Unmissable piece of comedy:
https://www.icloud.com/iclouddrive/0SIuzhx6ldThpftzyrRQDEuyQ#Passwords
–e.
2 Likes
No need for charity. DoD organizations consistently undermine security by their misguided policies of forcing password changes at the most, every six months. This does nothing but add to the burden of users seeking benefits info/support or health care support, if not actively p***ing people off to use deliberately weaker passwords. Glenn’s article is excellent and spot on, and I wish government IT folks would wise up.
2 Likes
I wish that it was a universal option, that merchant websites all have Guest Checkout. No need to create an account unless it benefits you(perks, discounts, member bonuses…). That would be less pwds to worry about and less breach concerns.
I agree, no need to change password unless breached and never use same one twice.
I should stress that there are a ton of sites that have limits on characters and length.
3 Likes
There have been many times where I was ready to purchase an item but they required I create an account with password. No thanks – I have too many already. Guest checkout is very useful.
3 Likes
Charitable to users.
I used to be more charitable about it…but best password practices are all over the internet from smart, knowledgeable people and they just get ignored. Corporate It departments who one would imagine are run by competent people are as wrong as often as non geek users…and that’s just deliberate stupidity on their part because they do…or at least should…know better.
This is all great advice. The NCSC has a good password guide aimed at businesses that specifically advises against practices like expiring passwords, limiting length, or imposing ‘complexity’ requirements. They also have a good infographic that can be passed on to unenlightened IT departments. 
2 Likes
The worst nuisance in the passwords area is when websites have a length limit, don’t bother telling you about it, and then silently truncate the password you create. Since you have no way of knowing that they’ve chopped off part of what you typed, you don’t know your own password. This has happened to me a few times over the years.
By the way, I don’t agree that everybody should use a passwords manager. There are alternative ways of saving passwords that are just as secure, if not more so, and I don’t like putting all my eggs in one basket. I’ve never used a passwords manager, but I assume that if your master password is lost or compromised, all your logins are now lost or compromised. (Please correct me if I’m wrong.)
There were a couple of legitimate reasons for changing a password, assuming that a hacker can steal the password hash. However, if your browser alerts you when your password hash has been posted on the web (including the dark web), you only need to change it when that happens (google-chrome does that reporting).
For a stolen hash:
-
If the password was composed of characters from only one or two of the possible sets of characters (lower-case, upper-case, numeric digits, and symbols), a hacker can run a brute-force effort using only one of those sets at a time, then progress to two at a time. That takes far less time than a brute-force crack using characters from all four sets. “correcthorsebatterystaple” (an example above) uses only one set (lower-case), probably the first set a hacker would try.
-
For any hash, changing the password means all of the time the hacker spent on trying to match the old password hash is wasted. If you use all character sets in a password, and the password is long enough, that may take a hacker years, and if you change the password once year, you’ll always stay a step ahead.
If you expect havibeenpwned to alert you to your password being hacked before it is used, then you’re going to be sorely disappointed. I can speak of this from personal experience. Meanwhile, not all companies REALIZE that they’ve been breached for a long time in order to even report it, and many are not even doing their due diligence in reporting it at all. Then you have to consider that stolen passwords are not always, despite one commenter’s opinion, used immediately. They are often packaged and sold as password and credential lists on DW and BH forums, sometimes for years, and then used for credential stuffing.
If you’re going to advocate using a password manager, then there is absolutely no reason to suggest that you should avoid taking the three seconds it takes to generate a new password every-so-often. If you’re using easily-remembered passphrases… Where? Because pretty much 90% of the internet requires users to limit themselves to ridiculously small limits, and dumb requirements of including symbols.
1 Like
Although Troy Hunt (owner of havibeenpwned) makes ever effort to contact sites that he has determined to have been compromised, he does not always rely on the company to admit to having been breached before updating his site to include such compromises. Rather, he hangs out on the dark web for information on breaches being posted for sale and reports form others, then accomplishes do-diligence to determine whether possible hoax of not. The FAQ on his site gives a lot more information concerning his methods and data.
