Except according to the article (which I just read) Sony had these passwords stored as plain text, which is, frankly, fucking unbelievable. And in that case you make a good point.

In the case of almost every other website in the world, including the website your local primary school set up to advertise their annual fete, passwords stored in the database would be encrypted.

Sony should switch to WordPress, for Christ’s sake.

Going by a hypothetical scenario where someone managed to get an online service’s database, but that online service managed to at least hash the passwords, and assuming the cracker has the capability to make one hundred billion password guesses per second (which isn’t unreasonable since someone built a homebrew rig that could make 33.1 billion password guesses per second) the 10 char alphanumeric password would take 24.47 minutes to guess. Replacing one character with a digit and another with a symbol changes that to taking 9.47 months to guess that single password. Pad that to 15 and it’ll take 8.52 hundred million centuries.

Steve Gibson came up with a really good way to make secure and easily memorable passwords which I’d recommend using: https://www.grc.com/%5Chaystack.htm

Course you wouldn’t want to reuse the same pattern on random websites since if one was cracked and had plaintext they could look at your padding pattern. So I’d recommend using it in combination with something like LastPass or KeePass.

The only sites worth having real security on are ones that matter. My banking password and my Amazon account have strong passwords. My Google account, which could potentially give you ALL of my passwords has 2-step encryption so that you would not only need to know my password, but also have my phone. At that point, it means you have a gun to my head and I’m probably not going to fret if you break into my bank account.

Frankly, the password obsession is a bit much to begin with. The difference between a 6 letters all lower case (300 million combinations) password that can’t fall to a dictionary attack and one that is 32 random characters is pretty minimal and not worth thinking about except in truly high security situations. It is better to have something you can remember and don’t have to write on post-it notes that can be “hacked” by someone looking at the post-it note. The only reason to enforce any sort of password standard is to prevent people from doing “boobs” as a password.

Far more important is to have some sort of 2-step authentication on things that are worth locking down. It isn’t a perfect defense. Someone can always take a security token and put a gun to your head, but for most people, a cell phone and a password is security enough. I give big props to Google for doing a really good job on their 2-step encryption for gmail.

Far more important is to have some sort of 2-step authentication on things that are worth locking down.

Ah, two-factor authentication. Something you know, and something you stole while working for RSA.

ouch.

Email and banking on the other hand…

It’s a good mnemonic, and easy to use.

If you’re choosing a password for an admin account or a role account on a server, or something that’s likely to see a lot of exposure, making it a target, it really doesn’t make much of a difference. For end-user stuff, as long as you pick something relatively arbitrary that has no personal connection, it won’t get guessed, even by a script.

As someone who’s been a sysadmin at various times, I can say that it’s far safer to encourage people to choose simple, hard to guess passwords and encourage them to change them frequently than it is to enforce draconian password policy. If you force them to use difficult passwords, they’ll just get frustrated and write them down, share them with others, etc.

It boils down to this simple fact: hackers probably don’t want your data. Your computer is more useful as a node in a botnet than as a source of data. If they do want it, it’s far less work for them to trick you into giving it to them than trying to extract it via technical means. Having safe passwords is less about syntactic complexity than it is about good stewardship.

I’m not surprised at all that most people reuse their passwords.

The surprising twist here is that the Gawker data was released 5 months ago. That means that 2/3 of the Gawker victims kept using the same password for multiple accounts even after they knew this password had been published on the web with their email addresses for months!.

Does Boing Boing store our passwords as plain text? If so, I’m going to change mine to something rude and humorous.

A few months ago I switched from having 2-3 strong passwords for my 6-7 Important Accounts (banks, etc) to having 1 strong password with small variations on it for each account.

So I now have an 10-character strong “base” password (mixed-case alphanumeric) with 3 extra unique characters bracketing it for each of the 6-7 important websites.

How secure is this strategy?

klqwf43hfpo3uh4p;o4h4oif;3nfkjwen’f3xr80[8u09

But the idea was that each site had a cryptographically very secure password (14 alphanumeric mixed-case characters), and each site had a different password, all while being extremely easy to commit to memory.

So it would take a long time for someone to crack one of them, and even if one of the sites has a horrendous breach of security and was storying plain-text passwords (mine couldn’t be rainbow-tabled), the hackers would need to be looking at all hundreds of thousands of passwords by hand, see mine and guess there was a system to it, rather than doing any of the kind of automated processing in the article above.

At least that was the idea.

For most people, keeping difficult passwords – right or wrong – just doesn’t seem worth the effort.

In that case, the difficulty of cracking your password grows exponentially with length. There are 26 lower and 26 upper case letters, and 10 digits. The number of possible length-n alphanumeric passwords is then 62^n. That is 1.2^n times more than letter-only, and 2.4^n times more than lower-case only
A truly random bit string, using all possible ASCII characters including some you can’t normally type, would give a password space of size 256^n. For a nine character password, this would be a billion time more difficult to guess than lowercase-only.

My premises are, of course, unreasonable. Hacking a server is much easier than guessing individual passwords. Taking advantage of password re-use is quite effective as well, I’d expect.

She didn’t find it nearly as funny.