
Ed Password Format - Strength and Safety

Bell, take a peek at that brute force time estimate calculator I linked up above. I know you'd just have to trust it for now since it's a black box, but seriously, it'll help illustrate what towlie is saying. As a simple, quick example: Suppose I set up a 5 character password, check all the boxes for uppercase, numbers, punctuation, etc., and set the speed to 2,000,000 passwords checked per second. That ends up taking only 68 minutes. Now, go to a password only 6 characters long, but only check the lower and upper case letters boxes. It's using far fewer characters - only letters and their capitals - but it's more than doubling the time required to break it (165 minutes).

Thanks, clear to me now :-)

But where does one stop with the password length? 16? 17? 18? ...

All dirty jokes aside: Length is better than complexity.

But the longer it is, the longer it takes to get a satisfying result.
 
But where does one stop with the password length?
That depends entirely upon the function of the password. If it's a website like this one, you really don't have much at stake and there's not much motivation for others to try to hack your password. Also, there's no way to do a high-speed, brute-force attack because you have to wait for the server to tell you if the password is correct or not.

But if it's the online banking password for the account where you keep your life savings, that's a little different and you'll probably want the longest and most random password you can handle, although you're generally protected by limits the banking servers place on password attempts.

If it's encrypted data on your laptop, that might be where you need the best password of all, because a thief can take all the time he needs to crack it with an automated program.

Every security situation is different and has to be considered independently.

And by the way, never use the same password for two different purposes. Every time you enter a password, it should be completely different from any password you're using anywhere else.
 
Thanks, clear to me now :-)

But where does one stop with the password length? 16? 17? 18? ...

Towlie is right. There is not really a "one size fits all" answer to that; it varies depending on multiple factors. It's just that the general principle of a longer password - or beyond a certain point, a passphrase - is better than a shorter one stands. The specifics depend on the situation.

An IT Security Officer answer :D would be "the maximum the system is able to handle". But who wants to make a password that long?? :boggled: Where I work, you can have over one hundred characters for our centralized authentication system, but I guarantee you nobody's got one that long. Mine is pretty abysmally long (well over 20+; don't want to give too much away), but I work in a place where a breach could potentially enable violations of US government FERPA and HIPAA laws, and that would mean my termination. So I make damn well sure I'm good.

At risk of overgeneralization: A good passphrase length would depend on the state of the cracking technology. The SANS organization has a spreadsheet available for computation of expected times to crack a passphrase; you change the variables and read off the output. That can be found here:
http://blogs.sans.org/windows-security/2009/06/12/how-long-to-crack-a-password-spreadsheet/

If I use the following presumptions in that spreadsheet:
  • A single computer doing a brute force attack
  • The computer is able to calculate 1,000,000 "keys" (passwords or passphrases) per second
  • The password I'm using in this example only uses upper and lower case letters, no numbers, no punctuation characters, etc.
... it tells me that a 10 character password should take on the order of 45 years to "brute force" crack. An 11 character password would take over 2,300 years, a 12 character one over 123,000 years. Whereas a 9 character one would only take just under a year (321.75 days), roughly. Where's the sweet spot there? For those criteria, it's where you feel safe, but what about when those initial presumptions change? Just having two computers do the attack means that a 10 character password would be broken in just 22 years.

So, you see what I mean by "situationally dependent"? For important systems, we actually have to pay attention to the state of the art in hacking to determine our defense. For unimportant places (sorry, JREF, I mean "unimportant" as far as "severity of a break in", so this site is my example), just having something simple and short is sufficient. Worst that would happen to me if someone compromised the ElMondHummus account is that I get kicked off of the forum. Personally painful, but hardly a large issue legally.

Anyway... I'm sorry I don't have a good, simple answer, but thanks to malicious people on the internet, there is no good, simple answer beyond "longer is better".

But the longer it is, the longer it takes to get a satisfying result.

And the longer it is, the more exercise your hands get! Wait a minute, that's wrong on too many levels... :boggled:

;)
 
<snip>
And by the way, never use the same password for two different purposes. Every time you enter a password, it should be completely different from any password you're using anywhere else.

One problem. There are heaps of sites that demand a password. I could use a unique one for each of them, however there is no way known I could remember them all.

Most of them are on the computer. I could buy some software to remember the password for me. But then I would never know if there is a weakness in the software that allowed someone to tell them of all the passwords.

So what is the answer in today's world?
 
One problem. There are heaps of sites that demand a password. I could use a unique one for each of them, however there is no way known I could remember them all.

Most of them are on the computer. I could buy some software to remember the password for me. But then I would never know if there is a weakness in the software that allowed someone to tell them of all the passwords.

So what is the answer in today's world?

Password managers.
 
When is the last time you looked to see if there was a little dongle about 3/4" long (not much bigger than the plug on the keyboard) inserted between your keyboard and the computer? This little key logger can defeat the longest and most complex passwords.
 
Thanks for all the feedback!

I was planning to go through all my online accounts and registrations to check my personal information and change my passwords.
 
I have come up with ways of generating easy to remember and secure passwords, different for each site, that also fulfil all requirements regarding use of numbers, capital and lower case letters and special characters.

Then comes a site every now and then where some moron has decided that I shouldn't be able to change the password the site assigns to me, or that passwords should be of a certain length etc. Or, the most annoying, that I have to change my password every 3 months and not use a previously used password.
 
Okay.

I chose the numbers 32 and 64 just because they're convenient for demonstrating my point. Both numbers are powers of two.

Two raised to the fifth power, which means 2 x 2 x 2 x 2 x 2, or $2^5$, equals 32. An example of a set of 32 characters that are all easy to type would be abcdefghjklmnpqrstuvwxyz23456789. Using this character set for the case of a password consisting of a single character, there would be $2^5$, or 32, possible passwords.

For the case of a password consisting of two characters, there would be 32 X 32 or 1024 possible combinations. This can be expressed as

$32^2 = (2^5)^2 = 2^{5 \times 2} = 2^{10}$.

The identity that applies here is $(N^A)^B = N^{A \times B}$.

For the case of a password consisting of 16 characters, there would be $32^{16}$ = 1,208,925,819,614,630,000,000,000 possible combinations. This can be expressed as

$(2^5)^{16} = 2^{5 \times 16} = 2^{80}$.

(You can see the advantage of working with exponents when the numbers get huge like this.)

In the above case, if the character set is increased to 64 characters, which would necessarily involve using the shift key, there would be

$(2^6)^{16} = 2^{6 \times 16} = 2^{96}$ = 79,228,162,514,264,300,000,000,000,000 combinations.

That's 65,536 times as many combinations and an impressive increase in security, to be sure, but look what happens if you keep the set of 32 characters and just tack on four more characters for a total of 20. In that case you get

$(2^5)^{20} = 2^{5 \times 20} = 2^{100}$ = 1,267,650,600,228,230,000,000,000,000,000 combinations.

That's 16 times as many combinations from adding four more characters as what you'd get from increasing from a 32 character set to a 64 character set.

And that's why increasing password length is more effective than using a larger character set.
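The arithmetic from the two posts above (the 68-minute vs 165-minute calculator run, and the 32-symbol vs 64-symbol vs length-20 comparison), carried through as an added example that is not code from the forum. The character-set sizes 96 ("all boxes checked") and 52 (letters only) are my assumptions about what the calculator counts; the 2,000,000 guesses/second rate and the 32/64-symbol sets are the ones the posts use.

```python
import math

SECONDS_PER_MINUTE = 60
# Character-set sizes assumed for the first post's two calculator runs (assumptions):
# 96 = upper + lower + digits + punctuation, 52 = letters only.
ALL_BOXES, LETTERS_ONLY = 96, 52


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` symbols drawn from `charset_size` symbols."""
    return charset_size ** length


def keyspace_bits(charset_size, length):
    """Same quantity as an exponent of two: log2(charset_size ** length) = length * log2(charset_size)."""
    return length * math.log2(charset_size)


def worst_case_minutes(charset_size, length, guesses_per_second):
    """Minutes to try every password once at a fixed guess rate (the attacker's worst case)."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_MINUTE


def length_vs_charset_ratio():
    """The exponent post's comparison: doubling the alphabet (32 -> 64) at length 16 versus
    keeping 32 symbols and adding four characters (16 -> 20). Both ratios are exact powers of two."""
    widen = keyspace(64, 16) // keyspace(32, 16)     # 2^96 / 2^80 = 2^16 = 65,536
    lengthen = keyspace(32, 20) // keyspace(64, 16)  # 2^100 / 2^96 = 2^4 = 16
    return widen, lengthen


if __name__ == "__main__":
    rate = 2_000_000  # guesses per second, the rate used in the first post
    for label, size, length in (("5 chars, all boxes", ALL_BOXES, 5),
                                ("6 chars, letters only", LETTERS_ONLY, 6)):
        print(f"{label:24s} {keyspace_bits(size, length):5.1f} bits "
              f"{worst_case_minutes(size, length, rate):8.0f} min")
    widen, lengthen = length_vs_charset_ratio()
    print(f"32->64 symbols at length 16: x{widen}; 32 symbols, length 16->20: x{lengthen}")
```

Expressing the keyspace in bits makes the post's point directly: each extra symbol from the 32-set adds 5 bits, while doubling the set size adds only 1 bit per position.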

To me, it appears your argument only works if passwords/-phrases are truly randomly generated out of your character set. But that's not what actual users find workable.

Users need to be able to remember their passwords, and this requires much more work with random passwords. Instead, they use easy to remember passwords, as in dictionary words, which can be used to cut down time on an attack as you don't need to check every combination, just the ones that appear in everyday language. Let's not forget personal data that allow specific attacks (birthdates of children, for instance).

Adding special characters, capitalization and random typos is a way to keep both the rememberability and security high.

I presume that's also where the OP's 12 characters come from: There are not that many dictionary words that are that long, hence it forces people to use additional (special) characters to reach that length. Of course, adding just "1" (or "1234" or some such) at the end to fulfill the requirement of digits does not increase security very much if everything before is a common word.
 
That's very novel. I wonder what security experts like Bruce Schneier think about it. It seems his readers have mentioned it but I haven't found any comments from him about it yet.

You can read about it here.
It's not very novel. It's been in widespread use for a decade, especially in the online banking world. It's usually combined with other things though, like a PIN code on the key generator itself or a password (and a semi-secret username like a national identification number), so you have even more to remember.
 
One problem. There are heaps of sites that demand a password. I could use a unique one for each of them, however there is no way known I could remember them all.

Most of them are on the computer. I could buy some software to remember the password for me. But then I would never know if there is a weakness in the software that allowed someone to tell them of all the passwords.

So what is the answer in today's world?

One way is to use some 'base' password and then add a site specific portion. So, for instance, the first several letters of the site name could be grafted on.

How this might work in practice: Base is Home45dog and for this forum it becomes -- Home45JREFdog and for PayPal -- Home45PAYPdog

Not ideal, but works in the wild. It also has the property of getting you away from dictionary style attacks.
 
I presume that's also where the OP's 12 characters come from: There are not that many dictionary words that are that long, hence it forces people to use additional (special) characters to reach that length. Of course, adding just "1" (or "1234" or some such) at the end to fulfill the requirement of digits does not increase security very much if everything before is a common word.

No, that's just what I thought was mentioned in the thread I can't find anymore.
 
True, but for some reason a lot of sites where such security is desired limit passwords to 16 characters and REQUIRE at least one of each character type, while very few allow 20 characters.
As an old BOFH once told me, "I'd rather reset passwords daily than have my system compromised by a weak password."

All password systems I know of which are halfway modern and secure (read: not older than 15/20 years, ETA and not HTML forum level security) allow variable-length passwords, up to whatever you want.

What they save *anyway* is a salted hash of fixed length, and it does not matter how long your password is.

If a system limits you to a specific length (16 or whatever), then it is either limiting itself due to some artificial technical constraint imposed by the programmer (read: idiotic constraint), or it is not salt-hashing the password but in reality saving it in encrypted form to allow later retrieval (a security hole in itself, and one that can be relatively easily exploited with social hacks).

All mainframe or WS systems I know of use salted, hashed passwords and need an administrator's intervention to reset the account, but this is much more secure, as you have nigh-unlimited length for your password.

One of my passwords used to be "GIST 2501 tohokami emi tame *" where * was a number I increased every time I was asked for a new password.

No special chars. Good luck with your dictionary attack. Unless you already have physical access (key logger or similar, in which case physical access == I lose no matter the password strength) or you look over my shoulder, you have no chance of finding it out.

I have another citation in the meantime, but I mix 3 different languages (English, German, Japanese) and 1 number. No special chars. Nothing.

That type of password is much, much more secure than any combo of special chars/numbers/lowercase/uppercase you can think of, limited to 16 or 12 chars. And easy to remember, and probably much harder to keyboard-spy than a 12-digit thing. And I don't need to write it on a Post-it.
 
Not good enough

Ref: http://en.wikipedia.org/wiki/Password_manager - see the section on Vulnerabilities.

Meh. You've got one strong password to remember rather than dozens (or hundreds for some of us) and keyloggers aren't as big a worry as some suggest. You have much bigger problems than criminals accessing your online banking if someone broke into your home and installed a keylogger without disturbing anything. "Ha! They do that with trojans and viruses and worms and things!" If you're not savvy enough to avoid that, you're probably not savvy enough to use a strong password in the first place.
90% of the "I was hacked via a keylogger" claims I've heard, the password was compromised some other way. Of the actual keyloggers, few resulted in compromised accounts. And of THOSE, almost all were of the sort where someone installed the keylogger thinking it was a cheat for an online game (in other words, just deserts.)
 
One way is to use some 'base' password and then add a site specific portion. So, for instance, the first several letters of the site name could be grafted on.

How this might work in practice: Base is Home45dog and for this forum it becomes -- Home45JREFdog and for PayPal -- Home45PAYPdog

Not ideal, but works in the wild. It also has the property of getting you away from dictionary style attacks.


Speaking of use in the wild, do you ever access unencrypted web sites from open wireless access points? Unless the site is kind enough to have the script pre-hash your password before sending it to the server, you might as well shout your password to everyone in the room.

Once someone has collected a couple of your passwords from open sites it won't be that hard to guess your pattern and start attacking the hard sites where the money is.
 
Speaking of use in the wild, do you ever access unencrypted web sites from open wireless access points? Unless the site is kind enough to have the script pre-hash your password before sending it to the server, you might as well shout your password to everyone in the room.

Once someone has collected a couple of your passwords from open sites it won't be that hard to guess your pattern and start attacking the hard sites where the money is.

No, no open wireless -- I'm strictly a home user.

Very true. What I am striving for is a balance between usability and security. Before this, I was using the same username and password everywhere... and I wondered what was going on at some of those sites that conned me into a sign-up for a white paper or something. What I do like is visiting a site I haven't been to in a coon's age and being able to sign in by knowing the algorithm I used to construct the password.

So I'm memorizing the recipe instead of a series of passwords. Anyone with some access and savvy could also reconstruct the recipe. But I like it. Better might be an automated construction from the URL in a little hot-key activated app. Not being a coder, someone would have to write it for me.

"For every lock there is a pick."
 
Once someone has collected a couple of your passwords from open sites it won't be that hard to guess your pattern and start attacking the hard sites where the money is.
Like I said back in post #22, "Every time you enter a password, it should be completely different from any password you're using anywhere else. "
 
This difference could be accomplished if there were a standard password hasher built into the browser. Even if the user entered the same password for every site, hashing the password with the user name and a site provided sequence code would ensure that each site sees a unique passcode. Sites could even rotate the sequence code to increase security because each login would set up a new code for the next one.
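The per-site derivation sketched in the post above, alongside the "base password plus site letters" recipe from earlier in the thread, as an added example that is not code from the forum or any browser. It assumes PBKDF2-HMAC-SHA256 as the hash, a 100,000-iteration count, the 32-symbol alphabet quoted earlier as the output set, and constructed sample inputs; `derive_site_password` and `shares_visible_pattern` are names I chose.

```python
import hashlib

# The 32-symbol, easy-to-type alphabet quoted earlier in the thread.
ALPHABET = "abcdefghjklmnpqrstuvwxyz23456789"
# Iteration count is an assumption; it makes offline guessing of the master
# password expensive if one derived value leaks from a site.
ITERATIONS = 100_000


def derive_site_password(master, username, site, sequence, length=16):
    """Derive a per-site password from one master password.

    Everything except the master goes into the salt, so the same master yields an
    unrelated output per site, per username, and per rotation of the site's sequence code.
    """
    salt = f"{site}\x00{username}\x00{sequence}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=length)
    # 32 divides 256, so mapping each byte with modulo introduces no bias.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in raw)


def shares_visible_pattern(a, b, min_run=4):
    """True if the two strings share any run of `min_run` symbols.

    The 'base password plus site letters' scheme fails this (the base is visible in
    every password, so one leaked password reveals the recipe); a hashed derivation
    should pass it.
    """
    return any(a[i:i + min_run] in b for i in range(len(a) - min_run + 1))


if __name__ == "__main__":
    master, user = "correct horse battery", "bell"   # constructed sample inputs
    forum = derive_site_password(master, user, "forum.example", sequence=1)
    bank = derive_site_password(master, user, "bank.example", sequence=1)
    print("forum:", forum, "bank:", bank)
    print("visible pattern between them:", shares_visible_pattern(forum, bank))
    print("visible pattern in the grafting scheme:",
          shares_visible_pattern("Home45JREFdog", "Home45PAYPdog"))
```

The sequence-code rotation the post proposes is the `sequence` argument: bumping it yields a fresh, unrelated password without changing the master.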
 
