xkcd #936, Aug. 10, 2011

Dammit, I knew I should have taken the blue pill.

It depends. If troubador is a word that has particular meaning for you, then it’s easy to remember troubador.

Me, I generally make a compound word from words or parts of words that have meaning for me, then 1337 speak a few of the letters. For instance, my wife used to work on a play “Six Dance Lessons in Six Weeks”; I might have made s1xl3sso my password.

I’m stuck because I have a number of work systems that can only take 8 characters; I’m definitely not going to have a half dozen different passwords based on the varying characteristics of each system.

The plus is, it should be easy to remember the base item I’m building my password from, and I can brute force my way through how I would have crafted a PW from it.

True, but remembering the details of TrØub4dor may take the easy out of it.

Writing down a password isn’t wholly evil, IF you keep your Internet passwords on your computer. You have tens of thousands of files on your computer; nobody is going to look in “cakes.txt”, especially if you’re smart and don’t head all of the passwords with “bank password”, to prevent desktop search from finding it for someone who doesn’t know one of your passwords already.

Admittedly, this method makes it a mild PITA to log in from other computers; you could carry it around on a USB key, I guess.

You guys who are saying this are forgetting a critical assumption: namely, that the computer trying to guess the password does not KNOW the string of characters represents a collection of words. Without that bit of knowledge, it would not be able to exploit (to make up a term) word theory.

Besides, even if it IS assumed that the password string is made up of words, how is the computer to know how long each word is and therefore where to break the string into chunks?

It doesn’t know the parameters at which the user created the password (though if it’s worth anything it knows the allowed character set and min/max characters), but a dictionary attack is still viable (if more complex). If you know the minimum/maximum number of characters, you can rule out some combinations (i.e. 8 char min rules out andthe). From there, you take all VIABLE combinations and stick them together in various ways. I_LIKE_HORSES, i like horses, i_LiKe_hOrSeS, etc., even taking into account substitutions/typical misspellings (i_l1k3_h0r535, I leik horses) depending on the allowed character set. You don’t NEED to know the words if you treat words as the atomic structure you’re working around. Of course, this is still a simplistic, brute forcey way of doing a dictionary attack; I’m sure more sophisticated attackers can utilize things like the probability that two words will appear near each other, either in actual sentences or common abbreviations.

Sentences make it more complicated, for sure, but it just moves the problem from having characters as the building blocks that need to meet the constraints to words (and significant numbers/suffixes/abbreviations) as your atomic structure.

Edit: And depending on your memory and interests, there are plenty of good ways to generate seemingly random passwords. Memorized The Raven or The Gettysburg Address? Take the first letter from the first word, the second letter from the second word, etc. You can even use really complicated things like using the date on a letter to generate a password from its text, depending on availability and your memory.

I think the point is, the computer will try obvious simple algorithms before complicated ones. For example, the computer can’t know that some people are dumb and just use “password” or “123456” for their password. But the person writing the algorithm WILL have that knowledge, and have the computer try those sort of passwords first, before random character attacks.

WHAT???

That’s.. like… the definition of a word.

For example, the word “word” ALWAYS ends after four letters.

I’m not sure what you are getting at.

Or was that a woosh?

It’s just like with numbers. It keeps trying different combinations until one works, piecing the words together. A basic attack without any extra parameters would run through the dictionary a word at a time (0 through 9), then take the first word and append every word in the dictionary to it (10 through 19), then once it went through those combinations (20-29, 30-39, etc.) it starts over again, using three words (100) and so on and so forth. ‘correcthorsebatterystaple’ is the equivalent of 2517, only you’re working with a set of elements as large as a dictionary rather than just ten elements.

Mathematically, it’s true that expanding the password space makes even the easiest passwords harder to crack (e.g., allowing capital letters means that cracking software must check for capital letters even if you don’t use them). Realistically, that’s not always true.

Most of the password cracking programs I’ve seen have lists of common passwords that they always try first – before going into any kind of algorithm. If your password is the same as your account name, it doesn’t matter whether there are 10^400 different possible passwords; you’re cracked.

This is where mathematical theories of randomness break down, too. A purely brute-force algorithmic password cracker will find “123456789” and “y$.wI3v?&” equally hard to crack. A well-designed cracking system will break “123456789” much, much faster than the second, because it’s much more likely for people to use.

There are, indeed, security systems that use delays. After a wrong password, it will wait 2 seconds before letting you try again. Wrong a second time? 4 seconds. A third time? 8 seconds. That’ll prevent brute-force cracking, right?

Unfortunately, wrong.

Even the inherent delays in response time from a web server are enough to prevent brute-force password cracking except with people who choose obvious passwords (see above). Crackers (or “hackers” if we accept that the bad guys have co-opted the word) traditionally look for ways to get into the computer through scripts, security holes in browsers, other accounts with limited access, and so forth. Then they grab the password file and go to work on it offline, where the speed of repeated attempts is limited only by their processing power.
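The word-by-word enumeration described earlier in the thread (one word, then two, with ‘correcthorsebatterystaple’ read as the number 2517) and the point that real crackers try the account name and a common-password list before any enumeration, as an added Python example that is not from the thread. The ten-word dictionary and the common-password list are constructed so the analogy works out exactly; a real dictionary and list are far larger.

```python
import math

# Added example, not from the thread. Constructed 10-word dictionary whose
# indices make the post's analogy hold: correct=2, horse=5, battery=1,
# staple=7, so "correct horse battery staple" is the number 2517.
WORDS = ["and", "battery", "correct", "the", "zebra",
         "horse", "like", "staple", "monkey", "river"]
# Constructed stand-in for the common-password list a cracker tries first.
COMMON = ["password", "123456", "123456789", "qwerty", "letmein"]

def passphrase_to_number(words, dictionary=WORDS):
    """Rank a word sequence as a base-N digit string, first word most significant."""
    n = 0
    for w in words:
        n = n * len(dictionary) + dictionary.index(w)
    return n

def guesses_to_exhaust(dictionary_size, max_words):
    """Candidates needed to try every passphrase of 1..max_words words."""
    return sum(dictionary_size ** k for k in range(1, max_words + 1))

def entropy_bits(dictionary_size, words):
    """Entropy of `words` uniformly random dictionary words (2048 words x 4 = 44 bits)."""
    return words * math.log2(dictionary_size)

def split_words(password, dictionary=WORDS):
    """Greedy longest-match split into dictionary words; None if a part is not a word."""
    words, rest = [], password.lower()
    while rest:
        match = next((w for w in sorted(dictionary, key=len, reverse=True)
                      if rest.startswith(w)), None)
        if match is None:
            return None
        words.append(match)
        rest = rest[len(match):]
    return words

def guess_position(password, account_name, dictionary=WORDS, common=COMMON):
    """Position at which a cracker that tries the account name, then the common
    list, then word enumeration first hits `password`; None if unreachable.
    Lower means weaker, however large the theoretical password space is."""
    ordered = [account_name.lower()] + common
    if password.lower() in ordered:
        return ordered.index(password.lower())
    words = split_words(password, dictionary)
    if words is None:
        return None
    shorter = guesses_to_exhaust(len(dictionary), len(words) - 1)
    return len(ordered) + shorter + passphrase_to_number(words, dictionary)
```

With this ordering “123456789” is found at position 3 no matter how big the space is, while a four-word passphrase from a 2048-word list sits behind roughly 2^44 candidates.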

I use password123 for everything and have never had a problem.

One thing to remember is that, in many cases, someone only has to guess one password to be able to log in to many of your accounts, namely your e-mail password. If they know your e-mail password, they can go to various sites and go through the “I forgot my password” route to have a password reset link sent to the registered e-mail address, and then they can log in to your account. Make sure that you have a very secure password for the e-mail address you use to register with a site.

xkcd may be right in saying that a long password with dictionary words is better than a short password with special characters. But it’s also true that a long password with randomly generated characters is harder to crack than both of the options mentioned in the xkcd comic. The disadvantage, of course, is that no one will remember the long password with randomly generated characters.

That’s why nowadays a password program is essential. Something like Keepass. In my case, I use a password program that synchronizes between my portable computer (iPod touch) and my desktop at home, so I can retrieve my passwords even when I am not at home. The problem is that the password program has one master password to protect its encrypted file listing all my passwords, so that master password has to be super-secure. :frowning: For the master password, I would use the long phrase method (i.e. SuperProtectionDeMesMotsDePasse) and replace some letters with special characters, but not using LEET speak, i.e. replace “e” with “!” and “s” with “%”, and separate each word with a non-alpha character to end up with something like this “Sup!r]Prot!ction]D!]M!%]Mot%]D!]Pa%%!”.

In conclusion, I always tell people that any password method can be broken with the simplest of tools: a stick. Find the person that knows the password, and beat them with a stick until they tell you what the password is.

This is amazingly still true. I have earthlink as my ISP and the earthlink password is limited to 8 characters.

What is even more annoying is that (as I have posted many times at the SDMB), when you are asked to enter a new password, you are NEVER given all three pieces of the information that you need:

  1. shortest allowed length
  2. longest allowed length
  3. list of characters that you can use in your password

Some places will give you one of these pieces of information, some places will give you two, but I have never seen a system that tells you all three. :mad:

Here’s the information given on the page when setting a password for Chase’s online banking:

Sure, it doesn’t allow special characters but combine allowing long passwords, a lockout after three consecutive failures, and an extra validation (a one-time PIN sent via email, text, or phone) on first-time log-in from any device and if one doesn’t come up with a reasonably secure password they aren’t putting in any effort.

I would guess that the most common way passwords are compromised (other than social engineering) is the person uses the same password at a less secure site as they do for their online banking.

xkcd did a comic about that, too.

What is the definition of special characters? Is a period a special character? Is an @ a special character? (anyone using a computer might consider the @ to be a “standard” character because of its common use in e-mail addresses.) Can I have a space in my password? Can I have letters like “é” or “ñ”, common in Western European languages, and present even in very old PC character encodings? Or are you limited to “abcdefghijklmnopqrstuvwzxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789” ?
I admit that the Chase site is better than most, but they need to define “special characters” better.

I’m not saying that Chase’s system is insecure (though the lockout after failures doesn’t help when people steal the password file and try to crack it on another machine, as mentioned by Gary “Wombat” Robson), but I’ve never seen systems in the USA as secure as what Swiss banks use.

Noodles, you missed one criterion. I’ve seen a site that specified that the password should be at least 8 characters, and contain at least one each lower-case letter, upper-case letter, number, and special symbol… But then the system would only actually accept a 6-digit number. Nothing longer, no letters, no nothing.

What do Swiss banks use?

And, if you steal Chase’s password file for brute force attack (though, if that happens, the security of my individual password probably isn’t the highest concern) it doesn’t necessarily help unless you, the hacker, also have access to either my computer or my phone or email address because user ID/password is not enough to log in on an unrecognized machine (or even a different browser on the same machine).

Which is certainly in the realm of the possible but is now out of the realm where a stronger password is going to be of much help.

Yes, an essential criterion. The guidelines you list for password acceptance must be accurate.

I remember a few years ago trying to use Amazon France (amazon.fr). They have the same username/password for amazon.fr as amazon.com - in theory! In practice the password I had set up for amazon.com was too long for amazon.fr, even though amazon.fr listed the same rules for acceptable passwords; so amazon.fr kept on telling me “invalid username/password”. It took me several days to figure this out. After e-mailing people at amazon.com and amazon.fr I eventually made my password on amazon.com shorter and was able to log in to amazon.fr.

It depends on the bank. I have an account at a small regional bank. At their site you enter your username and password, and then they show you two sets of four characters (e.g. AB07 and F5B2). With those two sets I look in a grid that the bank gave me (on paper), and at the intersection of the row and column corresponding to those two sets of four characters, I find a third entry that I have to type in as a response (e.g. at the intersection of row AB07 and column F5B2 I find entry D96B). I compared with someone else who has an account at the same bank and their “crib sheet” is different than mine. They also change the “crib sheets” periodically and send a new one.

My brother has an account with a larger bank. When you enter your username/password, the system shows you a random number. He has a calculator-type device that the bank gave him. He enters the number, and the device thinks for a second and displays a second number. He has to enter the second number at the bank’s site to be able to log in, and that second number is only valid for a short period of time (less than a couple of minutes IIRC).

Another example of why the Swiss banks are more secure:
When I was in Switzerland this summer and trying to log in to my credit union account, they saw that this was a login from outside the USA and asked me to answer two out of several identification questions I entered (like “what was the name of the street you grew up on”). I screwed those up and after four or five attempts I gave up. I called the credit union (from Switzerland) and after I gave them the last 4 digits of my SSN they reset all the identification questions so that I could log in.

Also this summer, while I was in Switzerland, I tried to log in to my Swiss bank account and then realized that I had forgotten my “crib sheet” in the USA. I called the bank and asked them to send me a crib sheet. They said I had to go into the bank with proof of ID to request a new “crib sheet”, and then they couldn’t give me the crib sheet in person, but had to mail it to the address listed in their records for the bank account.
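The two second factors this post describes, the paper grid card looked up by a row/column challenge and the calculator-style device that answers a bank-supplied number within a short validity window, modelled server-side as an added Python example that is not from the thread or any bank. The row/column labels, the device secret and the HMAC-based device algorithm are assumptions; the thread does not say how the real device computes its answer.

```python
import hashlib
import hmac
import secrets

# Added example, not from the thread. Models the two second factors described
# above: a paper grid card looked up by a row/column challenge, and a
# calculator-style device that turns a bank-supplied number into a short-lived
# response. Row/column labels and the device secret are constructed.
ROWS = ["AB07", "C3F1", "9Z2Q", "K8L4"]
COLS = ["F5B2", "11AA", "X0Y9", "M6N3"]

def make_card():
    """Issue a customer-specific card: every cell holds a random 4-hex-char entry."""
    return {(r, c): secrets.token_hex(2).upper() for r in ROWS for c in COLS}

def issue_grid_challenge():
    """Pick the two four-character sets the customer must look up on the card."""
    return secrets.choice(ROWS), secrets.choice(COLS)

def verify_grid_response(card, challenge, response):
    """Constant-time check of the customer's answer against the card cell."""
    expected = card[challenge].encode()
    return hmac.compare_digest(expected, response.strip().upper().encode())

def token_response(device_secret, challenge):
    """What the calculator device computes: HMAC of the displayed number,
    truncated to six digits. Assumed construction; the bank's actual
    algorithm is not described in the thread."""
    mac = hmac.new(device_secret, challenge.encode(), hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)

def verify_token_response(device_secret, challenge, issued_at, response, now, ttl=120):
    """Server side: reject responses to a challenge older than ttl seconds
    (the 'couple of minutes' in the post), then compare in constant time.
    A real server would also mark each challenge as used."""
    if now - issued_at > ttl:
        return False
    expected = token_response(device_secret, challenge)
    return hmac.compare_digest(expected.encode(), response.encode())
```

Both checks depend on something the customer physically holds, which is why a stolen password file alone does not get an attacker past the login in either scheme.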

This is another example of why e-mail address passwords are so important. To break into your Chase account, all I really need is your e-mail password to reset the password. Then when I log in from a new device, the challenge/PIN can be answered via e-mail.

And World of Warcraft encourages, to the point of nearly requiring, a similar device, though it’s not a calculator but simply a device that spits out a number you enter on login.

I find it kind of sad that a game account should be more secure than my bank account.