Question about Passwords - Is XKCD right?

Not to mention if you forget the password to your password manager or your PC crashes and you lose your password manager.

You need one if you have 300 passwords but why in the world would you need 300 passwords?

I find it sufficient to have 4-5 passwords. My bank and other financial stuff have super-duper passwords. SDMB middling. For a random website that makes me sign in the one time I need something, I do not really care.

If someone hacks my password for that one stupid site I signed into that one time two years ago…do I care?

I put them in the safe. Or at least, I would, if I had any jewels valuable enough to warrant that. The safe that everyone knows is a safe and everyone knows must contain something valuable is more secure than the hiding spot somewhere else that “nobody would ever think to look there”.

For all the most valuable things, those are all public knowledge.

The XKCD cartoon isn’t saying anything at all about “The SDMBisthebestforum!123”, because that’s not a random password; it’s a coherent sentence. Last I heard, a high-end password cracking program running on high-end consumer-level hardware will get coherent sentences with a few non-letter characters in about 8 hours. Now, granted, that’s still longer than a lot of attackers will even bother with, and they probably have more than enough for their purposes just from the folks using “password” and “123456”, but “hope the attacker gets bored of winning before he gets to mine” leaves a lot to be desired as a security strategy.

Well you would be using a hardware password manager/token (e.g. that plugs in via USB), right? Naturally, you also need to anticipate what happens when it gets lost/destroyed :slight_smile:

What system allows millions of password guesses in a row these days without putting the brakes on?

And a coherent sentence? Just add in a random character or two in there and you dramatically increase the time to crack it.

And, I am not sure “TheSDMBisthebestforum!123” is a coherent sentence. We can understand it. A computer won’t.

And to add, the search space for a sentence that is several words long is pretty big and will take a long time. Imagine using a dictionary and throwing random words at a problem until you guessed the sentence I thought up. That is not a quick thing to do.

A system that starts with getting a leak of the site’s password file. Which isn’t all that rare.

Their own computer. They’ve stolen the password database from your bank, and are trying to guess all of the passwords locally, before ever connecting to the bank. (Or in the real world, these are different groups who are selling the raw password database, cracked accounts, etc. to other groups.)

The encrypted blob that holds all of your passwords should have multiple backups. In most cases the blob exists in the cloud, so if your PC dies, then you just download the blob again. The cloud is also useful for syncing between devices, so you can use the same password manager across all of your devices.

If the cloud is unreachable, or the cloud copy gets lost, then you have cached copies on all of your local devices.

Don’t forget the password to your password manager. In many cases doing that will make it unavailable. The only way to open your encrypted blob is with the master password. Use some of the tricks mentioned here to come up with a good password (or pass phrase) for your password manager. Then use it multiple times per day, and you will remember it. Or just write it down and put it someplace safe, like your office at home.

But this password is shared with your accounts on a bunch of other stupid sites. Now you have to change your password on all of the other stupid sites, and you don’t even have a list of them. Maybe most of them really don’t matter, but what about the ones storing your credit card information?

What if it isn’t a stupid site password that is found, but your banking password. Now they have access to all of your banks.

Which is your email password? That is the holy grail password. If they can get into your email, then they can reset your password at all of your other places. Is that its own level of secure password, or is it shared with some random forum that uploaded their password database to github?


Cue Barbarella:

I have at least 50 devices at home that have passwords, about 50 more at the office, maybe 75 client accounts for various purposes, and a few 100s of web sites. All but the most trivial - online newspapers and similar - have a unique password in my password manager.

Do you consider this common for most people?

I dislike password managers simply because of the need to synchronize them across multiple devices and have them be compatible on multiple platforms. I may log in to the same service from my iPad, iphone, laptop, desktop, work computer (which doesn’t allow the installation of 3rd party software), Linux dev box, etc. Maybe even Apple TV or XBox or other streaming devices. It’s just a hassle. And it ties you into someone else’s application/ecosystem just to access your own stuff.

But certainly for some people it’s a very good solution.

Not common, but my 85 year old mother probably has 25 logins. Many people would have more.

As an IT pro that regularly uses 5 or so devices, the sync is seamless and it is better than the alternative.

I haven’t seen this mentioned yet: what is wrong with keeping your passwords in a password-protected Excel file? Is this just so wrong it’s obvious?

I think a password protected Excel file is decent with a few caveats. The major one is the version of Excel and the version type of the file you save matter.

Old versions of Excel, using the file format in use from Excel 97 through Excel 2003, used RC4 encryption and a short hash. Since this is just a simple file on a computer, if a hacker obtains the file, they can run brute force on it pretty repeatably, and could brute force through this fairly quickly.

Excel 2007 and Excel 2010 improved this by switching to AES encryption and a longer hash, however there are VBA macros people can find online that can still brute force through this encryption.

Excel 2013 and newer adopted a SHA-512 hash and, at least as of this writing, I don’t believe any defects in implementation are known that allow for easy decryption. Obviously if your password is “password” you’re still in trouble, but assuming a password that meets reasonable standards, no one (that we know of) is going to be able to break into your password-protected Excel file. Note that, like all computer security, the way around strong encryption is usually attacking weaker parts of the system; think of strong encryption like a very expensive and complicated pick-proof lock for your front door. If your back door is an old sliding glass door that can easily be pried out of its frame and opened, the fancy front door lock isn’t providing that much security. But that being said, I think the Excel solution, with the caveat that you need to use Excel 2013 and the correct file type, is fine.

The negatives that security people will point out for a password-protected file are:

  • You could lose the file (you can mitigate this by storing it in the cloud)
  • It doesn’t have various features like identifying weak passwords, easily tracking password change history, integration with web browsers and mobile phones etc

The most important thing to my mind would be making sure you have a reliable backup for the file; hard drives fail, files become corrupted, etc. all the time.

I know others addressed this above but since you were replying to me …

The manager I use has provisions for handling a forgotten master password. But given that I type it several times a day, essentially each time I sit down at my browser, that PW is not going to be forgotten.

As to crashes …

It happens that my main Win10 PC / tablet suddenly died about a month ago. Went from fine to a brick instantly. Damn. I hate it when that happens. But not nearly as much as I used to hate it 10-15 years ago.

I sent it in and got a factory refurb in return. A clean, wiped, none-of-my-stuff-on-it refurb. Booted it up and used my Microsoft cloud sign-in, one of the two PWs I actually know. Because I also use that one multiple times every day as I unlock the PC.

About 30 minutes later the vast majority of my lifetime accumulation of documents, pix, and audio had appeared on the new device with exactly zero effort on my part. One of which was my encrypted password vault. The rest showed up over the next hour or so while I kept working.

Now I browsed to the website of my password manager, downloaded the Win10 app and browser extension, then once the installation finished, clicked the icon. Entered my username and the other password I have memorized through frequent use and voila! All my PWs were instantly available. Just as they had been all along on my backup Win10 mini-tablet and my Android phone. And could have been on my company-issue iPad if I so chose.

This is a solved problem.

Heck, because I use Office365, the majority of my custom settings for Word, Excel, & Outlook also self-downloaded. The only traditional and vexing thing I had to do was set up the local Outlook client to connect to all of my various personal, cloud, and corporate email and calendaring systems. All of the relevant connection details are also stored in the PW vault, so I just had to copy a few DNS addresses, ports, and PWs from the PW manager’s window to Outlook’s dialog box.

The 21st Century is really pretty grand sometimes.

As to why 300 PWs? Once it’s one-click easy to generate secure passwords even to Bob’s Plumbing TidBits and one-click easy to save them forever in the vault along with the username and login URL, it becomes easier to use different high-quality passwords everywhere rather than “Fido123$” everywhere except my bank(s).

Mine was dust dregs.

Good God, that was 26 years ago.

What web browser do you use? Most passwords you use will be used through your web browser, and most web browsers nowadays both include a built-in password manager and let you log in to the browser to sync across any number of devices.

Yes, as in the discussion of security by obscurity: if they have no idea of your “trick”, then they have a plethora of options to try, none of which are trivial. If somehow they know your trick, then the range of guesses they have to try diminishes significantly.

If for example I know that your password combines (only!) 4 or 5 random full words, that’s a lot simpler than if it could involve initial letters, numbers, “nerd” substitution for letters, etc. If I know too that the only capitals are at the first letters and the only numerals or punctuation are 3 or less at the end, that too limits the number of guesses.

How would they know? You tell someone? You mention it in an email or post? In The Cuckoo’s Egg Cliff Stoll mentions a German hacker got access to an early email system where the messages were plaintext - and simply scanned for “password”. (And so many, back around 1990, sent emails like “I’ll be away next week, can you watch my email? User is xxxxx and password is xxxxx”)

Let’s say a common vocabulary is 20,000 words - then all possible combinations would be 20,000^5 or 32,000,000,000,000,000. Know it’s a normal phrase, take an educated guess that it contains at least one of: The, it, is, a, an, I, or be - cut search down significantly to 1/5,000 the time…

I use a password manager (1Password, which I pay for). I currently have 168 passwords. Some of them I don’t use anymore, but it’s still a significant amount. I used to have 3-4 passwords I used, depending on how secure I needed the login to be, but I think I am much safer now that I have a unique login.

Most of my passwords look like
pqny4QWTUuh6D3inVb_DiyC8

For some, where it is likely that I have to type it in manually, I use randomly generated words like:
gavel-ROSY-sherbet-droplet

I add a standard couple of capitalized letters and numbers if it is required by the site.

My master password I made up myself; it is 5 words connected by some absurd story I made up in my head.

I trust this so much that I also have all of my credit cards, my driver’s licence and passport saved in 1Password.
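As an added example (not code from any poster or from 1Password), here is the search-space arithmetic behind the two posts above: the 20,000^5 vocabulary estimate and the “if they know your trick” reduction, plus generation of the two password shapes shown (random characters, and hyphenated random words). The word list, the 1e10 guesses/second rate and the alphabet are constructed assumptions for illustration.

```python
import math
import secrets
import string

# Constructed stand-in for a real diceware/EFF word list; the entropy
# figures below are computed from whatever list size you pass in.
WORDS = ["gavel", "rosy", "sherbet", "droplet", "anchor", "basket",
         "cobalt", "dune", "ember", "fable", "glint", "harbor"]

# Alphabet of the 24-character random passwords: letters, digits, underscore.
RANDOM_ALPHABET = string.ascii_letters + string.digits + "_"


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected offline cracking time: on average half the space is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def random_password(length: int = 24) -> str:
    """Uniform random string over RANDOM_ALPHABET, using the OS CSPRNG."""
    return "".join(secrets.choice(RANDOM_ALPHABET) for _ in range(length))


def random_passphrase(word_list, count: int = 4, sep: str = "-") -> str:
    """Diceware-style passphrase: `count` uniform picks from `word_list`."""
    return sep.join(secrets.choice(word_list) for _ in range(count))


def known_trick_reduction(passphrase: str, word_list_size: int, word_count: int) -> tuple:
    """Bits an attacker must search (a) treating the passphrase as opaque characters
    over letters+hyphen, versus (b) knowing it is `word_count` words from a list."""
    opaque_bits = entropy_bits(len(string.ascii_letters) + 1, len(passphrase))
    structured_bits = entropy_bits(word_list_size, word_count)
    return round(opaque_bits, 1), round(structured_bits, 1)


def compare_schemes(vocabulary: int = 20_000, guesses_per_second: float = 1e10) -> dict:
    """Bits and expected crack time for the schemes debated in the thread."""
    schemes = {
        "4 random words, 2048-word list (xkcd)": entropy_bits(2048, 4),
        "5 random words, 20,000-word vocabulary": entropy_bits(vocabulary, 5),
        "24 random chars, 63-char alphabet": entropy_bits(len(RANDOM_ALPHABET), 24),
    }
    return {name: (round(bits, 1), crack_time_seconds(bits, guesses_per_second))
            for name, bits in schemes.items()}
```

The “opaque vs structured” pair shows why the poster’s point matters: the same 26-character passphrase that looks like 100+ bits to an attacker guessing characters is only 44 bits once the attacker knows it is four words from a 2048-word list.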