worry about it, there’s nothing important back there anyway.”

    • Morat20 says:

      I’ve been trying — in vain — to get my work to switch to RSA tokens. I use them for another aspect of my work, and I don’t work in a small shop. There are far, far, far and away enough people to make it economically feasible.

      But nope. We’re up to 12 character passwords, changed every 60 days, no reuse for a year, one upper case and one special character, no dictionary words, and god knows what else.

      So everyone cheats and writes them down.

      RSA tokens are dirt cheap and secure. (Blizzard was subsidizing the dang things for World of Warcraft, basically charging you shipping to get one). A four digit pin, which everyone can remember, and a 6 digit number that changes every 60 seconds.

      Secure as hell, even if you lose the token. You’d have to be dumb enough to write your PIN ON the token to break it.
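The PIN-plus-rotating-code scheme described in the comment above can be shown in working code. The following is an added example, not code from any commenter and not RSA's proprietary SecurID algorithm: it uses the openly specified HOTP/TOTP construction (RFC 4226 / RFC 6238, HMAC-SHA1 with dynamic truncation), which is what phone-app tokens mentioned later in the thread generally implement. The 60-second step, the PIN value, the seed (the RFC 4226 test secret) and the `TokenVerifier` class are assumptions made for the demonstration. The verifier shows why a lost token without its PIN is still useless, and adds the replay check a server should perform so that a code seen once cannot be reused within its validity window.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock.
    A 60-second step is assumed to match the rotation period in the comment;
    most phone apps and commercial tokens use 30 s."""
    return hotp(secret, int(unix_time // step), digits)


class TokenVerifier:
    """Server-side check of PIN + token code (constructed example, not RSA's protocol).

    - The PIN is the 'something you know' factor: a stolen token alone fails.
    - The code is accepted within +/- `skew` time steps to tolerate clock drift.
    - Each counter value is accepted at most once, so a code observed in transit
      cannot be replayed inside its validity window.
    """

    def __init__(self, secret: bytes, pin: str, step: int = 60,
                 digits: int = 6, skew: int = 1):
        self.secret = secret
        self.pin = pin
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_counter = -1  # highest counter value already consumed

    def verify(self, submitted_pin: str, submitted_code: str, unix_time: float) -> bool:
        # Constant-time comparison so timing does not reveal how much of the PIN matched.
        if not hmac.compare_digest(submitted_pin.encode(), self.pin.encode()):
            return False
        counter = int(unix_time // self.step)
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_counter:
                continue  # already used, or older than a used code: reject replay
            if hmac.compare_digest(hotp(self.secret, c, self.digits), submitted_code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: RFC 4226 test secret, made-up PIN, 30-second step.
    seed = b"12345678901234567890"
    v = TokenVerifier(seed, pin="1234", step=30)
    code = totp(seed, 59, step=30)
    print("code at t=59:", code)                                   # 287082 (RFC 6238 vector)
    print("correct PIN + code:", v.verify("1234", code, 59))       # True
    print("same code replayed:", v.verify("1234", code, 59))       # False
    print("stolen token, wrong PIN:",
          v.verify("0000", totp(seed, 89, step=30), 89))           # False
```

The seed never leaves the server and the token; only the six-digit output crosses the wire, and it is worthless after one use and one time step. The real operational cost, as the later comments note, is in provisioning and revoking the seeds, not in the arithmetic.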

      • BlaiseP says:

        I issue revokable X.509 certs from my own CA, loaded onto an encrypted USB drive. Lots cheaper than RSA. No tickee, no washee, you mount the USB drive, point your app security to that cert, then it will run.

        • Kolohe says:

          Well, a good number of enterprise IT folks (at least in the government) consider USB drives to be the bisexual heroin addict prostitutes of computer hardware and won’t let a USB drive even come into their buildings anymore, much less on their systems.

          • BlaiseP says:

            This is really nothing but the good ol’ CAC card X.509 paradigm, only a hell of a lot cheaper and far more secure. The cert is tied to the absolute release of the executable instance: Bob can’t run Sally’s installed software. The last thing I want is some GS-3 moron fucking with my security. If they want, I’ll retrofit the security model to their OS security but I will not play li’l password games with this species of chump.

          • Patrick Cahalan says:

            USB drives aren’t the Evil Widget, there… it’s “Autorun”. This is a trivial problem to fix.

            • Mike Schilling says:

              One of the amazing things about security is how many holes are trivial to close but stay wide open. (Something everyone in this conversation is painfully aware of.)

          • Will Truman says:

            Tangential, but I was once upon a time reluctant to get a smartphone because I thought my Pocket PC plus a regular phone suited me just fine. This changed when I got a job at a place that banned Pocket PCs… but didn’t ban smartphones. Pocket PCs represented a security threat, but a Pocket PC with cellular capability and a camera (which most PPCs lacked) didn’t.

            • BlaiseP says:

              Most corporate security is a joke. Everyone knows it. Industrial espionage is big business and everyone’s doing it. Most intel breaches are inside jobs anyway.

              All this hoo-hah about prohibiting devices onsite: anyone who’s running an MS Exchange Server has already hung his big naked ass out the window for the world to see, and the family jewels too.

            • Kazzy says:

              What’s a pocket PC?

              • Will Truman says:

                Also called PDAs. Smartphones without the cell part (and, because of the technology at the time, usually without a camera). The modern equivalent would be the iPod Touch.

              • BlaiseP says:

                Once, Kazzy, back when the plesiosaurs’ reign of terror was sweeping across the coasts of Pangaea, there was the Pocket PC, which ran an operating system called Windows CE, short for Cretaceous Edition, though some believe CE arose from Cretinous Excel. The archaeologists differ on this subject but all agree on that bit about the plesiosaurs.

                As its name implies, WinCE was half o’ this and none o’ that. It featured manly edition names like Stinger and Chainsaw, but its chief attributes were Slow and Stupid, which the aforementioned plesiosaurs were not, let me tell you. We early mammals continued to believe in low-powered ARM processors and evolved smaller and more efficient kernels to best utilise their very considerable resources.

                Well, the plesiosaurs are gone and good riddance. They were fast and rude and predatorious in extremis. But WinCE is still out there, somewhere, equally irrelevant but still an annoyance.

              • Tod Kelly says:

                Actually, I’m just happy to see you.

    • Will Truman says:

      As others have pointed out, banks produce layers upon layers of password requirements… that are undone by simply knowing the street that the account-holder grew up on or their favorite pet.

  3. Mike Schilling says:

    Who steals my purse steals trash, but who steals my opinion of Alex Smith steals red and gold.

  4. Patrick Cahalan says:

    FWIW, a couple of GPU machines can break 8 character passwords in feasible time, now.


    Probably the right number of characters is now > 12, for anything you want to keep secure for a while. Passwords are right out; you need a passphrase instead.

    RSA tokens are a possible solution, but they are an administrative pain (there’s a guy at JPL whose full-time job is replacing and revoking RSA tokens) and you can’t transmit them over the Internet or the phone… so if a traveling user loses their token, they’re SOL until they get back to the office. This can be a deal breaker.
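Two passages in this thread turn on the same arithmetic: the Jeff / Patrick Cahalan exchange above about whether four dictionary words beat one 11-character password, and the comment just above about 8-character passwords falling to a couple of GPU machines and passphrases needing more than 12 characters. The following added example (not code from any commenter) puts numbers on both. It assumes a 94-symbol printable alphabet, a 2048-word dictionary, a guess rate of 10^10 per second against an unsalted fast hash such as MD5 (a constructed figure for illustration), and a 64-word "personal" list standing in for what an attacker might learn by social engineering. The `effective_bits` function captures Patrick's point that a passphrase is "one big password" only against an attacker who does not guess whole words: the defender gets the minimum of the two attack models.

```python
import math

# Assumed attacker speed (constructed figure, not from the thread): a small GPU
# rig against an unsalted fast hash. A slow, salted hash would cut this by orders
# of magnitude, which is why "switch away from MD5" is more than an aside.
GUESSES_PER_SECOND = 1e10


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(num_words: int, dictionary_size: int) -> float:
    """Entropy of `num_words` words drawn uniformly (with replacement) from a
    dictionary of `dictionary_size` words. Separators and the unknown word
    lengths add nothing against an attacker who guesses whole words."""
    return num_words * math.log2(dictionary_size)


def effective_bits(char_model_bits: float, word_model_bits: float) -> float:
    """An attacker runs whichever model is cheaper, so the defender gets the minimum."""
    return min(char_model_bits, word_model_bits)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Average time to hit the right guess: half the keyspace at `rate` guesses/s."""
    return (2 ** bits) / 2 / rate


def scenarios(rate: float = GUESSES_PER_SECOND) -> dict:
    """Worked comparison; returns {label: (entropy bits, expected seconds)}."""
    printable = 94  # printable ASCII without space
    four_words_as_chars = password_bits(25, 27)  # ~25 lowercase letters plus separators
    cases = {
        "8-char random printable password": password_bits(8, printable),
        "11-char random printable password": password_bits(11, printable),
        "4 words from a 2048-word list (word model)": passphrase_bits(4, 2048),
        "4 words, attacker guesses characters only": four_words_as_chars,
        "4 words, attacker picks cheaper model": effective_bits(
            four_words_as_chars, passphrase_bits(4, 2048)),
        # Social-engineering case: attacker knows the target's ~64 favourite words.
        "4 words from a known 64-word list": passphrase_bits(4, 64),
        "6 words from a 2048-word list": passphrase_bits(6, 2048),
    }
    return {label: (bits, expected_crack_seconds(bits, rate)) for label, bits in cases.items()}


def human(seconds: float) -> str:
    """Render seconds as the largest convenient unit."""
    for unit, size in (("years", 3.156e7), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for label, (bits, secs) in scenarios().items():
        print(f"{label:45s} {bits:6.1f} bits  ~{human(secs)}")
```

Read against the thread: 8 printable characters is about 52 bits, a few days at the assumed rate, which matches "feasible time"; 11 random printable characters is about 72 bits; four words from a 2048-word list is 44 bits whether or not the attacker knows the word lengths, because the word model is always the cheaper one; and if the attacker has narrowed the dictionary to 64 personal words the same passphrase drops to 24 bits, Patrick's "pretty crappy algorithm" case. Nothing here depends on the hash except the rate, which is the only knob a site operator controls.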

    • BlaiseP says:

      RSA got beat down. Google’s certs got beat down. All these third-party sites are trivially beat down. The CA mechanism is dead.

      Physical tokens are the way to go. Nobody whines about needing a physical key to get in their front door or into their cars.

    • Morat20 says:

      They also last five years. JPL is a big, big place.

      My company? One of the HR reps handles it. There’s generally a few weeks where she’s handling a couple hundred RSA turnovers (when they expire — generally tied to some contract reaching a 5 year milestone), but mostly she hands out one a week.

      True, being on travel can screw you — but in the age of smartphones (and Blizzard has done this as well) syncing an app to cell is another fashion of generating a token. You can still clone the cell phone and probably access the token that way, but you’d still need the PIN.

      Treat cell-generated tokens as suspect requiring a check-in or prior authorization (give them a use or three gratis), and you’ve got a guy on travel who can use an app on his phone.

      If he’s lost both his phone AND his token, well he’s fucked enough that they’re shipping him new stuff anyways.

  5. Snarky McSnarkSnark says:

    This information is a few years old, but at one point, 60% of all web passwords were one of the following:

    (same as username)


    • Brandon Berg says:

      You could get up to five bits of entropy by picking three of them at random (with possible repeats) and stringing them together.

      • Mike Schilling says:

        I wouldn’t be surprised if an appreciable number of “7 character or more” passwords were “sexsexsex”.