If you don’t have letters and numbers in your password, you are an idiot

Swa

Honorary Master
Joined
May 4, 2012
Messages
30,820
Password length > password complexity
Until you make it quite simple and easy to guess. Brute force attacks have become wise to using dictionary words. So you end up using multiple dictionaries, spelling words differently, using upper- and lowercase, and adding numbers or even special characters, which kind of defeats the purpose and adds complexity anyway. Then there's the issue of password fields not being able to handle that many characters. I've been getting away with 24 so far, but for one or two sites I had to make them 20 characters, and one was so short I just left it at the default one they gave.
 

Blu82

Expert Member
Joined
Nov 15, 2005
Messages
3,743
If you rue the inevitable day when IT makes you change your password, you're not alone. It is incredibly frustrating to constantly think of new passwords with a capital letter, a special character and numbers that aren't a variation on your old password. And it turns out that we're pretty bad at it, which is why the man responsible for the password hell we've been in this past decade has recanted his recommendations.

Source
 

The Door

Honorary Master
Joined
Jul 18, 2008
Messages
58,593
Password length > password complexity
Use passwords easy to remember and difficult for computers to guess, not the other way around.

Exactly this... the one thing I would recommend from this article is
Use a passphrase – instead of a typical password, use a passphrase like “correct-horse-25-battery”.
'My mother loves chakalaka on toast first thing in the morning' is easy to remember and reproduce yet incredibly difficult for any computer to calculate / guess.

Here are NIST's guidelines
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

What are the major differences between current received wisdom about “secure passwords” and what NIST is now recommending?

Some of the recommendations you can probably guess; others may surprise you.

We’ll start with the things you should do.

Favor the user. To begin with, make your password policies user friendly and put the burden on the verifier when possible.

In other words, we need to stop asking users to do things that aren’t actually improving security.

Much research has gone into the efficacy of many of our so-called “best practices” and it turns out they don’t help enough to be worth the pain they cause.

Size matters. At least it does when it comes to passwords. NIST’s new guidelines say you need a minimum of 8 characters. (That’s not a maximum minimum – you can increase the minimum password length for more sensitive accounts.)

Better yet, NIST says you should allow a maximum length of at least 64, so no more “Sorry, your password can’t be longer than 16 characters.”

Applications must allow all printable ASCII characters, including spaces, and should accept all UNICODE characters, too, including emoji!

This is great advice, and considering that passwords must be hashed and salted when stored (which converts them to a fixed-length representation) there shouldn’t be unnecessary restrictions on length.

We often advise people to use passphrases, so they should be allowed to use all common punctuation characters and any language to improve usability and increase variety.

Check new passwords against a dictionary of known-bad choices. You don’t want to let people use ChangeMe, thisisapassword, yankees, and so on.

More research needs to be done into how to choose and use your “banned list,” but Jim Fenton thinks that 100,000 entries is a good starting point.

The don’ts

Now for all the things you shouldn’t do.

No composition rules. What this means is, no more rules that force you to use particular characters or combinations, like those daunting conditions on some password reset pages that say, “Your password must contain one lowercase letter, one uppercase letter, one number, four symbols but not &%#@_, and the surname of at least one astronaut.”

Let people choose freely, and encourage longer phrases instead of hard-to-remember passwords or illusory complexity such as pA55w+rd.

No password hints. None. If I wanted people to have a better chance at guessing my password, I’d write it on a note attached to my screen.

People set password hints like rhymes with assword when you allow hints. (Really! We have some astonishing examples from Adobe’s 2013 password breach.)

Knowledge-based authentication (KBA) is out. KBA is when a site says, “Pick from a list of questions – Where did you attend high school? What’s your favourite football team? – and tell us the answer in case we ever need to check that it’s you.”

No more expiration without reason. This is my favourite piece of advice: If we want users to comply and choose long, hard-to-guess passwords, we shouldn’t make them change those passwords unnecessarily.

The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.

Why favour the user? Because if you don't, they will write it on a sticky note and put it on their monitor.
Check your own passwords here

For devs, here is Daniel Miessler's SecLists
https://github.com/danielmiessler/SecLists/tree/master/Passwords
 
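The NIST rules quoted in the post above (minimum of 8 characters, allow at least 64, accept all printable ASCII and Unicode including spaces and emoji, check new passwords against a banned list, no composition rules, hash and salt when storing) translate into a short verifier. The block below is an added example, not code from the thread, from the Sophos article or from NIST: it assumes Python's standard-library scrypt as the salted password hash, a tiny constructed banned list standing in for a real 100,000-entry one, and NFKC normalization of the password before hashing (which NIST's own SP 800-63B text recommends for Unicode passwords; the article quoted here does not mention it).

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed banned list for the example; a real deployment would load a large
# list such as the SecLists password files linked above (entries lower-case).
BANNED = {"password", "changeme", "thisisapassword", "yankees",
          "mailcreated5240", "123456789", "qwertyuiop"}

MIN_LEN = 8    # NIST minimum; raise it for more sensitive accounts
MAX_LEN = 64   # NIST: the maximum you allow must be at least 64
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)  # assumed work factor


def normalize(pw: str) -> str:
    """NFKC so the same visible passphrase typed on different platforms hashes
    identically (assumption: verifier-side normalization per SP 800-63B)."""
    return unicodedata.normalize("NFKC", pw)


def check_policy(pw: str, banned=BANNED):
    """Return (accepted, reason).

    Length is counted in code points, not bytes, so non-Latin scripts and emoji
    are not penalised, and there are deliberately no composition rules: the only
    rejections are too short, too long, or on the banned list."""
    pw = normalize(pw)
    n = len(pw)
    if n < MIN_LEN:
        return False, f"too short ({n} < {MIN_LEN} characters)"
    if n > MAX_LEN:
        return False, f"too long ({n} > {MAX_LEN} characters)"
    if pw.casefold() in banned:
        return False, "appears on the banned-password list"
    return True, "ok"


def store(pw: str) -> dict:
    """Apply the policy, then keep only a per-user random salt and the scrypt
    output; the password itself is never written anywhere."""
    ok, reason = check_policy(pw)
    if not ok:
        raise ValueError(reason)
    salt = os.urandom(16)
    digest = hashlib.scrypt(normalize(pw).encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return {"kdf": "scrypt", "salt": salt.hex(), "hash": digest.hex()}


def verify(pw: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(normalize(pw).encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    for candidate in ("ThisIsAPassword", "pA55w+rd", "correct-horse-25-battery",
                      "My mother loves chakalaka on toast first thing in the morning",
                      "pässwörd🔑"):
        print(f"{candidate!r}: {check_policy(candidate)}")
    rec = store("correct-horse-25-battery")
    print("verify correct:", verify("correct-horse-25-battery", rec))
    print("verify wrong:  ", verify("correct-horse-26-battery", rec))
```

Note what is absent: no "must contain a digit" rule, no hint field, no expiry date in the stored record. `pA55w+rd` passes the length check and is not on the toy list, which is exactly why the banned list needs to be large in practice rather than why composition rules should come back.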

The Door

Honorary Master
Joined
Jul 18, 2008
Messages
58,593
Password manager, no?

IMO yes within reason. Make sure they don't store your stuff in any reversible format - e.g. non hashed... and make sure you don't 'save my master password' in the app to make your life easier. A stolen device will reveal all.
 

The Door

Honorary Master
Joined
Jul 18, 2008
Messages
58,593
Won't work well, they're logically following words and it's not difficult/common to use multiple dictionaries. That possibility thing doesn't mean much as it's based on number of letters only (at least I think it is).

Find us evidence of this. While I can agree with the sentiment, I believe we are a heck of a long way away from anything that makes this approach vulnerable.
IMO the biggest education needs to be aimed at devs - brute force attacks should not be possible on most services for various reasons. Offline files are different, but then with multi-word phrases you have to guess the words, the number of words and the order of the words. In addition, the example is in two languages.
Bottom line is it's better for people to use something that's easier to remember over something more complex, otherwise they simply resort to insecure storage.
If you're paranoid, use phrases that are unique to you and not common... something quirky that people in your circles say.
 

Marius Flash

Expert Member
Joined
Aug 25, 2016
Messages
2,017
So by avoiding being an idiot, as OP puts it...... Here is a password for recommendation: (use at your own risk)

Password: abc123def456ghi789jkl@#$%&enter
 

Vice

Expert Member
Joined
Aug 8, 2005
Messages
1,134
Why crack your skull trying to guess a password when you can use simple methods, e.g. rubber hose and social engineering? <bob_is_your_uncle :crylaugh: />
 

The Door

Honorary Master
Joined
Jul 18, 2008
Messages
58,593

Trouble with that is it's not based on dictionary attacks - it's brute force only if I'm not mistaken.

e.g. it says this for the password 'Mailcreated5240'

[screenshot of the checker's estimate for 'Mailcreated5240', not reproduced]


...yet it's in one of the common password lists available in the wild... so realistically, using a wordlist, it will take a few minutes to crack in the case of an encrypted file. For web services, there are far easier tools to use like phishing and keyloggers - brute forcing any reputable web page should just plain not work.
 
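The two posts above from The Door make the same point from both sides: a brute-force-only checker credits 'Mailcreated5240' with a huge keyspace even though it sits in a public wordlist, while a multi-word phrase forces an attacker to guess the words, how many there are and their order. The block below is an added example, not code from the thread or from the checker shown in the screenshot: it assumes a five-entry constructed wordlist in place of a real leaked list, and the guess rates (10^10 per second offline against fast unsalted hashes, 10 per second through a rate-limited login) are illustrative assumptions, not measurements.

```python
import math
import string

# Constructed stand-in for a leaked-password wordlist; real lists such as the
# SecLists files linked earlier in the thread hold millions of entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "mailcreated5240"}

# Assumed guess rates for the demonstration (not measurements):
OFFLINE_RATE = 1e10  # guesses/s against a stolen file of fast, unsalted hashes
ONLINE_RATE = 10.0   # guesses/s a rate-limited web login lets through

SYMBOLS = set(string.punctuation) | {" "}


def charset_size(pw: str) -> int:
    """Alphabet a brute-force-only checker assumes the password was drawn from."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SYMBOLS for c in pw):
        size += len(SYMBOLS)
    return size


def naive_bits(pw: str) -> float:
    """What a brute-force-only estimator reports: every string over the
    charset of the same length is treated as equally likely."""
    return len(pw) * math.log2(charset_size(pw))


def realistic_bits(pw: str, wordlist=COMMON_PASSWORDS) -> float:
    """Guess-work once the attacker runs a wordlist first: a listed password
    falls within len(wordlist) guesses, whatever its length or charset."""
    if pw.casefold() in wordlist:
        return math.log2(len(wordlist))
    return naive_bits(pw)


def passphrase_bits(n_words: int, dict_size: int) -> float:
    """Guess-work for n_words drawn independently from a dictionary of
    dict_size words when the attacker does not know the word count: ordered
    sequences of length k number dict_size**k, and an attacker enumerating
    shorter phrases first has tried every length up to n_words before hitting it."""
    total = sum(dict_size ** k for k in range(1, n_words + 1))
    return math.log2(total)


def seconds_to_crack(bits: float, rate: float) -> float:
    """Worst-case time to exhaust 2**bits guesses at the given rate."""
    return 2 ** bits / rate


def estimate(pw: str) -> dict:
    """Side-by-side view of the brute-force-only and wordlist-aware estimates."""
    naive, real = naive_bits(pw), realistic_bits(pw)
    return {
        "naive_bits": round(naive, 1),
        "realistic_bits": round(real, 1),
        "offline_seconds": seconds_to_crack(real, OFFLINE_RATE),
        "online_years": seconds_to_crack(real, ONLINE_RATE) / (365 * 86400),
    }


if __name__ == "__main__":
    print("Mailcreated5240:", estimate("Mailcreated5240"))
    # 12 words from an assumed 20,000-word pooled vocabulary (two languages)
    bits = passphrase_bits(12, 20_000)
    print(f"12-word passphrase: {bits:.1f} bits, "
          f"{seconds_to_crack(bits, OFFLINE_RATE) / (365 * 86400):.3g} years offline")
```

Two things fall out of running it. First, the naive column for 'Mailcreated5240' is close to 90 bits while the realistic column is a couple of bits, which is the gap between the screenshot and "a few minutes with a wordlist". Second, even a listed password is not reachable through a login that genuinely holds attackers to a few guesses per second, which is the reason the post puts the burden on developers rather than on users picking longer strings.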