But I think a useful taxonomy is “Attacks directed at you specifically by name because of who you are or what you have or what they already know about you”, versus “Attacks directed equally at every user of website X, of whom you happen to be one of thousands or millions.”
Here in 2022, unless someone is rich, prominent, or a high official in business or government, the former type of attack is by far the statistical outlier. And those are the attacks for which the defender giving up some obscurity directly helps the attacker. This is like them fishing with a spear while watching a particular fish: a fish named “you”.
The far more common attack technique is more like sea-floor trawling: drop a huge net and drag up everything it touches, be that fish, by-catch fish, rocks, or old ship parts. Then dig through the haul & keep whatever looks valuable.
In that mass-production form of thievery or espionage, no person or computer program is particularizing their attack against username Joe_Jones. He’s getting the same treatment as the other 100,000 or 100,000,000 users in the stolen database. Whether or not Joe ever posted online that he preferred 133+speek!$# passwords over 5-English-word passwords is immaterial.
One can make a good argument that there’s zero upside to sharing your PW technique, so why do it? Any impact at all is sure to be to the downside, microscopic though it might be. And that is a logically valid argument. But … for an ordinary schlub such as myself and presumably most Dopers, it’s IMO a practically useless argument; it’s making a distinction that fails to rise to a level of making a difference.
YMMV of course.
A separate issue is one’s work login credentials versus personal ones. I might be a totally ordinary schlub in the public / internet world, but at the same time be immersed in vicious office politics at work, with semi-psycho cow-orkers desperately trying to discredit me or get me fired. IOW, in a sufficiently small pond I may well be a big enough fish to be specifically targeted. That cow-orker is a threat of the first kind above and deserves one’s best efforts at both PW quality and at secrecy about one’s methodologies.
My issue is with the claim that any four random words are easy to remember. I do not find it that way, especially once you have to generate even a small number of passwords. I never can actually even remember the four words in the comic, which Munroe says you’d have memorized before you finish reading it.
Password managers are fine. Sure, it does put all your eggs in one basket, but then that just means that one basket needs to be quite secure. I use Chrome’s built in system, which is locked to you having to use Chrome and log in to my account, where I have two-factor enabled. Google knows security and doesn’t leave their files where they can be easily leaked or cracked.
Due to the whole “reset your password with email” system, your eggs are always in one basket anyways. Might as well make it a secure one.
I understood the claim as being that it is easier to create a decent mnemonic for 4–5 words than for an equivalent amount of ASCII garbage. Whether or not that is true is another question, but I would not dismiss it as preposterous.
I dismissed it (for myself, mind you) because I tried it and could not do it. It’s easy when you start with a meaningful passphrase, but much harder when you don’t. Based on my experience, I don’t find it necessarily preposterous, just dubious.
Then again, I’m really bad with mnemonics, always forgetting words in them. Heck, I’d actually forgotten there was a mnemonic in the comic until I just checked it (to make sure I hadn’t misremembered that last line).
My technique for high level passwords is that I used to have a habit of memorizing out of state license plates. So, I have a whole list of license plates in my head, and I’ll pick two of them.
Going along with the general principle that your tastes aren’t as quirky and unique as you think you are. Your favourite line is a lot of people’s favourite line.
For memorizable passwords, the simplest solution is to use an acronym (first letter of each word) of a moderately long phrase. That gives you a near-random string of letters* short enough to be accepted by most password prompts but information-dense enough to be secure. Add a few more rules to cover poorly designed sites that insist on mixed-case and digits (e.g. "Capitalize anything that was capitalized in the original phrase, tack on the number of letters in the final word").
*I did a Shannon entropy calculation of a string of first letters collected from a couple of books and got a value of 4.07 bits of entropy per letter (compared to log2(26) = 4.70 bits of entropy for truly random letters)
Edit: As noted above, don’t use a phrase from some common bit of pop culture, etc.
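As an added illustration of the acronym method and the per-letter entropy estimate in the post above (this is example code written for this page, not the poster's own script): it applies the stated rules (first letter of each word, original capitalization kept, letter count of the last word appended) to a phrase, and measures the empirical Shannon entropy of first letters over a short paragraph. The paragraph is constructed for the example, the function names are my own, and the 4.07-bit figure is only carried over for comparison; any measured value depends on the corpus and on sample size.

```python
import math
import string
from collections import Counter

# Constructed sample text for the example (not a quote from the thread or any book).
SAMPLE_TEXT = """
When the last train left the station, nobody on the platform noticed the
small bag under the bench. A guard found it an hour later, opened it, and
discovered nothing more sinister than a stack of unread newspapers and a
single wool glove. He shrugged, logged it, and went back to his tea.
"""

# Ceiling for a single letter if all 26 were equally likely (about 4.70 bits).
IDEAL_BITS_PER_LETTER = math.log2(26)

# Figure quoted in the post's footnote; used here only as a reference point.
POSTED_BITS_PER_LETTER = 4.07

# ASCII punctuation plus curly quotes, stripped from the ends of each token.
PUNCT = string.punctuation + "\u201c\u201d\u2018\u2019"


def words_of(text):
    """Split text on whitespace and strip surrounding punctuation from each token."""
    return [w for w in (t.strip(PUNCT) for t in text.split()) if w]


def first_letters(text):
    """Lower-cased string of the first letter of every alphabetic word."""
    return "".join(w[0].lower() for w in words_of(text) if w[0].isalpha())


def shannon_entropy_per_symbol(s):
    """Empirical order-0 Shannon entropy, H = -sum(p * log2 p), in bits per symbol.
    This ignores correlations between neighbouring symbols, so it is an estimate,
    not a guarantee of strength."""
    n = len(s)
    if n == 0:
        raise ValueError("empty sample")
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def bits_per_first_letter(text):
    """Entropy per first letter measured over the given text."""
    return shannon_entropy_per_symbol(first_letters(text))


def acronym_password(phrase):
    """Build the password the post describes: first letter of each word with the
    phrase's own capitalization kept, then the number of letters in the last word."""
    words = words_of(phrase)
    if not words:
        raise ValueError("phrase has no words")
    core = "".join(w[0] for w in words)
    return core + str(len(words[-1]))


def estimated_bits(phrase, bits_per_letter=POSTED_BITS_PER_LETTER):
    """Rough strength of the letter part only: letter count times bits per letter.
    The digit suffix is derived from the phrase, so it adds little and is not counted."""
    return len(first_letters(phrase)) * bits_per_letter


if __name__ == "__main__":
    h = bits_per_first_letter(SAMPLE_TEXT)
    print(f"measured: {h:.2f} bits/letter, ideal: {IDEAL_BITS_PER_LETTER:.2f}")
    phrase = "The quick brown fox jumps over the lazy dog"
    print(acronym_password(phrase), f"~{estimated_bits(phrase):.1f} bits")
```

The order-0 estimate is the same kind of measurement the footnote reports: it counts how unevenly first letters are distributed but says nothing about a phrase being guessable as a whole, which is why the edit about avoiding well-known pop-culture lines still applies.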
If it gets to the point that we have to digitize pictures of lava lamps along with leaves blowing in the wind, well, I’m gonna retire. I’m almost there anyway.
For those who didn’t get the reference, Cloudflare uses lava lamps to generate random numbers. “LavaRand” was originally proposed as a joke at Silicon Graphics in the 90s before they actually built it, and Cloudflare built their own when SG’s patent expired.
It might be overkill for generating your own passwords, but it’s an option.
Thanks TroutMan. I posted that ‘somewhere’ or saw it here. I actually mentioned it to my crew and said that I’ll never complain about strong pwd’s again.
Yeah, way overkill, but it’s ‘sexy’. I could digitize pictures of my dogs and get the same pwd strength.