Choosing strong passwords: promise and peril

The Agile Bits blog discusses good methods for choosing a human-memorable "master password" that is used to lock up a file of non-memorable, strong passwords:
Avoid secrets or things that are personally meaningful
The more personally meaningful something is to you, the fewer alternatives there are. There are more things that don't have personal meaning to you than do.

In particular avoid personal secrets. Twice in my life when I've been asked to find weak passwords where I worked, I had the embarrassing task of telling my friends and colleagues to change passwords that also revealed their secret crushes. Also there may be a time when you actually do need to reveal your master password to a loved one. When I spot passwords like IloveUVicky along with the owner's email address among 26,000 email addresses and passwords exposed from a pornography site, I certainly hope that this won't cause too much trouble for the owner.

Toward Better Master Passwords (via JWZ)

(Image: Change your password or the dog gets it, a Creative Commons Attribution Share-Alike (2.0) image from dnisbet's photostream)


  1. As a dev myself, I find it a little disturbing that you aren’t storing encrypted passwords and can see them in plain text. Neither you nor anyone else should be able to view the passwords. As far as checking for weak passwords, you should be using a regular expression or some sort of algorithm to detect the weak password and just send a note to the user to change it.

    1. Granted, when he refers to a porn site, I’m sure it’s a simple plaintext file with username/password pairs. I’ve seen it before, mostly on homebrew websites. It usually relies on “hiding” it making the file readable only to the server side process, which is just as idiotic as having a plaintext file to begin with.

      In most they are stored using some sort of hashing algorithm. Part of the login function takes the user’s plaintext input, hashes it, and compares the hashes. Hashing, not encrypting, is the way to go. Hashes are one-way functions: the same plaintext will produce the same hash, but you can’t reverse it to get the plaintext like you can with encryption.

      Now as part of auditing password strength I take that hash table and use a tool like John the Ripper and load a dictionary file (not just “dictionary” words, but variants with symbol and numeric substitutions for vowels, etc.). Weak passwords will be revealed when JtR creates a matching hash.

      There are also rainbow tables and good old bruting. Rainbow tables can be especially helpful when the hashing algorithm utilized a salt. There are more than a few sites that will generate tables for you for a modest fee.

      The more characters you use, and more entropy used in generating the password the less likely a hash collision, dictionary or table attack will work. I use 1Password to generate all my passwords for all my sensitive sites and I max out the number of characters the site will use (typically between 16-32 characters). I then only have to memorize one complex password I use to unlock 1Password.

      Now, it doesn’t have to be 1Password, Keypass or others work as well, but I recommend everyone use password managers. You can keep complex passwords, unique for every login, but only have to memorize one master password (which should still be somewhat complex).
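The hashing-versus-plaintext point made in the comment above, as an added example that is not part of the original thread or of any product named here: each password gets its own random salt and a deliberately slow derivation (PBKDF2-HMAC-SHA256 from the Python standard library), so two users with the same password store different records and a precomputed table of common-password hashes cannot be matched against the stored values. The iteration count and sample credentials are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Constructed value for this example;
# a deployment should tune it to its own hardware or use a dedicated
# password hash such as scrypt, bcrypt or argon2.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'.

    A fresh random salt is drawn per call, so the same password produces a
    different record every time it is stored.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest from the stored salt and parameters and compare.

    hmac.compare_digest keeps the comparison time independent of where the
    first mismatching byte sits. Malformed records simply fail.
    """
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256" or rounds <= 0:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password: str) -> str:
    """The weak scheme the thread contrasts with: one fast hash, no salt.

    Every user with the same password gets the same digest, so one lookup
    table of common-password hashes exposes all of them at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample credentials; two users who chose the same password.
    users = {"alice": "IloveUVicky", "bob": "IloveUVicky"}
    salted = {u: hash_password(p) for u, p in users.items()}
    plain = {u: unsalted_sha256(p) for u, p in users.items()}
    print("unsalted digests identical:", plain["alice"] == plain["bob"])
    print("salted records identical:  ", salted["alice"] == salted["bob"])
    print("correct password verifies: ", verify_password("IloveUVicky", salted["alice"]))
    print("wrong password verifies:   ", verify_password("IloveUVicki", salted["alice"]))
```

Storing the iteration count inside the record is what lets a site raise the work factor later: old records still verify with their own parameters and can be re-hashed the next time the user logs in.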

    2. Having been a dev many years, I can tell you that frequently there is a core business requirement (i.e. something that cannot be overruled by dev) for plain text, or easily decryptable passwords.

      sucks, but that’s business

      1. …frequently there is a core business requirement…for plain text, or easily decryptable passwords.

        Not to jump on you here, but:

        Is that ethical?

        User authentication should be a pass/fail prospect for an application. Gleaming secrets (or anything at all) from this authentication process should be off limits.

        With biometrics and other data collection/analysis in mind, where is the line drawn.

        Just out of curiosity, what would be an example of a valid core business requirement?

  2. Wow. This line from the article is equally concerning: “When I spot passwords like…”

    Why in the world is their system saving passwords in plain text, or in a way that can be extracted? Should be hashed/one way encryption at the very least!

  3. Personally, I worry more about how absurdly often banks, etc. send me letters saying something akin to, “sorry to tell you this, but someone stole the hard drive with all your personal information.”

    It happens about once a year.

  4. Doesn’t really matter how strong your password is, when Anonymous, LulzSec and assorted other unknown agents simply waltz in and steal the database.
    Now you need strong passwords AND you need to change them, oh, weekly? More often?

  5. Some of the suggestions seem sort of crappy for ways to come up with a great password. Why use words at all for example? I know I use the first and last letters of each word of a phrase I know and a few meaningful numbers. Easy to remember for me, painfully obscure for anyone else.

    1. I agree. Song lyrics are great along with a few numbers. Bluegrass song lyrics are REALLY strong.

  6. One way encryption doesn’t matter if you have the key and the method of encryption. Because then it’s just a matter of brute force and since most people are pretty crappy about the passwords they choose – well, they’ll be cracked in minutes.

    You will find with any online community about a third will have a really shitty password – like the same as their username. And, about half have passwords that are guessable or brute-forceable easily.

    I tend to favor the truly random from pwgen but my favorites are derived from a line from a song like: “That filthy five! They did nothing to challenge or resist.” which would maybe become “Tf5TdN2coR”. Nice password. Too bad I can never use it now.

    The time when we have one or three passwords that we re-use is over. Everything should be random and different – never reused – and even the most random will be found out eventually. Today’s encryption will be cracked trivially within 5 years. If this isn’t a rule yet… name it after me.

  7. To be fair, I think the “IloveUVicky” guy was just a big fan of teen idol and Mystery Science Theater 3000 subject Arch Hall Jr.

    And also to be fair, I think that the porn site in question was hacked and the results were leaked to the internet, which is why they were in plain text.

    The time when we have one or three passwords that we re-use is over. Everything should be random and different – never reused – and even the most random will be found out eventually. Today’s encryption will be cracked trivially within 5 years. If this isn’t a rule yet… name it after me.

    The big problem is that people aren’t actually going to do this. First, they don’t know they should, and second, from what I can tell to even sort of do this my mother would have to learn and install at least two different programs on her computer. This is a woman who is seriously intimidated by a bluray player. She’s just going to bluntly refuse if you tell her that her password process needs to be that complicated.

  8. What good does having a very strong password do me when a site either is willing to send me a new password at the drop of a hat, or requires me to include “Your Hometown” or “First Pet?”

    I either have to remember two more passwords to be really secure, or I have to enter gibberish for these fields and hope I never need to recover my password.

  9. My master password is something Sammy Hagar said to me at his bar in Cabo San Lucas one evening. Good luck guessing that one.

    1. “Christ what an asshole”?

      “I can’t drive. I’m 63.”

      “Yes, I know I made shitty music my whole life, but now I’m sitting on a bunch of money. So there.”

      “You wanna learn how squids fuck?”

  10. I agree that hackers actively looking to steal passwords will be hard to stop, but why make it super easy for a disgruntled employee? At a minimum encrypt the password.

  11. Just make a memorable short password using all the types of characters and add a bunch of memorable punctuation. For example, “123Urchin< (--1--)>< (--2--)>< (--3--)>” as a password won’t be in any dictionary and will take a really long time to brute force, but any kind of padding will work. An attacker only knows if a guess is right or wrong and a brute-force attack will move from simple passwords to longer passwords with more kinds of characters. Length, a bit of entropy and making sure the password isn’t in a dictionary results in a pretty secure and memorable password.

    1. I hate to tell you this but 123Urchin would most definitely be cracked. So would Urchin123. Both will fall to a good password cracker with a decent password dictionary. The program can iterate through prepended and appended numbers to words (which is a more common “strategy” than you’d think). Usually you’d have it check by iterating through all 3 and 4-digit combos applied before and/or after the dictionary. With modern processors, GPU offloading, etc… it really doesn’t add a lot to the cost of cracking.

      Now, Urch123in would pose more of a problem (still too short), but that’s where brute forcing comes into play. However, the cost is much much greater to brute. So it boils down to resources and how valuable the information the password is protecting is. If it’s something like banking or other financial data you really want a password with higher entropy. Something like ‘vA2ZJuidij563v2FJjeVcE’ would be very good (it was generated by 1Password and rated as “Fantastic” for password strength).

  12. All passwords are unreliably weak and insecure regardless of their complexity.

    They leech 100% of the information required to hack the account every time they are typed. In order to make complex passwords memorable, people tend to write them down someplace. Furthermore, people tend to say their passwords out loud, sometimes on the phone to strangers. It happens. Worse, your password can be visually recorded as you type it, it can be recorded by a keylogger resident on or near your keyboard and I’m sure some clever chap out there is capable of uncovering your password via an audio recording of your keystrokes.

  13. I’ve done more than a couple of password audits in my time, and this is much more prevalent among women than men. Most interestingly, the passwords seem to last longer than the crushes/relationships themselves. At some point, they cross from ‘something on your mind’ to ‘muscle memory’, and two years after the relationship ends you still have ‘ilovesteveholt’ as a password.

    Other key things to avoid: your birthday, your spouse’s birthday, the day your children were born, your pets’ names, your children’s names, your spouse’s name…and of course, your phone number. A huge number of people use their mobile number as a password because it’s long and easily remembered, but it’s also one of the first things to try from a social engineering standpoint.

  14. Passwords are out. Use pass-phrases, e.g. “This is my password!”. This is far superior to any password since it’s hard for a computer to crack and easy for a human to remember. For sites that stupidly do not allow spaces in passwords (WHY??!?!), replace spaces with “-” or “_”. For sites that limit the length of your password, you’re screwed and if possible you should avoid such sites. (Unfortunately, banks typically fall into this category. Their password policies were probably created by ignorant committees.)

    Further info: (The Usability of Passwords)

    1. The rest of us didn’t bother inventing a new name for passwords with spaces in them. You can just substitute the word “passphrase” for the word “password” from now on and we’ll all be on the same wavelength.

      I rarely use passwords less than 64 characters long, and have followed that policy since VMS started supporting them in the early 1980s I think. Took a while for Macs to catch up, but they do long passwords now too.
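A small strength estimator of the kind a site could run at password-change time, added here as an example that is not part of the thread and not the rating logic of 1Password or any other product. It covers the two patterns argued over in comments 11 and 14: a listed word with digits stuck on either end is costed as a dictionary attack rather than a blind brute force, and a multi-word passphrase is costed per word drawn from a list. The word set, list sizes, case and position multipliers and verdict thresholds are all constructed assumptions, so the bit figures are illustrative ranks, not measurements.

```python
import math
import re
import string
from typing import Dict, Optional

# Constructed stand-in for a cracking dictionary; a real check would load
# a large list (for example, the most common leaked passwords).
COMMON_WORDS = {"urchin", "password", "letmein", "welcome", "dragon", "monkey"}

# Assumed model parameters, not measured figures.
ASSUMED_CRACK_DICTIONARY = 1_000_000   # words an attacker's list would hold
ASSUMED_PHRASE_WORDLIST = 100_000      # words a passphrase author picks from
CASE_VARIANTS = 4                      # lower, Capitalised, UPPER, other
DIGIT_POSITIONS = 2                    # digits prepended or appended
WEAK_BITS, STRONG_BITS = 40, 64        # verdict thresholds (assumed)

_SYMBOLS = string.punctuation + " "
_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (_SYMBOLS, len(_SYMBOLS)),
)


def charset_size(pw: str) -> int:
    """Size of the alphabet a blind brute-force search would have to cover."""
    return sum(n for chars, n in _CLASSES if any(c in chars for c in pw)) or 1


def bruteforce_bits(pw: str) -> float:
    """log2 of the keyspace when the attacker knows only length and classes."""
    return len(pw) * math.log2(charset_size(pw))


def dictionary_bits(pw: str) -> Optional[float]:
    """Guess cost if pw is a listed word with digits on either end, else None."""
    m = re.fullmatch(r"(\d{0,4})([A-Za-z]+)(\d{0,4})", pw)
    if not m or m.group(2).lower() not in COMMON_WORDS:
        return None
    digits = len(m.group(1)) + len(m.group(3))
    guesses = ASSUMED_CRACK_DICTIONARY * CASE_VARIANTS * DIGIT_POSITIONS * 10 ** digits
    return math.log2(guesses)


def passphrase_bits(pw: str) -> Optional[float]:
    """Guess cost if pw is three or more words joined by space, '-' or '_', else None.

    Each word is charged log2(list size); any extra punctuation or digits
    are charged as individual symbols.
    """
    if not re.fullmatch(r"[A-Za-z]+([ \-_]+[A-Za-z]+){2,}[^A-Za-z]*", pw):
        return None
    words = re.findall(r"[A-Za-z]+", pw)
    extras = sum(1 for c in pw if not c.isalpha() and c not in " -_")
    return len(words) * math.log2(ASSUMED_PHRASE_WORDLIST) + extras * math.log2(len(_SYMBOLS))


def estimate(pw: str) -> Dict[str, object]:
    """Pick the cheapest attack model that fits pw and report its cost in bits."""
    candidates = {"brute force": bruteforce_bits(pw)}
    d = dictionary_bits(pw)
    if d is not None:
        candidates["dictionary word with affixed digits"] = d
    p = passphrase_bits(pw)
    if p is not None:
        candidates["passphrase from a word list"] = p
    model, bits = min(candidates.items(), key=lambda kv: kv[1])
    verdict = "weak" if bits < WEAK_BITS else "moderate" if bits < STRONG_BITS else "strong"
    return {"password": pw, "model": model, "bits": round(bits, 1), "verdict": verdict}


if __name__ == "__main__":
    # The examples discussed in the thread plus a hyphenated passphrase.
    for sample in ("123Urchin", "Urchin123", "Urch123in",
                   "vA2ZJuidij563v2FJjeVcE", "This is my password!",
                   "correct-horse-battery-staple"):
        r = estimate(sample)
        print(f"{r['password']:30} {r['bits']:6.1f} bits  {r['verdict']:8}  ({r['model']})")
```

The estimator always reports the cheapest model that fits, which is what makes "123Urchin" rank far below its brute-force keyspace while "Urch123in", which no simple rule reproduces, is charged the full keyspace. Lengthening a passphrase adds a fixed cost per word whatever the letters inside the words are, which is the point the passphrase comment is making.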

  15. Use pwgen or similar (I use one of my own invention…I know, the world really needed another, right…) If you have trouble remembering difficult passwords, use one of the KeePass variants. For a bonus, KeePass (or at least KeePassX) can generate passwords for you. Just keep backups of your keychain and you’re fine.
