Author Topic: Use longer passwords  (Read 2055 times)

Hawkmoon

  • friend
  • Senior Member
  • ***
  • Posts: 27,245
Use longer passwords
« on: February 27, 2020, 01:35:25 AM »
So sayeth the FBI:

https://dnyuz.com/2020/02/27/fbi-says-length-is-more-important-than-complexity-for-passwords/

Their thesis is that longer passwords require more computer power to crack than shorter ones, even if the shorter ones are more complex. Thoughts?
- - - - - - - - - - - - -
100% Politically Incorrect by Design

bedlamite

  • Hold my beer and watch this!
  • friend
  • Senior Member
  • ***
  • Posts: 9,786
  • Ack! PLBTTPHBT!
Re: Use longer passwords
« Reply #1 on: February 27, 2020, 01:40:53 AM »
A plan is just a list of things that doesn't happen.
Is defenestration possible through the overton window?

K Frame

  • friend
  • Senior Member
  • ***
  • Posts: 44,190
  • I Am Inimical
Re: Use longer passwords
« Reply #2 on: February 27, 2020, 07:32:11 AM »
Interesting stuff.

I use a combination of patterns on my keyboard, random substitution of punctuation, numerals, and capitals, and an associated phrase word.

P1 standard W2 as my reminder tells me everything I need to know about my password.

But, that one is a short password, fewer than 20 total characters, so I only use it on systems that require 2 factor authentication.

For systems that don't require 2 factor my passwords are a LOT longer, but still pattern based. 
Carbon Monoxide, sucking the life out of idiots, 'tards, and fools since man tamed fire.

Ben

  • Administrator
  • Senior Member
  • *****
  • Posts: 45,938
  • I'm an Extremist!
Re: Use longer passwords
« Reply #3 on: February 27, 2020, 08:09:44 AM »
This is well-known, as can be attested to by the age of the xkcd comic.

I have always used passphrases where allowed. Unfortunately too many sites still not only require specific special characters, but also have a length limit. A twenty character passphrase is much faster for me to input than an eight character, three special characters, and "no part of the password can be found in a dictionary" password.

I still recall one of the fed.gov finance sites I was on, I think for doing my gov credit card statements, was nearly impossible to choose an acceptable password for, and you had to choose a new one like every two months. Something like !F^1bee1R2 would be denied because "bee" is in the dictionary. I ended up using German words mixed with special characters to get around it and have a password I could also remember.
"I'm a foolish old man that has been drawn into a wild goose chase by a harpy in trousers and a nincompoop."

MechAg94

  • friend
  • Senior Member
  • ***
  • Posts: 33,701
Re: Use longer passwords
« Reply #4 on: February 27, 2020, 08:50:19 AM »
I have seen the idea presented in that cartoon and I more or less agree with it, but I still end up doing a version of the other password all the time.  Just habit I guess.  I have over a dozen different applications I have to access at work and many have unique password requirements.  Most everyone I know writes their passwords down in some form.  They use a notepad, a cell phone, or one of those password programs because they can't remember them.

I talked to someone recently who admitted to using 1,2,3,4,5,6.  I don't think they had ever seen Spaceballs. 
“It is much more important to kill bad bills than to pass good ones.”  ― Calvin Coolidge

K Frame

  • friend
  • Senior Member
  • ***
  • Posts: 44,190
  • I Am Inimical
Re: Use longer passwords
« Reply #5 on: February 27, 2020, 09:13:41 AM »
I use a password manager on my cell phone. It's there just in case.

Does anyone know of a website where you can enter a potential password and it will tell you roughly how long it would take a dedicated program to crack it?
Carbon Monoxide, sucking the life out of idiots, 'tards, and fools since man tamed fire.

lupinus

  • Southern Mod Trimutive Emeritus
  • friends
  • Senior Member
  • ***
  • Posts: 9,178
Re: Use longer passwords
« Reply #6 on: February 27, 2020, 11:20:03 AM »
This has been well known for a while. It's also well known that the more silly requirements imposed the more likely people are to write their passwords down and use the same one for everything. And yet, sysadmins continually find new goofy requirements to impose. Then wonder why people write their password on a post it and stick it to their monitor.

Sent from my Pixel XL using Tapatalk
That is all. *expletive deleted*ck you all, eat *expletive deleted*it, and die in a fire. I have considered writing here a long parting section dedicated to each poster, but I have decided, at length, against it. *expletive deleted*ck you all and Hail Satan.

cordex

  • Administrator
  • Senior Member
  • *****
  • Posts: 8,613
Re: Use longer passwords
« Reply #7 on: February 27, 2020, 11:24:26 AM »
Quote from: K Frame
Does anyone know of a website where you can enter a potential password and it will tell you roughly how long it would take a dedicated program to crack it?

There are quite a few, but most just assume brute force cracking and I have yet to see one that takes into consideration the many ways of attacking a password.

There are also dictionary attacks, rules-modified dictionaries, targeted attacks (technically a rules-modified dictionary attack using information about the password creator such as names and dates important to that person), hash collision attacks, and so forth. Just because your password would take umpteen centuries to brute force doesn't mean it can't be broken in 15 minutes with another attack.
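
Added example, not part of any post in this thread: a small estimator showing why a brute-force-only figure overstates strength once a rules-modified dictionary search is considered, and how a longer passphrase still compares. The wordlist is constructed, and the dictionary size, rule count and leet table are assumptions chosen for illustration.

```python
import math
import string

# Constructed sample wordlist and attacker-model sizes (assumptions, not measurements).
WORDLIST = ["correct", "horse", "battery", "staple", "password", "summer", "dragon"]
ASSUMED_DICT_SIZE = 100_000  # words in the modelled dictionary
ASSUMED_RULES = 10_000       # mangling variants per candidate (caps, leet, suffixes)
LEET = str.maketrans("@4310$5+7", "aaeiosstt")  # common character substitutions


def brute_force_bits(pw):
    """Bits of keyspace if every character is guessed independently."""
    pool = 0
    pool += 26 if any(c in string.ascii_lowercase for c in pw) else 0
    pool += 26 if any(c in string.ascii_uppercase for c in pw) else 0
    pool += 10 if any(c in string.digits for c in pw) else 0
    pool += 33 if any(c in string.punctuation + " " for c in pw) else 0
    return len(pw) * math.log2(pool) if pool else 0.0


def segment(text, words):
    """Return dictionary words that concatenate to text, or None if impossible."""
    if not text:
        return []
    for w in words:
        if text.startswith(w):
            rest = segment(text[len(w):], words)
            if rest is not None:
                return [w] + rest
    return None


def dictionary_bits(pw, words=WORDLIST):
    """Bits of keyspace for a rules-modified dictionary search, or None if no match."""
    plain = pw.replace(" ", "")
    core = plain.lower().rstrip(string.digits + string.punctuation).translate(LEET)
    parts = segment(core, words)
    if not parts:
        return None
    bits = len(parts) * math.log2(ASSUMED_DICT_SIZE)
    return bits + (math.log2(ASSUMED_RULES) if core != plain else 0.0)


def effective_bits(pw):
    """The cheapest modelled search is the one that matters."""
    d = dictionary_bits(pw)
    return brute_force_bits(pw) if d is None else min(brute_force_bits(pw), d)


for pw in ["P@ssw0rd1", "correct horse battery staple", "xk7#Qv9!pLz2"]:
    print(f"{pw!r}: brute {brute_force_bits(pw):.1f}, effective {effective_bits(pw):.1f} bits")
```

The passphrase figure assumes the four words were picked at random from the dictionary; words chosen by a person carry less.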

WLJ

  • friends
  • Senior Member
  • ***
  • Posts: 28,110
  • On Patrol In The Epsilon Eridani System
Re: Use longer passwords
« Reply #8 on: February 27, 2020, 11:31:26 AM »

Quote from: MechAg94
I talked to someone recently who admitted to using 1,2,3,4,5,6. I don't think they had ever seen Spaceballs.

The FBI says they should change it to 1,2,3,4,5,6,7,8,9
"Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us".
- Calvin and Hobbes

MillCreek

  • Skippy The Wonder Dog
  • friend
  • Senior Member
  • ***
  • Posts: 19,996
  • APS Risk Manager
Re: Use longer passwords
« Reply #9 on: February 27, 2020, 12:24:00 PM »
When I am wandering around in the clinics doing my compliance checks, it is interesting to see how often I can lift up someone's keyboard and find the post-it with their password.
_____________
Regards,
MillCreek
Snohomish County, WA  USA


Quote from: Angel Eyes on August 09, 2018, 01:56:15 AM
You are one lousy risk manager.

bedlamite

  • Hold my beer and watch this!
  • friend
  • Senior Member
  • ***
  • Posts: 9,786
  • Ack! PLBTTPHBT!
Re: Use longer passwords
« Reply #10 on: February 27, 2020, 12:32:19 PM »
Quote from: MillCreek
When I am wandering around in the clinics doing my compliance checks, it is interesting to see how often I can lift up someone's keyboard and find the post-it with their password.

I'd be way too tempted to swap out the post-it with a new one that was slightly different.
A plan is just a list of things that doesn't happen.
Is defenestration possible through the overton window?

WLJ

  • friends
  • Senior Member
  • ***
  • Posts: 28,110
  • On Patrol In The Epsilon Eridani System
Re: Use longer passwords
« Reply #11 on: February 27, 2020, 12:39:44 PM »
Some would be amazed how many big company and govt computers I could log into using Administrator with no password. Later versions of Windows started making that a bit harder but still doable if their admins were set in their ways.
"Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us".
- Calvin and Hobbes

K Frame

  • friend
  • Senior Member
  • ***
  • Posts: 44,190
  • I Am Inimical
Re: Use longer passwords
« Reply #12 on: February 27, 2020, 01:12:54 PM »
When I was working at State Dept. having your password written down and taped under your keyboard would get you a security violation and would cost your company money.

Where I am now? It will cost you your job.
Carbon Monoxide, sucking the life out of idiots, 'tards, and fools since man tamed fire.

WLJ

  • friends
  • Senior Member
  • ***
  • Posts: 28,110
  • On Patrol In The Epsilon Eridani System
Re: Use longer passwords
« Reply #13 on: February 27, 2020, 01:15:28 PM »
Quote from: K Frame
When I was working at State Dept. having your password written down and taped under your keyboard would get you a security violation and would cost your company money.

Where I am now? It will cost you your job.

Sticky notes on the monitor are frighteningly common
"Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us".
- Calvin and Hobbes

dogmush

  • friend
  • Senior Member
  • ***
  • Posts: 13,798
Re: Use longer passwords
« Reply #14 on: February 27, 2020, 01:17:48 PM »
After the DOD got a couple of laptops stolen out of recruiters' cars it became mandatory to enable BitLocker on the drive so that you needed the decrypt password to even start (or restart) a government computer.

There's one default password that the image comes out with, and I have never found a computer that had it changed.

Honestly, I'm just waiting for smartcards and biometrics to be ubiquitous enough we give up on passwords completely.  For my part, I tend to use the randomly generated passwords that Chrome offers up.  Of course, if you get into my Google account, you get everything, but hey, you got to take some risks.

MechAg94

  • friend
  • Senior Member
  • ***
  • Posts: 33,701
Re: Use longer passwords
« Reply #15 on: February 27, 2020, 01:42:13 PM »
Quote from: WLJ
Sticky notes on the monitor are frighteningly common

But at home I am not really trying to prevent someone from breaking into my house to steal my passwords.  At home it is a matter of who has access to it.
“It is much more important to kill bad bills than to pass good ones.”  ― Calvin Coolidge

MechAg94

  • friend
  • Senior Member
  • ***
  • Posts: 33,701
Re: Use longer passwords
« Reply #16 on: February 27, 2020, 01:43:26 PM »
The other problem at work is that different systems have different password requirements such that one password might not work on everything. 
“It is much more important to kill bad bills than to pass good ones.”  ― Calvin Coolidge

Ben

  • Administrator
  • Senior Member
  • *****
  • Posts: 45,938
  • I'm an Extremist!
Re: Use longer passwords
« Reply #17 on: February 27, 2020, 03:33:29 PM »
Quote from: dogmush
After the DOD got a couple of laptops stolen out of recruiters' cars it became mandatory to enable BitLocker on the drive so that you needed the decrypt password to even start (or restart) a government computer.

My favorite thing to do after CACs came out and became mandatory for computer access was to walk the office, grab all the CACs that I saw left plugged in to the readers and unattended, then go for a long lunch.  :laugh:
"I'm a foolish old man that has been drawn into a wild goose chase by a harpy in trousers and a nincompoop."

TechMan

  • Administrator
  • Senior Member
  • *****
  • Posts: 10,562
  • Yes, your moderation has been outsourced.
Re: Use longer passwords
« Reply #18 on: February 27, 2020, 04:06:35 PM »
Quote from: Ben
My favorite thing to do after CACs came out and became mandatory for computer access was to walk the office, grab all the CACs that I saw left plugged in to the readers and unattended, then go for a long lunch.  :laugh:

I'll bet you were loved in the office when you did that.   :lol:
Quote
Hawkmoon - Never underestimate another person's capacity for stupidity. Any time you think someone can't possibly be that dumb ... they'll prove you wrong.

Bacon and Eggs - A day's work for a chicken; A lifetime commitment for a pig.
Stupidity will always be its own reward.
Bad decisions make good stories.

Quote
Viking - The problem with the modern world is that there aren't really any predators eating stupid people.

Ben

  • Administrator
  • Senior Member
  • *****
  • Posts: 45,938
  • I'm an Extremist!
Re: Use longer passwords
« Reply #19 on: February 27, 2020, 04:27:42 PM »
Quote from: TechMan
I'll bet you were loved in the office when you did that.   :lol:

 =D
"I'm a foolish old man that has been drawn into a wild goose chase by a harpy in trousers and a nincompoop."

RoadKingLarry

  • friends
  • Senior Member
  • ***
  • Posts: 21,841
Re: Use longer passwords
« Reply #20 on: February 27, 2020, 06:06:58 PM »
Quote from: dogmush
After the DOD got a couple of laptops stolen out of recruiters' cars it became mandatory to enable BitLocker on the drive so that you needed the decrypt password to even start (or restart) a government computer.

There's one default password that the image comes out with, and I have never found a computer that had it changed.

Honestly, I'm just waiting for smartcards and biometrics to be ubiquitous enough we give up on passwords completely. For my part, I tend to use the randomly generated passwords that Chrome offers up. Of course, if you get into my Google account, you get everything, but hey, you got to take some risks.

When they switch to facial recognition my company will still require you to change your face every 60 days, and it can't be the same face you used for the last 6 logins.


If ye love wealth better than liberty, the tranquility of servitude better than the animating contest of freedom, go home from us in peace. We ask not your counsels or your arms. Crouch down and lick the hands which feed you. May your chains set lightly upon you, and may posterity forget that you were our countrymen.

Samuel Adams

AmbulanceDriver

  • Junior Rocketeer
  • friends
  • Senior Member
  • ***
  • Posts: 5,929
Re: Use longer passwords
« Reply #21 on: February 28, 2020, 04:36:09 PM »
Quote from: bedlamite
I'd be way too tempted to swap out the post-it with a new one that was slightly different.

I'd be tempted to swap it with a neighbor's - or a desk down the hall a bit.

Are you a cook, or a RIFLEMAN?  Find out at Appleseed!

http://www.appleseedinfo.org

"For some many people, attempting to process a logical line of thought brings up the blue screen of death." -Blakenzy

bedlamite

  • Hold my beer and watch this!
  • friend
  • Senior Member
  • ***
  • Posts: 9,786
  • Ack! PLBTTPHBT!
Re: Use longer passwords
« Reply #22 on: February 28, 2020, 08:55:14 PM »
Quote from: AmbulanceDriver
I'd be tempted to swap it with a neighbor's - or a desk down the hall a bit.



No, use the same type of pen, copy the style, and transpose a couple letters.
A plan is just a list of things that doesn't happen.
Is defenestration possible through the overton window?

AJ Dual

  • friends
  • Senior Member
  • ***
  • Posts: 16,162
  • Shoe Ballistics Inc.
Re: Use longer passwords
« Reply #23 on: March 02, 2020, 11:43:55 AM »
The best answer is to get people to use a very strong password, and compensate for its difficulty by making them not need to change it very often, or ever.

"Correct Horse Battery Staple" is not really all that correct.  Most systems are insulated from brute force attacks because most systems will lock you out after a number of bad attempts, many of them with increasing increments of time, and some permanent lockout that can only be undone by an administrator or automatically only after you provide some sort of multi-factor authentication to get yourself unlocked. Or even things like phones that will wipe themselves after a number of bad attempts. Or the system has something like a captcha which is difficult or impossible for a script to manipulate.

Most attacks forgo the random brute force method, and are database/dictionary keyword informed attacks, and four plaintext English words are pretty vulnerable to that. Something like T@1ntMa5+3r is good because it's not in any dictionary, and you're insulated from social engineering because you're too embarrassed to share it.  =D
I promise not to duck.