I use 1Password. I have a rescue kit printed out and locked in a safe. It will let me or my wife or son get to the info if needed. Just getting my master password won’t give access unless you also have access to one of my devices. Setting up a new device requires the use of a secret key. As is appropriate my master password is unique, memorable, and not used anywhere else.
I have over 400 passwords stored. I challenge anybody to come up with a system to remember that many passwords that isn’t crackable given that one password of your “system” is compromised.
3 Likes
Wow—tons of comments about Glenn’s article in Hacker News.
1 Like
I heard an interview once with someone who claimed to have invented the uppercase, lowercase, number and symbol formula and regretted it because there are only 10 numerals vs. 26 letters, and a similar limit applies to the easily typed symbols. Adding a random alphabetical letter to a password makes it harder to crack than adding a number.
He recommended long phrases of ordinary words instead. Length by itself he said was the surest deterrent.
1 Like
@paulbrians, he’s certainly correct about a longer password being much better (the difficulty increases exponentiallyl with the length), but it’s far better to use all sets than to increase by one character.
Here’s a little gedankenexperiment:
You’re a hacker, and you have the collection of hash values for the users in a system. The cover the gamut of password choices, from lower-case-only words to randomized sequences of lower-case (LC), upper-case (UC), numeric (N), and symbols (S). Your goal is to crack as many passwords as possible, as quickly as possible. You don’t know which passwords use only a single set (eg, lower-case).
You start by a LC-only brute-force attack. After each hash calculation, you check to see if any of the hashes have that value. If they do, you have the password. Each one-character increase in password length increases the brute-force time by 26x, so a 10-character LC-only password costs 26^10 = 1.56e+12
You end by a LC/UC/N/S brute-force attack. If we limit S to the set of 94 printable ascii symbols (0x21-0x7e), each one-char increase in password length increases the brute-force time by (26 + 26 + 10 + 94)x = 156x, so a 10-character password using LC/UC/N/S costs 156^10 = 8.54e+21 tries. A system that could crack a 10-char LC-only password in 1 minute would take about 10 millenia to crack an LC/UC/N/S password of the same length.
So if a user has added that single LC character vs adding a single N character, it’s only true that it takes a lot longer to crack if the hacker knows which set that character belongs to. But you (as the hacker) don’t care, since you’re working on cracking all of the hashes simultaneously. The first successful password cracks you’ll get will be LC-only.
I tried Elcomsoft’s “password retrieval” product many years ago (when it was Russian-based), and it was pretty snappy at LC-only cracking. Now it’s available as a GPU-based product, so probably a lot quicker. Their patents (eg US Patent for Use of graphics processors as parallel math co-processors for password recovery Patent (Patent # 7,929,707 issued April 19, 2011) - Justia Patents Search) describe a method in which the CPU provides subsets of the total range of password possibilities to each of the GPUs, after which each GPU generates the hashes and checks them against the complete list of hashes … this is pretty much what I described above, but is a parallel-processing implementation (akin to bitcoin mining on GPUs)
1 Like
I hesitate to use a password manager for several reasons. If I change my password on a website on my iMac, I assume the manager won’t also automatically remember the change on my iPad and my iPhone. Or do some manage to manage multiple devices?
Say I’m traveling and am forced to change my password using my iPhone—if it’s an automatically generated obscure string of characters there’s a good chance of losing all trace if it by the time I get home.
Or—suddenly my insurance company login stopped working so I thought I’d better check “I forgot my password” and set up a new login. But it turned out the problem wasn’t the password at all. Something they did to their pages made it stop working with Chrome. It does work with Safari. But Chrome’s memorized password was now different on the two browsers. There’s no way to retrieve the new password from Chrome and use it in Safari.
I like the option when I’m creating a new password of seeing what it is, but some hide it as I type and if I make a typo I won’t know it.
Password file is encrypted locally and stored on a mutually accessible cloud server.
Modern password managers use end-to-end encryption to synchronize your changes among devices. Chrome and Google don’t offer a “modern” password manager. Apple’s Passwords featured synchronized by iCloud Keychain, 1Password (either via Dropbox local sync or using its zero-knowledge website-based sync), and LastPass are all end-to-end encrypted.